From patchwork Mon Mar 25 22:09:35 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Matthew Garrett <matthewgarrett@google.com>
X-Patchwork-Id: 10870235
Return-Path: <linux-pm-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id EB90814DE
	for <patchwork-linux-pm@patchwork.kernel.org>;
 Mon, 25 Mar 2019 22:12:29 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DC53E28C1D
	for <patchwork-linux-pm@patchwork.kernel.org>;
 Mon, 25 Mar 2019 22:12:29 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id D0B582908C; Mon, 25 Mar 2019 22:12:29 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-15.5 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI,
	USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8348B28C1D
	for <patchwork-linux-pm@patchwork.kernel.org>;
 Mon, 25 Mar 2019 22:12:29 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730745AbfCYWM2 (ORCPT
        <rfc822;patchwork-linux-pm@patchwork.kernel.org>);
        Mon, 25 Mar 2019 18:12:28 -0400
Received: from mail-ua1-f73.google.com ([209.85.222.73]:50104 "EHLO
        mail-ua1-f73.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1730794AbfCYWKT (ORCPT
        <rfc822;linux-pm@vger.kernel.org>); Mon, 25 Mar 2019 18:10:19 -0400
Received: by mail-ua1-f73.google.com with SMTP id y1so1333185uaq.16
        for <linux-pm@vger.kernel.org>; Mon, 25 Mar 2019 15:10:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=date:in-reply-to:message-id:mime-version:references:subject:from:to
         :cc;
        bh=uYemRAgVTJFGahU1zMfb1n2EMnLkr+SSlEuKQqgKmLY=;
        b=U9J1t3NxYbQMopyhw2GE3bLit1uMhrE4YcCM5dJ1VZEcPOPoJohS9muHLwrm4vQlDT
         8XvcG/28ok21BF69yNbSQqCw3e6yjQAJUDrd2iaM/KgcHCo2BszrbFw8/6jMPHvtp/yf
         iWbLAQNCWBLdHGrn8i0OX9YYkOvt9fPMvh7laV3CW1NvPs5u0ovDE4DFMYQzJghhon6V
         bj6B9ZBfpvxXzkfjlaJuCbNMNi2Thezr5krapkJ9JEX32womUHt1rfjs8e8QB5aKcnQL
         DtOuGW6wgC0uGu7Lxs3FaIweVocdpEXRME7+Lfg6KE1hn5KohnaCb7igp2IE3uYR8ftF
         zagQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:in-reply-to:message-id:mime-version
         :references:subject:from:to:cc;
        bh=uYemRAgVTJFGahU1zMfb1n2EMnLkr+SSlEuKQqgKmLY=;
        b=ouM4/iKv8LhBujO4bulyXo5psCWvxiRjDGT860N+ltf/mtFsHUL2m2pPqUFRvwae8S
         2EbVCe/QIPSMNTCD54BGte6TfLVi7kUepvvVE1KJJhl7jOjiFJRHh+IbBZOgwG84iSbw
         XCPL9+9SGpAh5ruk7dF3+SKHBJI4meU2RoS9kF2A6q3Pj2nB3k/piA6mg+acnuKcR6L6
         ShuyLnlx/ysyp/cjpE2ywvTu1sqm2vPJqImPOWV2NKCgZQqoLrWCwlTCHncoppiIwK69
         2x2cHKwcsA7dFOXF+C7i+5agexTmBODYHQ0wfViEjEtC1xtIixNoGBqZ9Gc7lZJ+QFfq
         z9Ag==
X-Gm-Message-State: APjAAAWhfSnP6sbd2Tc3uy7+ZqS5AlQGy/TnwoKXQaO8FaJ/jqkR29VP
        Z/YWucNVG9jU52PSHfwdvK10vJmaWQ+fgiUzlbiKEg==
X-Google-Smtp-Source: 
 APXvYqy7ER6okO+DXR1Hn9BcNwumz/DBgYufWQnxxDJBMiaFaOCwvLdckGZ0KGbfYqsKbYK+Droz0kzG4KKcv0gh0DEQqA==
X-Received: by 2002:ab0:65c7:: with SMTP id n7mr16136307uaq.3.1553551818764;
 Mon, 25 Mar 2019 15:10:18 -0700 (PDT)
Date: Mon, 25 Mar 2019 15:09:35 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-9-matthewgarrett@google.com>
Mime-Version: 1.0
References: <20190325220954.29054-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog
Subject: [PATCH 08/27] hibernate: Disable when the kernel is locked down
From: Matthew Garrett <matthewgarrett@google.com>
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, dhowells@redhat.com,
        Josh Boyer <jwboyer@fedoraproject.org>, rjw@rjwysocki.net,
        pavel@ucw.cz, linux-pm@vger.kernel.org,
        Matthew Garrett <matthewgarrett@google.com>
Sender: linux-pm-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-pm.vger.kernel.org>
X-Mailing-List: linux-pm@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Josh Boyer <jwboyer@fedoraproject.org>

There is currently no way to verify the resume image when returning
from hibernate.  This might compromise the signed modules trust model,
so until we can work with signed hibernate images we disable it when the
kernel is locked down.

Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: rjw@rjwysocki.net
Cc: pavel@ucw.cz
cc: linux-pm@vger.kernel.org
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
---
 kernel/power/hibernate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index abef759de7c8..802795becb88 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
 
 bool hibernation_available(void)
 {
-	return (nohibernate == 0);
+	return nohibernate == 0 && !kernel_is_locked_down("Hibernation");
 }
 
 /**