From patchwork Tue Mar 26 18:27:24 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10871935
Date: Tue, 26 Mar 2019 11:27:24 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-9-matthewgarrett@google.com>
References: <20190326182742.16950-1-matthewgarrett@google.com>
Subject: [PATCH V31 08/25] hibernate: Disable when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Josh Boyer, Matthew Garrett, rjw@rjwysocki.net, pavel@ucw.cz, linux-pm@vger.kernel.org
X-Mailing-List: linux-pm@vger.kernel.org
From: Josh Boyer There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, so until we can work with signed hibernate images we disable it when the kernel is locked down. Signed-off-by: Josh Boyer Signed-off-by: David Howells Signed-off-by: Matthew Garrett Cc: rjw@rjwysocki.net Cc: pavel@ucw.cz cc: linux-pm@vger.kernel.org --- kernel/power/hibernate.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c index abef759de7c8..928b198cfa26 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -70,7 +70,8 @@ static const struct platform_hibernation_ops *hibernation_ops; bool hibernation_available(void) { - return (nohibernate == 0); + return nohibernate == 0 && !kernel_is_locked_down("Hibernation", + LOCKDOWN_INTEGRITY); } /**
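Review bot: The new `!kernel_is_locked_down("Hibernation", LOCKDOWN_INTEGRITY)` term in hibernation_available() carries no comment explaining why lockdown disables hibernation; the reason (the resume image cannot be verified, so resuming could undermine the signed-modules trust model) exists only in the commit message. A short comment above the return would keep that rationale with the code and make it clear the restriction is meant to be lifted once signed hibernate images exist. The commit message also says only "locked down", while the code gates on LOCKDOWN_INTEGRITY specifically; naming the level in the message would help anyone reviewing the series patch by patch. Two things to confirm, since neither is visible in this hunk: the diffstat shows no #include being added to kernel/power/hibernate.c, so the declarations of kernel_is_locked_down() and LOCKDOWN_INTEGRITY must already be reachable from this file; and because the helper is handed a description string, if it logs on each refusal then every caller that merely queries hibernation_available() will emit a message, which may be noisier than intended for a predicate.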