[PATCH RFC] Add a lockdown_hibernate parameter
Kelvie Wong
kelvie at kelvie.ca
Wed Nov 22 06:52:32 UTC 2023
On Tue, 21 Nov 2023 at 20:53, Paul Moore <paul at paul-moore.com> wrote:
> On Mon, Nov 20, 2023 at 10:07 PM Kelvie Wong <kelvie at kelvie.ca> wrote:
> > On Mon, 20 Nov 2023 at 13:12, Paul Moore <paul at paul-moore.com> wrote:
> > > On Mon, Nov 13, 2023 at 11:01 PM Randy Dunlap <rdunlap at infradead.org> wrote:
> > > >
> > > > [add security & dhowells]
> > > >
> > > > On 11/13/23 18:23, Kelvie Wong wrote:
> > > > > This allows the user to tell the kernel that they know better (namely,
> > > > > they secured their swap properly), and that it can enable hibernation.
> > > > >
> > > > > I've been using this for about a year now, as it doesn't seem like
> > > > > proper secure hibernation was going to be implemented back then, and
> > > > > it's now been a year since I've been building my own kernels with this
> > > > > patch, so getting this upstreamed would save some CO2 from me building
> > > > > my own kernels every upgrade.
> > > > >
> > > > > Some other not-me users have also tested the patch:
> > > > >
> > > > > https://community.frame.work/t/guide-fedora-36-hibernation-with-enabled-secure-boot-and-full-disk-encryption-fde-decrypting-over-tpm2/25474/17
> > > > >
> > > > > Signed-off-by: Kelvie Wong <kelvie at kelvie.ca>
> > >
> > > I would feel a lot better about this if there was a way to verify that
> > > the swap was protected as opposed to leaving that as a note in a doc
> > > that the majority of users will never see, read, or understand.
> >
> I've got to warn you that I have an allergic reaction to arguments
> that start with "the right solution is really hard, so let's pick the
> easier, worse solution." ;)
>
> I guess I'm still not sold on this idea, I'm sorry.
Not a problem, thanks for looking.
I do hope that hibernate on lockdown is one day properly supported though. I'd
imagine that lockdown will eventually be the default for most distros, and it'd
be a real shame to have to sacrifice hibernate for it (which is, in my opinion,
indispensable for laptop use).
Cheers,
--
Kelvie
More information about the Linux-security-module-archive
mailing list