| Bugzilla: N/A |
| Upstream-status: Fedora mustard |
| |
| From ffe1ee94d526900ce1e5191cdd38934477dd209a Mon Sep 17 00:00:00 2001 |
| From: Josh Boyer <jwboyer@fedoraproject.org> |
| Date: Fri, 26 Oct 2012 14:02:09 -0400 |
| Subject: [PATCH] hibernate: Disable in a signed modules environment |
| |
| There is currently no way to verify the resume image when returning |
| from hibernate. This might compromise the signed modules trust model, |
| so until we can work with signed hibernate images we disable it in |
| a secure modules environment. |
| |
| Signed-off-by: Josh Boyer <jwboyer@fedoraproject.com> |
| |
| kernel/power/hibernate.c | 16 +++++++++++++++- |
| kernel/power/main.c | 7 ++++++- |
| kernel/power/user.c | 1 + |
| 3 files changed, 22 insertions(+), 2 deletions(-) |
| |
| diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c |
| index b26f5f1..e65228b 100644 |
| |
| |
| @@ -28,6 +28,8 @@ |
| #include <linux/syscore_ops.h> |
| #include <linux/ctype.h> |
| #include <linux/genhd.h> |
| +#include <linux/efi.h> |
| +#include <linux/module.h> |
| |
| #include "power.h" |
| |
| @@ -632,6 +634,10 @@ int hibernate(void) |
| { |
| int error; |
| |
| + if (secure_modules()) { |
| + return -EPERM; |
| + } |
| + |
| lock_system_sleep(); |
| /* The snapshot device should not be opened while we're running */ |
| if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { |
| @@ -723,7 +729,7 @@ static int software_resume(void) |
| /* |
| * If the user said "noresume".. bail out early. |
| */ |
| - if (noresume) |
| + if (noresume || secure_modules()) |
| return 0; |
| |
| /* |
| @@ -889,6 +895,11 @@ static ssize_t disk_show(struct kobject *kobj, struct kobj_attribute *attr, |
| int i; |
| char *start = buf; |
| |
| + if (efi_enabled(EFI_SECURE_BOOT)) { |
| + buf += sprintf(buf, "[%s]\n", "disabled"); |
| + return buf-start; |
| + } |
| + |
| for (i = HIBERNATION_FIRST; i <= HIBERNATION_MAX; i++) { |
| if (!hibernation_modes[i]) |
| continue; |
| @@ -923,6 +934,9 @@ static ssize_t disk_store(struct kobject *kobj, struct kobj_attribute *attr, |
| char *p; |
| int mode = HIBERNATION_INVALID; |
| |
| + if (secure_modules()) |
| + return -EPERM; |
| + |
| p = memchr(buf, '\n', n); |
| len = p ? p - buf : n; |
| |
| diff --git a/kernel/power/main.c b/kernel/power/main.c |
| index 1d1bf63..300f300 100644 |
| |
| |
| @@ -15,6 +15,7 @@ |
| #include <linux/workqueue.h> |
| #include <linux/debugfs.h> |
| #include <linux/seq_file.h> |
| +#include <linux/efi.h> |
| |
| #include "power.h" |
| |
| @@ -301,7 +302,11 @@ static ssize_t state_show(struct kobject *kobj, struct kobj_attribute *attr, |
| } |
| #endif |
| #ifdef CONFIG_HIBERNATION |
| - s += sprintf(s, "%s\n", "disk"); |
| + if (!efi_enabled(EFI_SECURE_BOOT)) { |
| + s += sprintf(s, "%s\n", "disk"); |
| + } else { |
| + s += sprintf(s, "\n"); |
| + } |
| #else |
| if (s != buf) |
| /* convert the last space to a newline */ |
| diff --git a/kernel/power/user.c b/kernel/power/user.c |
| index 15cb72f..fa85ed5 100644 |
| |
| |
| @@ -25,6 +25,7 @@ |
| #include <linux/cpu.h> |
| #include <linux/freezer.h> |
| #include <linux/module.h> |
| +#include <linux/efi.h> |
| |
| #include <asm/uaccess.h> |
| |
| -- |
| 1.8.3.1 |
| |