116 lines
3.0 KiB
Diff
116 lines
3.0 KiB
Diff
Bugzilla: N/A
|
|
Upstream-status: Fedora mustard
|
|
|
|
From ffe1ee94d526900ce1e5191cdd38934477dd209a Mon Sep 17 00:00:00 2001
|
|
From: Josh Boyer <jwboyer@fedoraproject.org>
|
|
Date: Fri, 26 Oct 2012 14:02:09 -0400
|
|
Subject: [PATCH] hibernate: Disable in a signed modules environment
|
|
|
|
There is currently no way to verify the resume image when returning
|
|
from hibernate. This might compromise the signed modules trust model,
|
|
so until we can work with signed hibernate images we disable it in
|
|
a secure modules environment.
|
|
|
|
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.com>
|
|
---
|
|
kernel/power/hibernate.c | 16 +++++++++++++++-
|
|
kernel/power/main.c | 7 ++++++-
|
|
kernel/power/user.c | 1 +
|
|
3 files changed, 22 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
|
|
index b26f5f1..e65228b 100644
|
|
--- a/kernel/power/hibernate.c
|
|
+++ b/kernel/power/hibernate.c
|
|
@@ -28,6 +28,8 @@
|
|
#include <linux/syscore_ops.h>
|
|
#include <linux/ctype.h>
|
|
#include <linux/genhd.h>
|
|
+#include <linux/efi.h>
|
|
+#include <linux/module.h>
|
|
|
|
#include "power.h"
|
|
|
|
@@ -632,6 +634,10 @@ int hibernate(void)
|
|
{
|
|
int error;
|
|
|
|
+ if (secure_modules()) {
|
|
+ return -EPERM;
|
|
+ }
|
|
+
|
|
lock_system_sleep();
|
|
/* The snapshot device should not be opened while we're running */
|
|
if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
|
|
@@ -723,7 +729,7 @@ static int software_resume(void)
|
|
/*
|
|
* If the user said "noresume".. bail out early.
|
|
*/
|
|
- if (noresume)
|
|
+ if (noresume || secure_modules())
|
|
return 0;
|
|
|
|
/*
|
|
@@ -889,6 +895,11 @@ static ssize_t disk_show(struct kobject *kobj, struct kobj_attribute *attr,
|
|
int i;
|
|
char *start = buf;
|
|
|
|
+ if (efi_enabled(EFI_SECURE_BOOT)) {
|
|
+ buf += sprintf(buf, "[%s]\n", "disabled");
|
|
+ return buf-start;
|
|
+ }
|
|
+
|
|
for (i = HIBERNATION_FIRST; i <= HIBERNATION_MAX; i++) {
|
|
if (!hibernation_modes[i])
|
|
continue;
|
|
@@ -923,6 +934,9 @@ static ssize_t disk_store(struct kobject *kobj, struct kobj_attribute *attr,
|
|
char *p;
|
|
int mode = HIBERNATION_INVALID;
|
|
|
|
+ if (secure_modules())
|
|
+ return -EPERM;
|
|
+
|
|
p = memchr(buf, '\n', n);
|
|
len = p ? p - buf : n;
|
|
|
|
diff --git a/kernel/power/main.c b/kernel/power/main.c
|
|
index 1d1bf63..300f300 100644
|
|
--- a/kernel/power/main.c
|
|
+++ b/kernel/power/main.c
|
|
@@ -15,6 +15,7 @@
|
|
#include <linux/workqueue.h>
|
|
#include <linux/debugfs.h>
|
|
#include <linux/seq_file.h>
|
|
+#include <linux/efi.h>
|
|
|
|
#include "power.h"
|
|
|
|
@@ -301,7 +302,11 @@ static ssize_t state_show(struct kobject *kobj, struct kobj_attribute *attr,
|
|
}
|
|
#endif
|
|
#ifdef CONFIG_HIBERNATION
|
|
- s += sprintf(s, "%s\n", "disk");
|
|
+ if (!efi_enabled(EFI_SECURE_BOOT)) {
|
|
+ s += sprintf(s, "%s\n", "disk");
|
|
+ } else {
|
|
+ s += sprintf(s, "\n");
|
|
+ }
|
|
#else
|
|
if (s != buf)
|
|
/* convert the last space to a newline */
|
|
diff --git a/kernel/power/user.c b/kernel/power/user.c
|
|
index 15cb72f..fa85ed5 100644
|
|
--- a/kernel/power/user.c
|
|
+++ b/kernel/power/user.c
|
|
@@ -25,6 +25,7 @@
|
|
#include <linux/cpu.h>
|
|
#include <linux/freezer.h>
|
|
#include <linux/module.h>
|
|
+#include <linux/efi.h>
|
|
|
|
#include <asm/uaccess.h>
|
|
|
|
--
|
|
1.8.3.1
|
|
|