| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 31 Oct 2012 15:55:03 +0000 From: Alan Cox <alan@...rguk.ukuu.org.uk> To: Josh Boyer <jwboyer@...il.com> Cc: Jiri Kosina <jkosina@...e.cz>, Matthew Garrett <mjg@...hat.com>, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, linux-efi@...r.kernel.org Subject: Re: [RFC] Second attempt at kernel secure boot support > > is basically DMA-ing arbitrary data over the whole RAM. I am currently not > > able to imagine a scenario how this could be made "secure" (without > > storing private keys to sign the hibernation image on the machine itself > > which, well, doesn't sound secure either). That's what the TPM is for (in fact all of this stuff can be done properly with a TPM while the 'secure' boot stuff can do little if any of it. > > I have a patch that disables that. I imagine it will be included in the > next submission of the patchset. > > You can find it here in the meantime: > > http://jwboyer.fedorapeople.org/pub/0001-hibernate-Disable-in-a-Secure-Boot-environment.patch All this depends on your threat model. If I have physical access to suspend/resume your machine then you already lost. If I don't have physical access then I can't boot my unsigned OS to patch your S4 image so it doesn't matter. In fact the more I think about this the more it seems disabling hibernate is basically farting in the wind. Alan -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists