| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 6 May 2022 18:08:08 +0200
From: Pavel Machek <pavel@....cz>
To: Evan Green <evgreen@...omium.org>
Cc: linux-kernel@...r.kernel.org,
Matthew Garrett <mgarrett@...ora.tech>, dlunev@...gle.com,
zohar@...ux.ibm.com, jejb@...ux.ibm.com,
linux-integrity@...r.kernel.org, corbet@....net, rjw@...ysocki.net,
gwendal@...omium.org, jarkko@...nel.org, linux-pm@...r.kernel.org,
David Howells <dhowells@...hat.com>,
Hao Wu <hao.wu@...rik.com>, James Morris <jmorris@...ei.org>,
Jason Gunthorpe <jgg@...pe.ca>,
Len Brown <len.brown@...el.com>,
Matthew Garrett <matthewgarrett@...gle.com>,
Peter Huewe <peterhuewe@....de>,
"Rafael J. Wysocki" <rafael@...nel.org>,
"Serge E. Hallyn" <serge@...lyn.com>, axelj <axelj@...s.com>,
keyrings@...r.kernel.org, linux-doc@...r.kernel.org,
linux-security-module@...r.kernel.org
Subject: Re: [PATCH 00/10] Encrypted Hibernation
Hi!
> We are exploring enabling hibernation in some new scenarios. However,
> our security team has a few requirements, listed below:
> 1. The hibernate image must be encrypted with protection derived from
> both the platform (eg TPM) and user authentication data (eg
> password).
> 2. Hibernation must not be a vector by which a malicious userspace can
> escalate to the kernel.
Can you (or your security team) explain why requirement 2. is needed?
On normal systems, trusted userspace handles kernel upgrades (for example),
so it can escalate to kernel priviledges.
Best regards,
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
Powered by blists - more mailing lists