summaryrefslogtreecommitdiff
path: root/security/lockdown
diff options
context:
space:
mode:
authorJosh Boyer <jwboyer@fedoraproject.org>2019-08-19 17:17:46 -0700
committerJames Morris <jmorris@namei.org>2019-08-19 21:54:15 -0700
commit38bd94b8a1bd46e6d3d9718c7ff582e4c8ccb440 (patch)
tree72595e412734b2f3642514c01b06e9202b94ce76 /security/lockdown
parent155bdd30af17e90941589b5db4dab9a29b28c112 (diff)
downloadlinux-rpi-38bd94b8a1bd46e6d3d9718c7ff582e4c8ccb440.tar.gz
linux-rpi-38bd94b8a1bd46e6d3d9718c7ff582e4c8ccb440.tar.bz2
linux-rpi-38bd94b8a1bd46e6d3d9718c7ff582e4c8ccb440.zip
hibernate: Disable when the kernel is locked down
There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, so until we can work with signed hibernate images we disable it when the kernel is locked down. Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Matthew Garrett <mjg59@google.com> Reviewed-by: Kees Cook <keescook@chromium.org> Cc: rjw@rjwysocki.net Cc: pavel@ucw.cz cc: linux-pm@vger.kernel.org Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/lockdown')
-rw-r--r--security/lockdown/lockdown.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index aaf30ad351f9..3462f7edcaac 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -21,6 +21,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
[LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading",
[LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port",
[LOCKDOWN_KEXEC] = "kexec of unsigned images",
+ [LOCKDOWN_HIBERNATION] = "hibernation",
[LOCKDOWN_INTEGRITY_MAX] = "integrity",
[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
};