On Mon, Dec 7, 2020 at 2:04 AM Chris Murphy <lists@xxxxxxxxxxxxxxxxx> wrote:
> I think a higher priority is supporting encrypted authenticated
> hibernation images. And arguably it's needed for swap as well, because
> there are all kinds of private user data that can be evicted to swap.
> It's another advantage of swap on zram, in that since it's volatile,
> we don't have to worry about it as much when it comes to leaking user
> data. It's not the same as being encrypted, of course; putting the
> system in S3 means this private data could still be pilfered if the
> attacker has physical access. But at least it's not persistent.

Why are encrypted and signed hibernation images a bigger priority? Isn't that achieved with full disk encrypted systems?

> It is a good idea to set up disk based swap with a random key on each
> boot. This means you don't have to enter a passphrase. But it also
> means it can't be used for a hibernation image.

How would you do this even if I was not using hibernation? Sounds pretty cool.

> I think a key pre-requisite is working authenticated and signed
> hibernation images. Until we can bring back hibernation support for
> systems with UEFI Secure Boot, the most common configuration out of
> the box, we're kinda stuck not being able to do much of anything with
> hibernation.

It's sad that Linux isn't able to do hibernation with secure boot.
Regards,
Sreyan Chakravarty
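
The random-key swap setup discussed above, as an added example that is not part of the original thread. It assumes a systemd-based system that reads /etc/crypttab as described in crypttab(5); `<PARTUUID>` is a placeholder for the swap partition's identifier and the mapping name `swap` is arbitrary.

```conf
# --- Before: /etc/fstab, plaintext disk swap (evicted pages persist on disk) ---
# /dev/disk/by-partuuid/<PARTUUID>  none  swap  defaults  0 0

# --- After: /etc/crypttab ---
# Fields: name  device  keyfile  options
# /dev/urandom as the keyfile gives a fresh random key on every boot, so no
# passphrase is needed. "swap" runs mkswap on the mapping at each boot and
# implies plain dm-crypt (no LUKS header).
# <PARTUUID> is a placeholder. Use a partition-table identifier, not /dev/sdXN:
# the device named here is reformatted on every boot, and a filesystem
# UUID or LABEL would not survive that reformat.
swap  /dev/disk/by-partuuid/<PARTUUID>  /dev/urandom  swap,cipher=aes-xts-plain64,size=512

# --- After: /etc/fstab, point swap at the mapping instead of the raw partition ---
/dev/mapper/swap  none  swap  defaults  0 0
```

After a reboot, `cryptsetup status swap` and `swapon --show` confirm that swap is active on `/dev/mapper/swap`. The key is never stored, so the contents are unreadable after power-off, which is also why this device cannot hold a hibernation image.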