Re: Supporting hibernation in Workstation ed., draft 1

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, May 30, 2020 at 5:46 PM Marius Schwarz <fedoradev@xxxxxxxxxxxx> wrote:
>
> Am 30.05.20 um 09:36 schrieb Chris Murphy:
> >
> > It's a security risk that is incompatible with having UEFI Secure Boot enabled.
> >
> > The entire point of UEFI Secure Boot is to ensure cryptographic
> > verification that the kernel you're running is in fact a Fedora built
> > and signed kernel. Since resuming from hibernation completely replaces
> > memory contents with that of the image, if the hibernation image isn't
> > cryptographically signed too, it's an attack vector that permits
> > arbitrary code execution, including even in the kernel.
> >
> >
>
> Anything you put unencrypted on a disk, is insecure. If you don't run
> full disk encryption, nothing stops an attacker from simply change
> whatever he likes on disk right away.

Full disk encryption doesn't adequately secure the hibernation image
either. Authenticated encryption (signing as well as encryption) is
needed to verify the image hasn't been tampered. The upstream work,
cited in the document, gets into the details, and what additional work
is needed for the next revision.


--
Chris Murphy
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux