On 6/2/20 7:41 PM, John M. Harris Jr wrote:
In what way is it incompatible with UEFI Secure Boot? If the kernel and initramfs are signed, and the resume image is for that kernel, how is this an issue? What if swap is on LUKS?
Do you understand how hibernation works? It doesn't matter if the booting kernel is signed, everything will be replaced by what's on the disk. The kernel you boot with does not even have to be the same one the hibernated image was booted with. Someone could modify the in-memory image of the kernel on the disk or change some process to be running as root when it's resumed. So it completely bypasses any protection that secure boot provides. I'm inclined to say let me have that insecurity if I want, but I think there are rules about what's allowed if secure boot is enabled.
I would expect that using an encrypted partition for swap should be sufficient to allow it though.
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
