Re: Supporting hibernation in Workstation ed., draft 1

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Jun 2, 2020 at 10:28 PM Samuel Sieb <samuel@xxxxxxxx> wrote:
>
> I would expect that using an encrypted partition for swap should be
> sufficient to allow it though.

Unfortunately not. Encryption provides no integrity or authenticity.
The original set of patches for signed and authenticated hibernation
images called for the use of an HMAC for signing, and upstream
considered this insufficient and asked why not use AES-GCM to provide
a real AE (authenticated encryption) model.

Not only is encryption alone inadequate, the signature verification
model should ensure that the hibernation image being restored was
created by the computer it is being restored to.

I am not a cryptographer. And I can't do a better job of explaining
it. But it's a problem. And my disappointment isn't relevant to the
security issue. It's relevant from a UX perspective I suppose.

But, I've also just spent two days trying to track down a new
hibernation bug, resulting in fatal hibernation entry. Even without
the Secure Boot issue, hibernation can be a problem that requires
resources that are not finite. I had this working reliably several
months ago, and I've exhausted my time and interest for now doing
kernel regression testing and have literally no idea why it's
consistently failing now. On three machines (one is a VM). I did
report it upstream, I haven't gotten a reply yet (normal).

There are two emails, bottom one is the first.
https://lore.kernel.org/linux-pm/CAJCQCtQVGqxtZZTRgscT7e4inTacAd7KAmoNOz3gB4Hf1Nkp0w@xxxxxxxxxxxxxx/


-- 
Chris Murphy
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux