On Tuesday, June 2, 2020 9:45:45 PM MST Chris Murphy wrote: > On Tue, Jun 2, 2020 at 10:28 PM Samuel Sieb <samuel@xxxxxxxx> wrote: > > > > > > > I would expect that using an encrypted partition for swap should be > > sufficient to allow it though. > > > Unfortunately not. Encryption provides no integrity or authenticity. > The original set of patches for signed and authenticated hibernation > images called for the use of an HMAC for signing, and upstream > considered this insufficient and asked why not use AES-GCM to provide > a real AE (authenticated encryption) model. In what way do you believe it's not sufficient? > Not only is encryption alone inadequate, the signature verification > model should ensure that the hibernation image being restored was > created by the computer it is being restored to. Why? > I am not a cryptographer. And I can't do a better job of explaining > it. But it's a problem. And my disappointment isn't relevant to the > security issue. It's relevant from a UX perspective I suppose. It's a severe UX issue that you cannot use a standard feature of normal systems, hibernation. > But, I've also just spent two days trying to track down a new > hibernation bug, resulting in fatal hibernation entry. Even without > the Secure Boot issue, hibernation can be a problem that requires > resources that are not finite. I had this working reliably several > months ago, and I've exhausted my time and interest for now doing > kernel regression testing and have literally no idea why it's > consistently failing now. On three machines (one is a VM). I did > report it upstream, I haven't gotten a reply yet (normal). > > There are two emails, bottom one is the first. > https://lore.kernel.org/linux-pm/CAJCQCtQVGqxtZZTRgscT7e4inTacAd7KAmoNOz3gB4 > Hf1Nkp0w@xxxxxxxxxxxxxx/ > > -- > Chris Murphy -- John M. Harris, Jr. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
