On Thu 2013-08-22 19:01:54, Lee, Chun-Yi wrote: > In current solution, the snapshot signature check used the RSA key-pair > that are generated by bootloader(e.g. shim) and pass the key-pair to > kernel through EFI variables. I choice to binding the snapshot > signature check mechanism with UEFI secure boot for provide stronger > protection of hibernate. Current behavior is following: > > + UEFI Secure Boot ON, Kernel found key-pair from shim: > Will do the S4 signature check. > > + UEFI Secure Boot ON, Kernel didn't find key-pair from shim: > Will lock down S4 function. > > + UEFI Secure Boot OFF > Will NOT do the S4 signature check. > Ignore any keys from bootloader. > > v2: > Replace sign_key_data_loaded() by skey_data_available() to check sign key data > is available for hibernate. > > Reviewed-by: Jiri Kosina <jkosina@xxxxxxx> > Signed-off-by: Lee, Chun-Yi <jlee@xxxxxxxx> > --- > kernel/power/hibernate.c | 36 +++++++++++++++++- > kernel/power/main.c | 11 +++++- > kernel/power/snapshot.c | 95 ++++++++++++++++++++++++++-------------------- > kernel/power/swap.c | 4 +- > kernel/power/user.c | 11 +++++ > 5 files changed, 112 insertions(+), 45 deletions(-) > > diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c > index c545b15..0f19f3d 100644 > --- a/kernel/power/hibernate.c > +++ b/kernel/power/hibernate.c > @@ -29,6 +29,7 @@ > #include <linux/ctype.h> > #include <linux/genhd.h> > #include <linux/key.h> > +#include <linux/efi.h> > > #include "power.h" > > @@ -632,7 +633,14 @@ static void power_down(void) > int hibernate(void) > { > int error; > - int skey_error; > + > +#ifdef CONFIG_SNAPSHOT_VERIFICATION > + if (!capable(CAP_COMPROMISE_KERNEL) && !skey_data_available()) { > +#else > + if (!capable(CAP_COMPROMISE_KERNEL)) { > +#endif > + return -EPERM; > + } > > lock_system_sleep(); > /* The snapshot device should not be opened while we're running */ > @@ -799,6 +807,15 @@ static int software_resume(void) > if (error) > goto Unlock; > > +#ifdef CONFIG_SNAPSHOT_VERIFICATION > + if (!capable(CAP_COMPROMISE_KERNEL) && !wkey_data_available()) { > +#else > + if (!capable(CAP_COMPROMISE_KERNEL)) { > +#endif > + mutex_unlock(&pm_mutex); > + return -EPERM; > + } > + > /* The snapshot device should not be opened while we're running */ > if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { > error = -EBUSY; > @@ -892,6 +909,15 @@ static ssize_t disk_show(struct kobject *kobj, struct kobj_attribute *attr, > int i; > char *start = buf; > > +#ifdef CONFIG_SNAPSHOT_VERIFICATION > + if (efi_enabled(EFI_SECURE_BOOT) && !skey_data_available()) { > +#else > + if (efi_enabled(EFI_SECURE_BOOT)) { > +#endif > + buf += sprintf(buf, "[%s]\n", "disabled"); > + return buf-start; > + } > + > for (i = HIBERNATION_FIRST; i <= HIBERNATION_MAX; i++) { > if (!hibernation_modes[i]) > continue; > @@ -926,6 +952,14 @@ static ssize_t disk_store(struct kobject *kobj, struct kobj_attribute *attr, > char *p; > int mode = HIBERNATION_INVALID; > > +#ifdef CONFIG_SNAPSHOT_VERIFICATION > + if (!capable(CAP_COMPROMISE_KERNEL) && !skey_data_available()) { > +#else > + if (!capable(CAP_COMPROMISE_KERNEL)) { > +#endif > + return -EPERM; > + } > + > p = memchr(buf, '\n', n); > len = p ? p - buf : n; > You clearly need some helper function. Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html