> > is basically DMA-ing arbitrary data over the whole RAM. I am currently not > > able to imagine a scenario how this could be made "secure" (without > > storing private keys to sign the hibernation image on the machine itself > > which, well, doesn't sound secure either). That's what the TPM is for (in fact all of this stuff can be done properly with a TPM while the 'secure' boot stuff can do little if any of it. > > I have a patch that disables that. I imagine it will be included in the > next submission of the patchset. > > You can find it here in the meantime: > > http://jwboyer.fedorapeople.org/pub/0001-hibernate-Disable-in-a-Secure-Boot-environment.patch All this depends on your threat model. If I have physical access to suspend/resume your machine then you already lost. If I don't have physical access then I can't boot my unsigned OS to patch your S4 image so it doesn't matter. In fact the more I think about this the more it seems disabling hibernate is basically farting in the wind. Alan -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html