On Wed, 2013-08-28 at 18:37 -0400, Lenny Szubowicz wrote:
> Did you purposely exclude similar checks for hibernate that were covered
> by earlier versions of your patch set?

Yes, I think it's worth tying it in with the encrypted hibernation support. The local attack is significantly harder in the hibernation case - in the face of unknown hardware it basically involves a pre-generated memory image corresponding to your system or the ability to force a reboot into an untrusted environment. I think it's probably more workable to just add a configuration option for forcing encrypted hibernation when secure boot is in use.

--
Matthew Garrett <matthew.garrett@xxxxxxxxxx>