----- Original Message ----- > From: "Matthew Garrett" <matthew.garrett@xxxxxxxxxx> > To: "Lenny Szubowicz" <lszubowi@xxxxxxxxxx> > Cc: linux-kernel@xxxxxxxxxxxxxxx, linux-efi@xxxxxxxxxxxxxxx, jwboyer@xxxxxxxxxx, keescook@xxxxxxxxxxxx > Sent: Wednesday, August 28, 2013 6:41:55 PM > Subject: Re: [PATCH 0/10] Add additional security checks when module loading is restricted > > On Wed, 2013-08-28 at 18:37 -0400, Lenny Szubowicz wrote: > > > Did you purposely exclude similar checks for hibernate that were covered > > by earlier versions of your patch set? > > Yes, I think it's worth tying it in with the encrypted hibernation > support. The local attack is significantly harder in the hibernation > case - in the face of unknown hardware it basically involves a > pre-generated memory image corresponding to your system or the ability > to force a reboot into an untrusted environment. I think it's probably > more workable to just add a configuration option for forcing encrypted > hibernation when secure boot is in use. > > -- > Matthew Garrett <matthew.garrett@xxxxxxxxxx> I'm root. So I can write anything I want to the swap file that looks like a valid hibernate image but is code of my choosing. I can read anything I need from /dev/mem or /dev/kmem to help me do that. I can then immediately initiate a reboot. -Lenny. -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html