Hi! > > > If I have > > > different security designs for swap space and hibernate, then even a > > > chance of some swap leaking into this region is a problem. > > > > Could you expand some more about the this part please? > > Offline attacks (ie manipulating storage from underneath the machine) > are a major concern when enabling both swap and hibernate. But the > approach of adding integrity to mitigate offline attacks may differ > between swap and hibernate in the interest of performance. Swap for > instance essentially needs a per-page dictionary of hashes for > integrity, since pages can be added and removed arbitrarily. Hibernate > however just needs a single hash across the entire image to provide > integrity. If you have swap leaking onto a region where you don't have > integrity enabled (because say you handled integrity at the image > level for hibernate, and at the block layer for swap), your swap > integrity story is compromised. If you want to encrypt/sign the hibernation, you likely should use uswsusp, and that means you can store hibernation image where (and how) you want it, without modifying kernel. See kernel/power/user.c . > I don't think this digs the design hole deeper. Yes, the ship on this > design has long ago sailed. But if we ever did try to dig ourselves > out of the swap/hibernate hole by providing new APIs to handle them > separately, this flag would serve as a good cutover to divert out of > the swap code and into the new shiny hibernate-only code. The APIs are > never going to be totally disentangled, so a clean cutover opportunity > is the best one can hope for. Is uswsusp the place that should provide clean cutover? Anyway, I acked the patch before, but it looks like it was mistake. I withdraw the ack. Best regards, Pavel -- http://www.livejournal.com/~pavelmachek
Attachment:
signature.asc
Description: PGP signature