Comment # 4 on bug 991117 from Joey Lee

(In reply to Takashi Iwai from comment #3)
> Well, this is a side-effect of secure boot.  The recent kernel has a more
> strict check regarding the secure boot.  The suspend-to-disk is dangerous
> from secure boot POV, thus it has to be signed.  In kernel/power/hibernate.c:
> 
> bool hibernation_available(void)
> {       
>         if (nohibernate != 0)
>                 return false;
> 
>         if (get_securelevel() <= 0)
>                 return true;
>         else {
> #ifdef CONFIG_HIBERNATE_VERIFICATION
>                 sigenforce = 1;
>                 return true;
> #else           
>                 return false;
> #endif  
>         }
> }
> 
> And openSUSE kernels don't set CONFIG_HIBERNATE_VERIFICATION.
> 

Because hibernate verification patches doesn't accept by upstream. So I never
push those patches to openSUSE kernel until now.

> Joey, do you remember the reason we disabled it?  We disabled kexec
> signature check because it caused a trouble with kdump.  But this one
> (hibernation verification) seems like an overlooking.

I think either enable CONFIG_HIBERNATE_VERIFICATION or disable
CONFIG_EFI_SECURE_BOOT_SECURELEVEL even CONFIG_SECURITY_SECURELEVEL.

Because openSUSE community do not accept kernel module signature check function
in openSUSE kernel. Honestly I think that only enable kexec signature check and
hibernate verification is not enough to protect system because root can load
any unsigned kernel modules.

So, the policy of openSUSE kernel config is to sync with SLE kernel?