From: Josh Boyer <jwboyer@redhat.com> Git-commit: Not yet, reviewing Patch-mainline: Not yet, reviewing References: fate#314486 Target: SLE-11 SP3 There is currently no way to verify the resume image when returning from hibernate. This might compromise the secure boot trust model, so until we can work with signed hibernate images we disable it in a Secure Boot environment. Signed-off-by: Josh Boyer <jwboyer@redhat.com> Signed-off-by: Matthew Garrett <mjg@redhat.com> Acked-by: Lee, Chun-Yi <jlee@suse.com --- v2: Updated to include swsup after feedback from Jiri Kosina <jkosina@suse.cz> kernel/power/hibernate.c | 14 +++++++++++++- kernel/power/main.c | 4 +++- kernel/power/user.c | 3 +++ 3 files changed, 19 insertions(+), 2 deletions(-) --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -632,6 +632,10 @@ int hibernate(void) { int error; + if (!capable(CAP_COMPROMISE_KERNEL)) { + return -EPERM; + } + lock_system_sleep(); /* The snapshot device should not be opened while we're running */ if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { @@ -723,7 +727,7 @@ static int software_resume(void) /* * If the user said "noresume".. bail out early. */ - if (noresume) + if (noresume || !capable(CAP_COMPROMISE_KERNEL)) return 0; /* @@ -889,6 +893,11 @@ static ssize_t disk_show(struct kobject int i; char *start = buf; + if (!capable(CAP_COMPROMISE_KERNEL)) { + buf += sprintf(buf, "[%s]\n", "disabled"); + return buf-start; + } + for (i = HIBERNATION_FIRST; i <= HIBERNATION_MAX; i++) { if (!hibernation_modes[i]) continue; @@ -923,6 +932,9 @@ static ssize_t disk_store(struct kobject char *p; int mode = HIBERNATION_INVALID; + if (!capable(CAP_COMPROMISE_KERNEL)) + return -EPERM; + p = memchr(buf, '\n', n); len = p ? p - buf : n; --- a/kernel/power/main.c +++ b/kernel/power/main.c @@ -301,7 +301,9 @@ static ssize_t state_show(struct kobject } #endif #ifdef CONFIG_HIBERNATION - s += sprintf(s, "%s\n", "disk"); + if (capable(CAP_COMPROMISE_KERNEL)) { + s += sprintf(s, "%s\n", "disk"); + } #else if (s != buf) /* convert the last space to a newline */ --- a/kernel/power/user.c +++ b/kernel/power/user.c @@ -48,6 +48,9 @@ static int snapshot_open(struct inode *i struct snapshot_data *data; int error; + if (!capable(CAP_COMPROMISE_KERNEL)) + return -EPERM; + lock_system_sleep(); if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org