From patchwork Tue Mar 26 18:27:24 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Matthew Garrett <matthewgarrett@google.com>
X-Patchwork-Id: 10871983
Return-Path: <linux-security-module-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 5812117E0
	for <patchwork-linux-security-module@patchwork.kernel.org>;
 Tue, 26 Mar 2019 18:30:18 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 49CE428C50
	for <patchwork-linux-security-module@patchwork.kernel.org>;
 Tue, 26 Mar 2019 18:30:18 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 3CF6628C46; Tue, 26 Mar 2019 18:30:18 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-14.5 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,USER_IN_DEF_DKIM_WL autolearn=ham
	version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D4E4628C46
	for <patchwork-linux-security-module@patchwork.kernel.org>;
 Tue, 26 Mar 2019 18:30:17 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732681AbfCZSaH (ORCPT
        <rfc822;patchwork-linux-security-module@patchwork.kernel.org>);
        Tue, 26 Mar 2019 14:30:07 -0400
Received: from mail-yw1-f73.google.com ([209.85.161.73]:34931 "EHLO
        mail-yw1-f73.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1732641AbfCZS2Q (ORCPT
        <rfc822;linux-security-module@vger.kernel.org>);
        Tue, 26 Mar 2019 14:28:16 -0400
Received: by mail-yw1-f73.google.com with SMTP id w6so19949021ywd.2
        for <linux-security-module@vger.kernel.org>;
 Tue, 26 Mar 2019 11:28:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=date:in-reply-to:message-id:mime-version:references:subject:from:to
         :cc;
        bh=F7gwrLqBhitPmGCH3yDZVQC7NL1DApaJvsgcGKz9XZw=;
        b=hd/qJI5pj21wdEXiN1GwGQHBvVWEtmSPOfLn12fiaFf2w7nNYsYJpe9u8ow9/Re1Kb
         FvKsZkCo/b0GsFfWFuz7eAQFgkAyaD1YtMu/MyusFUzAhdYBGkZWIj1S+E8fN9DnaUae
         L8FwSMa5O7X9SlCg7DEGpzVPkBfeq+h0Wz6MqDxvDPB424xtQc9WmiNTOO+jUGewUNHD
         lpCXH7AOi+wpEp3OI9bXgjF1sBIcv8UIJnzzt+rmTvkH36pdxeTNEvndnDJ1OpSY/cAA
         rOexpy+QRByAQot5nHETdAlDEtaJ3PrSaljT6cRrg+ws0ERdZzfzb5mmKZf2MqHgiBKm
         t7vA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:in-reply-to:message-id:mime-version
         :references:subject:from:to:cc;
        bh=F7gwrLqBhitPmGCH3yDZVQC7NL1DApaJvsgcGKz9XZw=;
        b=DQlmAxVHIJ9nWHK03g5vFpdz1rXYtXW+fyg1faPTZwWq7FBSuTNTMKdzKwLVsJWhPE
         eAHMLULZkRMzLSHsbQqrfMyqLIXCxv9HjVgRFVFFJrCrDaI0YaZz9NW132R35+/7yycB
         iH/r7EzKSPr9QoSjdHsP0h6+hqWgIYS7BHQg34QGfYKsvoWi5V8kPIpINq9ZXyHd3uvy
         mSc6EYMmSyoyDiFDNvjqCMHSPYU/DerQok6LLyDLRn8h2sL8B5R/tEI878qVBbVMpwx2
         k6DaJG4JaiMmuGlyOFxVb+aZXQJUiP8KwWM7Dy+/MJ3o+6ZMAyizTah95sLlp5TCq/Sv
         vqtg==
X-Gm-Message-State: APjAAAXZLF8E/pc/c4HHIH98hTQ6UEhEUIBegPHLzFq2cQxbzV2lB5w+
        j2h8K9maCKM1nbJ71BX7ax8n6q6k185QfkU5mqZgDQ==
X-Google-Smtp-Source: 
 APXvYqz53lg90CRAmq2n9UPcuRM+Zbwo5prjfkTYkHVgr5i0xCngmc0ofLZBkRfHjvHhL+zyIQ3AzU157vWcCX9jyM6hWw==
X-Received: by 2002:a81:3c90:: with SMTP id
 j138mr27011505ywa.276.1553624895457;
 Tue, 26 Mar 2019 11:28:15 -0700 (PDT)
Date: Tue, 26 Mar 2019 11:27:24 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-9-matthewgarrett@google.com>
Mime-Version: 1.0
References: <20190326182742.16950-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog
Subject: [PATCH V31 08/25] hibernate: Disable when the kernel is locked down
From: Matthew Garrett <matthewgarrett@google.com>
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, dhowells@redhat.com,
        linux-api@vger.kernel.org, luto@kernel.org,
        Josh Boyer <jwboyer@fedoraproject.org>,
        Matthew Garrett <mjg59@google.com>, rjw@rjwysocki.net,
        pavel@ucw.cz, linux-pm@vger.kernel.org
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk
List-ID: <linux-security-module.vger.kernel.org>
X-Virus-Scanned: ClamAV using ClamSMTP

From: Josh Boyer <jwboyer@fedoraproject.org>

There is currently no way to verify the resume image when returning
from hibernate.  This might compromise the signed modules trust model,
so until we can work with signed hibernate images we disable it when the
kernel is locked down.

Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Matthew Garrett <mjg59@google.com>
Cc: rjw@rjwysocki.net
Cc: pavel@ucw.cz
cc: linux-pm@vger.kernel.org
---
 kernel/power/hibernate.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index abef759de7c8..928b198cfa26 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -70,7 +70,8 @@ static const struct platform_hibernation_ops *hibernation_ops;
 
 bool hibernation_available(void)
 {
-	return (nohibernate == 0);
+	return nohibernate == 0 && !kernel_is_locked_down("Hibernation",
+							  LOCKDOWN_INTEGRITY);
 }
 
 /**