On Tue, Jun 2, 2020 at 8:42 PM John M. Harris Jr <joh...@splentity.com> wrote:
> In what way is it incompatible with UEFI Secure Boot? Secure Boot does boot verification. Hibernation right now doesn't. And that makes it a Secure Boot loophole. And that makes it incompatible with Secure Boot. It's not a new idea, it's been this way for a while. And so have the complaints. https://lwn.net/Articles/523367/ <If the kernel and > initramfs are signed, and the resume image is for that kernel, how is this an > issue? The initramfs is not signed. > What if swap is on LUKS? No signature. No integrity. It is a net reduction in the protection provided by Secure Boot - e.g. it can't detect intentional corruption that could crash the system or even cause more corruption and eventual data loss as the system runs. > If kernel lockdown is what disables this, we should look at fixing kernel > lockdown so that it doesn't break hibernation. This is definitely a security > decision that we shouldn't be imposing on the masses needlessly, in my > opinion. Instead you propose imposing a loophole for attackers to easily deploy malware needlessly. Do you really not see how this is an untenable position for Fedora? -- Chris Murphy _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
