Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Secure Boot Patches Break Hibernation

Posted by Unknown on from the intentional-side-effects dept.

hypnosec writes "Matthew Garrett published some patches today which break hibernate and kexec support on Linux when Secure Boot is used. The reason for disabling hibernation is that currently the Linux kernel doesn't have the capability of verifying the resume image when returning from hibernation, which compromises the Secure Boot trust model. The reason for disabling the kexec support while running in Secure Boot is that the kernel execution mechanism may be used to load a modified kernel thus bypassing the trust model of Secure Boot." Before arming your tactical nuclear flame cannon, note that mjg says "These patches break functionality that people rely on without providing any functional equivalent, so I'm not suggesting that they be merged as-is." Support for signed kexec should come eventually, but it looks like hibernation will require some clever hacking to support properly in a Restricted Boot environment.

4 of 196 comments (clear)

  1. Certificates can be revoked by tepples · · Score: 5, Interesting

    A patch that is not going to be merged into the kernel proper breaks hibernation with secure boot in Linux

    Perhaps the fear is that if the patch is not merged, Microsoft will revoke the certificates that have been used to sign mainstream GNU/Linux distributions.

    1. Re:Certificates can be revoked by Nerdfest · · Score: 5, Interesting

      I just bought a very nice laptop from System76. Good price/performance, fantastic Linux comparability, and no Microsoft tax. I figured I might as well put my money where my mouth is on supporting vendors that have good support for Linux.

  2. Sign the hibernation file by tepples · · Score: 3, Interesting

    The problem is that anyone with physical access can fuck with the memory dump in between the hibernation and the restore

    Anyone with physical access can probably reset the BIOS password and turn off secure boot. But barring that, perhaps one solution is to sign the memory dump with a key stored in the TPM.

  3. Conceptually.. by Junta · · Score: 5, Interesting

    What distinguishes hibernated memory image from, say, an initrd? Practically speaking, a distro has to allow for initrds to boot that aren't signed by the distribution. In fact, what about booting *any* filesystem? Some may suggest that the goal would be to have every binary signed, but what about end-user maintained scripts and config files? SecureBoot as currently defined only about the OS provider signing what they provide and that leaves a whole lot of area for malicious content outside that scope. It's of little comfort that you have assurance that you are running the correct sshd if, for example, you have malicious ssh_config and malicious authorized_keys.

    --
    XML is like violence. If it doesn't solve the problem, use more.