Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Kernel Lockdown and Hibernation
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware
View previous topic :: View next topic  
Author Message
juliedeville
n00b
n00b


Joined: 14 Oct 2024
Posts: 30

PostPosted: Sun Nov 10, 2024 5:01 pm    Post subject: Kernel Lockdown and Hibernation Reply with quote

Is it possible to safely allow hibernation with kernel lockdown enabled using a module such as this:

https://github.com/K0HAX/kunlock-hibernate

or a patch like this one:

https://gist.github.com/brknkfr/95d1925ccdbb7a2d18947c168dfabbee

and if so, which would be the better way to do it? I am still new to gentoo and working with the kernel.
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 22642

PostPosted: Sun Nov 10, 2024 5:34 pm    Post subject: Reply with quote

That depends on what you mean by "safe." Kernel lockdown must disable hibernation, because it is presumed to be unsafe to resume from a kernel image that might have been modified in ways that violate the lockdown policies. The two paths you cite are both overrides of this policy, implemented through different means. Neither adds any security of its own, so whether it is "safe" depends on whether your threat model handles offline modification of the hibernation image. Broadly, I would say threat models here fit one of a few categories:
  • Kernel lockdown is not wanted, so any negative effects from it are unwanted. You would prefer to enable hibernation despite the risks.
  • Offline attacks are assumed to be impossible due to physical security of the computer. Therefore, offline modification of the hibernation image is likewise assumed to be impossible, and you can "safely" enable hibernation.
  • Offline attacks are theoretically possible, but you as the operator assume that none will occur in practice, so again, you can "safely" enable hibernation. This can be appropriate for a home user, where every person in the home is trusted.
  • Offline attacks are a serious concern (such as for a computer in an office where multiple people have physical access to it, and at least one such person is not trusted with full administrator privilege on the system). You should not enable hibernation here.

If I needed to bypass the restriction, I would use the second patch, on the basis that it was simple enough for me to do a quick visual review and find nothing malicious or complicated in it.

If you want more specific advice, please explain your threat model and why kernel lockdown is enabled at all. What, if any, value do you hope to get from other kernel lockdown features?
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum