From 62e3ff7d03c65de24b1acc41ac553774ef8dd809 Mon Sep 17 00:00:00 2001 From: Chris Murphy Date: Apr 23 2021 21:35:05 +0000 Subject: add mjg59's article on making hibernation work with lockdown --- diff --git a/hibernationstatus.md b/hibernationstatus.md index c602c28..509d447 100644 --- a/hibernationstatus.md +++ b/hibernationstatus.md @@ -1,6 +1,6 @@ -# Supporting hibernation in Workstation ed., draft 2 +# Supporting hibernation in Workstation ed., draft 3 -2020-05-31 +2021-04-23 **Synopsis:** @@ -41,13 +41,14 @@ We will support an install time means of enabling hibernation retained via Custo **Necessary enhancements to hibernation:** - signed and encrypted hibernation image [6]. +- signed, but not encrypted hibernation image [7]. *Note:* This is the most central nugget needed for limited hibernation support. Encrypted swap is inadequate because encryption alone provides no integrity. Even though there is an authentication component to the encryption, the image can't be said to be authentic -- as-in trustworthy. To provide the required trust and confidentiality, the hibernation image needs to be both signed and encrypted. **Nice to have enhancements to hibernation:** -- dynamic swapfiles created and enabled prior to hibernation entry [7]; -- single interface for determining the location of the hibernation image for all file systems [8]; +- dynamic swapfiles created and enabled prior to hibernation entry [8]; +- single interface for determining the location of the hibernation image for all file systems [9]; - TPM2 support, or alternative, for storing the key(s) needed to resume. 
@@ -73,15 +74,17 @@ https://github.com/rhinstaller/anaconda/blob/master/pyanaconda/core/storage.py#L [6] Joey Lee @ SUSE recently confirmed [this lkml email](https://lkml.org/lkml/2019/7/10/601) is the latest status of that work. -[7] +[7] +[Making hibernation work under Linux Lockdown -by Matthew Garrett](https://mjg59.dreamwidth.org/55845.html) + +[8] Developing this means hibernation capability could be enabled post-install, and more easily serve competing use cases. Use cases that don't need hibernation would avoid the space wasted for a dedicated and unused swap partition. Use cases that need hibernation would be supported without a swap partition being created at install time. https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/MML5MAKBFNEXBT67TCOVUWGFNOUDYUUP/ https://pagure.io/fedora-workstation/issue/120#comment-618549 -[8] +[9] https://github.com/systemd/systemd/issues/11939#issuecomment-471684411 - **Appendix** [LWN: Hibernation in the cloud](https://lwn.net/Articles/821158/) @@ -89,3 +92,4 @@ https://github.com/systemd/systemd/issues/11939#issuecomment-471684411 [LWN: Fedora reawakens the hibernation debate](https://lwn.net/Articles/764841/) [Freedesktop reference: hybrid-sleep vs suspend-then-hibernate](https://www.freedesktop.org/software/systemd/man/systemd-sleep.conf.html) +
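Review bot: In the `@@ -1,6 +1,6 @@` hunk the title moves to "draft 3" and the date changes, but the commit subject only mentions adding an article. Since the same patch also adds an entry under "Necessary enhancements", the commit message should say that the requirements changed, so that someone reading the log can find where draft 3 began.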
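Review bot: In the `@@ -41,13 +41,14 @@` hunk, the new bullet "signed, but not encrypted hibernation image [7]" conflicts with the unchanged Note below it, which still says the image "needs to be both signed and encrypted". It is also listed next to "signed and encrypted hibernation image [6]" with nothing to say how the two relate. Suggest stating whether [7] is an alternative to [6] or an interim step, and updating the Note to say how confidentiality of the image is provided when only its integrity is covered.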
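Review bot: In the `@@ -73,15 +74,17 @@` hunk the footnotes are renumbered by hand ([7] to [8], [8] to [9]), and the only in-text references this patch updates are the two under "Nice to have enhancements". Check the rest of hibernationstatus.md for other uses of [7] or [8] that would now point at the wrong entry. The new [7] entry is also a bare link, unlike [6] and [8], which say why the reference matters; a one-line summary of what the article contributes to the proposal would help.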