From: Josh Boyer
Date: Fri, 26 Oct 2012 18:02:09 +0000 (-0400)
Subject: hibernate: Disable in a signed modules environment
X-Git-Tag: v4.1.12-92~310^2~1
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=6189d0bc2697ace4df1b8d6432185de8b6ad2626;p=users%2Fjedix%2Flinux-maple.git

hibernate: Disable in a signed modules environment

Orabug: 21539498

There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, so until we can work with signed hibernate images we disable it in a secure modules environment.

Signed-off-by: Josh Boyer
Signed-off-by: Guangyu Sun
Signed-off-by: Santosh Shilimkar
---

diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index 2329daae52553..b2579f6e6d98b 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -30,6 +30,8 @@
 #include
 #include
 #include
+#include
+#include
 
 #include "power.h"
 
@@ -651,6 +653,10 @@ int hibernate(void)
 return -EPERM;
 }
 
+ if (get_securelevel() > 0) {
+ return -EPERM;
+ }
+
 lock_system_sleep();
 /* The snapshot device should not be opened while we're running */
 if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
@@ -743,7 +749,7 @@ static int software_resume(void)
 /*
 * If the user said "noresume".. bail out early.
 */
- if (noresume || !hibernation_available())
+ if (noresume || !hibernation_available() || get_securelevel() > 0)
 return 0;
 
 /*
@@ -912,6 +918,11 @@ static ssize_t disk_show(struct kobject *kobj, struct kobj_attribute *attr,
 if (!hibernation_available())
 return sprintf(buf, "[disabled]\n");
 
+ if (efi_enabled(EFI_SECURE_BOOT)) {
+ buf += sprintf(buf, "[%s]\n", "disabled");
+ return buf-start;
+ }
+
 for (i = HIBERNATION_FIRST; i <= HIBERNATION_MAX; i++) {
 if (!hibernation_modes[i])
 continue;
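Review bot: The `get_securelevel() > 0` test added to hibernate() is open-coded again in software_resume() and disk_store(), while disk_show() and state_show() in this same commit test `efi_enabled(EFI_SECURE_BOOT)`, so the enforcement paths and the sysfs reporting paths can disagree whenever the two conditions differ. Moving the securelevel test into hibernation_available() would give every site a single predicate and would also cover callers outside this diff that check only hibernation_available(); the snapshot device mentioned in this hunk's context comment is not touched by the commit and is worth verifying against the same policy. As a style point, the braces around the single `return -EPERM;` differ from the brace-less form used for the identical check in disk_store(); `if (get_securelevel() > 0)` followed by `return -EPERM;` would match. hibernate() starts and ends outside the hunk.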
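Review bot: The comment above the changed condition in software_resume() still reads `If the user said "noresume".. bail out early.`, but the condition now also returns 0 when hibernation is unavailable or when `get_securelevel() > 0`. I would update it to something like `* Bail out early on "noresume", when hibernation is unavailable, or when securelevel > 0 (the resume image cannot be verified).` so the security reason for skipping the image is recorded at the check. The return is silent on this path as far as the hunk shows, so a skipped resume would be hard to distinguish from a missing image in the logs; the rest of the function lies outside the hunk.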
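Review bot: The new branch in disk_show() builds its reply with `buf += sprintf(buf, "[%s]\n", "disabled");` and `return buf-start;`, which is a roundabout way of writing what the line directly above already does, and it formats a constant through `%s` for no benefit. The same output is produced by `if (efi_enabled(EFI_SECURE_BOOT))` followed by `return sprintf(buf, "[disabled]\n");`, without depending on `start`, which is declared outside the hunk. Since disk_store() rejects writes on `get_securelevel() > 0`, using that same condition here would keep what /sys/power/disk shows in step with what a write is allowed to do.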
@@ -949,6 +960,9 @@ static ssize_t disk_store(struct kobject *kobj, struct kobj_attribute *attr,
 if (!hibernation_available())
 return -EPERM;
 
+ if (get_securelevel() > 0)
+ return -EPERM;
+
 p = memchr(buf, '\n', n);
 len = p ? p - buf : n;
 
diff --git a/kernel/power/main.c b/kernel/power/main.c
index 86e8157a450f5..a432487e6af8d 100644
--- a/kernel/power/main.c
+++ b/kernel/power/main.c
@@ -15,6 +15,7 @@
 #include
 #include
 #include
+#include
 
 #include "power.h"
 
@@ -300,8 +301,13 @@ static ssize_t state_show(struct kobject *kobj, struct kobj_attribute *attr,
 s += sprintf(s,"%s ", pm_states[i]);
 
 #endif
- if (hibernation_available())
- s += sprintf(s, "disk ");
+ if (hibernation_available()) {
+ if (!efi_enabled(EFI_SECURE_BOOT)) {
+ s += sprintf(s, "disk ");
+ } else {
+ s += sprintf(s, "\n");
+ }
+ }
 if (s != buf)
 /* convert the last space to a newline */
 *(s-1) = '\n';
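Review bot: The `else` branch added to state_show() appends "\n", and the unchanged tail then overwrites that last byte with '\n' again, so the trailing space left by the preceding `"%s "` entries is no longer converted. With secure boot enabled the file would end in a space followed by a newline, and a list that was previously empty becomes a lone newline, which may confuse userspace that splits this file on whitespace. Dropping the branch keeps the old format: `if (hibernation_available() && !efi_enabled(EFI_SECURE_BOOT))` followed by `s += sprintf(s, "disk ");`. The function's return statement is outside the hunk.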