This allows the user to tell the kernel that they know better (namely,
they secured their swap properly), and that it can enable hibernation.

I've been using this for about a year now, as it doesn't seem like
proper secure hibernation was going to be implemented back then, and
it's now been a year since I've been building my own kernels with this
patch, so getting this upstreamed would save some CO2 from me building
my own kernels every upgrade.

Some other not-me users have also tested the patch:

https://community.frame.work/t/guide-fedora-36-hibernation-with-enabled-secure-boot-and-full-disk-encryption-fde-decrypting-over-tpm2/25474/17

Signed-off-by: Kelvie Wong <kelvie@kelvie.ca>
---
 Documentation/admin-guide/kernel-parameters.txt |  5 +++++
 kernel/power/hibernate.c                        | 10 +++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 426fa892d311..54785faba9e0 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2804,6 +2804,11 @@
 			to extract confidential information from the kernel
 			are also disabled.
 
+	lockdown_hibernate	[HIBERNATION]
+			Enable hibernation even if lockdown is enabled. Enable this only if
+			your swap is encrypted and secured properly, as an attacker can
+			modify the kernel offline during hibernation.
+
 	locktorture.nreaders_stress= [KNL]
 			Set the number of locking read-acquisition kthreads.
 			Defaults to being automatically set based on the
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index 89c71fce225d..2221c531d54c 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -36,6 +36,7 @@
 #include "power.h"
 
 
+static int lockdown_hibernate;
 static int nocompress;
 static int noresume;
 static int nohibernate;
@@ -82,7 +83,7 @@ void hibernate_release(void)
 bool hibernation_available(void)
 {
 	return nohibernate == 0 &&
-		!security_locked_down(LOCKDOWN_HIBERNATION) &&
+		(lockdown_hibernate || !security_locked_down(LOCKDOWN_HIBERNATION)) &&
 		!secretmem_active() && !cxl_mem_active();
 }
 
@@ -1340,6 +1341,12 @@ static int __init nohibernate_setup(char *str)
 	return 1;
 }
 
+static int __init lockdown_hibernate_setup(char *str)
+{
+	lockdown_hibernate = 1;
+	return 1;
+}
+
 __setup("noresume", noresume_setup);
 __setup("resume_offset=", resume_offset_setup);
 __setup("resume=", resume_setup);
@@ -1347,3 +1354,4 @@ __setup("hibernate=", hibernate_setup);
 __setup("resumewait", resumewait_setup);
 __setup("resumedelay=", resumedelay_setup);
 __setup("nohibernate", nohibernate_setup);
+__setup("lockdown_hibernate", lockdown_hibernate_setup);
-- 
2.37.3

[add security & dhowells]

On 11/13/23 18:23, Kelvie Wong wrote:
> This allows the user to tell the kernel that they know better (namely,
> they secured their swap properly), and that it can enable hibernation.
> 
> I've been using this for about a year now, as it doesn't seem like
> proper secure hibernation was going to be implemented back then, and
> it's now been a year since I've been building my own kernels with this
> patch, so getting this upstreamed would save some CO2 from me building
> my own kernels every upgrade.
> 
> Some other not-me users have also tested the patch:
> 
> https://community.frame.work/t/guide-fedora-36-hibernation-with-enabled-secure-boot-and-full-disk-encryption-fde-decrypting-over-tpm2/25474/17
> 
> Signed-off-by: Kelvie Wong <kelvie@kelvie.ca>
> ---
>  Documentation/admin-guide/kernel-parameters.txt |  5 +++++
>  kernel/power/hibernate.c                        | 10 +++++++++-
>  2 files changed, 14 insertions(+), 1 deletion(-)
> 
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 426fa892d311..54785faba9e0 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -2804,6 +2804,11 @@
>  			to extract confidential information from the kernel
>  			are also disabled.
>  
> +	lockdown_hibernate	[HIBERNATION]
> +			Enable hibernation even if lockdown is enabled. Enable this only if
> +			your swap is encrypted and secured properly, as an attacker can
> +			modify the kernel offline during hibernation.
> +
>  	locktorture.nreaders_stress= [KNL]
>  			Set the number of locking read-acquisition kthreads.
>  			Defaults to being automatically set based on the
> diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
> index 89c71fce225d..2221c531d54c 100644
> --- a/kernel/power/hibernate.c
> +++ b/kernel/power/hibernate.c
> @@ -36,6 +36,7 @@
>  #include "power.h"
>  
>  
> +static int lockdown_hibernate;
>  static int nocompress;
>  static int noresume;
>  static int nohibernate;
> @@ -82,7 +83,7 @@ void hibernate_release(void)
>  bool hibernation_available(void)
>  {
>  	return nohibernate == 0 &&
> -		!security_locked_down(LOCKDOWN_HIBERNATION) &&
> +		(lockdown_hibernate || !security_locked_down(LOCKDOWN_HIBERNATION)) &&
>  		!secretmem_active() && !cxl_mem_active();
>  }
>  
> @@ -1340,6 +1341,12 @@ static int __init nohibernate_setup(char *str)
>  	return 1;
>  }
>  
> +static int __init lockdown_hibernate_setup(char *str)
> +{
> +	lockdown_hibernate = 1;
> +	return 1;
> +}
> +
>  __setup("noresume", noresume_setup);
>  __setup("resume_offset=", resume_offset_setup);
>  __setup("resume=", resume_setup);
> @@ -1347,3 +1354,4 @@ __setup("hibernate=", hibernate_setup);
>  __setup("resumewait", resumewait_setup);
>  __setup("resumedelay=", resumedelay_setup);
>  __setup("nohibernate", nohibernate_setup);
> +__setup("lockdown_hibernate", lockdown_hibernate_setup);

-- 
~Randy

On Mon, Nov 13, 2023 at 11:01 PM Randy Dunlap <rdunlap@infradead.org> wrote:
>
> [add security & dhowells]
>
> On 11/13/23 18:23, Kelvie Wong wrote:
> > This allows the user to tell the kernel that they know better (namely,
> > they secured their swap properly), and that it can enable hibernation.
> >
> > I've been using this for about a year now, as it doesn't seem like
> > proper secure hibernation was going to be implemented back then, and
> > it's now been a year since I've been building my own kernels with this
> > patch, so getting this upstreamed would save some CO2 from me building
> > my own kernels every upgrade.
> >
> > Some other not-me users have also tested the patch:
> >
> > https://community.frame.work/t/guide-fedora-36-hibernation-with-enabled-secure-boot-and-full-disk-encryption-fde-decrypting-over-tpm2/25474/17
> >
> > Signed-off-by: Kelvie Wong <kelvie@kelvie.ca>
> > ---
> >  Documentation/admin-guide/kernel-parameters.txt |  5 +++++
> >  kernel/power/hibernate.c                        | 10 +++++++++-
> >  2 files changed, 14 insertions(+), 1 deletion(-)
> >
> > diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> > index 426fa892d311..54785faba9e0 100644
> > --- a/Documentation/admin-guide/kernel-parameters.txt
> > +++ b/Documentation/admin-guide/kernel-parameters.txt
> > @@ -2804,6 +2804,11 @@
> >                       to extract confidential information from the kernel
> >                       are also disabled.
> >
> > +     lockdown_hibernate      [HIBERNATION]
> > +                     Enable hibernation even if lockdown is enabled. Enable this only if
> > +                     your swap is encrypted and secured properly, as an attacker can
> > +                     modify the kernel offline during hibernation.
> > +
> >       locktorture.nreaders_stress= [KNL]
> >                       Set the number of locking read-acquisition kthreads.
> >                       Defaults to being automatically set based on the
> > diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
> > index 89c71fce225d..2221c531d54c 100644
> > --- a/kernel/power/hibernate.c
> > +++ b/kernel/power/hibernate.c
> > @@ -36,6 +36,7 @@
> >  #include "power.h"
> >
> >
> > +static int lockdown_hibernate;
> >  static int nocompress;
> >  static int noresume;
> >  static int nohibernate;
> > @@ -82,7 +83,7 @@ void hibernate_release(void)
> >  bool hibernation_available(void)
> >  {
> >       return nohibernate == 0 &&
> > -             !security_locked_down(LOCKDOWN_HIBERNATION) &&
> > +             (lockdown_hibernate || !security_locked_down(LOCKDOWN_HIBERNATION)) &&
> >               !secretmem_active() && !cxl_mem_active();
> >  }

I would feel a lot better about this if there was a way to verify that
the swap was protected as opposed to leaving that as a note in a doc
that the majority of users will never see, read, or understand.

-- 
paul-moore.com

On Mon, 20 Nov 2023 at 13:12, Paul Moore <paul@paul-moore.com> wrote:
> On Mon, Nov 13, 2023 at 11:01 PM Randy Dunlap <rdunlap@infradead.org> wrote:
> >
> > [add security & dhowells]
> >
> > On 11/13/23 18:23, Kelvie Wong wrote:
> > > This allows the user to tell the kernel that they know better (namely,
> > > they secured their swap properly), and that it can enable hibernation.
> > >
> > > I've been using this for about a year now, as it doesn't seem like
> > > proper secure hibernation was going to be implemented back then, and
> > > it's now been a year since I've been building my own kernels with this
> > > patch, so getting this upstreamed would save some CO2 from me building
> > > my own kernels every upgrade.
> > >
> > > Some other not-me users have also tested the patch:
> > >
> > > https://community.frame.work/t/guide-fedora-36-hibernation-with-enabled-secure-boot-and-full-disk-encryption-fde-decrypting-over-tpm2/25474/17
> > >
> > > Signed-off-by: Kelvie Wong <kelvie@kelvie.ca>
>
> I would feel a lot better about this if there was a way to verify that
> the swap was protected as opposed to leaving that as a note in a doc
> that the majority of users will never see, read, or understand.

I'd argue that this wouldn't even be necessary if we detect the swap was
protected -- hibernation should just be enabled in that case without setting
any parameters.

My understanding is that it was disabled waiting for this
functionality, and it's been
at least a couple of years now [1], so it looks like it's not such an
easy problem.

Anyway, my argument is that the majority of users will never use this kernel
parameter anyway, so I think it's a fair assumption that the power users that
*do* use this will educate themselves on why this parameter even exists.

[1] https://lwn.net/Articles/847042/

-- 
Kelvie

On Mon, Nov 20, 2023 at 10:07 PM Kelvie Wong <kelvie@kelvie.ca> wrote:
> On Mon, 20 Nov 2023 at 13:12, Paul Moore <paul@paul-moore.com> wrote:
> > On Mon, Nov 13, 2023 at 11:01 PM Randy Dunlap <rdunlap@infradead.org> wrote:
> > >
> > > [add security & dhowells]
> > >
> > > On 11/13/23 18:23, Kelvie Wong wrote:
> > > > This allows the user to tell the kernel that they know better (namely,
> > > > they secured their swap properly), and that it can enable hibernation.
> > > >
> > > > I've been using this for about a year now, as it doesn't seem like
> > > > proper secure hibernation was going to be implemented back then, and
> > > > it's now been a year since I've been building my own kernels with this
> > > > patch, so getting this upstreamed would save some CO2 from me building
> > > > my own kernels every upgrade.
> > > >
> > > > Some other not-me users have also tested the patch:
> > > >
> > > > https://community.frame.work/t/guide-fedora-36-hibernation-with-enabled-secure-boot-and-full-disk-encryption-fde-decrypting-over-tpm2/25474/17
> > > >
> > > > Signed-off-by: Kelvie Wong <kelvie@kelvie.ca>
> >
> > I would feel a lot better about this if there was a way to verify that
> > the swap was protected as opposed to leaving that as a note in a doc
> > that the majority of users will never see, read, or understand.
>
> I'd argue that this wouldn't even be necessary if we detect the swap was
> protected -- hibernation should just be enabled in that case without setting
> any parameters.
>
> My understanding is that it was disabled waiting for this
> functionality, and it's been
> at least a couple of years now [1], so it looks like it's not such an
> easy problem.

I've got to warn you that I have an allergic reaction to arguments
that start with "the right solution is really hard, so let's pick the
easier, worse solution." ;)

> Anyway, my argument is that the majority of users will never use this kernel
> parameter anyway, so I think it's a fair assumption that the power users that
> *do* use this will educate themselves on why this parameter even exists.

I guess I'm still not sold on this idea, I'm sorry.

-- 
paul-moore.com

On Tue, 21 Nov 2023 at 20:53, Paul Moore <paul@paul-moore.com> wrote:
> On Mon, Nov 20, 2023 at 10:07 PM Kelvie Wong <kelvie@kelvie.ca> wrote:
> > On Mon, 20 Nov 2023 at 13:12, Paul Moore <paul@paul-moore.com> wrote:
> > > On Mon, Nov 13, 2023 at 11:01 PM Randy Dunlap <rdunlap@infradead.org> wrote:
> > > >
> > > > [add security & dhowells]
> > > >
> > > > On 11/13/23 18:23, Kelvie Wong wrote:
> > > > > This allows the user to tell the kernel that they know better (namely,
> > > > > they secured their swap properly), and that it can enable hibernation.
> > > > >
> > > > > I've been using this for about a year now, as it doesn't seem like
> > > > > proper secure hibernation was going to be implemented back then, and
> > > > > it's now been a year since I've been building my own kernels with this
> > > > > patch, so getting this upstreamed would save some CO2 from me building
> > > > > my own kernels every upgrade.
> > > > >
> > > > > Some other not-me users have also tested the patch:
> > > > >
> > > > > https://community.frame.work/t/guide-fedora-36-hibernation-with-enabled-secure-boot-and-full-disk-encryption-fde-decrypting-over-tpm2/25474/17
> > > > >
> > > > > Signed-off-by: Kelvie Wong <kelvie@kelvie.ca>
> > >
> > > I would feel a lot better about this if there was a way to verify that
> > > the swap was protected as opposed to leaving that as a note in a doc
> > > that the majority of users will never see, read, or understand.
> >
> I've got to warn you that I have an allergic reaction to arguments
> that start with "the right solution is really hard, so let's pick the
> easier, worse solution." ;)
>
> I guess I'm still not sold on this idea, I'm sorry.

Not a problem, thanks for looking.

I do hope that hibernate on lockdown is one day properly supported though. I'd
imagine that lockdown will eventually be the default for most distros, and it'd
be a real shame to have to sacrifice hibernate for it (which is, in my opinion,
indispensable for laptop use).


Cheers,
-- 
Kelvie

Hello,

[sorry for the duplicate, had to re-send this as text/plain]

On Mon, 13 Nov 2023 at 20:01, Randy Dunlap <rdunlap@infradead.org> wrote:
>
> [add security & dhowells]
>
> On 11/13/23 18:23, Kelvie Wong wrote:
> > This allows the user to tell the kernel that they know better (namely,
> > they secured their swap properly), and that it can enable hibernation.
> >
> > I've been using this for about a year now, as it doesn't seem like
> > proper secure hibernation was going to be implemented back then, and
> > it's now been a year since I've been building my own kernels with this
> > patch, so getting this upstreamed would save some CO2 from me building
> > my own kernels every upgrade.
> >
> > Some other not-me users have also tested the patch:
> >
> > https://community.frame.work/t/guide-fedora-36-hibernation-with-enabled-secure-boot-and-full-disk-encryption-fde-decrypting-over-tpm2/25474/17
> > <snip>

Any comments on this patch? Or even a pulse (or a "this is a terrible
idea and it'll never be merged").

Or perhaps a "secure hibernate is on the way so we don't want this".

-- 
Kelvie