Re: [PATCH] hibernation: on 32-bit x86, disabled in favor of KASLR

[Kees Cook]

On Sat, Mar 25, 2017 at 7:54 AM, Evgenii Shatokhin
 wrote:
> On 23.03.2017 18:30, Rafael J. Wysocki wrote:
>>
>> On Thu, Mar 23, 2017 at 2:23 PM, Evgenii Shatokhin
>>  wrote:
>>>
>>> On 23.03.2017 03:27, Kees Cook wrote:


 This is a modified revert of commit 65fe935dd238 ("x86/KASLR, x86/power:
 Remove x86 hibernation restrictions"), since it appears that 32-bit
 hibernation still can't support KASLR. 64-bit is fine. Since people have
 been running with KASLR by default on 32-bit since v4.8, this disables
 hibernation (with a warning). Booting with "nokaslr" will disable KASLR
 and enable hibernation.

 Reported-by: Evgenii Shatokhin 
 Signed-off-by: Kees Cook 
 Cc: sta...@vger.kernel.org # v4.8+
>>>
>>>
>>>
>>> The patch does not work as intended on my system, unfortunately.
>>>
>>> I tried the mainline kernel v4.11-rc3 and added this patch. With
>>> "nokaslr"
>>> in the kernel command line, the system fails to hibernate. It complains
>>> this
>>> way in the log:
>>>
>>> <...>
>>> kernel: PM: writing image.
>>> kernel: PM: Cannot find swap device, try swapon -a.
>>> kernel: PM: Cannot get swap writer
>>> kernel: PM: Basic memory bitmaps freed
>>> kernel: Restarting tasks ... done.
>>> systemd[1]: Time has been changed
>>> systemd[3948]: Time has been changed
>>> systemd[14825]: Time has been changed
>>> systemd[1]: systemd-hibernate.service: main process exited, code=exited,
>>> status=1/FAILURE
>>> systemd[1]: Failed to start Hibernate.
>>> <...>
>>>
>>> The swap device (swap file, actually) is available, however:
>>> -
>>> # swapon -s
>>> Filename  Type  SizeUsed  Priority
>>> /swap file  6297596 0 -1
>>> -
>>>
>>> I built the same kernel without this patch then, added "nokaslr" in the
>>> kernel command line again, and the system hibernates and resumes fine.
>>
>>
>> With the patch applied and "nokaslr" in the kernel command line, what
>> shows up when you do
>>
>> $ cat /sys/power/state
>>
>> ?
>
>
> freeze standby mem disk
>
> However, I think now that the patch itself is OK.
>
> I experimented with the patched kernel a bit more and found that hibernate
> does work when I place "nokaslr" before "resume=xxx resume_offset=xxx" in
> the kernel command line and does not work when I place "nokaslr" after these
> options. So I guess there is an issue with parsing of the kernel command
> line somewhere (dracut scripts? systemd? I do not know). If resume= or
> resume_offset= were corrupted, that might have been the reason why the
> system could not find the swap file when hibernating.
>
> Anyway, that issue is clearly unrelated to this patch and the patch itself
> works OK for me.
>
> Thanks a lot!
>
> Tested-by: Evgenii Shatokhin 

Ah, right. Hm, that is kind of the fault of the patch (and the prior
disabling too). Let me see if I can find a better solution...

-Kees

-- 
Kees Cook
Pixel Security

Re: [PATCH] hibernation: on 32-bit x86, disabled in favor of KASLR

[Kees Cook]

On Sat, Mar 25, 2017 at 7:54 AM, Evgenii Shatokhin
 wrote:
> On 23.03.2017 18:30, Rafael J. Wysocki wrote:
>>
>> On Thu, Mar 23, 2017 at 2:23 PM, Evgenii Shatokhin
>>  wrote:
>>>
>>> On 23.03.2017 03:27, Kees Cook wrote:


 This is a modified revert of commit 65fe935dd238 ("x86/KASLR, x86/power:
 Remove x86 hibernation restrictions"), since it appears that 32-bit
 hibernation still can't support KASLR. 64-bit is fine. Since people have
 been running with KASLR by default on 32-bit since v4.8, this disables
 hibernation (with a warning). Booting with "nokaslr" will disable KASLR
 and enable hibernation.

 Reported-by: Evgenii Shatokhin 
 Signed-off-by: Kees Cook 
 Cc: sta...@vger.kernel.org # v4.8+
>>>
>>>
>>>
>>> The patch does not work as intended on my system, unfortunately.
>>>
>>> I tried the mainline kernel v4.11-rc3 and added this patch. With
>>> "nokaslr"
>>> in the kernel command line, the system fails to hibernate. It complains
>>> this
>>> way in the log:
>>>
>>> <...>
>>> kernel: PM: writing image.
>>> kernel: PM: Cannot find swap device, try swapon -a.
>>> kernel: PM: Cannot get swap writer
>>> kernel: PM: Basic memory bitmaps freed
>>> kernel: Restarting tasks ... done.
>>> systemd[1]: Time has been changed
>>> systemd[3948]: Time has been changed
>>> systemd[14825]: Time has been changed
>>> systemd[1]: systemd-hibernate.service: main process exited, code=exited,
>>> status=1/FAILURE
>>> systemd[1]: Failed to start Hibernate.
>>> <...>
>>>
>>> The swap device (swap file, actually) is available, however:
>>> -
>>> # swapon -s
>>> Filename  Type  SizeUsed  Priority
>>> /swap file  6297596 0 -1
>>> -
>>>
>>> I built the same kernel without this patch then, added "nokaslr" in the
>>> kernel command line again, and the system hibernates and resumes fine.
>>
>>
>> With the patch applied and "nokaslr" in the kernel command line, what
>> shows up when you do
>>
>> $ cat /sys/power/state
>>
>> ?
>
>
> freeze standby mem disk
>
> However, I think now that the patch itself is OK.
>
> I experimented with the patched kernel a bit more and found that hibernate
> does work when I place "nokaslr" before "resume=xxx resume_offset=xxx" in
> the kernel command line and does not work when I place "nokaslr" after these
> options. So I guess there is an issue with parsing of the kernel command
> line somewhere (dracut scripts? systemd? I do not know). If resume= or
> resume_offset= were corrupted, that might have been the reason why the
> system could not find the swap file when hibernating.
>
> Anyway, that issue is clearly unrelated to this patch and the patch itself
> works OK for me.
>
> Thanks a lot!
>
> Tested-by: Evgenii Shatokhin 

Ah, right. Hm, that is kind of the fault of the patch (and the prior
disabling too). Let me see if I can find a better solution...

-Kees

-- 
Kees Cook
Pixel Security

Re: [PATCH] hibernation: on 32-bit x86, disabled in favor of KASLR

[Evgenii Shatokhin]

On 23.03.2017 18:30, Rafael J. Wysocki wrote:

On Thu, Mar 23, 2017 at 2:23 PM, Evgenii Shatokhin
 wrote:

On 23.03.2017 03:27, Kees Cook wrote:


This is a modified revert of commit 65fe935dd238 ("x86/KASLR, x86/power:
Remove x86 hibernation restrictions"), since it appears that 32-bit
hibernation still can't support KASLR. 64-bit is fine. Since people have
been running with KASLR by default on 32-bit since v4.8, this disables
hibernation (with a warning). Booting with "nokaslr" will disable KASLR
and enable hibernation.

Reported-by: Evgenii Shatokhin 
Signed-off-by: Kees Cook 
Cc: sta...@vger.kernel.org # v4.8+



The patch does not work as intended on my system, unfortunately.

I tried the mainline kernel v4.11-rc3 and added this patch. With "nokaslr"
in the kernel command line, the system fails to hibernate. It complains this
way in the log:

<...>
kernel: PM: writing image.
kernel: PM: Cannot find swap device, try swapon -a.
kernel: PM: Cannot get swap writer
kernel: PM: Basic memory bitmaps freed
kernel: Restarting tasks ... done.
systemd[1]: Time has been changed
systemd[3948]: Time has been changed
systemd[14825]: Time has been changed
systemd[1]: systemd-hibernate.service: main process exited, code=exited,
status=1/FAILURE
systemd[1]: Failed to start Hibernate.
<...>

The swap device (swap file, actually) is available, however:
-
# swapon -s
Filename  Type  SizeUsed  Priority
/swap file  6297596 0 -1
-

I built the same kernel without this patch then, added "nokaslr" in the
kernel command line again, and the system hibernates and resumes fine.


With the patch applied and "nokaslr" in the kernel command line, what
shows up when you do

$ cat /sys/power/state

?


freeze standby mem disk

However, I think now that the patch itself is OK.

I experimented with the patched kernel a bit more and found that 
hibernate does work when I place "nokaslr" before "resume=xxx 
resume_offset=xxx" in the kernel command line and does not work when I 
place "nokaslr" after these options. So I guess there is an issue with 
parsing of the kernel command line somewhere (dracut scripts? systemd? I 
do not know). If resume= or resume_offset= were corrupted, that might 
have been the reason why the system could not find the swap file when 
hibernating.


Anyway, that issue is clearly unrelated to this patch and the patch 
itself works OK for me.


Thanks a lot!

Tested-by: Evgenii Shatokhin 

Regards,
Evgenii

Re: [PATCH] hibernation: on 32-bit x86, disabled in favor of KASLR

[Evgenii Shatokhin]

On 23.03.2017 18:30, Rafael J. Wysocki wrote:

On Thu, Mar 23, 2017 at 2:23 PM, Evgenii Shatokhin
 wrote:

On 23.03.2017 03:27, Kees Cook wrote:


This is a modified revert of commit 65fe935dd238 ("x86/KASLR, x86/power:
Remove x86 hibernation restrictions"), since it appears that 32-bit
hibernation still can't support KASLR. 64-bit is fine. Since people have
been running with KASLR by default on 32-bit since v4.8, this disables
hibernation (with a warning). Booting with "nokaslr" will disable KASLR
and enable hibernation.

Reported-by: Evgenii Shatokhin 
Signed-off-by: Kees Cook 
Cc: sta...@vger.kernel.org # v4.8+



The patch does not work as intended on my system, unfortunately.

I tried the mainline kernel v4.11-rc3 and added this patch. With "nokaslr"
in the kernel command line, the system fails to hibernate. It complains this
way in the log:

<...>
kernel: PM: writing image.
kernel: PM: Cannot find swap device, try swapon -a.
kernel: PM: Cannot get swap writer
kernel: PM: Basic memory bitmaps freed
kernel: Restarting tasks ... done.
systemd[1]: Time has been changed
systemd[3948]: Time has been changed
systemd[14825]: Time has been changed
systemd[1]: systemd-hibernate.service: main process exited, code=exited,
status=1/FAILURE
systemd[1]: Failed to start Hibernate.
<...>

The swap device (swap file, actually) is available, however:
-
# swapon -s
Filename  Type  SizeUsed  Priority
/swap file  6297596 0 -1
-

I built the same kernel without this patch then, added "nokaslr" in the
kernel command line again, and the system hibernates and resumes fine.


With the patch applied and "nokaslr" in the kernel command line, what
shows up when you do

$ cat /sys/power/state

?


freeze standby mem disk

However, I think now that the patch itself is OK.

I experimented with the patched kernel a bit more and found that 
hibernate does work when I place "nokaslr" before "resume=xxx 
resume_offset=xxx" in the kernel command line and does not work when I 
place "nokaslr" after these options. So I guess there is an issue with 
parsing of the kernel command line somewhere (dracut scripts? systemd? I 
do not know). If resume= or resume_offset= were corrupted, that might 
have been the reason why the system could not find the swap file when 
hibernating.


Anyway, that issue is clearly unrelated to this patch and the patch 
itself works OK for me.


Thanks a lot!

Tested-by: Evgenii Shatokhin 

Regards,
Evgenii

Re: [PATCH] hibernation: on 32-bit x86, disabled in favor of KASLR

[Yu Chen]

Hi,

On Thu, Mar 23, 2017 at 9:23 PM, Evgenii Shatokhin
 wrote:
> On 23.03.2017 03:27, Kees Cook wrote:
>>
>> This is a modified revert of commit 65fe935dd238 ("x86/KASLR, x86/power:
>> Remove x86 hibernation restrictions"), since it appears that 32-bit
>> hibernation still can't support KASLR. 64-bit is fine. Since people have
>> been running with KASLR by default on 32-bit since v4.8, this disables
>> hibernation (with a warning). Booting with "nokaslr" will disable KASLR
>> and enable hibernation.
>>
>> Reported-by: Evgenii Shatokhin 
>> Signed-off-by: Kees Cook 
>> Cc: sta...@vger.kernel.org # v4.8+
>
>
> The patch does not work as intended on my system, unfortunately.
>
> I tried the mainline kernel v4.11-rc3 and added this patch. With "nokaslr"
> in the kernel command line, the system fails to hibernate. It complains this
> way in the log:
Could you please send me your kernel config? I've built a 4.11-rc3
image and runs
it on my 32bit laptop and hibernate works on CONFIG_RANDOMIZE_BASE=y

Yu

Re: [PATCH] hibernation: on 32-bit x86, disabled in favor of KASLR

[Yu Chen]

Hi,

On Thu, Mar 23, 2017 at 9:23 PM, Evgenii Shatokhin
 wrote:
> On 23.03.2017 03:27, Kees Cook wrote:
>>
>> This is a modified revert of commit 65fe935dd238 ("x86/KASLR, x86/power:
>> Remove x86 hibernation restrictions"), since it appears that 32-bit
>> hibernation still can't support KASLR. 64-bit is fine. Since people have
>> been running with KASLR by default on 32-bit since v4.8, this disables
>> hibernation (with a warning). Booting with "nokaslr" will disable KASLR
>> and enable hibernation.
>>
>> Reported-by: Evgenii Shatokhin 
>> Signed-off-by: Kees Cook 
>> Cc: sta...@vger.kernel.org # v4.8+
>
>
> The patch does not work as intended on my system, unfortunately.
>
> I tried the mainline kernel v4.11-rc3 and added this patch. With "nokaslr"
> in the kernel command line, the system fails to hibernate. It complains this
> way in the log:
Could you please send me your kernel config? I've built a 4.11-rc3
image and runs
it on my 32bit laptop and hibernate works on CONFIG_RANDOMIZE_BASE=y

Yu

Re: [PATCH] hibernation: on 32-bit x86, disabled in favor of KASLR

[Rafael J. Wysocki]

On Thu, Mar 23, 2017 at 2:23 PM, Evgenii Shatokhin
 wrote:
> On 23.03.2017 03:27, Kees Cook wrote:
>>
>> This is a modified revert of commit 65fe935dd238 ("x86/KASLR, x86/power:
>> Remove x86 hibernation restrictions"), since it appears that 32-bit
>> hibernation still can't support KASLR. 64-bit is fine. Since people have
>> been running with KASLR by default on 32-bit since v4.8, this disables
>> hibernation (with a warning). Booting with "nokaslr" will disable KASLR
>> and enable hibernation.
>>
>> Reported-by: Evgenii Shatokhin 
>> Signed-off-by: Kees Cook 
>> Cc: sta...@vger.kernel.org # v4.8+
>
>
> The patch does not work as intended on my system, unfortunately.
>
> I tried the mainline kernel v4.11-rc3 and added this patch. With "nokaslr"
> in the kernel command line, the system fails to hibernate. It complains this
> way in the log:
>
> <...>
> kernel: PM: writing image.
> kernel: PM: Cannot find swap device, try swapon -a.
> kernel: PM: Cannot get swap writer
> kernel: PM: Basic memory bitmaps freed
> kernel: Restarting tasks ... done.
> systemd[1]: Time has been changed
> systemd[3948]: Time has been changed
> systemd[14825]: Time has been changed
> systemd[1]: systemd-hibernate.service: main process exited, code=exited,
> status=1/FAILURE
> systemd[1]: Failed to start Hibernate.
> <...>
>
> The swap device (swap file, actually) is available, however:
> -
> # swapon -s
> Filename  Type  SizeUsed  Priority
> /swap file  6297596 0 -1
> -
>
> I built the same kernel without this patch then, added "nokaslr" in the
> kernel command line again, and the system hibernates and resumes fine.

With the patch applied and "nokaslr" in the kernel command line, what
shows up when you do

$ cat /sys/power/state

?

Thanks,
Rafael

Re: [PATCH] hibernation: on 32-bit x86, disabled in favor of KASLR

[Rafael J. Wysocki]

On Thu, Mar 23, 2017 at 2:23 PM, Evgenii Shatokhin
 wrote:
> On 23.03.2017 03:27, Kees Cook wrote:
>>
>> This is a modified revert of commit 65fe935dd238 ("x86/KASLR, x86/power:
>> Remove x86 hibernation restrictions"), since it appears that 32-bit
>> hibernation still can't support KASLR. 64-bit is fine. Since people have
>> been running with KASLR by default on 32-bit since v4.8, this disables
>> hibernation (with a warning). Booting with "nokaslr" will disable KASLR
>> and enable hibernation.
>>
>> Reported-by: Evgenii Shatokhin 
>> Signed-off-by: Kees Cook 
>> Cc: sta...@vger.kernel.org # v4.8+
>
>
> The patch does not work as intended on my system, unfortunately.
>
> I tried the mainline kernel v4.11-rc3 and added this patch. With "nokaslr"
> in the kernel command line, the system fails to hibernate. It complains this
> way in the log:
>
> <...>
> kernel: PM: writing image.
> kernel: PM: Cannot find swap device, try swapon -a.
> kernel: PM: Cannot get swap writer
> kernel: PM: Basic memory bitmaps freed
> kernel: Restarting tasks ... done.
> systemd[1]: Time has been changed
> systemd[3948]: Time has been changed
> systemd[14825]: Time has been changed
> systemd[1]: systemd-hibernate.service: main process exited, code=exited,
> status=1/FAILURE
> systemd[1]: Failed to start Hibernate.
> <...>
>
> The swap device (swap file, actually) is available, however:
> -
> # swapon -s
> Filename  Type  SizeUsed  Priority
> /swap file  6297596 0 -1
> -
>
> I built the same kernel without this patch then, added "nokaslr" in the
> kernel command line again, and the system hibernates and resumes fine.

With the patch applied and "nokaslr" in the kernel command line, what
shows up when you do

$ cat /sys/power/state

?

Thanks,
Rafael

Re: [PATCH] hibernation: on 32-bit x86, disabled in favor of KASLR

[Evgenii Shatokhin]

On 23.03.2017 03:27, Kees Cook wrote:

This is a modified revert of commit 65fe935dd238 ("x86/KASLR, x86/power:
Remove x86 hibernation restrictions"), since it appears that 32-bit
hibernation still can't support KASLR. 64-bit is fine. Since people have
been running with KASLR by default on 32-bit since v4.8, this disables
hibernation (with a warning). Booting with "nokaslr" will disable KASLR
and enable hibernation.

Reported-by: Evgenii Shatokhin 
Signed-off-by: Kees Cook 
Cc: sta...@vger.kernel.org # v4.8+


The patch does not work as intended on my system, unfortunately.

I tried the mainline kernel v4.11-rc3 and added this patch. With 
"nokaslr" in the kernel command line, the system fails to hibernate. It 
complains this way in the log:


<...>
kernel: PM: writing image.
kernel: PM: Cannot find swap device, try swapon -a.
kernel: PM: Cannot get swap writer
kernel: PM: Basic memory bitmaps freed
kernel: Restarting tasks ... done.
systemd[1]: Time has been changed
systemd[3948]: Time has been changed
systemd[14825]: Time has been changed
systemd[1]: systemd-hibernate.service: main process exited, code=exited, 
status=1/FAILURE

systemd[1]: Failed to start Hibernate.
<...>

The swap device (swap file, actually) is available, however:
-
# swapon -s
Filename  Type  SizeUsed  Priority
/swap file  6297596 0 -1
-

I built the same kernel without this patch then, added "nokaslr" in the 
kernel command line again, and the system hibernates and resumes fine.



---
  Documentation/admin-guide/kernel-parameters.txt |  5 +
  arch/x86/boot/compressed/kaslr.c|  3 +++
  kernel/power/hibernate.c| 18 +-
  3 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/Documentation/admin-guide/kernel-parameters.txt 
b/Documentation/admin-guide/kernel-parameters.txt
index 2ba45caabada..6f899c7f587d 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -1725,6 +1725,11 @@
kernel and module base offset ASLR (Address Space
Layout Randomization).

+   On 32-bit x86 with CONFIG_HIBERNATION, hibernation
+   is disabled if KASLR is enabled. If "nokaslr" is
+   specified, KASLR will be diabled and hibernation
+   will be enabled.
+
keepinitrd  [HW,ARM]

kernelcore= [KNL,X86,IA-64,PPC]
diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
index 8b7c9e75edcb..b694af45f1e0 100644
--- a/arch/x86/boot/compressed/kaslr.c
+++ b/arch/x86/boot/compressed/kaslr.c
@@ -572,6 +572,9 @@ void choose_random_location(unsigned long input,
return;
}

+   if (IS_ENABLED(CONFIG_X86_32) && IS_ENABLED(CONFIG_HIBERNATION))
+   warn("KASLR active: hibernation disabled on 32-bit x86.");
+
boot_params->hdr.loadflags |= KASLR_FLAG;

/* Prepare to add new identity pagetables on demand. */
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index a8b978c35a6a..1d8f1fe1b7f4 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -37,9 +37,14 @@
  #include "power.h"


-static int nocompress;
+#if defined(CONFIG_X86_32) && defined(CONFIG_RANDOMIZE_BASE)
+static int noresume = 1;
+static int nohibernate = 1;
+#else
  static int noresume;
  static int nohibernate;
+#endif
+static int nocompress;
  static int resume_wait;
  static unsigned int resume_delay;
  static char resume_file[256] = CONFIG_PM_STD_PARTITION;
@@ -1194,3 +1199,14 @@ __setup("hibernate=", hibernate_setup);
  __setup("resumewait", resumewait_setup);
  __setup("resumedelay=", resumedelay_setup);
  __setup("nohibernate", nohibernate_setup);
+
+/* Allow hibernation to be disabled in favor of KASLR on 32-bit x86. */
+#if defined(CONFIG_X86_32) && defined(CONFIG_RANDOMIZE_BASE)
+static int __init nokaslr_hibernate_setup(char *str)
+{
+   noresume = 0;
+   nohibernate = 0;
+   return 1;
+}
+__setup("nokaslr", nokaslr_hibernate_setup);
+#endif

Re: [PATCH] hibernation: on 32-bit x86, disabled in favor of KASLR

[Evgenii Shatokhin]

On 23.03.2017 03:27, Kees Cook wrote:

This is a modified revert of commit 65fe935dd238 ("x86/KASLR, x86/power:
Remove x86 hibernation restrictions"), since it appears that 32-bit
hibernation still can't support KASLR. 64-bit is fine. Since people have
been running with KASLR by default on 32-bit since v4.8, this disables
hibernation (with a warning). Booting with "nokaslr" will disable KASLR
and enable hibernation.

Reported-by: Evgenii Shatokhin 
Signed-off-by: Kees Cook 
Cc: sta...@vger.kernel.org # v4.8+


The patch does not work as intended on my system, unfortunately.

I tried the mainline kernel v4.11-rc3 and added this patch. With 
"nokaslr" in the kernel command line, the system fails to hibernate. It 
complains this way in the log:


<...>
kernel: PM: writing image.
kernel: PM: Cannot find swap device, try swapon -a.
kernel: PM: Cannot get swap writer
kernel: PM: Basic memory bitmaps freed
kernel: Restarting tasks ... done.
systemd[1]: Time has been changed
systemd[3948]: Time has been changed
systemd[14825]: Time has been changed
systemd[1]: systemd-hibernate.service: main process exited, code=exited, 
status=1/FAILURE

systemd[1]: Failed to start Hibernate.
<...>

The swap device (swap file, actually) is available, however:
-
# swapon -s
Filename  Type  SizeUsed  Priority
/swap file  6297596 0 -1
-

I built the same kernel without this patch then, added "nokaslr" in the 
kernel command line again, and the system hibernates and resumes fine.



---
  Documentation/admin-guide/kernel-parameters.txt |  5 +
  arch/x86/boot/compressed/kaslr.c|  3 +++
  kernel/power/hibernate.c| 18 +-
  3 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/Documentation/admin-guide/kernel-parameters.txt 
b/Documentation/admin-guide/kernel-parameters.txt
index 2ba45caabada..6f899c7f587d 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -1725,6 +1725,11 @@
kernel and module base offset ASLR (Address Space
Layout Randomization).

+   On 32-bit x86 with CONFIG_HIBERNATION, hibernation
+   is disabled if KASLR is enabled. If "nokaslr" is
+   specified, KASLR will be diabled and hibernation
+   will be enabled.
+
keepinitrd  [HW,ARM]

kernelcore= [KNL,X86,IA-64,PPC]
diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
index 8b7c9e75edcb..b694af45f1e0 100644
--- a/arch/x86/boot/compressed/kaslr.c
+++ b/arch/x86/boot/compressed/kaslr.c
@@ -572,6 +572,9 @@ void choose_random_location(unsigned long input,
return;
}

+   if (IS_ENABLED(CONFIG_X86_32) && IS_ENABLED(CONFIG_HIBERNATION))
+   warn("KASLR active: hibernation disabled on 32-bit x86.");
+
boot_params->hdr.loadflags |= KASLR_FLAG;

/* Prepare to add new identity pagetables on demand. */
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index a8b978c35a6a..1d8f1fe1b7f4 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -37,9 +37,14 @@
  #include "power.h"


-static int nocompress;
+#if defined(CONFIG_X86_32) && defined(CONFIG_RANDOMIZE_BASE)
+static int noresume = 1;
+static int nohibernate = 1;
+#else
  static int noresume;
  static int nohibernate;
+#endif
+static int nocompress;
  static int resume_wait;
  static unsigned int resume_delay;
  static char resume_file[256] = CONFIG_PM_STD_PARTITION;
@@ -1194,3 +1199,14 @@ __setup("hibernate=", hibernate_setup);
  __setup("resumewait", resumewait_setup);
  __setup("resumedelay=", resumedelay_setup);
  __setup("nohibernate", nohibernate_setup);
+
+/* Allow hibernation to be disabled in favor of KASLR on 32-bit x86. */
+#if defined(CONFIG_X86_32) && defined(CONFIG_RANDOMIZE_BASE)
+static int __init nokaslr_hibernate_setup(char *str)
+{
+   noresume = 0;
+   nohibernate = 0;
+   return 1;
+}
+__setup("nokaslr", nokaslr_hibernate_setup);
+#endif

Re: [PATCH] hibernation: on 32-bit x86, disabled in favor of KASLR

[Rafael J. Wysocki]

On Thu, Mar 23, 2017 at 1:27 AM, Kees Cook  wrote:
> This is a modified revert of commit 65fe935dd238 ("x86/KASLR, x86/power:
> Remove x86 hibernation restrictions"), since it appears that 32-bit
> hibernation still can't support KASLR. 64-bit is fine. Since people have
> been running with KASLR by default on 32-bit since v4.8, this disables
> hibernation (with a warning). Booting with "nokaslr" will disable KASLR
> and enable hibernation.
>
> Reported-by: Evgenii Shatokhin 
> Signed-off-by: Kees Cook 
> Cc: sta...@vger.kernel.org # v4.8+

LGTM

Thanks,
Rafael

Re: [PATCH] hibernation: on 32-bit x86, disabled in favor of KASLR

[Rafael J. Wysocki]

On Thu, Mar 23, 2017 at 1:27 AM, Kees Cook  wrote:
> This is a modified revert of commit 65fe935dd238 ("x86/KASLR, x86/power:
> Remove x86 hibernation restrictions"), since it appears that 32-bit
> hibernation still can't support KASLR. 64-bit is fine. Since people have
> been running with KASLR by default on 32-bit since v4.8, this disables
> hibernation (with a warning). Booting with "nokaslr" will disable KASLR
> and enable hibernation.
>
> Reported-by: Evgenii Shatokhin 
> Signed-off-by: Kees Cook 
> Cc: sta...@vger.kernel.org # v4.8+

LGTM

Thanks,
Rafael