Am 30.05.20 um 09:36 schrieb Chris Murphy: > > It's a security risk that is incompatible with having UEFI Secure Boot > enabled. > > The entire point of UEFI Secure Boot is to ensure cryptographic > verification that the kernel you're running is in fact a Fedora built > and signed kernel. Since resuming from hibernation completely replaces > memory contents with that of the image, if the hibernation image isn't > cryptographically signed too, it's an attack vector that permits > arbitrary code execution, including even in the kernel. > >
Anything you put unencrypted on a disk, is insecure. If you don't run full disk encryption, nothing stops an attacker from simply change whatever he likes on disk right away. If the system hibernates and you boot the device with a different OS => change what ever you like. Booting a signed kernel does not change that. And in an attempt to not strech this again, we had this discussion for FDE already in the systemd homed tree. best regards, Marius _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
