1. Computers
  2. Display Drivers
  3. Graphics Cards
  4. Memory
  5. Motherboards
  6. Processors
  7. Software
  8. Storage
  9. Operating Systems


Facebook RSS Twitter Twitter Google Plus


Phoronix Test Suite

OpenBenchmarking.org

Secure Boot Breaks Kexec, Hibernate Support On Linux

Linux Kernel

Published on 28 January 2013 12:09 PM EST
Written by Michael Larabel in Linux Kernel
17 Comments

A set of "controversial" patches were published by Matthew Garrett this morning for the Linux kernel. One of the patch series will disable the kernel's support for kexec and hibernate support when running in a UEFI Secure Boot environment.

Hibernation power management support needs to be disabled since right now the Linux kernel has no way to verify the resume image when returning from hibernate. With this limitation of the Linux kernel not being able to verify the kernel image upon resume, it compromises the Secure Boot trust model. Ultimately, the Linux kernel will need to be changed so that it can work with signed hibernate images.

The kexec support needs to be disabled when running in Secure Boot since the kernel execution mechanism could be used as an attack vector by a malicious user. Using kexec could bypass the Secure Boot trust model to load a modified kernel. Ultimately, the Linux kernel will need to be improved to support signed kexec payloads.

The kexec and hibernate disabling patches can be found on the Linux kernel mailing list in a patch series entitled by Matthew as Secure Boot: More controversial changes. "These patches break functionality that people rely on without providing any functional equivalent, so I'm not suggesting that they be merged as-is. kexec allows trivial circumvention of the trust model (it's trivially equivalent to permitting module loading, for instance) and hibernation allows similar attacks (disable swap, write a pre-formed resume image to swap, reboot). The hibernation patch also shows up a different issue - some userspace drops all capabilities, resulting in things that userspace expects to work no longer working. This seems like an unsurprising result, but breaking userspace is bad and so it'd be nice to figure out if there's another way to handle this."

Matthew, now working at Nebula rather than Red Hat, also posted a set of 15 patches for Secure Boot policy support. "Secure boot makes it possible to ensure that the on-disk representation of the kernel hasn't been modified. This can be sidestepped if the in-memory representation can be trivially altered. We currently have a large number of interfaces that permit root to perform effectively arbitrary modifications to the kernel, so this patchset introduces a new capability ("CAP_COMPROMISE_KERNEL") that controls whether or not these features are available. The aim is for this to be useful in any other situations where kernel integrity can be assured by some other mechanism rather than special casing UEFI."

About The Author
Michael Larabel is the principal author of Phoronix.com and founded the web-site in 2004 with a focus on enriching the Linux hardware experience and being the largest web-site devoted to Linux hardware reviews, particularly for products relevant to Linux gamers and enthusiasts but also commonly reviewing servers/workstations and embedded Linux devices. Michael has written more than 10,000 articles covering the state of Linux hardware support, Linux performance, graphics hardware drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated testing software. He can be followed via and or contacted via .
Latest Articles & Reviews
  1. AMD FX-8320E Performance On Linux
  2. Linux Compiler Benchmarks Of LLVM Clang 3.5 vs. LLVM Clang 3.6-rc1
  3. Intel Broadwell HD Graphics 5500: Windows 8.1 vs. Linux
  4. Linux Benchmarks Of NVIDIA's Early 2015 GeForce Line-Up
  5. NVIDIA GeForce GTX 960: A Great $200 GPU For Linux Gamers
  6. Disk Encryption Tests On Fedora 21
Latest Linux News
  1. Now-Closed KDE Vulnerabilities Remind Us X11 Screen Locks / Screensavers Are Insecure
  2. Vivaldi: A New Chromium-Powered, Multi-Platform Browser
  3. KDE Plasma 5.2 Officially Released
  4. Intel Broadwell On Linux Has Working OpenCL 1.2, VP8 Video Acceleration
  5. GParted 0.21 Brings ReFS Detection, EXT4 For RHEL5, Reiser4 For Linux 3.x
  6. Wine Staging Update Has Better CUDA Support, Driver Testing Framework
  7. Nouveau In Linux 3.20 Will Have A Lot Of Code Cleaning
  8. Compare Your Linux System To The i7-5600U Broadwell X1 Carbon ThinkPad
  9. Debian 8.0 "Jessie" Installer RC1 Released
  10. Chromebook "Rush" With 64-bit Tegra SoC Support Lands In Coreboot
Most Viewed News This Week
  1. Windows 10 To Be A Free Upgrade: What Linux Users Need To Know
  2. Google Admin Encourages Trying Btrfs, Not ZFS On Linux
  3. TraceFS: The Newest Linux File-System
  4. My Initial Intel Broadwell Linux Experience With The ThinkPad X1 Carbon
  5. Keith Packard Leaves Intel's Linux Graphics Work
  6. Interstellar Marines On Linux With Catalyst: Bull S*#@
  7. Faster VP9 Decoding Is On The Horizon
  8. NetworkManager Now Supports WiFi Power Savings