Google Working On Linux Encrypted Hibernation Support
Google engineers are working on encrypted hibernation support for the Linux kernel as part of offering strong hibernation support for Google Chromebook usage.
Google engineers are working on "enabling hibernation in some new scenarios" but to do so safely. Besides taking preventative measures to ensure malicious user-space can't use hibernation as a stepping stone to kernel escalation, the Google security team is also mandating encrypted hibernation. The communication reads, "The hibernate image must be encrypted with protection derived from both the platform (eg TPM) and user authentication data (eg password)."
The uswsusp user-space software can be used for encryption support for during suspend, but that fails to meet Google's security requirements where the kernel can guarantee the integrity of the hibernation image. Being pursued now by Google is kernel-based encryption, support for using TPM-backed keys to encrypt the hibernate image, sealing the encryption key with a PCR policy, and other work to ensure the encrypted hibernate image can be trusted.
A couple of patches still need to be written on top of this series. The generalized functionality to OR in additional PCRs via Kconfig (like PCR 0 or 5) still needs to be added. We'll also need a patch that disallows unencrypted forms of resume from hibernation, to fully close the door to malicious userspace. However, I wanted to get this series out first and get reactions from upstream before continuing to add to it.
Those potentially interested in Linux encrypted hibernation support can find the initial patch series on the kernel mailing list.