
memfd_secret() in 5.14

Posted Aug 8, 2021 4:33 UTC (Sun) by malor (guest, #2973)
Parent article: memfd_secret() in 5.14

If this feature breaks hibernation, I don't see any way it can realistically roll out or be accepted, ever. You're in effect shooting everyone using a laptop in the head.

Maybe the Linux devs don't care about laptops, but the people owning laptops do. No matter how wonderful this is for a server, they absolutely need to figure out how to make hibernation work safely. Without that, it's a nonstarter for exactly the people that mostly need it, regular users that want extra protection for their cryptographic secrets.

If hibernation isn't fixed, all 23 versions of this code strike me as a waste of everyone's time. They might as well have worked on Yet Another Roguelike instead, for all the actual uptake it will get in the real world by real distributions.


memfd_secret() in 5.14

Posted Aug 8, 2021 5:21 UTC (Sun) by pabs (subscriber, #43278) [Link] (3 responses)

Does hibernation still work these days? I thought it was broken by the secure boot patches.

memfd_secret() in 5.14

Posted Aug 10, 2021 1:34 UTC (Tue) by calumapplepie (guest, #143655) [Link] (2 responses)

Nope. Works like a charm.

Bit finicky, though. You might remember me; I was talking about running a kernel bisect in #debian-next for a while, to figure out when hibernate-to-swapfile broke. Of course, while I was testing kernels to see where I should put the bisection bounds, it magically started working. On every one of the QEMU images I had created, including the ones that I had just found to not work.

Of course, when was the last time you read a story with charms that were completely explained, logical, and infallible? Sounds like a boring story to me, and I sure am glad that hibernation isn't like that!

memfd_secret() in 5.14

Posted Aug 10, 2021 1:51 UTC (Tue) by pabs (subscriber, #43278) [Link] (1 responses)

Hmm, I wonder how the kernel knows the hibernation image is trustworthy. Normally that requires a trust chain from Microsoft to the thing being loaded, but with hibernation there can be none since only code running on the machine can sign the hibernation image.

memfd_secret() in 5.14

Posted Aug 10, 2021 8:59 UTC (Tue) by NYKevin (subscriber, #129325) [Link]

Secure boot checks the signature on the thing that receives control from UEFI (e.g. GRUB). It doesn't know or care about the fact that GRUB hands control over to the Linux kernel, much less what RAM image the Linux kernel subsequently decides to load up.

Otherwise, this chain of attestation would never end. You'd have to sign the kernel, and systemd, and GNOME, and Firefox, and...

memfd_secret() in 5.14

Posted Aug 8, 2021 8:12 UTC (Sun) by zdzichu (subscriber, #17118) [Link] (2 responses)

Linux on laptops is probably a statistically insignificant minority of all Linux deployments. The number of people using hibernation is even smaller. I think the biggest deployments of Linux - mobile phones and cloud servers - do not use hibernation. No problem in accepting memfd_secret() for them.

I've written this comment on a laptop running Linux, but I'm aware of the wider perspective. Incidentally, I haven't had any need to use hibernation for the past half a decade or so.

memfd_secret() in 5.14

Posted Aug 8, 2021 9:23 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

Some clouds are starting to use hibernation. E.g. EC2: https://aws.amazon.com/ru/about-aws/whats-new/2017/11/ama...

memfd_secret() in 5.14

Posted Aug 8, 2021 11:01 UTC (Sun) by zdzichu (subscriber, #17118) [Link]

That's true for guests, but there's the other half – actual hypervisors running on bare metal. I bet they do not hibernate.

memfd_secret() in 5.14

Posted Aug 9, 2021 11:14 UTC (Mon) by sandsmark (guest, #62172) [Link]

Since the only real use case I can see for this is protecting DRM like Widevine (i.e. don't let the user inspect the code running), it doesn't matter much if the module is killed when going into suspend.

It just needs to run when you're trying to access DRM-protected content in e.g. Firefox or Chrome, and when waking from suspend it can just get reloaded and check again that it is running in an environment that the user hasn't messed with.

Assuming I'm right, this is going to be fun. The API exposed to DRM modules is already pretty extensive (I remember at least including file IO and some network access in CDM11), but it is kind of limited now because on Linux you just have the "lowest" security level. They can't "trust" the operating system because the user has too much access to their own devices (except on Android).

But with this I'm assuming the goal is to allow the next level and will include API for the black box CDM binaries to inspect the whole system.

memfd_secret() in 5.14

Posted Aug 20, 2021 23:42 UTC (Fri) by jhartzell42 (guest, #153813) [Link]

I think that features useful for servers and completely useless for laptop users are ... still useful for server users, and can proceed without damaging laptop users, who will simply ... not use those features. Why should the laptop use case hold the server use case back? Why are server-only features a waste of time in your book?


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds