Bug 1330335
| Summary: | Enhancement: Support for generating and verifying the signature of memory snapshot image | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | poma <pomidorabelisima> | ||||||||
| Component: | kernel | Assignee: | Kernel Maintainer List <kernel-maint> | ||||||||
| Status: | MODIFIED --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||||
| Severity: | unspecified | Docs Contact: | |||||||||
| Priority: | unspecified | ||||||||||
| Version: | rawhide | CC: | bugzilla, dhowells, gansalmon, itamar, johannbg, jonathan, kernel-maint, madhu.chinakonda, mchehab | ||||||||
| Target Milestone: | --- | Keywords: | FutureFeature, Reopened | ||||||||
| Target Release: | --- | ||||||||||
| Hardware: | x86_64 | ||||||||||
| OS: | Linux | ||||||||||
| URL: | https://github.com/joeyli/linux-s4sign/commits/s4sign-hmac-v2-v4.2-rc8 | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | Enhancement | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2016-04-26 00:49:01 UTC | Type: | Bug | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Attachments: |
|
||||||||||
A few comments. Too late for f24. Moving to rawhide and marking as FutureFeature. If we were to support this, rather than a giant patch we'd probably take the individual patches from the original author. Marking as DEFERRED until we figure out the strategy behind the Secure Boot patches overall. We can reopen when we have that figured out. Created attachment 1153506 [details]
Signature verification of hibernate snapshot v2 - 4.6-rc6
Created attachment 1153507 [details]
S4 suspend-resume log - 4.6-rc6
How to test with e.g. kernel 4.6.0-0.rc6.git0.1 $ git clone http://pkgs.fedoraproject.org/git/rpms/kernel.git ~/rpmbuild/SOURCES/ $ cd ~/rpmbuild/SOURCES/ $ git checkout 5f62b8b $ wget -c --no-check-certificate \ https://pkgs.fedoraproject.org/repo/pkgs/kernel/perf-man-4.5.tar.gz/md5/6f557fe90b800b615c85c2ca04da6154/perf-man-4.5.tar.gz \ https://pkgs.fedoraproject.org/repo/pkgs/kernel/patch-4.6-rc6.xz/md5/60d2e4b5eeb4ff2b58cf85a03d9c6a4b/patch-4.6-rc6.xz \ https://pkgs.fedoraproject.org/repo/pkgs/kernel/linux-4.5.tar.xz/md5/a60d48eee08ec0536d5efb17ca819aef/linux-4.5.tar.xz $ md5sum -c sources $ curl -s https://bugzilla.redhat.com/attachment.cgi?id=1153506 | patch -p1 $ rpmbuild -ba [--with baseonly] [--without debuginfo] kernel.spec Booting custom kernels in Fedora 2x with Secure Boot [1] $ certutil -d /etc/pki/pesign-rh-test -L -n "Red Hat Test CA" -r > rhca.der $ su # mokutil --import rhca.der # reboot MOK Managment -> Enroll MOK -> Continue -> Enroll the key -> Password -> Reboot [1] Ref. http://jwboyer.livejournal.com/46149.html (In reply to Josh Boyer from comment #1) > A few comments. > > Too late for f24. Moving to rawhide and marking as FutureFeature. This is irrelevant to specific Fedora release. > If we were to support this, rather than a giant patch we'd probably take the > individual patches from the original author. > > Marking as DEFERRED until we figure out the strategy behind the Secure Boot > patches overall. We can reopen when we have that figured out. What "strategy" is supposed to be involved here? Does this not just travel the usual upstream --> downstream path as in in the kernel patch set needs to be implemented upstream and once it's supported enabled downstream for that or those kernel version it's implemented and will be enabled in all GA releases once that or those spesific kernel version contains that or those patches..
How to test verified S4 with stable 4.6.3 kernel
Via LiveDVD [1], to promptly hibernate machine from the Xfce Desktop, enabled 512 MB swap partition is sufficient.
Of course, during both - the initial boot and resume(thaw) boot, kernel command line requires effective resume= directive.
[1] Test compilation:
http://goo.gl/Gm4ffO
iso/
|
Created attachment 1150652 [details] Signature verification of hibernate snapshot v2 - 4.5.2 Support for generating and verifying the signature of memory snapshot image by HMAC-SHA1. Tested with: efi: EFI v2.60 by EDK II DMI: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Hypervisor detected: KVM Secure boot enabled resulted: PM: Image restored successfully. PM: Enforce hibernate signature verifying PM: Signature verifying pass PM: Restored hibernation keys