anthraxx / linux-hardened

Minimal supplement to upstream Kernel Self Protection Project changes. Features already provided by SELinux + Yama and archs other than multiarch arm64 / x86_64 aren't in scope. Only tags have stable history. Shared IRC channel with KSPP: irc.libera.chat #linux-hardening

Allow hibernation #77

Open 05storm26 opened 1 year ago

05storm26 commented 1 year ago

Currently you can put your resume file into an encrypted LUKS drive; also, you can now have systemd automatically unlock the LUKS drive if your system meets certain attestation criteria (i.e., you have booted with the proper kernel, verified by Secure Boot).

Yes, you can set it up in a way that will cause hibernation to be a security issue, but it is also possible to set it up by using signed UKI images, Secure Boot and an encrypted LUKS drive so that it is IMO completely safe.

Even if you are using linux-hardened you can still do stupid things; the kernel can't protect you from your own stupidity. I think since it is now possible to set up hibernation in a way that is not problematic, it would be great if linux-hardened had CONFIG_HIBERNATION=y.
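
Added example, not part of the issue and not linux-hardened code: a POSIX shell audit of the preconditions the comment names (CONFIG_HIBERNATION=y, a resume device on dm-crypt, Secure Boot enabled). The function names and the sample tree are constructed for illustration. It assumes the resume device is given as `resume=/dev/mapper/<name>` and is itself the dm-crypt mapping; LVM-on-LUKS and `resume=UUID=` forms are not resolved.

```shell
# Added example. Each check takes its input path as an argument so it can
# run against the constructed sample tree built at the bottom.
hibernation_built_in() { grep -q '^CONFIG_HIBERNATION=y$' "$1"; }

# Print the first resume= value found in a kernel command line string.
resume_device() (
    set -f                      # no globbing while splitting the command line
    for arg in $1; do
        case $arg in resume=*) printf '%s\n' "${arg#resume=}"; exit 0 ;; esac
    done
    exit 1
)

# Is /dev/mapper/<name> a dm-crypt mapping? cryptsetup-created mappings carry
# a device-mapper UUID beginning with "CRYPT-" in <sysroot>/block/dm-N/dm/uuid.
is_dmcrypt() (
    name=${2#/dev/mapper/}
    for d in "$1"/block/dm-*/dm; do
        [ -r "$d/name" ] && [ "$(cat "$d/name")" = "$name" ] || continue
        case $(cat "$d/uuid" 2>/dev/null) in CRYPT-*) exit 0 ;; esac
    done
    exit 1
)

# EFI SecureBoot variable: 4 attribute bytes, then one data byte (1 = enabled).
secure_boot_enabled() (
    [ "$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n')" = 1 ]
)

# Run all checks; print one line per failed precondition, return 1 if any fail.
audit() (
    rc=0
    hibernation_built_in "$1" || { echo "FAIL: CONFIG_HIBERNATION not =y"; rc=1; }
    if dev=$(resume_device "$2"); then
        is_dmcrypt "$3" "$dev" || { echo "FAIL: $dev is not dm-crypt"; rc=1; }
    else
        echo "FAIL: no resume= argument"; rc=1
    fi
    secure_boot_enabled "$4" || { echo "FAIL: Secure Boot not enabled"; rc=1; }
    exit "$rc"
)

# Constructed sample tree standing in for the kernel config, /sys and efivars.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/sys/block/dm-0/dm"
echo 'CONFIG_HIBERNATION=y' > "$demo/config"
echo swap > "$demo/sys/block/dm-0/dm/name"; echo CRYPT-LUKS2-0000-swap > "$demo/sys/block/dm-0/dm/uuid"
printf '\006\000\000\000\001' > "$demo/SecureBoot"
audit "$demo/config" "quiet resume=/dev/mapper/swap" "$demo/sys" "$demo/SecureBoot" && echo "all preconditions met"
```

On a real system the arguments would be a decompressed kernel config, the contents of `/proc/cmdline`, `/sys`, and the `SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c` file under `/sys/firmware/efi/efivars`. Passing these checks shows the preconditions are present, not that the boot image is signed or that the LUKS unlock is bound to attestation.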