From ba4074484d792ae861f7a0133951ad299c16d56c Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi" <jlee@suse.com>
Date: Wed, 13 Dec 2017 18:34:58 +0800
Subject: [PATCH 11/11] PM / hibernate: require hibernate snapshot image to be
 validly signed when kernel is locked down
Patch-mainline: No, will be submitted to upstream
References: fate#316350

When the kernel is locked down, the snapshot must be signed by secret
key. Kernel should stops whole resuming process when the snapshot is
unsigned or signed by wrong key. If the efi secret key is invalid
(when secure boot is disabled), the hibernation function will be locked
down.

Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
---
 kernel/power/hibernate.c |   14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -72,7 +72,19 @@ static const struct platform_hibernation
 
 bool hibernation_available(void)
 {
-	return nohibernate == 0 && !kernel_is_locked_down();
+	if (nohibernate != 0)
+		return false;
+
+	if (kernel_is_locked_down() || snapshot_is_enforce_verify()) {
+		snapshot_set_enforce_verify();
+		if (get_efi_secret_key())
+			return true;
+		else
+			pr_warn("the secret key is invalid\n");
+		return false;
+	} else {
+		return true;
+	}
 }
 
 /**