From 14941724ec710cfe119fa9011e16982300caceec Mon Sep 17 00:00:00 2001
From: Christoph Anton Mitterer
Date: Sun, 26 Mar 2023 04:31:38 +0200
Subject: [PATCH] sleep-config: add comment about security

Adds information about attacks that might become possible when the hibernate location is automatically determined.
---
 src/shared/sleep-config.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/shared/sleep-config.c b/src/shared/sleep-config.c
index 4fd129b27e..dcc233ca6f 100644
--- a/src/shared/sleep-config.c
+++ b/src/shared/sleep-config.c
@@ -723,6 +723,14 @@ static bool location_is_resume_device(const HibernateLocation *location, dev_t s
 * Attempt to find the hibernation location by parsing /proc/swaps, /sys/power/resume, and
 * /sys/power/resume_offset.
 *
+ * Beware:
+ * Never use a device or file as location that hasn't been somehow specified by a user that would also be
+ * entrusted with full system memory access (for example via /sys/power/resume) or that isn't an already
+ * active swap area!
+ * Otherwise various security attacks might become possible, for example an attacker could silently attach
+ * such a device and circumvent full disk encryption when it would be automatically used for hibernation.
+ * Also, having a swap area on top of encryption is not per se enough to protect from all such attacks.
+ *
 * Returns:
 * 1 - Values are set in /sys/power/resume and /sys/power/resume_offset.
 * ret_hibernate_location will represent matching /proc/swap entry if identified or NULL if not.
--
2.25.1
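Review bot: The rule added under `Beware:` is ambiguous, because "never use a location that hasn't been specified by a trusted user ... or that isn't an already active swap area" can be read as requiring both conditions, while the `Returns:` text below it (values set in /sys/power/resume with no matching /proc/swaps entry) suggests either one is meant to suffice. Since this is the invariant that keeps a silently attached device from receiving the hibernation image, I would state it positively: `* Only use a location that was explicitly specified by a user who is already entrusted with full system memory access (for example via /sys/power/resume), or that is an already active swap area.` The closing sentence about swap on top of encryption would help more if it named what that setup does not cover, since as written a maintainer cannot tell which check is still required. The comment block and the function it documents both continue outside this hunk.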