Google Working On Linux Encrypted Hibernation Support

Written by Michael Larabel in Google on 5 May 2022 at 07:18 AM EDT.
Google engineers are working on encrypted hibernation support for the Linux kernel as part of offering strong hibernation support for Google Chromebook usage.

Google engineers are working on "enabling hibernation in some new scenarios" while making sure it can be done safely. Besides taking preventative measures so that malicious user-space cannot use hibernation as a stepping stone to kernel privilege escalation, the Google security team also mandates that the hibernation image be encrypted. The communication reads, "The hibernate image must be encrypted with protection derived from both the platform (eg TPM) and user authentication data (eg password)."

The uswsusp user-space software can already encrypt the image written out during hibernation, but that does not meet Google's security requirements, which call for the kernel itself to guarantee the integrity of the hibernation image. What Google is now pursuing is kernel-based encryption: support for using TPM-backed keys to encrypt the hibernate image, sealing the encryption key under a PCR policy, and further work to ensure the encrypted hibernate image can be trusted on resume.
The patch series cover letter continues: "A couple of patches still need to be written on top of this series. The generalized functionality to OR in additional PCRs via Kconfig (like PCR 0 or 5) still needs to be added. We'll also need a patch that disallows unencrypted forms of resume from hibernation, to fully close the door to malicious userspace. However, I wanted to get this series out first and get reactions from upstream before continuing to add to it."
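To make the design concrete, here is an added model (written for this article, not code from the kernel patch series or from Google) of the three properties the cover letter describes: the image key is derived from both a TPM-sealed secret and the user's password, the TPM secret is sealed under a PCR policy so a changed boot state cannot release it, and the resume path refuses an image that is not in the encrypted format. Everything here is a simulation: `SimTPM`, `pcr_policy_digest`, the HMAC-based keystream cipher standing in for a real AEAD such as AES-GCM, the `ENCHIB01` header magic, the PBKDF2 iteration count and the sample measurements are all constructed for the example and do not reflect the kernel implementation.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000   # constructed value for the example
HEADER = b"ENCHIB01"          # constructed magic marking an encrypted image
PCR_BANK = hashlib.sha256


class PolicyError(Exception):
    """Raised when the TPM's current PCR state does not satisfy the seal policy."""


def pcr_policy_digest(pcrs, selected):
    """Simplified model of TPM2 PolicyPCR: a digest over the selected PCR indices and
    their current values. The real TPML_PCR_SELECTION encoding is not reproduced."""
    h = PCR_BANK(b"PolicyPCR")
    for idx in sorted(selected):
        h.update(idx.to_bytes(1, "big") + pcrs[idx])
    return h.digest()


def _keystream(key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256 (toy stand-in for a real block cipher).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), PCR_BANK).digest()
        counter += 1
    return out[:length]


def aead_encrypt(key, plaintext, aad=b""):
    """Encrypt-then-MAC with separate sub-keys; returns nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"enc", PCR_BANK).digest()
    mac_key = hmac.new(key, b"mac", PCR_BANK).digest()
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, aad + nonce + ct, PCR_BANK).digest()


def aead_decrypt(key, blob, aad=b""):
    enc_key = hmac.new(key, b"enc", PCR_BANK).digest()
    mac_key = hmac.new(key, b"mac", PCR_BANK).digest()
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, aad + nonce + ct, PCR_BANK).digest()):
        raise ValueError("integrity check failed")  # wrong key or tampered image
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SimTPM:
    """Toy TPM: a PCR bank plus a hidden seed used to seal secrets under a PCR policy."""

    def __init__(self, n_pcrs=24):
        self._seed = secrets.token_bytes(32)        # never leaves the "chip"
        self.pcrs = {i: bytes(32) for i in range(n_pcrs)}

    def extend(self, idx, measurement):
        # PCR extend: PCR[i] = H(PCR[i] || H(measurement))
        self.pcrs[idx] = PCR_BANK(self.pcrs[idx] + PCR_BANK(measurement).digest()).digest()

    def _policy_key(self, selected):
        policy = pcr_policy_digest(self.pcrs, selected)
        return hmac.new(self._seed, b"seal" + policy, PCR_BANK).digest()

    def seal(self, secret, selected):
        return {"selected": tuple(selected), "blob": aead_encrypt(self._policy_key(selected), secret)}

    def unseal(self, sealed):
        # The key is recomputed from the *current* PCRs: any change makes the tag check fail.
        try:
            return aead_decrypt(self._policy_key(sealed["selected"]), sealed["blob"])
        except ValueError:
            raise PolicyError("PCR state does not match the policy the secret was sealed to")


def derive_image_key(tpm_secret, password, salt):
    """Image key bound to both the platform (TPM-sealed secret) and the user (password)."""
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.new(tpm_secret, b"hibernate-image-key" + pw_key, PCR_BANK).digest()


def hibernate(tpm, password, image, selected=(7,)):
    tpm_secret = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    key = derive_image_key(tpm_secret, password, salt)
    return {"header": HEADER, "sealed": tpm.seal(tpm_secret, selected), "salt": salt,
            "image": aead_encrypt(key, image, aad=HEADER)}


def resume(tpm, password, stored):
    if stored.get("header") != HEADER:
        raise ValueError("refusing unencrypted or unrecognised hibernation image")
    tpm_secret = tpm.unseal(stored["sealed"])                  # PolicyError if boot state changed
    key = derive_image_key(tpm_secret, password, stored["salt"])
    return aead_decrypt(key, stored["image"], aad=HEADER)      # ValueError on wrong password


def demo():
    """Exercise the happy path and the three failure modes; returns a result dict."""
    tpm = SimTPM()
    tpm.extend(7, b"known-good boot policy (constructed measurement)")
    image = b"kernel memory snapshot (constructed sample)"
    password = "correct horse battery staple"
    stored = hibernate(tpm, password, image)
    results = {"roundtrip": resume(tpm, password, stored) == image}
    try:
        resume(tpm, "wrong password", stored); results["wrong_password_rejected"] = False
    except ValueError:
        results["wrong_password_rejected"] = True
    try:
        resume(tpm, password, dict(stored, header=b"PLAIN")); results["unencrypted_rejected"] = False
    except ValueError:
        results["unencrypted_rejected"] = True
    tpm.extend(7, b"different boot path (constructed measurement)")  # boot state changed
    try:
        resume(tpm, password, stored); results["pcr_change_rejected"] = False
    except PolicyError:
        results["pcr_change_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the two-factor derivation is that neither factor alone is enough: a stolen disk image yields nothing without the TPM secret, and the TPM only releases that secret when the PCRs still match the policy it was sealed under, so a modified boot chain cannot unseal it even with the correct password. The `HEADER` check models the cover letter's planned patch that disallows unencrypted resume.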

Those potentially interested in Linux encrypted hibernation support can find the initial patch series on the kernel mailing list.