Converting to encrypted swap

I’m working on a firmware platform security specification which we will announce soon. Most of the things we test are firmware protections the user cannot actually change, but there are some runtime checks we do to make sure we can actually trust the results from the kernel. For instance, if you load unknown random modules into the kernel (which means it becomes “tainted”) you can’t actually trust the values reported. Another basic sanity check we do is checking for encrypted swap space.

My Lenovo P50 was installed with Fedora 29ish, a long time ago, with encrypted /home and unencrypted swap. It’s been upgraded quite a few times and I’m not super keen on re-installing it now. I wanted to upgrade to encrypted swap so I could pass the same requirements that I’m going to be asking people to meet.

Please don’t just copy and paste the below, as your swap partition will be different from mine. If you choose the wrong partition you will overwrite either your data or your root partition, so check /proc/swaps and lsblk first and be careful. Caveat emptor, and all that.

So, let’s get started. Let’s turn off the existing swap partition:

[root@localhost ~]# cat /proc/swaps
Filename				Type		Size	Used	Priority
/dev/nvme0n1p4                          partition	5962748	0	-2
[root@localhost ~]# swapoff /dev/nvme0n1p4

Let’s overwrite the existing partition with zeros, as it might have data that we’d consider private. dd will stop with a “No space left on device” error when it reaches the end of the partition; that is expected. On an SSD, wear levelling means a zero-fill is not guaranteed to reach every flash cell that once held swap pages, but it is the best a block-level overwrite can do:

dd if=/dev/zero of=/dev/nvme0n1p4 bs=102400

We then need to change /etc/fstab from

# Created by anaconda on Mon Dec  9 09:05:10 2019
...
UUID=97498951-0a49-4110-b838-dd90d02ea11f none                    swap    defaults        0 0
...

to

...
/dev/mapper/swap                          none                    swap    defaults        0 0    
...

We then need to append to /etc/crypttab. The fields are the mapping name, the underlying partition, the key source and the options. /dev/urandom as the key source means a fresh random key is generated at every boot, so nothing on the partition survives a reboot (and hibernation cannot resume from this swap). The swap option makes systemd-cryptsetup run mkswap on the mapping at every boot, which is why naming the wrong partition here is destructive on every boot rather than just once; a /dev/disk/by-partuuid/ path is a more robust way to name the partition than /dev/nvme0n1p4. aes-cbc-essiv:sha256 with a 256-bit key is fine for this use; aes-xts-plain64 with size=512 (XTS needs two keys, so that is still 256-bit AES) is the more modern choice. The line to add is:

swap /dev/nvme0n1p4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256

Reboot, and then cat /proc/swaps will show the swap on a dm device (/dev/dm-0 or similar) instead of the raw partition, and cryptsetup status swap will report type PLAIN with the cipher and key size from crypttab. You can also try it without rebooting: systemctl daemon-reload, then systemctl start systemd-cryptsetup@swap.service, then swapon -a. Done!
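The whole procedure, plus the sanity check the specification performs, as an added shell example (it is not the post’s code, and not the checker the specification uses): fstab_use_dm_swap rewrites a swap entry the way the fstab edit above does, crypttab_swap_line emits the crypttab entry for a given partition path, and swaps_encrypted answers the question a checker has to answer after the reboot: is every active swap device a dm-crypt mapping? It works from /proc/swaps and the device-mapper attributes under /sys/class/block (a dm-crypt mapping, plain or LUKS, carries a dm UUID beginning with CRYPT-). The script name, the subcommand names and treating no swap at all as a pass are my assumptions; the check takes the swaps file and the sysfs directory as parameters so it can be exercised against constructed files.

```shell
#!/bin/sh
# Added example (not from the post): helpers for the encrypted-swap
# conversion and the post-reboot sanity check.  Assumes Linux with
# /proc/swaps and /sys/class/block; a dm-crypt mapping (plain or LUKS)
# has a dm UUID that starts with "CRYPT-", which is what we key on.
set -u

# Rewrite stdin (an fstab) so every non-comment entry of type "swap"
# uses the mapped device instead of the raw partition, e.g.
#   UUID=9749... none swap defaults 0 0 -> /dev/mapper/swap none swap defaults 0 0
# (awk collapses the whitespace of the lines it rewrites; other lines
# are printed untouched).
fstab_use_dm_swap() {
    awk '$1 !~ /^#/ && $3 == "swap" { $1 = "/dev/mapper/swap" } { print }'
}

# Print the crypttab entry for the swap partition $1.  /dev/urandom as
# the key source means a fresh random key every boot (so no hibernation),
# and the "swap" option makes mkswap run on the mapping at every boot.
# Cipher and key size default to the post's values; pass e.g.
# "aes-xts-plain64 512" as $2 $3 to override.
crypttab_swap_line() {
    printf 'swap %s /dev/urandom swap,cipher=%s,size=%s\n' \
        "$1" "${2:-aes-cbc-essiv:sha256}" "${3:-256}"
}

# Print the device-mapper UUID of block device path $1, looking under
# the sysfs block directory $2 (normally /sys/class/block).  Accepts
# /dev/dm-N or /dev/mapper/NAME; returns 1 for anything that is not a
# dm node (a raw partition, a swap file).
dm_uuid_for() {
    name=$(basename "$1"); sysfs="$2"; f=""
    case "$name" in
        dm-*) f="$sysfs/$name/dm/uuid" ;;
        *)
            # /dev/mapper/NAME is a symlink to /dev/dm-N; find N by its dm name
            for n in "$sysfs"/dm-*/dm/name; do
                if [ -f "$n" ] && [ "$(cat "$n")" = "$name" ]; then
                    f="${n%name}uuid"
                    break
                fi
            done ;;
    esac
    if [ -z "$f" ] || [ ! -f "$f" ]; then
        return 1
    fi
    cat "$f"
}

# Exit 0 when every swap device listed in the swaps file $1 (same format
# as /proc/swaps) is a dm-crypt mapping according to sysfs directory $2,
# else 1.  No swap at all passes (assumption: nothing to leak).  A dm
# device that is not dm-crypt, an LVM logical volume say, fails, because
# device-mapper alone is not encryption.
swaps_encrypted() {
    swaps="$1"; sysfs="$2"
    for dev in $(awk 'NR > 1 { print $1 }' "$swaps"); do
        uuid=$(dm_uuid_for "$dev" "$sysfs") || return 1
        case "$uuid" in
            CRYPT-*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Usage (script name is an assumption):
#   sh swap-helpers.sh check
#   sh swap-helpers.sh fstab > fstab.new
#   sh swap-helpers.sh crypttab /dev/disk/by-partuuid/...
case "${1:-}" in
    check)
        if swaps_encrypted /proc/swaps /sys/class/block; then
            echo "all active swap is on dm-crypt"
        else
            echo "unencrypted swap present" >&2
            exit 1
        fi ;;
    fstab)    fstab_use_dm_swap < /etc/fstab ;;
    crypttab) crypttab_swap_line "$2" ;;
esac
```

The check deliberately refuses anything that is not a CRYPT- mapping, including swap on a plain LVM volume, because a dm device on its own says nothing about whether the pages hit the disk encrypted; the sysfs lookup is how you tell a dm-crypt target apart from any other device-mapper target without root privileges.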

Published by

hughsie

Richard has over 10 years of experience developing open source software. He is the maintainer of GNOME Software, PackageKit, GNOME Packagekit, GNOME Power Manager, GNOME Color Manager, colord, and UPower and also contributes to many other projects and opensource standards. Richard has three main areas of interest on the free desktop, color management, package management, and power management. Richard graduated a few years ago from the University of Surrey with a Masters in Electronics Engineering. He now works for Red Hat in the desktop group, and also manages a company selling open source calibration equipment. Richard's outside interests include taking photos and eating good food.

3 thoughts on “Converting to encrypted swap”

  1. Is there any chance we can have hibernate/suspend-to-disk working with UEFI Secure Boot in your new specification?
