1 |
My first advice would be to forget about suspend-to-disk (hibernate) |
2 |
and go for suspend-to-ram (sleep) - you can implement it securely with |
3 |
the existing feature set of hardened-sources. If you absolutely must |
4 |
hibernate, then yes - you'll need to patch hardened-sources with the |
5 |
suspend2 patchset if you're committed to using that kernel. Once you |
6 |
patch, there are many resources and HOWTOs available discussing the |
7 |
steps to use the suspend2 toolkit to encrypt your hibernation image. |
8 |
|
9 |
I, for one, question why you require hardened-sources (or |
10 |
rsbac-sources). The gains they offer over an appropriately secured |
11 |
user-space are marginal at best, and those are mostly eliminated by |
12 |
the concessions you'll make to run typical laptop setups (X, |
13 |
hibernation, etc.) IMO, they're designed as a tertiary layer of |
14 |
defense to protect against malicious local users where firewalls and |
15 |
user-space controls have failed. Unless there is a specific feature |
16 |
of the hardened trees you are looking for, your inexperience with |
17 |
manually patching kernel sources indicates to me you may be just as |
18 |
well off using suspend2-sources. Remember - the only fully secured |
19 |
system is disconnected, powered off, buried in 10 feet of concrete, |
20 |
and guarded by a dozen Marines that haven't been fed in a week. |
21 |
Beyond that, there is only a concept of "sufficiently secure." |
22 |
|
23 |
Not to discourage you - I run hardened-sources on a laptop myself, but |
24 |
it doesn't hibernate and doesn't run X. |
25 |
-- |
26 |
gentoo-hardened@g.o mailing list |