Modern Linux laptop suspending and screenlocking makes me twitch

September 18, 2015

Modern Linux by and large works quite well on my (work) laptop; I use Fedora, but I have no reason to believe that things on Ubuntu or Debian would be any different. However, every so often there are parts of the whole system that disturb me, and one of them is definitely how suspending and screenlocking interact in, say, Cinnamon.

The brief description is that if I suspend the laptop and then resume it (such as by closing the screen and then later opening it up again), the laptop resumes with the screen unlocked and only locks it once resumed. This is especially disturbing because at least in Cinnamon there is a clear post-resume period where the unlocked screen contents are visible. As they say, I sure hope you didn't have anything sensitive on the screen before you suspended.

On the one hand, I can half see the logic for doing it this way; not waiting to start a screenlocker allows the system to suspend faster and may be required if the first sign of an impending suspend everything gets is a magic signal that says 'we are about to suspend right now'. On the other hand, this makes me nervous about the security issues involved. Are the people involved absolutely sure that there is no way to break in to the system in the time between the resume and the screenlocker activating? People have certainly screwed this one up before on other systems. What happens if you want things like a fully encrypted disk with encryption keys wiped from memory during suspends? Or, for that matter, just a small matter like removing keys from ssh-agent when your screen locker activates.

(I suspect the answer for many desktop environments is 'ha ha not a supported configuration'.)

In the grand tradition of modern Linux desktops, I suspect that there is very little I can do to reliably fix this and very little that the desktop environments are doing to change the situation. Most people don't care about security at this level (and most people probably have faster laptops than mine, so they screenlock much faster after resume).

(At one point several versions ago, Cinnamon actually broke locking the screen after resuming from suspend. It was apparently not an urgent enough bug for either Cinnamon or Fedora to push out a fix, which I suspect says it all here.)


Comments on this page:

By Luigi "tosky" Toscano at 2015-09-18 04:37:01:

This is Cinnamon specific. Plasma restarts with a locked session, and the KWin maintainer is paying a lot of attention to this topic. See for example:

http://blog.martin-graesslin.com/blog/2014/05/screenlocker-architecture-in-plasma-next/
http://blog.martin-graesslin.com/blog/2015/09/lock-screen-security-of-phones/

There are still issues which come from X11 architecture, though: http://blog.martin-graesslin.com/blog/2015/01/why-screen-lockers-on-x11-cannot-be-secure/

Last modified: Fri Sep 18 02:19:13 2015