item 45345349

maverwa | 5 months ago

To add some context: man kernel_lockdown[1] reads "Unencrypted hibernation/suspend to swap are disallowed as the kernel image is saved to a medium that can then be accessed.". And to my understanding there is currently no way to tell a (mainline) kernel that allows "encrypted hibernate", i.e. no way to tell the kernel that its hibernation disk is "secure".

So it's not a direct "linux prevents hibernate on secure boot", it's "linux recommends kernel_lockdown when secure booting", "kernel_lockdown prevents hibernate with unencrypted swap" and "there's no way to make the kernel believe the hibernation disk is encrypted", but the result is the same.

You can "just" run secure boot without lockdown. It's a cmdline, you can just omit it. You can run custom patch sets that add cmdline options so the kernel allows hibernation in lockdown (if you pinky-promise the swap is encrypted).

But neither of these is easily accessible to the average user.

1: https://manpages.debian.org/bullseye/manpages/kernel_lockdow...
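As an added example (not from this thread, and not any distribution's or the kernel's own tooling), the following POSIX shell diagnostic checks the three things the comment above ties together: whether a `lockdown=` parameter was passed on the kernel command line, which lockdown mode is active according to `/sys/kernel/security/lockdown` (the active mode is shown in brackets, e.g. `none [integrity] confidentiality`), and whether each swap partition in `/proc/swaps` is a dm-crypt mapping according to `lsblk`'s `TYPE` column. The function names and the sample inputs used for testing are constructed for this example; the sysfs, procfs and `lsblk` interfaces are real.

```shell
#!/bin/sh
# Constructed example: report whether kernel lockdown will refuse hibernation
# and whether the swap that hibernation would write to is encrypted.

# Extract the value of lockdown=... from a kernel command line string.
# Prints nothing when the parameter is absent.
cmdline_lockdown() {
    for tok in $1; do
        case "$tok" in
            lockdown=*) printf '%s\n' "${tok#lockdown=}"; return 0 ;;
        esac
    done
    return 0
}

# Parse the contents of /sys/kernel/security/lockdown; the active mode is the
# bracketed word, e.g. "none [integrity] confidentiality" -> integrity.
active_lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Hibernation is refused in both integrity and confidentiality mode; mainline
# has no knob to declare the swap encrypted, so swap encryption does not change
# this result. Returns 0 (true) when hibernation is blocked.
hibernate_blocked() {
    case "$1" in
        integrity|confidentiality) return 0 ;;
        *) return 1 ;;
    esac
}

# $1: contents of /proc/swaps; $2: "path type" lines as printed by
# `lsblk -rno PATH,TYPE`. Prints "<device> encrypted|plain" per swap partition
# (type "crypt" means a dm-crypt mapping) and flags swap files separately.
swap_encryption_report() {
    printf '%s\n' "$1" | awk -v types="$2" '
        BEGIN {
            n = split(types, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, " "); t[f[1]] = f[2] }
        }
        NR > 1 && $2 == "partition" { print $1, (t[$1] == "crypt") ? "encrypted" : "plain" }
        NR > 1 && $2 == "file"      { print $1, "swapfile (encryption depends on the filesystem)" }'
}

# Read the live system when the interfaces are present; otherwise say so.
main() {
    if [ -r /proc/cmdline ]; then
        req=$(cmdline_lockdown "$(cat /proc/cmdline)")
        echo "cmdline lockdown=: ${req:-(absent)}"
    fi
    if [ -r /sys/kernel/security/lockdown ]; then
        mode=$(active_lockdown_mode "$(cat /sys/kernel/security/lockdown)")
    else
        mode=none
        echo "lockdown: sysfs file not present (no lockdown LSM, or securityfs not mounted)"
    fi
    echo "active lockdown mode: ${mode:-unknown}"
    if hibernate_blocked "${mode:-none}"; then
        echo "hibernation: blocked by lockdown"
    else
        echo "hibernation: not blocked by lockdown"
    fi
    if [ -r /proc/swaps ] && command -v lsblk >/dev/null 2>&1; then
        swap_encryption_report "$(cat /proc/swaps)" "$(lsblk -rno PATH,TYPE 2>/dev/null || true)"
    fi
    return 0
}

main "$@"
```

Run it as root or as an ordinary user; the sysfs lockdown file is world-readable on most distributions. A `plain` line next to `blocked by lockdown` is the exact situation the comment describes: the only supported ways out are dropping `lockdown=` from the command line or encrypting the swap and carrying an out-of-tree patch.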


imglorp | 5 months ago

It seems there should be a distro that eases this route with some configuration options. Is there none?