8

I'd like to be able to hibernate another one of my Debian/KDE machines because it's practical and I'd like to save some energy.
I can't hibernate another one which has a swapfile and Secure Boot currently disabled.

The machine runs Debian10/KDE, has Secure Boot enabled and currently doesn't have a swapfile but a swap-partition (which is larger than the RAM). The hard disk is fully encrypted. I already tried the following:

  • In the DE I went to Leave but unlike on my other machine there is no entry for "Hibernate". When I search for "Hibernate" the button appears but I can't right click it for more info and nothing happens when I click it.

  • Installing uswsusp and then running sudo s2disk. This returns:

    s2disk: Could not open the snapshot device. Reason: Operation not permitted
    
  • Installing hibernate and running sudo hibernate. This returns:

    hibernate:Warning: Tuxonice binary signature file not found.  
    UdevQt: unhandlet device action "unbind"  
    UdevQt: unhandled device action "unbind"  
    UdevQt: unhandlet device action "bind"  
    UdevQt: unhandled device action "bind"  
    
  • Installing pm-utils and then executing sudo pm-hibernate. This returns nothing and nothing happens.

  • Running sudo systemctl hibernate.

    Failed to hibernate system via logind: Sleep verb "hibernate" not supported
    

Searching syslog for "error" or "hibern" doesn't show anything.

Is it because of security issues? I intend to change the swap-partition to a swapfile later. Hibernating with Secure Boot should be fine when the disk is fully encrypted.

6
  • For some reason I only got this to work with openSUSE installer and its handling/configuration of GRUB2. I assume that you are using LVM on LUKS with /, /home and swap all inside the LVM container? Commented Aug 13, 2019 at 11:57
  • Please post your kernel commandline (cat /proc/cmdline, it needs resume) and lsblk output. Commented Aug 13, 2019 at 12:15
  • sudo lvdisplay shows that all 3 partitions are inside the volume group. cmdline has: BOOT_IMAGE=/vmlinuz-4.19.0.5-amd64 root=/dev/mapper/Debian-root ro quiet apparmor=1 security=apparmor. lsblk also shows all 3 partitions being part of the same crypt container. What do you mean with it needing resume? Do I need to edit uswsusp.conf and grub as described here?: wiki.debian.org/Hibernation/Hibernate_Without_Swap_Partition Commented Aug 13, 2019 at 15:13
  • 1
    Let's stay with a swap partition for the moment and get it to work because I believe doing that in a file is more complicated. I see your problem and will start with an answer when I can access the laptop where it works. Commented Aug 13, 2019 at 15:16
  • 1
    Well, for me on Debian testing, it works for suspend to RAM, with disk fully encrypted LUKS on LVM. I also enabled Secure Boot with custom keys. In both cases (Secure Boot enabled/disabled) it doesn't work for me. I have no DE. Commented Aug 17, 2019 at 2:35

1 Answer

0

I have a similar setup (Debian 12) with full disk encryption including a swap partition larger than my RAM. When I do systemctl hibernate with Secure Boot enabled I see the same "not supported" message. dmesg | grep Lockdown shows the reason:

    [ 50.192145] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7

The Debian wiki on hibernation says

Hibernation under secure boot has been disabled since kernel 4.13.

The feature is called kernel_lockdown and the wiki quotes from its man page as follows:

Unencrypted hibernation/suspend to swap are disallowed as the kernel image is saved to a medium that can then be accessed

The man page explains how it is activated:

On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled if the system boots in EFI Secure Boot mode

I can see what mode kernel lockdown is in with cat /sys/kernel/security/lockdown. This shows: none [integrity] confidentiality ("none" is off). The wiki on Secure Boot does not make the distinction above about "Unencrypted hibernation", it just says the features disabled by Secure Boot include:

Hibernation and resume from hibernation.

You very sensibly say:

Hibernating with Secure Boot should be fine when the disk is fully encrypted.

This is very true and there are workarounds (archive) but the bottom line is hibernation is currently disabled with Secure Boot in Debian.
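
A small diagnostic that gathers the checks mentioned in this thread (the active lockdown mode and a resume= kernel parameter) plus whether the kernel advertises the "disk" sleep state, added here as an example and not part of the original answer. The function names and the optional file-path arguments are assumptions for illustration, and /sys/power/state is not mentioned in the thread.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the thread): why might hibernation be refused?
# Each function takes an optional file path so it can be tried on sample files.

# Print the active lockdown mode: the bracketed word in "none [integrity] confidentiality".
lockdown_mode() {
    f=${1:-/sys/kernel/security/lockdown}
    [ -r "$f" ] || { echo unknown; return 0; }
    sed -n 's/.*\[\([a-z]*\)].*/\1/p' "$f"
}

# Succeed if the kernel command line names a resume device (resume=...).
has_resume_param() {
    f=${1:-/proc/cmdline}
    [ -r "$f" ] || return 1
    tr ' ' '\n' < "$f" | grep -q '^resume='
}

# Succeed if the kernel lists "disk" (suspend-to-disk) among its sleep states.
supports_disk_state() {
    f=${1:-/sys/power/state}
    [ -r "$f" ] || return 1
    tr ' ' '\n' < "$f" | grep -qx 'disk'
}

# Print one line per check; arguments are optional overrides for the three files.
hibernate_report() {
    mode=$(lockdown_mode "${1:-}")
    case $mode in
        none) echo "lockdown: off" ;;
        integrity|confidentiality) echo "lockdown: $mode (hibernation restricted)" ;;
        *) echo "lockdown: unknown" ;;
    esac
    if has_resume_param "${2:-}"; then echo "resume=: present"
    else echo "resume=: missing"; fi
    if supports_disk_state "${3:-}"; then echo "disk state: available"
    else echo "disk state: not advertised"; fi
}

# Run against the live system only when asked: sh script.sh --report
if [ "${1:-}" = "--report" ]; then hibernate_report; fi
```
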
