Patching the kernel to allow hibernation with secure-boot enabled

Question

My current config is Windows-11 (required for my job) and Ubuntu 21.10 dual-booting on an HP Probook G10. Since I have to have secure-boot to run Win-11, I have to live without hibernation on Linux (really really difficult).

I realize that hibernation is now officially disabled when secure-boot is enabled on all pre-built kernels. I appreciate the security and understand the nature of the decision for the lockout. But is there an "officially unofficial" way to relax this setting in a kernel compile config option or patch so that hibernation and secure-boot and co-exist, despite the staggering security risks it introduces?

I just want to be able to boot Win-11 and Linux while accepting the full litany of risks that this would open me up to.

Possible?

Answer 1

The lockdown LSM module is what disables hibernation, and there is a kernel compile flag for this called CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT, set it to no and it won't enable lockdown in when EFI secure booted.

Answer 2

Here's a patch I quickly wrote and have been using:

https://gist.github.com/kelvie/917d456cb572325aae8e3bd94a9c1350

I also ran into this setting up my Framework laptop with almost the same setup.

I have an encrypted swap (and encrypted RAM enabled), so with this patch you should understand the risks before adding lockdown_hibernate to your kernel params and forcing it to enable hibernate during lockdown.

The advantage of this vs just disabling lockdown altogether is that you still get the majority of the other protections that lockdown mode affords, albeit it's a moot point if someone can get your kernel to load from a compromised swap.

Answer 3

The assumption of hibernation being completely disabled is WRONG. You require a LUKS-encrypted swap or disk.

How can Linux hibernation be enabled under UEFI Secure Boot with kernel lockdown on select current distributions (or main line kernel)?