Can't hibernate with encrypted swap partition when secureboot enabled

Ask Fedora
, , , ,
1

I can’t make hibernation work when secureboot enabled, even with encrypted swap partition.

systemctl hibernate

Call to Hibernate failed: Sleep verb 'hibernate' is not configured or configuration is not supported by kernel

dmesg | tail

[  277.384727] usb 3-1: USB disconnect, device number 2
[  970.743088] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 1180.971933] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 1199.595358] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 1212.163790] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 1577.791641] Lockdown: fish: hibernation is restricted; see man kernel_lockdown.7
[ 2050.996106] usb 3-5: reset high-speed USB device number 4 using xhci_hcd
[ 2051.259850] usb 3-5: reset high-speed USB device number 4 using xhci_hcd
[ 2370.900651] usb 3-5: reset high-speed USB device number 4 using xhci_hcd
[ 2371.163186] usb 3-5: reset high-speed USB device number 4 using xhci_hcd

lsblk

NAME        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
zram0       251:0    0     8G  0 disk  [SWAP]
nvme1n1     259:0    0 931.5G  0 disk  
├─nvme1n1p1 259:1    0    32G  0 part  
│ └─swap    252:1    0    32G  0 crypt [SWAP]
└─nvme1n1p2 259:2    0 899.5G  0 part  
  └─data    252:0    0 899.5G  0 crypt /mnt/data
nvme0n1     259:3    0 476.9G  0 disk  
├─nvme0n1p1 259:4    0    16G  0 part  
└─nvme0n1p2 259:5    0 460.9G  0 part  
  └─root    252:2    0 460.9G  0 crypt /

swapon

NAME       TYPE      SIZE USED PRIO
/dev/dm-1  partition  32G   0B   -2
/dev/zram0 partition   8G   0B  100

fastfetch

             .',;::::;,'.                 root@LiAlH4-Laptop
         .';:cccccccccccc:;,.             ------------------
      .;cccccccccccccccccccccc;.          OS: Fedora Linux 42 (Workstation Edition) x86_64
    .:cccccccccccccccccccccccccc:.        Host: 21CX (ThinkBook 14 G4+ IAP)
  .;ccccccccccccc;.:dddl:.;ccccccc;.      Kernel: Linux 6.16.10-200.fc42.x86_64
 .:ccccccccccccc;OWMKOOXMWd;ccccccc:.     Uptime: 49 mins
.:ccccccccccccc;KMMc;cc;xMMc;ccccccc:.    Packages: 1775 (rpm), 17 (flatpak)
,cccccccccccccc;MMM.;cc;;WW:;cccccccc,    Shell: fish 4.0.2
:cccccccccccccc;MMM.;cccccccccccccccc:    Display (AUOC391): 2880x1800 @ 90 Hz in 14" [Built-in]
:ccccccc;oxOOOo;MMM000k.;cccccccccccc:    Terminal: xterm-256color
cccccc;0MMKxdd:;MMMkddc.;cccccccccccc;    CPU: 12th Gen Intel(R) Core(TM) i5-12500H (16) @ 4.50 GHz
ccccc;XMO';cccc;MMM.;cccccccccccccccc'    GPU: Intel Iris Xe Graphics @ 1.30 GHz [Integrated]
ccccc;MMo;ccccc;MMW.;ccccccccccccccc;     Memory: 6.09 GiB / 15.33 GiB (40%)
ccccc;0MNc.ccc.xMMd;ccccccccccccccc;      Swap: 0 B / 39.98 GiB (0%)
cccccc;dNMWXXXWM0:;cccccccccccccc:,       Disk (/): 336.41 GiB / 460.70 GiB (73%) - xfs
cccccccc;.:odl:.;cccccccccccccc:,.        Disk (/mnt/data): 17.25 GiB / 899.06 GiB (2%) - xfs
ccccccccccccccccccccccccccccc:'.          Local IP (wlp0s20f3): 192.168.86.78/24
:ccccccccccccccccccccccc:;,..             Battery (L21D4PD6): 100% [AC Connected]
 ':cccccccccccccccc::;,.                  Locale: en_US.UTF-8
2

I was testing the same setup.

From reading the kernel source here security/lockdown/lockdown.c · os-build · cki-project / kernel-ark · GitLab I think hibernation is blanket blocked in kernel_lockdown model (enabled by secure boot). It doesn’t check whether the swap partition is encrypted or not, so the only way to enable hibernation is disable secure boot.