Hibernation in F36 with Secure Boot on

Hi all,

I’m using a Framework Laptop which I’m satisfied with running F36 (and F35 before) mostly. Battery life and esp. in stand-by is not so great.

This article implies, that hibernation is possible with Secure Boot on: https://fedoramagazine.org/hibernation-in-fedora-36-workstation/

But when I tried an trouble shoot-ed I found that in fact the failure lies within kernel lockdown. Also this site implies hibernation doesn’t work with Secureboot: Secureboot - Fedora Project Wiki

My question: What’s right? Is it possible? Is there an easy way to get it working? My ideal would be like 2h Standby and then hibernate.

My specs: Framework Laptop with 11th Gen i5, 32GB RAM, btrfs with LUKS enc., F36.

Thanks in advance

As I understand it, right now, you can disable secureboot and get hibernation working, or have secureboot and no hibernation.

It’s possible to compile a linux kernel with secureboot enabled which allows hibernation, but I don’t believe Fedora offers that out-of-the-box in any way shape or form. Also, doing this is essentially turning on a security feature then intentionally opening a gaping secure hole that can be exploited to get around said security feature. As far as I can tell, Linux doesn’t currently support a hibernation mechanism that can verify the integrity of hibernation files so as retain secureboot integrity through hibernation resume.

I’ve been looking for any discussion or work on verifying kernel memory in hibernation files so as to have an actually secure hibernation that can be enabled without compromising secureboot, but I haven’t found any yet. I believe that’s what Windows currently does to get a fully secure secureboot while still allowing hibernation. I hope someone is doing the work to get something along these lines into the Linux kernel, but I’m not sure where to look.

Edit: I found a thread in the linux kernel mailing list earlier this year, LKML: Evan Green: [PATCH 00/10] Encrypted Hibernation, from someone presumably on the Chrome OS team looking to upstream an implementation that I think matches the needs here.

I’ll keep updating if I find anything else. This is all upstream kernel work that would have to be reviewed, merged, and then released before fedora could integrate any of it but it’s exciting to see at least someone looking into writing this.

1 Like