I keep getting this in the journal:
Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
and a glance at the man page reveals that hibernation and secure boot don't play nice unless the swap image filesystem is encrypted. My immediate reaction is to disable Secure Boot, but I'd like to know if there's an easy workaround, bearing in mind that my system is set to hibernate overnight and wake up automatically in the morning, without me having to type in a password.
poc
On Wed, Aug 21, 2024 at 7:35 AM Patrick O'Callaghan pocallaghan@gmail.com wrote:
> I keep getting this in the journal:
> Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
> and a glance at the man page reveals that hibernation and secure boot don't play nice unless the swap image filesystem is encrypted. My immediate reaction is to disable Secure Boot, but I'd like to know if there's an easy workaround, bearing in mind that my system is set to hibernate overnight and wake up automatically in the morning, without me having to type in a password.
Better security almost always adds inconveniences, so there are cost versus benefit tradeoffs and it is rare to have "easy" workarounds. A laptop that could be snatched by bad actors has different requirements than a server in a secure location. "Secure boot" is mostly theater until we have unified kernels, so ranks high on the cost/benefit scale.
On Wed, 2024-08-21 at 11:34 +0100, Patrick O'Callaghan wrote:
> I keep getting this in the journal:
> Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
> and a glance at the man page reveals that hibernation and secure boot don't play nice unless the swap image filesystem is encrypted. My immediate reaction is to disable Secure Boot, but I'd like to know if there's an easy workaround, bearing in mind that my system is set to hibernate overnight and wake up automatically in the morning, without me having to type in a password.
I've disabled Secure Boot in the UEFI settings, but I'm still getting the same error when trying to hibernate. Is there something else I need to do to tell Fedora that SB is disabled? Or maybe generate a new initramfs?
poc
On Thu, 2024-08-22 at 11:31 +0100, Patrick O'Callaghan wrote:
> On Wed, 2024-08-21 at 11:34 +0100, Patrick O'Callaghan wrote:
> > I keep getting this in the journal:
> > Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
> > and a glance at the man page reveals that hibernation and secure boot don't play nice unless the swap image filesystem is encrypted. My immediate reaction is to disable Secure Boot, but I'd like to know if there's an easy workaround, bearing in mind that my system is set to hibernate overnight and wake up automatically in the morning, without me having to type in a password.
> I've disabled Secure Boot in the UEFI settings, but I'm still getting the same error when trying to hibernate. Is there something else I need to do to tell Fedora that SB is disabled? Or maybe generate a new initramfs?
To follow up on this:
$ cat /sys/kernel/security/lsm
lockdown,capability,yama,selinux,bpf,landlock,ima,evm
i.e. lockdown is still enabled, despite TPM being off and Secure Boot disabled in the UEFI settings.
poc
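Added diagnostic example (not from the thread): /sys/kernel/security/lsm only lists the LSMs the kernel initialised, so "lockdown" appearing there is not the same as a lockdown mode being enforced; the enforced mode is the bracketed word in /sys/kernel/security/lockdown, and it can also be forced by a lockdown= kernel command-line parameter regardless of Secure Boot. The script reads those standard paths when present and otherwise falls back to constructed sample contents modelled on the output above.

```sh
#!/bin/sh
# Added example: tell "lockdown LSM is built in" apart from "a lockdown
# mode is enforced", which is what actually blocks hibernation. The lsm
# file lists initialised LSMs; the lockdown file shows the enforced mode
# in brackets, e.g. "none [integrity] confidentiality". A lockdown=
# parameter on the kernel command line forces a mode independent of
# Secure Boot, so /proc/cmdline is checked too.

# Print the active mode from the contents of /sys/kernel/security/lockdown.
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Succeed if "lockdown" is an entry in a comma-separated LSM list.
lsm_has_lockdown() {
    case ",$1," in
        *,lockdown,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the value of lockdown= from kernel command-line text, if present.
cmdline_lockdown() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^lockdown=//p'
}

# Succeed if the enforced mode refuses hibernation to unencrypted swap
# (integrity or stricter).
hibernation_restricted() {
    case "$(lockdown_mode "$1")" in
        integrity|confidentiality) return 0 ;;
        *) return 1 ;;
    esac
}

# Read a file if readable, otherwise use the constructed sample in $2.
read_or_sample() {
    if [ -r "$1" ]; then cat "$1"; else printf '%s\n' "$2"; fi
}

main() {
    lsm=$(read_or_sample /sys/kernel/security/lsm "lockdown,capability,yama,selinux,bpf,landlock,ima,evm")
    ld=$(read_or_sample /sys/kernel/security/lockdown "none [integrity] confidentiality")
    cmd=$(read_or_sample /proc/cmdline "BOOT_IMAGE=/vmlinuz ro quiet")
    lsm_has_lockdown "$lsm" && echo "lockdown LSM is built in (this alone restricts nothing)"
    echo "enforced lockdown mode: ${ld:+$(lockdown_mode "$ld")}"
    forced=$(cmdline_lockdown "$cmd"); [ -n "$forced" ] && echo "forced by lockdown=$forced"
    if hibernation_restricted "$ld"; then echo "hibernation to unencrypted swap is refused"; fi
}
main
```

If the enforced mode is integrity while Secure Boot is off and no lockdown= parameter is present, the kernel itself is selecting the mode at boot, which is the remaining place to look.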