1. Forum
  2. Usenet
  3. LINUX.DEBIAN.USER

  • Trying to configure hibernate / resume

    From Richmond@21:1/5 to All on Sat Nov 30 19:00:01 2024
    Hibernate does not seem to be available on my system. My desktop is
    Mate. When the system was installed I accepted the default swap space
    size but this was way to small, only 1G for a system with 8G of RAM.

    So I made a new swap space and set it up in /etc/fstab and set it up as
    resume.

    "
    systemctl hibernate
    Call to Hibernate failed: Sleep verb "hibernate" not supported
    "

    So, I check that I have only one swap space and it is larger than RAM. I
    have it configured in /etc/fstab

    I also make sure that this is in /etc/initramfs-tools/conf.d/resume

    I run:

    update-initramfs -u
    update-grub2

    But when I check:

    cd /etc/grub.d/
    find . -print|xargs grep resume

    There is no resume command line parameter for kernel 6 which I am using, although there are for older kernels, but they have the wrong resume
    partition in them.

    Also I reboot the system and edit the debian menu entry and see there is
    no resume command line parameter.

    How do I get that resume space as a command line parameter and enable hibernation?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Richmond@21:1/5 to All on Sat Nov 30 21:10:01 2024
    It's because secure boot prevents it.

    :(

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andrew M.A. Cater@21:1/5 to Richmond on Sat Nov 30 21:30:01 2024
    On Sat, Nov 30, 2024 at 07:57:14PM +0000, Richmond wrote:
    It's because secure boot prevents it.

    :(


    Hi Richmond,

    A quick search with a search engine: boot is restricted, not impossible.

    The answer seems to be to install with LVM and encryption. That ensures
    that the swap area is encrypted and *cannot* be messed with while the
    device is hibernated (which is the rationale for Secure Boot not allowing hibernation to a "naked" swap partition).

    That answer came from Stack Exchange but the poster suggests this as
    possible under (at least) Red Hat, SUSE and Debian.

    Hope this helps

    Andy
    ([email protected])

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Stefan Monnier@21:1/5 to All on Sat Nov 30 23:10:01 2024
    The answer seems to be to install with LVM and encryption. That ensures
    that the swap area is encrypted and *cannot* be messed with while the
    device is hibernated (which is the rationale for Secure Boot not allowing hibernation to a "naked" swap partition).

    How does UEFI know about Debian's swap and how does it know whether
    it's encrypted?


    Stefan

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andrew M.A. Cater@21:1/5 to Stefan Monnier on Sun Dec 1 00:10:01 2024
    On Sat, Nov 30, 2024 at 05:08:29PM -0500, Stefan Monnier wrote:
    The answer seems to be to install with LVM and encryption. That ensures that the swap area is encrypted and *cannot* be messed with while the device is hibernated (which is the rationale for Secure Boot not allowing hibernation to a "naked" swap partition).

    How does UEFI know about Debian's swap and how does it know whether
    it's encrypted?


    Hi Stefan,

    Booting via UEFI is orthogonal to Secure Boot.

    If SB is *enabled* then certain functions are restricted when considering
    what can be done by kernel modules.
    .
    https://wiki.debian.org/SecureBoot#Secure_Boot_limitations suggests
    that one of those may be hibernation/resume.

    if you have partitioned "all in one partition" with encrypted KVM,
    the ESP is not encrypted but everything else is. The swap partition
    is encrypted so cannot be modified outside the control of the modules.

    That's how I read it, anyway

    All the very best, as ever,

    Andy


    Stefan


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Anssi Saari@21:1/5 to Andrew M.A. Cater on Mon Dec 2 12:50:01 2024
    "Andrew M.A. Cater" <[email protected]> writes:

    A quick search with a search engine: boot is restricted, not impossible.

    The answer seems to be to install with LVM and encryption. That ensures
    that the swap area is encrypted and *cannot* be messed with while the
    device is hibernated (which is the rationale for Secure Boot not allowing hibernation to a "naked" swap partition).

    That answer came from Stack Exchange but the poster suggests this as
    possible under (at least) Red Hat, SUSE and Debian.

    If it was https://unix.stackexchange.com/questions/747938/how-can-linux-hibernation-be-enabled-under-uefi-secure-boot-with-kernel-lockdown
    it doesn't seem to me he suggests anything of the sort. Works (a little clunkily) for OpenSUSE but nothing is stated about anything else.

    However, high time to update Debian wiki if it is actually possible
    now. Hm, maybe it could work in Debian with OpenSUSE's kernel?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Stefan Monnier@21:1/5 to All on Tue Dec 3 15:30:01 2024
    The answer seems to be to install with LVM and encryption. That ensures
    that the swap area is encrypted and *cannot* be messed with while the
    device is hibernated (which is the rationale for Secure Boot not allowing >> > hibernation to a "naked" swap partition).
    How does UEFI know about Debian's swap and how does it know whether
    it's encrypted?
    If SB is *enabled* then certain functions are restricted when considering what can be done by kernel modules.

    So IIUC the restriction is imposed by the Linux kernel rather than by
    the machine's firmware (BIOS/UEFI/...)?
    That would indeed explain how it knows whether it's encrypted. 🙂


    Stefan

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)