Hibernate + Full Disk Encryption = Resume hangs

English Install/Boot/Login
#1

Hello All,
I’m trying to get hibernate to work with a fully encrypted disk.
All setup was done within Yast installation; VERSION_ID=“20210817”.


> lsblk
NAME        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda           8:0    0 465.8G  0 disk   
├─sda1        8:1    0   512M  0 part  /boot/efi
├─sda2        8:2    0 445.8G  0 part   
│ └─cr_root 254:1    0 445.8G  0 crypt /var
└─sda3        8:3    0  19.4G  0 part   
  └─cr_swap 254:0    0  19.4G  0 crypt [SWAP]

Here’s the hardware:


> lspci
00:00.0 Host bridge: Intel Corporation Xeon E3-1200 v6/7th Gen Core Processor Host Bridge/DRAM Registers (rev 08)
00:02.0 VGA compatible controller: Intel Corporation UHD Graphics 620 (rev 07)
00:14.0 USB controller: Intel Corporation Sunrise Point-LP USB 3.0 xHCI Controller (rev 21)
00:15.0 Signal processing controller: Intel Corporation Sunrise Point-LP Serial IO I2C Controller #0 (rev 21)
00:15.1 Signal processing controller: Intel Corporation Sunrise Point-LP Serial IO I2C Controller #1 (rev 21)
00:16.0 Communication controller: Intel Corporation Sunrise Point-LP CSME HECI #1 (rev 21)
00:17.0 SATA controller: Intel Corporation Sunrise Point-LP SATA Controller [AHCI mode] (rev 21)
00:1c.0 PCI bridge: Intel Corporation Sunrise Point-LP PCI Express Root Port #1 (rev f1)
00:1c.4 PCI bridge: Intel Corporation Sunrise Point-LP PCI Express Root Port #5 (rev f1)
00:1c.5 PCI bridge: Intel Corporation Sunrise Point-LP PCI Express Root Port #6 (rev f1)
00:1f.0 ISA bridge: Intel Corporation Sunrise Point LPC Controller/eSPI Controller (rev 21)
00:1f.2 Memory controller: Intel Corporation Sunrise Point-LP PMC (rev 21)
00:1f.3 Audio device: Intel Corporation Sunrise Point-LP HD Audio (rev 21)
00:1f.4 SMBus: Intel Corporation Sunrise Point-LP SMBus (rev 21)
01:00.0 3D controller: NVIDIA Corporation GP108M [GeForce MX150] (rev a1)
02:00.0 Unassigned class [ff00]: Realtek Semiconductor Co., Ltd. RTL8411B PCI Express Card Reader (rev 01)
02:00.1 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 12)
03:00.0 Network controller: Qualcomm Atheros QCA9377 802.11ac Wireless Network Adapter (rev 31)

I told Yast to increase the swap size to about 20 GB to match the RAM.

Then I performed the step mentioned here: https://forums.opensuse.org/showthread.php/555820-Hibernation-Sleep-Configuration
I wasn’t sure about the last step: What’s the correct setting for the boot command line for resume=??? in combination with a fully encrypted drive (i.e. LUKS and btrfs)?

Current status: Hibernating seem to work (how can I tell?), but resuming hangs. I’m being asked about the disk password and then the boot spinner turns forever.

Is this such an uncommon setup or are there better solutions, because I couldn’t find any recent discussions on this topic.

Thanks a lot for any hints!

PS: There are some old threads from 2008 which are most probably outdated: https://forums.opensuse.org/showthread.php/395039-Full-Disk-Encryption-with-Support-for-Hibernation

#2

It should reference whatever you are using for swap.

With an encrypted LVM, that is often “/dev/mapper/system/swap”. But that’s only if you go with LVM and the defaults. Look for the swap definition in “/etc/fstab” and use that. Or find the UUID and set it to “UUID=that-uuid” (replace “that-uuid” with what you found for swap).

#3

Thanks for the hint. What I initially used was the partition UUID given by “cfdisk” (way too many UUIDs in this business, IMHO).
Now I used the UUID in “/etc/fstab”, but I got the same result. Here’s what a boot now looks like for me:

  1. Prompt “Welcome to GRUB!” “Attempting to decrypt master key” “Enter passphrase for …”
  2. “Booting openSUSE…” (where did my GRUB menu go?)
  3. Graphical prompt for… well, it doesn’t tell: just an input field, a keyboard icon and “de” for German keyboard layout and a Tumbleweed logo at the bottom.
  4. After typing in the decrypt password, I get a spinner which would spin until the battery dies, I guess.
    Switching to VT1 gives me exactly three lines which I also saw during a non-resume and successful boot:
x86/cpu: SGX disabled by BIOS
integrity: Problem loading X.509 certificate -65
integrity: Problem loading X.509 certificate -65
  1. Switching back to VT7 shows me the spinner happily spinning.

A few observations:

  • IIRC, the result was the same for the initially wrong UUID.
  • Same result for Secure Boot on and off in BIOS.
  • All other VTs are empty.

I’m wondering if the initial dump to disk is the culprit, why I don’t see a GRUB boot menu anymore and how I’m going to boot successfully now (w/ or w/o resume)… :question:
Any help is highly appreciated. :slight_smile:

#4

It is hard to tell what is the problem.

Personally, I don’t use hibernation. So I don’t have much experience with that.

I did experiment with hibernation a while ago. On reboot, it booted straight into the system. I don’t remember whether it successfully recovered from hibernation. I think it is part of the hibernation setup, that you are supposed to boot back into the hibernated system and no have a normal grub menu. The idea is that booting to anything else could leave a corrupted disk. You can maybe try removing “/boot/grub2/grubenv” to get a normal grub menu back.

#5
  1. What about installed memory? Post

inxi -Fmz
  1. Disable secure boot because of

Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7

Check it with

dmesg | grep -i secur
  1. When you see graphical prompt - type in correct password for LUKS (with a correct language. Possibly you have to use English, not Deutsch).
    Is is Plymouth screen? You may hit Esc button to get text output.
    With Nvidia try to disable or uninstall it.