openSuSE 15.6 not hibernating any more

MQ · June 2, 2025, 5:01pm

I suspect this is the same problem as topic 184133, but I don’t understand the fix.

openSuSE 15.6 on HP Envy laptop, used to hibernate OK but since recent updates (including to BIOS) I getLockdown: systemd-hiberna: hibernation is restricted; see man kernel_lockdown.7 followed by PM: hibernation: the secret key is invalid

SecureBoot is enabled as is full LUKS encryption - so any hibernation image is well protected.

It sounds as if I need to create a secret key and enroll in NVRAM, but I can’t work how to do this, any pointers please?

Cheers
Richard

arvidjaar · June 2, 2025, 7:33pm

Should be

echo 1 > /sys/firmware/efi/secret-key

and then reboot.

Richard_MQ · June 2, 2025, 7:43pm

Thanks for the quick response, but unfortunately this doesn’t work:

$ sudo echo 1 > /sys/firmware/efi/secret-key
bash: /sys/firmware/efi/secret-key: Is a directory

Indeed there is a file there:

$ ls -al /sys/firmware/efi/secret-key/regen
-rw-r--r-- 1 root root 4096 Jun  2 09:13 /sys/firmware/efi/secret-key/regen
$ sudo cat /sys/firmware/efi/secret-key/regen
0

This seems to be protected as I cannot mv it as sudo.

There’s nothing I’ve consciously done that would create this.

arvidjaar · June 3, 2025, 4:33am

Yes, this is the correct file, sorry.

Of course you cannot.

su -
echo 1 > /sys/firmware/efi/secret-key/regen

szw0407 · June 3, 2025, 5:57pm

So is this the solution? No, I had no solution… No one gave me any idea until you pinged me. Thanks.

I am to try it later. But now I have another problem.

If I use a swapfile inside the encrypted BTRFS, why is it still considered as unencrypted? I think this has nothing different if I were using LUKS2 LVM and a swap partition inside it I suppose.

Yeah, I removed my SWAP partition now and am using a swapfile.

szw0407 · June 3, 2025, 6:00pm

Hibernation no longer works - English / Install/Boot/Login - openSUSE Forums

Seems related. I am quite confused why I didn’t find that post. I searched this time for the command above to know what it does and found this one.

Richard_MQ · June 3, 2025, 8:06pm

Perfect, many thanks - all sorted.
This really needs to be in the wiki…
Best
Richard (MQ)

Richard_MQ · June 3, 2025, 8:13pm

I am using LVM encrypted swap, set up by YaST at install time (just a small EFI system boot partition on the disc, with the rest as one big LUKS LVM containing swap, root and home partitions). One tool I tried advised that swap was unencrypted, because it is once the tool is running, but this shouldn’t stop hibernation.

The key thing we need is as arvidjaar said:

su -
echo 1 > /sys/firmware/efi/secret-key/regen

Cheers
R.