Hey,
Been trying to set up hibernation with secure boot on an encrypted swap on my laptop (ASUS Vivobook S14, Ryzen AI 365). I've seen conflicting information as to whether this is even working/possible with lockdown enabled in the kernel, and am just wondering if there's something I'm missing. I've read some sources that say the swap partition must be created via LVM on the root partition, and some saying a separate swap partition will work fine if encrypted. Is there some sort of systemd config file I'm missing maybe? Do I need to wipe my system and try LVM swap? Using AppArmor if that's relevant.
Thanks for any insight you all can provide.
Partitioning is LUKS2 btrfs root, separate swapfs swap partition.
Steps taken:
Modified /etc/crypttab:
cr_swap UUID=ec8a4b96-fd88-4088-85d9-731b6e270714 none x-initrd.attach,force,tpm2-device=auto,tpm2-measure-pcr=yes
cr_root UUID=2c6e2806-e1ff-4e14-bd9a-9769548716ab none x-initrd.attach,tpm2-device=auto,tpm2-measure-pcr=yes
Added 99-resume.conf to /etc/dracut.conf.d/ with the resume option, rebuilt with dracut -fv, and saw the resume option triggered in the initramfs:
add_dracutmodules+=" resume "
Added the kernel parameter for the resume device:
initrd=\opensuse-tumbleweed\6.19.6-2-default\initrd-8b6f012b708e3c8c35d42d80ba65f0dc7e1665db root=/dev/mapper/cr_root splash=silent quiet acpi.ec_no_wakeup=1 security=apparmor mem_sleep_default=deep resume=UUID=1d2367b5-04e9-408f-9f23-f65ee2d3bf77 acpi_sleep=s3_bios,s3_mode mitigations=auto rootflags=subvol=@/.snapshots/1/snapshot systemd.machine_id=23b8c058a37441fa8d7dcff95222537b
systemctl hibernate has the following output:
Call to Hibernate failed: Sleep verb 'hibernate' is not configured or configuration is not supported by kernel
lsblk:
NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINTS
nvme0n1
├─nvme0n1p1 vfat FAT32 1494-3C66 406.4M 60% /boot/efi
├─nvme0n1p2 crypto_LUKS 2 2c6e2806-e1ff-4e14-bd9a-9769548716ab
│ └─cr_root btrfs cb1df6f6-64ce-45a1-b875-a5d0013cbbf0 841.9G 9% /var
│ /usr/local
│ /srv
│ /root
│ /home
│ /opt
│ /.snapshots
│ /
└─nvme0n1p3 crypto_LUKS 2 ec8a4b96-fd88-4088-85d9-731b6e270714
└─cr_swap swap 1 1d2367b5-04e9-408f-9f23-f65ee2d3bf77 [SWAP]
fwupdmgr security --force:
Host Security ID: HSI:1 (v2.0.20)
HSI-1
✔ SMM locked down: Locked
✔ BIOS firmware updates: Enabled
✔ Fused platform: Locked
✔ Supported CPU: Valid
✔ TPM empty PCRs: Valid
✔ TPM v2.0: Found
✔ UEFI bootservice variables: Locked
✔ UEFI platform key: Valid
✔ UEFI secure boot: Enabled
HSI-2
✔ SPI write protection: Enabled
✔ IOMMU: Enabled
✔ Platform debugging: Locked
✔ TPM PCR0 reconstruction: Valid
✘ UEFI memory protection: Disabled
HSI-3
✔ SPI replay protection: Enabled
✔ CET Platform: Supported
✔ Pre-boot DMA protection: Enabled
✔ Suspend-to-idle: Enabled
✔ Suspend-to-ram: Disabled
HSI-4
✔ Processor rollback protection: Enabled
✔ SMAP: Enabled
✘ Encrypted RAM: Not supported
Runtime Suffix -!
✔ CET OS Support: Supported
✔ fwupd plugins: Untainted
✔ Linux kernel lockdown: Enabled
✔ Linux swap: Encrypted
✔ Linux kernel: Untainted
✔ UEFI db: Valid
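As an added diagnostic (not part of the original post, and not openSUSE or systemd code), the script below reads the two kernel interfaces that decide whether hibernation can work at all and checks that the resume= parameter points at the swap device: /sys/kernel/security/lockdown shows the active lockdown mode in brackets, and /sys/power/disk reports "[disabled]" when the kernel has made hibernation unavailable. Mainline lockdown denies hibernation in both the integrity and confidentiality modes, which is the assumption hibernate_blocked_by_lockdown encodes. The parser functions take file contents as arguments, so they are exercised here on constructed sample strings plus the UUIDs and cmdline from the post; the live read at the end is skipped where the files do not exist.

```shell
#!/bin/sh
# Added example script: checks the kernel-side prerequisites for hibernation.
# The sample strings below are constructed to mirror the sysfs formats.

# lockdown_mode CONTENTS: print the bracketed (active) entry of
# /sys/kernel/security/lockdown, e.g. "none [integrity] confidentiality".
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# disk_mode CONTENTS: print the bracketed entry of /sys/power/disk, e.g.
# "[platform] shutdown reboot suspend test_resume", or "disabled" when the
# kernel reports "[disabled]".
disk_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z_]*\)\].*/\1/p'
}

# hibernate_blocked_by_lockdown CONTENTS: succeed (exit 0) when the active
# lockdown mode forbids hibernation. Assumption: mainline semantics, where
# both integrity and confidentiality deny it.
hibernate_blocked_by_lockdown() {
    case "$(lockdown_mode "$1")" in
        integrity|confidentiality) return 0 ;;
        *) return 1 ;;
    esac
}

# resume_matches CMDLINE SWAP_UUID: succeed when the kernel command line
# carries resume=UUID=<SWAP_UUID>, i.e. the resume target is the swap device.
resume_matches() {
    cmdline=$1
    swap_uuid=$2
    for tok in $cmdline; do
        [ "$tok" = "resume=UUID=$swap_uuid" ] && return 0
    done
    return 1
}

# Constructed samples (the UUIDs and cmdline are the ones shown in the post).
SAMPLE_LOCKDOWN='none [integrity] confidentiality'
SAMPLE_DISK_DISABLED='[disabled]'
SAMPLE_DISK_OK='[platform] shutdown reboot suspend test_resume'
SAMPLE_SWAP_UUID='1d2367b5-04e9-408f-9f23-f65ee2d3bf77'
SAMPLE_CMDLINE='root=/dev/mapper/cr_root security=apparmor resume=UUID=1d2367b5-04e9-408f-9f23-f65ee2d3bf77 mitigations=auto'

# diagnose: read the live files if present and summarise; never fails.
diagnose() {
    if [ -r /sys/kernel/security/lockdown ]; then
        ld=$(cat /sys/kernel/security/lockdown)
        echo "lockdown mode: $(lockdown_mode "$ld")"
        if hibernate_blocked_by_lockdown "$ld"; then
            echo "  -> this lockdown mode denies hibernation"
        fi
    else
        echo "lockdown: /sys/kernel/security/lockdown not readable (securityfs mounted? root?)"
    fi
    if [ -r /sys/power/disk ]; then
        echo "hibernation mode: $(disk_mode "$(cat /sys/power/disk)")"
    else
        echo "hibernation: /sys/power/disk not present on this system"
    fi
    if [ -r /proc/cmdline ]; then
        if resume_matches "$(cat /proc/cmdline)" "$SAMPLE_SWAP_UUID"; then
            echo "resume= points at swap UUID $SAMPLE_SWAP_UUID"
        else
            echo "resume= does not point at swap UUID $SAMPLE_SWAP_UUID"
        fi
    fi
    return 0
}

diagnose
```

Run it as a normal user first; if the lockdown file is reported unreadable, rerun with sudo. A result of "[disabled]" from /sys/power/disk is the kernel-side reason the systemctl call is refused, independent of crypttab, dracut or the resume= parameter, and the lockdown line tells you whether lockdown is the cause.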