Hello, my dmesg is getting flooded with hibernation calls:
(this is just after reboot, 14 hours uptime; many thousands of such lines after weeks of uptime)
$ dmesg|grep hiberna
[ 1029.899628] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 1029.905175] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 1029.905190] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 1029.919599] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 1029.919614] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 2641.388086] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 2641.393228] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 2641.393243] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 2641.406276] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 2641.406291] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[37819.034126] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[37819.039563] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[37819.039580] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[37819.039825] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[37819.039836] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[38116.703962] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[38116.709656] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[38116.709671] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[38116.709886] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[38116.709896] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[38238.896402] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[38238.901813] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[38238.901828] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[38238.902024] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[38238.902034] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[38641.497356] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[38641.503873] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[38641.503889] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[38641.520414] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[38641.520429] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[38961.760322] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[38961.765923] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[38961.765938] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[38961.779168] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[38961.779183] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[40273.062750] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[40273.068053] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[40273.068068] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[40273.081110] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[40273.081125] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[41558.923574] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[41558.930284] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[41558.930299] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[41558.946383] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[41558.946398] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[42375.621361] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[42375.626620] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[42375.626636] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[42375.643604] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[42375.643619] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[43575.910636] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[43575.916361] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[43575.916377] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[43575.930405] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[43575.930420] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[46923.860193] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[46923.865899] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[46923.865911] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[46923.880523] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[46923.880534] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
How to find out what is causing the hibernation request? I definitely do not press the power button nor call the sleep/hibernation myself.
In “systemsettings5” → “Power Management” → “Energy Saving” there is nothing about hibernation, the only action configured is — sleep when power button pressed.
There is no “resume=/dev/disk/…” in /etc/default/grub and /boot/grub2/grub.cfg
Also, I have disabled the hibernation in policykit config:
$ cat /etc/polkit-default-privs.local
#
# /etc/polkit-default-privs.local
#
# This file is used by the set_polkit_default_privs tool to generate polkit
# rules. It is meant for local overrides of the active profile (defined in
# /etc/sysconfig/security) by the administrator of the system: any definitions
# here take precedence over the distribution defaults in
# /etc/polkit-default-privs.<profile>.
#
# The syntax for this file is defined in polkit-default-privs(5). Note that you
# need to run /sbin/set_polkit_default_privs for changes to take effect.
org.freedesktop.upower.hibernate no
org.freedesktop.login1.inhibit-handle-hibernate-key no:no:no
org.freedesktop.login1.hibernate no:no:no
org.freedesktop.login1.hibernate-multiple-sessions no:no:no
org.freedesktop.login1.hibernate-ignore-inhibit no:no:no
Googling did not provide anything helpful because mostly people look for how to disable lockdown completely, and I do not want to disable it.
Grepping for “ibernat” in /var/log revealed only two matches - in file /var/log/messages obviously, and in /var/log/boot.msg:
[    3.663728] Lockdown: swapper/0: hibernation is restricted; see man kernel_lockdown.7
Could it be that the swap space isn’t large enough to accommodate hibernation and that something is reporting that (though I can’t explain the repetition of it)?
On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled if the system boots in EFI Secure Boot mode.
I would disable Secure Boot mode
Yes, I see those lockdown messages. I ignore them. I think they are just informational messages.
It has to do with secure_boot. I never hibernate. I probably should try hibernate sometime to see if it still works. I think it should, because swap is encrypted here.
I tried: man kernel_lockdown
but that man page does not exist. I can google for it, and read it there. I suppose I should report a bug on a missing man page. But it doesn’t seem urgent.
I am only seeing this on Leap 15.2. I don’t see it on Tumbleweed. But maybe there is still lockdown on Tumbleweed, just not noisily reported anymore.
, because Secure Boot and Lockdown are awesome features that provide a good enhancement of security and malware protection if your hardware is not a locked proprietary piece of sheet that uses Secure Boot to prevent installing Linux and/or prevents MOK manager from booting.
Yes, I have small swap — 2 GB (just in case, because there is plenty of RAM). But the repetition of that message means that my system wants to hibernate for some unknown reason.
Last logs:
$ dmesg| grep -i hiberna|tail -n 30
[52416.638343] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[52416.642255] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[52416.642266] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[52416.656263] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[52416.656274] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[53196.790344] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[53196.794280] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[53196.794291] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[53196.806387] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[53196.806399] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[69967.005872] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[69967.010012] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[69967.010024] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[69967.021144] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[69967.021155] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[71359.533498] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[71359.538074] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[71359.538089] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[71359.554358] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[71359.554370] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[71488.746941] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[71488.753713] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[71488.753725] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[71488.766768] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[71488.766779] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[71730.548286] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[71730.552711] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[71730.552725] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[71730.562988] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[71730.562999] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
— note that there are several hibernate requests per second, and their appearance period is totally random — from 4.5 hours (53196-69967) down to 2 minutes (71359-71488)!
Those are not “hibernate requests”. The message is printed when reading /sys/power/disk, and systemd-logind reads this file to check what is supported:
bor@bor-Latitude-E5450:~/src/systemd$ dmesg | grep hibern | tail -n 2
[18441.026923] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[18441.312493] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
bor@bor-Latitude-E5450:~/src/systemd$ cat /sys/power/disk
[disabled]
bor@bor-Latitude-E5450:~/src/systemd$ dmesg | grep hibern | tail -n 2
[18441.312493] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[26368.223209] Lockdown: cat: hibernation is restricted; see man kernel_lockdown.7
bor@bor-Latitude-E5450:~/src/systemd$
systemd-logind most likely does it in response to desktop environment queries about what menu choices to present to users.
Of course, printing this every time someone reads this file is not needed and is confusing. If you are concerned enough, open a bug report.
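To check which process is behind each run of these messages, as the reply above describes, the kernel log can be grouped by the process name the Lockdown line reports. This is an added example, not code from any poster in the thread; the function names `sample_log` and `summarize_lockdown` are hypothetical, and the sample lines are constructed in the format shown in the thread.

```shell
#!/bin/sh
# Added example: attribute "hibernation is restricted" lockdown messages to the
# process (comm) whose sysfs access triggered them, and count bursts per process.
# A burst is a run of messages from one comm at most GAP seconds apart.

# Constructed sample in the format shown in the thread (not captured data).
sample_log() {
    cat <<'EOF'
[    3.663728] Lockdown: swapper/0: hibernation is restricted; see man kernel_lockdown.7
[ 1029.899628] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 1029.905175] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 1029.919599] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 2641.388086] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 2641.393228] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 2650.000000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[ 2700.000000] Lockdown: cat: hibernation is restricted; see man kernel_lockdown.7
EOF
}

# stdin: output of dmesg or "journalctl -k -o short-monotonic"
# $1:    GAP in seconds between bursts (default 1)
summarize_lockdown() {
    awk -v gap="${1:-1}" '
    /Lockdown: .*hibernation is restricted/ {
        # Timestamp: first "seconds.micros]" on the line. The leading "[" is
        # not required, so lines that lost it in copy and paste still parse.
        if (!match($0, /[0-9]+\.[0-9]+\]/)) next
        ts = substr($0, RSTART, RLENGTH - 1) + 0
        # comm: the text between "Lockdown: " and the following ": "
        rest = substr($0, index($0, "Lockdown: ") + 10)
        comm = substr(rest, 1, index(rest, ": ") - 1)
        count[comm]++
        if (!(comm in last) || ts - last[comm] > gap) bursts[comm]++
        last[comm] = ts
    }
    END {
        for (c in count)
            printf "%s messages=%d bursts=%d\n", c, count[c], bursts[c]
    }' | LC_ALL=C sort
}

sample_log | summarize_lockdown 1
```

On a live system, pipe `dmesg` into `summarize_lockdown` instead of the sample; a comm other than systemd-logind in the output points at whatever else is reading the hibernation interface.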
So, let’s step through today’s boot on this machine – short monotonic timestamps:
[    1.590697] xxx kernel: PM: Magic number: 12:805:689
[    1.590810] xxx kernel: rtc_cmos 00:02: setting system clock to 2020-11-14T15:41:33 UTC (1605368493)
[    1.590874] xxx kernel: Lockdown: swapper/0: hibernation is restricted; see man kernel_lockdown.7
[    2.041266] xxx kernel: ata9: SATA link up 1.5 Gbps (SStatus 113 SControl 300)
[    2.041293] xxx kernel: ata10: SATA link up 1.5 Gbps (SStatus 113 SControl 300)
[    2.041305] xxx kernel: ata1: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
[    3.878503] xxx systemd[1]: Found device Intenso_SSD_Sata_III 1.
[    3.883222] xxx systemd[1]: Found device Intenso_SSD_Sata_III 2.
[    3.887917] xxx systemd[1]: Found device Intenso_SSD_Sata_III 3.
[    3.888623] xxx systemd[1]: Starting Resume from hibernation using device /dev/disk/by-id/ata-Intenso_SSD_Sata_III_AA000000000000035990-part3...
[    3.888733] xxx systemd[1]: Reached target Initrd Root Device.
[    3.891005] xxx systemd-hibernate-resume[397]: Could not resume from '/dev/disk/by-id/ata-Intenso_SSD_Sata_III_AA000000000000035990-part3' (8:3).
[    3.854813] xxx kernel: Lockdown: systemd-hiberna: hibernation is restricted; see man kernel_lockdown.7
[    3.854994] xxx kernel: PM: Image not found (code -22)
[    3.895309] xxx systemd[1]: Started Resume from hibernation using device /dev/disk/by-id/ata-Intenso_SSD_Sata_III_AA000000000000035990-part3.
[   20.729697] xxx sddm[2605]: Greeter session started successfully
[   20.757606] xxx sddm-greeter[2649]: High-DPI autoscaling Enabled
[   20.816059] xxx sddm-greeter[2649]: Reading from "/usr/share/xsessions/icewm.desktop"
[   20.816349] xxx sddm-greeter[2649]: Reading from "/usr/share/xsessions/plasma5.desktop"
[   20.816543] xxx sddm-greeter[2649]: Reading from "/usr/share/xsessions/twm.desktop"
[   20.818555] xxx sddm-greeter[2649]: Reading from "/usr/share/wayland-sessions/plasmafullwayland.desktop"
[   20.818824] xxx sddm-greeter[2649]: Reading from "/usr/share/wayland-sessions/plasmawayland.desktop"
[   20.819686] xxx sddm-greeter[2649]: Loading theme configuration from "/usr/share/sddm/themes/breeze-openSUSE/theme.conf"
[   20.879411] xxx systemd[2640]: Started D-Bus User Message Bus.
[   20.898944] xxx sddm-greeter[2649]: Connected to the daemon.
[   20.899205] xxx sddm[2605]: Message received from greeter: Connect
[   20.860316] xxx kernel: Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[   20.860802] xxx kernel: Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[   20.860822] xxx kernel: Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[   20.861340] xxx kernel: Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[   20.861357] xxx kernel: Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[   20.969831] xxx sddm-greeter[2649]: Loading file:///usr/share/sddm/themes/breeze-openSUSE/Main.qml...
[  382.568187] xxx dbus-daemon[1178]: [system] Activating service name='org.kde.powerdevil.discretegpuhelper' requested by ':1.46' (uid=1000 pid=3565 comm="/usr/lib64/libexec/org_kde_powerdevil ") (using servicehelper)
[  382.581690] xxx dbus-daemon[1178]: [system] Successfully activated service 'org.kde.powerdevil.discretegpuhelper'
[  382.582365] xxx dbus-daemon[1178]: [system] Activating service name='org.kde.powerdevil.backlighthelper' requested by ':1.46' (uid=1000 pid=3565 comm="/usr/lib64/libexec/org_kde_powerdevil ") (using servicehelper)
[  382.588849] xxx backlighthelper[3589]: powerdevil: no kernel backlight interface found
[  382.597354] xxx dbus-daemon[1178]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
[  382.259374] xxx kernel: Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[  382.262349] xxx kernel: Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[  382.262361] xxx kernel: Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[  382.267043] xxx kernel: Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[  382.267053] xxx kernel: Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[  382.615853] xxx dbus-daemon[1178]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.46" (uid=1000 pid=3565 comm="/usr/lib64/libexec/org_kde_powerdevil ") interface="org.freedesktop.login1.Manager" member="CanSuspendThenHibernate" error name="(unset)" requested_reply="0" destination="org.freedesktop.login1" (>
[  382.644743] xxx dbus-daemon[3261]: [session uid=1000 pid=3261] Activating service name='org.kde.KScreen' requested by ':1.24' (uid=1000 pid=3565 comm="/usr/lib64/libexec/org_kde_powerdevil ")
[  382.667653] xxx dbus-daemon[3261]: [session uid=1000 pid=3261] Successfully activated service 'org.kde.KScreen'
[  382.801840] xxx dbus-daemon[3261]: [session uid=1000 pid=3261] Activating service name='org.freedesktop.Notifications' requested by ':1.23' (uid=1000 pid=3548 comm="/usr/lib64/libexec/kdeconnectd ")
So …
Things are poking the kernel’s hibernation API and causing the hibernation code to write to the systemd Journal …
Lockdown doesn’t disable hibernation altogether; as mentioned in the manpage,
Unencrypted hibernation/suspend to swap are disallowed as the kernel image is saved to a medium that can then be accessed.
Unencrypted hibernation stores the contents of the hibernated system’s memory as-is on disk. This allows an attacker to modify those contents while the system is hibernated, resulting in changes to the running system when it is resumed, thus defeating the lockdown.
There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, so until we can work with signed hibernate images we disable it when the kernel is locked down.
I suspect that we need a Release Notes Bug Report to mention this current state of affairs – there doesn’t seem to be anything related to this issue in the current Release Notes …