hibernation is restricted with secure boot

Bug #1992154 reported by Kjeld Flarup
This bug affects 1 person
Affects: linux (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

My PC will not hibernate with 22.04 and secure boot enabled.
The only workaround seems to be to disable secure boot, or do not hibernate.
Unfortunately my PC is locked on secure boot from the IT department.

As disabling secure boot is the most useful workaround, I mark this as a security issue.

I get these messages from the kernel

sudo dmesg | grep lockdown
[sudo] password for kfa:
[ 0.000000] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
[ 0.838074] Lockdown: swapper/0: hibernation is restricted; see man kernel_lockdown.7
[ 1.902562] Lockdown: systemd: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
[ 4.290619] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7

I found a number of reports regarding this stating that it is not possible to sign the memory when swapping it to disk. Possibly it is solved in a later 5.19 kernel version, but 22.04 is on 5.15. I found a 5.17 kernel, but that did not solve the problem.

It is not possible for me to try the latest 5.19 kernel, as it has to be signed to test this.

An alternative could be a patch to the Ubuntu kernel, disabling this until a real solution is found.

Here are some references to other sites mentioning the problem

https://askubuntu.com/questions/1106105/hibernate-with-uefi-and-secure-boot-enabled
https://unix.stackexchange.com/questions/591488/why-does-the-kernel-lockdown-prevent-hibernation/591493#591493
https://askubuntu.com/questions/1259538/lockdown-systemd-logind-hibernation-is-restricted-see-man-kernel-lockdown-7

information type: Private Security → Public
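
A diagnostic for the situation in this report, added here as an example and not part of the original bug or of any Ubuntu tooling: it extracts the lockdown denials from kernel log text and reads the live lockdown mode and hibernation availability. The function names are made up for illustration; the sample log is the dmesg output quoted in the report.

```shell
#!/bin/sh
# Added diagnostic example; not part of the bug report.

# Kernel log lines copied from the report above.
SAMPLE_LOG='[ 0.000000] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
[ 0.838074] Lockdown: swapper/0: hibernation is restricted; see man kernel_lockdown.7
[ 1.902562] Lockdown: systemd: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
[ 4.290619] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7'

# Active mode from the contents of /sys/kernel/security/lockdown, where the
# kernel brackets the current mode: "none [integrity] confidentiality".
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Read kernel log text on stdin; print "process|feature" per denial line.
lockdown_denials() {
    sed -n 's/.*Lockdown: \([^:]*\): \(.*\) is restricted.*/\1|\2/p'
}

# Succeeds if the log on stdin shows hibernation being refused by lockdown.
hibernation_restricted() {
    lockdown_denials | grep -q '|hibernation$'
}

# Live state of the running machine; tolerates missing or unreadable files.
report_live() {
    f=/sys/kernel/security/lockdown
    if [ -r "$f" ]; then
        echo "lockdown mode: $(lockdown_mode "$(cat "$f")")"
    else
        echo "lockdown mode: unknown ($f not readable)"
    fi
    # /sys/power/state lists "disk" only when the kernel allows hibernation.
    if grep -qw disk /sys/power/state 2>/dev/null; then
        echo "hibernation available: yes"
    else
        echo "hibernation available: no"
    fi
}

echo "denials in sample log:"
printf '%s\n' "$SAMPLE_LOG" | lockdown_denials
report_live
```

On a live system, pipe `sudo dmesg` into `lockdown_denials` to see which processes triggered each restriction.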
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1992154

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Seth Arnold (seth-arnold) wrote :

You may wish to try suspend to RAM instead of hibernation; please save any open work before testing, as some systems don't handle suspend to RAM well.

sudo systemctl suspend

Hopefully this just works and suffices for your needs. It's not the same as hibernation, but might reduce power use enough to use it.

Thanks

Changed in linux (Ubuntu):
status: Incomplete → Confirmed