Hibernate with UEFI and secure boot enabled

hibernate secure-boot

"sudo systemctl start hibernate.target" worked fine with 16.04 on a Acer B117 using legacy boot; Updating to 18.04 forced me to use UEFI and (Acer requirement) secure boot enabled. Suspend still works, but I need hibernate.

Swap partition is active and equals RAM size + 2GB;

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash resume=UUID=myswapuuid"

journalctl -xe revealed failure to access /sys/power/disk

cat /sys/power/disk: [disabled]

cat /sys/power/state: freeze mem

Any suggestions?


Solution 1:

I have the same problem and, unfortunately, it's impossible with the official Ubuntu kernel since version 4.13 due to kernel lockdown patchset (efi-lockdown). Substantiation is:

There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, so until we can work with signed hibernate images we disable it when the kernel is locked down.

Related Bionic commit you can see here.

This is a controversial decision and Linus declined to merge these changes to linux kernel.

A bit more details you can find is the article Kernel lockdown in 4.17? and its comments.

So while we wait some magic software, that will work with signed hibernate images, we can only use another kernel or disable secure boot.

Solution 2:

I was able to hibernate using s2disk or pm-hibernate, but resume was failing. To fix this, as my system is booted up using UEFI instead of grub. I just had to reinstall the boot loader. To check if you are running UEFI use the following:

[ -d /sys/firmware/efi ] && echo "Installed in UEFI mode" || echo "Installed in Legacy mode"

if in UEFI mode, then I followed this guide to reinstall the bootloader, it varies if you are using an nvme disk or sata disk: https://support.system76.com/articles/bootloader/

The key is to run this command:

sudo update-initramfs -c -k all

make sure that in your kernalboot options you specify the partition or UUID of where to resume from, eg something like this:

resume=UUID=ed8347ed-2eb4-40bc-bc77-cc53b987ed88

You can add this by either:

  1. sudo kernel-stub -a "resume=UUID=..."
  2. edit the /etc/initramfs-tools/conf.d/resume file and add: resume=UUID=ed8347ed-2eb4-40bc-bc77-cc53b987ed88

check your /var/log/syslog file for something like this:

Aug  4 22:26:42 pop-os /usr/bin/kernelstub[19639]: kernelstub           : DEBUG    kopts: root=UUID=b37019a8-91f5-445f-94c1-7359a49ed5df ro quiet loglevel=0 systemd
.show_status=false resume=UUID=ed8347ed-2eb4-40bc-bc77-cc53b987ed88

If the resume is missing or wrong then you'll need to update your boot kernal again.

Related

How do I make sure that Canonical get affiliate benefits when I buy from amazon?
Does Ubuntu contain Non-free kernel blobs and other non-free system components?
How to make my server email me when there are security updates?
Automatically size windows using Xfce like in gnome
How to migrate an encrypted LVM install to a new disk
Embed Text File in a Resource in a native Windows Application
Using app.config in .Net Core
Combining several static libraries into one using CMake
Why do many Collection classes in Java extend the abstract class and implement the interface as well?
multimap in .NET
Does Python have a bitfield type?
What are generics in C#? [closed]