fpoling 3 hours ago

I really do not understand why hibernation under secure boot is not implemented on Linux, and this has continued for years.

It is as if the features are implemented by completely different people. But this is not obviously the case, since systemd supports both and is actively improving both.

Note that for me, hibernation is a security measure and not about saving battery. I sometimes travel with the laptop, and the risk of theft is non-trivial. If it is hibernated, then it is just a property loss. But with just suspend there is a chance that the data can be extracted. So I configured it to hibernate automatically after 15 minutes in suspension. Surprisingly, it has been working reliably with Linux.

beeflet 2 hours ago

I have secure boot, hibernation, and full disk encryption working fine on Linux, but I have never heard of kernel lockdown.

The solution I found involves making a custom initramfs to support hibernation and compiling the kernel into a signed EFI stub.

fpoling 2 hours ago

Does the system use a boot loader? Or does it boot directly into the kernel, bypassing bootloaders?

Borealid an hour ago

The term to search for is "UKI".

A UKI is a kernel+initramfs+boot-arguments bundle all as a single WinPE/UEFI executable using the "EFI Stub Loader".

You configure your system firmware to execute it, passing no arguments. It boots using the command line you set earlier. It's signed, and verified by the platform secure boot.

Hibernation works fine with this approach.
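
Added example, not code from the thread, to show what the UKI described above looks like on disk: a small parser that walks the PE section table of a UKI and reports whether the kernel, initrd and command-line sections are present and which command line the image will boot with. The section names follow the systemd-stub convention (.linux, .initrd, .cmdline, .osrel), and build_fake_uki is a constructed fixture so the parser can be exercised offline; it is not a bootable image.

```python
import struct

# Section names systemd-stub looks for inside a UKI (.osrel is optional and
# not required here). Assumed from the convention, not taken from the thread.
UKI_SECTIONS = {".linux", ".initrd", ".cmdline"}


def pe_sections(data: bytes) -> dict:
    """Return {section_name: raw_bytes} parsed from a PE/COFF section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe_off + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                              # first section header
    sections = {}
    for i in range(nsect):
        ent = table + 40 * i                                  # 40-byte section header
        name = data[ent:ent + 8].rstrip(b"\0").decode()
        raw_size, raw_ptr = struct.unpack_from("<II", data, ent + 16)
        sections[name] = data[raw_ptr:raw_ptr + raw_size]
    return sections


def check_uki(data: bytes) -> dict:
    """Report missing UKI sections and the command line the image will boot with."""
    secs = pe_sections(data)
    cmdline = secs.get(".cmdline", b"").rstrip(b"\0").decode(errors="replace")
    return {"missing": sorted(UKI_SECTIONS - set(secs)),
            "cmdline": cmdline, "sections": sorted(secs)}


def build_fake_uki(sections: dict) -> bytes:
    """Constructed fixture: a minimal PE carrying the given sections. It has no
    stub code and cannot boot; it exists only to exercise the parser offline."""
    pe_off, nsect = 0x40, len(sections)
    data_start = pe_off + 4 + 20 + 40 * nsect                 # no optional header
    hdr = bytearray(b"MZ".ljust(0x3C, b"\0")) + struct.pack("<I", pe_off)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, nsect, 0, 0, 0, 0, 0x22)
    body = bytearray()
    for name, content in sections.items():
        ptr = data_start + len(body)
        hdr += name.encode().ljust(8, b"\0")
        hdr += struct.pack("<IIII", len(content), 0, len(content), ptr) + b"\0" * 16
        body += content
    return bytes(hdr + body)
```

Run check_uki on the real UKI before signing it, so that the command line (for example the resume= device) baked into the image is the one you expect; the firmware passes no arguments, so nothing else can correct it later.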

beeflet 2 hours ago

It boots directly into the kernel without a bootloader. You can specify built-in command line options when you're compiling the kernel.

To dual-boot, I boot from a removable USB drive on my keychain. When it's not plugged in, it boots Windows instead.

heavyset_go an hour ago

You can do both.

orbisvicis 17 minutes ago

I have looked into this. It is possible, and documented on the Arch wiki. My main concern is constantly writing a large file to a small SSD.

anon7000 2 hours ago

> It is as if the features are implemented by completely different people

This is almost definitely true, considering it's a massive open source project.