Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I have secure boot, hibernation, and full disk encryption working fine on linux, but I have never heard of kernel lockdown.

The solution I found involves making a custom initramfs to support hibernation and compiling the kernel into a signed EFI stub.



To add some context: man kernel_lockdown[1] reads "Unencrypted hibernation/suspend to swap are disallowed as the kernel image is saved to a medium that can then be accessed.". And to my understanding there is currently no way to tell a (mainline) kernel that allows "encrypted hibernate", i.e. no way to tell the kernel that its hibernation disk is "secure".

So its not a direct "linux prevents hibernate on secure boot", its "linux recommends kernel_lockdown when secure booting", "kernel_lockdown prevents hibernate with unencrypted swap" and "theres no well to make the kernel believe the hibernation disk is encrypted", but the result is the same.

You can "just" run secure boot without lockdown. Its a cmdline, you can just omit it. You can run custom patch sets that add cmdline options so the kernel allows hibernation in lockdown (if you pinky-promise the swap is encrypted).

But neither of these are easily accessible to the average user.

1: https://manpages.debian.org/bullseye/manpages/kernel_lockdow...


It seems there should be a distro that eases this route with some configuration options. Is there none?


Does the system use a boot loader? Or does it boot directly into kernel bypassing bootloaders?


The term to search for is "UKI".

A UKI is a kernel+initramfs+boot-arguments bundle all as a single WinPE/UEFI executable using the "EFI Stub Loader".

You configure your system firmware to execute it, passing no arguments. It boots using the command line you set earlier. It's signed, and verified by the platform secure boot.

Hibernation works fine with this approach.


> Hibernation works fine with this approach.

Can you explain why it improves the hibernation behavior? I have seen UKI mentioned before but never heard that it improves hibernation.


It doesn't, it's just another bootstrapping method that happens to work fine with hibernation.

UKI allows you to extend your chain of trust from the bootloader to ramdisk, instead of just your bootloader and kernel. From there, you can enable kernel lockdown and checking of module signatures if you want to.

I think you can do the same thing without UKI (I forget tbh), but UKI simplifies it with one UEFI executable that doesn't even need a bootloader.


Does this mean that the hibernated image must be signed each time the laptop hibernates?


The swap file that memory is dumped to during hibernation is on an encrypted disk. Upon wake, you need to unlock the disk before you can resume from hibernation.


It boots directly into the kernel without a bootloader. You can specify built-in command line options when you're compiling the kernel.

To dual-boot, I boot from a removable USB drive on my keychain. When it's not plugged in, it boots windows instead.


This may or may not apply to your situation, but at least some motherboards have an integrated bootloader. You need to register the options with it (via efibootmgr for example). Then pressing a key (check your manual) presents you with the options.

This has worked with both Linux and Widows on all my machines: handbuilt 3rd gen intel with an asus MB, 6th gen with some msi, 10th gen with a cheap Gigabyte, and an assorted bunch of HP Elite desks and books with intel and AMD.

I understand there’s even a way for them to auto detect the options, but since this has been a set it forget it type thing, I never bothered to look into it.


You can do both.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: