In my systemd journal (journalctl) I often see this message:
hibernation is restricted; see man kernel_lockdown.7
This seems to stem from the kernel lockdown feature that (only?) is active when you boot in UEFI mode with secure boot enabled.
As far as I understand, this feature is supposed to prevent a program running in user space from modifying the kernel.
While I do understand that so far, I just don't get one thing:
Why does the kernel lockdown disable that feature? Why does it disable hibernation altogether?
What exactly is “insecure” about hibernation that it is disabled?
It seems a locked down kernel does not want me to hibernate my device.
Linux kernel v5.6.15
Fedora 32 Silverblue
Cross-posted at Fedora Ask.
Best Answer
As mentioned in the manpage,
Unencrypted hibernation stores the contents of the hibernated system’s memory as-is on disk. This allows an attacker to modify those contents while the system is hibernated, resulting in changes to the running system when it is resumed, thus defeating the lockdown.
The manpage gives false hope that encrypted hibernation would be supported in lockdown, but that’s currently not the case, and the real requirement appears to be signed hibernation images rather than (or presumably in addition to, depending on the lockdown mode) encrypted images.
See this Twitter thread for an explanation of what’s involved in fixing this; in particular:
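The following script is an added example (not part of the question, the answer, or any project the thread mentions) for checking on your own machine whether lockdown is what is refusing hibernation. It assumes the lockdown state is exposed at /sys/kernel/security/lockdown (securityfs, kernel 5.4 and later, formatted as "none [integrity] confidentiality" with the active mode in brackets) and that the Secure Boot flag is readable from the SecureBoot EFI variable under efivarfs. Hibernation is refused in both the integrity and the confidentiality lockdown modes, so the script reports "restricted" for either.

```shell
#!/bin/sh
# Added example: inspect kernel lockdown mode and Secure Boot state, and say
# whether the "hibernation is restricted" journal message is to be expected.
# Assumed paths: /sys/kernel/security/lockdown and the SecureBoot EFI variable.

# Extract the active mode from the lockdown file's format,
# e.g. "none [integrity] confidentiality" -> "integrity".
lockdown_mode() {
    # $1: contents of /sys/kernel/security/lockdown
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Hibernation is refused under both "integrity" and "confidentiality" lockdown.
# Returns 0 (true) when restricted, 1 otherwise.
hibernation_restricted() {
    case "$(lockdown_mode "$1")" in
        integrity|confidentiality) return 0 ;;
        *) return 1 ;;
    esac
}

# Read the live lockdown state; prints "unavailable" when securityfs is absent.
live_lockdown() {
    if [ -r /sys/kernel/security/lockdown ]; then
        cat /sys/kernel/security/lockdown
    else
        echo unavailable
    fi
}

# Secure Boot state from the EFI variable: the first 4 bytes are the variable
# attributes, the 5th byte is the value (1 = enabled). Prints enabled/disabled/unknown.
secure_boot_state() {
    var=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
    if [ -r "$var" ]; then
        byte=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')
        if [ "$byte" = "1" ]; then echo enabled; else echo disabled; fi
    else
        echo unknown
    fi
}

# Human-readable summary of what the kernel will do on a hibernation request.
report() {
    state=$(live_lockdown)
    echo "lockdown:    $state"
    echo "secure boot: $(secure_boot_state)"
    if [ "$state" = unavailable ]; then
        echo "hibernation: unknown (lockdown state not readable)"
    elif hibernation_restricted "$state"; then
        echo "hibernation: restricted (expect 'hibernation is restricted' in the journal)"
    else
        echo "hibernation: not restricted by lockdown"
    fi
}

report
```

Run it as an ordinary user; neither file needs root to read. If it prints "lockdown: none [integrity] confidentiality" together with "secure boot: enabled", the journal message is the expected behaviour of the lockdown LSM rather than a power-management fault.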