http://bugzilla.opensuse.org/show_bug.cgi?id=991117
http://bugzilla.opensuse.org/show_bug.cgi?id=991117#c4
--- Comment #4 from Joey Lee
Well, this is a side-effect of secure boot. The recent kernel has a stricter check regarding secure boot. Suspend-to-disk is dangerous from the secure boot POV, thus it has to be signed. In kernel/power/hibernate.c:

    bool hibernation_available(void)
    {
            if (nohibernate != 0)
                    return false;

            if (get_securelevel() <= 0)
                    return true;
            else {
    #ifdef CONFIG_HIBERNATE_VERIFICATION
                    sigenforce = 1;
                    return true;
    #else
                    return false;
    #endif
            }
    }

And openSUSE kernels don't set CONFIG_HIBERNATE_VERIFICATION.
Because the hibernate verification patches were not accepted by upstream. So I have never pushed those patches to the openSUSE kernel until now.
Joey, do you remember the reason we disabled it? We disabled the kexec signature check because it caused trouble with kdump. But this one (hibernation verification) seems like an oversight.
I think we should either enable CONFIG_HIBERNATE_VERIFICATION or disable CONFIG_EFI_SECURE_BOOT_SECURELEVEL, or even CONFIG_SECURITY_SECURELEVEL, because the openSUSE community does not accept the kernel module signature check function in the openSUSE kernel. Honestly, I think that only enabling the kexec signature check and hibernate verification is not enough to protect the system, because root can load any unsigned kernel modules. So, the policy of the openSUSE kernel config is to sync with the SLE kernel?