[Bug 991117] New: Hibernate/Suspend to disk not available with 42.2 kernel-default
http://bugzilla.opensuse.org/show_bug.cgi?id=991117

            Bug ID: 991117
           Summary: Hibernate/Suspend to disk not available with 42.2 kernel-default
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 42.2
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Kernel
          Assignee: kernel-maintainers@forge.provo.novell.com
          Reporter: suse@tleine.de
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

Installed is the current Leap 42.2 system with kernel-default:

leine@x1:~> rpm -qa|grep kernel-default
kernel-default-4.4.15-1.1.x86_64
leine@x1:~> uname -a
Linux x1.box 4.4.15-1-default #1 SMP Wed Jul 20 12:52:54 UTC 2016 (0768d55) x86_64 x86_64 x86_64 GNU/Linux

according to dmesg, S4 is enabled:

leine@x1:~> dmesg|grep S4
[ 0.212333] ACPI: (supports S0 S3 S4 S5)
[ 1.632604] rtc_cmos 00:02: RTC can wake from S4

unfortunately, hibernate is not available:

leine@x1:~> cat /sys/power/state
freeze mem

and hibernate with systemctl fails:

x1:~ # systemctl hibernate
Failed to hibernate system via logind: Sleep verb not supported

It seems to be a problem with kernel-default, because kernel-vanilla works:

leine@x1:~> rpm -qa|grep kernel-vanilla
kernel-vanilla-4.4.15-1.1.x86_64
leine@x1:~> uname -a
Linux x1.box 4.4.15-1-vanilla #1 SMP Wed Jul 20 12:52:54 UTC 2016 (0768d55) x86_64 x86_64 x86_64 GNU/Linux
leine@x1:~> dmesg|grep S4
[ 0.216590] ACPI: (supports S0 S3 S4 S5)
[ 1.659649] rtc_cmos 00:02: RTC can wake from S4

Now the different parts:

leine@x1:~> cat /sys/power/state
freeze mem disk

and now it suspends to disk:

x1:~ # echo disk > /sys/power/state

(systemctl hibernate does not suspend to disk, but that might be a problem after making it suspend again with kernel-default).

As I do not know which information is needed, please ask for it.

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=991117
http://bugzilla.opensuse.org/show_bug.cgi?id=991117#c1
--- Comment #1 from Thomas Leineweber
http://bugzilla.opensuse.org/show_bug.cgi?id=991117
http://bugzilla.opensuse.org/show_bug.cgi?id=991117#c2
--- Comment #2 from Thomas Leineweber
http://bugzilla.opensuse.org/show_bug.cgi?id=991117
http://bugzilla.opensuse.org/show_bug.cgi?id=991117#c3
Takashi Iwai
http://bugzilla.opensuse.org/show_bug.cgi?id=991117
Joey Lee
http://bugzilla.opensuse.org/show_bug.cgi?id=991117
http://bugzilla.opensuse.org/show_bug.cgi?id=991117#c4
--- Comment #4 from Joey Lee
Well, this is a side-effect of secure boot. The recent kernel has a more strict check regarding the secure boot. The suspend-to-disk is dangerous from secure boot POV, thus it has to be signed. In kernel/power/hibernate.c:
bool hibernation_available(void)
{
        if (nohibernate != 0)
                return false;

        if (get_securelevel() <= 0)
                return true;
        else {
#ifdef CONFIG_HIBERNATE_VERIFICATION
                sigenforce = 1;
                return true;
#else
                return false;
#endif
        }
}
And openSUSE kernels don't set CONFIG_HIBERNATE_VERIFICATION.
Because the hibernate verification patches are not accepted by upstream. So I have never pushed those patches to the openSUSE kernel until now.
Joey, do you remember the reason we disabled it? We disabled the kexec signature check because it caused trouble with kdump. But this one (hibernation verification) seems like an oversight.
I think we should either enable CONFIG_HIBERNATE_VERIFICATION or disable CONFIG_EFI_SECURE_BOOT_SECURELEVEL, or even CONFIG_SECURITY_SECURELEVEL. Because the openSUSE community does not accept the kernel module signature check function in the openSUSE kernel. Honestly, I think that only enabling the kexec signature check and hibernate verification is not enough to protect the system, because root can load any unsigned kernel modules. So, the policy of the openSUSE kernel config is to sync with the SLE kernel?
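Added example (not part of the bug report or the kernel sources): a shell triage function that applies the hibernation_available() logic quoted in comment #4 to what a user can observe on an affected system. The function name, the verdict strings and the securelevel argument (passed in by the caller, positive when secure boot raised it) are assumptions of this example.

```shell
#!/bin/sh
# Added triage helper, not from the bug report or the kernel tree.
# It applies the hibernation_available() excerpt quoted in comment #4
# to evidence a user can read.
#   $1  file listing sleep states, e.g. /sys/power/state
#   $2  kernel config file, e.g. /boot/config-$(uname -r)
#   $3  securelevel as an integer; assumption: supplied by the caller,
#       positive when secure boot raised it
hibernate_triage() {
    state_file=$1
    config_file=$2
    securelevel=$3

    # "disk" as a whole word means the kernel offers hibernation.
    if tr ' ' '\n' < "$state_file" | grep -qx 'disk'; then
        echo "available"
    # securelevel <= 0: the excerpt returns true, so something else
    # (for example nohibernate) removed "disk".
    elif [ "$securelevel" -le 0 ]; then
        echo "blocked-other"
    # securelevel > 0 with verification built in also returns true.
    elif grep -q '^CONFIG_HIBERNATE_VERIFICATION=y$' "$config_file"; then
        echo "blocked-other"
    # securelevel > 0 without CONFIG_HIBERNATE_VERIFICATION: return false.
    else
        echo "blocked-securelevel-no-verification"
    fi
}

# Constructed sample matching the report: kernel-default under secure boot.
demo_dir=$(mktemp -d)
printf 'freeze mem\n' > "$demo_dir/state"
printf '# CONFIG_HIBERNATE_VERIFICATION is not set\n' > "$demo_dir/config"
hibernate_triage "$demo_dir/state" "$demo_dir/config" 1
rm -rf "$demo_dir"
```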
http://bugzilla.opensuse.org/show_bug.cgi?id=991117
http://bugzilla.opensuse.org/show_bug.cgi?id=991117#c5
--- Comment #5 from Takashi Iwai
Joey, do you remember the reason we disabled it? We disabled the kexec signature check because it caused trouble with kdump. But this one (hibernation verification) seems like an oversight.
I think we should either enable CONFIG_HIBERNATE_VERIFICATION or disable CONFIG_EFI_SECURE_BOOT_SECURELEVEL, or even CONFIG_SECURITY_SECURELEVEL.
Right, that's an option, too.
Because the openSUSE community does not accept the kernel module signature check function in the openSUSE kernel. Honestly, I think that only enabling the kexec signature check and hibernate verification is not enough to protect the system, because root can load any unsigned kernel modules.
So, the policy of the openSUSE kernel config is to sync with the SLE kernel?
No, both SLE12-SP2 and openSUSE-42.2 kernels share the same *code*, but the configs differ between them.
http://bugzilla.opensuse.org/show_bug.cgi?id=991117
http://bugzilla.opensuse.org/show_bug.cgi?id=991117#c6
--- Comment #6 from Joey Lee
(In reply to Joey Lee from comment #4)
Joey, do you remember the reason we disabled it? We disabled the kexec signature check because it caused trouble with kdump. But this one (hibernation verification) seems like an oversight.
I think we should either enable CONFIG_HIBERNATE_VERIFICATION or disable CONFIG_EFI_SECURE_BOOT_SECURELEVEL, or even CONFIG_SECURITY_SECURELEVEL.
Right, that's an option, too.
I want to enable CONFIG_HIBERNATE_VERIFICATION. I will test this option on the openSUSE 42.2 kernel, then submit the config change.
Because the openSUSE community does not accept the kernel module signature check function in the openSUSE kernel. Honestly, I think that only enabling the kexec signature check and hibernate verification is not enough to protect the system, because root can load any unsigned kernel modules.
So, the policy of the openSUSE kernel config is to sync with the SLE kernel?
No, both SLE12-SP2 and openSUSE-42.2 kernels share the same *code*, but the configs differ between them.
OK! OK!
http://bugzilla.opensuse.org/show_bug.cgi?id=991117
http://bugzilla.opensuse.org/show_bug.cgi?id=991117#c7
--- Comment #7 from Thomas Leineweber
http://bugzilla.opensuse.org/show_bug.cgi?id=991117
http://bugzilla.opensuse.org/show_bug.cgi?id=991117#c8
--- Comment #8 from Thomas Leineweber
http://bugzilla.opensuse.org/show_bug.cgi?id=991117
http://bugzilla.opensuse.org/show_bug.cgi?id=991117#c9
Joey Lee
As Beta3 of Leap 42.2 has arrived, nothing has changed when using kernel-default 4.4.22-1.1 with secure boot enabled: disk is missing from the possible power states. Is the configuration change possible in the timeframe until 42.2 is released?
I just sent a merge request to the openSUSE 42.2 kernel, waiting to be merged: -# CONFIG_HIBERNATE_VERIFICATION is not set +CONFIG_HIBERNATE_VERIFICATION=y +# CONFIG_HIBERNATE_VERIFICATION_FORCE is not set +CONFIG_EFI_HIBERNATION_KEYS=y
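Review bot: the two added lines "# CONFIG_HIBERNATE_VERIFICATION_FORCE is not set" and "CONFIG_EFI_HIBERNATION_KEYS=y" come with no rationale, so the merge request should say why FORCE stays off and what the EFI hibernation keys option is expected to provide. Going by the hibernation_available() excerpt quoted in comment #4, CONFIG_HIBERNATE_VERIFICATION=y is what lets the securelevel > 0 branch set sigenforce = 1 and return true, which should bring "disk" back in /sys/power/state under secure boot; it is worth confirming that on the reporter's setup (kernel-default with secure boot enabled) and noting that systems with securelevel <= 0 still take the early "return true" path, where the excerpt does not set sigenforce.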
http://bugzilla.opensuse.org/show_bug.cgi?id=991117
http://bugzilla.opensuse.org/show_bug.cgi?id=991117#c10
--- Comment #10 from Thomas Leineweber
I just sent a merge request to the openSUSE 42.2 kernel, waiting to be merged:
Thanks for your work and the information. When there is a test build, please give me a hint. I can test it on my system.
http://bugzilla.opensuse.org/show_bug.cgi?id=991117
http://bugzilla.opensuse.org/show_bug.cgi?id=991117#c11
--- Comment #11 from Thomas Leineweber
http://bugzilla.opensuse.org/show_bug.cgi?id=991117
http://bugzilla.opensuse.org/show_bug.cgi?id=991117#c12
Thomas Leineweber