On 09.03.23 09:47, cagsm wrote:
> [ +0.002718] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
> Just when simply using it live and turned on. Not sleeping the machine, not hibernating, just during uptime. Not using proprietary stuff or anything. Don't quite understand what this complaint is.
Hi, with the announcement of 6.2.2 being changed this is becoming an academic discussion, but the topic is important and likely to resurface. Hence I will try to explain.

If your laptop is running into a state of the battery becoming critically low, systemd will be used to trigger S4. This is necessary because the content of your RAM needs to be protected, as you may have something running that would not save its state if the system is just shut down. Warning you that this feature is unavailable only when it is needed is not a good solution. It would be too late for you to do anything about it.

Now the interesting question is why S4 is being disabled at kernel level. This is indirectly due to SecureBoot. Now I am not going to defend its implementation, nor discuss it, because it is strictly speaking not necessary to understand the logic behind this regression.

Conceptually your system is divided into two zones of trust. One is cryptographically trusted via a chain of trust (kernel space). The other (user space) is not. For that chain to stay unbroken the trusted zone must not be altered by the untrusted zone, nor can you add unsigned stuff to it. That means that the kernel and the modules must be signed. When you resume from S4, however, everything in memory is replaced by the content of a disk image, including the trusted parts. That breaks the chain of trust. Patches to add a cryptographic signature to the image have been floating around for years, yet they keep staying almost ready.

HTH
Oliver
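As an added check (example script written for this page, not code from the thread or from systemd), the following reads the active kernel lockdown mode and reports ahead of time whether hibernation would be refused, so the problem Oliver describes surfaces before a low-battery event needs S4 rather than during it. It assumes the standard sysfs paths /sys/kernel/security/lockdown and /sys/power/state; file paths are parameters so it also runs against constructed sample files.

```shell
#!/bin/sh
# Added example, not code from the thread: check ahead of time whether the
# kernel's lockdown policy would refuse hibernation (S4), instead of finding
# out when systemd-logind tries to hibernate on a critically low battery.
# File paths are parameters so the check also runs against constructed samples.

# Print the active lockdown mode. /sys/kernel/security/lockdown lists all
# modes with the active one in brackets, e.g. "none [integrity] confidentiality".
# A missing or unreadable file (lockdown LSM not built in) is treated as "none".
lockdown_mode() {
    [ -r "$1" ] || { echo none; return 0; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1"
}

# Report whether hibernation is usable. It needs "disk" in /sys/power/state,
# and the lockdown mode must be "none": both integrity and confidentiality
# restrict hibernation because the resume image carries no signature.
# Prints a reason; returns 0 if allowed, 1 otherwise.
hibernation_allowed() {
    mode=$(lockdown_mode "$1")
    if ! grep -qw disk "$2" 2>/dev/null; then
        echo "unavailable: kernel exposes no 'disk' sleep state"
        return 1
    fi
    case "$mode" in
        none) echo "allowed"; return 0 ;;
        *)    echo "restricted: lockdown mode '$mode' blocks hibernation"; return 1 ;;
    esac
}

# Stand-alone demo on constructed sample files mimicking a SecureBoot-locked
# laptop (real paths: /sys/kernel/security/lockdown and /sys/power/state).
demo() {
    d=$(mktemp -d)
    printf 'none [integrity] confidentiality\n' > "$d/lockdown"
    printf 'freeze mem disk\n' > "$d/state"
    hibernation_allowed "$d/lockdown" "$d/state"
    rm -rf "$d"
}
demo
```

Run it as part of a boot-time or login-time check and alert while the battery is still healthy; on the sample input above it prints `restricted: lockdown mode 'integrity' blocks hibernation`.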