[opensuse-factory] UEFI Secure Boot and hibernation

Hi,

Both openSUSE Leap 15.1 and SLES 15 SP1 [1] references contain this limitation when Secure Boot is enabled:

    Hibernation (suspend on disk) is disabled.

I did some digging and found this 2015 patch submission to linux-pm@ [2] from Lee Chun-Yi, but don't see that it was ever accepted (?) and I'm wondering what the status and interest level in getting upstream support for hibernation with Secure Boot enabled?

Thanks,

--
Chris Murphy

[1] https://documentation.suse.com/sles/15-SP1/single-html/SLES-admin/#book-sle-...
    https://doc.opensuse.org/documentation/leap/reference/html/book.opensuse.ref...
[2] https://lore.kernel.org/linux-pm/1439273627-25111-1-git-send-email-jlee@suse...

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Hi Chris,

> Hi,
>
> Both openSUSE Leap 15.1 and SLES 15 SP1 [1] references contain this limitation when Secure Boot is enabled.
>
>     Hibernation (suspend on disk) is disabled.
>
> I did some digging and found this 2015 patch submission to linux-pm@ [2] from Lee Chun-Yi, but don't see that it was ever accepted (?) and I'm wondering what the status and interest level in getting upstream support for hibernation with Secure Boot enabled?

Secure boot and hibernation at least are working for Tumbleweed systems. My DELL XPS 13 has no problem with this combination.

> Thanks,
>
> --
> Chris Murphy

Bye.
Michael.
--
Michael Hirmke
On Wed, Feb 19, 2020 at 3:19 PM Michael Hirmke <mh@mike.franken.de> wrote:
> Hi Chris,
>
>> Hi,
>>
>> Both openSUSE Leap 15.1 and SLES 15 SP1 [1] references contain this limitation when Secure Boot is enabled.
>>
>>     Hibernation (suspend on disk) is disabled.
>>
>> I did some digging and found this 2015 patch submission to linux-pm@ [2] from Lee Chun-Yi, but don't see that it was ever accepted (?) and I'm wondering what the status and interest level in getting upstream support for hibernation with Secure Boot enabled?
>
> Secure boot and hibernation at least are working for Tumbleweed systems. My DELL XPS 13 has no problem with this combination.

I'm gonna guess CONFIG_SECURITY_LOCKDOWN_LSM is not set for Tumbleweed kernels? What do you get for?

$ dmesg | grep -i Lockdown

--
Chris Murphy
On Wed, Feb 19, 2020 at 9:11 PM Chris Murphy <lists@colorremedies.com> wrote:
> On Wed, Feb 19, 2020 at 3:19 PM Michael Hirmke <mh@mike.franken.de> wrote:
>> Hi Chris,
>>
>>> Hi,
>>>
>>> Both openSUSE Leap 15.1 and SLES 15 SP1 [1] references contain this limitation when Secure Boot is enabled.
>>>
>>>     Hibernation (suspend on disk) is disabled.
>>>
>>> I did some digging and found this 2015 patch submission to linux-pm@ [2] from Lee Chun-Yi, but don't see that it was ever accepted (?) and I'm wondering what the status and interest level in getting upstream support for hibernation with Secure Boot enabled?
>>
>> Secure boot and hibernation at least are working for Tumbleweed systems. My DELL XPS 13 has no problem with this combination.
>
> I'm gonna guess CONFIG_SECURITY_LOCKDOWN_LSM is not set for Tumbleweed kernels? What do you get for?
>
> $ dmesg | grep -i Lockdown

It's set for me in my kconfig:

ngompa@opensuse-tw-skuld:~> cat /boot/config-$(uname -r) | grep -i LOCKDOWN
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
ngompa@opensuse-tw-skuld:~> uname -r
5.4.14-1-default

--
真実はいつも一つ!/ Always, there's only one truth!
Neal Gompa writes:
> It's set for me in my kconfig:
>
> ngompa@opensuse-tw-skuld:~> cat /boot/config-$(uname -r) | grep -i LOCKDOWN
> CONFIG_SECURITY_LOCKDOWN_LSM=y
> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
> ngompa@opensuse-tw-skuld:~> uname -r
> 5.4.14-1-default

Useless use of cat… :-) but it is also in the current Tumbleweed kernel:

# grep -i lockdown /boot/config-5.5.2-1-default
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y

Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptation for Waldorf microQ V2.22R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
ASSI writes:
> Useless use of cat… :-) but it is also in the current Tumbleweed kernel:
>
> # grep -i lockdown /boot/config-5.5.2-1-default
> CONFIG_SECURITY_LOCKDOWN_LSM=y
> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y

It's still there after today's kernel update. I went ahead and hibernated/resumed the machine, which worked:

--8<---------------cut here---------------start------------->8---
[   86.345011] PM: hibernation entry
[   86.376490] Filesystems sync: 0.031 seconds
[   86.376492] Freezing user space processes ... (elapsed 0.001 seconds) done.
[   86.378420] OOM killer disabled.
[   86.378503] PM: Marking nosave pages: [mem 0x00000000-0x00000fff]
[   86.378504] PM: Marking nosave pages: [mem 0x00058000-0x00058fff]
[   86.378505] PM: Marking nosave pages: [mem 0x00090000-0x00090fff]
[   86.378506] PM: Marking nosave pages: [mem 0x0009e000-0x000fffff]
[   86.378509] PM: Marking nosave pages: [mem 0xc4493000-0xc4499fff]
[   86.378510] PM: Marking nosave pages: [mem 0xc4932000-0xc52c2fff]
[   86.378557] PM: Marking nosave pages: [mem 0xd7fc4000-0xd9ffefff]
[   86.378717] PM: Marking nosave pages: [mem 0xda000000-0xffffffff]
[   86.379636] PM: Basic memory bitmaps created
[   86.379888] PM: Preallocating image memory... done (allocated 738911 pages)
[   86.977917] PM: Allocated 2955644 kbytes in 0.59 seconds (5009.56 MB/s)
[   86.977918] Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done.
[   86.999826] printk: Suspending console(s) (use no_console_suspend to debug)
[   87.000574] serial 00:07: disabled
[   87.000806] parport_pc 00:05: disabled
[   87.157139] ACPI: Preparing to enter system sleep state S4
[   87.158511] PM: Saving platform NVS memory
[   87.164266] Disabling non-boot CPUs ...
[   87.164790] IRQ 27: no longer affine to CPU1
[   87.165815] smpboot: CPU 1 is now offline
[   87.168117] IRQ 29: no longer affine to CPU2
[   87.169792] smpboot: CPU 2 is now offline
[   87.174353] IRQ 23: no longer affine to CPU3
[   87.175390] smpboot: CPU 3 is now offline
[   87.179779] PM: Creating hibernation image:
[   87.262120] PM: Need to copy 733471 pages
[   87.262122] PM: Normal pages needed: 733471 + 1024, available pages: 1327632
[   87.179975] ACPI: Hardware changed while hibernated, success doubtful!
[   87.179976] PM: Restoring platform NVS memory
[   87.180903] Enabling non-boot CPUs ...
[   87.180938] x86: Booting SMP configuration:
[   87.180938] smpboot: Booting Node 0 Processor 1 APIC 0x2
[   87.181405] CPU1 is up
[   87.181427] smpboot: Booting Node 0 Processor 2 APIC 0x1
[   87.181968] CPU2 is up
[   87.181992] smpboot: Booting Node 0 Processor 3 APIC 0x3
[   87.182459] CPU3 is up
[   87.184076] ACPI: Waking up from system sleep state S4
[   87.284453] usb usb3: root hub lost power or was reset
[   87.284455] usb usb4: root hub lost power or was reset
[   87.284501] usb usb1: root hub lost power or was reset
[   87.284755] usb usb2: root hub lost power or was reset
[   87.287542] parport_pc 00:05: activated
[   87.288281] serial 00:07: activated
[   87.288394] ehci-pci 0000:00:1a.0: cache line size of 64 is not supported
[   87.288663] ehci-pci 0000:00:1d.0: cache line size of 64 is not supported
[   87.289684] sd 0:0:0:0: [sda] Starting disk
[   87.612031] ata5: SATA link up 1.5 Gbps (SStatus 113 SControl 300)
[   87.614533] ACPI BIOS Error (bug): Could not resolve symbol [\_SB.PCI0.SAT0.SPT4._GTF.DSSP], AE_NOT_FOUND (20191018/psargs-330)
[   87.614553] ACPI Error: Aborting method \_SB.PCI0.SAT0.SPT4._GTF due to previous error (AE_NOT_FOUND) (20191018/psparse-529)
[   87.615891] ata1: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
[   87.616122] ACPI BIOS Error (bug): Could not resolve symbol [\_SB.PCI0.SAT0.SPT4._GTF.DSSP], AE_NOT_FOUND (20191018/psargs-330)
[   87.616137] ACPI Error: Aborting method \_SB.PCI0.SAT0.SPT4._GTF due to previous error (AE_NOT_FOUND) (20191018/psparse-529)
[   87.616156] ata5.00: configured for UDMA/133
[   87.619116] ata1.00: configured for UDMA/133
[   87.628876] usb 2-1: reset high-speed USB device number 2 using ehci-pci
[   87.628880] usb 1-1: reset high-speed USB device number 2 using ehci-pci
[   87.766683] PM: Basic memory bitmaps freed
[   87.766692] OOM killer enabled.
[   87.766693] Restarting tasks ... done.
[   87.775710] PM: hibernation exit
--8<---------------cut here---------------end--------------->8---

Secure UEFI boot is on, but I don't use an encrypted disk, which would quite likely paint a different picture.

Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Factory and User Sound Singles for Waldorf rackAttack:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds
On Wed, Feb 19, 2020 at 11:52 PM ASSI <Stromeko@nexgo.de> wrote:
> ASSI writes:
>> Useless use of cat… :-) but it is also in the current Tumbleweed kernel:
>>
>> # grep -i lockdown /boot/config-5.5.2-1-default
>> CONFIG_SECURITY_LOCKDOWN_LSM=y
>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
>
> It's still there after today's kernel update. I went ahead and hibernated/resumed the machine, which worked:

This gets used in lockdown.c which is where I get

[    0.000000] flap.local kernel: Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/securi...

But I don't see that kernel message in Tumbleweed kernels. I'm not sure what actually enables the lockdown, but I'm pretty sure this is intentional for Tumbleweed where you'd want to be able to test various things. You'd want Secure Boot enabled, but you maybe wouldn't want lockdown to prevent things like tracefs, which is also subject to lockdown. I see this with Fedora, as well as in Ubuntu 20.04 kernels:

https://bugs.launchpad.net/ubuntu/+source/perf-tools-unstable/+bug/1862708

I guess it could be something set in shim, or the bootloader, and handed off to the kernel separately from boot parameters.

--
Chris Murphy
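The thread turns on three separate facts that are easy to conflate: whether Secure Boot is on, whether the kernel actually engaged lockdown (a kernel can have CONFIG_SECURITY_LOCKDOWN_LSM=y and still never lock down, as the Tumbleweed reports show), and whether hibernation is offered. The script below is an added example, not code from the thread or from openSUSE; it reads the Linux sysfs/efivarfs files that carry those three facts (the file names are assumptions about the machine it runs on) and keeps the parsing in functions that can be tried on constructed input.

```shell
# Added example: report Secure Boot, lockdown mode and hibernation availability.
# Paths are the usual Linux ones and are assumptions about the target machine;
# parsers take text or a path so they can be exercised on constructed input.

SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivarfs files carry 4 bytes of attributes, then the variable data;
# for SecureBoot the data is one byte: 1 = enabled, 0 = disabled.
secure_boot_state() {               # $1: path to the SecureBoot efivar
    [ -r "$1" ] || { echo unknown; return; }
    case "$(od -An -tu1 -j 4 -N 1 "$1" | tr -d ' ')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# sysfs "choice" files read like "[none] integrity confidentiality";
# the bracketed entry is the active one. /sys/kernel/security/lockdown
# only exists when the lockdown LSM is built in, hence "unavailable".
active_choice() {                   # $1: file contents
    case "$1" in
        *\[*\]*) printf '%s\n' "$1" | sed 's/.*\[\([^]]*\)\].*/\1/' ;;
        *) echo unavailable ;;
    esac
}

# /sys/power/disk shows "[disabled]" when the kernel refuses to hibernate
# (lockdown is one reason); a missing file means no CONFIG_HIBERNATION.
hibernation_state() {               # $1: contents of /sys/power/disk
    case "$(active_choice "$1")" in
        disabled|unavailable) echo disabled ;;
        *) echo available ;;
    esac
}

# The dmesg line quoted in the thread also says *why* lockdown was engaged.
lockdown_reason() {                 # $1: dmesg text
    printf '%s\n' "$1" | sed -n 's/.*Kernel is locked down from \(.*\);.*/\1/p' | head -n 1
}

report() {
    echo "secure boot : $(secure_boot_state "$SB_VAR")"
    echo "lockdown    : $(active_choice "$(cat /sys/kernel/security/lockdown 2>/dev/null)")"
    echo "hibernation : $(hibernation_state "$(cat /sys/power/disk 2>/dev/null)")"
    echo "reason      : $(lockdown_reason "$(dmesg 2>/dev/null)")"
}
if [ "${1:-}" = "--report" ]; then report; fi
```

Run it as `sh check-lockdown.sh --report` (as root, so that dmesg and efivarfs are readable); a machine matching Chris's description prints lockdown `integrity` with reason `EFI Secure Boot mode` and hibernation `disabled`, while the Tumbleweed machines in the thread would show lockdown `none` with hibernation `available`.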
On 21. 02. 20, 1:49, Chris Murphy wrote:
> On Wed, Feb 19, 2020 at 11:52 PM ASSI <Stromeko@nexgo.de> wrote:
>> ASSI writes:
>>> Useless use of cat… :-) but it is also in the current Tumbleweed kernel:
>>>
>>> # grep -i lockdown /boot/config-5.5.2-1-default
>>> CONFIG_SECURITY_LOCKDOWN_LSM=y
>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
>>
>> It's still there after today's kernel update. I went ahead and hibernated/resumed the machine, which worked:
>
> This gets used in lockdown.c which is where I get
>
> [    0.000000] flap.local kernel: Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
>
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/securi...
>
> But I don't see that kernel message in Tumbleweed kernels. I'm not sure what actually enables the lockdown, but I'm pretty sure this is intentional for Tumbleweed where you'd want to be able to test various things. You'd want Secure Boot enabled, but you maybe wouldn't want lockdown to prevent things like tracefs, which is also subject to lockdown. I see this with Fedora, as well as in Ubuntu 20.04 kernels:

Unlike Leap (and Fedora and Ubuntu Focal), Tumbleweed does not have the lock_kernel_down patches. Noted this to jsc#SLE-9870, so that we can have this fixed.

thanks,
--
js
suse labs
ASSI writes:
> It's still there after today's kernel update. I went ahead and hibernated/resumed the machine, which worked:
> […]
> Secure UEFI boot is on, but I don't use an encrypted disk, which would quite likely paint a different picture.

The subsequent powerdown/boot sequence did not go so well and I ended up with a system that had some mounts not present (among them /root, which is how I noticed, and unfortunately the place for the journal, which is why I don't have any logs). Another reboot got everything back in order.

Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptations for Waldorf Q V3.00R3 and Q+ V3.54R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada