[Guide] Fedora 36+: Hibernation with enabled secure boot and full disk encryption (fde) decrypting over tpm2

At least on (some) 11th gen models (not sure about 11th gen 1185g7), ME firmware needs to be upgraded with a BIOS update. Beyond that, only vPRO models can handle encrypted RAM/etc for level 3 afaik


This is fantastic, thank you so much!

One question: Given you have to patch the kernel, what do you do when a new version is available? Do you just avoid updating the kernel, or is there a streamlined approach to make the patch persist between upgrades?

No, not yet. I just recompile the kernel with the patch and install it. Actually, I just run these commands. With my streamlined kernel configuration, the compiling takes about half an hour on a 12th generation board.

### Set variables
export arch=x86_64
export ver=6.1
export minrel=7
export pkgrel=200
export subver=$minrel-$pkgrel
export fedver=fc37
export name=$(hostname)

### Setup build system
rpmdev-setuptree
koji download-build --arch=src kernel-$ver.$subver.$fedver
rpm -Uvh kernel-$ver.$subver.$fedver.src.rpm
cd ~/rpmbuild/SPECS

### Apply patches and customize kernel configuration
# Get patch to enable hibernate in lockdown mode (secure boot)
wget https://gist.githubusercontent.com/kelvie/917d456cb572325aae8e3bd94a9c1350/raw/74516829883c7ee7b2216938550d55ebcb7be609/0001-Add-a-lockdown_hibernate-parameter.patch -O ~/rpmbuild/SOURCES/0001-Add-a-lockdown_hibernate-parameter.patch
# Define patch in kernel.spec for building the rpms
# Patch2: 0001-Add-a-lockdown_hibernate-parameter.patch
sed -i '/^Patch999999/i Patch2: 0001-Add-a-lockdown_hibernate-parameter.patch' kernel.spec
# Add patch as ApplyOptionalPatch
sed -i '/^ApplyOptionalPatch linux-kernel-test.patch/i ApplyOptionalPatch 0001-Add-a-lockdown_hibernate-parameter.patch' kernel.spec
sed -i "s/# define buildid .local/%define buildid .$name/g" kernel.spec
sed -i "s/.$name/.$name\n%define pe_signing_cert $name/g" kernel.spec
# Copy currently running, customized and streamlined configuration (see first post how to customize)
cp /boot/config-$(uname -r) ~/rpmbuild/SOURCES/kernel-local
# Remove build infos from custom config
sed -i '0,/^#\ General\ setup$/d' ~/rpmbuild/SOURCES/kernel-local
sed -i '1i # x86_64' ~/rpmbuild/SOURCES/kernel-local

### Compile kernel
cd ~/rpmbuild/SPECS
time rpmbuild -bb --with baseonly --without debuginfo --target=$arch kernel.spec | tee ~/build-kernel.log

### Install kernel
cd ~/rpmbuild/RPMS/$arch/
sudo dnf install *.rpm

The needed patch worked with kernel version 6.0 and still works with 6.1. I hope the author will adapt it when needed; otherwise I’ll probably just adapt it myself (and post it here).


This is great! Thank you so much for all this documentation. I’m going to try setting this up this weekend.

I updated my personal kernel configuration (version 6.1.9). Now it takes about fifteen minutes to compile the kernel. Check out my streamlined kernel configuration for frame.work. Copy this file to ~/rpmbuild/SOURCES/kernel-local to get a streamlined kernel for the frame.work notebook. You probably want to customize/enable more device drivers depending on your needs …

Amazing work! Thank you so much for your time!
Are we going to have to perform these steps on every kernel version, or is the Fedora project going to add/work on these for the next kernel version?

@Raining-characters I don’t think they are going to work on it at all. This is all a hack to circumvent kernel lockdown. As far as Fedora is concerned, the lack of working hibernation means everything is working as intended.


Hey everyone, I’m the person that wrote the hibernation / lockdown mode patch for the kernel (did not know anyone else knew about it, I’ve only posted it to an obscure question in stack exchange), and have been using it by modifying the linux pkgbuild on arch for quite some time now.

It looks like it’s not just me that wants this, maybe we should take it up with the kernel devs on their mailing list?


@Kelvie - Thanks for your solution. It would be awesome if that feature would take place in a kernel! Just to know it, how would that work? ; )
But I found a reddit post that describes why it shouldn’t be an activated feature for all:
https://www.reddit.com/r/Fedora/comments/r4a4so/interesting_fedora_does_not_support_hibernation/


@Kelvie, it would be awesome to have the patch in the official kernel, but I don’t know how to get it there, and I have a slight doubt whether it will get accepted, looking at the effort it needs to get it “working”.

At least some of these points shouldn’t matter anymore if you enabled encrypted ram which is possible with frame.work.

Btw, the patch is still working with kernel version 6.3.8!

Yes, you are right. I mean it more in the way that adding those kernel features seems unlikely, because they deliver to all devices.

Maybe a git repo with a pipeline that adds the needed stuff and bundles the kernel could be a good solution to run over time?

Just mentioning it, because it could be a little bit annoying to recompile and reconfigure hibernation from time to time…
PS.: At least my setup seems to need my attention again after the last patches… ; )

As an addition, check out this nice write-up for tpm2 decryption: https://community.frame.work/t/guide-setup-tpm2-autodecrypt

Just in case, I adapted the kernel patch to be compatible with kernel version 6.7.x: Enable hibernate during lockdown · GitHub

I’m a fedora noob and would appreciate some help. I’m running into issues applying the patch to my current kernel (6.7.4-200). After running the wget and sed lines and then trying to run rpmbuild, it seems there are some errors introduced.
I get:

sam@fedora:~/rpmbuild/SPECS$ time rpmbuild -bb --with baseonly --without debuginfo --target=$arch kernel.spec | tee ~/build-kernel.log
error: parse error in expression:  0%{.fedora
error:                              ^
error: /home/sam/rpmbuild/SPECS/kernel.spec:99: bad %if condition:  0%{.fedora
Building target platforms: x86_64
Building for target x86_64

real	0m0.021s
user	0m0.011s
sys	0m0.011s

Looking at the original spec file, it looks like a lot of the 0%{?fedora} lines are being mangled, but I’m not knowledgeable enough to go through the whole spec and fix them myself. Am I doing something wrong?

I know I’m a bit late but I had the same problem and think I found the issue. The line:

sed -i "s/.$name/.$name\n%define pe_signing_cert $name/g" kernel.spec

causes many substitutions, which results in the error you’re seeing. If you run everything before that line, then instead run

sed -i "s/%define buildid \.$name/%define buildid .$name\n%define pe_signing_cert $name/g" kernel.spec

it works!

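To make the difference between the two sed lines concrete, here is an added example (not code from the thread or from the kernel spec) that runs both variants over a small constructed kernel.spec fragment. It assumes the hostname is "fedora", as in the quoted error output, and the sed_inplace helper is mine, standing in for the thread's "sed -i"; the counts it prints illustrate why the first sed produces "0%{.fedora" and the anchored one does not.

```shell
#!/bin/sh
# Added example, not from the thread: a constructed kernel.spec fragment shows
# why the original "s/.$name/..." sed mangles "0%{?fedora}" lines and why the
# anchored replacement posted later does not. Assumes the hostname is "fedora",
# matching the error output quoted above ("0%{.fedora").
name=fedora

# Portable in-place sed (the thread uses "sed -i", which is GNU-specific).
sed_inplace() { sed "$1" "$2" > "$2.new" && mv "$2.new" "$2"; }

# Write the constructed spec fragment and apply the shared buildid step.
make_spec() {
    cat > "$1" <<'EOF'
%if 0%{?fedora}
%define primary_target fedora
%endif
# define buildid .local
Patch999999: linux-kernel-test.patch
EOF
    sed_inplace "s/# define buildid .local/%define buildid .$name/g" "$1"
}

# Original line: "." matches any character, so "?fedora" and " fedora" also
# match and every such line gets a stray pe_signing_cert define inserted.
apply_broad() {
    sed_inplace "s/.$name/.$name\n%define pe_signing_cert $name/g" "$1"
}

# Fix from later in the thread: anchored on the full "%define buildid" line,
# so only that line is touched.
apply_anchored() {
    sed_inplace "s/%define buildid \.$name/%define buildid .$name\n%define pe_signing_cert $name/g" "$1"
}

# Lines rpmbuild will reject ("0%{." instead of "0%{?").
count_mangled() { grep -c '0%{\.' "$1" || true; }
# pe_signing_cert defines; a correct spec has exactly one.
count_signing() { grep -c '^%define pe_signing_cert' "$1" || true; }

# Build a fresh spec, apply one variant, print "<mangled> <signing defines>".
run_variant() {
    f=$(mktemp)
    make_spec "$f"
    "$1" "$f"
    echo "$(count_mangled "$f") $(count_signing "$f")"
    rm -f "$f"
}

echo "broad:    $(run_variant apply_broad)"      # 1 3
echo "anchored: $(run_variant apply_anchored)"   # 0 1
```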

I’ll have to try this when I get a chance. Any idea if it works with fedora 40?

I’m trying to set it up on Fedora 40. I started compiling, then stopped it, then found that it cleans the build directory every time I invoke the build command. Normally I’d start it building, run for a bit, get some other work done, run again, etc, but I can’t here so haven’t been able to let it fully build yet. Will let you know if it’s successful when I have time to run it.

Edit: for future reference, here are the settings I’m using for Fedora 40:

export arch=x86_64
export ver=6.8
export minrel=7
export pkgrel=300
export subver=$minrel-$pkgrel
export fedver=fc40
export name=$(hostname)

Are kernel patches still required if rocking Fedora 40 on here? I went from an 11th gen i7 to amd 7840U and I wonder if some of the suggestions here still apply

It’s still working with the patch from here [Guide] Fedora 36+: Hibernation with enabled secure boot and full disk encryption (fde) decrypting over tpm2 - #28 by Sebali
