Hibernation? Using it?

Not OP, but I set my wife’s laptop up with a similar setup to OP. The benefit of going with hibernation, in addition to power concerns, is the ability to encrypt the system state in hibernation. When you go in and out of sleep, my understanding is that all your data is just sitting there waiting to be sniffed. Setting up hibernation with an encrypted swap means that this is no longer the case.

On the other hand, encryption is not a “free” operation. For my setup, which includes an encrypted swap, root, and boot, the whole process takes about 23 seconds. This is probably more than a normal encrypted swap setup, since having an encrypted boot slows down the whole process, AFAIK. I probably wouldn’t do this setup again, since I’m not sure if I should care about that attack vector, and it would probably be more useful for me to work on setting up the TPM.


Framework+gentoo here.
standard gentoo guidelines + adding resume partition:

linux /vmlinuz-5.15.41-gentoo root=/dev/nvme0n1p3 ro mem_sleep_default=deep resume=/dev/nvme0n1p2

makes hibernation (dumping to disk) work.
Also, installing the proper extensions
https://extensions.gnome.org/extension/755/hibernate-status-button/

and enabling them via gnome-shell-extension-prefs
makes restoring work nicely, password-locked.

Time - up to a minute (i7).
The only con - you need a lot of disk space (>= RAM; see the guidelines for your distro).

The only thing I’m fighting with is “hibernation on lid close” - this involves some diving into details & maybe some coding.
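A check that ties the two points above together (the resume= entry on the kernel command line, and the earlier remark that only an encrypted swap keeps the hibernation image off the disk in the clear). This is an added example, not something posted in the thread: it parses a kernel command line and /proc/swaps-style text, confirms the resume target is actually an active swap device, and flags whether that device is a device-mapper node, which is what a dm-crypt swap shows up as. The sample inputs are constructed; on a live system pass `"$(cat /proc/cmdline)"` and `"$(cat /proc/swaps)"` to `report`.

```shell
#!/bin/sh
# Added example (not from the thread): does resume= point at the active swap,
# and is that swap on a device-mapper node (i.e. plausibly dm-crypt)?

# Extract the value of resume= from a kernel command line string.
resume_target() {
    # $1: kernel command line
    for word in $1; do
        case "$word" in
            resume=*) printf '%s\n' "${word#resume=}"; return 0 ;;
        esac
    done
    return 1
}

# Report whether mem_sleep_default=deep is set (S3 instead of s2idle).
deep_sleep_default() {
    for word in $1; do
        [ "$word" = "mem_sleep_default=deep" ] && return 0
    done
    return 1
}

# List active swap devices from /proc/swaps-style text (skip the header line).
swap_devices() {
    # $1: contents of /proc/swaps
    printf '%s\n' "$1" | awk 'NR > 1 { print $1 }'
}

# Return 0 if the resume target is one of the active swap devices.
resume_matches_swap() {
    # $1: kernel command line, $2: /proc/swaps contents
    target=$(resume_target "$1") || return 1
    for dev in $(swap_devices "$2"); do
        [ "$dev" = "$target" ] && return 0
    done
    return 1
}

# Return 0 if a device path is a device-mapper node (/dev/mapper/* or /dev/dm-N).
# A dm-crypt swap appears this way; a raw partition does not.
is_dm_device() {
    case "$1" in
        /dev/mapper/*|/dev/dm-[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: the command line from the post above, swap on a raw partition.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-5.15.41-gentoo root=/dev/nvme0n1p3 ro mem_sleep_default=deep resume=/dev/nvme0n1p2'
SAMPLE_SWAPS='Filename				Type		Size	Used	Priority
/dev/nvme0n1p2                          partition	33554428	0	-2'

# Constructed sample: swap opened through dm-crypt as /dev/mapper/swap.
ENC_CMDLINE='root=/dev/mapper/root ro mem_sleep_default=deep resume=/dev/mapper/swap'
ENC_SWAPS='Filename				Type		Size	Used	Priority
/dev/mapper/swap                        partition	33554428	0	-2'

report() {
    # $1: kernel command line, $2: /proc/swaps contents
    if resume_matches_swap "$1" "$2"; then
        t=$(resume_target "$1")
        if is_dm_device "$t"; then
            echo "resume=$t is active swap on a device-mapper node (check it is crypt, not plain LVM)"
        else
            echo "resume=$t is active swap on a raw partition: hibernation image is written in the clear"
        fi
    else
        echo "resume target does not match any active swap: resume from hibernation will fail"
    fi
    deep_sleep_default "$1" || echo "note: mem_sleep_default=deep not set (s2idle may be used for suspend)"
}

report "$SAMPLE_CMDLINE" "$SAMPLE_SWAPS"
report "$ENC_CMDLINE" "$ENC_SWAPS"
```

A device-mapper node can also be a plain LVM volume, so on a real machine confirm the layer with `lsblk -o NAME,TYPE`, where an encrypted swap shows a `crypt` entry under its backing partition.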

Worth noting that the hibernation restriction with secure boot is the result of the Linux lockdown patches, which disable hibernation on secure boot systems due to there being no practical way (at the moment) to verify that the hibernation image is a secure, verified image. It’s possible to disable these patches (if you build the kernel yourself) or use a distribution that doesn’t enable those patches by default (like Arch). There’s also currently work underway to enable hibernation securely, too, so this may be changing soon.

I’m currently using a LUKS + TPM + SecureBoot setup this way.

Indeed, I’ve been waiting on that for a while, but I haven’t seen much since that blog post.

I didn’t realize that Arch disabled lockdown. I’ll have to try out enabling secure boot, then. My personal threat model could probably just ignore that kind of attack as too difficult.

Is that really a concern when the image in question is encrypted and has to be un-encrypted before being able to use it to resume?

I think the threat model here assumes that root level compromise is possible, so it’s possible for an attacker to compromise a running system (or boot an older signed kernel with a vulnerability) and create a doctored hibernate image to gain persistence.
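A quick way to see whether the lockdown behaviour described above applies to the kernel you are running. This is an added example, not from the thread: it reads the active lockdown mode from the bracketed entry in /sys/kernel/security/lockdown and the hibernation mode from /sys/power/disk, which a lockdown kernel reports as `[disabled]`. The parsing works on strings so the logic can be exercised on the constructed samples below; on a live system pass `"$(cat /sys/kernel/security/lockdown)"` and `"$(cat /sys/power/disk)"` to `explain`.

```shell
#!/bin/sh
# Added example (not from the thread): report the kernel lockdown mode and
# whether hibernation is currently available.

# sysfs marks the active option with square brackets, e.g. "none [integrity] confidentiality".
bracketed() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([^]]*\)\].*/\1/p'
}

lockdown_mode()    { bracketed "$1"; }   # $1: contents of /sys/kernel/security/lockdown
hibernation_mode() { bracketed "$1"; }   # $1: contents of /sys/power/disk

# Return 0 when hibernation is usable: the kernel reports a real disk mode
# (platform, shutdown, ...) rather than "[disabled]".
hibernation_usable() {
    m=$(hibernation_mode "$1")
    [ -n "$m" ] && [ "$m" != "disabled" ]
}

# Constructed samples: a Secure Boot distro kernel with lockdown in integrity
# mode, and a kernel booted without lockdown.
LOCKED_LOCKDOWN='none [integrity] confidentiality'
LOCKED_DISK='[disabled]'
OPEN_LOCKDOWN='[none] integrity confidentiality'
OPEN_DISK='[platform] shutdown reboot suspend test_resume'

explain() {
    # $1: lockdown contents, $2: /sys/power/disk contents
    ld=$(lockdown_mode "$1")
    if hibernation_usable "$2"; then
        echo "lockdown=$ld: hibernation available (disk mode $(hibernation_mode "$2"))"
    else
        echo "lockdown=$ld: hibernation disabled; the kernel has no way to verify a resume image"
    fi
}

explain "$LOCKED_LOCKDOWN" "$LOCKED_DISK"
explain "$OPEN_LOCKDOWN" "$OPEN_DISK"
```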

Thanks @2disbetter and everyone in this thread! I learnt a lot about Linux Ubuntu and hardware settings! I had Mac hardware, and for my everyday work, I missed the “saved state” or “reboot and find the same apps and windows open”. Now it is well set up and running and hibernating.

FrameWork 13, 12th Gen Intel, swap partition, Ubuntu 22.04.