> the bootloader (shim and GRUB) and kernel assets will be delivered as snap packages (via gadget and kernel snaps), as opposed to being delivered as Debian packages.
And there it is.
I suppose having your kernel command line signed by Canonical and unmodifiable by the system owner without a pain-in-the-ass manual 'machine owner key enrolment' process is very much on-brand for Snap.
Yeah, I completely switched to Arch after I got the ads in my apt-get commands. It's a bit more annoying and unstable, but overall a much better experience than Ubuntu.
I still have a few server instances on Ubuntu, but I'm moving them to straight Debian or Arch when they need major upgrades.
Hard pass. I've slowly been dumping Ubuntu due to the force-snaps-down-your-throat strategy they have. Still irritated I have to jump through hoops to get Firefox without a snap.
Meanwhile my mom just asked me to switch her Dell to her favorite Linux Mint flavour and the key enrollment was literally 3 key presses plus the password away.
Oops, I tried to install the nvidia drivers, but it doesn't seem to have worked.
I got a weird screen during the process, pretty sure it was blue, and the default option was 'continue boot' which I selected, I think maybe it was the 'BIOS' ?
I couldn't google what to do while at that screen, or screenshot it either, for some reason.
I've tried uninstalling then reinstalling the drivers, but that hasn't made the mystery screen come up again, and hasn't fixed my problem.
I will now go and research a fix, but as a newbie I don't know keywords like 'mok enrolment' or 'mokutil' or 'dkms' or 'secure boot' or 'shim' because WTF do those even mean?
Go ahead and try searching, see how long it takes you to find the command you need to run when you don't know any of those terms, or even that the problem is secure boot related.
Meanwhile, the BIOS with its 'secure boot on/off' switch is available every single boot.
> the key enrollment was literally 3 key presses plus the password away
If you don't count the 8+ character password you have to enter three times, maybe.
Most laptops don't have nvidia cards. And none of those issues you're talking about occurred. She's been a happy Linux Mint user for more than 5 years. I was just trying to get her off her old ultramobile Celeron laptop and she refused to use the new one until I ran the Mint installer. For me the biggest challenge was figuring out whether to install the Mate or Cinnamon version.
It asked me for an 8 character password during install, rebooted, I entered 'enroll existing key'. I entered the password and then continued the install, that was it. Runs like a charm, boots like a charm.
She's over 70 and she absolutely loathes the random software that various windows things try to install, or the antivirus sneaks in with the next update and stuff like that.
She just browses the web, streams stuff and wants to make sure she can screencapture the streams she watches. Turns out for that use case Thunderbird is also quite good and to my surprise the google 2FA oauth phone login makes it really easy for her to log in to google. I still remember the times when I would have to reset her google password for her.
Not to dismiss your experience, but I think for a lot of basic users it works really well.
I'm in the process of moving away from Ubuntu, but this is a pretty cool feature. I've seen a tutorial here and there about how to manually set up LUKS with a TPM, but those have a downside of the TPM needing to be updated with every new kernel. I guess Ubuntu has found a way to integrate or work around that?
> but those have a downside of the TPM needing to be updated with every new kernel.
This depends on the configuration. If you don't bind the key to PCRs at key creation time kernel updates don't affect the workflow and you still will take advantage of other TPM features such as locking the key after several unsuccessful attempts.
IMHO the PCRs are way too much trouble and defend against attacks that are rare outside of extremely spooky circles. They were the biggest problem with Bitlocker too.
Yeah, I recently went down this path. It’s all doable but frankly I’m not a nation state target and getting locked out after a kernel update or similar would be far more annoying.
Instead I'm leaning toward separate boot and root disks, with a root/data disk encrypted with LUKS with a detached header. dm-verity on a read-only root with a separate data partition also seems simple/appealing. Of course, these all allow attacks that full secure boot/TPM/etc. avoid, but it's a balance.
PCRs being problematic was actually one of the issues the policy mechanism in TPM 2.0 was meant to resolve (see "Non-Brittle PCRs (New in 2.0)" in [0]).
TL;DR version is that you'd authorize the OS manufacturer's kernel signing key to use the TPM key so that each time your OS vendor signs the kernel it's OK for the TPM.
Sadly I don't think I've seen this deployed in the wild.
That's groovy baby, but can anyone give me the technicals on why we can't have Hibernate (not sleep) out of the box on Ubuntu like we can on Windows? That was one of the deal-breakers for me making the switch. If I understood it correctly, it's because of Z-RAM and if I'm also correct, full disk encryption is another roadblock in the path of the hibernate feature.
Windows these days prefers what they call modern standby and you probably don't want it.
I have a ThinkPad and this is what it's like:
Close the lid and stuff laptop into my backpack. I travel to work and when I pull my machine out of my bag, it has 12% battery left, is super hot, and the fan is screaming like the machine is trying to fly away. All because Microsoft thinks PCs should be more like iPhones.
>Windows these days prefers what they call modern standby and you probably don't want it.
Who cares what Windows prefers, when I'm the user and I prefer Hibernate which works out of the box and I use it precisely because it avoids the issues you mentioned. Why don't you use Hibernate? SSDs are fast enough that a wake from hibernate is not much slower than a wake from sleep.
On Ubuntu I don't even have this option because ... reasons.
Killing all of the wake timers and editing specific keys in the registry will usually fix this, but it's messy and not something typical users are comfortable doing.
This. During lockdowns, I dusted off an old PC and set it up with Windows for gaming. The computer was in front of my bed. One out of two nights, the thing would randomly wake out of hibernation, blasting the freaking blue BitLocker screen at me (password unlock, since that PC didn't have a TPM).
This PC was kept reasonably up to date, too (usually installed whatever update at the most a day or two after they came out, complete with the reboot), so not sure what it was hoping to do, exactly.
>One out of two nights, the thing would randomly wake out of hibernation
I'm sure you mistakenly used sleep instead of hibernate without knowing or remembering, to have that issue, or you had the issue where hibernate didn't work and reverted to sleep instead.
I also had that issue and discovered that the Linux dual-boot installation with Grub's changes to the MBR broke Windows' capability to hibernate, so me hitting hibernate was actually triggering sleep instead.
The USB bus and sound system are still the weak spot on a Windows computer in my experience; this website, reddit, youtube, or dailymail generally takes them out.
Surprised that people used sleep and hibernate, considering TSRs were invented in the DOS days and the browser can do lots of fancy stuff.
There's even a reg setting to clear the page file on shutdown.
He means Windows can set a timer to wake up after a while to run scheduled tasks. You might not have noticed those wake timers because they are few and it usually works as expected with windows hibernating back after a few minutes.
The difficulty of disabling wake timers has been exaggerated, though. It's in the advanced power settings, there's no need for the big scary registry.
That very much depends on your definition of "works".
Does the machine go through the steps to save memory to disk and enter a low power state? Yes.
But then windows can and does decide to wake itself up at any time, resulting in physical damage to the machine if it's stored in a closed bag. Discharging the battery and heating up the entire machine dramatically reduces your battery's lifetime. You cannot disable this behavior without going into the registry.
So yes, it 'works', with the caveat that the machine may wake itself at any time, burn through the entire battery and possibly do irreparable damage to your machine.
>So yes, it 'works', with the caveat that the machine may wake itself at any time, burn through the entire battery and possibly do irreparable damage to your machine.
You haven't read my comment fully or are confusing hibernate with sleep. I was talking about hibernate which 100% works, not sleep. Hibernate can't wake up your laptop as your machine is completely powered off.
After hibernate Windows thinks I have a laptop keyboard. If num lock is turned on then yuihjkbnm keys turn into a numpad. A restart or replugging the keyboard fixes it. Still annoying though.
Windows also likes waking itself up for various reasons, but I don't remember if that was hibernate or sleep. Turning off everything except the power button wake up fixed it though.
But I do agree - I would like a working hibernate in any OS I use. The next best thing is never turning it off though.
On Ubuntu you do have this option, you just have to set it up yourself. They don't prioritize support for it because "people who want to hibernate a laptop" is a rounding error in their customer population statistics.
>On Ubuntu you do have this option, you just have to set it up yourself.
Which means it's not available. Technically my car can also go diving underwater, you just have to set it up yourself for that.
I expect stuff on my OS to work out of the box, not require hours of dangerous tinkering with the risk of breaking something, to get something basic to work.
>They don't prioritize support for it because "people who want to hibernate a laptop" is a rounding error in their customer population statistics.
I mean, it's a feature that I absolutely use on Windows regularly, which means it matters a lot to me, the userbase of 1, to have it on Linux as well. I don't really care what the opinionated Ubuntu dev team think on the way I'm supposed to use my own computer.
So hibernate is somewhat unreliable and prone to data loss (imagine you hibernate after having installed a new kernel), so the decision was made to disable it due to that IIRC, independent of secure boot.
With secure boot and lockdown, hibernate is no longer possible for another reason: we need to ensure that the kernel memory has not been tampered with. If you hibernate, you could then go and modify the memory in the swap and bypass the lockdown security guarantees.
To address that you'd need to authenticate the swap using the TPM somehow, but I don't know enough about TPMs to know if that's feasible. Usually people would seal some crypto key against the TPM but here it's somewhat the opposite way around.
From my (shallow) understanding you can encrypt the swap using dm-crypt/LUKS as well and unlock using TPM. It's supported using systemd-cryptenroll on Arch.
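An added example, not from any commenter, that puts the TPM enrolment choices discussed in this thread side by side: the PIN-only, no-PCR binding mentioned above (kernel updates never invalidate it, and the TPM's dictionary-attack lockout applies), a plain PCR binding, the signed PCR policy that is TPM 2.0's "non-brittle PCR" mechanism, and the crypttab entry that lets the initrd unlock an encrypted swap volume with the TPM before resume. It assumes systemd-cryptenroll 252 or newer, a systemd-stub UKI measured into PCR 11, and placeholder device paths, UUIDs and key-file locations; the script only prints the commands it composes.

```shell
#!/bin/sh
# Added example (not from the thread): builds systemd-cryptenroll commands for
# the TPM2 unlock styles discussed above. Device paths, UUIDs and key-file
# locations are placeholders; the script prints commands rather than running them.

# enroll_cmd <style> <device>  -> prints the enrolment command for one LUKS volume
enroll_cmd() {
  style=$1; dev=$2
  case "$style" in
    # No PCR binding + PIN: firmware/kernel updates never invalidate the key,
    # and the PIN is the sealed object's auth value, so the TPM's own
    # dictionary-attack lockout throttles guessing.
    pin)
      printf 'systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs= --tpm2-with-pin=yes %s\n' "$dev" ;;
    # Plain PCR binding: PCR 7 (Secure Boot policy) and PCR 11 (UKI measurement,
    # assuming a systemd-stub UKI). Brittle: re-enrol after each kernel update.
    pcr)
      printf 'systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+11 %s\n' "$dev" ;;
    # Signed PCR policy: the TPM accepts any PCR 11 value signed by the key used
    # with "systemd-measure sign", so each new kernel ships its own signature
    # and nothing is re-enrolled. The paths are systemd's defaults (assumption).
    signed)
      printf 'systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs= --tpm2-public-key=/etc/systemd/tpm2-pcr-public-key.pem --tpm2-public-key-pcrs=11 --tpm2-signature=/etc/systemd/tpm2-pcr-signature.json %s\n' "$dev" ;;
    *) echo "enroll_cmd: unknown style '$style'" >&2; return 1 ;;
  esac
}

# crypttab_line <name> <uuid> -> /etc/crypttab entry so the initrd unlocks the
# volume via the TPM; for swap this is what lets resume reach the hibernation image.
crypttab_line() {
  printf '%s UUID=%s none tpm2-device=auto\n' "$1" "$2"
}

# Demonstration on placeholder devices (constructed values, not real UUIDs).
for style in pin pcr signed; do enroll_cmd "$style" /dev/nvme0n1p2; done
enroll_cmd pin /dev/nvme0n1p3      # the encrypted swap volume
crypttab_line cryptswap 00000000-0000-0000-0000-000000000000
```

Encrypting swap only covers the data-at-rest side; whether a lockdown kernel permits hibernation at all is the separate kernel decision noted later in the thread.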
Thanks for the explanation. That kind of sucks though. I was spoiled by how good hibernate works on Windows and assumed any modern desktop OS should come with this feature if it wishes to "cut the king". I guess it's another nail in the "switching to Linux" coffin.
>hibernating a 32Gb image to a 512Gb ssd several times a day
1) It's 16GB image to 1TB SSD for me, but who needs to hibernate several times a day? I only use it when I take my laptop out of the house on long journeys which is a couple of times a month at most.
2) It's my SSD, I paid for it, and I should be allowed to use it how I please, even like in your example of hibernating it several times a day if I wish. Why should the OS dev stop me from doing this? It's my HW, not theirs.
I would understand this angle if the OS developer (Canonical) was also responsible for the longevity and the warranty of the HW I bought from them, the way Apple and sometimes Microsoft is, but since this is not the case for Canonical, as they don't sell laptops, why should they limit me like that? You can show a disclaimer telling the user that hibernate will degrade the SSD if that's a big legal issue for them.
Heck, even Microsoft lets you enable hibernate with just 3 clicks.
I tried that and it didn't work on my work ThinkPad (also, those steps are dangerous; it could brick your system if you so much as make a single mistake).
But that doesn't answer my question of why something as basic as Hibernate (copy RAM contents to HDD on power-OFF, then reverse on power-ON) isn't something that works out of the box on Linux distros, and instead requires 2h of tutorial reading and dangerous low-level tinkering for it to (maybe) work or brick your system if you mess it up.
> That doesn't happen under hibernate. You used sleep thinking it was hibernate, that's why you had that issue.
I mean, while asleep, the PC blinks its annoying light every second. While hibernating, it doesn't. I'm pretty sure there were no blinky lights, they would have prevented me from falling asleep. It's why I went out of my way to enable hibernating.
Also, see the other posts around the thread. There are absolutely ways to wake up a PC from hibernation. Even from full shutdown.
The Linux kernel disables hibernation when secure boot is enabled for security reasons (it enables the lockdown mode). I don't think it's especially an Ubuntu/distro problem. When secure boot is disabled, I think hibernation is supposed to work fine.
Only 11 years behind Windows 8 making BitLocker w/ Secure Boot easily accessible to the masses. Presumably not supporting TPM 1.2, which is why my oldest hardware runs Linux under Hyper-V instead of bare metal.