Hacker News new | ask | show | jobs
by julian-klode 1022 days ago
So hibernate is somewhat unreliable and prone to data loss, image you hibernate after having installed a new kernel, so the decision was made to disable it due to that IIRC, independent of secure boot.

With secure boot and lockdown, hibernate is no longer possible on an alternative reason: We need to ensure that the kernel memory has not been tampered with. If you hibernate, you could then go and modify the memory in the swap and bypass the lock down security guarantees.

To address that you'd need to authenticate the swap using the TPM somehow, but I don't know enough about TPMs to know if that's feasible. Usually people would seal some crypto key against the TPM but here it's somewhat the opposite way around.
2 comments
FredFS456 1022 days ago
From my (shallow) understanding you can encrypt the swap using dm-crypt/LUKS as well and unlock using TPM. It's supported using systemd-cryptenroll on Arch.
link
FirmwareBurner 1022 days ago
Thanks for the explanation. That kind of sucks though. I was spoiled by how good hibernate works on Windows and assumed any modern desktop OS should come with this feature if it wishes to "cut the king". I guess it's another nail in the "switching to Linux" coffin.
link
orbisvicis 1022 days ago
There's also the issue of hibernating a 32Gb image to a 512Gb ssd several times a day. That can't be good for longevity.
link
FirmwareBurner 1022 days ago
>hibernating a 32Gb image to a 512Gb ssd several times a day

1) It's 16GB image to 1TB SSD for me, but who needs to hibernate several times a day? I only use it when I take my laptop out of the house on long journeys which is a couple of times a month at most.

2) It's my SSD, I paid for it, and I should be allowed to use it how I please, even like in your example of hibernating it several times a day if I wish. Why should the OS dev stop me from doing this? It's my HW, not theirs.

I would understand this angle if he OS developer(Canonical) was also responsible for the longevity and the warranty of the HW I bought from them, the way Apple and sometimes Microsoft is, but since for Canonical this is not the case since they don't sell laptops, why should they limit me like that? You can show a disclaimer telling the user that hibernate will degrade the SSD if that's a big legal issue for them.

Heck, even Microsoft let's you enable hibernate with just 3 clicks.

link