Bug#1112207: Secure Boot unconditionally disables hibernation
Source: linux
Severity: normal
Dear maintainer(s),

it seems that when Debian kernel images are booted under UEFI Secure
Boot, they unconditionally enable kernel lockdown, which (among other
things) unconditionally disables the ability to hibernate (suspend to
disk).

While I understand the reasoning behind this is that the suspended image
could be maliciously modified, this is not a concern for every user -
e.g. in my case the system suspends to a LUKS-encrypted swap partition.

Therefore I believe there should be a way for people to make use of
Secure Boot's boot image integrity guarantees while preserving the
ability to hibernate.

Cheers,
--
Anton Khirnov

-- System Information:
Debian Release: 13.0
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'stable-debug'), (500, 'stable'), (400, 'unstable'), (300, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Kernel: Linux 6.16.3+deb14-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_CPU_OUT_OF_SPEC
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
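
A way to confirm on a running system that kernel lockdown is what removes hibernation, as an added example that is not part of the original report. It reads `/sys/kernel/security/lockdown` and `/sys/power/state` (kernel interfaces the report does not quote); the function names and sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic example; not from the bug report or the Debian kernel team.
# The helpers take file *contents* as arguments so they can be checked offline.

# active_lockdown "none [integrity] confidentiality" prints "integrity".
# The kernel marks the active mode with square brackets.
active_lockdown() {
    case $1 in
        *\[*\]*) m=${1#*\[}; printf '%s\n' "${m%%\]*}" ;;
        *)       printf 'unknown\n' ;;
    esac
}

# offers_disk "freeze mem disk" succeeds when "disk" (hibernate) is listed.
# The kernel omits "disk" from /sys/power/state when hibernation is unavailable.
offers_disk() {
    case " $1 " in
        *" disk "*) return 0 ;;
        *)          return 1 ;;
    esac
}

# diagnose LOCKDOWN_CONTENTS STATE_CONTENTS prints a one-line verdict.
diagnose() {
    mode=$(active_lockdown "$1")
    if offers_disk "$2"; then
        printf 'available: lockdown=%s\n' "$mode"
        return 0
    fi
    case $mode in
        none)    printf 'unavailable: not due to lockdown\n' ;;
        unknown) printf 'unavailable: lockdown state not readable\n' ;;
        *)       printf 'blocked: lockdown=%s\n' "$mode" ;;
    esac
}

# Live check, only when both files are readable (the lockdown file usually needs root).
if [ -r /sys/kernel/security/lockdown ] && [ -r /sys/power/state ]; then
    diagnose "$(cat /sys/kernel/security/lockdown)" "$(cat /sys/power/state)"
fi
```

On a system in the state the report describes, the expected verdict is a `blocked:` line naming the active lockdown mode.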