Why does the kernel lockdown prevent hibernation?

In my systemd journal (journalctl) I often see this message:

hibernation is restricted; see man kernel_lockdown.7

This seems to stem from the kernel lockdown feature that is (only?) active when you boot in UEFI mode with secure boot enabled.
As far as I understand, this feature is supposed to prevent a program running in user space from modifying the kernel.

While I do understand that so far, I just don’t get one thing:
Why does the kernel lockdown disable that feature? Why does it disable hibernation altogether?

What exactly is “insecure” about hibernation that it is disabled?

It seems a locked down kernel does not want me to hibernate my device.

Linux kernel v5.6.15
Fedora 32 Silverblue


Cross-posted at Unix Stackexchange.


   “Unencrypted hibernation/suspend to swap are disallowed as the kernel image is saved to a medium that can then be accessed.”
kernel lockdown feature


Yep, thanks. Also got a similar answer on Unix SE.

Apparently if the kernel supported some kind of “signed hibernation images” that could solve the problem, but it does not.
Also, it does not seem to care that I have an encrypted swap partition in a LUKS volume – which would be totally secure, as it cannot be altered unless one knows the password.

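To make the point of the quoted lockdown description and the LUKS reply above concrete, here is a small added diagnostic script (it is not from the thread or from the kernel). It reads the two facts that matter, the active lockdown mode as the kernel exposes it in `/sys/kernel/security/lockdown` (the bracketed entry) and the swap devices listed in `/proc/swaps`, and reports why hibernation is refused. Hibernation belongs to the integrity set of lockdown restrictions, so any mode other than `none` blocks it; whether the swap lives on a dm-crypt/LUKS mapping is shown only to make explicit that lockdown does not consult it. The file contents below are constructed sample values so the script runs anywhere; on a real machine you would feed it `$(cat /sys/kernel/security/lockdown)` and `$(cat /proc/swaps)` instead.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose why a locked-down kernel refuses
# to hibernate. Real inputs are /sys/kernel/security/lockdown and /proc/swaps;
# constructed sample contents are used here so the script runs offline.

# Print the active lockdown mode, i.e. the bracketed entry of the lockdown file:
# "none [integrity] confidentiality" -> "integrity".
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Hibernation is refused in every mode other than "none": the restriction is part
# of the integrity set, and confidentiality is a superset of integrity.
hibernation_blocked() {
    case "$1" in
        integrity|confidentiality) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "yes" if every swap entry in /proc/swaps-style text is a device-mapper
# node (the usual shape of dm-crypt/LUKS-backed swap), otherwise "no".
# Lockdown does not look at this; it is reported only to make that visible.
all_swap_on_dm() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 !~ /^\/dev\/mapper\// { bad = 1 }
                              END { print (bad ? "no" : "yes") }'
}

# Combine both facts into one line of explanation.
report() {
    mode=$(lockdown_mode "$1")
    enc=$(all_swap_on_dm "$2")
    if hibernation_blocked "$mode"; then
        printf 'lockdown=%s: hibernation restricted (all swap on dm-crypt: %s, not consulted by lockdown)\n' "$mode" "$enc"
    else
        printf 'lockdown=%s: hibernation allowed (all swap on dm-crypt: %s)\n' "$mode" "$enc"
    fi
}

# Constructed sample contents: what the two files look like on a Secure Boot
# system with LUKS-backed swap (not captured from the poster's machine).
SAMPLE_LOCKDOWN='none [integrity] confidentiality'
SAMPLE_SWAPS='Filename                                Type            Size    Used    Priority
/dev/mapper/luks-swap                   partition       8388604 0       -2'

report "$SAMPLE_LOCKDOWN" "$SAMPLE_SWAPS"
```

Run as-is it prints that hibernation is restricted even though all swap is on a device-mapper node, which is exactly the situation described in the reply above; replace the two sample variables with the real file contents to check your own system.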
@.@ /* Encrypted swap! */

So what (do you mean by that)???
