My set-up is roughly analogous to this: https://community.frame.work/t/guide-fedora-36-hibernation-with-enabled-secure-boot-and-full-disk-encryption-fde-decrypting-over-tpm2/25474

Summary is that I use full-disk encryption (FDE) and use the TPM to decrypt the swap, and use full lockdown mode with a kernel patched to allow hibernation.

Suspend-then-hibernate (in my opinion) is a must-have feature for a laptop that goes in a backpack – if I close my laptop’s lid and put it in my backpack, I expect it to both not overheat, and to have some amount of battery left regardless of when I decide to take it out again.

Anyway, does anyone have it working well, or any other tips?

One thing I’ve been toying with is using a systemd script to drop the filesystem caches before hibernating to have it resume faster.

  • @Veraxis
    1 year ago

    I am not sure if we are discussing hibernation for encrypted systems only, and I do not know what special provisions are needed for that, but for anyone curious, here is what I do on my own machine (not encrypted) per my own notes for setting up Arch, with a swap file rather than a swap partition, and rEFInd as the boot manager (the same kernel params could probably be used in Grub too, though):

    • create a file with sudo nano /etc/tmpfiles.d/hibernation_image_size.conf (copy paste the template from https://wiki.archlinux.org/title/Power_management/Suspend_and_hibernate)
    • if you made your swap file large enough (~1.2x RAM size or greater), set the argument value to your amount of RAM, e.g. 32GB = 34359738368
    • after a reboot, you can verify this with cat /sys/power/image_size
    • findmnt -no UUID -T /swapfile to get swapfile UUID
    • filefrag -v /swapfile | awk '$1=="0:" {print substr($4, 1, length($4)-2)}' to get offset
    • Go into your kernel parameters and add resume=UUID=### resume_offset=###
    • e.g. in /boot/refind_linux.conf (with efi partition unmounted)
    • go into /etc/mkinitcpio.conf and add “resume” after the “filesystem” and before the “fsck” hooks
    • run mkinitcpio -p linux-zen (or equivalent linux type)—
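
An added example, not part of the comment above: a shell sketch that derives the resume= and resume_offset= parameters from the steps listed there and checks that a kernel command line actually carries them, which catches a stale offset after the swap file has been recreated. The function names, the sample filefrag output and the UUID are constructed for illustration; /swapfile is the path used in the comment.

```shell
#!/bin/sh
# Added example: derive and verify the hibernation kernel parameters.

# Constructed sample of `filefrag -v /swapfile` output (not from a real system).
SAMPLE_FILEFRAG='Filesystem type is: ef53
File size of /swapfile is 4294967296 (1048576 blocks of 4096 bytes)
 ext:     logical_offset:        physical_offset: length:   expected: flags:
   0:        0..       0:      38912..     38912:      1:
   1:        1..   22527:      38913..     61439:  22527:             unwritten'

# Physical offset of the first extent, read from `filefrag -v` output on
# stdin (same awk expression as in the steps above).
swap_offset() {
    awk '$1=="0:" {print substr($4, 1, length($4)-2)}'
}

# Kernel parameters for a filesystem UUID ($1) and offset ($2).
resume_params() {
    printf 'resume=UUID=%s resume_offset=%s\n' "$1" "$2"
}

# Return 0 only if the command line ($1) contains both expected parameters
# as whole words, so resume_offset=389120 does not pass for 38912.
check_cmdline() {
    cmdline=$1 uuid=$2 offset=$3
    for want in "resume=UUID=$uuid" "resume_offset=$offset"; do
        case " $cmdline " in
            *" $want "*) ;;
            *) echo "missing or stale: $want" >&2; return 1 ;;
        esac
    done
}

# Check the running system; filefrag needs root. Not called automatically.
live_check() {
    file=${1:-/swapfile}
    uuid=$(findmnt -no UUID -T "$file")
    offset=$(filefrag -v "$file" | swap_offset)
    check_cmdline "$(cat /proc/cmdline)" "$uuid" "$offset"
}
```

Running live_check after a reboot confirms the boot entry was really updated before the first hibernate is attempted.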