And there it is.
I suppose having your kernel command line signed by Canonical and unmodifiable by the system owner without a pain-in-the-ass manual 'machine owner key enrolment' process is very much on-brand for Snap.
I'm tired of computers being awful :(
Who’s the new big community desktop distro?
I got a weird screen during the process, pretty sure it was blue, and the default option was 'continue boot' which I selected, I think maybe it was the 'BIOS'?
I couldn't google what to do while at that screen, or screenshot it either, for some reason.
I've tried uninstalling then reinstalling the drivers, but that hasn't made the mystery screen come up again, and hasn't fixed my problem.
I will now go and research a fix, but as a newbie I don't know keywords like 'mok enrolment' or 'mokutil' or 'dkms' or 'secure boot' or 'shim' because WTF do those even mean?
Go ahead and try searching, see how long it takes you to find the command you need to run when you don't know any of those terms, or even that the problem is secure boot related.
Meanwhile, the BIOS with its 'secure boot on/off' switch is available every single boot.
> the key enrollment was literally 3 key presses plus the password away
If you don't count the 8+ character password you have to enter three times, maybe.
This depends on the configuration. If you don't bind the key to PCRs at key creation time, kernel updates don't affect the workflow, and you will still take advantage of other TPM features such as locking the key after several unsuccessful attempts.
Take a look at the systemd configuration: https://www.freedesktop.org/software/systemd/man/systemd-cry...
I'm using it on my laptop and it works well.
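As an added example (not the commenter's setup, and not systemd's own code), this is what the configuration described above looks like in practice: a TPM2 enrollment for a LUKS2 volume bound to no PCRs at all, so kernel and firmware updates never invalidate it, but with a PIN so that the TPM's dictionary-attack lockout is what limits guessing. The device path, UUID and lockout numbers are assumptions; the helper functions are mine, only systemd-cryptenroll, the crypttab option names and tpm2_dictionarylockout are real.

```sh
#!/bin/sh
# Added example: TPM2 + PIN unlock for a LUKS2 root, NOT bound to any PCR.
# LUKS_DEV and the lockout numbers are assumptions; change them for your system.
set -eu

LUKS_DEV="${LUKS_DEV:-/dev/nvme0n1p2}"   # assumed: the LUKS2 root volume

# Build the systemd-cryptenroll TPM2 flags for a given policy.
#   $1: "yes"/"no"  require a PIN
#   $2: PCR list    e.g. "7", or "" to bind to no PCRs
# Refuses the one combination that is actually dangerous: no PCRs AND no PIN.
# In that case the TPM hands the key to whoever boots the machine, so the
# encryption protects only against pulling the SSD out.
tpm2_opts() {
    pin="$1"; pcrs="$2"
    if [ "$pin" != yes ] && [ -z "$pcrs" ]; then
        echo "refusing: TPM2 enrollment bound to no PCRs and no PIN" >&2
        return 1
    fi
    printf '%s\n' "--tpm2-device=auto --tpm2-pcrs=$pcrs --tpm2-with-pin=$pin"
}

# The /etc/crypttab line that makes systemd unlock the volume at boot via the
# TPM and prompt for the PIN.
crypttab_line() {   # $1: mapper name  $2: UUID of the LUKS volume
    printf '%s UUID=%s none tpm2-device=auto,tpm2-pin=yes\n' "$1" "$2"
}

# Enroll. The existing passphrase keeps its own keyslot as the recovery path;
# systemd-cryptenroll prompts for it and then for the new PIN.
enroll() {
    # shellcheck disable=SC2046
    systemd-cryptenroll $(tpm2_opts yes "") "$LUKS_DEV"
    systemd-cryptenroll "$LUKS_DEV"      # list slots; expect a TYPE "tpm2" row
}

# Tighten the TPM's built-in dictionary-attack lockout (tpm2-tools):
# 5 wrong PINs, then a 10 minute recovery period. Numbers are an assumption.
harden_lockout() {
    tpm2_dictionarylockout --setup-parameters --max-tries=5 \
        --recovery-time=600 --lockout-recovery-time=600
}

case "${1:-}" in
    enroll)  enroll ;;
    lockout) harden_lockout ;;
    *)       : ;;   # no argument: only define the functions
esac
```

Note that if you omit --tpm2-pcrs entirely, systemd-cryptenroll defaults to PCR 7 (the Secure Boot policy state), which a plain kernel update does not change either; the empty list is what the comment above describes, and the PIN is what keeps that choice safe.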
I'd rather just enter a password...
I have a ThinkPad and this is what it's like:
Close the lid and stuff laptop into my backpack. I travel to work and when I pull my machine out of my bag, it has 12% battery left, is super hot, and the fan is screaming like the machine is trying to fly away. All because Microsoft thinks PCs should be more like iPhones.
Who cares what Windows prefers, when I'm the user and I prefer Hibernate which works out of the box and I use it precisely because it avoids the issues you mentioned. Why don't you use Hibernate? SSDs are fast enough that a wake from hibernate is not much slower than a wake from sleep.
On Ubuntu I don't even have this option because ... reasons.
With secure boot and lockdown, hibernate is no longer possible for another reason: we need to ensure that the kernel memory has not been tampered with. If you hibernate, you could then go and modify the memory in the swap and bypass the lockdown security guarantees.
To address that you'd need to authenticate the swap using the TPM somehow, but I don't know enough about TPMs to know if that's feasible. Usually people would seal some crypto key against the TPM but here it's somewhat the opposite way around.
https://ubuntuhandbook.org/index.php/2021/08/enable-hibernat...
But I don't have full disk encryption so I don't know how it works with it.
But that doesn't answer my question of why something as basic as Hibernate (copy RAM contents to HDD on power-OFF, then reverse on power-ON) isn't something that works out of the box on Linux distros, and instead requires 2h of tutorial reading and dangerous low-level tinkering for it to (maybe) work or brick your system if you mess it up.
I still have a few server instances on Ubuntu, but I'm moving them to straight Debian or arch when they need major upgrades.
It asked me for an 8 character password during install, rebooted, I entered enroll existing key. I entered the password and then continued the install, that was it. Runs like a charm, boots like a charm.
She's over 70 and she absolutely loathes the random software that various windows things try to install, or the antivirus sneaks in with the next update and stuff like that.
She just browses the web, streams stuff and wants to make sure she can screencapture the streams she watches. Turns out for that use case Thunderbird is also quite good and to my surprise the google 2FA oauth phone login makes it really easy for her to log in to google. I still remember the times when I would have to reset her google password for her.
Not to dismiss your experience, but I think for a lot of basic users it works really well.
Instead I’m leaning toward separate boot and root disks, with a root/data disk encrypted with LUKS with a detached header. dm verity on a read only root with a separate data partition also seems simple/appealing. Of course, these all allow attacks full secure boot/tpm/etc avoid, but it’s a balance.
Tldr version is that you'd authorize OS manufacturer's kernel signing key to use the TPM key so that each time your OS vendor signs the kernel it's OK for the TPM.
Sadly I don't think I've seen this deployed in the wild.
[0]: https://ebrary.net/24725/computer_science/quick_loading
1) It's 16GB image to 1TB SSD for me, but who needs to hibernate several times a day? I only use it when I take my laptop out of the house on long journeys which is a couple of times a month at most.
2) It's my SSD, I paid for it, and I should be allowed to use it how I please, even like in your example of hibernating it several times a day if I wish. Why should the OS dev stop me from doing this? It's my HW, not theirs.
I would understand this angle if the OS developer (Canonical) was also responsible for the longevity and the warranty of the HW I bought from them, the way Apple and sometimes Microsoft are, but since this is not the case for Canonical, as they don't sell laptops, why should they limit me like that? You can show a disclaimer telling the user that hibernate will degrade the SSD if that's a big legal issue for them.
Heck, even Microsoft lets you enable hibernate with just 3 clicks.
(I personally run a relatively niche distro, https://voidlinux.org/)
But certainly the bulk of the tools must be familiar.
I'm also running TPM + PIN / FIDO2 unlocking.
Didn't need to fiddle with anything. The most part of this install was going through the manual process of creating filesystems and whatnot.
Bonus points compared to Windows for actually staying asleep instead of randomly waking up while in my bag.
Ubuntu isn't Arch I think. Average Joe switching away from Windows isn't gonna start learning Arch.
>Bonus points compared to Windows for actually staying asleep instead of randomly waking up while in my bag.
That doesn't happen under hibernate. You used sleep thinking it was hibernate, that's why you had that issue.
I mean, while asleep, the PC blinks its annoying light every second. While hibernating, it doesn't. I'm pretty sure there were no blinky lights, they would have prevented me from falling asleep. It's why I went out of my way to enable hibernating.
Also, see the other posts around the thread. There are absolutely ways to wake up a PC from hibernation. Even from full shutdown.
But I do use a unified image which the UEFI boots directly (EFISTUB, no grub or anything). I don't know if that makes a difference.
Do you have any links on this kind of image? Or did you build it yourself?
I've followed this: https://wiki.archlinux.org/title/Unified_Extensible_Firmware...
Basically, my distro will install the kernel, initrd and cpu microcode normally to /boot. But at the end of it, there's a hook being triggered, that calls sbupdate which stitches together the kernel, command line, initrd, and cpu microcode, signs it and dumps it in the /EFI partition as a single file. /boot is not a separate partition on my system, it lives inside the encrypted /. I also told my UEFI about this specific image using efibootmgr. This allows me to register the image as a bootable OS and use the UEFI's boot manager to choose between Linux and Windows on startup.
If you browse around that Arch Wiki page, they also tell you how to sign your own boot images. I've installed my own keys in the UEFI, since Arch's kernel isn't signed by anybody.
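As an added example (not the commenter's sbupdate hook, and not from the Arch Wiki page linked above), here is the same pipeline done by hand with the systemd EFI stub: microcode and initramfs concatenated (microcode must come first), kernel, command line and initrd glued onto the stub with objcopy, the result signed with your own db key and registered directly in the firmware boot menu. All paths, the disk/partition numbers and the key locations are assumptions for a typical Arch install; the helper functions are mine, the tools (objcopy, sbsign, sbverify, efibootmgr) are real.

```sh
#!/bin/sh
# Added example: build, sign and register a unified kernel image without a
# bootloader. Every path below is an assumption; adjust for your machine.
set -eu

KERNEL="${KERNEL:-/boot/vmlinuz-linux}"
UCODE="${UCODE:-/boot/intel-ucode.img}"
INITRAMFS="${INITRAMFS:-/boot/initramfs-linux.img}"
CMDLINE_FILE="${CMDLINE_FILE:-/etc/kernel/cmdline}"   # e.g. "rd.luks.name=<uuid>=root root=/dev/mapper/root rw"
STUB="${STUB:-/usr/lib/systemd/boot/efi/linuxx64.efi.stub}"
OUT="${OUT:-/efi/EFI/Linux/arch.efi}"
DB_KEY="${DB_KEY:-/etc/efi-keys/db.key}"   # assumed: your own db key, enrolled in firmware
DB_CRT="${DB_CRT:-/etc/efi-keys/db.crt}"
ESP_DISK="${ESP_DISK:-/dev/nvme0n1}"; ESP_PART="${ESP_PART:-1}"

# 1. Early-microcode cpio followed by the real initramfs. Order matters: the
#    kernel reads the uncompressed microcode archive from the front of the initrd.
make_initrd() {    # $1 ucode.img  $2 initramfs.img  $3 output
    cat "$1" "$2" > "$3"
}

# 2. Refuse a command line that cannot find the root filesystem. Once baked
#    into a signed image it cannot be edited at a boot prompt (that is the
#    point), so a mistake costs a rebuild and re-sign instead of a quick edit.
check_cmdline() {  # $1 cmdline string
    case " $1 " in
        *" root="*|*" rd.luks.name="*|*" rd.luks.uuid="*|*" cryptdevice="*) return 0 ;;
        *) echo "cmdline has no root= / rd.luks.* / cryptdevice= : $1" >&2; return 1 ;;
    esac
}

# 3. Glue the sections onto the stub. The section addresses are the layout
#    documented for the systemd stub; they only have to not overlap.
build_uki() {      # $1 combined initrd  $2 unsigned output path
    check_cmdline "$(cat "$CMDLINE_FILE")"
    objcopy \
      --add-section .osrel=/etc/os-release    --change-section-vma .osrel=0x20000 \
      --add-section .cmdline="$CMDLINE_FILE"  --change-section-vma .cmdline=0x30000 \
      --add-section .linux="$KERNEL"          --change-section-vma .linux=0x2000000 \
      --add-section .initrd="$1"              --change-section-vma .initrd=0x3000000 \
      "$STUB" "$2"
}

# 4. Sign with the db key enrolled in firmware, then verify against the cert
#    so a bad key/cert pair is caught here rather than at the next reboot.
sign_uki() {       # $1 unsigned  $2 signed output
    sbsign --key "$DB_KEY" --cert "$DB_CRT" --output "$2" "$1"
    sbverify --cert "$DB_CRT" "$2"
}

# 5. One-time: register the image with the firmware (no bootloader in between).
register_uki() {
    efibootmgr --create --disk "$ESP_DISK" --part "$ESP_PART" \
        --label "Arch Linux (UKI)" --loader '\EFI\Linux\arch.efi'
}

main() {
    tmp="$(mktemp -d)"
    make_initrd "$UCODE" "$INITRAMFS" "$tmp/initrd.img"
    build_uki "$tmp/initrd.img" "$tmp/arch.efi"
    sign_uki "$tmp/arch.efi" "$OUT"
    rm -rf "$tmp"
}

case "${1:-}" in
    build)    main ;;
    register) register_uki ;;
    *)        : ;;   # no argument: only define the functions
esac
```

Run it as `sh build-uki.sh build` from a pacman hook (or by hand after a kernel update) and `sh build-uki.sh register` once. Because the command line lives inside the signed image, nothing outside your db key can change it, which is exactly the property the thread complains about when the signing key belongs to the distro instead of to you.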
Killing all of the wake timers and editing specific keys in the registry will usually fix this, but it's messy and not something typical users are comfortable doing.
This PC was kept reasonably up to date, too (usually installed whatever update at the most a day or two after they came out, complete with the reboot), so not sure what it was hoping to do, exactly.
I'm sure you mistakenly used sleep instead of hibernate without knowing or remembering, to have that issue, or you had the issue where hibernate didn't work and reverted to sleep instead.
I also had that issue and discovered that the Linux dual-boot installation with Grub's changes to the MBR broke Windows' capability to hibernate, so me hitting hibernate was actually triggering sleep instead.
Hibernate does not randomly wake up.
The USB bus and sound system are still the weak spot on a windows computer in my experience, this website, reddit, youtube, or dailymail generally takes them out.
Surprised that people used sleep and hibernate, considering TSR's were invented in the dos days and the browser can do lots of fancy stuff.
Theres even a reg setting to clear the page file on shutdown.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown (DWORD32) = 1
You're confusing that with sleep. Windows can't wake itself from hibernate as the machine is fully powered off, not in some sleep state.
The difficulty of disabling wake timers has been exaggerated, though. It's in the advanced power settings, there's no need for the big scary registry.
https://www.tenforums.com/tutorials/63070-enable-disable-wak...
The issue isn't that it doesn't go to sleep. It's that it doesn't stay asleep.
Does the machine go through the steps to save memory to disk and enter a low power state? Yes.
But then windows can and does decide to wake itself up at any time, resulting in physical damage to the machine if it's stored in a closed bag. Discharging the battery and heating up the entire machine dramatically reduces your battery's lifetime. You cannot disable this behavior without going into the registry.
So yes, it 'works', with the caveat that the machine may wake itself at any time, burn through the entire battery and possibly do irreparable damage to your machine.
You haven't read my comment fully or are confusing hibernate with sleep. I was talking about hibernate which 100% works, not sleep. Hibernate can't wake up your laptop as your machine is completely powered off.
That is quite simply not true.
Windows also likes waking itself up for various reasons, but I don't remember if that was hibernate or sleep. Turning off everything except the power button wake up fixed it though.
But I do agree - I would like a working hibernate in any OS I use. The next best thing is never turning it off though.
Which means it's not available. Technically my car can also go diving underwater, you just have to set it up yourself for that.
I expect stuff on my OS to work out of the box, not require hours of dangerous tinkering with the risk of breaking, to get something basic to work.
>They don't prioritize support for it because "people who want to hibernate a laptop" is a rounding error in their customer population statistics.
I mean, it's a feature that I absolutely use on Windows regularly, which means it matters a lot to me, the userbase of 1, to have it on Linux as well, I don't really care what the opinionated Ubuntu dev team think on the way I'm supposed to use my own computer.
Yes, it can set timers to wake automatically from hibernate, but that doesn't mean it does that automatically without you setting those timers. I can understand there have been some bugs in the past but that's a non-issue today.
https://learn.microsoft.com/en-us/windows-hardware/drivers/k...
Here’s an example of a Windows machine waking from hibernate and how it was fixed:
https://www.bleepingcomputer.com/forums/t/707115/windows-10-...
These kinds of problems are not uncommon and are not always due to users confusing the different sleep states.