On Sat, Nov 30, 2024 at 05:08:29PM -0500, Stefan Monnier wrote:
> > The answer seems to be to install with LVM and encryption. That ensures
> > that the swap area is encrypted and *cannot* be messed with while the
> > device is hibernated (which is the rationale for Secure Boot not allowing
> > hibernation to a "naked" swap partition).
>
> How does UEFI know about Debian's swap and how does it know whether
> it's encrypted?
>
Hi Stefan,

Booting via UEFI is orthogonal to Secure Boot. If SB is *enabled* then
certain functions are restricted when considering what can be done by
kernel modules.

https://wiki.debian.org/SecureBoot#Secure_Boot_limitations suggests that
one of those may be hibernation/resume.

If you have partitioned "all in one partition" with encrypted KVM, the ESP
is not encrypted but everything else is. The swap partition is encrypted
so cannot be modified outside the control of the modules.

That's how I read it, anyway.

All the very best, as ever,

Andy

>
>         Stefan
>
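The two facts the thread turns on, whether the firmware booted with Secure Boot enabled and whether the active swap sits on a dm-crypt mapping rather than a "naked" partition, can both be read from a running Debian system without guessing. The script below is an added example, not code from either poster or from the Debian project. It decodes the SecureBoot variable as exposed by efivarfs (4 bytes of attributes followed by a single data byte, 1 meaning enabled) and walks the device tree that `lsblk -J` prints to see whether each swap device, or any ancestor of it, is of type `crypt`. The sample `lsblk` tree embedded in it is constructed for the example (an ESP, an LVM-on-LUKS layout with an encrypted swap LV, and a second disk with a plain swap partition); the variable file name uses the standard EFI global-variable GUID, and the `[SWAP]` mountpoint marker is what `lsblk` prints for active swap.

```python
"""Added example: report Secure Boot state and whether active swap is on dm-crypt."""
import json
import subprocess
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
# SecureBoot lives under the EFI global variable GUID.
SECURE_BOOT_VAR = EFIVARS / "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output, not
# captured from a real machine: LVM-on-LUKS on sda, plain swap on sdb1.
SAMPLE_LSBLK = {
    "blockdevices": [
        {"name": "sda", "type": "disk", "mountpoint": None, "children": [
            {"name": "sda1", "type": "part", "mountpoint": "/boot/efi"},
            {"name": "sda2", "type": "part", "mountpoint": None, "children": [
                {"name": "sda2_crypt", "type": "crypt", "mountpoint": None, "children": [
                    {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
                    {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"},
                ]},
            ]},
        ]},
        {"name": "sdb", "type": "disk", "mountpoint": None, "children": [
            {"name": "sdb1", "type": "part", "mountpoint": "[SWAP]"},
        ]},
    ]
}


def secure_boot_state_from_bytes(raw: bytes):
    """Decode an efivarfs SecureBoot variable.

    efivarfs prefixes the variable data with a 4-byte attribute word; the
    SecureBoot data itself is one byte (1 = enabled, 0 = disabled).
    Returns True/False, or None if the blob is too short to decode.
    """
    if len(raw) < 5:
        return None
    return raw[4] == 1


def secure_boot_enabled():
    """Read the live SecureBoot variable; None when efivarfs is absent
    (BIOS/CSM boot) or the variable cannot be read."""
    try:
        return secure_boot_state_from_bytes(SECURE_BOOT_VAR.read_bytes())
    except OSError:
        return None


def swap_devices(tree):
    """Return [(name, encrypted)] for every device mounted as [SWAP].

    encrypted is True iff the device itself or any ancestor in the lsblk
    tree is a dm-crypt mapping (TYPE == "crypt"). Swap on an LV inside a
    LUKS container therefore counts as encrypted; a bare partition does not.
    """
    found = []

    def walk(node, ancestors):
        chain = ancestors + [node]
        # Newer lsblk emits a "mountpoints" list; older ones a single "mountpoint".
        mountpoints = node.get("mountpoints") or [node.get("mountpoint")]
        if "[SWAP]" in mountpoints:
            encrypted = any(n.get("type") == "crypt" for n in chain)
            found.append((node["name"], encrypted))
        for child in node.get("children", []):
            walk(child, chain)

    for dev in tree.get("blockdevices", []):
        walk(dev, [])
    return found


def live_swap_devices():
    """Run lsblk on this machine and classify its active swap devices."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True,
    ).stdout
    return swap_devices(json.loads(out))


if __name__ == "__main__":
    sb = secure_boot_enabled()
    print("Secure Boot:", {True: "enabled", False: "disabled", None: "unknown (no efivarfs?)"}[sb])
    try:
        devices = live_swap_devices()
    except (OSError, subprocess.CalledProcessError):
        devices = []
    for name, enc in devices or [("(none active)", False)]:
        print(f"swap on {name}: {'dm-crypt' if enc else 'NOT encrypted'}")
```

Run as root only if you want the live efivarfs read to succeed on systems that restrict it; the `lsblk` part works unprivileged. Note that the script reports the two conditions separately and does not claim that encrypted swap by itself re-enables hibernation under Secure Boot, which is the open question in the thread.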