>> > The answer seems to be to install with LVM and encryption. That ensures
>> > that the swap area is encrypted and *cannot* be messed with while the
>> > device is hibernated (which is the rationale for Secure Boot not allowing
>> > hibernation to a "naked" swap partition).
>> How does UEFI know about Debian's swap and how does it know whether
>> it's encrypted?
> If SB is *enabled* then certain functions are restricted when considering
> what can be done by kernel modules.

So IIUC the restriction is imposed by the Linux kernel rather than by the machine's firmware (BIOS/UEFI/...)? That would indeed explain how it knows whether it's encrypted. 🙂

Stefan