I am pretty sure there is no security risk there.
IMHO it’s a design flaw caused by cost optimization.
However i saw such approach in many devices… one component less, couple cents cost reduction per unit.
Hibernation to encrypted volume is possible, however, for example smartcard-key-luks script sets kernel cmdline:
perl -pi -e ‘s/^GRUB_CMDLINE_LINUX_DEFAULT=(.*) splash/GRUB_CMDLINE_LINUX_DEFAULT=\1 nosplash noresume loglevel=3/’ /etc/default/grub
noresume will cause system will not try to reload memory from swap, and resume, isntead of that will do fsck on uncleanly unmouted partitions , and regular boot, discarding swap state.
IMHO it’s a design flaw caused by cost optimization.
That was my impression, and honestly, was one of the main reasons I sold my L14. It’s a pretty nasty cost optimization (design flaw) if that’s the case. It was far too much of a PITA to have to boot a LiveCD to set the system clock every time the battery was drained so that I could validate with PureBoot. I could have hibernated instead, as others pointed out, but I wanted sleep to function properly as I usually bounce around between a work laptop and my personal laptop with a shared power adapter.
I was caught once, traveling, without a LiveCD, and was forced to bypass the PureBoot check just to boot into my system (because I was in a rush getting off a plane and used sleep instead of shutting down, throwing the comptuer into a hotel safe and racing off to an appointment). It defeated the whole point of PureBoot for me. That, along with a few other annoyances, ultimately made the L14 a no go.
lol
clock can be set from pureboot recovery console directly - no livecd needed.
I do not say L14 is for everyone, looks like it wasn’t for you.
Personally i never experienced battery drain, on sleep, maybe because i am trying avoid usage of that state, and when i have to, i have ~ 60% SOC.
One think, probably you don’t catch, pureboot will not protect you when laptop is sleeping.
Actually letting laptop sleep is making it vulnerable. Because highly motivated actor will simply attack your system. how?
Simple - ram isn’t encrypted, and skilled attacker can disassemble unit without powering it on, hook power to ram modules, then dump content. and in ram is encryption key to your drive… ssd is not powered on sleep so can be disconnected decrypted with key recovered from RAM, modified , connected back.
System security is as high as skilled is system user…
EDIT:
the core of this issue is not, lack of RTC battery, It’s a lack of propper battery triggers in EC.
Normally Laptops in sleep, Wakeup when battery reach “CRITICAL” state, in order to allow OS to make decision what to do: Force Shutdown/Hibernate.
Take any other laptop with windows/macos and test it, by putting it to sleep, while battery is arround 10% and leave it that way (in Windows it’s even configurable)
Librem EC seems , lack of this functionality (Yet - it’s fixable).
So it’s just matter of Firmware to make it not let system discharge battery lower than RTC require to work.
@nicole.faerber - can we open task for this in Librem EC project? (i mean setup battery level threshhold to wakeup system from S3 , rest can be scripted system side, and add PANIC kill when battery drop below Certain level, to do not allow RTC go down), now i observed only Power off on ~5% while system nromally run, but on S3 it simply let battery to discharge so low, that even RTC dies.
Totally fair, but that’s not something I remembered how to do off the top of my head, and the portal to which I would look that up wasn’t able to boot.
I definitely agree that it’s not for everyone. I also agree about sleep vs power off, and I traditionally would have turned it off in that instance. A systematic approach is certainly the best preparation, that is apparently my own shortcoming. To each their own.
Actually instruction how to set time is in Pureboot menu it even trops you to emergency shell with instruction what to do.
I will raise PR to add clock set menu into pureos menu , that will help nontechniocal people to handle this issue.
Good call, that will certainly help non-technical folk. Has the firmware been improved so that all scraped grub menus actually work as well? That seems to be a common annoyance for non-technical folk as well.
Nice that there is a menu item in Pureboot, I’m not sure if this is a new firmware from what I had, but I don’t recall seeing this in Pureboot when I had the L14, slick.
Both. But on the Librem 13 it the hibernation swap is encrypted as well.
It is a pain in the butt to setup though.
Of course you don’t always get a CD/DVD anymore with your laptop (I don’t know about the L-14, I’m talking in general). Nowadays you may need a USB stick with a write tab flipped to read-only with a LiveCD written to it.