Skip to content

Instantly share code, notes, and snippets.

@Cryptophobia

Cryptophobia/fedora-43-hibernation-setup.md

Last active March 12, 2026 18:58
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save Cryptophobia/e304a04fcb156dd0959fbba6b7a26106 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save Cryptophobia/e304a04fcb156dd0959fbba6b7a26106 to your computer and use it in GitHub Desktop.
Download ZIP
Fedora 43 Hibernation Setup
Raw
fedora-43-hibernation-setup.md

Enabling Hibernation on Fedora 43

A complete guide to enable hibernation on Fedora 43 (Workstation) with UEFI and btrfs filesystem, including fixes for Secure Boot and SELinux issues.

Complete Command Reference

Run these commands in sequence to enable hibernation:

# Calculate swap size (RAM-based formula)
SWAPSIZE=$(free | awk '/Mem/ {x=$2/1024/1024; printf "%.0fG", (x<2 ? 2*x : x<8 ? 1.5*x : x) }')
SWAPFILE=/var/swap/swapfile

# Create btrfs subvolume and swap file
sudo btrfs subvolume create /var/swap
sudo btrfs filesystem mkswapfile --size $SWAPSIZE --uuid clear $SWAPFILE

# Enable swap file
echo $SWAPFILE none swap defaults 0 0 | sudo tee --append /etc/fstab
sudo swapon --all --verbose

# Configure dracut for resume
echo 'add_dracutmodules+=" resume "' | sudo tee /etc/dracut.conf.d/resume.conf
sudo dracut --force --verbose

# Fix SELinux permissions (critical!)
sudo semanage fcontext --add --type swapfile_t $SWAPFILE
sudo restorecon -RF /var/swap

# Test hibernation
sudo systemctl hibernate

Prerequisites

1. UEFI Boot Required

Verify your system uses UEFI:

bootctl

If this prints "Not booted with EFI", this method won't work.

2. Disable Secure Boot (Required)

Important: Hibernation requires Secure Boot to be disabled in BIOS/UEFI settings.

With Secure Boot enabled, you'll get:

Call to Hibernate failed: Sleep verb 'hibernate' is not configured or configuration is not supported by kernel

To disable: Reboot → BIOS/UEFI settings (F2/F10/F12/Del) → Security/Boot menu → Disable Secure Boot → Save and exit.

Why? Kernel lockdown (enabled with Secure Boot) prevents hibernation to unencrypted swap for security reasons.

Step-by-Step Explanation

Step 1: Create Swap File on btrfs

The command btrfs filesystem mkswapfile automatically:

  • Disables copy-on-write (COW) for the swap file
  • Creates the file with proper attributes
  • Avoids the "swapfile must not be copy-on-write" error

Using standard mkswap will fail on btrfs without additional COW disabling steps.

Step 2: Enable Swap File

The swap file is added to /etc/fstab for persistence across reboots and activated immediately. Verify with swapon --show - you should see both your swap file and the existing zram device.

Step 3: Configure dracut

The --verbose flag is important - without it, dracut appears to hang with no output for 2-5 minutes. It shows progress and confirms the command is working.

Step 4: Fix SELinux Permissions

Critical step often missed! Without proper SELinux labeling, you'll get "Access denied" errors even when running as root. These commands tag the swap file with the swapfile_t type that SELinux expects.

Verification

Check System Status

# Verify swap is active
swapon --show

# Check security configuration
fwupdmgr security

# Verify SELinux context
ls -Z /var/swap/swapfile

Expected fwupdmgr security output:

✔ UEFI secure boot: Disabled
✘ Linux kernel lockdown: Disabled (expected for hibernation)
✘ Linux swap: Invalid (unencrypted swap present)

Troubleshooting

"Sleep verb 'hibernate' is not configured"

Cause: Secure Boot is still enabled
Solution: Disable Secure Boot in BIOS/UEFI settings

"Call to Hibernate failed: Access denied"

Cause: SELinux policy not configured
Solution: Run the SELinux commands from the reference above and verify with ls -Z /var/swap/swapfile (should show swapfile_t)

dracut Appears Stuck

Cause: No progress output by default (takes 2-5 minutes)
Solution: Use --verbose flag as shown in the command reference

"swapfile must not be copy-on-write"

Cause: Using standard mkswap instead of btrfs-specific command
Solution: Use btrfs filesystem mkswapfile as shown in the command reference

Additional Notes

  • zram remains active: The existing zram swap device continues to work alongside the swap file. zram has higher priority for normal swap operations; the disk-based swap file is used primarily for hibernation.

  • Swap file location: The swap file is in /var/swap/ as a separate btrfs subvolume, isolating it from snapshots.

  • Suspend vs Hibernate:

    • Suspend: RAM stays powered, fast resume, drains battery slowly
    • Hibernate: RAM saved to disk, complete power off, slower resume, no battery drain
    • Suspend-then-hibernate: systemctl suspend-then-hibernate (suspends first, hibernates after timeout)

How It Works

On UEFI systems, hibernation uses a streamlined process:

  1. systemd stores swap file location in a UEFI variable
  2. System writes memory contents to swap file
  3. Machine powers off completely
  4. On boot, bootloader reads the UEFI variable
  5. Kernel resumes from swap file location
  6. Memory is restored and execution continues

This is simpler than legacy BIOS systems that required manual boot parameter configuration.

References and Documentation

Based on: Fedora Magazine - Update on hibernation in Fedora Workstation

Additional references:

Key improvements over original article:

  1. Uses btrfs filesystem mkswapfile instead of standard mkswap (avoids COW issues)
  2. Includes SELinux configuration (prevents "Access denied" errors)
  3. Documents Secure Boot requirement (must be disabled)
  4. Uses --verbose flag for dracut (shows progress)
  5. Complete troubleshooting section

Tested on: Fedora 43 Workstation, UEFI boot, btrfs filesystem
Last updated: February 2026

This guide is provided as-is for the community. Feel free to share, modify, and improve.

@Tobian42
Copy link

Tobian42 commented Mar 11, 2026

@random-integer mokutil --disable-validation is not required for an encrypted (or unencrypted) swap partition. It is only needed if you want to use hibernation with Secure Boot, swap will work regardless.

mokutil --disable-validation disables Secure Boot validation. When Secure Boot is enabled, your system verifies that the Linux kernel is legitimate and hasn't been tampered with while the machine was powered off. When you hibernate, your RAM is copied to the swap partition. Ideally, Linux should verify on the next boot that the swap contents are exactly what it saved. However, Linux does not currently support this. (There is reportedly a modified kernel that does support it.)

@random-integer
Copy link

random-integer commented Mar 12, 2026

@Tobian42 Thanks! I see now.

I was asking because this sentence from the original post:

Why? Kernel lockdown (enabled with Secure Boot) prevents hibernation to unencrypted swap for security reasons.

made me thought that if you use encrypted swap, you would have no problem with secure boot.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment