From e2a7a2fdb9ba66e777ec1a8c0d3c9301cc21bdab Mon Sep 17 00:00:00 2001
From: sommerfeld
Date: Fri, 29 May 2026 11:18:14 +0100
Subject: feat(suspend): hardened-only init_on_free=0 + hang-detection cmdline
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Split the hardened UKI cmdline off the shared etc/kernel/cmdline.tmpl so we can carry workarounds without poking the stock linux build.

Daily-driving linux-hardened on this hardware has reliably hung on resume from S3: black screen, blinking caps-lock + power LED, only the power button helps. The kernel journal stops at 'PM: suspend entry (deep)' with nothing after, so the freeze is below the level where logs can flush — characteristic of a hard hang inside a device driver's suspend/resume callback rather than a userspace bug.

linux-hardened defaults init_on_free=1, which zeroes pages on free. On Intel + iwlwifi/i915/nvme stacks this routinely surfaces latent UAFs as suspend hangs that are invisible on stock linux. Drop that knob to 0 for the hardened cmdline as the working hypothesis.

Add nmi_watchdog=panic, softlockup_panic=1, panic=10 so if the next attempt still wedges, a stuck CPU self-panics and auto-reboots within ~10s, giving us a 'journalctl -b -1 -k' trace to look at instead of having to force-power-off blindly.

Stock linux is untouched.
---
 .chezmoiignore | 1 +
 1 file changed, 1 insertion(+)

(limited to '.chezmoiignore')

diff --git a/.chezmoiignore b/.chezmoiignore
index 99af635..ae7912d 100644
--- a/.chezmoiignore
+++ b/.chezmoiignore
@@ -2,6 +2,7 @@ KEYBINDS.md
 README.md
 bootstrap.sh
 migrate-podman-to-btrfs.sh
+diagnose-suspend.sh
 meta/
 systemd-units/
 etc/
--
cgit v1.3.1
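Review bot: the one hunk visible here adds `diagnose-suspend.sh` to `.chezmoiignore`, but the commit message never mentions that script; add a sentence saying what it is (a repo-local helper for the suspend investigation?) and why it must stay out of the deployed home, otherwise anyone reading history finds only a silent ignore entry with no owner. Note also that this view is limited to `.chezmoiignore`, so the cmdline split, `init_on_free=0` and the `nmi_watchdog=panic softlockup_panic=1 panic=10` additions the message describes cannot be reviewed from this page; an auditor checking the hardening regression needs the full commit.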
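Because the commit message describes a deliberate trade of one hardening default (`init_on_free=1`) for a hang-detection triplet (`nmi_watchdog=panic`, `softlockup_panic=1`, `panic=10`), a practitioner will want a quick way to confirm that a booted kernel, or a rendered cmdline template, actually carries that exact combination and nothing half-applied. The script below is an added example and is not the commit's own code or the `diagnose-suspend.sh` the hunk ignores; the function names and the `SAMPLE_*` cmdlines are constructed for the example. It treats `panic=0` or a bare `panic` as not armed, since a kernel that panics but never reboots leaves you exactly where the message complains about: holding the power button with no `-b -1` log.

```shell
#!/bin/sh
# Added example, not from the commit: audit a kernel cmdline string for the
# knobs the commit message discusses. The cmdline is passed as an argument so
# the same functions run against `cat /proc/cmdline` on a booted box or
# against a rendered cmdline.tmpl in the repo. Function names and the
# SAMPLE_* strings below are constructed for this example.

set -f   # cmdline tokens are split on whitespace; never glob-expand them

# cmdline_get CMDLINE KEY: print KEY's value (empty for a bare KEY); 1 if absent.
cmdline_get() {
    _key=$2
    for _tok in $1; do
        case $_tok in
            "$_key"=*) printf '%s\n' "${_tok#*=}"; return 0 ;;
            "$_key")   printf '\n'; return 0 ;;
        esac
    done
    return 1
}

# has_hang_detection CMDLINE: 0 only if all three knobs are armed the way the
# commit message describes: nmi_watchdog=panic, softlockup_panic=1, panic=N
# with N > 0. panic=0 or a bare `panic` would leave the box sitting at the
# panic screen, which defeats the purpose of getting a journalctl -b -1 log.
has_hang_detection() {
    [ "$(cmdline_get "$1" nmi_watchdog)" = panic ] || return 1
    [ "$(cmdline_get "$1" softlockup_panic)" = 1 ] || return 1
    _p=$(cmdline_get "$1" panic) || return 1
    [ -n "$_p" ] && [ "$_p" -gt 0 ] 2>/dev/null || return 1
    return 0
}

# init_on_free_disabled CMDLINE: 0 if init_on_free=0 is set explicitly, i.e.
# the hardened default of zeroing freed pages has been switched off.
init_on_free_disabled() {
    [ "$(cmdline_get "$1" init_on_free)" = 0 ]
}

# audit_cmdline CMDLINE: one line per finding; exit status follows
# has_hang_detection so a caller can gate a deploy on it.
audit_cmdline() {
    if init_on_free_disabled "$1"; then
        echo "WARN  init_on_free=0: freed-page zeroing is off (tracked hardening trade-off)"
    else
        echo "OK    init_on_free left at the kernel's default"
    fi
    if has_hang_detection "$1"; then
        echo "OK    lockup -> panic -> reboot after $(cmdline_get "$1" panic)s is armed"
        return 0
    fi
    echo "WARN  hang detection incomplete: need nmi_watchdog=panic softlockup_panic=1 panic=<seconds>"
    return 1
}

# Constructed samples standing in for the hardened and stock UKI cmdlines.
SAMPLE_HARDENED='root=UUID=0000 rw init_on_free=0 nmi_watchdog=panic softlockup_panic=1 panic=10 quiet'
SAMPLE_STOCK='root=UUID=0000 rw quiet'

audit_cmdline "$SAMPLE_HARDENED"
audit_cmdline "$SAMPLE_STOCK" || :
# On a live machine: audit_cmdline "$(cat /proc/cmdline)"
```

The parser only handles whitespace-separated `key=value` tokens, which covers everything in the commit's cmdline; quoted values with embedded spaces (rare, but legal on a kernel cmdline) would need a real tokenizer.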