Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

destroyfvkeyonstandby requires additional pmset settings in order to avoid system shutdown #124

Closed
kristovatlas opened this issue Jul 9, 2016 · 34 comments

Comments

@kristovatlas
Copy link

commented Jul 9, 2016

I'm wondering if anyone has tried the combination of OSX Login via Yubikey (https://www.yubico.com/why-yubico/for-individuals/computer-login/mac-os-login/) with the pmset -a destroyfvkeyonstandby 1 system configuration enabled to destroy the file vault key.

I have both of these set on a machine, and when I put my computer to sleep, upon waking it later I often find that the system has turned itself entirely.

I suspect that this is because of a negative interaction between these two configurations -- that removing my YubiKey during the sleep process is depriving the system of something it wants in order to stay on while the FileVault key is no longer accessible.

Similar experiences or suggestions on how to troubleshoot this are welcome.

kristovatlas added a commit to kristovatlas/osx-config-check that referenced this issue Jul 11, 2016
I like the idea of destroyfvkeyonstandby but find it to be somewhat of
a PITA, making the system less stable. Downgraded to experimental.
Related:
drduh/macOS-Security-and-Privacy-Guide#124
@quinncomendant

This comment has been minimized.

Copy link

commented Jul 12, 2016

I'm not using Yubikey, but I have tried pmset -a destroyfvkeyonstandby 1 on a 2015 rMBP and it has the same behavior: the system is completely off in the morning when I've put it to sleep the night before. I'm unable to use this setting without risk of losing unsaved documents. I have assumed its a hardware issue, so am looking forward to taking in for diagnosis, once I'm in a country with an apple store. But I would like to hear if anyone has solved this issue on their own.

@drduh

This comment has been minimized.

Copy link
Owner

commented Jul 12, 2016

What is likely happening is, the Mac is waking for Power Nap, hitting the FileVault unlock screen, then powering off due to a temperature failsafe. At least that's my theory. Try leaving Power Nap off and don't connect the machine to AC power to test it.

@anton48

This comment has been minimized.

Copy link

commented Jul 12, 2016

you may find explanation and the fix there: https://derflounder.wordpress.com/2014/02/12/power-nap-power-management-settings-and-filevault-2/, not sure about Yubikey though.

@quinncomendant

This comment has been minimized.

Copy link

commented Jul 13, 2016

I've always had Power Nap disabled, so that wasn't the cause. It does appear to be a bug (or incorrect documentation) regarding the standby and standbydelay options. I've followed some of the (counterintuitive) suggestions mentioned in the above link and found it to work for me. These expected-to-be-correct settings do not work:

standbydelay         3600
standby              1

So I've changed them to this, and it works:

standbydelay         0
standby              0

¯_(ツ)_/¯

@kristovatlas, what are your current (non-working) settings (via pmset -g custom)?

@quinncomendant

This comment has been minimized.

Copy link

commented Jul 13, 2016

Oh look, shrug is munged by github markdown. This:

¯_(ツ)_/¯

Should be:

¯\_(ツ)_/¯

🤔

@anton48

This comment has been minimized.

Copy link

commented Jul 13, 2016

sorry, but did you read the whole story from this link above? :)

the quote: "Once I’d disabled Power Nap, I thought the problem would be solved. Nothing else should wake it up, right? Then I put my laptop to sleep the next night and tried to wake it the following morning. The laptop was off again, so not fixed".

so, powernap is the part of the problem, but even with disabled powernap it is still there. and yes, to fix the problem you need to set these two variables to 0, as the link above says.

@kristovatlas

This comment has been minimized.

Copy link
Author

commented Jul 18, 2016

My settings before applying the proposed fix are:

$ pmset -g
System-wide power settings:
 DestroyFVKeyOnStandby      1
Active Profiles:
Battery Power       -1
AC Power        -1*
Currently in use:
 standbydelay         10800
 standby              1
 womp                 0
 halfdim              1
 hibernatefile        /var/vm/sleepimage
 powernap             1
 gpuswitch            2
 networkoversleep     0
 disksleep            10
 sleep                1
 autopoweroffdelay    14400
 hibernatemode        25
 autopoweroff         1
 ttyskeepawake        1
 displaysleep         10
 acwake               0
 lidwake              1
@kristovatlas

This comment has been minimized.

Copy link
Author

commented Jul 18, 2016

These commands were not sufficient to fix the problem:

sudo pmset -a standby 0
sudo pmset -a standbydelay 0

Resulting in these overall settings:

$ pmset -g
System-wide power settings:
 DestroyFVKeyOnStandby      1
Active Profiles:
Battery Power       -1
AC Power        -1*
Currently in use:
 standbydelay         0
 standby              0
 womp                 0
 halfdim              1
 hibernatefile        /var/vm/sleepimage
 powernap             1
 gpuswitch            2
 networkoversleep     0
 disksleep            10
 sleep                1 (sleep prevented by AddressBookSourceSync)
 autopoweroffdelay    14400
 hibernatemode        25
 autopoweroff         1
 ttyskeepawake        1
 displaysleep         10
 acwake               0
 lidwake              1
@anton48

This comment has been minimized.

Copy link

commented Jul 19, 2016

yes, since you need to switch off powernap too (in the case of quinncomendant it was already disabled).

@burguesia

This comment has been minimized.

Copy link

commented Jul 19, 2016

I have the same problem (macbook pro randomly shutting itself off while in hibernation) and I have the powernap off. The instructions in here (https://derflounder.wordpress.com/2014/02/12/power-nap-power-management-settings-and-filevault-2/) did not help to prevent the problem.

Below the best performing settings I found so far - with them the issue seems to be inconsistent: my macbook works as expected for a couple of days, then I suddenly find it powered off. Anyhow most of the times it works as expected.

System-wide power settings:
 DestroyFVKeyOnStandby      1
Active Profiles:
Battery Power       -1
AC Power        -1*
Currently in use:
 standbydelay         0
 standby              0
 womp                 0
 halfdim              1
 hibernatefile        /var/vm/sleepimage
 powernap             0
 networkoversleep     0
 disksleep            0
 sleep                0 (sleep prevented by backupd, backupd, AddressBookSourceSync, UserEventAgent, UserEventAgent, UserEventAgent, UserEventAgent)
 autopoweroffdelay    0
 hibernatemode        25
 autopoweroff         1
 ttyskeepawake        1
 displaysleep         10
 acwake               0
 lidwake              1
@anton48

This comment has been minimized.

Copy link

commented Jul 19, 2016

two differences with my setup: autopoweroffdelay is 14400 in my settings (it is measured in minutes, so it never happens anyway I guess) and autopoweroff is 0 in my settings (you have 1, but I guess that it is never triggered in your case, since you set autopoweroffdelay to 0).

@kristovatlas

This comment has been minimized.

Copy link
Author

commented Jul 19, 2016

Running this command resolved the issue:
$ sudo pmset -a powernap 0

This doesn't appear to have anything to do with Yubikey's OS X Login since other people not using Yubikey observed the same problem. (I'll be adjust the title of the issue accordingly.)

The final configuration of the machine is:

$ pmset -g
System-wide power settings:
 DestroyFVKeyOnStandby      1
Active Profiles:
Battery Power       -1
AC Power        -1*
Currently in use:
 standbydelay         0
 standby              0
 womp                 0
 halfdim              1
 hibernatefile        /var/vm/sleepimage
 powernap             0
 gpuswitch            2
 networkoversleep     0
 disksleep            10
 sleep                1
 autopoweroffdelay    14400
 hibernatemode        25
 autopoweroff         1
 ttyskeepawake        1
 displaysleep         10
 acwake               0
 lidwake              1
@kristovatlas kristovatlas changed the title destroyfvkeyonstandby + YubiKey Login bug? destroyfvkeyonstandby requires additional pmset settings in order to avoid system shutdown Jul 19, 2016
kristovatlas added a commit to kristovatlas/OS-X-Security-and-Privacy-Guide that referenced this issue Jul 19, 2016
@burguesia

This comment has been minimized.

Copy link

commented Jul 19, 2016

@kristovatlas I would wait a couple of days before considering it resolved - in my case the laptop works fine for 1, 2 or even 3 days and then I suddenly find it powered off when it's supposed to be hibernating.

@kristovatlas

This comment has been minimized.

Copy link
Author

commented Jul 19, 2016

@burguesia: ok, thanks for letting me know.

@burguesia

This comment has been minimized.

Copy link

commented Jul 21, 2016

FYI: just found my laptop off after a few days of correct functioning. It seems that it goes off more often if I leave the ac power connected while it's hibernating. If it's on battery power it seems to always work fine.

@anton48

This comment has been minimized.

Copy link

commented Jul 21, 2016

I use these settings for at least two months without problems. however, I never put it to AC power while it is in hibernate mode.

@kristovatlas

This comment has been minimized.

Copy link
Author

commented Jul 21, 2016

@burguesia: my machine is powered off today :(

Some output for troubleshooting:

$ pmset -g
...
 sleep                1 (sleep prevented by UserEventAgent, UserEventAgent, UserEventAgent, UserEventAgent, UserEventAgent, UserEventAgent, AddressBookSourceSync, apsd, apsd, softwareupdate_notify_agent)
...

and

$ pmset -g custom
Battery Power:
 lidwake              1
 autopoweroff         1
 autopoweroffdelay    14400
 standbydelay         0
 standby              0
 ttyskeepawake        1
 hibernatemode        25
 powernap             0
 gpuswitch            2
 hibernatefile        /var/vm/sleepimage
 displaysleep         2
 sleep                1
 acwake               0
 halfdim              1
 lessbright           1
 disksleep            10
AC Power:
 lidwake              1
 autopoweroff         1
 autopoweroffdelay    14400
 standbydelay         0
 standby              0
 ttyskeepawake        1
 hibernatemode        25
 powernap             0
 gpuswitch            2
 hibernatefile        /var/vm/sleepimage
 womp                 0
 displaysleep         10
 networkoversleep     0
 sleep                1
 acwake               0
 halfdim              1
 disksleep            10
@kristovatlas

This comment has been minimized.

Copy link
Author

commented Jul 21, 2016

I think the problem could be autopoweroff, which is set to 1 for me and @burguesia. @anton48 noticed that he was not having problems and had this set to 0, but he incorrectly stated that the autopoweroffdelay is measured in minutes when it's actually seconds (equivalent to 4 hours).

autopoweroff is enabled by default on supported platforms as an implementation of Lot 6 to the European Energy-related Products Directive. After sleeping for seconds, the system will write a hibernation image and go into a lower power chipset sleep. Wakeups from this state will take longer than wakeups from regular sleep.

I'm going to test it out and report back.

@anton48

This comment has been minimized.

Copy link

commented Jul 21, 2016

@kristovatlas yes, you are right, the unit for this setting is seconds now, but it was in minutes before, so I just remembered that and not rechecked, my bad. you may compare the sources for the man page of pmset here:

https://opensource.apple.com/source/PowerManagement/PowerManagement-571.1.3/pmset/pmset.1 (10.11, says "seconds")

https://opensource.apple.com/source/PowerManagement/PowerManagement-494.1.2/pmset/pmset.1 (10.10, says "minutes")

on the other hand, I just tested the configuration with autopoweroff set to 1 and my notebook was hibernated after 60 seconds regardless of the number set to autopoweroffdelay (I tried 10, 60, 120).

@kristovatlas

This comment has been minimized.

Copy link
Author

commented Jul 28, 2016

Since setting autopoweroff to 0, I haven't had any more problems. I'm going to make a PR now to include this update, and I think it would be safe to close this issue, @drduh.

@drduh

This comment has been minimized.

Copy link
Owner

commented Aug 19, 2016

How are these settings working for folks? Can this issue be resolved now?

@burguesia

This comment has been minimized.

Copy link

commented Aug 20, 2016

@drduh with autopoweroff to 0 everything has been working fine for me for weeks. I'd say the issue is resolved.

@drduh

This comment has been minimized.

Copy link
Owner

commented Aug 21, 2016

Please reopen the ticket and write to Apple if the intended behavior is still not working.

@drduh drduh closed this Aug 21, 2016
@elken

This comment has been minimized.

Copy link

commented Aug 24, 2016

Tried what's mentioned here, hasn't been working for a few days.

System-wide power settings:
 DestroyFVKeyOnStandby      1
Active Profiles:
Battery Power       -1
AC Power        -1*
Currently in use:
 standbydelay         0
 standby              0
 womp                 0
 halfdim              1
 hibernatefile        /var/vm/sleepimage
 powernap             0
 gpuswitch            2
 networkoversleep     0
 disksleep            10
 sleep                0
 autopoweroffdelay    0
 hibernatemode        25
 autopoweroff         0
 ttyskeepawake        1
 displaysleep         180 (display sleep prevented by com.apple.WebKit.WebContent)
 acwake               0
 lidwake              1

Am I just being stupid?

@burguesia

This comment has been minimized.

Copy link

commented Oct 13, 2016

I just encountered an edge case when I replaced the 512GB stock SSD of my late 2013 13 inch Macbook Pro with a 1TB OWC Aura SSD.

"DestroyFVKeyOnStandby 1" + "hibernatemode 25" stopped working. Tweaking powernap, autopoweroffdelay and other options doesn't work. The system cannot come back from hibernation, the only possible solution is a hard reboot.

I think the problem is that macOS views the new SSD as an "external" disk. When the system comes back from hibernation it doesn't seem to be able to find the disk. Either the screen stays black or the "missing disk" shows up. In any case the only solution is to manually power off the laptop.

@kun-zhou

This comment has been minimized.

Copy link

commented Apr 15, 2017

I am on Sierra 10.12.4 with late 2016 Macbook Pro without touchbar. It seems like my computer is still not sleeping and waking properly. Here are my settings:

System-wide power settings:
 DestroyFVKeyOnStandby		1
Currently in use:
 standbydelay         0
 standby              0
 halfdim              1
 hibernatefile        /var/vm/sleepimage
 powernap             0
 gpuswitch            2
 disksleep            10
 sleep                10
 autopoweroffdelay    28800
 hibernatemode        25
 autopoweroff         0
 ttyskeepawake        1
 displaysleep         1
 acwake               0
 lidwake              1

Here is when things go wrong on my machine. I close the lid. After 1 minute, I open the lid, it prompts me for filevault key. IF I DO NOT ENTER IT AND CLOSE THE LID AGAIN, THE COMPUTER SHUTSDOWN WHEN I OPEN THE LID ONE MINUTE LATER.

In my pmset -g log, I see the following:


Time stamp                Domain              	Message                                                                    	Duration  	Delay     
==========                ======              	=======                                                                    	========  	=====     
UUID: (null)
2017-04-17 13:51:09 -0400 Start               	powerd process is started                                                  	          
2017-04-17 13:51:09 -0400 Assertions          	Summary- [System: No Assertions] Using Batt(Charge: 73)          
2017-04-17 13:51:09 -0400 HibernateStats      	hibmode=0 standbydelay=0                                                   	          0         	
Sleep/Wakes since boot at 2017-04-17 13:51:09 -0400 :0   Dark Wake Count in this sleep cycle:1

Time stamp                Domain              	Message                                                                    	Duration  	Delay     
==========                ======              	=======                                                                    	========  	=====     
UUID: Unknown UUID
2017-04-17 13:51:09 -0400 Failure             	Sleep Failure [code:0xFFFFFFFF0400001F]:                                   	          

I also see a sleep failure here.

I think apple's pmset is pretty broken and poorly documented. I don't know I should even trust the computer to destroy the filevault key properly during sleep and we have little control over when the computer actually enters the standbymode and destroy the filevault key.

@skynw

This comment has been minimized.

Copy link

commented May 27, 2017

Aloha,
I have also the same issue with OWC Aura SSD.
Replaced my original internal SSD with a OWC Aura.
Now wake up from hibernation does not work anymore.

@burguesia

This comment has been minimized.

Copy link

commented May 30, 2017

@skynw : I never managed to solve this issue. Only thing I could do was to go back to standard settings, which means not hibernating the laptop but just using the standard sleep.

@ajkblue

This comment has been minimized.

Copy link

commented May 31, 2017

@kun-zhou I am seeing the exact same issue, including the same sleep failure log and how my Mac fails to re-awake after opening up the lid a second time. I am on Sierra 10.12.5 with Mid-2013 MacBook Air.

@MichelDiz

This comment has been minimized.

Copy link

commented Aug 4, 2017

PMSET behavior is very annoying. "UserAgent" preventing my Mac from sleeping. Even web apps running on Electron are having this behavior. Would not it be so simple to overwrite these things Apple?

pmset -g assertions                                      

Assertion status system-wide:
   BackgroundTask                 1
   ApplePushServiceTask           0
   UserIsActive                   1
   PreventUserIdleDisplaySleep    0
   PreventSystemSleep             0
   ExternalMedia                  0
   PreventUserIdleSystemSleep     0
   NetworkClientActive            0
Listed by owning process:
   pid 387(UserEventAgent): [0x00009d95000b93d6] 00:29:58 BackgroundTask named: "com.apple.siri.xpc_activity.metrics-sender"
	Created for PID: 2374.
   pid 109(hidd): [0x00006a5800098e13] 04:08:41 UserIsActive named: "com.apple.iohideventsystem.queue.tickle.4294971603.17"
	Timeout will fire in 594 secs Action=TimeoutActionRelease
Kernel Assertions: 0x4=USB
   id=512  level=255 0x4=USB mod=31/12/69 21:00 description=com.apple.usb.externaldevice.13100000 owner=Microsoft® 2.4GHz Transceiver v7.0
   id=513  level=255 0x4=USB mod=31/12/69 21:00 description=com.apple.usb.externaldevice.16300000 owner=Gaming Mouse G402
Idle sleep preventers: IODisplayWrangler
@kun-zhou

This comment has been minimized.

Copy link

commented Aug 4, 2017

@V1-Bloom

This comment has been minimized.

Copy link

commented Jun 18, 2018

The other day after running sudo launchctl config user path "/usr/local/bin:$PATH" my Mac was able to wake from hibernation successfully. This was written on the Homebrew FAQ for letting .apps find /usr/local/bin. I'm not sure why that would affect the booting from hibernation issue, but it was the only significant change I made before I noticed it successfully waking instead of restarting. It's an MBP Early 2015 model running 10.13.6

@tbodt

This comment has been minimized.

Copy link

commented Jun 22, 2018

If you have an OWC Aura SSD, there's a firmware update available that causes the drive to be recognized as an internal hard drive, making it possible to wake from hibernation. You can find information here: https://eshop.macsales.com/Service/Knowledgebase/Article/10/730/Aura-SSDs-Firmware-Update

@danweber

This comment has been minimized.

Copy link

commented Mar 25, 2019

The instructions explicitly say to turn off standby and standbydelay. But those are the settings that allow the MBP to enter hibernate mode and drop the FV key. (The key is called DestroyFVKeyOnStandby, after all.) Do other people have their MBPs going into Hibernate mode with these settings? I have never gotten it to enter standby with these settings, and thus never drop the FV key.

Mojave, 10.14.3, MBP with touchbar.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
You can’t perform that action at this time.