Re: X server blocked by SecureBoot

To: debian-user@lists.debian.org
Subject: Re: X server blocked by SecureBoot
From: Christian <chris@argonautx.net>
Date: Wed, 30 Oct 2024 15:57:47 +0100
Message-id: <[🔎] 967ad2e1-e7f4-4538-9694-6ff00690c4d8@argonautx.net>
In-reply-to: <[🔎] 19041327546537610557@scdbackup.webframe.org>
References: <[🔎] aec1c8bd-58eb-45c2-a833-e85b990c25b2@argonautx.net> <[🔎] 19041327546537610557@scdbackup.webframe.org>

Hi Thomas, thank you for your help. So far I couldn't see anything in mycmdline which is kernel_lockdown related. And I grep'ed the whole /etcand /boot directory recursively. Nothing. And neither in the dmesg,there is no "lsm=" line. Only in the kernel .config isCONFIG_SECURITY_LOCKDOWN=y, enabled. So yes the kernel supports it.Debian Live boot system couldn't either boot up my new PC, but Ubuntudid. WIth Ubuntu I was able to boot it with Desktop and everthing, butthey used Nouveu driver. And dmesg dumped this out:[ 0.209551] LSM: initializinglsm=lockdown,capability,landlock,yama,apparmor,ima,evm

I couldn't find out where this parameters are set. Even on the UbuntuLive system I didn't find a file with just one single line with thewords lsm= or lockdown (case insensitive)


Thank you

BR Christian

Hi,

Christian wrote:

[   47.042454] Lockdown: Xorg: raw io port access is restricted; see man kernel_lockdown.7
I think it's still SecureBoot, but what is it this time? Can anyone help

At least the above log snippet seems to be related to SecureBoot.
In
   https://manpages.debian.org/bookworm/manpages/kernel_lockdown.7.en.html
i see

   "On an EFI-enabled x86 or arm64 machine, lockdown will be automatically
    enabled if the system boots in EFI Secure Boot mode.
    Coverage
    When lockdown is in effect, a number of features are disabled or have
    their use restricted. This includes special device files and kernel
    services that allow direct access of the kernel image:"
    [...]
   NOTES
     The Kernel Lockdown feature is enabled by CONFIG_SECURITY_LOCKDOWN_LSM.
     The lsm=lsm1,...,lsmN command line parameter controls the sequence of
     the initialization of Linux Security Modules. It must contain the
     string lockdown to enable the Kernel Lockdown feature. If the command
     line parameter is not specified, the initialization falls back to the
     value of the deprecated security= command line parameter and further
     to the value of CONFIG_LSM."

So i guess you have to look into your boot configuration for kernel
parameter "lockdown".

On
   https://bbs.archlinux.org/viewtopic.php?id=290866
i see this statement by espritlibre:

   "Re: Secure boot and Nvidia
    i have secure boot enabled, but lockdown disabled  (for another
    reason). loading the nvidia module does taint the kernel, but loads
    and work just fine with prime-run on a hybrid systme. i'm not signing
    OOT modules, just kernel and efi stuff."

(Whatever "prime-run" might be ...)


Have a nice day :)

Thomas

Reply to:

Follow-Ups:
- Re: X server blocked by SecureBoot
  - From: Timothy M Butterworth <timothy.m.butterworth@gmail.com>
- Re: X server blocked by SecureBoot
  - From: "Thomas Schmitt" <scdbackup@gmx.net>

References:
- X server blocked by SecureBoot
  - From: Christian <chris@argonautx.net>
- Re: X server blocked by SecureBoot
  - From: "Thomas Schmitt" <scdbackup@gmx.net>

Prev by Date: Re: printer problem
Next by Date: Re: Support forum for pdfminer.six [especially pdf2txt]
Previous by thread: Re: X server blocked by SecureBoot
Next by thread: Re: X server blocked by SecureBoot
Index(es):
- Date
- Thread