[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: X server blocked by SecureBoot



On Wed, Oct 30, 2024 at 10:58 AM Christian <chris@argonautx.net> wrote:
Hi Thomas, thank you for your help. So far I couldn't see anything in my
cmdline which is kernel_lockdown related. And I grep'ed the whole /etc
and /boot directory recursively. Nothing. And neither in the dmesg,
there is no "lsm=" line. Only in the kernel .config is
CONFIG_SECURITY_LOCKDOWN=y, enabled. So yes the kernel supports it.
Debian Live boot system couldn't either boot up my new PC, but Ubuntu
did. WIth Ubuntu I was able to boot it with Desktop and everthing, but
they used Nouveu driver.
 
Try booting with Trixie (testing), https://www.debian.org/CD/live/ It may just be that the stable kernel is simply too old for your hardware. I am currently running Trixie and have not had any problems with it. If you do install Trixie and it asks you if you want to install accesibility tools... select NO! Otherwise it will install and run everything and you will waste lots of time figuring out how to disable them.

And dmesg dumped this out:
[    0.209551] LSM: initializing
lsm=lockdown,capability,landlock,yama,apparmor,ima,evm

I couldn't find out where this parameters are set. Even on the Ubuntu
Live system I didn't find a file with just one single line with the
words lsm= or lockdown (case insensitive)

Thank you

BR Christian


> Hi,
>
> Christian wrote:
>> [   47.042454] Lockdown: Xorg: raw io port access is restricted; see man kernel_lockdown.7
>> I think it's still SecureBoot, but what is it this time? Can anyone help
> At least the above log snippet seems to be related to SecureBoot.
> In
>    https://manpages.debian.org/bookworm/manpages/kernel_lockdown.7.en.html
> i see
>
>    "On an EFI-enabled x86 or arm64 machine, lockdown will be automatically
>     enabled if the system boots in EFI Secure Boot mode.
>     Coverage
>     When lockdown is in effect, a number of features are disabled or have
>     their use restricted. This includes special device files and kernel
>     services that allow direct access of the kernel image:"
>     [...]
>    NOTES
>      The Kernel Lockdown feature is enabled by CONFIG_SECURITY_LOCKDOWN_LSM.
>      The lsm=lsm1,...,lsmN command line parameter controls the sequence of
>      the initialization of Linux Security Modules. It must contain the
>      string lockdown to enable the Kernel Lockdown feature. If the command
>      line parameter is not specified, the initialization falls back to the
>      value of the deprecated security= command line parameter and further
>      to the value of CONFIG_LSM."
>
> So i guess you have to look into your boot configuration for kernel
> parameter "lockdown".
>
> On
>    https://bbs.archlinux.org/viewtopic.php?id=290866
> i see this statement by espritlibre:
>
>    "Re: Secure boot and Nvidia
>     i have secure boot enabled, but lockdown disabled  (for another
>     reason). loading the nvidia module does taint the kernel, but loads
>     and work just fine with prime-run on a hybrid systme. i'm not signing
>     OOT modules, just kernel and efi stuff."
>
> (Whatever "prime-run" might be ...)
>
>
> Have a nice day :)
>
> Thomas
>



--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/
⠈⠳⣄⠀⠀
Reply to: