Hi Thomas, thank you for your help. So far I couldn't see anything in my cmdline which is kernel_lockdown related. And I grep'ed the whole /etc and /boot directory recursively. Nothing. And neither in the dmesg, there is no "lsm=" line. Only in the kernel .config is CONFIG_SECURITY_LOCKDOWN=y, enabled. So yes the kernel supports it. Debian Live boot system couldn't either boot up my new PC, but Ubuntu did. With Ubuntu I was able to boot it with Desktop and everything, but they used the Nouveau driver. And dmesg dumped this out: [    0.209551] LSM: initializing lsm=lockdown,capability,landlock,yama,apparmor,ima,evm

I couldn't find out where these parameters are set. Even on the Ubuntu Live system I didn't find a file with just one single line with the words lsm= or lockdown (case insensitive).

Thank you

BR Christian


Hi,

Christian wrote:
[   47.042454] Lockdown: Xorg: raw io port access is restricted; see man kernel_lockdown.7
I think it's still SecureBoot, but what is it this time? Can anyone help
At least the above log snippet seems to be related to SecureBoot.
In
   https://manpages.debian.org/bookworm/manpages/kernel_lockdown.7.en.html
i see

   "On an EFI-enabled x86 or arm64 machine, lockdown will be automatically
    enabled if the system boots in EFI Secure Boot mode.
    Coverage
    When lockdown is in effect, a number of features are disabled or have
    their use restricted. This includes special device files and kernel
    services that allow direct access of the kernel image:"
    [...]
   NOTES
     The Kernel Lockdown feature is enabled by CONFIG_SECURITY_LOCKDOWN_LSM.
     The lsm=lsm1,...,lsmN command line parameter controls the sequence of
     the initialization of Linux Security Modules. It must contain the
     string lockdown to enable the Kernel Lockdown feature. If the command
     line parameter is not specified, the initialization falls back to the
     value of the deprecated security= command line parameter and further
     to the value of CONFIG_LSM."

So i guess you have to look into your boot configuration for kernel
parameter "lockdown".

On
   https://bbs.archlinux.org/viewtopic.php?id=290866
i see this statement by espritlibre:

   "Re: Secure boot and Nvidia
    i have secure boot enabled, but lockdown disabled  (for another
    reason). loading the nvidia module does taint the kernel, but loads
    and works just fine with prime-run on a hybrid system. i'm not signing
    OOT modules, just kernel and efi stuff."

(Whatever "prime-run" might be ...)


Have a nice day :)

Thomas
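Added example, not code from this thread or from the manual page: a small POSIX sh script that applies the lookup order quoted from kernel_lockdown(7) above (lsm= on the command line, then the deprecated security=, then CONFIG_LSM from the kernel .config) to a constructed command line, and with --live to the running kernel. It assumes the usual Debian/Ubuntu locations /proc/cmdline, /boot/config-$(uname -r) and the securityfs file /sys/kernel/security/lockdown; the sample command line and CONFIG_LSM value are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): reproduces the LSM list lookup order
# documented in kernel_lockdown(7) and reports whether "lockdown" is in it.
set -u

# resolve_lsm_order CMDLINE CONFIG_LSM
# Prints "<list> <source>"; source is cmdline:lsm, cmdline:security or CONFIG_LSM.
resolve_lsm_order() {
    cmdline=$1; config_lsm=$2
    for word in $cmdline; do
        case $word in lsm=*) printf '%s cmdline:lsm\n' "${word#lsm=}"; return ;; esac
    done
    for word in $cmdline; do
        case $word in security=*) printf '%s cmdline:security\n' "${word#security=}"; return ;; esac
    done
    printf '%s CONFIG_LSM\n' "$config_lsm"
}

# has_lockdown LIST: succeeds if the comma-separated LIST contains "lockdown".
has_lockdown() {
    case ",$1," in *,lockdown,*) return 0 ;; *) return 1 ;; esac
}

# config_lsm_value FILE: extract the value of CONFIG_LSM="..." from a kernel .config.
config_lsm_value() {
    sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p' "$1"
}

# report_live: apply the same logic to the running kernel (assumed Linux paths).
report_live() {
    cmdline=$(cat /proc/cmdline)
    built_in=$(config_lsm_value "/boot/config-$(uname -r)" 2>/dev/null)
    set -- $(resolve_lsm_order "$cmdline" "${built_in:-unknown}")
    echo "effective LSM list: $1 (from $2)"
    if has_lockdown "$1"; then echo "lockdown LSM: initialized"; else echo "lockdown LSM: not initialized"; fi
    # securityfs shows the active mode in brackets, e.g. "[none] integrity confidentiality"
    [ -r /sys/kernel/security/lockdown ] && echo "lockdown mode: $(cat /sys/kernel/security/lockdown)"
}

# Constructed sample: no lsm= and no security= on the command line, so the list
# comes from CONFIG_LSM, which is why no file on disk contains the "lsm=" string.
SAMPLE_CMDLINE="BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro quiet splash"
SAMPLE_CONFIG_LSM="lockdown,capability,landlock,yama,apparmor,ima,evm"
resolve_lsm_order "$SAMPLE_CMDLINE" "$SAMPLE_CONFIG_LSM"
if [ "${1-}" = "--live" ]; then report_live; fi
```

Run it with --live on the affected machine; when the list is reported as coming from CONFIG_LSM, the value was compiled into the kernel and overriding it means passing lsm= on the kernel command line rather than editing a file that does not exist.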

