Hello Timothy, I did so. I used Debian Testing/Trixie, which I also use
on my current old system (build 2015) with apt pinning and everything...
The ISO I used was debian-live-testing-amd64-xfce.iso.
BR Christian
On Wed, Oct 30, 2024 at 10:58 AM Christian <ch...@argonautx.net> wrote:
Hi Thomas, thank you for your help. So far I couldn't see anything in my
cmdline which is kernel_lockdown related. And I grep'ed the whole /etc
and /boot directory recursively. Nothing. And neither in the dmesg,
there is no "lsm=" line. Only in the kernel .config is
CONFIG_SECURITY_LOCKDOWN=y, enabled. So yes the kernel supports it.
Debian Live boot system couldn't either boot up my new PC, but Ubuntu
did. WIth Ubuntu I was able to boot it with Desktop and everthing, but
they used Nouveu driver.
Try booting with Trixie (testing), https://www.debian.org/CD/live/ It may
just be that the stable kernel is simply too old for your hardware. I am
currently running Trixie and have not had any problems with it. If you do
install Trixie and it asks you if you want to install accesibility tools...
select NO! Otherwise it will install and run everything and you will waste
lots of time figuring out how to disable them.
And dmesg dumped this out:
[ 0.209551] LSM: initializing
lsm=lockdown,capability,landlock,yama,apparmor,ima,evm
I couldn't find out where this parameters are set. Even on the Ubuntu
Live system I didn't find a file with just one single line with the
words lsm= or lockdown (case insensitive)
Thank you
BR Christian
Hi,
Christian wrote:
[ 47.042454] Lockdown: Xorg: raw io port access is restricted; see
man kernel_lockdown.7
I think it's still SecureBoot, but what is it this time? Can anyone help
At least the above log snippet seems to be related to SecureBoot.
In
https://manpages.debian.org/bookworm/manpages/kernel_lockdown.7.en.html
i see
"On an EFI-enabled x86 or arm64 machine, lockdown will be
automatically
enabled if the system boots in EFI Secure Boot mode.
Coverage
When lockdown is in effect, a number of features are disabled or have
their use restricted. This includes special device files and kernel
services that allow direct access of the kernel image:"
[...]
NOTES
The Kernel Lockdown feature is enabled by
CONFIG_SECURITY_LOCKDOWN_LSM.
The lsm=lsm1,...,lsmN command line parameter controls the sequence
of
the initialization of Linux Security Modules. It must contain the
string lockdown to enable the Kernel Lockdown feature. If the
command
line parameter is not specified, the initialization falls back to
the
value of the deprecated security= command line parameter and further
to the value of CONFIG_LSM."
So i guess you have to look into your boot configuration for kernel
parameter "lockdown".
On
https://bbs.archlinux.org/viewtopic.php?id=290866
i see this statement by espritlibre:
"Re: Secure boot and Nvidia
i have secure boot enabled, but lockdown disabled (for another
reason). loading the nvidia module does taint the kernel, but loads
and work just fine with prime-run on a hybrid systme. i'm not signing
OOT modules, just kernel and efi stuff."
(Whatever "prime-run" might be ...)
Have a nice day :)
Thomas
