On Thu, Jun 29, 2023 at 09:59:36AM +0200, Jiri Slaby wrote:
Hi,
Kernel 6.4 is submitted to factory as SR#1095360. It will take some time for us to fix all of 6.4's fallout. But once it is merged, lockdown will be enabled in Tumbleweed again.
For all the details, see Joey's e-mail below.
(You can test the kernel in Kernel:stable, if you are not sure everything is going to work for you.)
Just did a test with the NVIDIA proprietary driver. The kernel update from Kernel:stable triggers a rebuild of the modules and signs them, as expected. After boot you can accept the new certificate. Reboot again and the nvidia modules are working with Kernel 6.4. Desktop works, glxinfo and vulkaninfo do. So it looks good from my side.
Thanks,
Stefan
On 08. 06. 23, 6:54, joeyli via openSUSE Factory wrote:
Hi folks,
After testing the NVIDIA kmp with the lockdown kernel, the lockdown function is enabled in the master branch of the openSUSE Tumbleweed kernel again. (It is already enabled in the SLE and Leap kernels.)
The following patches are unmarked:
patches.suse/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-down.patch
patches.suse/0002-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-boot-mode.patch
patches.suse/0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mode.patch
patches.suse/0004-efi-Lock-down-the-kernel-at-the-integrity-level-if-b.patch
patches.suse/arm64-lock-down-kernel-in-secure-boot-mode.patch
The following configs are enabled. They will load the MOK (machine owner key) into the kernel keyring:
CONFIG_IMA_ARCH_POLICY=y
CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
The following downstream config is enabled on x86_64 and aarch64. It connects the lockdown function with the secure boot option in the EFI firmware:
CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
The kernel will be set to integrity lockdown mode when secure boot is enabled:
linux/security.h

    enum lockdown_reason {
        LOCKDOWN_NONE,
        LOCKDOWN_MODULE_SIGNATURE,      // kernel module verification
        LOCKDOWN_DEV_MEM,
        LOCKDOWN_EFI_TEST,
        LOCKDOWN_KEXEC,
        LOCKDOWN_HIBERNATION,
        LOCKDOWN_PCI_ACCESS,
        LOCKDOWN_IOPORT,
        LOCKDOWN_MSR,
        LOCKDOWN_ACPI_TABLES,
        LOCKDOWN_DEVICE_TREE,
        LOCKDOWN_PCMCIA_CIS,
        LOCKDOWN_TIOCSSERIAL,
        LOCKDOWN_MODULE_PARAMETERS,
        LOCKDOWN_MMIOTRACE,
        LOCKDOWN_DEBUGFS,               // restricted debugfs
        LOCKDOWN_XMON_WR,
        LOCKDOWN_BPF_WRITE_USER,        // BPF write
        LOCKDOWN_DBG_WRITE_KERNEL,
        LOCKDOWN_RTAS_ERROR_INJECTION,
        LOCKDOWN_INTEGRITY_MAX,         // integrity mode
        LOCKDOWN_KCORE,
        LOCKDOWN_KPROBES,
        LOCKDOWN_BPF_READ_KERNEL,       // BPF read
        LOCKDOWN_DBG_READ_KERNEL,
        LOCKDOWN_PERF,
        LOCKDOWN_TRACEFS,
        LOCKDOWN_XMON_RW,
        LOCKDOWN_XFRM_SECRET,
        LOCKDOWN_CONFIDENTIALITY_MAX,   // confidentiality mode
    };
As you can see, kernel module verification will be enabled, so please sign your self-built kernel modules. You can refer to this section of the openSUSE UEFI wiki page:
https://en.opensuse.org/openSUSE:UEFI#Signing_kernel_module_for_verification
Please enroll your key to MOK by mokutil.
If you don't use shim (e.g. a systemd-boot/dracut solution), I have created bug bsc#1211224. Currently we do not support it with secure boot. Let's discuss it in bsc#1211224.
Regards,
Joey Lee
regards,
-- 
js
suse labs
-- 
Regards,
Stefan Dirsch
Public Key available
------------------------------------------------------
Stefan Dirsch (Res. & Dev.)     SUSE Software Solutions Germany GmbH
Tel: 0911-740 53 0              Frankenstraße 146
FAX: 0911-740 53 479            D-90461 Nürnberg
http://www.suse.de              Germany
----------------------------------------------------------------
Geschäftsführer: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman
(HRB 36809, AG Nürnberg)
----------------------------------------------------------------
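An added example, not from the thread or from the openSUSE kernel tree: a user-space model of the decision that Joey's enum drives, so you can see which operations integrity mode actually refuses and which it still allows. The enum is the one quoted from linux/security.h; the comparison (refuse when the active level is greater than or equal to the reason) is how lockdown_is_locked_down() in security/lockdown/lockdown.c behaves. The parser for the /sys/kernel/security/lockdown format, the constructed "none [integrity] confidentiality" sample string and the table of checks are assumptions made here for the demonstration.

```c
/* Added example (not from the thread or the kernel): model of the lockdown
 * check.  Enum copied from linux/security.h; comparison as in
 * lockdown_is_locked_down(); parser, sample string and table constructed. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum lockdown_reason {
    LOCKDOWN_NONE,
    LOCKDOWN_MODULE_SIGNATURE,
    LOCKDOWN_DEV_MEM,
    LOCKDOWN_EFI_TEST,
    LOCKDOWN_KEXEC,
    LOCKDOWN_HIBERNATION,
    LOCKDOWN_PCI_ACCESS,
    LOCKDOWN_IOPORT,
    LOCKDOWN_MSR,
    LOCKDOWN_ACPI_TABLES,
    LOCKDOWN_DEVICE_TREE,
    LOCKDOWN_PCMCIA_CIS,
    LOCKDOWN_TIOCSSERIAL,
    LOCKDOWN_MODULE_PARAMETERS,
    LOCKDOWN_MMIOTRACE,
    LOCKDOWN_DEBUGFS,
    LOCKDOWN_XMON_WR,
    LOCKDOWN_BPF_WRITE_USER,
    LOCKDOWN_DBG_WRITE_KERNEL,
    LOCKDOWN_RTAS_ERROR_INJECTION,
    LOCKDOWN_INTEGRITY_MAX,        /* reasons above: integrity mode */
    LOCKDOWN_KCORE,
    LOCKDOWN_KPROBES,
    LOCKDOWN_BPF_READ_KERNEL,
    LOCKDOWN_DBG_READ_KERNEL,
    LOCKDOWN_PERF,
    LOCKDOWN_TRACEFS,
    LOCKDOWN_XMON_RW,
    LOCKDOWN_XFRM_SECRET,
    LOCKDOWN_CONFIDENTIALITY_MAX,  /* reasons above: confidentiality mode */
};

/* Active level, like kernel_locked_down in the kernel: LOCKDOWN_NONE,
 * LOCKDOWN_INTEGRITY_MAX or LOCKDOWN_CONFIDENTIALITY_MAX. */
static enum lockdown_reason kernel_locked_down = LOCKDOWN_NONE;

/* Like lock_kernel_down(): the level can only be raised, never lowered. */
static void lock_kernel_down(enum lockdown_reason level)
{
    if (level > kernel_locked_down)
        kernel_locked_down = level;
}

/* The LSM decision: -EPERM if 'what' is restricted at the current level,
 * 0 if allowed.  Callers never query LOCKDOWN_NONE itself. */
static int locked_down(enum lockdown_reason what)
{
    if (what >= LOCKDOWN_CONFIDENTIALITY_MAX)  /* invalid reason: refuse */
        return -EPERM;
    if (kernel_locked_down >= what)
        return -EPERM;
    return 0;
}

/* Parse what /sys/kernel/security/lockdown reports, e.g.
 * "none [integrity] confidentiality\n" (brackets mark the active level).
 * Returns the matching level, or -1 if the line does not parse. */
static int parse_lockdown_state(const char *line)
{
    const char *open = strchr(line, '[');
    const char *close = open ? strchr(open, ']') : NULL;
    size_t n;

    if (!open || !close)
        return -1;
    n = (size_t)(close - open - 1);
    if (n == 4 && !strncmp(open + 1, "none", n))
        return LOCKDOWN_NONE;
    if (n == 9 && !strncmp(open + 1, "integrity", n))
        return LOCKDOWN_INTEGRITY_MAX;
    if (n == 15 && !strncmp(open + 1, "confidentiality", n))
        return LOCKDOWN_CONFIDENTIALITY_MAX;
    return -1;
}

int main(void)
{
    /* Constructed sample of a Secure Boot system with
     * CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y; on a real box read the file. */
    const char *sysfs_sample = "none [integrity] confidentiality\n";
    static const struct { enum lockdown_reason what; const char *desc; } checks[] = {
        { LOCKDOWN_MODULE_SIGNATURE, "load an unsigned module" },
        { LOCKDOWN_DEV_MEM,          "write to /dev/mem" },
        { LOCKDOWN_KEXEC,            "kexec an unverified image" },
        { LOCKDOWN_KCORE,            "read /proc/kcore" },
        { LOCKDOWN_PERF,             "perf read of kernel memory" },
    };
    int level = parse_lockdown_state(sysfs_sample);
    size_t i;

    if (level < 0) {
        fprintf(stderr, "unrecognised lockdown state: %s", sysfs_sample);
        return 1;
    }
    lock_kernel_down((enum lockdown_reason)level);
    for (i = 0; i < sizeof checks / sizeof checks[0]; i++)
        printf("%-28s %s\n", checks[i].desc,
               locked_down(checks[i].what) == -EPERM ? "restricted" : "allowed");
    return 0;
}
```

Build with `cc -Wall -o lockdown_model lockdown_model.c` and run it; with the integrity sample it reports module loading, /dev/mem and kexec as restricted while /proc/kcore and perf stay allowed, which is exactly the distinction between the two *_MAX markers in the enum. To check a live machine, feed it the contents of /sys/kernel/security/lockdown instead of the sample string.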