[Bug 1234646] New: Lockdown is not activated with Secure Boot in kernel 6.12

https://bugzilla.suse.com/show_bug.cgi?id=1234646

            Bug ID: 1234646
           Summary: Lockdown is not activated with Secure Boot in kernel 6.12
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Slowroll
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Kernel
          Assignee: jlee@suse.com
          Reporter: arvidjaar@gmail.com
        QA Contact: qa-bugs@suse.de
                CC: jslaby@suse.com
  Target Milestone: ---
          Found By: ---
           Blocker: ---

Kernel 6.12 moved initialization of lockdown LSM after arch setup. SUSE kernel tries to activate lockdown in arch setup if Secure Boot is detected which does not work anymore.

The upstream commit:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/in...

See also the mailing list thread:
https://lists.opensuse.org/archives/list/kernel@lists.opensuse.org/thread/IK...

--
You are receiving this mail because:
You are on the CC list for the bug.
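A check for the symptom reported above, as an added example that is not part of the bug report or of the SUSE kernel: it compares the SecureBoot EFI variable with the active mode in /sys/kernel/security/lockdown and exits non-zero when Secure Boot is enabled but lockdown is none. The function names are this example's own, and it assumes securityfs and efivarfs are mounted at their usual paths.

```python
#!/usr/bin/env python3
"""Flag a booted system where UEFI Secure Boot is on but kernel lockdown is off."""
import re
import sys
from pathlib import Path

LOCKDOWN = Path("/sys/kernel/security/lockdown")
# SecureBoot variable under the EFI global-variable GUID, as exposed by efivarfs.
SECUREBOOT = Path("/sys/firmware/efi/efivars/"
                  "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")


def active_lockdown(text):
    """Return the bracketed (active) mode from the lockdown file, e.g. 'none'."""
    m = re.search(r"\[(\w+)\]", text)
    if m is None:
        raise ValueError(f"no active mode in {text!r}")
    return m.group(1)


def secure_boot_enabled(raw):
    """efivarfs puts 4 attribute bytes before the value; the data byte is 1 when enabled."""
    if len(raw) < 5:
        raise ValueError("SecureBoot variable too short")
    return raw[4] == 1


def assess(lockdown_text, secureboot_raw):
    """Return (ok, message); secureboot_raw is None when the variable is absent."""
    mode = active_lockdown(lockdown_text)
    if secureboot_raw is None or not secure_boot_enabled(secureboot_raw):
        return True, f"Secure Boot off or not present; lockdown={mode}"
    if mode == "none":
        return False, "Secure Boot enabled but lockdown=none"
    return True, f"Secure Boot enabled, lockdown={mode}"


def main():
    try:
        lockdown_text = LOCKDOWN.read_text()
    except OSError as exc:  # securityfs not mounted or lockdown LSM not built in
        print(f"cannot read {LOCKDOWN}: {exc}", file=sys.stderr)
        return 2
    raw = SECUREBOOT.read_bytes() if SECUREBOOT.exists() else None
    ok, msg = assess(lockdown_text, raw)
    print(msg)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```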

https://bugzilla.suse.com/show_bug.cgi?id=1234646
https://bugzilla.suse.com/show_bug.cgi?id=1234646#c2

--- Comment #2 from Joey Lee <jlee@suse.com> ---
My plan is that we also use subsys_initcall(arm64_kernel_lockdown) on x86_64. Based on the dmesg log, the place is still earlier than hibernation, which is the first locked-down function when the kernel is booting:

[ 0.023049] [ T0] setup_arch() end
[ 0.023051] [ T0] lockdown_lsm_init <-- lockdown=integrity kernel parameter start the locking here
...
[ 0.525716] [ T1] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7 <-- subsys_initcall(arm64_kernel_lockdown), secure boot start the locking here
...
[ 1.169608] [ T1] Lockdown: swapper/0: hibernation is restricted; see man kernel_lockdown.7 <-- hibernation, the first locked-down function when booting
...
[ 2.632957] [ T532] Lockdown: systemd-hiberna: hibernation is restricted; see man kernel_lockdown.7
...
[ 6.487955] [ T1015] Lockdown: numlockbios: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7

https://bugzilla.suse.com/show_bug.cgi?id=1234646

Frank Krüger <fkrueger@mailbox.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fkrueger@mailbox.org

https://bugzilla.suse.com/show_bug.cgi?id=1234646
https://bugzilla.suse.com/show_bug.cgi?id=1234646#c4

--- Comment #4 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1234646) was mentioned in
https://build.opensuse.org/request/show/1232651 Factory / kernel-source