[Bug 1194332] New: kernel lsm boot parameter needs lsm=integrity to use IMA
https://bugzilla.suse.com/show_bug.cgi?id=1194332 Bug ID: 1194332 Summary: kernel lsm boot parameter needs lsm=integrity to use IMA Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Bootloader Assignee: screening-team-bugs@suse.de Reporter: petr.vorel@suse.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Build 20211229 added 'lsm=apparmor' as a kernel parameter into GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub. Please change it to 'lsm=integrity,apparmor' to allow using IMA (e.g. 'ima_policy=tcb' kernel parameter). That avoids kernel oops breaking boot [1]: [ 1.210321][ T1] Kernel panic - not syncing: integrity_inode_get: lsm=integrity required. [ 1.212119][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.12-1-default #1 openSUSE Tumbleweed dacaf19d133e8023737b25567dc90a32d973f26e [ 1.215246][ T1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014 [ 1.218496][ T1] Call Trace: [ 1.219715][ T1] <TASK> [ 1.220844][ T1] dump_stack_lvl+0x46/0x5a [ 1.222144][ T1] panic+0xf3/0x2cb [ 1.223326][ T1] integrity_inode_get.cold+0x13/0x13 [ 1.224710][ T1] process_measurement+0x86e/0x960 [ 1.226069][ T1] ? aa_file_perm+0x112/0x480 [ 1.227359][ T1] ? select_task_rq_fair+0x15a/0x1350 [ 1.228744][ T1] ? __kernel_read+0x14a/0x2d0 [ 1.230068][ T1] ? profile_signal_perm.part.0+0x91/0xb0 [ 1.231516][ T1] ima_bprm_check+0x55/0xb0 [ 1.232810][ T1] bprm_execve+0x22a/0x660 [ 1.234104][ T1] ? rest_init+0xc0/0xc0 [ 1.235372][ T1] kernel_execve+0x12e/0x1b0 [ 1.236689][ T1] kernel_init+0x76/0x120 [ 1.237982][ T1] ret_from_fork+0x22/0x30 [ 1.239278][ T1] </TASK> [ 1.240462][ T1] Kernel Offset: 0x7600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 1.243605][ T1] Rebooting in 90 seconds.. [1] https://openqa.opensuse.org/tests/2122167#step/boot_ltp/13 -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1194332
Petr Vorel
https://bugzilla.suse.com/show_bug.cgi?id=1194332
Chenzi Cao
https://bugzilla.suse.com/show_bug.cgi?id=1194332
https://bugzilla.suse.com/show_bug.cgi?id=1194332#c1
--- Comment #1 from Petr Vorel
https://bugzilla.suse.com/show_bug.cgi?id=1194332
Petr Vorel
https://bugzilla.suse.com/show_bug.cgi?id=1194332
Lukas Ocilka
https://bugzilla.suse.com/show_bug.cgi?id=1194332
Knut Alejandro Anderssen Gonz�lez
https://bugzilla.suse.com/show_bug.cgi?id=1194332
lili zhao
https://bugzilla.suse.com/show_bug.cgi?id=1194332
https://bugzilla.suse.com/show_bug.cgi?id=1194332#c3
Knut Alejandro Anderssen Gonz�lez
https://bugzilla.suse.com/show_bug.cgi?id=1194332
Petr Vorel
https://bugzilla.suse.com/show_bug.cgi?id=1194332
Petr Vorel
https://bugzilla.suse.com/show_bug.cgi?id=1194332
Johannes Segitz
participants (1)
-
bugzilla_noreply@suse.com