Kernel 6.4.3 comes with lockdown enabled
JFYI: Kernel 6.4.3-3.g5ab030f-default from Kernel:stable has lockdown enabled (i.e. "cat /sys/kernel/security/lockdown -> integrity"), which was announced some time ago. Since hibernation is not working in this case with secure boot enabled, is there any solution in sight? Thx. Regards, Frank
Frank Krüger wrote:
JFYI: Kernel 6.4.3-3.g5ab030f-default from Kernel:stable has lockdown enabled (i.e. "cat /sys/kernel/security/lockdown -> integrity"), which was announced some time ago. Since hibernation is not working in this case with secure boot enabled, is there any solution in sight? Thx. Regards, Frank Frank Krüger wrote: JFYI: Kernel 6.4.3-3.g5ab030f-default from Kernel:stable has lockdown enabled (i.e. "cat /sys/kernel/security/lockdown -> integrity"), which was announced some time ago. Since hibernation is not working in this case with secure boot enabled, is there any solution in sight? Thx. For an update, see https://bugzilla.suse.com/show_bug.cgi?id=1208766#c12
Regards, Frank
Hi Frank! On Tue, 2023-07-11 at 22:23 +0200, Frank Krüger via openSUSE Factory wrote:
JFYI: Kernel 6.4.3-3.g5ab030f-default from Kernel:stable has lockdown enabled (i.e. "cat /sys/kernel/security/lockdown -> integrity"), which was announced some time ago.
Since hibernation is not working in this case with secure boot enabled, is there any solution in sight? Thx.
For clarification: In case hibernation no longer works with 6.4.x, it should be enough to turn off Secure Boot for the time being? Thanks, Adrian
Am 13.07.23 um 11:24 schrieb Adrian Glaubitz:
Hi Frank!
On Tue, 2023-07-11 at 22:23 +0200, Frank Krüger via openSUSE Factory wrote:
JFYI: Kernel 6.4.3-3.g5ab030f-default from Kernel:stable has lockdown enabled (i.e. "cat /sys/kernel/security/lockdown -> integrity"), which was announced some time ago.
Since hibernation is not working in this case with secure boot enabled, is there any solution in sight? Thx.
For clarification: In case hibernation no longer works with 6.4.x, it should be enough to turn off Secure Boot for the time being?
Thanks, Adrian Of course, hibernation works fine with kernel lockdown and secure boot disabled. Hopefully, there will be an upstream fix in kernel >= 6.5.
Regards, Frank
On 7/11/2023 14:23, Frank Krüger via openSUSE Factory wrote:
JFYI: Kernel 6.4.3-3.g5ab030f-default from Kernel:stable has lockdown enabled (i.e. "cat /sys/kernel/security/lockdown -> integrity"), which was announced some time ago.
So now that it has arrived, does this have any impact for non-UEFI or non-secure boot? I do not have UEFI (and thus no secure boot), but I do have the following in dmesg: r8168: loading out-of-tree module taints kernel. r8168: module verification failed: signature and/or required key missing - tainting kernel Will I have problems when I dup to the new kernel? -- Jason Craig
Am 23.07.23 um 02:39 schrieb Jason Craig:
On 7/11/2023 14:23, Frank Krüger via openSUSE Factory wrote:
JFYI: Kernel 6.4.3-3.g5ab030f-default from Kernel:stable has lockdown enabled (i.e. "cat /sys/kernel/security/lockdown -> integrity"), which was announced some time ago.
So now that it has arrived, does this have any impact for non-UEFI or non-secure boot? I do not have UEFI (and thus no secure boot), but I do have the following in dmesg:
r8168: loading out-of-tree module taints kernel. r8168: module verification failed: signature and/or required key missing - tainting kernel
Will I have problems when I dup to the new kernel? You can follow the "lockdown issue" at https://bugzilla.suse.com/show_bug.cgi?id=1208766. As for r8168, cf. https://bugzilla.opensuse.org/show_bug.cgi?id=1213491; https://bugzilla.kernel.org/show_bug.cgi?id=217596.
Regards, Frank
participants (3)
-
Adrian Glaubitz
-
Frank Krüger
-
Jason Craig