Kernel 6.4.3 comes with lockdown enabled
JFYI: Kernel 6.4.3-3.g5ab030f-default from Kernel:stable has lockdown enabled (i.e. "cat /sys/kernel/security/lockdown -> integrity"), which was announced some time ago. Since hibernation is not working in this case with secure boot enabled, is there any solution in sight? Thx. Regards, Frank
On 7/11/23 15:23, Frank Krüger wrote:
Is 6.4.3 the first kernel with this problem? What exactly is the problem? Could you be more specific? The best way to report such a bug would be to bisect the problem to find the exact commit that causes the failure. Larry
On 11.07.23 at 22:50, Larry Finger wrote:
See https://bugzilla.opensuse.org/show_bug.cgi?id=1208766#c3
Regards, Frank
On 7/11/23 16:12, Frank Krüger wrote:
You will need to wait a while. That series of patches is not in kernel 6.5.0-rc1, thus the earliest they will appear is likely kernel 6.6. Larry
Hi,
On Tue, Jul 11, 2023 at 04:35:21PM -0500, Larry Finger wrote:
Evan's patch set has been developed up to v5. Then he got suggestions about the security of PCR23. His idea is the following:
[PATCH v5 01/11] tpm: Add support for in-kernel resetting of PCRs Evan Green https://lore.kernel.org/lkml/20221111151451.v5.7.Ifff11e11797a1bde0297577ecb...
Hibernation dumps kernel space memory to keep it in a file. It's a dangerous function from a security point of view. If you have any opinion or concern against kernel upstream's implementation, please raise it on kernel upstream.
Before kernel upstream has an official solution, the only way to use hibernation is still to disable secure boot, just like what I did on one of my laptops.
Regards, Joey Lee
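The state check the thread relies on (reading /sys/kernel/security/lockdown) and the Secure Boot state that the workaround depends on can be read from sysfs and efivars; the following is an added diagnostic script, not code from the thread or from openSUSE, and it assumes the standard sysfs lockdown file format (all modes listed, active one in brackets) and the standard SecureBoot efivar layout (4 attribute bytes followed by one data byte).

```shell
#!/bin/sh
# Added example: report kernel lockdown mode, Secure Boot state, and whether
# hibernation is expected to be blocked. Assumed formats: the lockdown file
# reads e.g. "none [integrity] confidentiality"; the SecureBoot efivar holds
# 4 attribute bytes then one data byte (1 = enabled).

# lockdown_mode FILE: print the bracketed (active) mode, or "unknown".
lockdown_mode() {
    [ -r "$1" ] || { echo unknown; return 1; }
    mode=$(sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1")
    case "$mode" in
        none|integrity|confidentiality) echo "$mode" ;;
        *) echo unknown; return 1 ;;
    esac
}

# secure_boot_state FILE: print "enabled", "disabled" or "unknown" from the
# data byte that follows the 4-byte attribute header of the efivar.
secure_boot_state() {
    [ -r "$1" ] || { echo unknown; return 1; }
    byte=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown; return 1 ;;
    esac
}

# hibernation_verdict MODE: lockdown at "integrity" or above denies
# hibernation (the failure observed in the thread); "none" allows it.
hibernation_verdict() {
    case "$1" in
        integrity|confidentiality) echo blocked ;;
        none) echo allowed ;;
        *) echo unknown ;;
    esac
}

# Report for the running system (real sysfs/efivars paths; both may be absent
# on non-UEFI or non-lockdown kernels, in which case "unknown" is printed).
LOCKDOWN=/sys/kernel/security/lockdown
SB=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
mode=$(lockdown_mode "$LOCKDOWN" || true)
sb=$(secure_boot_state "$SB" || true)
echo "lockdown: $mode, secure boot: $sb, hibernation: $(hibernation_verdict "$mode")"
```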
On 12.07.23 at 06:47, joeyli wrote:
Thank you for the update and the comment at https://bugzilla.suse.com/show_bug.cgi?id=1208766#c12. Shouldn't we reopen the bug report to track this issue? Regards, Frank
On Wed, Jul 12, 2023 at 07:36:39AM +0200, Frank Krüger wrote:
Yes, feel free to reopen it for tracking status please. Thanks! Joey Lee
Hi Frank!
On Tue, 2023-07-11 at 22:23 +0200, Frank Krüger via openSUSE Factory wrote:
For clarification: In case hibernation no longer works with 6.4.x, it should be enough to turn off Secure Boot for the time being? Thanks, Adrian
On 13.07.23 at 11:24, Adrian Glaubitz wrote:
Of course, hibernation works fine with kernel lockdown and secure boot disabled. Hopefully, there will be an upstream fix in kernel >= 6.5.
Regards, Frank
participants (4)
- Adrian Glaubitz
- Frank Krüger
- joeyli
- Larry Finger