Re: Build 20230505 Kernel LockDown
On 08.05.2023 17:29, Joe Salmeri wrote:
Hi Andrei
On 5/8/23 00:50, Andrei Borzenkov wrote:
On 07.05.2023 21:25, Joe Salmeri wrote:
I just updated from 20230413 to 20230505 and after rebooting vmware kernel modules ( after recompiling for kernel 6.3.1-1 ) would not load.
modprobe: ERROR: could not insert 'vmmon': Key was rejected by service
modprobe: ERROR: could not insert 'vmnet': Key was rejected by service
Post kernel messages (dmesg output) at the time when you see this error. Even better in such cases is to provide full dmesg output.
I interpreted the 2 modprobe messages to indicate that since the 2 vmware modules were not signed they were rejected.
The same errors were thrown in my test environment and in my main desktop.
As a test for you, I recompiled both modules again in my test environment, but this time I did NOT sign them.
I ran 'journalctl -k -xef' in one konsole session and in another konsole session I ran 'systemctl start vmware'
The only 2 messages that were displayed were
May 08 10:17:56 Test-VM: Loading of unsigned module is rejected
May 08 10:17:56 Test-VM: Loading of unsigned module is rejected
So that seems to indicate that the kernel was changed back to requiring signed modules.
Yes, although it probably is not exactly lockdown. It is due to CONFIG_IMA_ARCH_POLICY=y which was set by this commit:

commit 90a46594a115a4abf9381bd4c327fd875ac0da0b
Author: Lee, Chun-Yi <jlee@suse.com>
Date:   Thu Mar 9 13:25:10 2023 +0800

    Update config files.

    Add the following config to x86_64, arm64 and i386.

    CONFIG_IMA_ARCH_POLICY=y
    CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y

    This config be used to detect secure boot. (bsc#1209006)

There is no way to override it at run time (except disabling secure boot).

Cc kernel.
If I boot back to the previous kernel which was 6.2.10-1, then the unsigned vmware modules load fine.
If I follow the steps in my original message and sign the vmware modules, then kernel 6.3.1.1 loads the modules, the service starts and vmware works.
I have not seen an announcement regarding kernel lockdown being enabled.
Where do you see any indication of kernel lockdown?
Everything I had noted from the last time that kernel lockdown was enabled, indicates that it is NOT locked down with 6.3.1-1.
I don't understand why everything indicates that lockdown is NOT enabled, however, the actual messages from the journal/dmesg indicate that unsigned modules can no longer be loaded with the 6.3.1-1 kernel and signing them allows them to load so clearly something changed.
Maybe they found a way to deal with the previous issues that occurred back with the 6.2 kernel where lockdown would not allow signing with secondary keys and loading the modules?
Hopefully Jira will see these messages and chime in....
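A set of POSIX shell helpers, added here as an example and not taken from the thread or from any kernel or openSUSE tool, to tell the three things apart that this thread conflates: the lockdown mode, module signature enforcement (which the IMA arch policy switches on under Secure Boot and which cannot be turned off at run time), and whether a given .ko actually carries an appended signature. The sysfs/securityfs paths are the kernel's standard ones; every function accepts an alternative path as its first argument so it can be pointed at a test file.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the thread). With CONFIG_IMA_ARCH_POLICY=y
# the kernel enables module signature enforcement when Secure Boot is on, the
# same state as booting with module.sig_enforce=1, independent of lockdown.

# Print the active lockdown mode. The file reads e.g.
# "[none] integrity confidentiality"; the bracketed word is the one in force.
lockdown_mode() {
    f="${1:-/sys/kernel/security/lockdown}"
    [ -r "$f" ] || { echo unknown; return 1; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f"
}

# Return 0 if signature enforcement is on (sysfs shows "Y"). A Secure Boot
# system with the IMA arch policy shows Y even while lockdown reports "none".
module_sig_enforced() {
    f="${1:-/sys/module/module/parameters/sig_enforce}"
    [ -r "$f" ] && [ "$(cat "$f")" = Y ]
}

# Return 0 if the loaded IMA policy has a rule for module loading, which the
# built-in Secure Boot arch policy installs.
ima_policy_covers_modules() {
    f="${1:-/sys/kernel/security/ima/policy}"
    [ -r "$f" ] && grep -q 'func=MODULE_CHECK' "$f"
}

# Return 0 if the (uncompressed) .ko ends with the kernel's 28-byte
# appended-signature marker written by scripts/sign-file.
module_is_signed() {
    tail -c 28 "$1" | grep -q '~Module signature appended~'
}

# Count "Loading of unsigned module is rejected" lines in kernel log text on
# stdin, e.g. journalctl -k | count_unsigned_rejections. Always prints a number.
count_unsigned_rejections() {
    grep -c 'Loading of unsigned module is rejected' || true
}

# One-screen summary for a module file, e.g. module_load_report vmmon.ko
module_load_report() {
    echo "lockdown:        $(lockdown_mode)"
    echo "sig_enforce:     $(module_sig_enforced && echo yes || echo no)"
    echo "ima module rule: $(ima_policy_covers_modules && echo yes || echo no)"
    echo "$1 signed:       $(module_is_signed "$1" && echo yes || echo no)"
}
```

Source the file and run `module_load_report /path/to/vmmon.ko` (after decompressing a .ko.zst or .ko.xz); "sig_enforce: yes" together with "signed: no" is exactly the combination that produces "Key was rejected by service".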