Message in info of KDE (Sysinfo): event in August says: kernel not integer. - Apart from this no other warning received.
Eventi sicurezza host
2023-08-27 07:22:35: ✘ Il kernel non è integro

In English this is: security event host: the kernel isn't integer

Do I have to reinstall, what kind of problem could this be? I am also using a CPU based TPM (AMD) but the system says "no tpm". I did activate "reliable boot via UEFI" in Yast but the system claims that UEFI is not used... weird, because I did install with UEFI. So is this only false positives from the software or should I be alarmed and reinstall the system?
On Tuesday, 28 November 2023 12:39:58 CET, Stakanov wrote:
And I forgot, OS is Tumbleweed
On 2023-11-28 12:39, Stakanov wrote:
Eventi sicurezza host
2023-08-27 07:22:35: ✘ Il kernel non è integro
in English this is: security event host: the kernel isn't integer
I think it refers to integrity. Maybe because it is not using UEFI and certification failed.
-- Cheers / Saludos,
Carlos E. R.
(from openSUSE 15.5 (Laicolasse))
On Tuesday, 28 November 2023 14:39:20 CET, Carlos E. R. wrote:
On 2023-11-28 12:39, Stakanov wrote:
Eventi sicurezza host
2023-08-27 07:22:35: ✘ Il kernel non è integro
in English this is: security event host: the kernel isn't integer
I think it refers to integrity. Maybe because it is not using UEFI and certification failed.
-- Cheers / Saludos,
Carlos E. R.
(from openSUSE 15.5 (Laicolasse))
Do you happen to know in which partition the UEFI check does take place? I have grub on a disk /boot (raid) and the root on a separate raid. Now I do not know if this could cause the uefi check to have problems, but I admit the setup is maybe somewhat rare? Looks like this:

entropy@localhost:~> lsblk
NAME          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda             8:0    0 119,2G  0 disk
└─md127         9:127  0 119,2G  0 raid1
  └─md127p1   259:0    0   119G  0 part  /boot/efi
sdb             8:16   0 119,2G  0 disk
└─md127         9:127  0 119,2G  0 raid1
  └─md127p1   259:0    0   119G  0 part  /boot/efi
sdc             8:32   0   3,6T  0 disk
└─sdc1          8:33   0   3,6T  0 part
  └─md0         9:0    0   3,6T  0 raid1 /var/lib/libvirt
sdd             8:48   0 232,9G  0 disk
└─sdd1          8:49   0 232,9G  0 part
  └─md126       9:126  0 232,9G  0 raid1 /var
                                         /usr/local
                                         /root
                                         /srv
                                         /opt
                                         /boot/grub2/x86_64-efi
                                         /boot/grub2/i386-pc
                                         /.snapshots
                                         /
sde             8:64   0 232,9G  0 disk
└─sde1          8:65   0 232,9G  0 part
  └─md126       9:126  0 232,9G  0 raid1 /var
                                         /usr/local
                                         /root
                                         /srv
                                         /opt
                                         /boot/grub2/x86_64-efi
                                         /boot/grub2/i386-pc
                                         /.snapshots
                                         /
sdf             8:80   0   7,3T  0 disk
└─sdf1          8:81   0   7,3T  0 part
  └─md1         9:1    0   7,3T  0 raid1
    └─md1p1   259:1    0   7,3T  0 part  /home
sdg             8:96   0   7,3T  0 disk
└─sdg1          8:97   0   7,3T  0 part
  └─md1         9:1    0   7,3T  0 raid1
    └─md1p1   259:1    0   7,3T  0 part  /home
sdh             8:112  0   3,6T  0 disk
└─sdh1          8:113  0   3,6T  0 part
  └─md0         9:0    0   3,6T  0 raid1 /var/lib/libvirt
sdi             8:128  1     0B  0 disk
sdj             8:144  1     0B  0 disk
sdk             8:160  1     0B  0 disk
sdl             8:176  1     0B  0 disk

Do you see something looking odd?
On 2023-11-28 15:45, Stakanov wrote:
On Tuesday, 28 November 2023 14:39:20 CET, Carlos E. R. wrote:
On 2023-11-28 12:39, Stakanov wrote:
Eventi sicurezza host
2023-08-27 07:22:35: ✘ Il kernel non è integro
in English this is: security event host: the kernel isn't integer
I think it refers to integrity. Maybe because it is not using UEFI and certification failed.
Do you happen to know in which partition the UEFI check does take place?
During grub boot. Secure booting has to be enabled.
I have grub on a disk /boot (raid) and the root on a separate raid. Now I do not know if this could cause the uefi check to have problems, but I admit the setup is maybe somewhat rare? Looks like this:
Do you see something looking odd?
I don't know :-?
-- Cheers / Saludos,
Carlos E. R.
(from openSUSE 15.5 (Laicolasse))
On Tuesday, 28 November 2023 15:52:31 CET, Carlos E. R. wrote:
On 2023-11-28 15:45, Stakanov wrote:
On Tuesday, 28 November 2023 14:39:20 CET, Carlos E. R. wrote:
On 2023-11-28 12:39, Stakanov wrote:
Eventi sicurezza host
2023-08-27 07:22:35: ✘ Il kernel non è integro
in English this is: security event host: the kernel isn't integer
I think it refers to integrity. Maybe because it is not using UEFI and certification failed.
Do you happen to know in which partition the UEFI check does take place?
During grub boot.
Secure booting has to be enabled.
In Linux it is
I don't know :-?
-- Cheers / Saludos,
Carlos E. R.
(from openSUSE 15.5 (Laicolasse))
I will check if the BIOS settings are right
On Tue, 28 Nov 2023, 16:15:40 +0100, Stakanov wrote:
On Tuesday, 28 November 2023 15:52:31 CET, Carlos E. R. wrote:
[...] During grub boot. Secure booting has to be enabled.
In Linux it is
Are you sure? IIRC, secure boot has to be enabled explicitly. You can check your setting in /etc/sysconfig/boot:

$ grep SEC /etc/sysconfig/bootloader
SECURE_BOOT="no"

This is the setting on my systems. Again, I don't remember the default, but I'm doubtful it's "yes".

Cheers.
l8er manfred
On Tuesday, 28 November 2023 17:11:55 CET, Manfred Hollstein wrote:
On Tue, 28 Nov 2023, 16:15:40 +0100, Stakanov wrote:
On Tuesday, 28 November 2023 15:52:31 CET, Carlos E. R. wrote:
[...] During grub boot. Secure booting has to be enabled.
In Linux it is
Are you sure? IIRC, secure boot has to be enabled explicitly. You can check your setting in /etc/sysconfig/boot:
$ grep SEC /etc/sysconfig/bootloader
SECURE_BOOT="no"
This is the setting on my systems. Again, I don't remember the default, but I'm doubtful it's "yes".
Cheers.
l8er manfred
[sudo] password di root:
SECURE_BOOT="yes"

hence it is. I will have to check the BIOS (just searching for the password that I forgot lol, long time no use.....
On Tuesday, 28 November 2023 23:28:48 CET, Stakanov wrote:
On Tuesday, 28 November 2023 17:11:55 CET, Manfred Hollstein wrote:
On Tue, 28 Nov 2023, 16:15:40 +0100, Stakanov wrote:
On Tuesday, 28 November 2023 15:52:31 CET, Carlos E. R. wrote:
[...] During grub boot. Secure booting has to be enabled.
In Linux it is
Are you sure? IIRC, secure boot has to be enabled explicitly. You can check your setting in /etc/sysconfig/boot:
$ grep SEC /etc/sysconfig/bootloader
SECURE_BOOT="no"
This is the setting on my systems. Again, I don't remember the default, but I'm doubtful it's "yes".
Cheers.
l8er manfred
[sudo] password di root:
SECURE_BOOT="yes"
hence it is. I will have to check the BIOS (just searching for the password that I forgot lol, long time no use.....
More info (unfortunately copying from "info" (firmware security) does give all nefarious colour codes (no idea why)): If you happen to know with what command I can achieve the output from the command line I will provide. Interestingly the output is even a wild mix of German and Italian (which is my GUI language, why German does appear, it is nowhere set, root is EN, so no idea), which makes readability low even for me.

In synthesis it complains that the UEFI partition "may be set up wrongly" but does not provide details. It says TPM2 is not active (but it is). It says secureboot HSI 1 and HSI 2 information are wrong (TPM is active, the CPU is AMD socket 4, recognized normally in info and IOMMU is definitely active). As all this is wrong in the output, I doubt the issue is on my side but before filing a bug report maybe somebody knows if this software is maybe beta, or maybe is known to have issues? It sends you to GIT but in GIT I did not find anything usable (at least to my eyes). And that's all about it.

AVVERTENZA: Die UEFI-ESP-Partition ist möglicherweise nicht korrekt eingerichtet
Per maggiori informazioni, consultare https://github.com/fwupd/fwupd/wiki/PluginFlag:esp-not-valid.

ID sicurezza host: HSI:0! (v1.9.9)

HSI-1
✔ BIOS Firmware-Aktualisierungen: Abilitato
✔ Variabili bootservice UEFI: Bloccato
✘ CPU supportata: Non valido
✘ Piattaforma saldata: Sconosciuto
✘ TPM v2.0: Non trovato

HSI-2
✘ Debug piattaforma: Sconosciuto
✘ IOMMU: Non trovato
✘ Protezione scrittura SPI: Sconosciuto

HSI-3
✘ Protezione DMA pre-boot: Non valido
✘ Protezione replay SPI: Sconosciuto
✘ Suspend-to-idle: Disabilitato
✘ Suspend-to-ram: Abilitato

HSI-4
✘ Protezione rollback del processore: Sconosciuto
✘ RAM cifrata: Sconosciuto

Suffisso di runtime -!
✔ Plugin fwupd: Integro
✔ Swap Linux: Disabilitato
✘ Avvio sicuro UEFI: Disabilitato
✘ Kernel Linux: Non integro
✘ Lockdown kernel Linux: Disabilitato

Questo sistema ha un livello di sicurezza HSI basso.
 » https://fwupd.github.io/hsi.html#low-security-level

Questo sistema presenta dei problemi di runtime HSI.
 » https://fwupd.github.io/hsi.html#hsi-runtime-suffix

Eventi sicurezza host
2023-08-27 07:22:35: ✘ Il kernel non è integro
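Added example, not part of the original thread and not fwupd's own code: a read-only shell check of the values behind the runtime lines of the report above (boot mode, Secure Boot, lockdown, kernel taint). It assumes the "Kernel Linux: Non integro" line reflects a non-zero /proc/sys/kernel/tainted, as fwupd's HSI documentation describes the kernel check; the flag letters follow the kernel's tainted-kernels documentation, and the function names are chosen here for illustration.

```shell
#!/bin/sh
# Added example: decode the kernel taint bitmask and print the boot-security
# state of the running system. Read-only, no root needed.

# Taint flag letters in bit order 0..18 (kernel tainted-kernels documentation).
TAINT_FLAGS="P F S R M B U D A W C I O E L K X T N"

# decode_taint VALUE: print the letters of the set bits, or "clean" for 0.
# Example: 4097 = bit 0 (P, proprietary module) + bit 12 (O, out-of-tree module).
decode_taint() {
    value=$1
    out=""
    for flag in $TAINT_FLAGS; do
        if [ $((value & 1)) -eq 1 ]; then
            out="${out:+$out }$flag"
        fi
        value=$((value >> 1))
    done
    echo "${out:-clean}"
}

# report_state: show what the running kernel says about itself.
report_state() {
    if [ -d /sys/firmware/efi ]; then
        echo "boot mode : UEFI"
    else
        echo "boot mode : legacy BIOS (or EFI runtime services unavailable)"
    fi
    if command -v mokutil >/dev/null 2>&1; then
        echo "secureboot: $(mokutil --sb-state 2>&1 | head -n 1)"
    fi
    if [ -r /sys/kernel/security/lockdown ]; then
        echo "lockdown  : $(cat /sys/kernel/security/lockdown)"
    fi
    if [ -r /proc/sys/kernel/tainted ]; then
        t=$(cat /proc/sys/kernel/tainted)
        echo "tainted   : $t ($(decode_taint "$t"))"
    fi
}

report_state
```

The HSI report itself can be printed on the command line with `fwupdmgr security`. The `SECURE_BOOT="yes"` setting in /etc/sysconfig/bootloader is a bootloader configuration value; `mokutil --sb-state` reports what the firmware actually enforces.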
participants (3)
- Carlos E. R.
- Manfred Hollstein
- Stakanov