Bug 1658675

Summary: Fedora 29 - efi-lockdown patch causes -EPERM for some debugfs files even though CONFIG_LOCK_DOWN_KERNEL is not set
Product: [Fedora] Fedora
Reporter: IBM Bug Proxy <bugproxy>
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 29
CC: airlied, bskeggs, bugproxy, bugzilla, dan, dhowells, dominik, ewk, hannsj_uhl, hdegoede, ichavero, itamar, jarodwilson, jcline, jeremy, jforbes, jglisse, jkachuck, john.j5live, jonathan, josef, kernel-maint, linville, mchehab, mikhail.v.gavrilov, mjg59, steved
Hardware: All   
OS: Linux   
Fixed In Version: kernel-5.1.8-300.fc30 kernel-5.1.8-200.fc29
Last Closed: 2019-06-12 14:48:00 UTC
Bug Blocks: 1688305    

Description IBM Bug Proxy 2018-12-12 16:17:35 UTC

Comment 1 IBM Bug Proxy 2018-12-12 17:16:51 UTC
== Comment: #0 - Dominik Klein <dominik.klein.com> - 2018-12-10 04:15:39 ==
There seems to be a bug in the efi-lockdown patch as applied on top of vanilla for Fedora kernels starting with 4.16:
https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?id=848a1061b38f861a4a93aceff77738578e99bc28

The earliest kernel the problem was observed in is 4.16.3-200.fc27.s390x and it seems to be present in all kernels since (latest kernel checked was 4.19.6-300.fc29.s390x).

The problem is that part of the patch modifies kernel behavior independently of CONFIG_LOCK_DOWN_KERNEL being set or not, causing issues on two debugfs files on s390x.

Vasily Gorbik has already analyzed the problem and has posted a proposed fix here:
https://lkml.org/lkml/2018/11/21/634
https://lkml.org/lkml/2018/11/21/635

Comment 2 Dan Horák 2019-01-04 14:03:01 UTC
Adding David to CC explicitly, so he can review the proposed fix.

Comment 5 Mikhail 2019-01-16 16:35:34 UTC
*** Bug 1664012 has been marked as a duplicate of this bug. ***

Comment 6 Mikhail 2019-01-16 16:38:39 UTC
This issue also affects x86_64 hardware; for example, it doesn't allow reading debugfs for the umr tool, which debugs AMD GPUs.

Comment 7 IBM Bug Proxy 2019-01-18 10:10:30 UTC
------- Comment From dominik.klein.com 2019-01-18 05:02 EDT-------
Verified the fix with kernel-4.20.3-200.fc29. Couldn't verify for F28 since the fix doesn't seem to be contained in the latest Koji build there (kernel-4.19.16-200.fc28).

Comment 8 Justin M. Forbes 2019-01-18 12:37:53 UTC
Correct, it will land in F28 with the 4.20 rebases there, likely next week.

Comment 9 IBM Bug Proxy 2019-01-24 09:30:32 UTC
------- Comment From dominik.klein.com 2019-01-24 04:28 EDT-------
Verified for F28 as well with kernel-4.20.4-100.fc28 (from Koji).

Comment 10 Mikhail 2019-05-02 11:59:41 UTC
With the latest Fedora kernels I again get "Operation not permitted" when I try to access debugfs.

# cat /sys/kernel/debug/dri/0/amdgpu_gca_config | xxd -e -
cat: /sys/kernel/debug/dri/0/amdgpu_gca_config: Operation not permitted

[root@localhost app]# uname -r
5.1.0-0.rc7.git1.1.fc31.x86_64
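
A triage check for the symptom above, as an added example that is not part of the bug report or of the kernel patch: it separates an -EPERM seen while CONFIG_LOCK_DOWN_KERNEL is not set (the case this bug describes) from one seen on a kernel built with lockdown. The function names and the Fedora-style /boot/config-<release> path are assumptions.

```shell
#!/bin/sh
# Added example (constructed; helper names are hypothetical, not Fedora tooling).
# Assumes the kernel config is at /boot/config-<release>.

# Read one byte of file $1; print "ok", "eperm" or "other".
probe_read() {
    err=$(LC_ALL=C head -c 1 -- "$1" 2>&1 >/dev/null) && { echo ok; return; }
    case $err in
        *"Operation not permitted"*) echo eperm ;;
        *) echo other ;;
    esac
}

# Print "y", "n" or "unknown" for CONFIG_LOCK_DOWN_KERNEL in config file $1.
lockdown_config() {
    [ -r "$1" ] || { echo unknown; return; }
    if grep -q '^CONFIG_LOCK_DOWN_KERNEL=y$' "$1"; then echo y; else echo n; fi
}

# classify PROBE_RESULT CONFIG_FILE: combine the two observations.
classify() {
    case $1 in
        ok) echo "readable" ;;
        eperm)
            case $(lockdown_config "$2") in
                y) echo "eperm-lockdown-configured" ;;     # may be intended policy
                n) echo "eperm-without-lockdown-config" ;; # the behaviour reported here
                *) echo "eperm-config-unknown" ;;
            esac ;;
        *) echo "other-error" ;;
    esac
}

# Usage as root: sh triage.sh /sys/kernel/debug/dri/0/amdgpu_gca_config
if [ "$#" -gt 0 ]; then
    echo "$(uname -r): $(classify "$(probe_read "$1")" "/boot/config-$(uname -r)")"
fi
```

Probing the file itself is more reliable here than comparing kernel versions, since the thread shows the fix being present in one build and missing again after a later rebase.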

Comment 11 Dan Horák 2019-05-02 12:09:55 UTC
I suspect Vasily's changes got lost when the lockdown patchset was rebased mid-April.

IBM, could you work on upstreaming them again?

Comment 12 Mikhail 2019-05-02 21:54:57 UTC
(In reply to Dan Horák from comment #11)
> I suspect Vasily's changes got lost when the lockdown patchset was rebased mid-April.

I checked your assumption. And yes, after reverting commits 26a34633c242 and 4b5e4234be65 the problem was gone.

Comment 14 Chris Murphy 2019-06-06 21:27:25 UTC
(In reply to Dan Horák from comment #13)
> another report in
> https://lists.fedoraproject.org/archives/list/test@lists.fedoraproject.org/message/BWLWJXG3K25AWACNVKH46YM4PFHES4QR/

That is a Fedora Rawhide system:
kernel: efi: EFI v1.10 by Apple
5.2.0-0.rc3.git1.1.fc31.x86_64
Secure Boot is not available on this ancient pre-UEFI system


I have another computer running Fedora 30:
kernel: efi: EFI v2.40 by INSYDE Corp.
5.1.7-300.fc30.x86_64
# mokutil --sb-state
SecureBoot enabled

Comment 15 IBM Bug Proxy 2019-06-07 11:10:33 UTC
------- Comment From dominik.klein.com 2019-06-07 07:04 EDT-------
I just tried with rawhide. I manually applied the original patch from https://lkml.org/lkml/2018/11/21/635 on top of the prepped source tree from kernel-5.2.0-0.rc3.git0.1.fc31.src.rpm which worked just fine without any warnings and the resulting kernel doesn't exhibit the -EPERM issue. For now, could you make sure that it's included in the SRPMs again?

As far as upstreaming - where would be the right place to get this fixed at the source? Where do you source it from for your efi-lockdown patchset?

Comment 16 IBM Bug Proxy 2019-06-07 11:20:21 UTC
------- Comment From dominik.klein.com 2019-06-07 07:18 EDT-------
If I'm reading this correctly, "debugfs: Restrict debugfs when the kernel is locked down" is authored by David Howells. Could we get him in on this discussion so that he could fix the bug in his original patch? That way we hopefully wouldn't have to revisit this yet again in the future.

Comment 17 Dan Horák 2019-06-07 11:24:04 UTC
Jeremy already committed the fix in all branches (https://src.fedoraproject.org/rpms/kernel/c/228a4ee828871783564b53c5fa20d4079c5aeb03?branch=master), so next builds will contain it.

Jeremy (and co), please see the upstreaming question in comment #15/#16.

Comment 18 Jeremy Cline 2019-06-07 14:59:52 UTC
(In reply to IBM Bug Proxy from comment #15)
> ------- Comment From dominik.klein.com 2019-06-07 07:04 EDT-------
> As far as upstreaming - where would be the right place to get this fixed at
> the source? Where do you source it from for your efi-lockdown patchset?

The latest pull requests have come from Matthew Garrett from the lock_down branch of https://github.com/mjg59/linux. He'd probably be the best person to contact with this fix.

Comment 19 Fedora Update System 2019-06-10 15:19:55 UTC
FEDORA-2019-c03eda3cc6 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-c03eda3cc6

Comment 20 Fedora Update System 2019-06-10 15:19:56 UTC
FEDORA-2019-83858fc57b has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-83858fc57b

Comment 21 Fedora Update System 2019-06-11 01:19:18 UTC
kernel-5.1.8-300.fc30, kernel-headers-5.1.8-300.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-c03eda3cc6

Comment 22 Fedora Update System 2019-06-11 01:45:37 UTC
kernel-5.1.8-200.fc29, kernel-headers-5.1.8-200.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-83858fc57b

Comment 23 IBM Bug Proxy 2019-06-11 12:02:11 UTC
------- Comment From dominik.klein.com 2019-06-11 07:51 EDT-------
Can confirm that the problem is fixed with the Testing kernels for F29 and F30 as well as in rawhide.

kernel-core-5.1.6-200.fc29.s390x: doesn't work
kernel-core-5.1.8-200.fc29.s390x: works

kernel-core-5.1.7-300.fc30.s390x: doesn't work
kernel-core-5.1.8-300.fc30.s390x: works

kernel-core-5.2.0-0.rc3.git3.1.fc31.s390x: works

Comment 24 Fedora Update System 2019-06-12 14:48:00 UTC
kernel-5.1.8-300.fc30, kernel-headers-5.1.8-300.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2019-06-13 01:38:26 UTC
kernel-5.1.8-200.fc29, kernel-headers-5.1.8-200.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.