Bug 2333706
| Summary: | Kernel 6.12.6 kernel lockdown disabled | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | grumpey0 | ||||
| Component: | kernel | Assignee: | Kernel Maintainer List <kernel-maint> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | 41 | CC: | acaringi, adscvr, airlied, alciregi, alex, asn, bskeggs, carnil, hdegoede, hpa, jforbes, josef, kernel-maint, larouxn, linville, masami256, mcascell, mchehab, noamraz8, ptalbert, steved, suraj.ghimire7, travier, vg.aetera | ||||
| Target Milestone: | --- | Keywords: | Regression, Security | ||||
| Target Release: | --- | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | kernel-6.12.15-100.fc40 kernel-6.12.15-200.fc41 | Doc Type: | If docs needed, set a value | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2025-02-20 02:27:04 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 2345615 | ||||||
| Attachments: |
|
||||||
|
Description
grumpey0
2024-12-21 22:59:11 UTC
Created attachment 2063450 [details]
Journal of 6.12.6 booting with lsm.debug set on the kernel.
Linux Kernel 6.11.11-300.fc41.x86_64 cat /sys/kernel/security/lockdown none [integrity] confidentiality After `dnf upgrade --refresh` and which installs Linux Kernel 6.12.8-200.fc41.x86_64 as of today: cat /sys/kernel/security/lockdown [none] integrity confidentiality Just noticed this on my machine as well with kernel 6.12.9-200.fc41.x86_64.
I've poked around a bit and am pretty sure the culprit is upstream commit
77b644c39d6a ("init/main.c: Initialize early LSMs after arch code, static
keys and calls."). That moved the call to early_security_init() to after
setup_arch(), but the downstream lockdown-on-secure-boot patch calls the
lockdown hook immediately after setting `EFI_SECURE_BOOT` there.
Basically, it looks like the lockdown hook is now invoked before lockdown has
even been registered.
Right, this is being looked at, the timing was just not particularly good as everything was blowing up at once. In the meantime, the kernel command line options and runtime enable should work (runtime disable still does not by design). Thanks, Justin! I can confirm that runtime enable works with at least 6.12.11: # uname -r 6.12.11-200.fc41.x86_64 # cat /sys/kernel/security/lockdown [none] integrity confidentiality # echo integrity > /sys/kernel/security/lockdown # cat /sys/kernel/security/lockdown none [integrity] confidentiality # dmesg |tail -n 1 [ 2227.603314] Kernel is locked down from securityfs; see man kernel_lockdown.7 # fwupdmgr security ... Runtime Suffix -! ✔ fwupd plug-ins: Untainted ✔ Linux kernel lockdown: Enabled ✔ Linux swap: Encrypted ✔ Linux kernel: Untainted FEDORA-2025-1df4e96976 (kernel-6.12.14-100.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2025-1df4e96976 FEDORA-2025-cca2fcc70c has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-cca2fcc70c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-cca2fcc70c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2025-b268fceaec has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-b268fceaec` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-b268fceaec See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2025-b268fceaec (kernel-6.12.15-100.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2025-cca2fcc70c (kernel-6.12.15-200.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report. |