Description of problem:
Since installing F28 on a new laptop and (apparently) mistakenly choosing UEFI boot instead of old BIOS-mode, I've had a couple of problems
My existing Brother USB printer can no longer be controlled via "scanimage" from sane-backends. That generates a "Lockdown: scanimage: ioperm is restricted; see man kernel_lockdown.7" kernel error
...and just now I went to try out wireguard - a "next gen" VPN solution which has a kernel module. They have a repo for installing it, but it's "wireguard-dkms" built-on-the-fly kernel module fails to load with "Lockdown: modprobe: Loading of unsigned module is restricted" too
"sane-backends" actually comes from Fedora-updates, so frankly Fedora should have enabled "ioperm" to work, and I guess you'd argue Wireguard should somehow figure out how to digitally sign their kernel modules (via dkms? I'd think those two are mutually exclusive?), but as a end-user this is all "too hard" for me (like selinux) - so I just want to shoot it in the head
Can you tell me how I can disable this lockdown "feature"? Some exotic kernel-hack is *not* how my system is going to get hacked - I don't want my system to be military-grade secure if that means I can't do the things I want to do on it
So any hint would be appreciated. Google doesn't seem to find instructions for me (I'm hoping you're not going to say I have to reinstall :-(
You can disable lockdown by disabling secure boot - run
sudo mokutil --disable-validation
and reboot, and then follow the prompts. However, please open a bug against sane-backends - drivers for USB devices shouldn't be calling ioperm(). I'll close this bug since this is working as intended from the kernel's perspective, but thanks for the report of the breakage.
I ran the mokutil command from the console as root and had to enter a password? I made one up and afterwards rebooted. However - there are no "prompts"...
I am running F28 as a server - non-GUI. I assume these "prompts" are GUI-only? Also the wireguard module failed to load: "modprobe: Loading of unsigned module is restricted" - so Lockdown is still in place
Any more hints please :-)
The prompts are provided in the system firmware, so if it's a headless device you'll need to use the remote console to confirm them.
Wow - I see what you mean. That did the trick. After the reboot and weird password challenges I got to disable secureboot and then it came up properly - and now I can load the wireguard kernel module :-)
For the record you can disable kernel lockdown via sys-rq:
sudo bash -c 'echo 1 > /proc/sys/kernel/sysrq'
sudo bash -c 'echo x > /proc/sysrq-trigger'
> For the record you can disable kernel lockdown via sys-rq:
> sudo bash -c 'echo 1 > /proc/sys/kernel/sysrq'
> sudo bash -c 'echo x > /proc/sysrq-trigger'
Thanks for the hint. Is this modification permanent / does it survive reboots? Where is this documented? Thank yoU!
no sadly above is not enough. in a running system, this enables the resume to hibernate to disk correctly, but once the system is powered on again and the kernel starts above steps needs to be done before trying to resume the image from disk again.
this is why I did patch dracut a bit. see attached patch.
this is just a hack, as my swap is encrypted anyway.
Created attachment 1619783 [details]
disable lockdown in dracut before resume via sysrq trigger