In order for userspace code to know that it must sign OOT modules, the secureboot / sig-enforce / lockdown mechanism's status needs to be exposed to it. Previous codesets exported a /sys/ or /proc/ file exposing this extra state, e.g. as /sys/kernel/security/securelevel, but efi-lockdown.patch appears to lack this. This absence kills programs such as systemtap that can deal with secureboot, but only if they know they need to.
Please add (back) a way for unprivileged userspace to know whether this kernel-lockdown mode is in effect.
See also https://github.com/iovisor/bcc/issues/2565#issuecomment-584476552
I see with 5.4 era f31 kernels, where CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y now, a /sys/kernel/security/lockdown file exists, but is not readable to unprivileged users. If it were readable, we could work with it.
(In reply to Frank Ch. Eigler from comment #1)
> see also https://github.com/iovisor/bcc/issues/2565#issuecomment-584476552
> I see with 5.4 era f31 kernels, where CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
> now, a /sys/kernel/security/lockdown file exists, but is not readable to
> unprivileged users. If it were readable, we could work with it.
I really can't help here. I wrote the initial patches in like the Fedora 21 timeframe. They have morphed significantly since then, and I have no idea what the state of the code is. Matthew Garrett or one of the other Fedora kernel maintainers are in a better spot than I am to help.
Looks like an easy fix; I'll see about sending a patch upstream.
In the upstream: 60cf7c5ed5f7 ("lockdown: Allow unprivileged users to see lockdown status")
Indeed, and it's also in 5.7.5+.
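As an added illustration of what comment #1 and the upstream fix give userspace (example code, not from this bug, systemtap or the kernel tree): the helper below reads /sys/kernel/security/lockdown, which lists every lockdown mode and puts square brackets around the active one (e.g. "none integrity [confidentiality]"), and distinguishes the three situations a tool like systemtap meets: file missing (no lockdown LSM or securityfs not mounted), file present but unreadable (kernels before 60cf7c5ed5f7 / 5.7.5), and file readable. The function names and the conservative "assume signing is needed" fallback are this example's own choices.

```python
import os

# Path exposed by the lockdown LSM via securityfs (from the bug report).
LOCKDOWN_PATH = "/sys/kernel/security/lockdown"

# Modes in which the kernel refuses unsigned out-of-tree modules.
SIGNING_MODES = ("integrity", "confidentiality")


def parse_lockdown(text):
    """Return the active mode from the lockdown file contents.

    The kernel prints all modes and brackets the active one, so
    "none integrity [confidentiality]" -> "confidentiality" and
    "[none] integrity confidentiality" -> "none".  Returns None when
    no bracketed entry is present (unexpected format).
    """
    for token in text.split():
        if token.startswith("[") and token.endswith("]"):
            return token[1:-1]
    return None


def lockdown_status(path=LOCKDOWN_PATH):
    """Probe the lockdown file as an unprivileged process.

    Returns a (mode, detail) tuple where mode is one of
    "none" / "integrity" / "confidentiality", or None if the mode
    could not be determined; detail is a human-readable explanation.
    """
    try:
        with open(path) as f:
            raw = f.read()
    except FileNotFoundError:
        return (None, "no lockdown file: kernel without lockdown LSM, "
                      "or securityfs not mounted")
    except PermissionError:
        # Pre-5.7.5 kernels made the file root-only; an unprivileged
        # caller learns nothing and should not assume lockdown is off.
        return (None, "lockdown file exists but is not readable by "
                      "this user (kernel predates 60cf7c5ed5f7)")
    mode = parse_lockdown(raw)
    if mode is None:
        return (None, "unrecognised lockdown file format: %r" % raw.strip())
    return (mode, "lockdown mode is %s" % mode)


def modules_need_signing(mode):
    """Decide whether OOT modules must be signed before loading.

    Unknown state (None) is treated conservatively: sign anyway, since
    a failed insmod under lockdown is worse than an unneeded signature.
    """
    return mode is None or mode in SIGNING_MODES


if __name__ == "__main__":
    mode, detail = lockdown_status()
    print(detail)
    print("sign OOT modules:", modules_need_signing(mode))
```

Run it as a normal user: on a Secure Boot host with a 5.7.5+ kernel it prints the active mode, while on an older kernel it reports the unreadable file and still recommends signing, which is the behaviour the original report wanted to be able to avoid.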