Bug 1658675 - Fedora 29 - efi-lockdown patch causes -EPERM for some debugfs files even though CONFIG_LOCK_DOWN_KERNEL is not set
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 29
Hardware: All
OS: Linux
unspecified
high
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
Duplicates: 1664012
Blocks: 1688305
Reported: 2018-12-12 16:17 UTC by IBM Bug Proxy
Modified: 2019-10-28 13:56 UTC (History)

Fixed In Version: kernel-5.1.8-300.fc30 kernel-5.1.8-200.fc29
Last Closed: 2019-06-12 14:48:00 UTC
Links
System ID Private Priority Status Summary Last Updated
IBM Linux Technology Center 173995 0 None None None 2019-07-24 08:08:09 UTC

Description IBM Bug Proxy 2018-12-12 16:17:35 UTC

Comment 1 IBM Bug Proxy 2018-12-12 17:16:51 UTC
== Comment: #0 - Dominik Klein <dominik.klein@de.ibm.com> - 2018-12-10 04:15:39 ==
There seems to be a bug in the efi-lockdown patch as applied on top of vanilla for Fedora kernels starting with 4.16:
https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?id=848a1061b38f861a4a93aceff77738578e99bc28

The earliest kernel the problem was observed in is 4.16.3-200.fc27.s390x and it seems to be present in all kernels since (latest kernel checked was 4.19.6-300.fc29.s390x).

The problem is that part of the patch modifies kernel behavior independently of CONFIG_LOCK_DOWN_KERNEL being set or not, causing issues on two debugfs files on s390x.

Vasily Gorbik has already analyzed the problem and has posted a proposed fix here:
https://lkml.org/lkml/2018/11/21/634
https://lkml.org/lkml/2018/11/21/635

Comment 2 Dan Horák 2019-01-04 14:03:01 UTC
Adding David to CC explicitly, so he can review the proposed fix.

Comment 5 Mikhail 2019-01-16 16:35:34 UTC
*** Bug 1664012 has been marked as a duplicate of this bug. ***

Comment 6 Mikhail 2019-01-16 16:38:39 UTC
This issue also affects x86_64 hardware; for example, it doesn't allow reading debugfs for the umr tool, which debugs AMD GPUs.

Comment 7 IBM Bug Proxy 2019-01-18 10:10:30 UTC
------- Comment From dominik.klein@de.ibm.com 2019-01-18 05:02 EDT-------
Verified the fix with kernel-4.20.3-200.fc29. Couldn't verify for F28 since the fix doesn't seem to be contained in the latest Koji build there (kernel-4.19.16-200.fc28).

Comment 8 Justin M. Forbes 2019-01-18 12:37:53 UTC
Correct, it will land in F28 with the 4.20 rebases there, likely next week.

Comment 9 IBM Bug Proxy 2019-01-24 09:30:32 UTC
------- Comment From dominik.klein@de.ibm.com 2019-01-24 04:28 EDT-------
Verified for F28 as well with kernel-4.20.4-100.fc28 (from Koji).

Comment 10 Mikhail 2019-05-02 11:59:41 UTC
With the latest Fedora kernels I again get "Operation not permitted" when I try to access debugfs.

# cat /sys/kernel/debug/dri/0/amdgpu_gca_config | xxd -e -
cat: /sys/kernel/debug/dri/0/amdgpu_gca_config: Operation not permitted

[root@localhost app]# uname -r
5.1.0-0.rc7.git1.1.fc31.x86_64

Comment 11 Dan Horák 2019-05-02 12:09:55 UTC
I suspect Vasily's changes got lost when the lockdown patchset was rebased mid-April.

IBM, could you work on upstreaming them again?

Comment 12 Mikhail 2019-05-02 21:54:57 UTC
(In reply to Dan Horák from comment #11)
> I suspect Vasily's changes got lost when the lockdown patchset was rebased mid-April.

I checked your assumption. And yes, after reverting commits 26a34633c242 and 4b5e4234be65 the problem was gone.

Comment 14 Chris Murphy 2019-06-06 21:27:25 UTC
(In reply to Dan Horák from comment #13)
> another report in
> https://lists.fedoraproject.org/archives/list/test@lists.fedoraproject.org/message/BWLWJXG3K25AWACNVKH46YM4PFHES4QR/

That is a Fedora Rawhide system:
kernel: efi: EFI v1.10 by Apple
5.2.0-0.rc3.git1.1.fc31.x86_64
Secure Boot is not available on this ancient pre-UEFI system


I have another computer running Fedora 30:
kernel: efi: EFI v2.40 by INSYDE Corp.
5.1.7-300.fc30.x86_64
# mokutil --sb-state
SecureBoot enabled

Comment 15 IBM Bug Proxy 2019-06-07 11:10:33 UTC
------- Comment From dominik.klein@de.ibm.com 2019-06-07 07:04 EDT-------
I just tried with rawhide. I manually applied the original patch from https://lkml.org/lkml/2018/11/21/635 on top of the prepped source tree from kernel-5.2.0-0.rc3.git0.1.fc31.src.rpm which worked just fine without any warnings and the resulting kernel doesn't exhibit the -EPERM issue. For now, could you make sure that it's included in the SRPMs again?

As far as upstreaming - where would be the right place to get this fixed at the source? Where do you source it from for your efi-lockdown patchset?

Comment 16 IBM Bug Proxy 2019-06-07 11:20:21 UTC
------- Comment From dominik.klein@de.ibm.com 2019-06-07 07:18 EDT-------
If I'm reading this correctly, "debugfs: Restrict debugfs when the kernel is locked down" is authored by David Howells. Could we get him in on this discussion so that he could fix the bug in his original patch? That way we hopefully wouldn't have to revisit this yet again in the future.

Comment 17 Dan Horák 2019-06-07 11:24:04 UTC
Jeremy already committed the fix in all branches (https://src.fedoraproject.org/rpms/kernel/c/228a4ee828871783564b53c5fa20d4079c5aeb03?branch=master), so next builds will contain it.

Jeremy (and co), please see the upstreaming question in comment #15/#16.

Comment 18 Jeremy Cline 2019-06-07 14:59:52 UTC
(In reply to IBM Bug Proxy from comment #15)
> ------- Comment From dominik.klein@de.ibm.com 2019-06-07 07:04 EDT-------
> As far as upstreaming - where would be the right place to get this fixed at
> the source? Where do you source it from for your efi-lockdown patchset?

The latest pull requests have come from Matthew Garrett from the lock_down branch of https://github.com/mjg59/linux. He'd probably be the best person to contact with this fix.

Comment 19 Fedora Update System 2019-06-10 15:19:55 UTC
FEDORA-2019-c03eda3cc6 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-c03eda3cc6

Comment 20 Fedora Update System 2019-06-10 15:19:56 UTC
FEDORA-2019-83858fc57b has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-83858fc57b

Comment 21 Fedora Update System 2019-06-11 01:19:18 UTC
kernel-5.1.8-300.fc30, kernel-headers-5.1.8-300.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-c03eda3cc6

Comment 22 Fedora Update System 2019-06-11 01:45:37 UTC
kernel-5.1.8-200.fc29, kernel-headers-5.1.8-200.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-83858fc57b

Comment 23 IBM Bug Proxy 2019-06-11 12:02:11 UTC
------- Comment From dominik.klein@de.ibm.com 2019-06-11 07:51 EDT-------
Can confirm that the problem is fixed with the Testing kernels for F29 and F30 as well as in rawhide.

kernel-core-5.1.6-200.fc29.s390x: doesn't work
kernel-core-5.1.8-200.fc29.s390x: works

kernel-core-5.1.7-300.fc30.s390x: doesn't work
kernel-core-5.1.8-300.fc30.s390x: works

kernel-core-5.2.0-0.rc3.git3.1.fc31.s390x: works

Comment 24 Fedora Update System 2019-06-12 14:48:00 UTC
kernel-5.1.8-300.fc30, kernel-headers-5.1.8-300.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2019-06-13 01:38:26 UTC
kernel-5.1.8-200.fc29, kernel-headers-5.1.8-200.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

