1. Please describe the problem:

Output of fwupdmgr security on 6.12.6:

    Runtime Suffix -!
    ✔ fwupd plug-ins: Untainted
    ✔ CET OS Support: Supported
    ✔ Linux swap: Encrypted
    ✔ Linux kernel: Untainted
    ✘ Linux kernel lockdown: Disabled

2. What is the Version-Release number of the kernel:

6.12.6-200.fc41.x86_64

3. Did it work previously in Fedora? If so, what kernel version did the issue *first* appear? Old kernels are available for download at https://koji.fedoraproject.org/koji/packageinfo?packageID=8 :

This appears to be working with 6.11.4 kernel.

4. Can you reproduce this issue? If so, please provide the steps to reproduce the issue below:

Yes, boot with a 6.12.X kernel.

5. Does this problem occur with the latest Rawhide kernel? To install the Rawhide kernel, run ``sudo dnf install fedora-repos-rawhide`` followed by ``sudo dnf update --enablerepo=rawhide kernel``:

6. Are you running any modules that are not shipped directly with Fedora's kernel?:

No

7. Please attach the kernel logs. You can get the complete kernel log for a boot with ``journalctl --no-hostname -k > dmesg.txt``. If the issue occurred on a previous boot, use the journalctl ``-b`` flag.
Created attachment 2063450: Journal of 6.12.6 booting with lsm.debug set on the kernel.
Linux Kernel 6.11.11-300.fc41.x86_64

    cat /sys/kernel/security/lockdown
    none [integrity] confidentiality

After `dnf upgrade --refresh`, which installs Linux Kernel 6.12.8-200.fc41.x86_64 as of today:

    cat /sys/kernel/security/lockdown
    [none] integrity confidentiality
Just noticed this on my machine as well with kernel 6.12.9-200.fc41.x86_64. I've poked around a bit and am pretty sure the culprit is upstream commit 77b644c39d6a ("init/main.c: Initialize early LSMs after arch code, static keys and calls."). That moved the call to early_security_init() to after setup_arch(), but the downstream lockdown-on-secure-boot patch calls the lockdown hook immediately after setting `EFI_SECURE_BOOT` there. Basically, it looks like the lockdown hook is now invoked before lockdown has even been registered.
Right, this is being looked at, the timing was just not particularly good as everything was blowing up at once. In the meantime, the kernel command line options and runtime enable should work (runtime disable still does not by design).
Thanks, Justin! I can confirm that runtime enable works with at least 6.12.11:

    # uname -r
    6.12.11-200.fc41.x86_64
    # cat /sys/kernel/security/lockdown
    [none] integrity confidentiality
    # echo integrity > /sys/kernel/security/lockdown
    # cat /sys/kernel/security/lockdown
    none [integrity] confidentiality
    # dmesg |tail -n 1
    [ 2227.603314] Kernel is locked down from securityfs; see man kernel_lockdown.7
    # fwupdmgr security
    ...
    Runtime Suffix -!
    ✔ fwupd plug-ins: Untainted
    ✔ Linux kernel lockdown: Enabled
    ✔ Linux swap: Encrypted
    ✔ Linux kernel: Untainted
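A check for the state this thread describes, as an added example that is not part of the bug report or of any commenter's post: it reads the active mode (the bracketed word) from /sys/kernel/security/lockdown and flags a host that reports Secure Boot enabled while lockdown is `none`. The function names and the `regressed` / `unlocked` / `locked:` labels are made up for this example, and it assumes Secure Boot state is readable from the standard SecureBoot efivarfs entry.

```sh
#!/bin/sh
# Added example (not from the bug report): detect "Secure Boot on, lockdown none".

# Print the active lockdown mode, i.e. the bracketed word in the securityfs file:
# "none [integrity] confidentiality" -> integrity
active_lockdown_mode() {
    # $1: contents of /sys/kernel/security/lockdown
    mode=$(printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p')
    [ -n "$mode" ] || return 1
    printf '%s\n' "$mode"
}

# Print the Secure Boot flag (1 or 0) from an efivarfs file.
# efivarfs prepends 4 attribute bytes, so the value is the 5th byte.
secure_boot_enabled() {
    # $1: path to the SecureBoot variable
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# Combine both facts into one label (labels are this example's own).
# Assumption: with Secure Boot on, Fedora's downstream patch should have
# enabled lockdown at boot, so "none" there means the behaviour reported here.
classify() {
    # $1: lockdown file contents, $2: Secure Boot flag (1 = enabled)
    mode=$(active_lockdown_mode "$1") || { echo unknown; return 0; }
    if [ "$2" = 1 ] && [ "$mode" = none ]; then
        echo regressed
    elif [ "$mode" = none ]; then
        echo unlocked
    else
        echo "locked:$mode"
    fi
}

check_host() {
    lock_file=${1:-/sys/kernel/security/lockdown}
    sb_file=${2:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}
    sb=$(secure_boot_enabled "$sb_file") || sb=0
    classify "$(cat "$lock_file" 2>/dev/null)" "$sb"
}

check_host
```

On an affected kernel booted with Secure Boot this prints `regressed`; after `echo integrity > /sys/kernel/security/lockdown` or on a fixed kernel it prints `locked:integrity`.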
FEDORA-2025-1df4e96976 (kernel-6.12.14-100.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2025-1df4e96976
FEDORA-2025-cca2fcc70c has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-cca2fcc70c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-cca2fcc70c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-b268fceaec has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-b268fceaec` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-b268fceaec See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-b268fceaec (kernel-6.12.15-100.fc40) has been pushed to the Fedora 40 stable repository. If the problem still persists, please make note of it in this bug report.
FEDORA-2025-cca2fcc70c (kernel-6.12.15-200.fc41) has been pushed to the Fedora 41 stable repository. If the problem still persists, please make note of it in this bug report.