I am very pleased with Opensuse Tumbleweed. I came back from Debian Testing after almost 4 years. Now it is a very stable distribution for me. And Wayland works well.
I installed the Kernel Stable repository from: https://download.opensuse.org/repositories/Kernel:/stable/standard to try a newer kernel. This is kernel 6.4.12-1. I registered the signing key for the kernel. The system works stably.
I noticed that HSI shows the Linux kernel as tainted. When I use the default kernel 6.11.8-1, HSI shows the kernel as untainted.
What does it mean for me? Should I go back to using kernel 6.11.8-1?
Show the actual command output. And show
cat /proc/sys/kernel/tainted
in both cases.
This is the same result in both cases.
Information center for kernel 6.11.8 shows:
HSI-4
Runtime Suffix -!
Linux kernel: Untainted
Linux kernel lockdown: Enabled
Linux swap: Disabled
fwupd plugins: Untainted
Information center for kernel 6.12.4 shows:
HSI-4
Runtime Suffix -!
Linux kernel: Untainted
Linux kernel lockdown: Disabled
Linux swap: Disabled
fwupd plugins: Untainted
Linux kernel lockdown is marked as red.
It is untainted in both cases. Your starting post claimed that in one case it is “tainted”. Where do you see it?
It was my mistake. I was thinking about linux kernel lockdown.
Show
dmesg | grep -i lockdown
in both cases.
Kernel 6.11.8-1
rektal@tumble:~> dmesg | grep -i lockdown
[ 0.000000] [ T0] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
[ 0.085759] [ T0] LSM: initializing lsm=lockdown,capability,landlock,yama,apparmor,bpf,ima,evm
[ 0.610737] [ T1] Lockdown: swapper/0: hibernation is restricted; see man kernel_lockdown.7
[ 6.019516] [ T1247] Lockdown: numlockbios: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
[ 6.024124] [ T1266] Lockdown: numlockbios: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
[ 6.027295] [ T1274] Lockdown: numlockbios: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
[ 6.030517] [ T1282] Lockdown: numlockbios: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
[ 6.033527] [ T1289] Lockdown: numlockbios: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
[ 6.035849] [ T1293] Lockdown: numlockbios: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
[ 6.806073] [ T1581] Lockdown: Xorg.bin: raw io port access is restricted; see man kernel_lockdown.7
[ 8.321544] [ T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 8.322616] [ T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 8.322804] [ T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 16.094007] [ T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 16.098724] [ T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 16.098899] [ T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 16.099066] [ T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 16.099077] [ T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 16.582233] [ T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 16.597864] [ T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 16.598051] [ T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 16.598224] [ T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 16.598236] [ T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 170.545114] [ T1250] lockdown_is_locked_down: 5 callbacks suppressed
[ 170.545118] [ T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 170.549985] [ T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 170.550143] [ T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 170.550279] [ T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 170.550290] [ T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
Kernel 6.12.4-2
rektal@tumble:~> dmesg | grep -i lockdown
[ 0.086549] [ T0] LSM: initializing lsm=lockdown,capability,landlock,yama,apparmor,bpf,ima,evm
Which package exactly have you installed?
uname -a
for both kernels?
rektal@tumble:~> uname -a
Linux tumble 6.12.4-2.g65674ea-default #1 SMP PREEMPT_DYNAMIC Thu Dec 12 17:01:34 UTC 2024 (65674ea) x86_64 x86_64 x86_64 GNU/Linux
rektal@tumble:~> uname -a
Linux tumble 6.11.8-1-default #1 SMP PREEMPT_DYNAMIC Thu Nov 14 12:54:01 UTC 2024 (099023b) x86_64 x86_64 x86_64 GNU/Linux
bor@uefi:~> uname -r
6.12.4-2.g65674ea-default
bor@uefi:~> mokutil --sb-state
SecureBoot disabled
bor@uefi:~>
No idea why so far.
This is a red herring.
bor@uefi:~> mokutil --sb-state
SecureBoot enabled
bor@uefi:~> uname -r
6.12.4-2.g65674ea-default
bor@uefi:~> cat /sys/kernel/security/lockdown
[none] integrity confidentiality
bor@uefi:~>
I have
rektal@tumble:~> mokutil --sb-state
SecureBoot enabled
in both cases.
I have installed kernel 6.12.5-2.gdfae15e-default today.
This is output:
rektal@tumble:~> mokutil --sb-state
SecureBoot enabled
rektal@tumble:~> dmesg | grep -i lockdown
[ 0.086016] [ T0] LSM: initializing lsm=lockdown,capability,landlock,yama,apparmor,bpf,ima,evm
Lsm=lockdown is red.
I will stay on kernel 6.11.8-1-default.
@rektal that’s showing your grep text (as in here it is…)
I don’t know that. Thank you.
But HSI still shows linux kernel lockdown is disabled.
Is it safe to disable Linux kernel lockdown?
Define “safe”. Besides, nothing stops you from adding lockdown=integrity to the kernel command line.
Anyway, the problem is in a SUSE custom patch that became incompatible with the current upstream kernel.
No lockdown on Secure Boot with kernel:Stable? - openSUSE Kernel - openSUSE Mailing Lists
I see there is a bugzilla thread about it:
https://bugzilla.opensuse.org/show_bug.cgi?id=1234646
I have installed kernel 6.12.6-1.gfb072de-default today and linux kernel lockdown is enabled again.
The case is solved.
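The three checks the thread walks through (Secure Boot state, the active lockdown mode, the taint bitmask, and the lockdown denials in dmesg) collected into one POSIX sh script, as an added example that is not from this thread or from openSUSE. The parsing functions take file contents as arguments, so they are exercised here on constructed input; set LOCKDOWN_CHECK_LIVE=1 to read the real files.

```shell
#!/bin/sh
# Added example: summarise kernel lockdown and taint state the way the
# thread's manual checks do. Pure functions take text as input so they can
# be tested on constructed data; the live section reads the real files.

# Active mode from /sys/kernel/security/lockdown, where the kernel lists all
# modes and brackets the active one, e.g. "[none] integrity confidentiality".
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# Decode /proc/sys/kernel/tainted into the kernel's one-letter taint flags
# (bit 0 = P proprietary module, bit 12 = O out-of-tree, bit 13 = E unsigned;
# see Documentation/admin-guide/tainted-kernels.rst). 0 means untainted.
taint_flags() {
    n=$1
    letters='PFSRMBUDAWCIOELKXTN'
    out=''
    i=0
    while [ "$i" -lt 19 ]; do
        if [ $(( (n >> i) & 1 )) -eq 1 ]; then
            out="$out$(printf '%s' "$letters" | cut -c $((i + 1)))"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "${out:-untainted}"
}

# Count "Lockdown: <process>:" denials in dmesg text read from stdin, most
# frequent first. The "LSM: initializing lsm=lockdown" line is not a denial
# and does not match, which is the point raised in the thread.
lockdown_denials() {
    grep -o 'Lockdown: [^:]*:' | sort | uniq -c | sort -rn
}

if [ "${LOCKDOWN_CHECK_LIVE:-0}" = 1 ]; then
    printf 'Secure Boot: '; mokutil --sb-state 2>/dev/null || echo unknown
    printf 'lockdown:    %s\n' \
        "$(lockdown_mode "$(cat /sys/kernel/security/lockdown 2>/dev/null)")"
    printf 'tainted:     %s\n' "$(taint_flags "$(cat /proc/sys/kernel/tainted)")"
    dmesg 2>/dev/null | lockdown_denials
fi
```

With Secure Boot enabled the expected line is `lockdown: integrity`; `none` together with `SecureBoot enabled` is the mismatch this thread tracked down to bug 1234646.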