Kernel stable repo - HSI - kernel is tainted

I am very pleased with openSUSE Tumbleweed. I came back from Debian Testing after almost 4 years. Now it is a very stable distribution for me. And Wayland works well.
I installed the Kernel Stable repository from https://download.opensuse.org/repositories/Kernel:/stable/standard to try a newer kernel. This is kernel 6.4.12-1. I registered the signing key for the kernel. The system works stably.
I noticed that HSI shows the Linux kernel as tainted. When I use the default kernel 6.11.8-1, HSI shows the kernel as untainted.
What does it mean for me? Should I go back to using kernel 6.11.8-1?

Show the actual command output. And show

cat /proc/sys/kernel/tainted

in both cases.

This is the same result in both cases.

Information center for kernel 6.11.8 shows:

HSI-4

Runtime Suffix -!
:heavy_check_mark: Linux kernel: Untainted
:heavy_check_mark: Linux kernel lockdown: Enabled
:heavy_check_mark: Linux swap: Disabled
:heavy_check_mark: fwupd plugins: Untainted

Information center for kernel 6.12.4 shows:
HSI-4

Runtime Suffix -!
:heavy_check_mark: Linux kernel: Untainted
:heavy_check_mark: Linux kernel lockdown: Disabled
:heavy_check_mark: Linux swap: Disabled
:heavy_check_mark: fwupd plugins: Untainted

Linux kernel lockdown is marked as red.

It is untainted in both cases. Your starting post claimed that in one case it is “tainted”. Where do you see it?

It was my mistake. I was thinking about linux kernel lockdown.

Show

dmesg | grep -i lockdown

in both cases.

Kernel 6.11.8-1

rektal@tumble:~> dmesg | grep -i lockdown
[    0.000000] [      T0] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
[    0.085759] [      T0] LSM: initializing lsm=lockdown,capability,landlock,yama,apparmor,bpf,ima,evm
[    0.610737] [      T1] Lockdown: swapper/0: hibernation is restricted; see man kernel_lockdown.7
[    6.019516] [   T1247] Lockdown: numlockbios: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
[    6.024124] [   T1266] Lockdown: numlockbios: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
[    6.027295] [   T1274] Lockdown: numlockbios: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
[    6.030517] [   T1282] Lockdown: numlockbios: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
[    6.033527] [   T1289] Lockdown: numlockbios: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
[    6.035849] [   T1293] Lockdown: numlockbios: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
[    6.806073] [   T1581] Lockdown: Xorg.bin: raw io port access is restricted; see man kernel_lockdown.7
[    8.321544] [   T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[    8.322616] [   T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[    8.322804] [   T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[   16.094007] [   T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[   16.098724] [   T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[   16.098899] [   T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[   16.099066] [   T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[   16.099077] [   T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[   16.582233] [   T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[   16.597864] [   T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[   16.598051] [   T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[   16.598224] [   T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[   16.598236] [   T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[  170.545114] [   T1250] lockdown_is_locked_down: 5 callbacks suppressed
[  170.545118] [   T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[  170.549985] [   T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[  170.550143] [   T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[  170.550279] [   T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[  170.550290] [   T1250] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7

Kernel 6.12.4-2

rektal@tumble:~> dmesg | grep -i lockdown
[    0.086549] [      T0] LSM: initializing lsm=lockdown,capability,landlock,yama,apparmor,bpf,ima,evm

Which package exactly have you installed?

uname -a

for both kernels?

rektal@tumble:~> uname -a
Linux tumble 6.12.4-2.g65674ea-default #1 SMP PREEMPT_DYNAMIC Thu Dec 12 17:01:34 UTC 2024 (65674ea) x86_64 x86_64 x86_64 GNU/Linux

rektal@tumble:~> uname -a
Linux tumble 6.11.8-1-default #1 SMP PREEMPT_DYNAMIC Thu Nov 14 12:54:01 UTC 2024 (099023b) x86_64 x86_64 x86_64 GNU/Linux

bor@uefi:~> uname -r
6.12.4-2.g65674ea-default
bor@uefi:~> mokutil --sb-state 
SecureBoot disabled
bor@uefi:~> 

No idea why so far.

This is a red herring.

bor@uefi:~> mokutil --sb-state 
SecureBoot enabled
bor@uefi:~> uname -r
6.12.4-2.g65674ea-default
bor@uefi:~> cat /sys/kernel/security/lockdown 
[none] integrity confidentiality
bor@uefi:~> 

I have

rektal@tumble:~> mokutil --sb-state
SecureBoot enabled

in both cases.

I have installed kernel 6.12.5-2.gdfae15e-default today.
This is the output:

rektal@tumble:~> mokutil --sb-state
SecureBoot enabled
rektal@tumble:~> dmesg | grep -i lockdown
[    0.086016] [      T0] LSM: initializing lsm=lockdown,capability,landlock,yama,apparmor,bpf,ima,evm

Lsm=lockdown is red.

I will stay on kernel 6.11.8-1-default.

@rektal that’s showing your grep text (as in here it is…) :wink:

I don’t know that. :slight_smile: Thank you.

But HSI still shows linux kernel lockdown is disabled.

Is it safe to disable Linux kernel lockdown?

Define “safe”. Besides, nothing stops you from adding lockdown=integrity to the kernel command line.

Anyway, the problem is in a SUSE custom patch that became incompatible with the current upstream kernel.

No lockdown on Secure Boot with kernel:Stable? - openSUSE Kernel - openSUSE Mailing Lists
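The thread turns on three separate facts that are easy to conflate: the taint bitmask in /proc/sys/kernel/tainted, the active lockdown mode in /sys/kernel/security/lockdown (the bracketed word), and the Secure Boot state from mokutil. The script below is an added example, not code from the thread or from fwupd; it reads those three sources (or takes captured values as arguments) and flags the combination seen on the 6.12.4-2 build, Secure Boot on with lockdown set to none. The taint letters follow the kernel's Documentation/admin-guide/tainted-kernels.rst table; treating any nonzero value as "tainted" is this script's simplification, not fwupd's exact policy.

```shell
#!/bin/sh
# Added example (not from the thread). Usage:
#   ./lockdown-check.sh --live                 read the running system
#   ./lockdown-check.sh LOCKDOWN_LINE SB_LINE TAINT   evaluate captured output
#   ./lockdown-check.sh                        constructed sample from the thread

# Active lockdown mode is the bracketed word in /sys/kernel/security/lockdown,
# e.g. "[none] integrity confidentiality" -> none.
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Expand the decimal taint value into flag letters (bit 0 = P ... bit 18 = N),
# per Documentation/admin-guide/tainted-kernels.rst.
taint_flags() {
    v=$1 bit=0 out=""
    for n in P F S R M B U D A W C I O E L K X T N; do
        if [ $(( (v >> bit) & 1 )) -eq 1 ]; then out="$out$n"; fi
        bit=$((bit + 1))
    done
    printf '%s\n' "$out"
}

# One-line verdict; lockdown "none" while Secure Boot is on is the mismatch
# the thread is about (lockdown is normally forced on by Secure Boot).
runtime_verdict() {
    mode=$(lockdown_mode "$1")
    case "$2" in *enabled*) sb=enabled ;; *disabled*) sb=disabled ;; *) sb=unknown ;; esac
    taintval=${3:-0}
    if [ "$taintval" -eq 0 ]; then taint=Untainted; else taint="Tainted ($(taint_flags "$taintval"))"; fi
    case "$mode" in "") lock=unknown ;; none) lock=Disabled ;; *) lock="Enabled ($mode)" ;; esac
    printf 'SecureBoot: %s; lockdown: %s; kernel: %s' "$sb" "$lock" "$taint"
    if [ "$sb" = enabled ] && [ "$mode" = none ]; then
        printf ' [MISMATCH: Secure Boot on but no lockdown]'
    fi
    printf '\n'
}

if [ "$1" = --live ]; then
    runtime_verdict "$(cat /sys/kernel/security/lockdown 2>/dev/null)" \
        "$(mokutil --sb-state 2>/dev/null)" "$(cat /proc/sys/kernel/tainted 2>/dev/null)"
elif [ $# -eq 3 ]; then
    runtime_verdict "$1" "$2" "$3"
else
    # Constructed sample: the values posted for kernel 6.12.4-2 above.
    runtime_verdict '[none] integrity confidentiality' 'SecureBoot enabled' 0
fi
```

The verdict line is also where to look when dmesg | grep -i lockdown seems to highlight "lsm=lockdown": that colour is grep's match highlighting, and only the sysfs file shows the mode actually in force.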

I see there is a bugzilla thread about it:
https://bugzilla.opensuse.org/show_bug.cgi?id=1234646

I have installed kernel 6.12.6-1.gfb072de-default today and linux kernel lockdown is enabled again.
The case is solved.