LSM module lockdown prevents /sys/kernel/debug access under Secure Boot #3
Comments
@nijek Do you have a custom kernel installed? Kind of looks like what happened here as well #1 (comment). Try running
I tried Ubuntu 21.10 in a VM and everything worked fine.
I'm using the default Ubuntu kernel. It worked after I disabled Secure Boot.
If I run the script directly I get this:
You need to run it with sudo when running manually.
Can confirm that the latency_ns issue is related to Secure Boot. Disabling it on my system made the script work fine, but whenever I re-enable it, it stops working again.
Good to know. I will add a warning to README and investigate if it can be fixed.
@nijek @not-a-dev-stein I might have found the solution. Would you mind running This is what I have:
(you can also do The important part here is the lockdown part. When Secure Boot is enabled it disables all access to To disable lockdown try modifying boot settings a
Tried it and got the same error as before.
If you run
It didn't, what I got was:
Ok, I will look into that more. People say that using Alt+Sysrq+X might disable lockdown mode: https://unix.stackexchange.com/questions/652867/disable-kernel-lockdown-in-runtime
Also try
@nijek @not-a-dev-stein I tested on my laptop with Secure Boot enabled and I don't have any issues reading or writing into debugfs. I believe that both Fedora and Ubuntu ship some tighter security lockdown (because they shipped it before it was included in kernel upstream) but Arch Linux uses the upstream kernel one. When I do I believe there is a
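As an added example (not part of this thread or the project's script): a preflight check a tuning script could run before writing to debugfs, so that a locked-down kernel produces a clear message instead of "Operation not permitted". It assumes the lockdown LSM reports its state at `/sys/kernel/security/lockdown` in the form `none [integrity] confidentiality`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: detect kernel lockdown before touching writable debugfs files.

# Assumption: the lockdown LSM exposes its state here through securityfs.
# Overridable so the check can be exercised against a sample file.
LOCKDOWN_FILE="${LOCKDOWN_FILE:-/sys/kernel/security/lockdown}"

# lockdown_mode CONTENT
# The file lists every mode and brackets the active one,
# e.g. "none [integrity] confidentiality". Prints the bracketed mode,
# or "unknown" when no bracketed word is found.
lockdown_mode() {
    mode=$(printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p')
    printf '%s\n' "${mode:-unknown}"
}

# debugfs_verdict MODE
# Both lockdown levels are treated as blocking writes to debugfs,
# which matches the latency_ns failure reported in this thread.
debugfs_verdict() {
    case "$1" in
        none) echo allowed ;;
        integrity|confidentiality) echo blocked ;;
        *) echo unknown ;;
    esac
}

# preflight TARGET
# Returns 0 when the write may proceed, 3 when lockdown will reject it.
preflight() {
    target=$1
    if [ ! -r "$LOCKDOWN_FILE" ]; then
        # No lockdown LSM (or securityfs not mounted): nothing to report.
        echo "lockdown state not readable at $LOCKDOWN_FILE; continuing" >&2
        return 0
    fi
    mode=$(lockdown_mode "$(cat "$LOCKDOWN_FILE")")
    if [ "$(debugfs_verdict "$mode")" = blocked ]; then
        echo "kernel lockdown is '$mode': writing $target will be refused" >&2
        return 3
    fi
    return 0
}

# Usage inside a tuning script (path taken from the log in this issue):
#   preflight /sys/kernel/debug/sched/latency_ns || exit $?
```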
Hello, I'm using Ubuntu 21.10.
When I try to "systemctl enable --now set-cfs-tweaks.service", even with sudo, I get an error.
When I run systemctl status set-cfs-tweaks.service I get this:
× set-cfs-tweaks.service - Set CFS tweaks
Loaded: loaded (/lib/systemd/system/set-cfs-tweaks.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2021-11-24 18:18:45 -03; 10s ago
Process: 5499 ExecStart=/usr/sbin/set-cfs-zen-tweaks.bash (code=exited, status=1/FAILURE)
Main PID: 5499 (code=exited, status=1/FAILURE)
CPU: 13ms
nov 24 18:18:45 nikolai systemd[1]: Starting Set CFS tweaks...
nov 24 18:18:45 nikolai set-cfs-zen-tweaks.bash[5499]: Targeted preemption latency for CPU-bound tasks: 4ms
nov 24 18:18:45 nikolai set-cfs-zen-tweaks.bash[5499]: Minimal preemption granularity for CPU-bound tasks: 0.4ms
nov 24 18:18:45 nikolai set-cfs-zen-tweaks.bash[5499]: Wake-up granularity: 0.5ms
nov 24 18:18:45 nikolai set-cfs-zen-tweaks.bash[5499]: Task migration cost: 0.25ms
nov 24 18:18:45 nikolai set-cfs-zen-tweaks.bash[5499]: Amount of runtime to allocate from global to local pool: 3ms
nov 24 18:18:45 nikolai set-cfs-zen-tweaks.bash[5499]: /usr/sbin/set-cfs-zen-tweaks.bash: line 57: /sys/kernel/debug/sched/latency_ns: Operation not permitted
nov 24 18:18:45 nikolai systemd[1]: set-cfs-tweaks.service: Main process exited, code=exited, status=1/FAILURE
nov 24 18:18:45 nikolai systemd[1]: set-cfs-tweaks.service: Failed with result 'exit-code'.
nov 24 18:18:45 nikolai systemd[1]: Failed to start Set CFS tweaks.