On Wed, Oct 30, 2024 at 10:58 AM Christian <ch...@argonautx.net> wrote:
> Hi Thomas, thank you for your help. So far I couldn't see anything in my
> cmdline which is kernel_lockdown related. And I grep'ed the whole /etc
> and /boot directory recursively. Nothing. And neither in the dmesg,
> there is no "lsm=" line. Only in the kernel .config is
> CONFIG_SECURITY_LOCKDOWN=y, enabled. So yes the kernel supports it.
> Debian Live boot system couldn't either boot up my new PC, but Ubuntu
> did. With Ubuntu I was able to boot it with Desktop and everything, but
> they used Nouveau driver.

Try booting with Trixie (testing), https://www.debian.org/CD/live/

It may just be that the stable kernel is simply too old for your
hardware. I am currently running Trixie and have not had any problems
with it.

If you do install Trixie and it asks you if you want to install
accessibility tools... select NO! Otherwise it will install and run
everything and you will waste lots of time figuring out how to disable
them.

> And dmesg dumped this out:
> [ 0.209551] LSM: initializing
> lsm=lockdown,capability,landlock,yama,apparmor,ima,evm
>
> I couldn't find out where these parameters are set. Even on the Ubuntu
> Live system I didn't find a file with just one single line with the
> words lsm= or lockdown (case insensitive).
>
> Thank you
>
> BR Christian
>
> > Hi,
> >
> > Christian wrote:
> >> [ 47.042454] Lockdown: Xorg: raw io port access is restricted; see man kernel_lockdown.7
> >> I think it's still SecureBoot, but what is it this time? Can anyone help
> >
> > At least the above log snippet seems to be related to SecureBoot.
> > In
> > https://manpages.debian.org/bookworm/manpages/kernel_lockdown.7.en.html
> > I see
> >
> > "On an EFI-enabled x86 or arm64 machine, lockdown will be automatically
> > enabled if the system boots in EFI Secure Boot mode.
> >
> > Coverage
> > When lockdown is in effect, a number of features are disabled or have
> > their use restricted. This includes special device files and kernel
> > services that allow direct access of the kernel image:"
> > [...]
> > NOTES
> > The Kernel Lockdown feature is enabled by CONFIG_SECURITY_LOCKDOWN_LSM.
> > The lsm=lsm1,...,lsmN command line parameter controls the sequence of
> > the initialization of Linux Security Modules. It must contain the
> > string lockdown to enable the Kernel Lockdown feature. If the command
> > line parameter is not specified, the initialization falls back to the
> > value of the deprecated security= command line parameter and further
> > to the value of CONFIG_LSM."
> >
> > So I guess you have to look into your boot configuration for kernel
> > parameter "lockdown".
> >
> > On
> > https://bbs.archlinux.org/viewtopic.php?id=290866
> > I see this statement by espritlibre:
> >
> > "Re: Secure boot and Nvidia
> > i have secure boot enabled, but lockdown disabled (for another
> > reason). loading the nvidia module does taint the kernel, but loads
> > and work just fine with prime-run on a hybrid system. i'm not signing
> > OOT modules, just kernel and efi stuff."
> >
> > (Whatever "prime-run" might be ...)
> >
> >
> > Have a nice day :)
> >
> > Thomas
> >

-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁  Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀  https://www.debian.org/
⠈⠳⣄⠀⠀⠀⠀
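The following is an added example, not code from anyone in this thread. It applies the resolution order quoted from kernel_lockdown(7) above (lsm= on the kernel command line, then the deprecated security=, then the compiled-in CONFIG_LSM value) to a command line and a .config fragment, which is why a "LSM: initializing lsm=..." line can appear in dmesg without any file on disk containing "lsm=". The sample command line and .config lines are constructed for the example, and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread). Models the precedence
# that kernel_lockdown(7) gives for the LSM initialisation list:
#   1. lsm=            on the kernel command line
#   2. security=       (deprecated) on the kernel command line
#   3. CONFIG_LSM="…"  compiled into the kernel (.config)

# Print the value of the last "NAME=value" word on a command line.
# Kernel parameters are handled left to right, so a later lsm= wins.
cmdline_param() {
    # $1 = parameter name, $2 = full command line
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | tail -n 1
}

# resolve_lsm CMDLINE CONFIG_TEXT
# Prints "<source>: <comma-separated list>" where source is cmdline-lsm,
# cmdline-security or config-lsm; prints "none" and returns 1 otherwise.
resolve_lsm() {
    cmdline=$1
    config=$2

    lsm=$(cmdline_param lsm "$cmdline")
    if [ -n "$lsm" ]; then
        printf 'cmdline-lsm: %s\n' "$lsm"
        return 0
    fi

    sec=$(cmdline_param security "$cmdline")
    if [ -n "$sec" ]; then
        printf 'cmdline-security: %s\n' "$sec"
        return 0
    fi

    # CONFIG_LSM is a quoted string in .config, e.g. CONFIG_LSM="lockdown,yama"
    cfg=$(printf '%s\n' "$config" | sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p' | head -n 1)
    if [ -n "$cfg" ]; then
        printf 'config-lsm: %s\n' "$cfg"
        return 0
    fi

    printf 'none\n'
    return 1
}

# lockdown_in_list CMDLINE CONFIG_TEXT
# Returns 0 when "lockdown" is one of the resolved entries, i.e. the
# Lockdown LSM will be initialised; 1 otherwise.
lockdown_in_list() {
    list=$(resolve_lsm "$1" "$2" | sed 's/^[^:]*: //')
    printf '%s\n' "$list" | tr ',' '\n' | grep -qx lockdown
}

# Constructed inputs (not taken from the poster's machine): a command line
# without lsm=/security= words, and a .config fragment carrying CONFIG_LSM.
SAMPLE_CMDLINE='BOOT_IMAGE=/boot/vmlinuz root=/dev/nvme0n1p2 ro quiet'
SAMPLE_CONFIG='CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_LSM="lockdown,capability,landlock,yama,apparmor,ima,evm"'

# With LSM_LIVE=1 the script reads the running system instead:
# /proc/cmdline and /boot/config-$(uname -r) are the real inputs, and
# securityfs reports what the kernel actually ended up with.
if [ "${LSM_LIVE:-0}" = 1 ]; then
    cfg_file=/boot/config-$(uname -r)
    if [ -r "$cfg_file" ]; then cfg_text=$(cat "$cfg_file"); else cfg_text=''; fi
    resolve_lsm "$(cat /proc/cmdline)" "$cfg_text" || true
    [ -r /sys/kernel/security/lsm ] && printf 'active LSMs:   %s\n' "$(cat /sys/kernel/security/lsm)"
    [ -r /sys/kernel/security/lockdown ] && printf 'lockdown mode: %s\n' "$(cat /sys/kernel/security/lockdown)"
else
    resolve_lsm "$SAMPLE_CMDLINE" "$SAMPLE_CONFIG"
    lockdown_in_list "$SAMPLE_CMDLINE" "$SAMPLE_CONFIG" && echo 'lockdown LSM will be initialised'
fi
```

With the constructed inputs the list comes from CONFIG_LSM, which matches the situation in the thread: nothing in /etc, /boot or the command line mentions lsm=, yet dmesg reports the list, because the kernel's own build configuration supplies it. Having "lockdown" in the list only means the LSM is initialised; the mode it enforces (none, integrity or confidentiality, with the active one shown in brackets in /sys/kernel/security/lockdown) is what the man page says gets raised automatically when the machine boots in EFI Secure Boot mode, so /sys/kernel/security/lockdown together with mokutil --sb-state is the quickest way to confirm why Xorg is being refused raw I/O port access.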