Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Qubes 4.0 is not booting with boot parameters "lockdown=integrity" or "lockdown=confidentiality" #5497

Closed
n1m1 opened this issue Dec 2, 2019 · 17 comments
Closed

Qubes 4.0 is not booting with boot parameters "lockdown=integrity" or "lockdown=confidentiality" #5497

n1m1 opened this issue Dec 2, 2019 · 17 comments
Labels
C: other P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. r4.0-dom0-stable r4.1-dom0-stable
Milestone
Release 4.0 updates

Comments

@n1m1
Copy link

n1m1 commented Dec 2, 2019
edited
Loading

Qubes OS version:

Qubes 4.0 with AEM enabled.

Affected component(s) or functionality:

Boot.

Steps to reproduce the behavior:

  1. Install kernel 5.4.1 in Dom0
  2. Set lockdown=integrity or lockdown=confidentuality in /etc/default/grub
  3. grub2-mkconfig -o /boot/grub2/grub.cfg
  4. Reboot the system with kernel 5.4

Expected or desired behavior:

The system boots and seals the keys for AEM.

Actual behavior:

The system hangs on. On the monitor I can see

Waiting for device XXX to be attached

Nevertheless, the USB drive with /boot partition is ALREADY attached.

I've also tried to boot the system from the USB drive without AEM, but without success.

General notes:

It is totally possible that this is not a bug, but it is actually how the lockdown feature is supposed to work (and thus, it is not compatible with AEM or booting with an external device). TBH I have no idea and I am not tech-savvy enough to give an answer to this question.

I have consulted the following relevant documentation:

I am aware of the following related, non-duplicate issues:
@andrewdavidwong andrewdavidwong added C: other P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: bug labels Dec 2, 2019
@andrewdavidwong andrewdavidwong added this to the Release 4.0 updates milestone Dec 2, 2019
@marmarek
Copy link
Member

marmarek commented Dec 2, 2019

We don't fully support kernel lockdown yet (that's why it's disabled by default).

Can you give more details about the problem? Try booting without quiet and rhgh kernel options to see more messages.

@n1m1
Copy link
Author

n1m1 commented Dec 4, 2019

Hi,
this is the message which I can see when I boot the system without quiet and `rhgh' parameters:

Lockdown: systemd-udev: unsigned module loading is restricted: see man kernel_lockdown.7

(which apparently can't be found with man on Dom0 : No manual entry for kernel_lockdown.7

If this is not enough, please, tell me how to save the log messages which appears during the boot process (I am using AEM with an external USB drive).

Cheers.

@marmarek
Copy link
Member

marmarek commented Dec 4, 2019

That's interesting, indeed dom0 kernel modules in this package are not signed, but VM modules built at the same time are. Something is wrong with the packaging process.

@marmarek marmarek mentioned this issue Dec 5, 2019
Closed
@marmarek
Copy link
Member

marmarek commented Dec 5, 2019

Looks like signatures are stripped together with debug symbols...
Upstream Fedora package has some code to sign modules again after handling debug info, I'll include that.

@marmarek marmarek reopened this Dec 6, 2019
@marmarek
Copy link
Member

marmarek commented Dec 6, 2019

While the above solves module signatures issue, lockdown=integrity still breaks Qubes, specifically PCI passthrough. Libvirt daemon is prevented from configuring PCI devices:

Lockdown: libvirtd: direct PCI access is restricted; see man kernel_lockdown.7

This makes it impossible to start sys-net and sys-usb. I'll need to look into it deeper, but I'm afraid there may be no nice way around it. The not nice way would be disabling this particular restriction.

@n1m1
Copy link
Author

n1m1 commented Dec 6, 2019

While the above solves module signatures issue, lockdown=integrity still breaks Qubes, specifically PCI passthrough. Libvirt daemon is prevented from configuring PCI devices:

Lockdown: libvirtd: direct PCI access is restricted; see man kernel_lockdown.7

This makes it impossible to start sys-net and sys-usb. I'll need to look into it deeper, but I'm afraid there may be no nice way around it. The not nice way would be disabling this particular restriction.

Hello and thanks for the time you have spent in order to investigate the issue. Apologies for my ignorance but I am curious about it: does this mean that lockdown is not compatible with Qubes OS?

Cheers

@n1m1 n1m1 changed the title Qubes 4.0 is not booting with boot parameter "lockdown=integrity" or "lockdown=confidentiality" Qubes 4.0 is not booting with boot parameters "lockdown=integrity" or "lockdown=confidentiality" Dec 6, 2019
@marmarek
Copy link
Member

marmarek commented Dec 6, 2019

Yes, this is what it means, at least right now.
You can try using lockdown in VMs (modify kernelopts property).

@n1m1
Copy link
Author

n1m1 commented Dec 6, 2019

Hi, thanks for your answer.
I have enabled lockdown=integrity in a VM. It boots as expected. According to dmesg

[ 0.000000] Kernel is locked down from command line; see man kernel_lockdown.7

@qubesos-bot
Copy link

Automated announcement from builder-github

The package kernel-latest-5.4.2-1.qubes has been pushed to the r4.1 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

@qubesos-bot qubesos-bot mentioned this issue Dec 8, 2019
Closed
@qubesos-bot
Copy link

Automated announcement from builder-github

The package kernel-latest-5.4.2-1.qubes has been pushed to the r4.0 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

@qubesos-bot qubesos-bot mentioned this issue Dec 8, 2019
Closed
@n1m1
Copy link
Author

n1m1 commented Dec 8, 2019
edited by marmarek
Loading

Hello,
I am running linux-kernel-latest v5.4.2-1 . Apparently it has solved the issue. I have been able to boot Dom0 with lockdown=integrity and lockdown=confidentiality without problems. In both cases sys-usb and sys-net were running as expected.

Now, I am using lockdown in integrity mode. According to dmesg | grep lockdown (in Dom0):

[    2.021825] Lockdown: systemd: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
[   38.082721] Lockdown: systemd: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
[   78.846228] Lockdown: Xorg: raw io port access is restricted; see man kernel_lockdown.7
[   79.421837] Lockdown: x86_energy_perf: raw MSR access is restricted; see man kernel_lockdown.7

Cheers

@marmarek
Copy link
Member

marmarek commented Dec 8, 2019

That's interesting, maybe libvirt need to access PCI config space depends on the hardware (and options like permissive mode, strict reset). We'll need to investigate it if/when we'll want to enable it by default.
Anyway, I'm glad it solved the problem for you.

@marmarek marmarek closed this as completed Dec 8, 2019
@n1m1
Copy link
Author

n1m1 commented Dec 8, 2019

@marmarek , thanks a lot for your help. I will keep testing lockdown in the next days. If something changes, I will report it here promptly.

@n1m1
Copy link
Author

n1m1 commented Dec 9, 2019
edited
Loading

Hi,
another small bit of information related to this issue (not sure it is useful). I have enabled lockdown=integrity also in sys-usb and sys-net throught kernelopts. Both boot and work as expected. According to dmesg lockdown is working. However, if some issue emerges, I will open a new specific ticket in order to track it properly.

Cheers.

@qubesos-bot
Copy link

Automated announcement from builder-github

The package kernel-latest-5.4.10-1.qubes has been pushed to the r4.0 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update

@qubesos-bot
Copy link

Automated announcement from builder-github

The package kernel-5.4.21-1.qubes has been pushed to the r4.1 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

This was referenced Feb 26, 2020
Closed
Closed
@qubesos-bot qubesos-bot mentioned this issue Mar 8, 2020
Closed
This was referenced Mar 15, 2020
Closed
Closed
@qubesos-bot qubesos-bot mentioned this issue Mar 31, 2020
Closed
@qubesos-bot qubesos-bot mentioned this issue Apr 16, 2020
Closed
@qubesos-bot qubesos-bot mentioned this issue May 2, 2020
Closed
@qubesos-bot
Copy link

Automated announcement from builder-github

The package kernel-5.4.38-1.qubes has been pushed to the r4.1 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
C: other P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. r4.0-dom0-stable r4.1-dom0-stable
Projects
None yet
Milestone
Release 4.0 updates
Development

No branches or pull requests
4 participants
@marmarek @n1m1 @andrewdavidwong @qubesos-bot