odi-3
(Angelo Schirinzi)
1
In GNOME Settings this strange message appeared, which two days ago was definitely not present. Yet it is dated May 25th. How can I find out the cause?
odi-3
(Angelo Schirinzi)
2
From research I think it’s probably a bug in kernel 6.12. But I’d like to have confirmation on that…
rodtells
(Rodrigo Telles)
3
I am having the same problem. Kernel 6.12.4 and now just updated to 6.12.5, the problem continues.
litemotiv
(Olivier)
5
Where and when in the settings does the notice appear?
What does the following command report back?
$ cat /sys/kernel/security/lockdown
Can you provide a source / link?
lockdown is enabled by default on kernel 6.12.5 on Fedora, but it normally shouldn’t produce that message in the GNOME settings:
$ cat /boot/config-$(uname -r) | grep LOCKDOWN
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
rodtells
(Rodrigo Telles)
6
In GNOME: Settings → Privacy and Security → Device security
(I am translating from pt-br, so it may have different words)
The command you provided came back this:
[none] integrity confidentiality
litemotiv
(Olivier)
7
Aha, I have the same message there, but with a different date:
Since lockdown is enabled in the kernel config, perhaps it is to be expected then. I’m not sure which specific settings are being referred to.
odi-3
(Angelo Schirinzi)
8
[none] integrity confidentiality
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
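Added example, not part of any post in this thread: the two outputs quoted above answer different questions. The config lines say the lockdown LSM is compiled in, while the bracketed word in /sys/kernel/security/lockdown is the mode currently in force. The function names and the temporary sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: interpret the lockdown state file and kernel config quoted in the thread.

# Print the active lockdown mode: the token the kernel wraps in [brackets].
lockdown_mode() {
    f="${1:-/sys/kernel/security/lockdown}"
    [ -r "$f" ] || { echo "unavailable"; return 1; }
    mode=$(tr ' ' '\n' < "$f" | sed -n 's/^\[\(.*\)\]$/\1/p' | head -n 1)
    [ -n "$mode" ] || { echo "unparsed"; return 1; }
    echo "$mode"
}

# Succeed if the kernel config file says the lockdown LSM is compiled in.
lockdown_built_in() {
    cfg="${1:-/boot/config-$(uname -r)}"
    grep -q '^CONFIG_SECURITY_LOCKDOWN_LSM=y$' "$cfg" 2>/dev/null
}

# Combine both checks: compiled in is not the same as enforcing.
lockdown_status() {
    lockdown_built_in "$1" || { echo "not built in or config unreadable"; return 0; }
    mode=$(lockdown_mode "$2") || { echo "built in, mode $mode"; return 0; }
    case "$mode" in
        none) echo "built in but inactive" ;;
        integrity|confidentiality) echo "active: $mode" ;;
        *) echo "built in, mode $mode" ;;
    esac
}

# Constructed sample input mirroring the outputs quoted in the thread.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'CONFIG_SECURITY_LOCKDOWN_LSM=y' 'CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y' > "$tmp/config"
printf '%s\n' '[none] integrity confidentiality' > "$tmp/state_none"
printf '%s\n' 'none [integrity] confidentiality' > "$tmp/state_integrity"

lockdown_status "$tmp/config" "$tmp/state_none"
lockdown_status "$tmp/config" "$tmp/state_integrity"
```

Calling `lockdown_status` with no arguments reads the running system's /boot/config-$(uname -r) and /sys/kernel/security/lockdown instead of the sample files.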
litemotiv
(Olivier)
9
[Edit] I’m scratching this comment since what I wrote may be incorrect.
grumpey
(Joe)
10
It does appear to be an issue with 6.12 based on taking a quick look with 6.11.4
Booting on 6.11.4:
output of fwupdmgr security
Runtime Suffix -!
✔ fwupd plug-ins: Untainted
✔ CET OS Support: Supported
✔ Linux kernel lockdown: Enabled
✔ Linux swap: Encrypted
✔ Linux kernel: Untainted
Booting with 6.12.6
Runtime Suffix -!
✔ fwupd plug-ins: Untainted
✔ CET OS Support: Supported
✔ Linux swap: Encrypted
✔ Linux kernel: Untainted
✘ Linux kernel lockdown: Disabled
Filed, 2333706 – Kernel 6.12.6 kernel lockdown disabled
Thanks.
odi-3
(Angelo Schirinzi)
11
Thank you for reporting it on the bug tracker
I really hope that this error is not significant and I can safely update my system and install apps etc.
(I just got this error on a fresh Fedora install, after updating the system)
odi-3
(Angelo Schirinzi)
13
I don’t think the bug affects the system in everyday use.
prexecom
(Mike Reardon)
14
I am on a Tuxedo laptop with F41 KDE. I have had the issue for the last four upgrades, around 6.11.11 and recently with 6.12.5. As far as I can tell, it is a bug, but I am no expert.
The temporary fix seems to be:
ls /boot
to determine which initramfs .img is missing
then
sudo su
dracut --kver 6.12.5-200.fc41.x86_64
The above allows me to reboot into recent upgrade
Ok, well, this may be the bug that I’ve discovered a year ago or so. I think I’ve reported it too, but nothing’s been done. I may be forgetting something, but there was an issue with the kernel config.
I compile Fedora kernel manually. Previous default kernels had kernel lockdown not enabled by default, so I would change the config manually and turn lockdown on, try to compile, but the config would always disable kernel lockdown.
So I started looking into this, and one of the kernel config options that was required for kernel lockdown to be turned on forced something else off that was required for the kernel lockdown to be on. Something like that. So I am having to manually edit the kernel config default options (that stipulate what’s required for what to be on), and my kernel compiles with the lockdown option enabled and set properly. I wonder if this is why the default kernel compiles without the lockdown enabled.
Merry Christmas!
grumpey
(Joe)
16
This doesn’t appear to be the same issue.
You may want to check and see if, System Updater Not Creating initramfs every time it updates the kernel
Thanks
grumpey
(Joe)
17
Thanks, I’m not sure that’s the same issue because lockdown was showing as enabled on my two machines running 6.11 before upgrading to 6.12.