In GNOME Settings this strange message appeared, which two days ago was definitely not present. Yet it is dated May 25th. How can I find out the cause?

From research I think it’s probably a bug in kernel 6.12. But I’d like to have confirmation on that…

I am having the same problem. Kernel 6.12.4 and now just updated to 6.12.5, the problem continues.

Where and when in the settings does the notice appear?

What does the following command report back?

$ cat /sys/kernel/security/lockdown

Can you provide a source / link?

Lockdown is enabled by default on kernel 6.12.5 on Fedora, but it normally shouldn’t produce that message in the GNOME settings:

$ cat /boot/config-$(uname -r) | grep LOCKDOWN

CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y

In GNOME: Settings → Privacy and Security → Device security
(I am translating from pt-br, so it may have different words)

The command you provided came back with this:
[none] integrity confidentiality

Aha, I have the same message there, but with a different date:

Since lockdown is enabled in the kernel config, perhaps it is to be expected then. I’m not sure which specific settings are being referred to.

[none] integrity confidentiality

CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y

[Edit] I’m scratching this comment since what I wrote may be incorrect.

1 Like
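
An added example, not part of any post in this thread, for reading the two outputs quoted above: in `/sys/kernel/security/lockdown` the square brackets mark the mode currently in force, while `CONFIG_SECURITY_LOCKDOWN_LSM=y` only says the lockdown LSM is built into the kernel. The function names are hypothetical and the sample inputs are constructed from the outputs quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): interpret the lockdown outputs quoted above.

# Print the active lockdown mode, i.e. the bracketed word of the sysfs line.
# Returns 1 if the line has no bracketed entry.
lockdown_mode() {
    case $1 in
        *\[*\]*) ;;
        *) return 1 ;;
    esac
    mode=${1#*\[}        # drop everything up to and including '['
    mode=${mode%%\]*}    # drop ']' and everything after it
    printf '%s\n' "$mode"
}

# Succeeds if the kernel config text has the lockdown LSM compiled in.
lsm_built_in() {
    printf '%s\n' "$1" | grep -qx 'CONFIG_SECURITY_LOCKDOWN_LSM=y'
}

# $1 = contents of /sys/kernel/security/lockdown, $2 = kernel config text.
# Prints one of: not-built, unreadable, built-in-but-inactive, active:<mode>
lockdown_report() {
    if ! lsm_built_in "$2"; then
        echo "not-built"
        return 0
    fi
    m=$(lockdown_mode "$1") || { echo "unreadable"; return 0; }
    if [ "$m" = none ]; then
        echo "built-in-but-inactive"
    else
        echo "active:$m"
    fi
}

# Constructed sample inputs, matching the outputs quoted in the thread.
SAMPLE_SYSFS='[none] integrity confidentiality'
SAMPLE_CONFIG='CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y'

lockdown_report "$SAMPLE_SYSFS" "$SAMPLE_CONFIG"

# On a live system (paths as used in the thread):
# lockdown_report "$(cat /sys/kernel/security/lockdown)" \
#                 "$(cat "/boot/config-$(uname -r)")"
```

For the pair of outputs posted here the result is `built-in-but-inactive`: the LSM is present in the kernel, but no lockdown mode is in force.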

It does appear to be an issue with 6.12 based on taking a quick look with 6.11.4

Booting on 6.11.4:
output of fwupdmgr security

Runtime Suffix -!
✔ fwupd plug-ins:                Untainted
✔ CET OS Support:                Supported
✔ Linux kernel lockdown:         Enabled
✔ Linux swap:                    Encrypted
✔ Linux kernel:                  Untainted

Booting with 6.12.6

Runtime Suffix -!
✔ fwupd plug-ins:                Untainted
✔ CET OS Support:                Supported
✔ Linux swap:                    Encrypted
✔ Linux kernel:                  Untainted
✘ Linux kernel lockdown:         Disabled

Filed, 2333706 – Kernel 6.12.6 kernel lockdown disabled

Thanks.

1 Like

Thank you for reporting it on the bug tracker

I really hope that this error is not significant and I can safely update my system and install apps etc.

(I just got this error on a fresh Fedora install, after updating the system)

I don’t think the bug affects the system in everyday use.

I am on a Tuxedo laptop with F41 KDE. I have had the issue for the last four upgrades, around 6.11.11 and recently with 6.12.5. As far as I can tell, it is a bug, but I am no expert.

The temporary fix seems to be:

ls /boot
to determine which initramfs .img is missing

then
sudo su
dracut --kver 6.12.5-200.fc41.x86_64

The above allows me to reboot into the recent upgrade.

Ok, well, this may be the bug that I discovered a year ago or so. I think I’ve reported it too, but nothing’s been done. I may be forgetting something, but there was an issue with the kernel config.

I compile Fedora kernel manually. Previous default kernels had kernel lockdown not enabled by default, so I would change the config manually and turn lockdown on, try to compile, but the config would always disable kernel lockdown.

So I started looking into this, and one of the kernel config options that was required for kernel lockdown to be turned on forced something else off that was required for the kernel lockdown to be on. Something like that. So I am having to manually edit the kernel config default options (that stipulate what’s required for what to be on), and my kernel compiles with the lockdown option enabled and set properly. I wonder if this is why the default kernel compiles without the lockdown enabled.

Merry Christmas!

This doesn’t appear to be the same issue.
You may want to check and see if, System Updater Not Creating initramfs every time it updates the kernel

Thanks

Thanks, I’m not sure that’s the same issue because lockdown was showing as enabled on my two machines running 6.11 before upgrading to 6.12.