igo95862 / cfs-zen-tweaks

Tweak Linux CPU scheduler for desktop responsiveness
GNU General Public License v2.0

LSM module `lockdown` prevents `/sys/kernel/debug` access under Secure Boot #3

Open nijek opened 2 years ago

nijek commented 2 years ago

Hello, I'm using Ubuntu 21.10. When I try to run "systemctl enable --now set-cfs-tweaks.service", even with sudo, I get an error.

when I run systemctl status set-cfs-tweaks.service I get this:

```
× set-cfs-tweaks.service - Set CFS tweaks
     Loaded: loaded (/lib/systemd/system/set-cfs-tweaks.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Wed 2021-11-24 18:18:45 -03; 10s ago
    Process: 5499 ExecStart=/usr/sbin/set-cfs-zen-tweaks.bash (code=exited, status=1/FAILURE)
   Main PID: 5499 (code=exited, status=1/FAILURE)
        CPU: 13ms

nov 24 18:18:45 nikolai systemd[1]: Starting Set CFS tweaks...
nov 24 18:18:45 nikolai set-cfs-zen-tweaks.bash[5499]: Targeted preemption latency for CPU-bound tasks: 4ms
nov 24 18:18:45 nikolai set-cfs-zen-tweaks.bash[5499]: Minimal preemption granularity for CPU-bound tasks: 0.4ms
nov 24 18:18:45 nikolai set-cfs-zen-tweaks.bash[5499]: Wake-up granularity: 0.5ms
nov 24 18:18:45 nikolai set-cfs-zen-tweaks.bash[5499]: Task migration cost: 0.25ms
nov 24 18:18:45 nikolai set-cfs-zen-tweaks.bash[5499]: Amount of runtime to allocate from global to local pool: 3ms
nov 24 18:18:45 nikolai set-cfs-zen-tweaks.bash[5499]: /usr/sbin/set-cfs-zen-tweaks.bash: line 57: /sys/kernel/debug/sched/latency_ns: Operation not permitted
nov 24 18:18:45 nikolai systemd[1]: set-cfs-tweaks.service: Main process exited, code=exited, status=1/FAILURE
nov 24 18:18:45 nikolai systemd[1]: set-cfs-tweaks.service: Failed with result 'exit-code'.
nov 24 18:18:45 nikolai systemd[1]: Failed to start Set CFS tweaks.
```

igo95862 commented 2 years ago

@nijek Do you have a custom kernel installed?

Kind of looks like what happened here as well https://github.com/igo95862/cfs-zen-tweaks/issues/1#issuecomment-974662838 .

Try running cat /proc/version or cat /proc/version_signature and posting output.

igo95862 commented 2 years ago

I tried Ubuntu 21.10 in a VM and everything worked fine.

nijek commented 2 years ago

I'm using the default ubuntu kernel. It worked after I disabled secure boot.

```
nikolai@nikolai:debs$ cat /proc/version
Linux version 5.13.0-21-generic (buildd@lgw01-amd64-052) (gcc (Ubuntu 11.2.0-7ubuntu2) 11.2.0, GNU ld (GNU Binutils for Ubuntu) 2.37) #21-Ubuntu SMP Tue Oct 19 08:59:28 UTC 2021
nikolai@nikolai:debs$ cat /proc/version_signature
Ubuntu 5.13.0-21.21-generic 5.13.18
```

nijek commented 2 years ago

If I run the script directly I get this:

```
nikolai@nikolai:cfs-zen-tweaks-1.2.0$ ./set-cfs-zen-tweaks.bash
Targeted preemption latency for CPU-bound tasks: 4ms
Minimal preemption granularity for CPU-bound tasks: 0.4ms
Wake-up granularity: 0.5ms
Task migration cost: 0.25ms
Amount of runtime to allocate from global to local pool: 3ms
Detected kernel <5.13. Using legacy locations.
./set-cfs-zen-tweaks.bash: line 57: /proc/sys/kernel/sched_latency_ns: No such file or directory
```

igo95862 commented 2 years ago

> If I run the script directly I get this:

You need to run it with sudo, when running manually.

not-a-dev-stein commented 2 years ago

Can confirm that the latency_ns issue is related to secure boot, disabling it on my system made the script work fine, but whenever I re-enable it it stops working again.

igo95862 commented 2 years ago

> Can confirm that the latency_ns issue is related to secure boot, disabling it on my system made the script work fine, but whenever I re-enable it it stops working again.

Good to know. I will add a warning to README and investigate if it can be fixed.

igo95862 commented 2 years ago

@nijek @not-a-dev-stein I might have found the solution.

Would you mind running zcat /proc/config.gz | grep CONFIG_LSM and posting output?

This is what I have:

CONFIG_LSM="landlock,lockdown,yama,bpf"

(you can also do cat /sys/kernel/security/lsm)

The important part here is the lockdown part. When a Secure Boot is enabled it disables all access to /sys/kernel/debug.

To disable lockdown, try modifying the boot settings to add an lsm= kernel parameter with the list of LSM modules without lockdown. For example, in my case it will be lsm=landlock,yama,bpf

not-a-dev-stein commented 2 years ago

Tried it and got the same error as before.

igo95862 commented 2 years ago

> Tried it and got the same error as before.

If you run cat /sys/kernel/security/lsm does lockdown still show up?

not-a-dev-stein commented 2 years ago

It didn't, what I got was: capability,yama,selinux,bpf,landlock

igo95862 commented 2 years ago

Ok I will look in to that more.

People say that using Alt+Sysrq+X might disable lockdown mode: https://unix.stackexchange.com/questions/652867/disable-kernel-lockdown-in-runtime

igo95862 commented 2 years ago

Also try cat /sys/kernel/security/lockdown

igo95862 commented 2 years ago

@nijek @not-a-dev-stein I tested on my laptop with Secure Boot enabled and I don't have any issues reading or writing into debugfs. I believe that both Fedora and Ubuntu ship some tighter security lockdown (because they shipped it before it was included in the upstream kernel) but Arch Linux uses the upstream kernel one.

When I do cat /sys/kernel/security/lockdown on my Secure Boot system I get [none] integrity confidentiality.

I believe there is a lockdown= kernel boot parameter that controls the level of lockdown. Maybe setting it to none will allow reading/ writing to debugfs.
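The thread above boils down to two checks a user can run before writing to debugfs: which LSMs are active (`/sys/kernel/security/lsm`) and which lockdown mode is in effect (`/sys/kernel/security/lockdown`, which brackets the active mode, e.g. `[none] integrity confidentiality`). The following is an added example, not code from cfs-zen-tweaks or its author: a preflight that parses the lockdown node and reports a clear reason instead of the bare "Operation not permitted" from line 57 of the script. The function names (`lockdown_mode`, `check_cfs_target`) and the second path argument used to substitute a test file for the real securityfs node are assumptions of this example; the treatment of an unreadable securityfs node as "unknown" (falling through to a direct writability test) is also an assumption, since the page only describes what the node contains when present.

```shell
#!/bin/sh
# Added example (not part of cfs-zen-tweaks): preflight check for kernel
# lockdown before writing CFS tunables into /sys/kernel/debug.

# Extract the active lockdown mode from the contents of
# /sys/kernel/security/lockdown. The node lists every mode and brackets the
# active one, e.g. "[none] integrity confidentiality" -> "none".
lockdown_mode() {
    contents="$1"
    mode=$(printf '%s\n' "$contents" | grep -o '\[[a-z]*\]' | tr -d '[]' || true)
    printf '%s' "${mode:-unknown}"
}

# Return 0 when debugfs writes are expected to succeed under the given mode.
# "integrity" and "confidentiality" both block debugfs (the "Operation not
# permitted" seen in this issue). "unknown" (no readable node) is assumed
# here to mean we cannot conclude anything, so the caller falls through to
# a direct writability test.
debugfs_writable_under() {
    case "$1" in
        none|unknown) return 0 ;;
        *) return 1 ;;
    esac
}

# Read the live lockdown mode; the optional argument substitutes a file path
# (used by tests) for the real securityfs node.
current_lockdown_mode() {
    path="${1:-/sys/kernel/security/lockdown}"
    if [ -r "$path" ]; then
        lockdown_mode "$(cat "$path")"
    else
        printf 'unknown'
    fi
}

# Preflight wrapper: exit 2 when lockdown will deny the write, exit 1 when the
# target itself is not writable (not root, or the kernel lacks this tunable),
# exit 0 when the write should work.
check_cfs_target() {
    target="${1:-/sys/kernel/debug/sched/latency_ns}"
    lockdown_path="${2:-/sys/kernel/security/lockdown}"
    mode=$(current_lockdown_mode "$lockdown_path")
    if ! debugfs_writable_under "$mode"; then
        echo "kernel lockdown mode is '$mode': writes to $target will be denied" >&2
        echo "check: cat /sys/kernel/security/lsm and the lsm= / lockdown= boot parameters" >&2
        return 2
    fi
    if [ ! -w "$target" ]; then
        echo "$target is not writable (run as root, or the kernel lacks this tunable)" >&2
        return 1
    fi
    return 0
}

# Usage from a wrapper script: abort early with the explanation above.
# check_cfs_target /sys/kernel/debug/sched/latency_ns || exit $?
```

Calling `check_cfs_target` at the top of a tunables script turns the cryptic write failure into an explicit message naming lockdown as the cause, and the non-zero exit codes keep `systemctl status` honest about why the unit failed.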