lkrg-org / lkrg

Linux Kernel Runtime Guard
https://lkrg.org

Forced into emergency mode due to "Failed to mount boot-efi.mount" error #198

Closed krishjainx closed 2 years ago

krishjainx commented 2 years ago

Fedora 36, stock kernel: 5.18.9-200.fc36.x86_64

UEFI secure boot is enabled, LUKS encrypted. Module correctly installed, tested, signed and it loads. Grub commandline:

slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off module.sig_enforce=1 mce=0 loglevel=0 spectre_v2=on spec_store_bypass_disable=on ipv6.disable=1

With LKRG installed and enabled on Fedora 36, at boot one sees the emergency mode prompt, and prior to this the error message "Failed to mount boot-efi.mount - /boot/efi". The logs show "[p_lkrg] Blocked usermodehelper execution of [/usr/sbin/modprobe]".

In emergency mode, while LKRG is active, mounting /boot/efi fails and says that vfat is not recognised and to check dmesg, which outputs "Blocked usermodehelper execution of [/usr/sbin/modprobe]" again. When I unload LKRG and then attempt it again, it works as expected.

After some more digging I learnt that lkrg requires kprobes and thus I disabled lockdown in "confidentiality" mode. However, the issue still remains.

I am unable to diagnose the source of this issue. Do you know how to fix it?

Thank you!

krishjainx commented 2 years ago

Update: I added the sysctl "lkrg.umh_validate=0" and that fixes the issue, but that disables validation of uses of usermodehelper, which is not desired. So what can be done about this? @Adam-pi3 @solardiz pinged so that this issue gets noticed. Thank you. Apologies if pinging isn't courteous.

solardiz commented 2 years ago

We use a hard-coded allow list of known programs invoked via UMH. It currently includes /sbin/modprobe, but not /usr/sbin/modprobe. We probably need to add the latter, but I am wondering whether the issue would also occur for other programs - did Fedora make a global change perhaps causing /usr/sbin paths to be used, or is this an isolated occurrence?
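As an added example (not LKRG's code, and not the project's actual allow list), here is a small Python triage script for the situation solardiz describes: it parses the "[p_lkrg] Blocked usermodehelper execution of [...]" lines from dmesg or `journalctl -k` output, counts each blocked path, checks it against a model of the hard-coded UMH allow list, and flags paths that differ from an allowed entry only by the /usr merge (/sbin vs /usr/sbin). That last check is a heuristic of this example, useful for telling a path-spelling mismatch apart from a genuinely unknown helper. The allow-list contents beyond /sbin/modprobe and /usr/sbin/modprobe, the sample log lines, and the /tmp helper path are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Optional

# Model of the allow list before the fix: /sbin/modprobe is present,
# /usr/sbin/modprobe is not (as stated in the thread). LKRG's real list
# has more entries; only these two are taken from the discussion.
UMH_ALLOW_LIST_BEFORE = frozenset({"/sbin/modprobe"})
# Model of the allow list after adding the /usr/sbin spelling.
UMH_ALLOW_LIST_AFTER = UMH_ALLOW_LIST_BEFORE | {"/usr/sbin/modprobe"}

# Matches the log line LKRG emits when it refuses a usermodehelper call.
LOG_RE = re.compile(
    r"\[p_lkrg\] Blocked usermodehelper execution of \[(?P<path>[^\]]+)\]"
)

# Constructed sample of kernel log output (not a real capture).
SAMPLE_DMESG = """\
[   12.345678] [p_lkrg] Blocked usermodehelper execution of [/usr/sbin/modprobe]
[   12.456789] [p_lkrg] Blocked usermodehelper execution of [/usr/sbin/modprobe]
[   13.000000] Failed to mount boot-efi.mount - /boot/efi
[   14.000000] [p_lkrg] Blocked usermodehelper execution of [/tmp/constructed-unknown-helper]
"""


def blocked_paths(lines: Iterable[str]) -> List[str]:
    """Return every path LKRG reported as blocked, in log order."""
    found = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            found.append(m.group("path"))
    return found


def is_allowed(path: str, allow_list: frozenset) -> bool:
    """Exact-match check, mirroring a literal-path allow list."""
    return path in allow_list


def usrmerge_alias(path: str, allow_list: frozenset) -> Optional[str]:
    """If the same program is allowed under the other /usr-merge spelling
    (/sbin/x vs /usr/sbin/x), return that allowed spelling, else None.
    Heuristic added for this example; LKRG itself matches literally."""
    candidate = path[len("/usr"):] if path.startswith("/usr/") else "/usr" + path
    return candidate if candidate in allow_list else None


def triage(lines: Iterable[str], allow_list: frozenset) -> Dict[str, dict]:
    """Count blocked paths and classify each against the allow list."""
    report: Dict[str, dict] = {}
    for path in blocked_paths(lines):
        entry = report.setdefault(path, {"count": 0, "alias_allowed": None})
        entry["count"] += 1
        if entry["count"] == 1:
            entry["alias_allowed"] = usrmerge_alias(path, allow_list)
    return report


if __name__ == "__main__":
    for path, info in triage(SAMPLE_DMESG.splitlines(), UMH_ALLOW_LIST_BEFORE).items():
        if info["alias_allowed"]:
            verdict = f"spelling mismatch: {info['alias_allowed']} is allowed"
        else:
            verdict = "not in allow list under either spelling"
        print(f"{path}: blocked {info['count']}x, {verdict}")
```

Run against real output with `journalctl -k --no-pager | python3 triage.py` after swapping `SAMPLE_DMESG` for `sys.stdin`; a path reported as a spelling mismatch is the case this issue is about, whereas a path with no allowed alias is worth investigating before loosening `lkrg.umh_validate`.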

krishjainx commented 2 years ago

I'm not completely sure but I do believe that Fedora uses /usr/sbin/modprobe by default. Which distribution have you tested lkrg on? RHEL or CentOS Stream?

solardiz commented 2 years ago

@Krish-sysadmin We test on many different distributions - including automated testing here on GitHub Actions using many different distros and kernel versions. However, for some of the distros we only test LKRG build, not its correct operation. That includes Fedora. We also manually test/use LKRG on various distros.

Does the fix I committed earlier today work for you on Fedora 36? If it does, then please try reverting your lockdown setting to Fedora's default - it will probably work as well. Please let us know of your results of all of these tests. Thank you!

Regarding DKMS, that's off-topic on this issue, but I don't mind if someone more familiar with it and/or having tested it specifically with LKRG on Fedora answers.

krishjainx commented 2 years ago

> Does the fix I committed earlier today work for you on Fedora 36? If it does, then please try reverting your lockdown setting to Fedora's default - it will probably work as well. Please let us know of your results of all of these tests. Thank you!

Yup it does fix it. Thanks a ton.

Regarding DKMS, I realise it's off-topic, but I'm curious how you use LKRG personally? How do you get it to work on kernel upgrades? Thanks again.

solardiz commented 2 years ago

@Krish-sysadmin I rebuild LKRG manually.

solardiz commented 2 years ago

@Krish-sysadmin As I already told you elsewhere, there isn't "the one" distro I use. There are many. One of those you might not have tried yet is Qubes OS, but I don't use LKRG there (except for testing in VMs) - little point in doing so, given Qubes' different security model.

We do indeed have that DKMS configuration file in the tree here, and it's indeed for rebuilding LKRG via DKMS. However, LKRG is not a one-man project, and personally I don't use DKMS to rebuild LKRG.

We should probably add instructions on setting up LKRG with DKMS, however I'd leave that and answering your further questions on it to someone who actually uses that.

solardiz commented 2 years ago

@Krish-sysadmin I use multiple distros on multiple computers. I'm not comfortable discussing my personal use further.

krishjainx commented 2 years ago

OK. Could you tell me the distros on which not only the LKRG build is tested but also its correct operation? Like Fedora is not.

solardiz commented 2 years ago

@Krish-sysadmin In GitHub Actions, it's several versions of Ubuntu. In our manual testing, it's also CentOS 7 and Alma/Rocky Linux 8.

krishjainx commented 2 years ago

So Fedora, RHEL or Debian/Ubuntu are safer bets than, say, Arch Linux or Void Linux.

solardiz commented 2 years ago

Arch Linux in particular has LKRG packaged, so presumably it works there: https://aur.archlinux.org/packages/lkrg-dkms

Anyway, we'd appreciate it if you continue testing on your Fedora, including with its default lockdown setting.

krishjainx commented 2 years ago

Pull request #200 @solardiz