microsoft / azurelinux

Linux OS for Azure 1P services and edge appliances
MIT License

AZL3: How to remove lockdown kernel parameter in ISO #10746

Open ankithmr opened 1 month ago

ankithmr commented 1 month ago

I am using the AZL3 ISO and customizing it for our HPE servers. I need to disable the lockdown=integrity parameter in the base ISO. I tried removing it from grub.cfg, but the OS still comes up with the "lockdown=integrity" parameter. It seems the parameter is coming from somewhere else. Can you please share the correct way to update it in the ISO?

I tried it in the following file:

set timeout=0

# The use of mariner.media=CDROM is a workaround that our installer does not require
# but it is observed to be needed to boot on some hardware/SoCs.
menuentry "Azure Linux" {
    search --label CDROM --set root
    linux /isolinux/vmlinuz root=/dev/ram0 mariner.media=CDROM lockdown=integrity sysctl.kernel.unprivileged_bpf_disabled=1 console=tty0 console=ttyS0,115200n8
    initrd /isolinux/initrd.img
}
elsaco commented 1 month ago

@ankithmr are you using Secure Boot? From man page: On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled if the system boots in EFI Secure Boot mode

ankithmr commented 1 month ago

I checked the bios setting and secure boot is disabled.

"SecureBootStatus": "Disabled"

zcobol commented 4 weeks ago

If Secure Boot is disabled, removing lockdown=integrity from the boot menu (on startup, or by editing /boot/grub2/grub.cfg) should work:

zcobol@texas:~$ ssh zcobol@192.168.124.57
Welcome to Microsoft Azure Linux 3.0 (x86_64)
Last login: Thu Oct 17 17:39:47 2024 from 192.168.124.1
zcobol@august [ ~ ]$ sudo dmesg | grep -i secure
[    0.000000] secureboot: Secure boot disabled
[    0.285800] Loaded X.509 cert 'Microsoft Corporation: Mariner Secure Boot(Production Signing): b42d6b9e2809b7b9097cff9e9b0194b86e80bf95'
zcobol@august [ ~ ]$ cat /proc/cmdline 
BOOT_IMAGE=/boot/vmlinuz-6.6.51.1-5.azl3 root=UUID=b3ee3f09-b879-4633-befa-a2616848d8cf ro selinux=0 rd.auto=1 net.ifnames=0
zcobol@august [ ~ ]$ cat /sys/kernel/security/lockdown 
[none] integrity confidentiality
ankithmr commented 4 weeks ago

Sorry, I probably wasn't clear in my first message. I want to make sure that it is removed in the ISO itself. We use an automated installation process and want to remove it in the ISO.

I already tried removing the parameter from the grub file and recreating the ISO, but it doesn't help.

zcobol commented 4 weeks ago

@ankithmr you need to build your own ISO image. First modify https://github.com/microsoft/azurelinux/blob/3.0/toolkit/resources/assets/isomaker/iso_root_static_files/boot/grub2/grub.cfg and remove lockdown=integrity, then run make iso and choose the image config you want. There are several options in the toolkit/imageconfigs folder.
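The two steps discussed in this thread, editing the toolkit's grub.cfg before rebuilding the ISO and then confirming on the booted system that the kernel is not in lockdown, as an added example script. This is not part of the azurelinux toolkit or of any comment above; the grub.cfg content below is constructed to mirror the one quoted in the issue, and the file paths are temporary ones chosen for illustration (on a real system the lockdown state is read from /sys/kernel/security/lockdown). Two caveats the thread raises are worth keeping in mind: the edit only removes the explicit parameter, so with Secure Boot enabled the kernel will still enter lockdown on its own, and the ISO has to be rebuilt with make iso after the source grub.cfg is changed.

```shell
#!/bin/sh
# Added example, not from the azurelinux toolkit: strip the lockdown= kernel
# parameter from every "linux ..." line of a grub.cfg, verify the result, and
# read back the active lockdown mode from a securityfs-style file.
# Assumptions: the grub.cfg below is constructed; paths are temporary.

set -eu

# Remove "lockdown=<value>" (any value) from each grub "linux" line, leaving
# the rest of the kernel command line untouched. Prints the edited file.
strip_lockdown() {
    # $1: path to grub.cfg
    sed -E '/^[[:space:]]*linux[[:space:]]/ s/[[:space:]]+lockdown=[^[:space:]]+//g' "$1"
}

# Succeed (0) only if no "linux" line in the file still carries lockdown=.
check_no_lockdown() {
    # $1: path to grub.cfg
    ! grep -Eq '^[[:space:]]*linux[[:space:]].*[[:space:]]lockdown=' "$1"
}

# Extract the active lockdown mode: the kernel marks it in brackets, e.g.
# "[none] integrity confidentiality" -> "none".
lockdown_mode() {
    # $1: path to a file with the content of /sys/kernel/security/lockdown
    sed -nE 's/.*\[([a-z]+)\].*/\1/p' "$1"
}

# --- constructed sample grub.cfg, mirroring the one quoted in the issue ---
tmp=$(mktemp -d)
cat > "$tmp/grub.cfg" <<'EOF'
set timeout=0
menuentry "Azure Linux" {
    search --label CDROM --set root
    linux /isolinux/vmlinuz root=/dev/ram0 mariner.media=CDROM lockdown=integrity sysctl.kernel.unprivileged_bpf_disabled=1 console=tty0 console=ttyS0,115200n8
    initrd /isolinux/initrd.img
}
EOF

# Step 1: produce the edited grub.cfg (copy it over the toolkit's file, then run make iso).
strip_lockdown "$tmp/grub.cfg" > "$tmp/grub.cfg.new"
check_no_lockdown "$tmp/grub.cfg.new" && echo "lockdown= removed: $tmp/grub.cfg.new"

# Step 2: on the booted system, confirm the kernel agrees. Here a constructed
# copy of the securityfs file stands in for /sys/kernel/security/lockdown.
printf '[none] integrity confidentiality\n' > "$tmp/lockdown"
echo "active lockdown mode: $(lockdown_mode "$tmp/lockdown")"
```

If lockdown_mode reports integrity even though the parameter is gone from /proc/cmdline, check dmesg for the Secure Boot state as done above, since EFI Secure Boot enables lockdown without any command-line parameter.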