search

pop-os / system76-scheduler

Auto-configure CFS and process priorities for improved desktop responsiveness
Mozilla Public License 2.0
548 stars 34 forks source link

Incompatibility with Secure Boot & Lockdown #50

Open KyleGospo opened 2 years ago

KyleGospo commented 2 years ago

On Linux distros with Secure Boot enabled Kernel Lockdown can prevent access to /sys/kernel/debug/*, rendering system76-scheduler unable to tune the scheduler:

May 24 09:59:37 daedalus system76-scheduler[240248]: failed to set value in /sys/kernel/debug/sched/latency_ns: Operation not permitted (os error 1)
May 24 09:59:37 daedalus system76-scheduler[240248]: failed to set value in /sys/kernel/debug/sched/min_granularity_ns: Operation not permitted (os error 1)
May 24 09:59:37 daedalus system76-scheduler[240248]: failed to set value in /sys/kernel/debug/sched/wakeup_granularity_ns: Operation not permitted (os error 1)
May 24 09:59:37 daedalus system76-scheduler[240248]: failed to set value in /sys/kernel/debug/sched/preempt: Operation not permitted (os error 1)

Outside of a kernel patch to add new params outside of debug there may not be a way around this as those params can only be tweaked at boot in this scenario from what I can tell. Might just need to update documentation to warn the user about this.

bdaase commented 2 years ago

What are the implications of this inability to tweaks these values (I am wondering since I see the above log messages)? Do we still expect to see improvements from system76-scheduler?

mmstick commented 2 years ago

Applications can only do what the kernel permits, so if the kernel doesn't allow it, it can't be done.

mbana commented 2 years ago

Hello, if you find a solution to this, please let me know. I doubt it.

Enabling SecureBoot does not allow one to write to debugfs.

Perhaps, enabling writing to to debugfs can be enabled by adding a udev rule. I'm not sure.

What is the Kernel config parameter that prohibits writing to debugfs whilst SecureBoot is enabled?

skewballfox commented 1 year ago

What is the Kernel config parameter that prohibits writing to debugfs whilst SecureBoot is enabled?

probably already found this out but I'm pretty sure it's lockdown. you can get the current state of lockdown via cat /sys/kernel/security/lockdown and access it's man page via man lockdown 7. if it's in integrity mode I think debugfs is read-only.

I'm seeing similar issues for linux-zen and qemu, so it might be worthwhile to search through there previous issues/comments to see if anyone found a solution that doesn't just involve disabling it, but so far I haven't found anything to indicate you could use a udev rule to work around this.