zamaudio / intelmetool

My tool for working with Intel Management Engine - RETIRED REPO (see coreboot for new upstream)
https://review.coreboot.org/plugins/gitiles/coreboot/+/refs/heads/master/util/intelmetool

Receiving "iopl: Operation not permitted"/"You need to be root" error #20

Open troyready opened 6 years ago

troyready commented 6 years ago

Attempting to run intelmetool on my Ubuntu 17.10 notebook:

root@mysystem:/home/myuser/intelmetool# rmmod mei_me
root@mysystem:/home/myuser/intelmetool# rmmod mei
root@mysystem:/home/myuser/intelmetool# cat /proc/cmdline
BOOT_IMAGE=/vmlinuz-4.13.0-21-generic.efi.signed root=UUID=UUIDHERE ro iomem=relaxed quiet splash vt.handoff=7
root@mysystem:/home/myuser/intelmetool# ./intelmetool
iopl: Operation not permitted
You need to be root

Tried executing it via sudo as well and received the same error. Didn't have any issues compiling (only received a me.c: In function 'mei_dump': me.c64:18: warning variable 'csr' set but not used [-Wunused-but-set-variable]/struct mei_csr *csr; warning).

Appreciate all the work you've put into this and would love to help troubleshoot if I can!

zamaudio commented 6 years ago

No idea, I just tried on a system with 4.14.7-300.fc27.x86_64 and iomem=relaxed and it worked... Maybe Ubuntu has some special kernel patches applied that prevent PCI I/O space from being mapped? Can you try running it again and then paste the output of dmesg | tail?

zamaudio commented 6 years ago

Maybe paste also cat /boot/config-$(uname -r) |grep DEVMEM

troyready commented 6 years ago

Nothing notable from dmesg (nothing added after running the intelmetool command; last entries are ALLOWED apparmor entries for chromium and wifi association)

for DEVMEM settings:

root@mysystem:/home/myuser/intelmetool# cat /boot/config-$(uname -r) |grep DEVMEM
CONFIG_DEVMEM=y
CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y
CONFIG_STRICT_DEVMEM=y
# CONFIG_IO_STRICT_DEVMEM is not set

zamaudio commented 6 years ago

You can try the mekernel branch of intelmetool instead. I just updated it so you can build the kernel module and insert it, and then check dmesg for its output.

cbarcenas commented 3 years ago

I got this error too, and tracked the issue down.

iopl() returns an error EPERM (Operation not permitted) - even when invoked as root - if the kernel is in "lockdown mode". One of the things that lockdown mode does is disable userspace access to privileged I/O.

You can check if you are in lockdown mode as follows:

$ cat /sys/kernel/security/lockdown 
none [integrity] confidentiality

Modern Linux distributions - such as Debian, in my case - will automatically enter lockdown mode (integrity) when the kernel is booted with EFI Secure Boot enabled. To fix the issue I simply disabled Secure Boot and restarted my machine.
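The check described in the comment above, as an added shell example that is not part of the original thread or of intelmetool: it parses the bracketed active mode from the lockdown file and separates "not root" from "root but locked down". The function names and the LOCKDOWN_FILE override are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: explain an iopl() EPERM by inspecting kernel lockdown state.
# LOCKDOWN_FILE defaults to the path quoted in the thread; the override is an
# assumption of this sketch so the parser can be pointed at a sample file.
LOCKDOWN_FILE="${LOCKDOWN_FILE:-/sys/kernel/security/lockdown}"

# Print the active mode, i.e. the token in [brackets], from a line such as
# "none [integrity] confidentiality". Prints nothing if no token is bracketed.
lockdown_active_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# Return 0 if the given mode restricts raw port I/O. "confidentiality" is a
# superset of "integrity", so both count.
iopl_blocked_by() {
    case "$1" in
        integrity|confidentiality) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = effective uid, $2 = contents of the lockdown file (empty if unreadable).
# Prints one verdict: not-root, lockdown:<mode>, or no-lockdown.
diagnose() {
    mode=$(lockdown_active_mode "$2")
    if [ "$1" -ne 0 ]; then
        echo "not-root"
    elif iopl_blocked_by "$mode"; then
        echo "lockdown:$mode"
    else
        echo "no-lockdown"
    fi
}

line=""
if [ -r "$LOCKDOWN_FILE" ]; then
    line=$(cat "$LOCKDOWN_FILE")
fi
verdict=$(diagnose "$(id -u)" "$line")
case "$verdict" in
    not-root)    echo "Not running as root: iopl() is expected to fail." ;;
    lockdown:*)  echo "Root, but kernel lockdown is '${verdict#lockdown:}': iopl() returns EPERM." ;;
    no-lockdown) echo "No active lockdown found in $LOCKDOWN_FILE; look for another cause." ;;
esac
```

A "no-lockdown" verdict only rules out this one cause; it does not prove that iopl() will succeed.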

eloydegen commented 2 years ago

Issue is fixed with this commit: https://review.coreboot.org/c/coreboot/+/63702

@zamaudio can you close this issue?

zamaudio commented 2 years ago

@eloydegen first of all, your change applies to inteltool, not intelmetool. Second, this repository is retired. I am no longer maintaining it; it is there to preserve history. See coreboot/util for upstream. Thanks.

eloydegen commented 2 years ago

@zamaudio I see, my apologies!