From: Disha Goel <disgoel@linux.ibm.com>
To: Daniel Wagner <dwagner@suse.de>
Cc: "Shin'ichiro Kawasaki" <shinichiro.kawasaki@wdc.com>,
linux-block@vger.kernel.org
Subject: Re: [PATCH blktests] blktrace/001: Skip test when kernel lockdown is enabled
Date: Mon, 11 May 2026 13:16:03 +0530 [thread overview]
Message-ID: <1621bb15-b425-42d8-9ced-b3886dce1060@linux.ibm.com> (raw)
In-Reply-To: <440d1e82-e54f-4709-829b-24d8fb16246e@flourine.local>
On 08/05/26 11:09 pm, Daniel Wagner wrote:
> On Fri, May 08, 2026 at 04:51:41PM +0530, Disha Goel wrote:
>> After further investigation, I've identified the root cause. This
>> failure is seen on SLES 16.x and RHEL 10.x with 6.12-based kernels when
>> Secure Boot is enabled (kernel lockdown active).
>
> SLES ships an bunch of additional patches which hardens the lockdown
> feature a bit more. IIRC these are the same as RHEL uses. Not sure if
> this is the source of the problem though.
>
> https://raw.githubusercontent.com/openSUSE/kernel-source/refs/heads/SL-16.1/series.conf
>
> # Lock down functions for secure boot
> patches.suse/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-down.patch
> patches.suse/lockdown-fix-kernel-lockdown-enforcement-issue-when-secure.patch
> patches.suse/0002-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-boot-mode.patch
> patches.suse/0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mode.patch
> patches.suse/0004-efi-Lock-down-the-kernel-at-the-integrity-level-if-b.patch
>
> The patches are in https://github.com/openSUSE/kernel-source/tree/SL-16.1/patches.suse
Hi Daniel,
Thank you for pointing me to the SUSE lockdown patches. After analysing
them, I found that the second patch (lockdown-fix-kernel-lockdown-
enforcement-issue-when-secure.patch) is causing the issue.
This patch fixes bsc#1237521 by directly calling lockdown hooks, but it
appears to be too restrictive - it blocks blktrace from accessing
debugfs even though upstream kernel 7.1+ allows this with lockdown enabled.
The patch works around a timing issue but has the side effect of
blocking legitimate debugging tools. Is this intentional, or should
debugging tools like blktrace be allowed even with lockdown enabled?
--
Regards,
Disha
next prev parent reply other threads:[~2026-05-11 7:46 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-24 14:11 [PATCH blktests] blktrace/001: Skip test when kernel lockdown is enabled Disha Goel
2026-04-29 13:52 ` Shin'ichiro Kawasaki
2026-05-08 11:21 ` Disha Goel
2026-05-08 17:39 ` Daniel Wagner
2026-05-11 7:46 ` Disha Goel [this message]
2026-05-11 7:58 ` Daniel Wagner
2026-05-09 10:35 ` Shin'ichiro Kawasaki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1621bb15-b425-42d8-9ced-b3886dce1060@linux.ibm.com \
--to=disgoel@linux.ibm.com \
--cc=dwagner@suse.de \
--cc=linux-block@vger.kernel.org \
--cc=shinichiro.kawasaki@wdc.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox