NeddySeagoon Administrator


Joined: 05 Jul 2003 Posts: 55186 Location: 56N 3W
|
Posted: Sat Apr 26, 2025 3:09 pm Post subject: |
|
|
pingtoo,
Test with a decompressed kernel then. It's in the build tree. vmlinux? _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
pingtoo Veteran


Joined: 10 Sep 2021 Posts: 1642 Location: Richmond Hill, Canada
|
Posted: Sat Apr 26, 2025 3:53 pm Post subject: |
|
|
NeddySeagoon wrote: | pingtoo,
Test with a decompressed kernel then. It's in the build tree. vmlinux? |
I don't know yet. But I will include this idea in the instructions for alecStewart1. |
|
pingtoo Veteran


Joined: 10 Sep 2021 Posts: 1642 Location: Richmond Hill, Canada
|
Posted: Sat Apr 26, 2025 8:40 pm Post subject: |
|
|
alecStewart1,
We will focus on the kernel, so for now ignore the initrd and the automated install helper tool. We will be doing most of it manually.
We will start out by gathering information and setting up a reference point for runtime comparison:
- please wgetpaste your gentoo-bin-dist .config and your custom kernel .config. I will be examining kernel source code, so I need to see the full content, not just a diff.
- please create a boot entry for gentoo-bin-dist. We will use this as a reference for what the kernel messages of a successful boot should look like.
- command line arguments: "earlycon=efifb keep_bootcon ignore_loglevel efi=debug"
- please create a boot entry for your custom kernel with the same boot parameters as the gentoo-bin-dist boot entry.
- please share the output of efibootmgr -u after you have done the above steps.
- please share the output of "file /path/to/your/custom_kernel_image_file", so we can understand the format of the file.
- optional but good to have: use "app-misc/binwalk" to examine the custom kernel image file.
- binwalk /path/to/your/custom_kernel_image_file
- I would like to see the directory content of linux/drivers/firmware/efi/libstub/*, because I am examining source code and I would like to know which files got compiled.
- I suggest we build a kernel with gcc with minimal CFLAGS to get a reference point. We will use this as a base to build up to how you want to customize.
- ls -la linux/drivers/firmware/efi/libstub/
Additional ideas we might need to try if we are not able to find clues:
- copy the decompressed kernel to /efi/
- create a boot entry for the decompressed kernel image file. May require grub
My current idea is that maybe the custom kernel compression has gone wrong, so I would like to see the messages at the very top of boot that show "EFI stub: ..."
If possible I would like to see the entire boot messages, for both the custom kernel and gentoo-bin-dist. |
|
alecStewart1 Apprentice

Joined: 03 Jul 2022 Posts: 240
|
Posted: Sat Apr 26, 2025 11:11 pm Post subject: |
|
|
NeddySeagoon wrote: |
alecStewart1,
Is there any chance of getting a serial console on a real serial port?
|
No idea, sorry.
NeddySeagoon wrote: |
Is measured boot or secure boot in use?
They can stop things dead too.
|
Nope. I didn't do anything else fancy with the actual boot process.
NeddySeagoon wrote: |
We can try some analysis.
Post your and pastebin your current non working kernel .config file.
Getting a console will be a step in the right direction and that's all I would aim to do, to start with. |
lspci -nnk
Code: |
00:00.0 Host bridge [0600]: Intel Corporation Device [8086:4648] (rev 02)
DeviceName: Onboard - Other
Subsystem: Micro-Star International Co., Ltd. [MSI] Device [1462:7d32]
00:01.0 PCI bridge [0604]: Intel Corporation 12th Gen Core Processor PCI Express x16 Controller #1 [8086:460d] (rev 02)
Subsystem: Micro-Star International Co., Ltd. [MSI] Device [1462:7d32]
Kernel driver in use: pcieport
00:02.0 Display controller [0380]: Intel Corporation AlderLake-S GT1 [8086:4680] (rev 0c)
DeviceName: Onboard - Video
Subsystem: Micro-Star International Co., Ltd. [MSI] Device [1462:7d32]
Kernel driver in use: i915
Kernel modules: i915, xe
00:06.0 PCI bridge [0604]: Intel Corporation 12th Gen Core Processor PCI Express x4 Controller #0 [8086:464d] (rev 02)
Kernel driver in use: pcieport
00:08.0 System peripheral [0880]: Intel Corporation 12th Gen Core Processor Gaussian & Neural Accelerator [8086:464f] (rev 02)
DeviceName: Onboard - Other
Subsystem: Micro-Star International Co., Ltd. [MSI] Device [1462:7d32]
00:0a.0 Signal processing controller [1180]: Intel Corporation Platform Monitoring Technology [8086:467d] (rev 01)
DeviceName: Onboard - Other
Kernel driver in use: intel_vsec
Kernel modules: intel_vsec
00:14.0 USB controller [0c03]: Intel Corporation Alder Lake-S PCH USB 3.2 Gen 2x2 XHCI Controller [8086:7ae0] (rev 11)
DeviceName: Onboard - Other
Subsystem: Micro-Star International Co., Ltd. [MSI] Device [1462:7d32]
Kernel driver in use: xhci_hcd
00:14.2 RAM memory [0500]: Intel Corporation Alder Lake-S PCH Shared SRAM [8086:7aa7] (rev 11)
DeviceName: Onboard - Other
00:14.3 Network controller [0280]: Intel Corporation Alder Lake-S PCH CNVi WiFi [8086:7af0] (rev 11)
DeviceName: Onboard - Ethernet
Subsystem: Intel Corporation Wi-Fi 6 AX201 160MHz [8086:0094]
Kernel driver in use: iwlwifi
Kernel modules: iwlwifi
00:16.0 Communication controller [0780]: Intel Corporation Alder Lake-S PCH HECI Controller #1 [8086:7ae8] (rev 11)
DeviceName: Onboard - Other
Subsystem: Micro-Star International Co., Ltd. [MSI] Device [1462:7d32]
Kernel driver in use: mei_me
Kernel modules: mei_me
00:17.0 SATA controller [0106]: Intel Corporation Alder Lake-S PCH SATA Controller [AHCI Mode] [8086:7ae2] (rev 11)
DeviceName: Onboard - SATA
Subsystem: Micro-Star International Co., Ltd. [MSI] Device [1462:7d32]
Kernel driver in use: ahci
00:1c.0 PCI bridge [0604]: Intel Corporation Alder Lake-S PCH PCI Express Root Port #1 [8086:7ab8] (rev 11)
Kernel driver in use: pcieport
00:1c.3 PCI bridge [0604]: Intel Corporation Device [8086:7abb] (rev 11)
Subsystem: Micro-Star International Co., Ltd. [MSI] Device [1462:7d32]
Kernel driver in use: pcieport
00:1f.0 ISA bridge [0601]: Intel Corporation Z690 Chipset LPC/eSPI Controller [8086:7a84] (rev 11)
DeviceName: Onboard - Other
Subsystem: Micro-Star International Co., Ltd. [MSI] Device [1462:7d32]
00:1f.3 Audio device [0403]: Intel Corporation Alder Lake-S HD Audio Controller [8086:7ad0] (rev 11)
DeviceName: Onboard - Sound
Subsystem: Micro-Star International Co., Ltd. [MSI] Device [1462:7d32]
Kernel driver in use: snd_hda_intel
Kernel modules: snd_hda_intel, snd_soc_avs, snd_sof_pci_intel_tgl
00:1f.4 SMBus [0c05]: Intel Corporation Alder Lake-S PCH SMBus Controller [8086:7aa3] (rev 11)
DeviceName: Onboard - Other
Subsystem: Micro-Star International Co., Ltd. [MSI] Device [1462:7d32]
Kernel driver in use: i801_smbus
Kernel modules: i2c_i801
00:1f.5 Serial bus controller [0c80]: Intel Corporation Alder Lake-S PCH SPI Controller [8086:7aa4] (rev 11)
DeviceName: Onboard - Other
Subsystem: Micro-Star International Co., Ltd. [MSI] Device [1462:7d32]
Kernel driver in use: intel-spi
Kernel modules: spi_intel_pci
01:00.0 PCI bridge [0604]: Advanced Micro Devices, Inc. [AMD/ATI] Navi 10 XL Upstream Port of PCI Express Switch [1002:1478] (rev c1)
Kernel driver in use: pcieport
02:00.0 PCI bridge [0604]: Advanced Micro Devices, Inc. [AMD/ATI] Navi 10 XL Downstream Port of PCI Express Switch [1002:1479]
Subsystem: Advanced Micro Devices, Inc. [AMD/ATI] Navi 10 XL Downstream Port of PCI Express Switch [1002:1479]
Kernel driver in use: pcieport
03:00.0 VGA compatible controller [0300]: Advanced Micro Devices, Inc. [AMD/ATI] Navi 22 [Radeon RX 6700/6700 XT/6750 XT / 6800M/6850M XT] [1002:73df] (rev c1)
Subsystem: Micro-Star International Co., Ltd. [MSI] Radeon RX 6700 XT Mech 2X 12G [MSI] [1462:3980]
Kernel driver in use: amdgpu
Kernel modules: amdgpu
03:00.1 Audio device [0403]: Advanced Micro Devices, Inc. [AMD/ATI] Navi 21/23 HDMI/DP Audio Controller [1002:ab28]
Subsystem: Advanced Micro Devices, Inc. [AMD/ATI] Navi 21/23 HDMI/DP Audio Controller [1002:ab28]
Kernel driver in use: snd_hda_intel
Kernel modules: snd_hda_intel
04:00.0 Non-Volatile memory controller [0108]: Samsung Electronics Co Ltd NVMe SSD Controller SM981/PM981/PM983 [144d:a808]
Subsystem: Samsung Electronics Co Ltd SSD 970 EVO/PRO [144d:a801]
Kernel driver in use: nvme
Kernel modules: nvme
06:00.0 Ethernet controller [0200]: Intel Corporation Ethernet Controller I225-V [8086:15f3] (rev 03)
Subsystem: Micro-Star International Co., Ltd. [MSI] Device [1462:7d32]
Kernel driver in use: igc
Kernel modules: igc
|
Kernel config:
https://dpaste.com/27VV9Y2MT |
|
alecStewart1 Apprentice

Joined: 03 Jul 2022 Posts: 240
|
Posted: Sat Apr 26, 2025 11:14 pm Post subject: |
|
|
pingtoo wrote: | alecStewart1,
We will focus on the kernel, so for now ignore the initrd and the automated install helper tool. We will be doing most of it manually.
We will start out by gathering information and setting up a reference point for runtime comparison:
- please wgetpaste your gentoo-bin-dist .config and your custom kernel .config. I will be examining kernel source code, so I need to see the full content, not just a diff.
- please create a boot entry for gentoo-bin-dist. We will use this as a reference for what the kernel messages of a successful boot should look like.
- command line arguments: "earlycon=efifb keep_bootcon ignore_loglevel efi=debug"
- please create a boot entry for your custom kernel with the same boot parameters as the gentoo-bin-dist boot entry.
- please share the output of efibootmgr -u after you have done the above steps.
- please share the output of "file /path/to/your/custom_kernel_image_file", so we can understand the format of the file.
- optional but good to have: use "app-misc/binwalk" to examine the custom kernel image file.
- binwalk /path/to/your/custom_kernel_image_file
- I would like to see the directory content of linux/drivers/firmware/efi/libstub/*, because I am examining source code and I would like to know which files got compiled.
- I suggest we build a kernel with gcc with minimal CFLAGS to get a reference point. We will use this as a base to build up to how you want to customize.
- ls -la linux/drivers/firmware/efi/libstub/
Additional ideas we might need to try if we are not able to find clues:
- copy the decompressed kernel to /efi/
- create a boot entry for the decompressed kernel image file. May require grub
My current idea is that maybe the custom kernel compression has gone wrong, so I would like to see the messages at the very top of boot that show "EFI stub: ..."
If possible I would like to see the entire boot messages, for both the custom kernel and gentoo-bin-dist. |
Will do. I'll post all of this in a bit. |
|
alecStewart1 Apprentice

Joined: 03 Jul 2022 Posts: 240
|
Posted: Sat Apr 26, 2025 11:58 pm Post subject: |
|
|
gentoo-kernel-bin:
http://dpaste.com/H9CGB8L7T
custom kernel .config:
http://dpaste.com/F4LTZEAF8
Boot entries:
Code: | BootCurrent: 01FD
Timeout: 0 seconds
BootOrder: 0002,0000,01FD,0201,0001
Boot0000* Debug (Gentoo Bin Dist) HD(1,GPT,d5d977e1-f515-574f-8949-caf8f2c41559,0x800,0x80000)/\EFI\Gentoo\vmlinuz-6.14.4-gentoo-dist.efi earlycon=efifb keep_bootcon ignore_loglevel efi=debug initrd=\EFI\Gentoo\amd-uc.img initrd=\EFI\Gentoo\intel-uc.img initrd=\EFI\Gentoo\initramfs-6.14.4-gentoo-dist.img
Boot0001* UEFI: Patriot Memory PMAP, Partition 2 PciRoot(0x0)/Pci(0x14,0x0)/USB(10,0)/HD(2,GPT,3c14bf9d-d220-4e30-9902-40b3f5d1d6eb,0x23c,0x1680)
Boot0002* Debug (CachyOS Sources) HD(1,GPT,d5d977e1-f515-574f-8949-caf8f2c41559,0x800,0x80000)/\EFI\BOOT\BOOTx64.EFI earlycon=efifb keep_bootcon ignore_loglevel efi=debug initrd=\EFI\BOOT\amd-uc.img initrd=\EFI\BOOT\intel-uc.img initrd=\EFI\BOOT\initramfs.cpio
Boot01FD* UMC 1 Gentoo Linux 6.14.4 HD(1,GPT,d5d977e1-f515-574f-8949-caf8f2c41559,0x800,0x80000)/\EFI\Gentoo\vmlinuz-6.14.4-gentoo-dist.efi ro earlyprintk=efi efi=debug debug loglevel=8 init_on_alloc=1 init_on_free=1 spectre_v2=on spec_store_bypass_disable=seccomp randomize_kstack_offset=on random.trust_cpu=off pti=on page_poison=1 page_alloc.shuffle=1 hardened_usercopy=1 mce=0 vsyscall=none rng_core.default_quality=512 apparmor=1 security=apparmor lsm=landlock,lockdown,yama,loadpin,safesetid,smack,tomoyo,apparmor,ipe,bpf driver=free amdgpu.modeset=1 video=DP-1:2560x1440@165 zswap.enabled=1 zswap.compressor=zstd zswap.zpool=zsmalloc zswap.max_pool_percent=15 initrd=\EFI\Gentoo\amd-uc.img initrd=\EFI\Gentoo\intel-uc.img initrd=\EFI\Gentoo\initramfs-6.14.4-gentoo-dist.img
Boot0201* UEFI OS HD(1,GPT,d5d977e1-f515-574f-8949-caf8f2c41559,0x800,0x80000)/\EFI\BOOT\BOOTX64.EFI |
File description of custom kernel image:
Code: |
file /efi/EFI/BOOT/BOOTx64.EFI
/efi/EFI/BOOT/BOOTx64.EFI: Linux kernel x86 boot executable bzImage, version 6.14.3 (root@gentoo) #1 SMP PREEMPT_DYNAMIC Fri Apr 25 21:55:09 CDT 2025, RO-rootFS, swap_dev 0XE, Normal VGA
|
File description of custom kernel initramfs:
Code: |
file /efi/EFI/BOOT/initramfs.cpio
/efi/EFI/BOOT/initramfs.cpio: Zstandard compressed data (v0.8+), Dictionary ID: None
|
binwalk output:
Code: |
/efi/EFI/BOOT/BOOTx64.EFI
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
21188 0x52C4 ZSTD compressed data, total size: 15518682 bytes
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
|
ls -la /usr/src/linux-6.14.3-cachyos/drivers/firmware/efi/libstub/
Code: |
total 1196
drwxr-xr-x 1 root root 2238 Apr 25 23:16 ./
drwxr-xr-x 1 root root 872 Apr 25 23:16 ../
-rw-r--r-- 1 root root 1176 Apr 25 21:50 alignedmem.o
-rw-r--r-- 1 root root 56749 Apr 25 21:50 .alignedmem.o.cmd
-rw-r--r-- 1 root root 1056 Apr 25 21:50 alignedmem.stub.o
-rw-r--r-- 1 root root 537 Apr 25 21:50 .alignedmem.stub.o.cmd
-rw-r--r-- 1 root root 11176 Apr 25 21:50 efi-stub-helper.o
-rw-r--r-- 1 root root 57631 Apr 25 21:50 .efi-stub-helper.o.cmd
-rw-r--r-- 1 root root 11064 Apr 25 21:50 efi-stub-helper.stub.o
-rw-r--r-- 1 root root 572 Apr 25 21:50 .efi-stub-helper.stub.o.cmd
-rw-r--r-- 1 root root 4656 Apr 25 21:50 file.o
-rw-r--r-- 1 root root 56897 Apr 25 21:50 .file.o.cmd
-rw-r--r-- 1 root root 4528 Apr 25 21:50 file.stub.o
-rw-r--r-- 1 root root 495 Apr 25 21:50 .file.stub.o.cmd
-rw-r--r-- 1 root root 7336 Apr 25 21:50 gop.o
-rw-r--r-- 1 root root 57362 Apr 25 21:50 .gop.o.cmd
-rw-r--r-- 1 root root 7224 Apr 25 21:50 gop.stub.o
-rw-r--r-- 1 root root 488 Apr 25 21:50 .gop.stub.o.cmd
-rw-r--r-- 1 root root 2778 Apr 25 21:50 lib.a
-rw-r--r-- 1 root root 985 Apr 25 21:50 .lib.a.cmd
-rw-r--r-- 1 root root 3264 Apr 25 21:50 lib-cmdline.o
-rw-r--r-- 1 root root 11415 Apr 25 21:50 .lib-cmdline.o.cmd
-rw-r--r-- 1 root root 3144 Apr 25 21:50 lib-cmdline.stub.o
-rw-r--r-- 1 root root 544 Apr 25 21:50 .lib-cmdline.stub.o.cmd
-rw-r--r-- 1 root root 1056 Apr 25 21:50 lib-ctype.o
-rw-r--r-- 1 root root 4866 Apr 25 21:50 .lib-ctype.o.cmd
-rw-r--r-- 1 root root 936 Apr 25 21:50 lib-ctype.stub.o
-rw-r--r-- 1 root root 530 Apr 25 21:50 .lib-ctype.stub.o.cmd
-rw-r--r-- 1 root root 1720 Apr 25 21:50 mem.o
-rw-r--r-- 1 root root 56651 Apr 25 21:50 .mem.o.cmd
-rw-r--r-- 1 root root 1608 Apr 25 21:50 mem.stub.o
-rw-r--r-- 1 root root 488 Apr 25 21:50 .mem.stub.o.cmd
-rw-r--r-- 1 root root 2056 Apr 25 21:50 pci.o
-rw-r--r-- 1 root root 59261 Apr 25 21:50 .pci.o.cmd
-rw-r--r-- 1 root root 1944 Apr 25 21:50 pci.stub.o
-rw-r--r-- 1 root root 488 Apr 25 21:50 .pci.stub.o.cmd
-rw-r--r-- 1 root root 2128 Apr 25 21:50 printk.o
-rw-r--r-- 1 root root 57404 Apr 25 21:50 .printk.o.cmd
-rw-r--r-- 1 root root 2000 Apr 25 21:50 printk.stub.o
-rw-r--r-- 1 root root 509 Apr 25 21:50 .printk.stub.o.cmd
-rw-r--r-- 1 root root 1528 Apr 25 21:50 randomalloc.o
-rw-r--r-- 1 root root 56763 Apr 25 21:50 .randomalloc.o.cmd
-rw-r--r-- 1 root root 1408 Apr 25 21:50 randomalloc.stub.o
-rw-r--r-- 1 root root 544 Apr 25 21:50 .randomalloc.stub.o.cmd
-rw-r--r-- 1 root root 3096 Apr 25 21:50 random.o
-rw-r--r-- 1 root root 56693 Apr 25 21:50 .random.o.cmd
-rw-r--r-- 1 root root 2984 Apr 25 21:50 random.stub.o
-rw-r--r-- 1 root root 509 Apr 25 21:50 .random.stub.o.cmd
-rw-r--r-- 1 root root 1976 Apr 25 21:50 relocate.o
-rw-r--r-- 1 root root 56721 Apr 25 21:50 .relocate.o.cmd
-rw-r--r-- 1 root root 1864 Apr 25 21:50 relocate.stub.o
-rw-r--r-- 1 root root 523 Apr 25 21:50 .relocate.stub.o.cmd
-rw-r--r-- 1 root root 2120 Apr 25 21:50 secureboot.o
-rw-r--r-- 1 root root 56749 Apr 25 21:50 .secureboot.o.cmd
-rw-r--r-- 1 root root 2000 Apr 25 21:50 secureboot.stub.o
-rw-r--r-- 1 root root 537 Apr 25 21:50 .secureboot.stub.o.cmd
-rw-r--r-- 1 root root 896 Apr 25 21:50 skip_spaces.o
-rw-r--r-- 1 root root 5561 Apr 25 21:50 .skip_spaces.o.cmd
-rw-r--r-- 1 root root 776 Apr 25 21:50 skip_spaces.stub.o
-rw-r--r-- 1 root root 544 Apr 25 21:50 .skip_spaces.stub.o.cmd
-rw-r--r-- 1 root root 1184 Apr 25 21:50 smbios.o
-rw-r--r-- 1 root root 56693 Apr 25 21:50 .smbios.o.cmd
-rw-r--r-- 1 root root 1072 Apr 25 21:50 smbios.stub.o
-rw-r--r-- 1 root root 509 Apr 25 21:50 .smbios.stub.o.cmd
-rw-r--r-- 1 root root 3704 Apr 25 21:50 tpm.o
-rw-r--r-- 1 root root 60982 Apr 25 21:50 .tpm.o.cmd
-rw-r--r-- 1 root root 3584 Apr 25 21:50 tpm.stub.o
-rw-r--r-- 1 root root 488 Apr 25 21:50 .tpm.stub.o.cmd
-rw-r--r-- 1 root root 5464 Apr 25 21:50 vsprintf.o
-rw-r--r-- 1 root root 11431 Apr 25 21:50 .vsprintf.o.cmd
-rw-r--r-- 1 root root 5352 Apr 25 21:50 vsprintf.stub.o
-rw-r--r-- 1 root root 523 Apr 25 21:50 .vsprintf.stub.o.cmd
-rw-r--r-- 1 root root 2152 Apr 25 21:50 x86-5lvl.o
-rw-r--r-- 1 root root 56925 Apr 25 21:50 .x86-5lvl.o.cmd
-rw-r--r-- 1 root root 2032 Apr 25 21:50 x86-5lvl.stub.o
-rw-r--r-- 1 root root 523 Apr 25 21:50 .x86-5lvl.stub.o.cmd
-rw-r--r-- 1 root root 11400 Apr 25 21:50 x86-stub.o
-rw-r--r-- 1 root root 60829 Apr 25 21:50 .x86-stub.o.cmd
-rw-r--r-- 1 root root 11288 Apr 25 21:50 x86-stub.stub.o
-rw-r--r-- 1 root root 523 Apr 25 21:50 .x86-stub.stub.o.cmd
|
|
|
pietinger Moderator

Joined: 17 Oct 2006 Posts: 5627 Location: Bavaria
|
Posted: Sun Apr 27, 2025 12:06 am Post subject: |
|
|
alecStewart1,
I can fully understand your desire for a secure system because I am paranoid about security myself ... BUT ... you have to know what is useful for what. An example: The 4 LSMs “SeLinux, AppArmor, Tomoyo and Smack” are mutually exclusive -> you can only have one active. Yes, you can compile all of them into the kernel, but you can only activate one of them. And I really don't think you are using "Smack":
Code: | CONFIG_DEFAULT_SECURITY_SMACK=y |
Change it back to:
Code: | DEFAULT_SECURITY_DAC |
You have to do this in "make menuconfig" (like everything else - never edit the .config) - here:
Code: | Security options --->
First legacy 'major LSM' to be initialized (Unix Discretionary Access Controls) ---> |
This one is even worse:
Code: | CONFIG_IMA=y
CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y |
Deactivate IMA completely. (Yes, I have written a Wiki article on IMA ... there are also some links to this article ... if you read other articles carefully).
Currently with this kernel .config you would get a kernel panic if you would start this kernel WITHOUT initramfs, because these options are NOT statically included:
Code: | CONFIG_NVME_CORE=m
CONFIG_BLK_DEV_NVME=m |
+
Filesystem of your root partition must be also statically included ... One of them (I don't know your FS of rootP):
Code: | # CONFIG_EXT4_FS is not set
CONFIG_BTRFS_FS=m |
Deactivate this:
Code: | CONFIG_NVME_KEYRING=m
CONFIG_NVME_AUTH=m |
To be on the safe side enable this statically:
This option very often causes problems (black screen) and should be urgently deactivated:
Code: | CONFIG_SYSFB_SIMPLEFB=y |
To be on the safe side, the default should be used here; set it to gzip:
Code: | CONFIG_KERNEL_ZSTD=y |
To be on the safe side disable all these:
Code: | CONFIG_RESET_ATTACK_MITIGATION=y
CONFIG_EFI_EARLYCON=y
CONFIG_EFI_CUSTOM_SSDT_OVERLAYS=y |
To be on the safe side enable this statically:
Code: | CONFIG_KEYBOARD_ATKBD=m |
You don't need this (at the moment it is not stable; i915 is sufficient)
Enable this:
Code: | # CONFIG_IRQ_REMAP is not set |
You maybe need one of LPSS; enabling both is okay; you don't need LPC_SCH:
Code: | CONFIG_LPC_SCH=m
# CONFIG_MFD_INTEL_LPSS_ACPI is not set
# CONFIG_MFD_INTEL_LPSS_PCI is not set |
You have gentoo-sources with Use-flag "experimental" and chose this:
Code: | CONFIG_MALDERLAKE=y |
I don't know if there are problems with this in combination with CLANG ... maybe our developer @sam or @mpagano can tell more about it.
This is not related to your problem ... but to be complete ... you will need one of them ... yes, you have an AlderLake ... but some systems need TigerLake instead ... with both enabled you will have no problems:
Code: | # CONFIG_PINCTRL_ALDERLAKE is not set
# CONFIG_PINCTRL_TIGERLAKE is not set |
_________________ https://wiki.gentoo.org/wiki/User:Pietinger |
|
pietinger Moderator

Joined: 17 Oct 2006 Posts: 5627 Location: Bavaria
|
Posted: Sun Apr 27, 2025 9:40 am Post subject: |
|
|
Now I had a look at your boot entries ... there are no kernel command line parameters IN your kernel configured:
Code: | # CONFIG_CMDLINE_BOOL is not set |
This means, you must give ALL necessary parameters via a bootmanager OR via UEFI (you already know this) ... BUT ... there is no "root=...." in your UEFI parameters (I don't know which entry you want to take to boot this kernel, but I miss the parameter root=... in some entries). _________________ https://wiki.gentoo.org/wiki/User:Pietinger |
|
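A check along the lines of pietinger's two posts above, added here as an example and not posted by anyone in the thread: it reads a kernel .config and a boot entry's command line and reports what would stop the root filesystem from being mounted. The .config fragment and command lines are constructed from values quoted in the thread; a btrfs root on NVMe is an assumption, and `parse_config`, `audit_boot` and their arguments are hypothetical names.

```python
import re

def parse_config(text):
    """Map option name (without CONFIG_) to 'y', 'm', a string value, or 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"CONFIG_(\w+)=(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = re.match(r"# CONFIG_(\w+) is not set$", line)
        if m:
            opts[m.group(1)] = "n"
    return opts

def audit_boot(opts, cmdline, root_path_opts):
    """Return (severity, item, message) tuples for one boot entry.

    root_path_opts lists the options needed to reach and mount the root
    filesystem (storage driver plus filesystem). The caller chooses them;
    nothing here detects the real root device.
    """
    args = cmdline.split()
    has_initrd = any(a.startswith("initrd=") for a in args)
    findings = []
    for name in root_path_opts:
        state = opts.get(name, "n")
        if state == "y":
            continue  # built in: usable before any root filesystem exists
        if state == "m" and has_initrd:
            findings.append(("warn", name, "=m, the module must be inside the initramfs"))
        else:
            findings.append(("fail", name, f"={state}, root cannot be mounted without an initramfs"))
    # A built-in command line only counts when CONFIG_CMDLINE_BOOL is enabled.
    builtin = opts.get("CMDLINE", "") if opts.get("CMDLINE_BOOL") == "y" else ""
    if not any(a.startswith("root=") for a in args + builtin.split()):
        severity = "warn" if has_initrd else "fail"
        findings.append((severity, "root=", "not on the boot entry and not built in via CONFIG_CMDLINE"))
    return findings

# Constructed fragment using option states quoted in the thread.
THREAD_CONFIG = """\
CONFIG_NVME_CORE=m
CONFIG_BLK_DEV_NVME=m
# CONFIG_EXT4_FS is not set
CONFIG_BTRFS_FS=m
# CONFIG_CMDLINE_BOOL is not set
"""
ROOT_PATH = ["NVME_CORE", "BLK_DEV_NVME", "BTRFS_FS"]  # assumption: btrfs root on NVMe
DEBUG_ARGS = "earlycon=efifb keep_bootcon ignore_loglevel efi=debug"
INITRD_ARG = r" initrd=\EFI\BOOT\initramfs.cpio"

if __name__ == "__main__":
    opts = parse_config(THREAD_CONFIG)
    for label, cmdline in (("without initramfs", DEBUG_ARGS),
                           ("with initramfs", DEBUG_ARGS + INITRD_ARG)):
        print(label)
        for severity, item, message in audit_boot(opts, cmdline, ROOT_PATH):
            print(f"  [{severity}] {item}: {message}")
```
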
pingtoo Veteran


Joined: 10 Sep 2021 Posts: 1642 Location: Richmond Hill, Canada
|
Posted: Sun Apr 27, 2025 12:58 pm Post subject: |
|
|
alecStewart1,
Thank you very much for generating all this information, much appreciated.
Quick comment: I am a bit surprised that binwalk for your custom kernel only shows one line. Maybe I need to find options for binwalk to dig deeper. But in the meantime, can you run binwalk on the gentoo-bin-dist kernel so we can compare?
Also, by any chance did you get boot message output from gentoo-bin-dist and your custom kernel? It is OK to take a picture too; I would like to see the top part of both. Note: for gentoo-bin-dist, I am asking for "Boot0000* Debug (Gentoo Bin Dist)" because this uses the same kernel command line arguments, so it is easier to control.
I will work on it now. This may take a bit of time because I will need to examine source code and possibly rebuild your custom kernel to verify, so I might be quiet for a day or two.
pietinger,
Quote: | This means, you must give ALL necessary parameters via a bootmanager OR via UEFI (you already know this) ... BUT ... there is no "root=...." in your UEFI parameters (I don't know which entry you want to take to boot this kernel, but I miss the parameter root=... in some entries).
| This is left out intentionally for now because we want to focus on getting boot messages displayed. At the moment we don't know if the kernel actually starts executing or not, because all we got is the EFI stub loading the initrd and nothing else. |
|
alecStewart1 Apprentice

Joined: 03 Jul 2022 Posts: 240
|
Posted: Sun Apr 27, 2025 3:38 pm Post subject: |
|
|
pingtoo wrote: | alecStewart1,
Thank you very much for generating all this information, much appreciated.
Quick comment: I am a bit surprised that binwalk for your custom kernel only shows one line. Maybe I need to find options for binwalk to dig deeper. But in the meantime, can you run binwalk on the gentoo-bin-dist kernel so we can compare?
Also, by any chance did you get boot message output from gentoo-bin-dist and your custom kernel? It is OK to take a picture too; I would like to see the top part of both. Note: for gentoo-bin-dist, I am asking for "Boot0000* Debug (Gentoo Bin Dist)" because this uses the same kernel command line arguments, so it is easier to control.
I will work on it now. This may take a bit of time because I will need to examine source code and possibly rebuild your custom kernel to verify, so I might be quiet for a day or two.
|
Appreciate it. Nothing more interesting from the gentoo-bin-dist kernel, unfortunately:
Code: |
binwalk3 -v extractions/vmlinuz-6.14.4-gentoo-dist.efi
/home/alec/binwalks/extractions/vmlinuz-6.14.4-gentoo-dist.efi
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
21196 0x52CC gzip compressed data, operating system: Unix, timestamp: 1970-01-01 00:00:00, total size: 20831019 bytes
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Analyzed 1 file for 85 file signatures (187 magic patterns) in 162.0 milliseconds
|
I tried the -e option, which is to extract, so that's why you see that extractions/ directory...but binwalk still doesn't produce anything interesting. |
|
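How the single binwalk hit in both outputs relates to the image layout, as an added example that is not from the thread: the x86 boot protocol header inside a bzImage records where the compressed payload starts, so its offset and magic bytes can be read directly and compared with what binwalk reports. Field offsets are those of the kernel's x86 boot protocol documentation; the image built by `build_sample` is constructed, and `parse_bzimage` is a hypothetical helper name.

```python
import struct

# Leading magic bytes of compressors a kernel payload may use.
MAGICS = [
    (b"\x1f\x8b\x08", "gzip"),
    (b"\x28\xb5\x2f\xfd", "zstd"),
    (b"\xfd7zXZ\x00", "xz"),
    (b"BZh", "bzip2"),
    (b"\x02\x21\x4c\x18", "lz4 (legacy frame)"),
]

def identify(blob):
    """Name the compressor whose magic the blob starts with."""
    for magic, name in MAGICS:
        if blob.startswith(magic):
            return name
    return "unknown"

def parse_bzimage(image):
    """Locate the compressed payload of an x86 bzImage from its setup header."""
    if len(image) < 0x250 or image[0x202:0x206] != b"HdrS":
        raise ValueError("no x86 setup header (HdrS) found")
    if struct.unpack_from("<H", image, 0x1FE)[0] != 0xAA55:
        raise ValueError("boot_flag is not 0xAA55")
    version = struct.unpack_from("<H", image, 0x206)[0]
    if version < 0x0208:
        raise ValueError("boot protocol older than 2.08 has no payload_offset")
    setup_sects = image[0x1F1] or 4        # 0 means 4, for backward compatibility
    pm_start = (setup_sects + 1) * 512     # boot sector plus setup sectors
    # payload_offset is relative to the start of the protected-mode code.
    payload_offset, payload_length = struct.unpack_from("<II", image, 0x248)
    start = pm_start + payload_offset
    payload = image[start:start + payload_length]
    return {
        "protocol": f"{version >> 8}.{version & 0xFF:02d}",
        "payload_file_offset": start,
        "payload_length": payload_length,
        "compression": identify(payload),
        # A short read means the file ends before the header says it should.
        "truncated": len(payload) < payload_length,
    }

def build_sample(magic):
    """Constructed stand-in for a bzImage: header fields plus a fake payload."""
    setup = bytearray(1024)                # boot sector + 1 setup sector
    setup[0x1F1] = 1
    struct.pack_into("<H", setup, 0x1FE, 0xAA55)
    setup[0x202:0x206] = b"HdrS"
    struct.pack_into("<H", setup, 0x206, 0x020F)
    payload = magic + b"\x00" * 60
    struct.pack_into("<II", setup, 0x248, 0x40, len(payload))
    return bytes(setup) + b"\x90" * 0x40 + payload

if __name__ == "__main__":
    for magic in (b"\x28\xb5\x2f\xfd", b"\x1f\x8b\x08"):
        info = parse_bzimage(build_sample(magic))
        print(f"{info['compression']:5} at 0x{info['payload_file_offset']:X}, "
              f"{info['payload_length']} bytes, truncated={info['truncated']}")
```

On a real image, pass the file's bytes to `parse_bzimage` and compare `payload_file_offset` with the offset binwalk prints.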
pingtoo Veteran


Joined: 10 Sep 2021 Posts: 1642 Location: Richmond Hill, Canada
|
Posted: Sun Apr 27, 2025 4:09 pm Post subject: |
|
|
alecStewart1,
Thanks.
Any chance of getting boot messages?
If there is no easy way to capture boot messages, can you describe the boot process, from the moment of power on until you think the machine stopped? Do you get a chance to use 'F2'/"F12"/"DEL"/"F11" or something to get into BIOS setup so you can select the boot menu?
Once you boot an entry (especially the non-functional one), what happens? Does something from EFI Boot Service (firmware) give information on what it is trying? Then when "EFI stub: ..." shows, were there any more lines than those you posted?
Is there any fan sound or keyboard LED indicator lit? Is the ethernet LED lit?
I did compare the gentoo-bin-dist and your custom kernel config and I am not seeing anything obvious that would cause boot messages not to display on screen, so it could be something deeper in the configuration or something else. However, one thing I would like you to try on your custom kernel config is to set CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER=y. The intention is to allow preboot messages to be left on the screen so they will not be blanked out by the frame buffer driver. Let me know if you can test this or not. |
|
pietinger Moderator

Joined: 17 Oct 2006 Posts: 5627 Location: Bavaria
|
Posted: Sun Apr 27, 2025 4:36 pm Post subject: |
|
|
pingtoo wrote: | [...] try one thing on your custom kernel config is to set CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER=y. The intention is to allow preboot messages left on the screen so it will not be blank out by frame buffer driver. Let me know if you can test this or not. |
The AMDGPU (and also i915) module are configured as <M>odule, so we should see in every case some boot messages (yes, I have also controlled console in kernel .config; all good). _________________ https://wiki.gentoo.org/wiki/User:Pietinger |
|
NeddySeagoon Administrator


Joined: 05 Jul 2003 Posts: 55186 Location: 56N 3W
|
Posted: Sun Apr 27, 2025 6:48 pm Post subject: |
|
|
pietinger,
EFI Framebuffer will start first.
Once the modules and firmware for AMDGPU and i915 load, the kernel will switch to one of them.
If it chooses AMDGPU and there is no firmware provided, there may never be any messages on the EFI framebuffer as the switch to the broken console driver will be very quick.
Pedantic point. i915 only needs firmware for power management. It will still operate without the firmware.
-- edit --
Turning off both AMDGPU and i915 in the kernel takes that choice away from the kernel and just leaves EFI framebuffer. _________________ Regards,
NeddySeagoon
|
pietinger Moderator

Joined: 17 Oct 2006 Posts: 5627 Location: Bavaria
|
Posted: Sun Apr 27, 2025 7:33 pm Post subject: |
|
|
NeddySeagoon wrote: | Once the modules and firmware for AMDGPU and i915 load, the kernel will switch to one of them. |
Yes ... I know ... IF AMDGPU is a module (yes; it is; I checked the kernel .config) THEN it will be initialised AFTER kernel has access to its root partition (*) and THEN the kernel is able (and does it) to load needed firmware files from /lib/firmware. Therefore it is okay if CONFIG_EXTRA_FIRMWARE="" is empty ... (okay not really; if no initramfs is in use THEN there should be the CPU microcode; but it was not relevant to this problem)
*) If kernel has no access to its root partition we get a kernel panic ... and we should see it in framebuffer console ... because he has a correct CONFIG_PANIC_TIMEOUT=0 _________________ https://wiki.gentoo.org/wiki/User:Pietinger |
|
alecStewart1 Apprentice

Joined: 03 Jul 2022 Posts: 240
|
Posted: Tue Apr 29, 2025 2:05 am Post subject: |
|
|
Alright, I got something from booting in the debugging kernel images. I'll see if I can post the images somehow, but what I see is:
Code: |
Missing ENDBR: 0xfffffffae967fd0
-------------[ cut here ]-------------
kernel BUG at /arch/x86/kernel/cet.c:132!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G T 6.14.3 #2
Tainted: [T]=RANDSTRUCT
// bunch of other memory and register addresses
PKRU: 5555554
Kernel panic - not syncing: Fatal exception in interrupt
|
I'll see if I can upload the images.
EDIT:
https://postimg.cc/gallery/3ktsLDf |
|
NeddySeagoon Administrator


Joined: 05 Jul 2003 Posts: 55186 Location: 56N 3W
|
Posted: Tue Apr 29, 2025 11:21 am Post subject: |
|
|
alecStewart1,
is a bad thing.
Code: | Oops: invalid opcode: | either means that the kernel was built to use instructions that your CPU is missing or the CPU has tried to execute something that is not code.
The difference between code and data is context.
You use Clang to build your kernel. It would be interesting to see if a gcc:14 kernel does the same thing. Not gcc:15 yet as there are known problems with some kernel and gcc:15. _________________ Regards,
NeddySeagoon
|
pingtoo Veteran


Joined: 10 Sep 2021 Posts: 1642 Location: Richmond Hill, Canada
|
Posted: Tue Apr 29, 2025 12:49 pm Post subject: |
|
|
alecStewart1 wrote: | Alright, I got something from booting in the debugging kernel images. I'll see if I can post the images somehow, but what I see is:
Code: |
Missing ENDBR: 0xfffffffae967fd0
-------------[ cut here ]-------------
kernel BUG at /arch/x86/kernel/cet.c:132!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G T 6.14.3 #2
Tainted: [T]=RANDSTRUCT
// bunch of other memory and register addresses
PKRU: 5555554
Kernel panic - not syncing: Fatal exception in interrupt
|
I'll see if I can upload the images.
EDIT:
https://postimg.cc/gallery/3ktsLDf |
Now we have arrived at the initial goal (having boot messages displayed on screen).
I think what we can address next is verifying whether this is a build issue or a configuration issue. It is a lot easier to verify the build by following Neddy's suggestion to use GCC with no special optimization. If the "GCC" route again produces the same result as the current one (Kernel panic, PKRU:5555554) thingy, then consider it a configuration issue. For configuration, I suggest removing the advanced options in the CachyOS kernel source one by one to test whether anything leads to a successful boot.
Further, I suggest you keep the current setting (all files used in this boot entry, i.e. ESP:/EFI/kernl.efi initrd.efi; these names are just examples), and create a new boot entry with the newly compiled file set (possibly located in a different directory in the ESP) so there is a reference point.
Also, I notice the Clang compiler you used this time is (clang 20.1.3, LLD 20.1.3), which is not yet defined as stable, so that could also be something to test, i.e. switch to clang 19, for example, to test the build.
In the meantime I will continue my path of setting up a VM to test your kernel .config.
[soap opera]
Who would have thought making a VM (X86_64) on a MacBook Pro M2 (MBP) is such a slow operation.
For instance, installing sys-kernel/gentoo-kernel-bin on a Gentoo qcow2 disk requires installing dev-build/cmake
Code: |
gentoo ~ # qlop
2025-04-28T22:01:23 >>> sys-boot/gnu-efi: 2′27″
2025-04-28T22:03:50 >>> app-arch/libarchive: 12′57″
2025-04-28T22:16:47 >>> app-crypt/rhash: 2′24″
2025-04-28T22:19:11 >>> app-crypt/sbsigntools: 3′04″
2025-04-28T22:22:15 >>> dev-libs/jsoncpp: 2′30″
2025-04-28T22:24:45 >>> dev-libs/libuv: 4′23″
2025-04-28T22:29:08 >>> dev-build/cmake: 4:07:16
2025-04-29T02:36:24 >>> dev-util/pahole: 4′06″
2025-04-29T02:40:31 >>> sys-kernel/gentoo-kernel-bin: 30′28″
2025-04-29T03:10:59 >>> virtual/dist-kernel: 1′07″ |
Admittedly the slowness is primarily my own doing, i.e. I did not set up the VM to use multiple cores and am not using binary packages
[/soap opera] |
|
alecStewart1 Apprentice

Joined: 03 Jul 2022 Posts: 240
|
Posted: Tue Apr 29, 2025 9:10 pm Post subject: |
|
|
I think one thing that might cause the MISSING ENDBR issue is:
Code: | KLDFLAGS="-fuse-ld=mold -Wl,-O2 -Wl,--sort-common -Wl,--as-needed -Wl,--strip-debug -Wl,--icf=safe -Wl,-z,rewrite-endbr -flto=thin" |
-z,rewrite-endbr is a mold specific option:
https://github.com/rui314/mold/blob/main/docs/mold.md#mold-specific-options
Quote: |
As a security measure, some CPU instruction sets have recently gained a feature to protect control flow integrity by disallowing indirect branches by default. If the feature is enabled, the instruction that is executed immediately after an indirect branch must be a branch target marker instruction, or a CPU-level fault will raise. The marker instruction is also known as "landing pad" instruction, to which indirect branches can land. This feature makes ROP attacks harder to conduct.
To use the feature, a function whose pointer is taken needs to begin with a landing pad because a function call via a function pointer is compiled to an indirect branch. On the other hand, if a function is called only directly (i.e. referred to only by direct branch instructions), it doesn't have to begin with it.
By default, the compiler always emits a landing pad at the beginning of each global function because it doesn't know whether or not the function's pointer is taken in another translation unit. As a result, the resulting binary has more attack surface than necessary.
If --rewrite-endbr is given, mold conducts a whole program analysis to identify functions whose addresses are actually taken and rewrites landing pads with no-ops for non-address-taken functions, reducing the attack surface.
This feature is currently available only on x86-64.
|
So I should probably not use that option...
I also don't know if --icf=safe really does anything for me here:
Quote: |
It is not uncommon for a program to contain many identical functions that differ only in name. For example, a C++ template std::vector is very likely to be instantiated to the identical code for std::vector<int> and std::vector<unsigned> because the container cares only about the size of the parameter type. Identical Code Folding (ICF) is a size optimization to identify and merge such identical functions.
[ ... ]
--icf=safe is a flag to merge functions only when it is safe to do so. That is, if a program does not take an address of a function, it is safe to merge that function with other function, as you cannot compare a function pointer with something else without taking an address of a function.
--icf=safe needs to be used with a compiler that supports .llvm_addrsig section which contains the information as to what symbols are address-taken. LLVM/Clang supports that section by default. Since GCC does not support it yet, you cannot use --icf=safe with GCC (it doesn't do any harm but can't optimize at all.)
|
For the KCFLAGS I've set:
Code: |
KCFLAGS="-O2 -march=alderlake -pipe -mno-cldemote -mno-kl -mno-sgx -mno-widekl -mshstk -fstack-protector-strong -fomit-frame-pointer -flto=thin -fzero-call-used-regs=used" -j12
|
I would hope -fzero-call-used-regs=unused would work, but maybe not.
If I use the CONFIG_KERNEL_FOR_PERFOMANCE_O3 or whatever the exact option is, I should probably have -O3 and not -O2. How can I make sure that CPU_FLAGS_X86 is looked at when manually building the kernel like this, or does that even matter? |
|
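The mold documentation quoted in the post above describes landing pads being rewritten to no-ops for functions whose address is not taken. As an added example (not code from the thread, from mold or from the kernel), this Python script lists the function symbols of an ELF64 image whose entry does not begin with `endbr64`; the sample image, its symbol names and the 4-byte NOP standing in for a rewritten pad are constructed for illustration.

```python
import struct
import sys
from pathlib import Path

ENDBR64 = b"\xf3\x0f\x1e\xfa"  # encoding of the x86-64 landing pad instruction

def funcs_without_endbr(elf: bytes) -> list[str]:
    """Names of defined FUNC symbols whose entry does not start with endbr64."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("expected a little-endian ELF64 image")
    shoff, shentsize, shnum = struct.unpack_from("<Q10xHH", elf, 0x28)
    secs = []  # (type, addr, file offset, size, link, entsize) per section
    for i in range(shnum):
        _, typ, _, addr, off, size, link, _, _, ent = struct.unpack_from(
            "<IIQQQQIIQQ", elf, shoff + i * shentsize)
        secs.append((typ, addr, off, size, link, ent))
    missing = []
    for _, _, off, size, link, ent in [s for s in secs if s[0] == 2]:  # SHT_SYMTAB
        names = secs[link][2]  # file offset of the linked string table
        for pos in range(off, off + size, ent or 24):
            name, info, _, shndx, value, _ = struct.unpack_from("<IBBHQQ", elf, pos)
            if info & 0xF != 2 or not 0 < shndx < shnum:  # STT_FUNC, defined
                continue
            entry = secs[shndx][2] + value - secs[shndx][1]  # address -> offset
            if elf[entry:entry + 4] != ENDBR64:
                end = elf.index(b"\0", names + name)
                missing.append(elf[names + name:end].decode())
    return missing

def sample_elf() -> bytes:
    """Constructed ELF64: kept_pad starts with endbr64, rewritten_pad with a NOP."""
    text = ENDBR64 + b"\xc3" + b"\x0f\x1f\x40\x00" + b"\xc3"
    strtab = b"\0kept_pad\0rewritten_pad\0"
    symtab = bytes(24) + b"".join(
        struct.pack("<IBBHQQ", name, 0x12, 0, 1, addr, 5)
        for name, addr in ((1, 0x1000), (10, 0x1005)))
    offs = [64, 64 + len(text), 64 + len(text) + len(symtab)]
    shdrs = bytes(64) + b"".join(
        struct.pack("<IIQQQQIIQQ", 0, typ, 0, addr, off, len(data), link, 0, 1, ent)
        for typ, addr, off, data, link, ent in (
            (1, 0x1000, offs[0], text, 0, 0),   # SHT_PROGBITS: code
            (2, 0, offs[1], symtab, 3, 24),     # SHT_SYMTAB, linked to section 3
            (3, 0, offs[2], strtab, 0, 0)))     # SHT_STRTAB
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 2, 62, 1,
                       0, 0, offs[2] + len(strtab), 0, 64, 0, 0, 64, 4, 0)
    return ehdr + text + symtab + strtab + shdrs

if __name__ == "__main__":
    image = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else sample_elf()
    print("\n".join(funcs_without_endbr(image)))
```

Run it with the path to the `vmlinux` in the build tree for one build with and one without `-Wl,-z,rewrite-endbr`, then diff the two lists. Many functions legitimately have no landing pad, so only the difference between the lists is informative.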
pingtoo Veteran


Joined: 10 Sep 2021 Posts: 1642 Location: Richmond Hill, Canada
|
Posted: Wed Apr 30, 2025 12:56 pm Post subject: |
|
|
Don't know what to say, I am not familiar with compiler optimization. |
|
NeddySeagoon Administrator


Joined: 05 Jul 2003 Posts: 55186 Location: 56N 3W
|
Posted: Wed Apr 30, 2025 3:44 pm Post subject: |
|
|
alecStewart1,
Make it work first, then you can discover what breaks it.
If you use KLDFLAGS and friends, you get to keep all the pieces. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|