| View previous topic :: View next topic |
| Author |
Message |
CaptainBlood
Advocate
Joined: 24 Jan 2010
Posts: 3864
|
 Posted: Sat May 11, 2024 4:20 pm Post subject: Lockdown: systemd-logind: hibernation is restricted |
 |
|
Working hibernate experience dating back to 4.19 kernel here, somehow depreciated... 
Title is snippet from dmesg when attempting to hibernate here, e.g. from lxde on old no UEFI, MBR only laptop.
kernel config | Code: | | CONFIG_SECURITY_LOCKDOWN_LSM=y |
seems to be causing the trouble along which | Code: | CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y |
all blindly set here as a security measures.
I'm looking for a simple way to a working hibernate with reduced security downgrade if required.
Possible paths to solution may include (not limited to):
CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y instead. (Asking first instead of trying because kernel build is VERY slow)
kernel command line lsm=...
/etc/group for per user granting...
A bit of context:
openrc along with without-systemd repository overlay here. | Code: | eix elogind
Installed versions: 252.9^t(07:10:55 29/03/2024)(cgroup-hybrid pam policykit -acl -audit -debug -doc -selinux -test) |
No apparmor, selinux, smack, tomoyo configured here.
Any advice, experience or idea to share in this respect?
Thks 4 ur attention, interest & support.[/code]
_________________
USE="-* ..." in /etc/portage/make.conf here, i.e. a countermeasure to portage implicit braces, belt & diaper paradigm
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus. "
Last edited by CaptainBlood on Sat May 11, 2024 4:56 pm; edited 1 time in total |
|
| Back to top |
|
 |
Hu
Administrator
Joined: 06 Mar 2007
Posts: 22672
|
| Posted: Sat May 11, 2024 4:51 pm Post subject: |
|
|
You removed a critical part of the kernel's message: | Code: | | pr_notice_ratelimited("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n" |
Per man kernel_lockdown: | Code: | NOTES
The Kernel Lockdown feature is enabled by CONFIG_SECURITY_LOCKDOWN_LSM.
The lsm=lsm1,...,lsmN command line parameter controls the sequence of
the initialization of Linux Security Modules. It must contain the
string lockdown to enable the Kernel Lockdown feature. |
According to that manual page, removing lockdown from lsm= should suffice. Have you tried that? |
|
| Back to top |
|
|
CaptainBlood
Advocate
Joined: 24 Jan 2010
Posts: 3864
|
| Posted: Sat May 11, 2024 5:01 pm Post subject: |
|
|
I've read that part though...
For some reason very unsure about it's meaning for my use case.
U're giving me confidence to try... Nice.
EDIT: Misread. Initial kernel cmd line has no lsm=.
Thks 4 ur attention, interest & support.
_________________
USE="-* ..." in /etc/portage/make.conf here, i.e. a countermeasure to portage implicit braces, belt & diaper paradigm
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus. " |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Other Things Gentoo
