Comment 7 for bug 1851056

Valtteri Vainikka (vrln) wrote :

> these messages actually come from the kernel, I believe they are expected (maybe only in secure boot mode, I haven't looked into the new 'lockdown' stuff yet). The lack of 'kernel_lockdown' manpage appears to be already reported in bug 1767971.

This PC is indeed using secure boot. Here are the relevant lockdown messages when using the updated systemd package from your repository:

[ 0.000000] Kernel is locked down from EFI secure boot; see man kernel_lockdown.7
[ 0.595817] Lockdown: swapper/0: Hibernation is restricted; see man kernel_lockdown.7
[ 1.904409] Lockdown: systemd: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
[ 1.907029] Lockdown: systemd: BPF is restricted; see man kernel_lockdown.7
[ 3.768797] Lockdown: Xorg: ioperm is restricted; see man kernel_lockdown.7

I did a bunch of searches on this and while I'm far from an expert, they seemed to confirm your mention that they are most likely to be expected (my interpretation of the search results: this lockdown system is meant to be automatically enabled in modern kernel versions at least when booting with secure boot). These exact same lockdown messages regarding systemd are also there on a fully updated Fedora 31, which I dual boot on this same PC.

> Hmm, that probably needs a further look...

Not sure if this is of any use, but there is also a "local system does not support BPF/cgroup firewalling." systemd message on the just released Fedora 31, although it refers to a different .slice. Both distributions note that BPF is restricted by the secure boot induced lockdown. Here are the logs:

#Ubuntu 19.10 with updated systemd from PPA
[ 0.000000] Kernel is locked down from EFI secure boot; see man kernel_lockdown.7
#Some other stuff in between
[ 1.907029] Lockdown: systemd: BPF is restricted; see man kernel_lockdown.7
#Some other stuff in between
[ 1.982629] systemd[1]: system-systemd\x2dfsck.slice: unit configures an IP firewall, but the local system does not support BPF/cgroup firewalling.

#Fedora 31 with testing updates enabled
[ 0.000000] Kernel is locked down from EFI secure boot; see man kernel_lockdown.7
#Some other stuff in between
[ 1.289561] Lockdown: systemd: BPF is restricted; see man kernel_lockdown.7
#some other stuff in between
[ 1.317449] systemd[1]: system-systemd\x2dhibernate\x2dresume.slice: unit configures an IP firewall, but the local system does not support BPF/cgroup firewalling.

> great; thnx!

No problem, reporting it was the least I could do. Thanks a lot for finding a fix for it and the swift replies in general! While the firewall actually worked fine it was a fairly scary looking warning. As for the new bug report, let me know if/when you want me to file it.
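The messages quoted in this comment form a chain: the kernel reports that it is locked down because of EFI secure boot, it then refuses BPF to PID 1, and systemd afterwards warns that a unit's IP firewall settings cannot be applied. The script below is an added example, not code from the bug thread, systemd or the kernel. It parses dmesg-style lines like the ones above, lists what lockdown restricted for each process, and reports which BPF/cgroup firewall warnings are explained by a preceding BPF restriction (so they are expected on a secure boot machine) versus ones that need a separate look. The sample log is constructed from the lines quoted in this comment; the `parse_lockdown_mode` helper assumes the `none [integrity] confidentiality` format of `/sys/kernel/security/lockdown` on kernels that ship the lockdown LSM.

```python
"""Correlate kernel lockdown messages with systemd's BPF/cgroup firewall warning.

Added example: parses dmesg-style lines and reports which units' IP firewall
settings are ineffective because the kernel refused BPF to systemd.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the relevant lines quoted in the bug comment, padded the
# way dmesg prints its timestamps.
SAMPLE_LOG = "\n".join([
    r"[    0.000000] Kernel is locked down from EFI secure boot; see man kernel_lockdown.7",
    r"[    0.595817] Lockdown: swapper/0: Hibernation is restricted; see man kernel_lockdown.7",
    r"[    1.904409] Lockdown: systemd: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7",
    r"[    1.907029] Lockdown: systemd: BPF is restricted; see man kernel_lockdown.7",
    r"[    1.982629] systemd[1]: system-systemd\x2dfsck.slice: unit configures an IP firewall, but the local system does not support BPF/cgroup firewalling.",
    r"[    3.768797] Lockdown: Xorg: ioperm is restricted; see man kernel_lockdown.7",
])

TS = r"^\[\s*(?P<ts>\d+\.\d+)\]\s+"
LOCKED_RE = re.compile(TS + r"Kernel is locked down from (?P<reason>.+?);")
RESTRICT_RE = re.compile(TS + r"Lockdown: (?P<comm>[^:]+): (?P<what>.+?) is restricted")
FIREWALL_RE = re.compile(TS + r"systemd\[1\]: (?P<unit>\S+): unit configures an IP firewall, "
                         r"but the local system does not support BPF/cgroup firewalling")


def unescape_unit(name: str) -> str:
    """Undo systemd's \\xNN escaping of unit names (e.g. \\x2d -> '-')."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), name)


@dataclass
class LockdownReport:
    locked_down_reason: Optional[str] = None
    restrictions: list = field(default_factory=list)       # (ts, comm, what)
    firewall_warnings: list = field(default_factory=list)  # (ts, unit)

    def restricted_for(self, comm: str) -> set:
        """Everything lockdown refused to the given process name."""
        return {what for _, c, what in self.restrictions if c == comm}

    def explained_firewall_warnings(self) -> list:
        """Units whose warning follows the kernel refusing BPF to systemd.

        These are the expected secure boot case. A warning with no preceding
        BPF restriction points at something else (e.g. a kernel without cgroup
        BPF support) and deserves a separate look."""
        bpf_ts = [ts for ts, c, what in self.restrictions if c == "systemd" and what == "BPF"]
        return [unit for ts, unit in self.firewall_warnings if any(t <= ts for t in bpf_ts)]

    def unexplained_firewall_warnings(self) -> list:
        explained = set(self.explained_firewall_warnings())
        return [unit for _, unit in self.firewall_warnings if unit not in explained]


def analyze(log_text: str) -> LockdownReport:
    """Walk the log once and collect lockdown state and firewall warnings."""
    report = LockdownReport()
    for line in log_text.splitlines():
        if m := LOCKED_RE.match(line):
            report.locked_down_reason = m["reason"]
        elif m := RESTRICT_RE.match(line):
            report.restrictions.append((float(m["ts"]), m["comm"], m["what"]))
        elif m := FIREWALL_RE.match(line):
            report.firewall_warnings.append((float(m["ts"]), unescape_unit(m["unit"])))
    return report


def parse_lockdown_mode(sysfs_text: str) -> str:
    """Return the active mode from /sys/kernel/security/lockdown.

    Assumed format: 'none [integrity] confidentiality', the bracketed word
    being the active mode (kernels with the lockdown LSM)."""
    m = re.search(r"\[(\w+)\]", sysfs_text)
    return m.group(1) if m else "unknown"


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print("locked down from:", r.locked_down_reason)
    for comm in sorted({c for _, c, _ in r.restrictions}):
        print(f"  {comm}: {', '.join(sorted(r.restricted_for(comm)))}")
    print("firewall warnings explained by BPF lockdown:", r.explained_firewall_warnings())
    print("unexplained firewall warnings:", r.unexplained_firewall_warnings())
```

Feed it `dmesg` or `journalctl -k -b` output to get the same classification for a live machine; on a secure boot host every BPF/cgroup firewall warning should land in the "explained" list, and anything in the "unexplained" list is the case that the fix discussed in this bug does not cover.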