XanMod Kernel

(04-11-2018, 10:17 PM)CybDex Wrote: Sounds rather violent for a patch name.. cos I don't want the kernel to HAVE to have signed modules :)

Wanna post the patch for me to take a quick look? (Tomorrow.. cos I'm beat atm...)

https://deb.xanmod.org/experimental/efi-...n/patches/
https://www.fsfla.org/svn/fsfla/software...nt/master/
Reply

An example of why bbr+cake should be tested for concurrent loss-based flows, like qBitTorrent:
Code:
4 persons connected, combination, mean speed, max. speed peak:
- scenario 1, bbr+fq_codel, 2.91 Mbps, 3.36 Mbps
- scenario 2, bbr+cake, 2.49 Mbps, 3.44 Mbps
- scenario 3, cubic+fq_codel, 2.89 Mbps, 3.32 Mbps
- scenario 4, cubic+cake, 2.66 Mbps, 3.28 Mbps
* This is only an example, no major conclusions can be obtained, thanks Roberto.
"(...) the grandest occasion the past or present has seen, or the future can hope to see." -- Cervantes.
Reply

(05-11-2018, 04:57 PM)tropic Wrote: An example of why bbr+cake should be tested for concurrent loss-based flows, like qBitTorrent:
Code:
4 persons connected, combination, mean speed, max. speed peak:
- scenario 1, bbr+fq_codel, 2.91 Mbps, 3.36 Mbps
- scenario 2, bbr+cake, 2.49 Mbps, 3.44 Mbps
- scenario 3, cubic+fq_codel, 2.89 Mbps, 3.32 Mbps
- scenario 4, cubic+cake, 2.66 Mbps, 3.28 Mbps
* This is only an example, no major conclusions can be obtained, thanks Roberto.

In iperf3, with 100 simultaneous TCP connections, Wi-Fi at full 300 Mbps with 90% signal, cake: +~15% Mbps w/ less latency with the same resource use. In the real world, on an internal network: (-) latency and (+) responsiveness (server w/ bbr+cake and client w/ cubic+pfifo_fast). Well, I'm not advocating the new qdisc. A fair test is server/router w/ cake. Another reason: fq_codel, judging by development activity, has not received any more implementations.

The user chooses the qdisc that best suits him. By default I will keep cake, as it has the most active development.
Reply

(04-11-2018, 11:32 PM)Alexandre Frade Wrote: https://deb.xanmod.org/experimental/efi-...n/patches/
https://www.fsfla.org/svn/fsfla/software...nt/master/

Thanks :) I don't believe I would need a full "efi-lockdown" patch, cos I don't really want to DO that.. I just want to get rid of the pesky message that the kernel module supposedly is not signed by a trusted key. It seems as if those are meant to actually get a full-blown "lockdown" kernel, no?

I found this: https://lkml.org/lkml/2018/10/23/105
Sounded very promising by the looks of it, cos when you import your own MOK keys with "mokutil", they get put in the secondary_trusted_key store.. (I would think).

No such luck.

DKMS signs modules if you have the "shim-signed" package. The MOK keys are put in
Code:
/var/lib/shim-signed/mok/MOK.priv and /var/lib/shim-signed/mok/MOK.der
Added this MOK cert with mokutil (although I would think that to be totally unnecessary), but to no avail.

AFAIK I think there is a discrepancy in where (or how) the 4.18 + 4.19 kernels read the "trusted" keys vs. previous kernels.

Add the DKMS MOK certificates like this:
Code:
sudo mokutil --import /var/lib/shim-signed/mok/MOK.der
Set a password, reboot and import the MOK.
Module created for kernel 4.15.0-38-generic with dkms:
Code:
[    3.384191] nvidia: loading out-of-tree module taints kernel.
[    3.384194] nvidia: module license 'NVIDIA' taints kernel.
[    3.384195] Disabling lock debugging due to kernel taint
[    3.391653] intel_rapl: Found RAPL domain package
[    3.391654] intel_rapl: Found RAPL domain core
[    3.391655] intel_rapl: Found RAPL domain dram
[    3.391860] nvidia-nvlink: Nvlink Core is being initialized, major device number 235
[    3.392207] nvidia 0000:01:00.0: vgaarb: changed VGA decodes: olddecodes=io+mem,decodes=none:owns=io+mem
[    3.392266] NVRM: loading NVIDIA UNIX x86_64 Kernel Module  396.54.09  Thu Oct 11 21:43:28 PDT 2018 (using threaded interrupts)
[    3.397183] usb 3-1: set resolution quirk: cval->res = 384
[    3.397331] usbcore: registered new interface driver snd-usb-audio
[    3.398112] nvidia-modeset: Loading NVIDIA Kernel Mode Setting Driver for UNIX platforms  396.54.09  Fri Oct 12 01:14:08 PDT 2018
[    3.399482] [drm] [nvidia-drm] [GPU ID 0x00000100] Loading driver
[    3.399483] [drm] Initialized nvidia-drm 0.0.0 20160202 for 0000:01:00.0 on minor 0
Reboot to the 4.19.1 kernel with the same dkms-created modules (AND the same certificate, obviously):
Code:
[    3.447448] PKCS#7 signature not signed with a trusted key
[    3.447452] fbcon: Taking over console
[    3.447502] Console: switching to colour frame buffer device 128x48
[    3.447549] nvidia: loading out-of-tree module taints kernel.
[    3.447558] nvidia: module license 'NVIDIA' taints kernel.
[    3.447581] Disabling lock debugging due to kernel taint
[    3.451654] nvidia: module verification failed: signature and/or required key missing - tainting kernel
[    3.459231] nvidia-nvlink: Nvlink Core is being initialized, major device number 234
[    3.459424] nvidia 0000:01:00.0: vgaarb: changed VGA decodes: olddecodes=io+mem,decodes=none:owns=io+mem
[    3.459469] NVRM: loading NVIDIA UNIX x86_64 Kernel Module  396.54.09  Thu Oct 11 21:43:28 PDT 2018 (using threaded interrupts)
[    3.463956] PKCS#7 signature not signed with a trusted key
[    3.464810] nvidia-modeset: Loading NVIDIA Kernel Mode Setting Driver for UNIX platforms  396.54.09  Fri Oct 12 01:14:08 PDT 2018
[    3.465277] PKCS#7 signature not signed with a trusted key
[    3.466062] [drm] [nvidia-drm] [GPU ID 0x00000100] Loading driver
[    3.466063] [drm] Initialized nvidia-drm 0.0.0 20160202 for 0000:01:00.0 on minor 0

Have not tested with the 4.18 kernel, but from what I gather of people's problems with this, I would think this also happens with 4.18 tbh. I just did not really notice it until I decided it would be a super feature to have my motherboard logo displayed when booting (as I described in an earlier post).
Reply

Quote:In iperf3, with 100 simultaneous TCP connections, Wi-Fi at full 300 Mbps with 90% signal, cake: +~15% Mbps w/ less latency with the same resource use. In the real world, on an internal network: (-) latency and (+) responsiveness (server w/ bbr+cake and client w/ cubic+pfifo_fast). Well, I'm not advocating the new qdisc. A fair test is server/router w/ cake. Another reason: fq_codel, judging by development activity, has not received any more implementations. The user chooses the qdisc that best suits him. By default I will keep cake, as it has the most active development.

+1
"(...) the grandest occasion the past or present has seen, or the future can hope to see." -- Cervantes.
Reply

CybDex, 2nd Round:
https://deb.xanmod.org/experimental/uefi-sb+lockdown/
Reply

(05-11-2018, 08:50 PM)Alexandre Frade Wrote: CybDex, 2nd Round:
https://deb.xanmod.org/experimental/uefi-sb+lockdown/

Thanks a LOT for your help with this Alexandre :)

Ended up using the first 5 patches (000-005), and skipping the efi-lockdown patches for my own hack-compile-

I did not attempt to test a full "BIOS secure boot" with 4.19.1-xanmod2_2, as I guess this would mean importing the certs to my system EFI... or something of that nature... even though the Ubuntu 18.04 kernel 4.15.0-38-generic actually lists secure boot as enabled when I enable "secure boot" in the motherboard EFI BIOS.
Quote:[    0.000000] Secure boot enabled and kernel locked down
vs. 4.19.1-xanmod2_2:
Quote:[    0.000000] secureboot: Secure boot could not be determined (mode 0)

I might experiment with it some more using this patchset, but for now the kernel module signing bug that I think came with 4.18 is solved, as long as you import the /var/lib/shim-signed/mok/MOK.der cert to your EFI shim using:
Code:
sudo mokutil --import /var/lib/shim-signed/mok/MOK.der
, then reboot and complete the MOK import (at least for Ubuntu). That way, when dkms signs kernel modules (e.g. nVidia), they get "approved".
If you use custom drivers that don't use dkms - e.g. VirtualBox installed manually - you have to sign the modules yourself if you use the EFI lockdown patchset and enable "CONFIG_LOCK_DOWN_KERNEL=y". If you don't enable this, the modules still load with a "taint" message. They did NOT load with 4.19.1-xanmod2_2 before I signed them manually.

If you (or me.. or others) wanna experiment with it, I guess it could be a nice feature to provide a "secure boot" xanmod kernel? I kinda think Canonical uses some "official" certificates to sign their kernels for Ubuntu, so if a package is to be made to be installed, it would need:
1. a recipe to add the EFI bootloader MOK certificate
2. your own certificate that doesn't change between releases

Just theory for my part, as I don't really know too much about this. But I know people that dual-boot win10 and Ubuntu struggle with custom kernels cos they have to disable secure boot.... and that is something the win10 install is not too keen on :) (You can disable Ubuntu secure boot with "sudo mokutil --disable-validation", and still have secure boot enabled in the BIOS tho..)
Reply

I will look at it calmly at the end of the year to test with a Secure Boot-locked UEFI motherboard (without CSM). Ty CybDex.
Reply

Works really well with dkms as well tbh.
If you need to sign non-dkms kernel modules like the VirtualBox ones, you can:
Code:
#!/bin/bash

# Cache sudo credentials up front so the loop does not prompt once per module.
sudo -v

echo "Signing the following VirtualBox drivers"

# Sign every out-of-tree module under misc/ with the MOK key pair that shim-signed
# created for DKMS, using the sign-file helper shipped with the running kernel's headers.
for filename in /lib/modules/$(uname -r)/misc/*.ko; do
    sudo "/usr/src/linux-headers-$(uname -r)/scripts/sign-file" sha256 \
        /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der "$filename"

    echo "$filename"
done
You need to be booted with the current kernel + remember to do a
Code:
sudo update-initramfs -u
after this, and voilà, the VirtualBox modules are signed as well :)
(At least it gets rid of any pesky messages, cos I know it's still not running "Secure boot" until it's enabled all the way).
Reply
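The two posts above describe the same workflow: DKMS (or the script) signs a .ko with the shim-signed MOK pair, and a module that lacks that signature trips "module verification failed" / "PKCS#7 signature not signed with a trusted key" on 4.19. The added script below (not from the thread) checks for the appended signature trailer offline, so you can see which modules still need signing before rebooting, and signs only those. It assumes the MOK paths and the sign-file location the thread posted, and the kernel's struct module_signature trailer format; run the signing part as root.

```shell
#!/bin/sh
# Added example, not a script from the thread: report whether a .ko already carries
# the appended module signature that sign-file produces, then sign only the
# unsigned ones with the shim-signed MOK pair. Run the signing part as root.
#
# Trailer appended by sign-file: the kernel's struct module_signature (12 bytes)
# followed by a 28-byte magic string:
#   algo hash id_type signer_len key_id_len pad[3] sig_len(4 bytes, big-endian)
#   "~Module signature appended~\n"
# id_type 2 means PKCS#7, the format named in the "PKCS#7 signature not signed
# with a trusted key" message quoted in the thread.
MAGIC='~Module signature appended~'

# Prints "unsigned" (exit 1) or "signed id_type=<n> sig_len=<bytes>" (exit 0) for $1.
module_sig_info() {
    f=$1
    # The last 28 bytes are the magic plus a newline, which $( ) strips.
    if [ "$(tail -c 28 "$f")" != "$MAGIC" ]; then
        echo "unsigned"
        return 1
    fi
    # The 12-byte struct sits right before the magic; od prints one decimal per byte.
    set -- $(tail -c 40 "$f" | head -c 12 | od -An -tu1)
    [ $# -eq 12 ] || { echo "truncated trailer"; return 1; }
    id_type=$3
    sig_len=$(( ($9 << 24) | (${10} << 16) | (${11} << 8) | ${12} ))
    echo "signed id_type=$id_type sig_len=$sig_len"
}

# Sign every unsigned .ko in directory $1 with the MOK key pair that shim-signed
# creates for DKMS (paths as posted in the thread; assumed to exist on the host).
sign_unsigned_modules() {
    mok=/var/lib/shim-signed/mok
    signfile="/usr/src/linux-headers-$(uname -r)/scripts/sign-file"
    for ko in "$1"/*.ko; do
        [ -e "$ko" ] || continue
        if module_sig_info "$ko" >/dev/null; then
            echo "already signed: $ko"
            continue
        fi
        "$signfile" sha256 "$mok/MOK.priv" "$mok/MOK.der" "$ko" && echo "signed: $ko"
    done
}

# Usage: ./modsig.sh /lib/modules/$(uname -r)/misc
if [ $# -eq 1 ] && [ -d "$1" ]; then
    sign_unsigned_modules "$1"
fi
```

Remember the update-initramfs step from the post above afterwards, since the initramfs carries its own copy of any module it includes.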

Quote:233b9d7df0e1 x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation

Is some serious piece of crud... :( At least in its current form...
Reply

http://lkml.iu.edu/hypermail/linux/kerne...04610.html

Not included in 4.19.3 tho, so 4.19.2 and 4.19.3 have the current form of the "STIBP" patch included, and possibly a huge hampering of performance.

https://www.phoronix.com/scan.php?page=article&item=linux-420-stibp&num=1

EDIT:
Or do as proposed perhaps?
https://lkml.org/lkml/2018/11/22/283

Patch:

Code:
arch/x86/kernel/cpu/bugs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index c37e66e..21a8f39 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -331,7 +331,7 @@
        if (!boot_cpu_has(X86_FEATURE_STIBP))
                return false;

-       return true;
+       return false;
 }

 static void update_stibp_msr(void *info)
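Review bot: after this change both return statements in the hunk yield `false`, so the `if (!boot_cpu_has(X86_FEATURE_STIBP)) return false;` guard just above becomes dead code and the function is a hard-coded `return false;`. If the intent is to switch STIBP off unconditionally as a stopgap for the performance regression discussed in the thread, either drop the now-redundant feature check so the intent is obvious, or keep the check and gate the final return on a boot-time option so the mitigation can be re-enabled without rebuilding; a one-line comment stating why it is disabled would also help whoever revisits this when the upstream rework lands.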
--
2.9.4
Reply

STIBP update for the upcoming 4.19.4 (rc1?) it seems:
https://lkml.org/lkml/2018/11/22/55

Meaning it will probably be reverted completely for 4.19.4 until a better patchset improves performance, I guess.

Might not patch cleanly as it's posted on 4.19.3, but will check that later tonight :)
Reply

Where can I configure any setup like the RTT time in cake?

https://dl.lochnair.net/Bufferbloat/Cake/tc-cake.8.html
Reply
