[SOLVED] Secureboot + Kernel Lockdown = No boot condition after kernel upgrade

ctrlspace

New Member
Jan 27, 2020
Hey guys,

One of my servers recently upgraded to 5.4.44* which appears to follow the convention many other distros have chosen, enforcing kernel lockdown mode when secureboot is enabled. Secureboot is critical to our security posture for protecting our servers against evil maid attacks and disabling it is an untenable solution.

On my Debian system I've been running with secureboot enabled and lockdown enforcing for months without issue, however it appears that a stock Proxmox install has kernel taint/unsigned modules which causes significant issues when lockdown is enforced as the current kernel does.

These are production systems, please disable enabling kernel lockdown by default in the pve kernel until the system can be booted without throwing these errors.

Happy to provide additional details. Reverting my systems to 5.3 resolved this issue as that version appears to not have the kernel lockdown feature.

Regards!
 
Just confirming that the latest pve-kernel package DOES include the fix and I have tested it.

Fixed version is pve-kernel-5.4.44-2 and appears to be available in both the no-sub and enterprise repos. The only "broken" package version is pve-kernel-5.4.44-1. Anything prior didn't have the issue.
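A pre-reboot check along the lines of what this thread describes, added here as an example script (not code from the thread or from Proxmox): it reports Secure Boot state, the active lockdown mode, the kernel taint flags, and the loaded modules whose per-module taint marks them out-of-tree or unsigned, i.e. the ones a lockdown-enforcing kernel will refuse to load. It assumes a Linux host with the standard sysfs/procfs paths and `mokutil`; the parsing helpers take their input as arguments so they can be exercised on constructed data.

```shell
#!/bin/sh
# Added example: audit a Secure Boot host before booting a kernel that enforces
# lockdown, so tainted/unsigned modules are found while the old kernel runs.

# Extract the active mode from /sys/kernel/security/lockdown, whose content
# looks like "none [integrity] confidentiality".
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# Translate the /proc/sys/kernel/tainted bits that bear on lockdown into the
# flag letters used by Documentation/admin-guide/tainted-kernels.rst:
#   bit 0  (1)    P proprietary module     bit 12 (4096) O out-of-tree module
#   bit 1  (2)    F module force-loaded    bit 13 (8192) E unsigned module
taint_flags() {
    n=$1; out=""
    [ $((n & 1)) -ne 0 ]    && out="${out}P"
    [ $((n & 2)) -ne 0 ]    && out="${out}F"
    [ $((n & 4096)) -ne 0 ] && out="${out}O"
    [ $((n & 8192)) -ne 0 ] && out="${out}E"
    printf '%s\n' "$out"
}

# List loaded modules whose /sys/module/<name>/taint carries O or E.
unsigned_modules() {
    for t in /sys/module/*/taint; do
        [ -r "$t" ] || continue
        case "$(cat "$t")" in
            *[OE]*) basename "$(dirname "$t")" ;;
        esac
    done
}

main() {
    echo "Secure Boot: $(mokutil --sb-state 2>/dev/null || echo unknown)"
    [ -r /sys/kernel/security/lockdown ] && \
        echo "Lockdown mode: $(lockdown_mode "$(cat /sys/kernel/security/lockdown)")"
    [ -r /proc/sys/kernel/tainted ] && \
        echo "Taint flags: $(taint_flags "$(cat /proc/sys/kernel/tainted)")"
    bad=$(unsigned_modules)
    if [ -n "$bad" ]; then
        echo "Modules a lockdown-enforcing kernel will reject:"; echo "$bad"
        return 1
    fi
    echo "No out-of-tree/unsigned modules loaded"
}

main "$@"
```

A non-zero exit means the host is in the state this thread describes and needs its modules signed (or removed) before the new kernel is booted with Secure Boot on.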
 
