AZL3: How to remove lockdown kernel parameter in ISO #10746

Open
ankithmr opened this issue Oct 16, 2024 · 5 comments
Labels
question Further information is requested

Comments

@ankithmr

ankithmr commented Oct 16, 2024

I am using the AZL3 ISO and customizing it for our HPE servers. I need to disable the lockdown=integrity parameter in the base ISO.
I tried removing it from grub.cfg, but the OS still comes up with the "lockdown=integrity" parameter. It seems the parameter is coming from somewhere else. Can you please share the correct way to update it in the ISO?

I tried it in the following file:

set timeout=0

# The use of mariner.media=CDROM is a workaround that our installer does not require
# but it is observed to be needed to boot on some hardware/SoCs.
menuentry "Azure Linux" {
    search --label CDROM --set root
    linux /isolinux/vmlinuz root=/dev/ram0 mariner.media=CDROM lockdown=integrity sysctl.kernel.unprivileged_bpf_disabled=1 console=tty0 console=ttyS0,115200n8
    initrd /isolinux/initrd.img
}
@ankithmr ankithmr added the question Further information is requested label Oct 16, 2024
@elsaco

elsaco commented Oct 16, 2024

@ankithmr are you using Secure Boot? From the man page: "On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled if the system boots in EFI Secure Boot mode."

@ankithmr
Author

I checked the bios setting and secure boot is disabled.

"SecureBootStatus": "Disabled"

@zcobol

zcobol commented Oct 17, 2024

If Secure Boot is disabled, removing lockdown=integrity from the boot menu (on startup, or by editing /boot/grub2/grub.cfg) should work:

zcobol@texas:~$ ssh [email protected]
Welcome to Microsoft Azure Linux 3.0 (x86_64)
Last login: Thu Oct 17 17:39:47 2024 from 192.168.124.1
zcobol@august [ ~ ]$ sudo dmesg | grep -i secure
[    0.000000] secureboot: Secure boot disabled
[    0.285800] Loaded X.509 cert 'Microsoft Corporation: Mariner Secure Boot(Production Signing): b42d6b9e2809b7b9097cff9e9b0194b86e80bf95'
zcobol@august [ ~ ]$ cat /proc/cmdline 
BOOT_IMAGE=/boot/vmlinuz-6.6.51.1-5.azl3 root=UUID=b3ee3f09-b879-4633-befa-a2616848d8cf ro selinux=0 rd.auto=1 net.ifnames=0
zcobol@august [ ~ ]$ cat /sys/kernel/security/lockdown 
[none] integrity confidentiality

@ankithmr
Author

Sorry, I probably wasn't clear in my first message. I want to make sure that it is removed in the ISO itself. We use an automated installation process and want to remove it in the ISO.

I already tried removing the parameter from the grub file and recreating the ISO, but it doesn't help.

@zcobol

zcobol commented Oct 18, 2024

@ankithmr you need to build your own ISO image. First modify https://github.com/microsoft/azurelinux/blob/3.0/toolkit/resources/assets/isomaker/iso_root_static_files/boot/grub2/grub.cfg and remove lockdown=integrity, then run make iso and choose the image config you want. There are several options in the toolkit/imageconfigs folder.
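The two questions raised in this thread (is Secure Boot forcing lockdown on, and does the parameter survive somewhere in the ISO other than the one grub.cfg that was edited) can both be checked mechanically. The following POSIX shell helpers are an added example, not code from the thread or from the Azure Linux toolkit. `find_param` lists every file under an extracted ISO root that still carries the parameter, `strip_param` removes it from all of them, and `secure_boot_state` / `lockdown_mode` report what the firmware and the running kernel actually did. The `xorriso` extraction command in the comment is an assumption about how you unpack the ISO; the efivarfs variable path and layout are the standard UEFI `SecureBoot` variable; the sample config files are constructed for the test only.

```shell
#!/bin/sh
# Added example (not part of the Azure Linux project): locate and strip a
# kernel command-line parameter in every boot config of an extracted ISO
# tree, and verify on a booted machine which lockdown mode is in effect.
# Requires GNU grep/sed (sed -i without a suffix).

# List every file under $1 containing the literal parameter $2
# (default lockdown=integrity). Run it on the extracted ISO root, e.g. after
# an assumed `xorriso -osirrox on -indev azl3.iso -extract / isoroot`, to see
# whether the parameter lives in more than one boot config (BIOS grub.cfg,
# isolinux.cfg, an EFI boot image, ...). Nothing listed means nothing left.
find_param() {
    root=$1
    param=${2:-lockdown=integrity}
    grep -rlF -- "$param" "$root" 2>/dev/null | sort
}

# Remove the parameter token (with its leading whitespace) from every file
# find_param reports, editing in place; prints each file that was changed.
# The token is expected to follow a space, as kernel parameters on a
# `linux`/`append` line always do.
strip_param() {
    root=$1
    param=${2:-lockdown=integrity}
    # Escape ERE metacharacters so the parameter is matched literally.
    esc=$(printf '%s' "$param" | sed 's/[][\.*^$+?(){}|\/]/\\&/g')
    find_param "$root" "$param" | while IFS= read -r f; do
        sed -E -i "s/[[:space:]]+${esc}([[:space:]]|$)/\1/g" "$f"
        echo "$f"
    done
}

# Firmware view: read the UEFI SecureBoot variable through efivarfs.
# efivarfs prefixes the 4-byte attribute word, so the flag is the 5th byte.
secure_boot_state() {
    var=${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}
    if [ ! -r "$var" ]; then
        echo "not-efi-or-unreadable"
        return 1
    fi
    case $(od -An -tu1 -j4 -N1 "$var" | tr -d ' ') in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Kernel view: the bracketed entry in /sys/kernel/security/lockdown is the
# active mode, e.g. "[none] integrity confidentiality" -> none.
lockdown_mode() {
    f=${1:-/sys/kernel/security/lockdown}
    if [ ! -r "$f" ]; then
        echo "unknown"
        return 1
    fi
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f"
}

# Convenience report for a booted system: if Secure Boot is enabled, the
# kernel enforces lockdown regardless of the command line, so removing the
# parameter from the ISO is not enough on such hosts.
report_lockdown() {
    echo "cmdline:     $(cat /proc/cmdline 2>/dev/null)"
    echo "secure boot: $(secure_boot_state || true)"
    echo "lockdown:    $(lockdown_mode || true)"
}

# Usage: ./lockdown-check.sh            -> report on the running system
#        ./lockdown-check.sh isoroot    -> list files in the tree carrying it
#        ./lockdown-check.sh isoroot -s -> strip it from all of them
if [ "$#" -gt 0 ]; then
    if [ "${2:-}" = "-s" ]; then
        strip_param "$1"
    else
        find_param "$1"
    fi
elif [ -r /proc/cmdline ]; then
    report_lockdown
fi
```

Run `find_param` again after rebuilding and re-extracting the ISO: if it still reports a file, that file (not the grub.cfg you edited) is the source of the parameter, which is exactly the symptom described above.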
