Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cannot import ec_sys anymore after upgrade to Ubuntu Kinetic Kudu #265

Open
jirislav opened this issue Oct 22, 2022 · 1 comment
Open

Cannot import ec_sys anymore after upgrade to Ubuntu Kinetic Kudu #265

jirislav opened this issue Oct 22, 2022 · 1 comment

Comments

@jirislav
Copy link

jirislav commented Oct 22, 2022

Hi,

I've decided to share my problem and a possible solution to this issue described above.

What's the problem

$ sudo systemctl status isw@<TAB>

FileNotFoundError: [Errno 2] No such file or directory: '/sys/kernel/debug/ec/ec0/io'
$ sudo modprobe ec_sys
modprobe: ERROR: could not insert 'ec_sys': Operation not permitted
$ sudo dmesg | grep -B1 ec_sys
[   14.628156] Lockdown: systemd-modules: unsafe module parameters is restricted; see man kernel_lockdown.7
[   14.628578] ec_sys: `1' invalid for parameter `write_support'
$ man kernel_lockdown.7
The  Kernel  Lockdown feature is designed to prevent both direct and indirect
access to a running kernel image, attempting to protect against unauthorized
modification of the kernel image and to prevent access to security and cryptographic
data located in kernel memory, whilst still permitting driver modules to be loaded.

Research

After some research, I've found out that disabling Secure Boot from BIOS could be an option. That's not what I like (but you might be OK with it).

What seems to be a good solution for me is to use this module: https://github.com/MusiKid/acpi_ec

  • it simply creates /dev/ec file socket
  • the code's quite clean and straightforward

Installation procedure

  • look at the releases page for the latest version
  • download .deb and install (which didn't work for me) or install manually from source code (which did work)

Example deb installation:

cd /opt
sudo wget https://github.com/musikid/acpi_ec/releases/download/v1.0.2/acpi-ec_1.0.2_all.deb
sudo dpkg -i acpi-ec_1.0.2_all.deb # Didn't work for me ..
sudo reboot

Example source-code installation:

sudo -i
cd /opt
git clone https://github.com/musikid/acpi_ec.git
cd acpi_ec
# Make sure your env is clean
./uninstall.sh &>/dev/null
apt remove -y acpi-ec 2>/dev/null
# Perform installation
./install.sh
# In my case, I needed to run the keys-setup.sh
scripts/keys-setup.sh
reboot

# In grub, enroll the MOK using the password you chose
# Then, run the signing procedure
sudo /usr/src/linux-headers-5.19.0-21-generic/scripts/sign-file sha512 /opt/scripts/mok.priv  /opt/scripts/mok.der /var/lib/dkms/acpi_ec/v1.0.2/5.19.0-21-generic/x86_64/module/acpi_ec.ko
sudo /usr/src/linux-headers-5.19.0-21-generic/scripts/sign-file sha512 /opt/scripts/mok.priv  /opt/scripts/mok.der /usr/lib/modules/5.19.0-21-generic/updates/dkms/acpi_ec.ko
sudo reboot

After reboot, verify you can see the /dev/ec socket. If so, you have two options:

  • edit the /usr/bin/isw python script to point there
  • create symlink from the expected path to point there
    • I'm unsure it would survive in /sys/kernel/debug after reboot, slight modification of isw systemd file could be an option

It works for me 🎉 :

image

Cleanup

Don't forget to clean-up your setup:

  • remove /etc/modules-load.d/isw-ec_sys.conf file (which tries to import broken ec_sys module)
    • you might have it in /etc/modules-load.d/modules.conf (then just remove the line)
  • remove ec_sys.write_support=1 from /etc/default/grub and run update-grub2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants