Hello dear arch users, I have finally decided to give up trying to reason with ChatGPT and am here to ask real humans.
So, I recently installed Arch on my main Desktop PC with a weird partition layout because I am trying to dual boot Arch and Windows, which I sadly need for some work things.
I want to use Secure Boot and got as far as installing Arch successfully alongside my Windows install, both on /dev/sda, with my root and home encrypted via LUKS.
I then used
sbctl create-keys
to generate my Secure Boot keys, which successfully generated the keys and has since been successfully signing everything every time I get a kernel update. So far, so good.
I then tried to do
sbctl enroll-keys
, which got me:
"
‼ File is immutable: /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c
‼ File is immutable: /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
‼ File is immutable: /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
You need to chattr -i files in efivars
"
Okay, that is weird, but I didn't know how to proceed and ChatGPT told me to just chattr -i the files, so I tried that, which got me:
"chattr: Operation not supported while reading flags on /sys/firmware/efi/efivars"
After telling that to ChatGPT, it told me to check if I was sure Secure Boot was off in my BIOS. I had checked multiple times and it was off.
It then told me to check if kernel lockdown mode is on, which I did:
sudo dmesg | grep -i 'lockdown'
The output was: "LSM: initializing lsm=capability,landlock,lockdown,yama,bpf"
So, yes, kernel lockdown is on. Okay, so I asked it how to turn it off. It told me to edit my arch-zen.conf and to add "lockdown=none" in the options, so I did. My "/boot/loader/entries/arch-zen.conf" now looks like this:
"
title Zen
linux /vmlinuz-linux-zen
initrd /intel-ucode.img
initrd /initramfs-linux-zen.img
options cryptdevice=UUID=2776e400-f227-4a32-9090-61a586386c13:cryptroot root=/dev/mapper/cryptroot rw quiet splash nvidia_drm.modeset=1 lockdown=none
"
After this, I rebooted and ran
dmesg | grep -i 'lockdown'
again, the output of which was:
"
[    0.000000] Command line: initrd=\intel-ucode.img initrd=\initramfs-linux-zen.img cryptdevice=UUID=2776e400-f227-4a32-9090-61a586386c13:cryptroot root=/dev/mapper/cryptroot rw quiet splash nvidia_drm.modeset=1 lockdown=off
[ 0.000000] Malformed early option 'lockdown'
[ 0.046920] Kernel command line: initrd=\intel-ucode.img initrd=\initramfs-linux-zen.img cryptdevice=UUID=2776e400-f227-4a32-9090-61a586386c13:cryptroot root=/dev/mapper/cryptroot rw quiet splash nvidia_drm.modeset=1 lockdown=off
[ 0.170221] LSM: initializing lsm=capability,landlock,lockdown,yama,bpf
"
So, kernel lockdown mode is still on.
I then verified that SecureBoot is off and in SetupMode:
od -An -t u1 -j4 -N1 /sys/firmware/efi/efivars/SecureBoot-*
got me "0", so SecureBoot is off.
od -An -t u1 -j4 -N1 /sys/firmware/efi/efivars/SetupMode-*
got me "1", so SetupMode is on.
At this point, I had no idea what was going on and why kernel lockdown was being forced, so I rebooted into BIOS and checked again that SecureBoot really is off. It's an MSI motherboard; SecureBoot itself is off and the mode is set to "Custom", which is MSI's mode that allows for enrolling your own keys, etc. (basically modifying SecureBoot keys as you wish).
I have no idea how to proceed from here and it's honestly been a rollercoaster ride for me because this is the first time I installed arch without archinstall.
Some further information that may be useful:
My root is cryptroot because I encrypted /dev/sda6 with luks.
My home is crypthome because I encrypted /dev/sda7 with luks.
/dev/sda5 is /boot.
/dev/sda8 is swap.
Windows EFI is on /dev/sda1
/dev/sda2 is listed by cfdisk as "Microsoft reserved"
Windows main filesystem exists on /dev/sda3
Windows Recovery Environment exists on /dev/sda4
I regretfully need nvidia-drm to be on because my graphics card doesn't work otherwise.
I, for reasons I don't remember myself, currently use arch-zen and arch-hardened, but not normal arch. I just never needed normal arch on my last arch install done via archinstall.
Please help and please keep instructions easy to understand as I have no idea what I am doing.
Thanks a lot in advance
~ V
Edit: Adjusted codeblocks from using Markdown syntax to using BBCode syntax (hopefully they look better now)
Last edited by cautiouscauliflower (2025-01-16 14:57:52)
Stop listening to ShitGPT for anything linux related, it will only make matters worse. That message you identified is completely normal and absolutely not indicative of lockdown being enabled --- and it isn't going to be without you knowingly doing that.
Things getting blocked on an efivars level is much more likely to be UEFI-related, and in this case your UEFI probably saved your ass, because sbctl enroll-keys without the -m option will try to wipe Microsoft's keys, which is not something you want to do on a dual boot and is highly discouraged. What happens if you enroll-keys with the -m option?
Hey V1del,
getting a response from a forum moderator this fast is incredible, thank you. I largely agree with your stance on LLMs, I was just getting desperate after days of trying myself.
Okay, so
sbctl -m enroll-keys
gets me "unknown shorthand flag: 'm' in -m", and running
sbctl --m enroll-keys
gets me "unknown flag: --m".
Please tell me if I am doing something wrong and bear with me if I do stupid stuff, I'm new to modifying anything at this level.
-m comes after enroll-keys: https://wiki.archlinux.org/title/Unifie … with_sbctl
And to prevent the obvious d'oh: you're running sbctl as root, right? FWIW, MSI has a notoriously bad UEFI implementation; it's very possible this won't even work anyway due to how their UEFI is implemented.
Last edited by V1del (2025-01-16 16:33:01)
Hey, thank you.
running
sudo sbctl enroll-keys -m
gets me:
"
‼ File is immutable: /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c
‼ File is immutable: /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
‼ File is immutable: /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
You need to chattr -i files in efivarfs
"
"chattr: Operation not supported while reading flags on /sys/firmware/efi/efivars"
Is efivarfs mounted rw?
grep efivarfs /proc/self/mounts
Everything for everyone, nothing for ourselves
Hey Head_on_a_Stick,
running
grep efivarfs /proc/self/mounts
gets me "efivarfs /sys/firmware/efi/efivars efivarfs rw,nosuid,nodev,noexec,relatime 0 0", so it is mounted read-write.
I have no idea what is going on here, tbh. I can post a picture of my BIOS settings later; Secure Boot really is off and my system behaves as if it isn't (if that makes any sense).
Edit: "idea" to "no idea"
Last edited by cautiouscauliflower (2025-01-16 18:34:33)
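Editor's addition, not code from any post in this thread: the checks the thread performs one at a time (the od reads of SecureBoot and SetupMode in the first post, the "is lockdown on" question, Head_on_a_Stick's efivarfs mount check, and the immutable PK/KEK/db files sbctl complains about) collected into a few POSIX shell functions. EFIVARS, MOUNTS and LOCKDOWN_FILE are parameters introduced here so the functions can be pointed at constructed files; their defaults are the real kernel paths. It assumes an x86 host, since `od -t u4` uses host byte order. Two points the thread circles around are built in: the enforced lockdown mode is read from /sys/kernel/security/lockdown rather than inferred from the "LSM: initializing" boot line (the kernel's lockdown= parameter accepts only integrity or confidentiality, which is why the first post's dmesg shows "Malformed early option"), and the immutable bit is inspected per variable file, because the chattr error quoted in the first post names the efivars directory rather than a variable file.

```shell
#!/bin/sh
# Added example, not code from any post in this thread.
# EFIVARS, MOUNTS and LOCKDOWN_FILE are parameters added here so the
# functions can be run against constructed files; defaults are the real
# paths. Assumes an x86 host (od -t u4 uses host byte order).

EFIVARS="${EFIVARS:-/sys/firmware/efi/efivars}"
MOUNTS="${MOUNTS:-/proc/self/mounts}"
LOCKDOWN_FILE="${LOCKDOWN_FILE:-/sys/kernel/security/lockdown}"

# Path of a variable given its name; the GUID suffix is found by glob.
efivar_path() {
    for f in "$EFIVARS"/"$1"-*; do
        [ -e "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# An efivarfs file is a 4-byte little-endian attribute word followed by the
# variable data. Print the first data byte in decimal, which is exactly what
# the first post's `od -An -t u1 -j4 -N1` reads.
efivar_first_byte() {
    od -An -t u1 -j4 -N1 "$1" | tr -d ' '
}

# Decode the attribute word: NV non-volatile, BS boot-services access,
# RT runtime access, TA time-based authenticated write (updates must be
# signed by the current PK/KEK chain unless the firmware is in setup mode).
efivar_attrs() {
    attrs=$(od -An -t u4 -N4 "$1" | tr -d ' ')
    out=""
    [ $((attrs & 1)) -ne 0 ] && out="${out}NV,"
    [ $((attrs & 2)) -ne 0 ] && out="${out}BS,"
    [ $((attrs & 4)) -ne 0 ] && out="${out}RT,"
    [ $((attrs & 32)) -ne 0 ] && out="${out}TA,"
    printf '%s\n' "${out%,}"
}

# "enabled"/"disabled" from SecureBoot; "unknown" if the variable is absent.
secureboot_state() {
    p=$(efivar_path SecureBoot) || { echo unknown; return; }
    [ "$(efivar_first_byte "$p")" = 1 ] && echo enabled || echo disabled
}

# "setup"/"user" from SetupMode. Enrolling a new PK needs setup mode.
setup_mode() {
    p=$(efivar_path SetupMode) || { echo unknown; return; }
    [ "$(efivar_first_byte "$p")" = 1 ] && echo setup || echo user
}

# "rw", "ro" or "not-mounted" for efivarfs, read from a mounts table.
efivarfs_mode() {
    awk '$3 == "efivarfs" {
             found = 1; mode = "ro"; n = split($4, o, ",")
             for (i = 1; i <= n; i++) if (o[i] == "rw") mode = "rw"
             print mode; exit
         }
         END { if (!found) print "not-mounted" }' "$MOUNTS"
}

# The enforced lockdown mode is the bracketed word in
# /sys/kernel/security/lockdown, e.g. "[none] integrity confidentiality".
# The boot message "LSM: initializing lsm=...lockdown..." only says the
# module is compiled in; it says nothing about the mode.
lockdown_mode() {
    [ -r "$LOCKDOWN_FILE" ] || { echo unknown; return; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$LOCKDOWN_FILE"
}

# Which of PK/KEK/db carry the immutable bit. efivarfs sets it on every
# variable by default (the "File is immutable" sbctl reports); it is cleared
# per file with `chattr -i FILE`, not on the efivars directory.
immutable_vars() {
    for v in PK KEK db; do
        p=$(efivar_path "$v") || continue
        case "$(lsattr "$p" 2>/dev/null | cut -d' ' -f1)" in
            *i*) printf '%s ' "$v" ;;
        esac
    done
    echo
}

secureboot_report() {
    printf 'SecureBoot: %s\nSetupMode:  %s\nefivarfs:   %s\nlockdown:   %s\n' \
        "$(secureboot_state)" "$(setup_mode)" "$(efivarfs_mode)" "$(lockdown_mode)"
    imm=$(immutable_vars)
    printf 'immutable:  %s\n' "${imm:-none}"
}

# Usage: sudo sh sbcheck.sh run
case "${1:-}" in run) secureboot_report ;; esac
```

If the report shows SecureBoot disabled, setup mode, efivarfs rw and all three of PK/KEK/db immutable, the state matches what the first post describes, and the next step is `chattr -i` on each file sbctl listed (it prints the full paths). On this dual-boot layout the enrolment V1del asks for is `sudo sbctl enroll-keys -m`, which keeps Microsoft's certificates in db so the Windows bootloader on /dev/sda1 remains bootable; a plain `sbctl enroll-keys` would replace them with only the keys from `sbctl create-keys`.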