Highlighted
Orion205 Top Student
Top Student
6 0 0
Message 1 of 6
139
Flag Post
HP Recommended

Sender license for HP System with UEFI Secure Boot

HP Z8 G4 Workstation
Linux

I have a new Z8 G4 workstation running Fedora 28.  I know that's not a supported OS for Remote Graphics Sender, but I think the issue I have is not related to the OS version.

 

I first setup RGS when UEFI Secure Boot was turned off, and it all worked fine.

Now, UEFI Secure Boot is enabled, and that triggers Linux to turn on kernel lockdown.  This prevents direct access to /dev/mem, and the rgsmbiosreader command cannot find BIOS information.  Therefore, RG Sender doesn't treat the system as an HP System, and gets no license.

Other tools such as dmidecode now use the new /sys filesystem to get such information, by accessing /sys/firmware/dmi/tables/DMI for example.  But rgsmbiosreader still tries direct /dev/mem access.

 

In order to get Sender features to work,  I have to disable UEFI Secure Boot.  This is not an ideal situation.  I hope that a future version of RG Sender will be updated to work with kernel lockdown.

5 REPLIES
Grad Student Grad Student
Grad Student
251 16 24
Message 2 of 6
112
Flag Post
HP Recommended

Sender license for HP System with UEFI Secure Boot

Can you uninstall RGS, put the system back into UEFI, and the reinstall?  Working on a Z8 G4 now with RHEL 7.5 and in UEFI and it works fine.

I work on the behalf of HP.

I work on behalf of HP
Reply
0 Kudos
Orion205 Top Student
Top Student
6 0 0
Message 3 of 6
107
Flag Post
HP Recommended

Sender license for HP System with UEFI Secure Boot

Thanks.

Can you confirm you have kernel lockdown due to Secure Boot?

When I run 

dmesg | grep lockdown

I get this result:

[    0.000000] Kernel is locked down from EFI secure boot; see man kernel_lockdown.7
[    1.691202] Lockdown: swapper/0: Hibernation is restricted; see man kernel_lockdown.7
[    2.520587] Lockdown: systemd: BPF is restricted; see man kernel_lockdown.7
[   39.708481] Lockdown: Xorg: ioperm is restricted; see man kernel_lockdown.7
[   41.164570] Lockdown: rgsmbiosreader: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7

That last line is the kicker.  Remote Graphics is trying to test if it's an HP system and fails.  If you see that first line, but not the last one, then indeed it's working for you and not for me.

 

I'm not sure if you have secure boot enabled, or if your RHEL is configured to lock down the kernel if so.

Reply
0 Kudos
Grad Student Grad Student
Grad Student
251 16 24
Message 4 of 6
92
Flag Post
HP Recommended

Sender license for HP System with UEFI Secure Boot

Okay, I did some follow up on this with our Linux (Non-RGS team) and found out this is actually an issue with the way out license checks for validation.  Apologies for not fully understanding what was going on.  Will update you most likely tomorrow or Friday.  Not sure how difficult this fix will be.

I work on the behalf of HP.

I work on behalf of HP
Reply
0 Kudos
Orion205 Top Student
Top Student
6 0 0
Message 5 of 6
48
Flag Post
HP Recommended

Sender license for HP System with UEFI Secure Boot

Thanks Kelly.  I'm guessing it's not an easy fix?

 

I've noticed that the Linux BIOS update utility also runs into problems with kernel lockdown.  That package comes with a kernel module that must be compiled and installed in order to update BIOS, but the kernel module doesn't get signed and so can't be loaded unless the lockdown is lifted.

 

So I'm guessing that none of the Linux development machines is setup with kernel lockdown.  I'll have to operate with the lockdown lifted for now.

Reply
0 Kudos
Grad Student Grad Student
Grad Student
251 16 24
Message 6 of 6
41
Flag Post
HP Recommended

Sender license for HP System with UEFI Secure Boot

From what I am being told, this should not be a difficult fix and I have already filed the defect.  It has already been assigned to be fixed.  I will reach out to you when I have a test build for you to try.

Kelly

I work on behalf of HP
Reply
0 Kudos
† The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation