Re: Sender license for HP System with UEFI Secure Boot - HP Support Community

Orion205 · ‎11-12-2018

I have a new Z8 G4 workstation running Fedora 28. I know that's not a supported OS for Remote Graphics Sender, but I think the issue I have is not related to the OS version.

I first setup RGS when UEFI Secure Boot was turned off, and it all worked fine.

Now, UEFI Secure Boot is enabled, and that triggers Linux to turn on kernel lockdown. This prevents direct access to /dev/mem, and the rgsmbiosreader command cannot find BIOS information. Therefore, RG Sender doesn't treat the system as an HP System, and gets no license.

Other tools such as dmidecode now use the new /sys filesystem to get such information, by accessing /sys/firmware/dmi/tables/DMI for example. But rgsmbiosreader still tries direct /dev/mem access.

In order to get Sender features to work, I have to disable UEFI Secure Boot. This is not an ideal situation. I hope that a future version of RG Sender will be updated to work with kernel lockdown.

KellyRGS · ‎11-13-2018

Can you uninstall RGS, put the system back into UEFI, and the reinstall? Working on a Z8 G4 now with RHEL 7.5 and in UEFI and it works fine.

I work on the behalf of HP.

I am an HP employee.

Orion205 · ‎11-13-2018

Thanks.

Can you confirm you have kernel lockdown due to Secure Boot?

When I run

dmesg | grep lockdown

I get this result:

[    0.000000] Kernel is locked down from EFI secure boot; see man kernel_lockdown.7
[    1.691202] Lockdown: swapper/0: Hibernation is restricted; see man kernel_lockdown.7
[    2.520587] Lockdown: systemd: BPF is restricted; see man kernel_lockdown.7
[   39.708481] Lockdown: Xorg: ioperm is restricted; see man kernel_lockdown.7
[   41.164570] Lockdown: rgsmbiosreader: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7

That last line is the kicker. Remote Graphics is trying to test if it's an HP system and fails. If you see that first line, but not the last one, then indeed it's working for you and not for me.

I'm not sure if you have secure boot enabled, or if your RHEL is configured to lock down the kernel if so.

KellyRGS · ‎11-14-2018

Okay, I did some follow up on this with our Linux (Non-RGS team) and found out this is actually an issue with the way out license checks for validation. Apologies for not fully understanding what was going on. Will update you most likely tomorrow or Friday. Not sure how difficult this fix will be.

I work on the behalf of HP.

I am an HP employee.

Orion205 · ‎11-30-2018

Thanks Kelly. I'm guessing it's not an easy fix?

I've noticed that the Linux BIOS update utility also runs into problems with kernel lockdown. That package comes with a kernel module that must be compiled and installed in order to update BIOS, but the kernel module doesn't get signed and so can't be loaded unless the lockdown is lifted.

So I'm guessing that none of the Linux development machines is setup with kernel lockdown. I'll have to operate with the lockdown lifted for now.

KellyRGS · ‎11-30-2018

From what I am being told, this should not be a difficult fix and I have already filed the defect. It has already been assigned to be fixed. I will reach out to you when I have a test build for you to try.

Kelly

I am an HP employee.

Sender license for HP System with UEFI Secure Boot

Create an account on the HP Community to personalize your profile and ask a question