Hi Bastian

Thanks for the explanation. Feel free to close the ticket then; however, I do 
have one question.
I did some tests by creating my own kernel module and inserting it, which 
doesn't work (operation not permitted), indicating that the chain of trust is 
kept intact (please confirm this is true).
However, mokutil requires EFI variables, making configuration quite a pain in 
the ass. I know how to start with efi=runtime to allow it, but I want to make 
this process as seamless as possible for our customers who might need to load 
and sign EtherCAT modules. Do you have a suggestion on how to handle this?

thanks!

Niek
________________________________
From: Bastian Blank <wa...@debian.org>
Sent: Tuesday, October 4, 2022 2:46 PM
To: Niek Nooijens / IAB <niek.nooij...@omron.com>; 1021...@bugs.debian.org 
<1021...@bugs.debian.org>
Subject: Re: Bug#1021245: linux-image-5.10.0-18-rt-amd64: can't access EFIVARS 
when using rt version of kernel

On Tue, Oct 04, 2022 at 11:46:39AM +0200, niek nooijens wrote:
> When using the normal linux-image 5.10.0-18 I can use efibootmgr to change 
> boot variables and /sys/firmware/efi/efivars is populated.
> When using the real-time variant, efibootmgr and efivar report "efi variables 
> are not supported on this system" and /sys/firmware/efi/efivars is empty.
> Trying to insert the /lib/modules/kernel/fs/efivarfs/efivarfs.ko kernel 
> module fails with "no such file or directory", as does modprobe.
> I therefore conclude this is a bug, and problematic since I need to load 
> signed kernel modules for our industrial EtherCAT stack and really need the 
> whole EFI/secure-boot/mok chain to work on the rt_kernel.

This is no bug.  The EFI runtime services are explicitly disabled.  The
reason is:

| The EFI runtime services are disabled by default when PREEMPT_RT is enabled,
| because measurements have shown that some EFI functions calls might take too
| much time to complete, causing large latencies which is an issue for Real-Time
| kernels.

You can enable it by adding "efi=runtime" to the kernel command line.

Bastian

--
I have never understood the female capacity to avoid a direct answer to
any question.
                -- Spock, "This Side of Paradise", stardate 3417.3
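Added example, not part of the thread: a small POSIX shell diagnostic for the situation Bastian describes. It checks whether efi=runtime is on the kernel command line and whether efivarfs is actually populated, and classifies the -rt kernel case so a customer machine can be checked before running mokutil; the helper names and state labels are the editor's, and the live report only reads /proc, /sys and uname.

```shell
#!/bin/sh
# Added diagnostic for the PREEMPT_RT + Secure Boot case above; helper names are the editor's.

# Return 0 if the kernel command line ($1) carries efi=runtime as a whole
# token, so that e.g. "efi=noruntime" is never mistaken for a match.
has_efi_runtime() {
    for tok in $1; do
        [ "$tok" = "efi=runtime" ] && return 0
    done
    return 1
}

# Return 0 if the efivarfs directory ($1) exposes at least one variable.
# On the -rt kernel without efi=runtime the directory exists but is empty,
# which is what efibootmgr/efivar/mokutil report as "not supported".
efivars_populated() {
    [ -d "$1" ] || return 1
    for f in "$1"/*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Classify the machine: $1 kernel command line, $2 efivarfs dir, $3 uname -r.
rt_secureboot_state() {
    case "$3" in
        *-rt-*|*-rt) is_rt=1 ;;
        *) is_rt=0 ;;
    esac
    if efivars_populated "$2"; then
        echo "efivars-ok"                 # mokutil/efibootmgr will work
    elif [ "$is_rt" = 1 ] && ! has_efi_runtime "$1"; then
        echo "rt-needs-efi-runtime"       # the situation from the bug report
    else
        echo "efivars-missing"            # not the rt case: look elsewhere
    fi
}

# Live report against the running system (skipped where /proc is unavailable).
main() {
    state=$(rt_secureboot_state "$(cat /proc/cmdline)" \
        /sys/firmware/efi/efivars "$(uname -r)")
    echo "kernel: $(uname -r)  efi state: $state"
    # Secure Boot locks the kernel down; unsigned modules are then refused.
    if [ -r /sys/kernel/security/lockdown ]; then
        echo "lockdown: $(cat /sys/kernel/security/lockdown)"
    fi
}
if [ -r /proc/cmdline ]; then main; fi
```

A result of rt-needs-efi-runtime means the -rt kernel is running without efi=runtime, so mokutil and efibootmgr will fail until that parameter is added.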
