Hello out there, I have an issue with my new Debian installation. I
choose stable for now, to keep it simple. So used the stable
installation ISO to install Debian on a MSI Z690-A with a Intel Core
I7-14700 and a GeForce RTX 4060Ti. The Nouveau driver did not work with
this card so I installed the Nvidia driver and everything to build it.
Then I created my MOK key and enrolled them. So the nvidia-current
module is signed now and is getting loaded as nvidia_drm, nvidia_modeset
and nvidia. But something still prevents the X server from starting:

[   304.354] (II) NVIDIA GLX Module  535.183.01  Sun May 12 19:37:53 UTC 2024
[   304.355] (II) NVIDIA: The X server supports PRIME Render Offload.
[   308.891] (EE) NVIDIA(GPU-0): Failed to initialize the NVIDIA GPU at PCI:1:0:0.  Please
[   308.891] (EE) NVIDIA(GPU-0):     check your system's kernel log for additional error
[   308.891] (EE) NVIDIA(GPU-0):     messages and refer to Chapter 8: Common Problems in the
[   308.891] (EE) NVIDIA(GPU-0):     README for additional information. [   308.891] (EE) NVIDIA(GPU-0): Failed to initialize the NVIDIA
graphics device!
[   308.891] (EE) NVIDIA(0): Failing initialization of X screen
[   308.891] (II) UnloadModule: "nvidia"
[   308.891] (II) UnloadSubModule: "glxserver_nvidia"
[   308.891] (II) Unloading glxserver_nvidia

and dmesg gives me this:

[   40.344811] nvidia: module license 'NVIDIA' taints kernel.
[   40.344811] Disabling lock debugging due to kernel taint

....

[   46.716241] NVRM: GPU 0000:01:00.0: RmInitAdapter failed!
(0x23:0x65:1426)
[   46.716422] NVRM: GPU 0000:01:00.0: rm_init_adapter failed, device
minor number 0

....

[   47.042454] Lockdown: Xorg: raw io port access is restricted; see man kernel_lockdown.7
[   51.092248] NVRM: GPU 0000:01:00.0: RmInitAdapter failed!
(0x23:0x65:1426)
[   51.092330] NVRM: GPU 0000:01:00.0: rm_init_adapter failed, device
minor number 0
[   55.097874] NVRM: GPU 0000:01:00.0: RmInitAdapter failed!
(0x23:0x65:1426)
[   55.097953] NVRM: GPU 0000:01:00.0: rm_init_adapter failed, device
minor number 0

the last two lines repeats 1000++ times

I think it's still SecureBoot, but what is it this time? Can anyone help


Thank you in advance


BR Chris

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

Christian wrote:

[   47.042454] Lockdown: Xorg: raw io port access is restricted; see man kernel_lockdown.7
I think it's still SecureBoot, but what is it this time? Can anyone help

At least the above log snippet seems to be related to SecureBoot.
In
https://manpages.debian.org/bookworm/manpages/kernel_lockdown.7.en.html
i see

"On an EFI-enabled x86 or arm64 machine, lockdown will be automatically
enabled if the system boots in EFI Secure Boot mode.
Coverage
When lockdown is in effect, a number of features are disabled or have
their use restricted. This includes special device files and kernel
services that allow direct access of the kernel image:"
[...]
NOTES
The Kernel Lockdown feature is enabled by CONFIG_SECURITY_LOCKDOWN_LSM.
The lsm=lsm1,...,lsmN command line parameter controls the sequence of
the initialization of Linux Security Modules. It must contain the
string lockdown to enable the Kernel Lockdown feature. If the command
line parameter is not specified, the initialization falls back to the
value of the deprecated security= command line parameter and further
to the value of CONFIG_LSM."

So i guess you have to look into your boot configuration for kernel
parameter "lockdown".

On
https://bbs.archlinux.org/viewtopic.php?id=290866
i see this statement by espritlibre:

"Re: Secure boot and Nvidia
i have secure boot enabled, but lockdown disabled (for another
reason). loading the nvidia module does taint the kernel, but loads
and work just fine with prime-run on a hybrid systme. i'm not signing
OOT modules, just kernel and efi stuff."

(Whatever "prime-run" might be ...)


Have a nice day :)

Thomas

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

NVIDIA is a major pain in the ass with Linux. Which is why I do not
use them.

Actually this is more Linux being a major pain in the ass to Nvidia.

Hmm... I haven't seen any sign that Nvidia suffers much, so I think it's
more clearly a pain inflicted on Linux.


Stefan

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Thomas, thank you for your help. So far I couldn't see anything in my cmdline which is kernel_lockdown related. And I grep'ed the whole /etc
and /boot directory recursively. Nothing. And neither in the dmesg,
there is no "lsm=" line. Only in the kernel .config is CONFIG_SECURITY_LOCKDOWN=y, enabled. So yes the kernel supports it.
Debian Live boot system couldn't either boot up my new PC, but Ubuntu
did. WIth Ubuntu I was able to boot it with Desktop and everthing, but
they used Nouveu driver. And dmesg dumped this out:
[    0.209551] LSM: initializing lsm=lockdown,capability,landlock,yama,apparmor,ima,evm

I couldn't find out where this parameters are set. Even on the Ubuntu
Live system I didn't find a file with just one single line with the
words lsm= or lockdown (case insensitive)

Thank you

BR Christian

Hi,

Christian wrote:

[   47.042454] Lockdown: Xorg: raw io port access is restricted; see man kernel_lockdown.7
I think it's still SecureBoot, but what is it this time? Can anyone help

At least the above log snippet seems to be related to SecureBoot.
In
https://manpages.debian.org/bookworm/manpages/kernel_lockdown.7.en.html
i see

"On an EFI-enabled x86 or arm64 machine, lockdown will be automatically
enabled if the system boots in EFI Secure Boot mode.
Coverage
When lockdown is in effect, a number of features are disabled or have
their use restricted. This includes special device files and kernel
services that allow direct access of the kernel image:"
[...]
NOTES
The Kernel Lockdown feature is enabled by CONFIG_SECURITY_LOCKDOWN_LSM.
The lsm=lsm1,...,lsmN command line parameter controls the sequence of
the initialization of Linux Security Modules. It must contain the
string lockdown to enable the Kernel Lockdown feature. If the command
line parameter is not specified, the initialization falls back to the
value of the deprecated security= command line parameter and further
to the value of CONFIG_LSM."

So i guess you have to look into your boot configuration for kernel
parameter "lockdown".

On
https://bbs.archlinux.org/viewtopic.php?id=290866
i see this statement by espritlibre:

"Re: Secure boot and Nvidia
i have secure boot enabled, but lockdown disabled (for another
reason). loading the nvidia module does taint the kernel, but loads
and work just fine with prime-run on a hybrid systme. i'm not signing
OOT modules, just kernel and efi stuff."

(Whatever "prime-run" might be ...)

Have a nice day :)

Thomas

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hello out there, I have an issue with my new Debian installation. I
choose stable for now, to keep it simple. So used the stable
installation ISO to install Debian on a MSI Z690-A with a Intel Core
I7-14700 and a GeForce RTX 4060Ti. The Nouveau driver did not work with
this card so I installed the Nvidia driver and everything to build it.
Then I created my MOK key and enrolled them. So the nvidia-current
module is signed now and is getting loaded as nvidia_drm, nvidia_modeset
and nvidia. But something still prevents the X server from starting:

[ 304.354] (II) NVIDIA GLX Module 535.183.01 Sun May 12 19:37:53 UTC
2024
[ 304.355] (II) NVIDIA: The X server supports PRIME Render Offload.
[ 308.891] (EE) NVIDIA(GPU-0): Failed to initialize the NVIDIA GPU at PCI:1:0:0. Please
[ 308.891] (EE) NVIDIA(GPU-0): check your system's kernel log for additional error
[ 308.891] (EE) NVIDIA(GPU-0): messages and refer to Chapter 8:
Common Problems in the
[ 308.891] (EE) NVIDIA(GPU-0): README for additional information.
[ 308.891] (EE) NVIDIA(GPU-0): Failed to initialize the NVIDIA
graphics device!
[ 308.891] (EE) NVIDIA(0): Failing initialization of X screen

According to your log messages The NVIDIA card fails to initialize before X fails. NVIDIA is a major pain in the ass with Linux. Which is why I do not use them.

[ 308.891] (EE) NVIDIA(GPU-0): Failed to initialize the NVIDIA
graphics device!
[ 308.891] (EE) NVIDIA(0): Failing initialization of X screen

Did the installer have graphics when you installed it? You could try
booting from the live USB image for bookworm and trixie and see how that works out. If your graphics card is really new then you may have to run Trixie to support it.

Hello Timothy, thank you for your help. Well I did. I used the Debian
Live System (Testing version) to boot into my new PC, but I stalled
really early. And I couln't even open a console or connect to the system
via SSH. At least I could see with nmap that it fetched an IP address.
The Debian installer offered me graphics but this is "just" framebuffer
I guess? With Ubuntu I was able to start the system. With a very (s)low resolution though but it worked. It used the Nouveau driver.


Thanks


BR Christian

[ 308.891] (II) UnloadModule: "nvidia"
[ 308.891] (II) UnloadSubModule: "glxserver_nvidia"
[ 308.891] (II) Unloading glxserver_nvidia

and dmesg gives me this:

[ 40.344811] nvidia: module license 'NVIDIA' taints kernel.
[ 40.344811] Disabling lock debugging due to kernel taint

....

[ 46.716241] NVRM: GPU 0000:01:00.0: RmInitAdapter failed!
(0x23:0x65:1426)
[ 46.716422] NVRM: GPU 0000:01:00.0: rm_init_adapter failed, device
minor number 0

....

[ 47.042454] Lockdown: Xorg: raw io port access is restricted; see man
kernel_lockdown.7
[ 51.092248] NVRM: GPU 0000:01:00.0: RmInitAdapter failed!
(0x23:0x65:1426)
[ 51.092330] NVRM: GPU 0000:01:00.0: rm_init_adapter failed, device
minor number 0
[ 55.097874] NVRM: GPU 0000:01:00.0: RmInitAdapter failed!
(0x23:0x65:1426)
[ 55.097953] NVRM: GPU 0000:01:00.0: rm_init_adapter failed, device
minor number 0

the last two lines repeats 1000++ times

I think it's still SecureBoot, but what is it this time? Can anyone help


Thank you in advance


BR Chris

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hello Kevin, thank you for support. I choosed Nvidia again deliberately
because I want to play with Tesorflow, Scikit-Learn and GPT. And yes I
had my experiences with Nvidia over the year as well. But I decided to
take Nvidia again. Maybe there are more people like me, giving up the installation silently for another distro?

BR Christian

29 Oct 2024 17:38:39 Timothy M Butterworth <timothy.m.butterworth@gmail.com>:

NVIDIA is a major pain in the ass with Linux. Which is why I do not
use them.

Actually this is more Linux being a major pain in the ass to Nvidia.

When secure boot is enabled lockdown is automatically enabled. Really debian should provide an Nvidia package that explains the issue, sets lockdown none and runs update-grub. Unfortunately I don't believe the kernel allows just enabling raw io to even

signed modules. You can look up some things like disabling debugfs to restore some of lockdowns security. I think kernel memory access is kept disabled.


--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hello Timothy, I did so. I used Debian Testing/Trixie, which I also use
on my current old system (build 2015) with apt pinning and everything...
The ISO I used was debian-live-testing-amd64-xfce.iso.

BR Christian

On Wed, Oct 30, 2024 at 10:58 AM Christian <chris@argonautx.net> wrote:

Hi Thomas, thank you for your help. So far I couldn't see anything in my
cmdline which is kernel_lockdown related. And I grep'ed the whole /etc
and /boot directory recursively. Nothing. And neither in the dmesg,
there is no "lsm=" line. Only in the kernel .config is
CONFIG_SECURITY_LOCKDOWN=y, enabled. So yes the kernel supports it.
Debian Live boot system couldn't either boot up my new PC, but Ubuntu
did. WIth Ubuntu I was able to boot it with Desktop and everthing, but
they used Nouveu driver.

Try booting with Trixie (testing), https://www.debian.org/CD/live/ It may just be that the stable kernel is simply too old for your hardware. I am currently running Trixie and have not had any problems with it. If you do install Trixie and it asks you if you want to install accesibility tools... select NO! Otherwise it will install and run everything and you will waste lots of time figuring out how to disable them.

And dmesg dumped this out:

[ 0.209551] LSM: initializing
lsm=lockdown,capability,landlock,yama,apparmor,ima,evm

I couldn't find out where this parameters are set. Even on the Ubuntu
Live system I didn't find a file with just one single line with the
words lsm= or lockdown (case insensitive)

Thank you

BR Christian

Hi,

Christian wrote:

[ 47.042454] Lockdown: Xorg: raw io port access is restricted; see

man kernel_lockdown.7

I think it's still SecureBoot, but what is it this time? Can anyone help >>> At least the above log snippet seems to be related to SecureBoot.

In

https://manpages.debian.org/bookworm/manpages/kernel_lockdown.7.en.html

i see

"On an EFI-enabled x86 or arm64 machine, lockdown will be

automatically

enabled if the system boots in EFI Secure Boot mode.
Coverage
When lockdown is in effect, a number of features are disabled or have >>> their use restricted. This includes special device files and kernel >>> services that allow direct access of the kernel image:"
[...]
NOTES
The Kernel Lockdown feature is enabled by

CONFIG_SECURITY_LOCKDOWN_LSM.

The lsm=lsm1,...,lsmN command line parameter controls the sequence

of

the initialization of Linux Security Modules. It must contain the
string lockdown to enable the Kernel Lockdown feature. If the

command

line parameter is not specified, the initialization falls back to

the

value of the deprecated security= command line parameter and further >>> to the value of CONFIG_LSM."

So i guess you have to look into your boot configuration for kernel
parameter "lockdown".

On
https://bbs.archlinux.org/viewtopic.php?id=290866
i see this statement by espritlibre:

"Re: Secure boot and Nvidia
i have secure boot enabled, but lockdown disabled (for another
reason). loading the nvidia module does taint the kernel, but loads >>> and work just fine with prime-run on a hybrid systme. i'm not signing >>> OOT modules, just kernel and efi stuff."

(Whatever "prime-run" might be ...)


Have a nice day :)

Thomas

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

Christian wrote:

So far I couldn't see anything in my
cmdline which is kernel_lockdown related.

If this means that you already looked into

/proc/cmdline

then i am out of ideas why the kernel log reported

[   47.042454] Lockdown: Xorg: raw io port access is restricted; see man kernel_lockdown.7

Well, it is not clear whether this is really the showstopper for Xorg
on Nvidia's driver. There were error messages before the "Lockdown"
message.

Kevin Chadwick wrote:

Have you tried disabling secure boot?

If this is possible then we would at least learn whether Secure Boot is
the origin of the problem or just a red herring.


Have a nice day :)

Thomas

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

So far I couldn't see anything in my
cmdline which is kernel_lockdown related.

If this means that you already looked into

/proc/cmdline

then i am out of ideas why the kernel log reported

[   47.042454] Lockdown: Xorg: raw io port access is restricted; see man >>> kernel_lockdown.7

Turns out, the parameters for kernel_lockdown are fixed defined in include/config/auto.conf but can be enhanced by writing these rules to
the kernel cmdline.

In /sys/kernel/security/lockdown can one see all activated components.
But it looks that it's not possible to delete certain parameters. Which
can be changed however is the state of kernel_lockdown in /sys/kernel/security/lockdown

Well, it is not clear whether this is really the showstopper for Xorg
on Nvidia's driver. There were error messages before the "Lockdown"
message.

Kevin Chadwick wrote:

Have you tried disabling secure boot?

If this is possible then we would at least learn whether Secure Boot is
the origin of the problem or just a red herring.

Well yes, and it's pretty confusing because I disabled secure boot, and
the problems remained. Which makes me really clueless, because there is
not much information left on the dmesg. Maybe its something with BIOS or
ACPI? By adding loglevel=3 to the cmdline I got something more:

[    0.277298] ACPI BIOS Error (bug): Failure creating named object [\_SB.PC00.XHCI.RHUB.HS14.SADX], AE_ALREADY_EXISTS (20220331/dswload2-326) [    0.277301] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20220331/psobject-220)
[    0.277304] ACPI BIOS Error (bug): Failure creating named object [\_SB.PC00.XHCI.RHUB.HS14.SADS], AE_ALREADY_EXISTS (20220331/dswload2-326) [    0.277306] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20220331/psobject-220)
[    0.277306] ACPI: Skipping parse of AML opcode: OpcodeName
unavailable (0x0014)
[    0.277307] ACPI BIOS Error (bug): Failure creating named object [\_SB.PC00.XHCI.RHUB.HS14._DSM], AE_ALREADY_EXISTS (20220331/dswload2-326) [    0.277308] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20220331/psobject-220)
[    0.277309] ACPI: Skipping parse of AML opcode: OpcodeName
unavailable (0x0014)
[    0.277310] ACPI BIOS Error (bug): Failure creating named object [\_SB.PC00.XHCI.RHUB.HS14.BTRT], AE_ALREADY_EXISTS (20220331/dswload2-326) [    0.277311] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20220331/psobject-220)
[    0.277312] ACPI: Skipping parse of AML opcode: OpcodeName
unavailable (0x5B84)
[    0.277325] ACPI BIOS Error (bug): Failure creating named object [\_SB.PC00.XHCI.RHUB.HS14.DBTR], AE_ALREADY_EXISTS (20220331/dswload2-326) [    0.277326] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20220331/psobject-220)
[    0.277327] ACPI: Skipping parse of AML opcode: OpcodeName
unavailable (0x5B84)
[    0.277328] ACPI BIOS Error (bug): Failure creating named object [\_SB.PC00.XHCI.RHUB.HS14._PRR], AE_ALREADY_EXISTS (20220331/dswload2-326) [    0.277329] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20220331/psobject-220)
[    0.277329] ACPI: Skipping parse of AML opcode: OpcodeName
unavailable (0x0014)
[    0.277330] ACPI BIOS Error (bug): Failure creating named object [\_SB.PC00.XHCI.RHUB.HS14.BRDY], AE_ALREADY_EXISTS (20220331/dswload2-326) [    0.277331] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20220331/psobject-220)
[    0.277334] ACPI BIOS Error (bug): Failure creating named object [\_SB.PC00.XHCI.RHUB.HS14.BGAP], AE_ALREADY_EXISTS (20220331/dswload2-326) [    0.277335] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20220331/psobject-220)
[    0.277337] ACPI BIOS Error (bug): Failure creating named object [\_SB.PC00.XHCI.RHUB.HS14.BRDS], AE_ALREADY_EXISTS (20220331/dswload2-326) [    0.277338] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20220331/psobject-220)
[    0.277339] ACPI: Skipping parse of AML opcode: OpcodeName
unavailable (0x0014)
[    0.277340] ACPI BIOS Error (bug): Failure creating named object [\_SB.PC00.XHCI.RHUB.HS14.ECKY], AE_ALREADY_EXISTS (20220331/dswload2-326) [    0.277341] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20220331/psobject-220)
[    0.277342] ACPI BIOS Error (bug): Failure creating named object [\_SB.PC00.XHCI.RHUB.HS14.ECKV], AE_ALREADY_EXISTS (20220331/dswload2-326) [    0.277343] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20220331/psobject-220)
[    0.277344] ACPI: Skipping parse of AML opcode: OpcodeName
unavailable (0x0014)
[    0.277345] ACPI BIOS Error (bug): Failure creating named object [\_SB.PC00.XHCI.RHUB.HS14.GPCX], AE_ALREADY_EXISTS (20220331/dswload2-326) [    0.277346] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20220331/psobject-220)
[    0.277349] ACPI BIOS Error (bug): Failure creating named object [\_SB.PC00.XHCI.RHUB.HS14.GPC], AE_ALREADY_EXISTS (20220331/dswload2-326) [    0.277350] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20220331/psobject-220)
[    0.277351] ACPI: Skipping parse of AML opcode: OpcodeName
unavailable (0x0014)
[    0.277352] ACPI BIOS Error (bug): Failure creating named object [\_SB.PC00.XHCI.RHUB.HS14.GLAX], AE_ALREADY_EXISTS (20220331/dswload2-326) [    0.277352] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20220331/psobject-220)
[    0.277355] ACPI BIOS Error (bug): Failure creating named object [\_SB.PC00.XHCI.RHUB.HS14.GLAI], AE_ALREADY_EXISTS (20220331/dswload2-326) [    0.277356] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20220331/psobject-220)
[    0.277356] ACPI: Skipping parse of AML opcode: OpcodeName
unavailable (0x0014)
[    0.277357] ACPI BIOS Error (bug): Failure creating named object [\_SB.PC00.XHCI.RHUB.HS14.BTLY], AE_ALREADY_EXISTS (20220331/dswload2-326) [    0.277358] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20220331/psobject-220)
[    0.277360] ACPI BIOS Error (bug): Failure creating named object [\_SB.PC00.XHCI.RHUB.HS14.BTLC], AE_ALREADY_EXISTS (20220331/dswload2-326) [    0.277361] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20220331/psobject-220)
[    0.277362] ACPI: Skipping parse of AML opcode: OpcodeName
unavailable (0x0014)
[    0.278459] ACPI: 12 ACPI AML tables successfully acquired and loaded [    0.284491] ACPI: Dynamic OEM Table Load:
[    0.284496] ACPI: SSDT 0xFFFF913A02036600 0001AB (v02 PmRef Cpu0Psd  00003000 INTL 20200717)
[    0.284906] ACPI: \_SB_.PR00: _OSC native thermal LVT Acked

But most hits at $SEARCHENGINE showed this is nothing to worry. And I
need to start a new thread anyway.

Has anyone any more successions ?

Thank you


BR Christian

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)