Rasdaemon does not work when kernel lockdown is enabled #65

Open
bluikko opened this issue May 26, 2022 · 1 comment
bluikko commented May 26, 2022

Modern distributions enable kernel lockdown by default when UEFI and Secure Boot are enabled.
This breaks rasdaemon because it has no direct access to MSR or debugfs:

kernel: Lockdown: rasdaemon: Direct MSR access is restricted; see man kernel_lockdown.7
kernel: Lockdown: rasdaemon: debugfs is restricted; see man kernel_lockdown.7

I do not know how rasdaemon works but it sounds like perhaps the architecture must change to keep rasdaemon working with kernel lockdown.

The obvious workarounds would be to disable either Secure Boot or kernel lockdown - both of which decrease the overall system security and may not be allowed due to company or compliance policies.

As more servers move to modern distributions and Secure Boot this problem will just get more common until it renders rasdaemon obsolete unless it can evolve.

@gabrielesvelto

FYI I'm running rasdaemon with kernel lockdown set to use the integrity mode and it seems to work fine. I think the problem is restricted to the confidentiality mode, as that would likely prevent information from being extracted from the kernel.
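
A diagnostic for the two situations described in this thread, as an added example that is not part of either comment and is not rasdaemon code: it reports which lockdown mode is active and lists which features the kernel refused per process. It assumes the mode file `/sys/kernel/security/lockdown` documented in kernel_lockdown(7) and the log message format quoted in the issue; the function names and the sample log are constructed for illustration.

```python
"""Report the active kernel lockdown mode and the features a process was denied."""
import re
from collections import defaultdict
from pathlib import Path

# Documented in kernel_lockdown(7); the active mode is shown in square brackets.
LOCKDOWN_FILE = Path("/sys/kernel/security/lockdown")

# Matches the message format of the two log lines quoted in the issue.
DENIAL_RE = re.compile(r"Lockdown: (?P<comm>[^:]+): (?P<what>.+?) is restricted")


def active_mode(text):
    """Return the bracketed mode from e.g. 'none [integrity] confidentiality'."""
    m = re.search(r"\[(\w+)\]", text)
    return m.group(1) if m else None


def read_mode(path=LOCKDOWN_FILE):
    """Read the mode from securityfs; None if the file cannot be read."""
    try:
        return active_mode(path.read_text())
    except OSError:
        return None


def denials_by_process(lines):
    """Map process name -> sorted list of distinct features lockdown refused."""
    seen = defaultdict(set)
    for line in lines:
        m = DENIAL_RE.search(line)
        if m:
            seen[m.group("comm")].add(m.group("what"))
    return {comm: sorted(what) for comm, what in seen.items()}


# Constructed sample: the two lines from the issue, one repeat, one unrelated line.
SAMPLE_LOG = [
    "kernel: Lockdown: rasdaemon: Direct MSR access is restricted; see man kernel_lockdown.7",
    "kernel: Lockdown: rasdaemon: debugfs is restricted; see man kernel_lockdown.7",
    "kernel: Lockdown: rasdaemon: debugfs is restricted; see man kernel_lockdown.7",
    "kernel: constructed unrelated message, not a lockdown denial",
]

if __name__ == "__main__":
    print("lockdown mode on this host:", read_mode())
    for comm, features in denials_by_process(SAMPLE_LOG).items():
        print(f"{comm}: denied {', '.join(features)}")
```

On a real host, feed `denials_by_process` the lines of the kernel log instead of `SAMPLE_LOG` and compare the result with the mode returned by `read_mode()`.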
