Initial configuration:
Rocky Linux 9 server that has been secured to the “French National Agency for the Security of Information Systems (ANSSI) BP-028 High Level” profile.
Hardware:
Supermicro H8SGL-F board with an Opteron 6212.
The OS is as encrypted as I could get it: the /boot is located on a USB device, while the actual operating system is located on an LVM inside a single PCIe-to-M.2 SSD drive due to old BIOS restrictions.
When attempting to add a kvm I discovered that the kvm kernel module was not installed. When attempting to use “sudo modprobe kvm_amd” the system fails to add irqbypass with the error “operation not permitted”.
I also tried to use su root, with and without sudo without any change in result.
I tried checking dmesg for more info, but it is mostly flooded with watchdog messages, and grepping for the keywords “kernel”, “mod”, “kvm”, and “irq” did not yield anything particularly interesting. Googling the issue told me to check for CPU support.
lscpu shows “AMD-V”.
cat /proc/cpuinfo | grep svm shows the flag is also present.
Double checked the BIOS and it does show SVM enabled.
I’m really at a loss, as the modules I need are on the system (checked using modinfo kvm_amd, kvm, & irqbypass respectively) and as far as I can tell nothing is wrong with any particular component. I think the secure profile has locked down the kernel, but I didn’t see any message in dmesg for me to look through.
Would appreciate any nudge in the right direction. Thank you.
Note: not an EFI system, secure boot doesn’t exist.
I have added those packages, and can run them but I was getting strange errors and lsmod shows that it’s missing kvm… checking that boot config…
CONFIG_KVM=m
CONFIG_HAVE_KVM_IRQ_BYPASS=y
is what it is set to, changing to match what you said, saving and rebooting the machine.
modprobe -a kvm -vvv
modprobe: INFO: custom logging function 0x55ab6f0d7840 registered
insmod /lib/modules/5.14.0-70.22.1.el9_0.x86_64/kernel/virt/lib/irqbypass.ko.xz
modprobe: INFO: Failed to insert module ‘/lib/modules/5.14.0-70.22.1.el9_0.x86_64/kernel/virt/lib/irqbypass.ko.xz’: Operation not permitted
modprobe: ERROR: could not insert ‘kvm’: Operation not permitted
modprobe: INFO: context 0x55ab6f197590 released
First:
The content of /boot/*config is only informational. Changing it has no effect of course. See also the comment at the very top of that file.
Second:
If there is a “y” in a specific line of boot config, that means the feature is builtin (statically, not as a module). That means you cannot load it as a module, because it is already existent. And of course, you cannot see it with lsmod either (because it is not a module). Anyway, the functionality is available.
Apart from that, in MY config, those ARE all built as a module (“m”):
So if you have =y somewhere in those, and you did not edit the file yourself, then you have a different kernel installed. I’d assume you edited it → See my first remark
And:
modprobe: ERROR: could not insert ‘kvm’: Operation not permitted
Running modprobe as my regular user account using sudo gets Operation not permitted.
Running su root, then running modprobe gets Operation not permitted.
Running su root, then running sudo modprobe gets Operation not permitted.
Also, my config file showed CONFIG_HAVE_KVM_IRQ_BYPASS=y before I edited the file, and kvm was shown as a module (I’ll go change that back to reflect the current state). However, my “lsmod” is missing irqbypass as a loaded module, which is required for KVM.
That is expected and ok. Read my message again (the “Second” part explains it).
If you get “Operation not permitted”, then there is something else preventing you from loading modules.
Rocky9 has these very restricted security policies (or was it profiles) that can be selected during initial installation.
Perhaps you have enabled one of those? If yes, that’s probably the reason. Unfortunately I don’t have experience with those.
Perhaps you can try the following (as root):
setenforce 0
modprobe kvm
If it works after running setenforce 0, then you have some SELinux-related problem. Otherwise somebody with better knowledge about these security profiles might be able to help you.
Later … I just read your first sentence:
“French National Agency for the Security of Information Systems (ANSSI) BP-028 High Level” profile.
Well there you have it, this profile most likely prevents anyone (even root) from loading modules.
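An added triage helper, not from anyone in this thread: it separates the three mechanisms that make modprobe return EPERM on a hardened host (a kernel.modules_disabled=1 sysctl, kernel lockdown, or an SELinux sys_module denial) so the SELinux check above is only reached when the other two are ruled out. The assumption, to be verified on the box, is that the ANSSI BP-028 High profile disables module loading via kernel.modules_disabled=1 (its “disable loading kernel modules” recommendation), which is a one-way switch until reboot.

```shell
#!/bin/sh
# Added example (not from the thread): explain why modprobe says
# "Operation not permitted" on a hardened host, without disabling anything.

# Pure classifier, testable with constructed values.
#   $1 = contents of /proc/sys/kernel/modules_disabled (0 or 1)
#   $2 = SELinux mode as printed by getenforce (Enforcing/Permissive/Disabled)
#   $3 = active kernel lockdown mode (none/integrity/confidentiality)
# Prints one line: <cause>: <explanation and mitigation>
diagnose_modload() {
  modules_disabled="$1"; selinux="$2"; lockdown="$3"
  if [ "$modules_disabled" = "1" ]; then
    echo "modules_disabled: kernel.modules_disabled=1 is set; nothing, not even root, can load a module until reboot. Drop that sysctl from the profile, or list the modules you need (kvm, kvm_amd, irqbypass) in /etc/modules-load.d/ so they are loaded before sysctl settings are applied at boot."
    return 0
  fi
  case "$lockdown" in
    integrity|confidentiality)
      echo "lockdown: kernel lockdown is '$lockdown'; only modules carrying a trusted signature can be loaded."
      return 0 ;;
  esac
  if [ "$selinux" = "Enforcing" ]; then
    echo "selinux: SELinux is enforcing; look for a sys_module AVC denial (ausearch -m avc -ts recent) before resorting to setenforce 0."
    return 0
  fi
  echo "unknown: no common module-loading lockdown is active; re-read dmesg and the modprobe -vvv output."
}

# Read the live state of the running kernel and classify it.
check_live() {
  md=$(cat /proc/sys/kernel/modules_disabled 2>/dev/null || echo 0)
  se=$(getenforce 2>/dev/null || echo Disabled)
  ld=none
  if [ -r /sys/kernel/security/lockdown ]; then
    # The file reads like "[none] integrity confidentiality"; the bracketed entry is active.
    ld=$(sed -n 's/.*\[\(.*\)\].*/\1/p' /sys/kernel/security/lockdown)
  fi
  diagnose_modload "$md" "$se" "$ld"
}

# Run with --live on the affected host to report the real state.
if [ "${1:-}" = "--live" ]; then check_live; fi
```

The sysctl is readable by any user, so the live check does not need root; only the suggested fixes do.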
Ah, thanks much, sorry about this. I’m going to try and load maintenance mode / recovery mode and see if I can bypass the security using this method. If not, I’ll have to reload the whole thing… again. I’d like to have it locked down because all I want it to do is run the virtual machines, which are the software packages I selected at the beginning, which I assumed would mean it would have added the appropriate kernel modules. I’ll report back if that works; if not, I’ll mark a solution and bring the thread to a close, as this appears to be somewhat intended behavior.
I probably should have figured, but the security profile appears to prevent loading kernel modules at any stage of the system: rescue, emergency, autoload. None of that matters; if it doesn’t come by default in the kernel, it doesn’t get loaded, period. As much as I would like to use this security profile, I am going to recognize I am out of my depth and slow my roll. Thank you again to everyone here who helped me figure this out. Time to reload Linux and harden it one thing at a time as I learn.