Anomaly: Kernel Panic with Lenovo Laptop and Intel 3rd Gen. Graphics Controller


F N

Oct 13, 2020, 8:09:34 AM
to HardenedBSD Users
Hello,

after performing an update with:

- /usr/ports  <- git 75cb556c8fb4
- hbsd-v1200060-8249d4479f2af613019627108c25b75fa4ee9ba5

it leads to an error free ports update.

After that, an amd64 workstation with a Radeon Graphics Controller is able to start
a one monitor X11/XFCE4 session as normal user via startx without any issues.

Same set of updates on an amd64 Lenovo Laptop G500 and an Intel 3rd Gen. Graphics Controller leads to a kernel panic after executing the startx cmd.

Due to the fact that this laptop is running with an encrypted zfs hard drive
I'm currently only able to provide a screenshot of the KP.

Any hints on how to proceed would be highly appreciated.

Regards

Frank

Screenshot_2020-10-13 13-02-10.png

F N

Oct 14, 2020, 5:09:33 PM
to HardenedBSD Users, F N
Hello,

after update to status:

   hbsd:
   hbsd-v1200060-8249d4479f2af613019627108c25b75fa4ee9ba5
   git: 
   380fb9a5c20

all make actions run without any complaints.

After reboot and start of x11/xfce4 with startx as normal user, the same KP remains stable as given in the screenshot above.

I'm currently back via beadm to the latest known working version with status:

    hbsd:
    hbsd-v1200060-ccf1860cdb5e742539361a32cfa34cc85c3bfa0d
    git:
    3c408432f182

which is dated around the 9. of August  2020.

I'm guessing the xf86-video-intel driver is now doing nasty things left over from some Linux structure not given within (H)BSD.

If I switch to xf86-video-vesa it will work without a KP but I will lose my ability to run an additional monitor which is currently a requirement for this node.

On a different workstation with Radeon graphics controller the same latest update as above works w/o issues.

Any hints would be highly appreciated.

Regards

Frank

Shawn Webb

Oct 14, 2020, 7:21:38 PM
to F N, HardenedBSD Users
There's likely a mismatch between base and packages. There's a new
package build for 12-STABLE/amd64 going on right now. 12-STABLE/amd64
packages will be updated in the next few days.

In the meantime, make sure your /usr/src matches your running kernel,
and rebuild your xorg drivers from ports directly.

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

GPG Key ID: 0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2
https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

F N

Mar 13, 2021, 2:01:11 PM
to HardenedBSD Users, Shawn Webb, HardenedBSD Users, F N
Hello,

after a bunch of serious deadlines in the last months my days got kind of de-railed.

In a short version, the situation as of now is:

@Shawn
- I corrected my wrong configuration of the port and src gits, now I'm using:

After correcting the above entries and new git clones,  I re-compiled world, kernel and all ports.

Unfortunately the kernel panic survived all this.

After a hardware failure on a different machine, I started with a complete new hardware and
changed the unit under test now to this new machine.

Here on the new machine I decided to start with a brand new install of a 13-stable with 32g ram and 4 x 500g drives in a r1 zfs raid
to get rid of the kernel panics with the 12-stable machine above acting as a proof of concept for the dual head display.

After performing the 13-stable install, correcting the zfs system to contain usr and var, I installed beadm without any issues.

Then I performed some hours ago a hbsd-update and pkg upgrade without any issues too.

Then I installed on this fresh 13-stable secadm with

  - pkg install secadm
  - pkg install secadm-kmod

also without any noticeable issues.

Then I loaded manually the secadm kernel module with

  - kldload secadm

and the message on the screen and the exit code indicated a successful load of this module.

Then I typed the command "uname -a" to be sure that I'm really on the correct engine,
and the machine reboots immediately.

After several tests with the load instruction for the secadm module in /boot/loader.conf, /etc/rc.conf and manually again, it turns
out that several commands (pwd, ls, id, hostname, dig)  after the secadm module load action will cause a reboot.

Also, you just have to wait some minutes (1 - 10 currently) after loading the secadm module and the machine will reboot without any manual interaction.

Now I'm confused and any help would be highly appreciated.

Thanks,

Frank

Shawn Webb

Mar 13, 2021, 6:36:20 PM
to F N, HardenedBSD Users
Hey there,

You'll want to update your git repos to point to:

1. https://git.hardenedbsd.org/hardenedbsd/hardenedbsd.git
1. https://git.hardenedbsd.org/hardenedbsd/hardenedbsd-ports.git

Our self-hosted Gitea deployment resulted in too many headaches to
really be sustainable for your project. We've since migrated to
self-hosted GitLab.

I've been working on tracking down a regression that is preventing our
package builds from succeeding. Thus, our package repos are a bit
behind. If you use a new build of HardenedBSD 13-STABLE, the kernel
modules from the package repos could cause issues (like the one you're
seeing).

What you'll want to do is:

1. Make sure that your /usr/src matches the installed/running kernel.
2. Build the port from our ports tree.

The steps for 1 are as follows:

1. Take note of the output of `uname -a`.
2. In /usr/src: Run: git reset --hard <git commit hash from uname>

For example, if my uname is as follows:

FreeBSD hbsd-laptop-02 14.0-CURRENT-HBSD FreeBSD 14.0-CURRENT-HBSD #1
hardened/current/master-n189993-6cf555329da: Mon Feb 8 12:25:08 EST
2021
shawn@hbsd-laptop-02:/usr/obj/usr/src/amd64.amd64/sys/HARDENEDBSD
amd64

Then I would run this command in /usr/src:

git reset --hard 6cf555329da

At this point you can build and install the kernel module from ports.
Again, the pre-built module in the package repo is out-of-date, which
is why you need to compile it yourself from the ports tree.

I hope this helps.

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
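
The check described in the message above (take the commit hash from `uname -a`, make sure /usr/src is at that commit before building a kernel module from ports), as an added example that is not part of the original post or of HardenedBSD's tooling. The function names and the `check` argument are assumptions of this example; the sample uname line is the one quoted in the post, and a kernel whose uname carries no commit id is reported as unknown rather than as a match.

```shell
#!/bin/sh
# Added example, not from the thread. Sample uname line copied from the post above.
SAMPLE_UNAME='FreeBSD hbsd-laptop-02 14.0-CURRENT-HBSD FreeBSD 14.0-CURRENT-HBSD #1 hardened/current/master-n189993-6cf555329da: Mon Feb 8 12:25:08 EST 2021 shawn@hbsd-laptop-02:/usr/obj/usr/src/amd64.amd64/sys/HARDENEDBSD amd64'

# Print the abbreviated commit hash embedded in a uname string
# ("<branch>-n<count>-<hash>:"), or nothing if the kernel carries none.
kernel_commit() {
    printf '%s\n' "$1" |
        sed -n 's/.*-n[0-9][0-9]*-\([0-9a-f]\{7,40\}\).*/\1/p'
}

# Compare the kernel's abbreviated hash ($1) with the full HEAD hash ($2).
# Returns 0 = match, 1 = mismatch, 2 = one of the two ids is unknown.
commits_match() {
    [ -n "$1" ] && [ -n "$2" ] || return 2
    case "$2" in
        "$1"*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Report whether the source tree (default /usr/src) matches the running kernel.
check_src_tree() {
    src=${1:-/usr/src}
    k=$(kernel_commit "$(uname -a)")
    h=$(git -C "$src" rev-parse HEAD 2>/dev/null) || h=
    rc=0
    commits_match "$k" "$h" || rc=$?
    case $rc in
        0) echo "OK: $src is at kernel commit $k" ;;
        1) echo "MISMATCH: kernel $k, $src HEAD $h"
           echo "  in $src run: git reset --hard $k" ;;
        *) echo "UNKNOWN: no commit id in uname, or $src is not a git checkout" ;;
    esac
    return "$rc"
}

# Run the check only when asked, e.g.: sh check_src.sh check /usr/src
if [ "${1:-}" = "check" ]; then
    check_src_tree "${2:-/usr/src}"
fi
```

The script only reports; it prints the `git reset --hard` command from the post instead of running it, since that command discards local changes in the tree.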

F N

Mar 13, 2021, 11:19:08 PM
to HardenedBSD Users, Shawn Webb, HardenedBSD Users, F N
Hi,

thanks for the message and the fast reply.

According to the lead given, the following actions were performed on the clean 13-stable install
on the new machine:

00 # uname -a
-> no git commit id was provided so far
   in the output aft installing 13-stable memstick img
-> also no git clone was performed on this new machine,
   so currently no need for a git reset
  
01 # pkg install beadm
02 # pkg install git-lite
03 # pkg install ccache

04 # hbsd-update -I -V -b `date "+%Y%m%dT%H%M%S"`
-> already latest
-> hbsd-v1300061-20c9347d553a13366518ec51f450eb398bfdfee6

05 # pkg update && pkg upgrade

06 # git clone --single-branch --branch hardened/13-stable/master https://git.hardenedbsd.org/hardenedbsd/hardenedbsd.git /usr/src
07 # git pull
-> already latest

08 # git clone https://git.hardenedbsd.org/hardenedbsd/hardenedbsd-ports.git /usr/ports
09 # git pull
->  already latest

10 # cd /usr/src
11 # make buildworld

-> adding new entry to kernel config
   otherwise make was failing in the
   past tests later on with gstreamer1 building
   the xfce4 meta port
      
   options COMPAT_FREEBSD11

12 # make buildkernel

13 # shutdown now

14 # zfs set readonly=off zroot
15 # zfs mount -a

16 # cd /usr/src
17 # make installkernel

18 # mergemaster -p
-> no changes needed, keeping local /etc/groups /etc/passwd.master

19 # make installworld

20 # mergemaster -iF
-> all upstream changes accepted,
   kept local passwd.master/group
   and needed adjustments for
   lan related ops, e.g. proxy/resolver

21 # make delete-old

22 # shutdown -r now

23 # cd /usr/ports && git pull

24 # cd /usr/ports/ports-mgt/portmaster
25 # make install clean

26 # sysctl hardening.pax.mprotect.status=1
27 # sysctl hardening.pax.pageexec.status=1
28 # sysctl hardening.pax.disallow_map32bit.status=1
29 # sysctl hardening.pax.aslr.status=1
30 # sysctl hardening.pax.segvguard.status=1

31 # portmaster -af -F

32 # portmaster -y --no-confirm -Daf

33 # make delete-old-libs

34 # shutdown -r now
   
35 # uname -a
-> output of kernel commit id is 146ee079687

36 # cd /usr/src && git log | head
-> output of commit id is identical with
   output of step 35, therefore I'm
   assuming no further action
   related to git reset is needed here
  
37 # portmaster -Daf
-> all clear, no issues detectable

38 # shutdown -r now

39 # kldload secadm
-> msg ok, exit code "0"

40 # kldstat
===>>> Kernel panic & reboot ...

Well, I'm confused, again :-)

Any ideas left so far?

Thanks,

Frank

Shawn Webb

Mar 14, 2021, 8:37:42 AM
to F N, HardenedBSD Users
Your portmaster run is the problem here. It doesn't think secadm-kmod
needs to be reinstalled. Instead of portmaster, just do this as root:

cd /usr/ports/hardenedbsd/secadm-kmod
make
make deinstall reinstall

F N

Mar 14, 2021, 11:22:12 AM
to HardenedBSD Users, Shawn Webb, HardenedBSD Users, F N
Thank you for your message.

Well, I was suspecting something like that too, but it seems to be the case that we can not blame portmaster, at least not in this case.

After performing the following actions:

01 # cd /usr/ports
02 # git pull
-> updates present but not related to this system setup
03 # portmaster -advw
-> no changes introduced
04 # cd /usr/ports/hardenedbsd/secadm-kmod
===> In the second run aft 1st reboot
05 # make clean
06 # make
07 # make deinstall reinstall
08 # find / -type f -name 'secadm.ko' -ls
-> only one file outside ports found in /boot/modules with correct time stamp
09 # kldload secadm
-> msg ok, exit code "0"
10 # kldstat
>>> leads to immediate fast reboot ...

Hm, still confused :-)

I have no current experience in debugging with gdb or similar and I cannot get hold of the error message before the reboot.
Even a video taken from the screen can not get the message currently.

Really no idea what I'm doing wrong or at least maybe in the wrong order.

Shawn Webb

Mar 14, 2021, 12:45:21 PM
to F N, HardenedBSD Users
Looks like I'm seeing some breakage. I'll take a look later this week.

Are you using secadm to toggle exploit mitigations? If so, you should
be able to use hbsdcontrol (assuming on a local filesystem, not a
remote one like NFS.)

F N

Mar 14, 2021, 12:54:06 PM
to HardenedBSD Users, Shawn Webb, HardenedBSD Users, F N


Ok, will wait for further instructions on secadm deployment.

Meanwhile I'm falling back to hbsdcontrol to  toggle exploit mitigations for xfce4, firefox and the nvidia stuff on the local zfs.

Thank you for looking into it.

Frank

Shawn Webb

Mar 14, 2021, 1:52:53 PM
to F N, HardenedBSD Users
FYI: We build a small number of packages, including firefox, with
exploit mitigations pre-toggled:

https://hardenedbsd.org/article/shawn-webb/2020-07-03/deep-integration-filesystem-extended-attribute-support

This list needs updating, but at least it's a start:

https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/wikis/Non-Compliant-Applications

Shawn Webb

Mar 14, 2021, 1:56:16 PM
to F N, HardenedBSD Users
Sorry, this is the actual wiki page, still needs updating:

https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/wikis/Home#hbsdcontrol