Modprobe doesn't load the ec_sys module in write_support mode under secure boot

Support and Help
,
1

Hello,

I’m trying Linux on my HP Omen laptop and to use it correctly I need to access the ec_sys module to allow the fan on my laptop to just work as they should.

The problem I have is that logically ec_sys is a signed module like every one else but for some reason it can’t launch when the secure boot is enabled.
Now, because I’m just trying Linux I still need the secure boot for my windows partition.

Because of this, I need help understanding if I forgot something or if it’s just a module that can’t be activated under secure boot.

Thanks in advance.

Ubuntu Version:

Kubuntu 25.04

Desktop Environment (if applicable):

KDE Plasma

Problem Description:

I want to load the ec_sys module with modprobe via sudo modprobe ec_sys but I get the following error :

modprobe: ERROR: could not insert 'ec_sys': Operation not permitted

Edit : this error is partially solved.
Now the module does not trigger a lockdown ( the Operation not permitted from before ) and load but the ec_sys can’t be activated in write_support which I need :

Relevant System Information:

Kernel 6.14.0-15-generic
AMD CPU : Ryzen 7 5800H + IGPU : vega 8
Nvidia GPU : Nvidia RTX 3070 laptop

Screenshots or Error Messages:

thomas@thomas-omen:~$ sudo modprobe ec_sys
modprobe: ERROR: could not insert 'ec_sys': Operation not permitted

thomas@thomas-omen:~$ modinfo ec_sys
filename:       /lib/modules/6.14.0-15-generic/kernel/drivers/acpi/ec_sys.ko.zst
license:        GPL
description:    ACPI EC sysfs access driver
author:         Thomas Renninger <trenn@suse.de>
srcversion:     7B80B30E54D4FA19D32B573
depends:        
intree:         Y
name:           ec_sys
retpoline:      Y
vermagic:       6.14.0-15-generic SMP preempt mod_unload modversions 
sig_id:         PKCS#7
signer:         Build time autogenerated kernel key
sig_key:        5C:CD:05:C4:3B:D0:13:31:5A:0E:54:A4:86:75:66:81:ED:2E:5E:FA
sig_hashalgo:   sha512
signature:      AD:F6:2F:61:5E:01:22:EB:7D:87:0E:80:59:62:B8:0E:B4:D1:0B:2A:
                8B:24:AE:86:C1:5E:11:CA:B8:77:8C:89:F4:02:4D:8E:14:4F:34:22:
                66:A1:DB:8B:C4:5B:0B:55:0B:CD:DD:28:0D:E4:0A:5C:A6:F0:5B:BF:
                09:F7:25:D8:68:EB:7B:A1:CA:3C:F9:1A:22:C6:4D:2C:66:6E:FF:1A:
                24:2D:AB:4B:0F:B4:2A:4A:BE:33:E9:93:5E:10:FA:E4:26:EB:4A:11:
                5C:E4:0E:F1:40:1A:23:B6:0F:77:81:20:E5:E9:DB:40:D1:33:FD:5F:
                99:B4:C8:59:59:FA:35:F7:1B:FC:10:22:83:A8:84:66:8A:F2:49:B8:
                82:1C:79:AC:1C:A8:FB:AE:FB:72:88:DD:40:AF:45:A6:02:C2:CC:2C:
                F5:67:EE:D0:1A:44:60:09:67:15:B0:D0:FC:D0:0D:05:E7:BC:4D:60:
                70:35:BE:C0:E7:CE:1A:F5:FC:F1:84:9C:0E:2A:2B:1A:62:0A:A6:20:
                DA:FD:72:F7:84:FE:C4:8E:88:83:7F:E6:9D:F3:AA:9F:C4:8A:AC:A7:
                19:F4:CE:F6:9A:55:1E:55:52:9F:56:95:9F:79:FD:83:D1:2E:C4:54:
                DB:21:57:A3:A6:71:4C:30:59:CA:2E:12:17:08:6C:C2:46:90:60:7E:
                DE:3F:D3:B0:B2:46:16:C2:B4:A4:75:3C:CB:20:81:38:DD:1C:27:4C:
                4B:69:5A:C6:E9:1D:14:19:BB:D8:43:66:23:E0:F7:B9:9D:E9:E5:86:
                93:20:C3:CF:6F:50:87:A7:4C:4E:FF:30:16:76:9A:72:19:C8:AB:3C:
                68:3E:3C:BB:19:E1:1E:6D:69:6F:32:31:DD:87:F2:A9:BD:CD:65:49:
                FF:02:E3:40:A4:20:AF:55:EF:7B:46:1E:02:9A:BC:2F:A3:68:6A:36:
                80:80:88:74:18:C6:F3:58:7B:DA:C7:20:D2:C5:88:31:47:E3:BA:78:
                C1:40:06:EB:FF:2D:9A:CF:59:3C:42:F8:D2:89:1E:E5:E3:45:58:D1:
                8E:61:AF:25:FE:0D:C8:F3:C4:07:5A:C3:64:F9:10:72:92:5D:D5:25:
                CC:44:12:E6:4C:91:52:A4:B0:C0:C6:6A:2A:D1:99:E3:D0:17:E0:A4:
                BE:75:F0:D9:32:A6:BE:77:65:D4:5B:18:75:F9:A2:7C:5B:25:2B:DA:
                68:2D:E8:B3:92:5C:4F:7C:75:47:54:C5:31:43:BD:FE:D2:C9:45:0D:
                47:32:E5:16:12:F1:48:61:02:70:D9:A5:8D:8E:7F:59:9A:C4:0E:48:
                E3:E4:9F:D1:3A:AA:58:6E:8D:97:95:EE
parm:           write_support:Dangerous, reboot and removal of battery may be needed. (bool)

What I’ve Tried:

  • Signing the vmlinux file as found in some discussion on other platform : created a kernel panic at boot.
  • Adding the files of this response on askubuntu : did nothing as everything is configured but only work without secure boot

What I’ve not Tried:

Signing myself the module but in theory that would just be a bad idea as it should just be able to load like any other module.

2

have you looked at

 dmesg | grep modprobe

It might have a hint.

A permissions issue when using modprobe might not always mean a lack of privileges and can sometimes stem from an internal lockdown, which we can still overcome.

3

Hi,

Thanks for your quick reply.

You are right, it’s effectively a lockdown.

If you know how I can bypass it, that would be great.

I found this method, but apparently this doesn’t work anymore as the sudo command returned an error :

thomas@thomas-omen:~$ 
sudo echo 1 > /proc/sys/kernel/sysrq
sudo echo x > /proc/sysrq-trigger
bash: /proc/sys/kernel/sysrq: Permission denied
bash: /proc/sysrq-trigger: Permission denied

Thanks !

thomas@thomas-omen:~$ sudo dmesg | grep modprobe
[   30.362675] systemd[1]: Created slice system-modprobe.slice - Slice /system/modprobe.
[   30.378306] systemd[1]: Starting modprobe@configfs.service - Load Kernel Module configfs...
[   30.379037] systemd[1]: Starting modprobe@drm.service - Load Kernel Module drm...
[   30.379884] systemd[1]: Starting modprobe@efi_pstore.service - Load Kernel Module efi_pstore...
[   30.380799] systemd[1]: Starting modprobe@fuse.service - Load Kernel Module fuse...
[   30.387892] systemd[1]: modprobe@configfs.service: Deactivated successfully.
[   30.388048] systemd[1]: Finished modprobe@configfs.service - Load Kernel Module configfs.
[   30.388294] systemd[1]: modprobe@drm.service: Deactivated successfully.
[   30.388449] systemd[1]: Finished modprobe@drm.service - Load Kernel Module drm.
[   30.388677] systemd[1]: modprobe@fuse.service: Deactivated successfully.
[   30.388848] systemd[1]: Finished modprobe@fuse.service - Load Kernel Module fuse.
[  105.405204] Lockdown: modprobe: unsafe module parameters is restricted; see man kernel_lockdown.7
4

Need to be a super user to start ie:

sudo -s

That should change your terminal prompt to this `#`
Now that should give you the permission to change things safely.

echo 1 > /proc/sys/kernel/sysrq
echo x > /proc/sysrq-trigger

See if it loads now.
1 Like
5

Unfortunately no that still doesn’t work :

root@thomas-omen:/home/thomas# echo 1 > /proc/sys/kernel/sysrq
root@thomas-omen:/home/thomas# echo x > /proc/sysrq-trigger
root@thomas-omen:/home/thomas# modprobe ec_sys
modprobe: ERROR: could not insert 'ec_sys': Operation not permitted
root@thomas-omen:/home/thomas# exit
exit
thomas@thomas-omen:~$ sudo modprobe ec_sys
modprobe: ERROR: could not insert 'ec_sys': Operation not permitted

I even tested to load the module via both user but without luck.

Did I do something wrong ?

6

I’m not sure you did anything on your end, let me give a try.

root@me-Legion-5-zfs:/home/me#  echo 1 > /proc/sys/kernel/sysrq
root@me-Legion-5-zfs:/home/me# echo x > /proc/sysrq-trigger
root@me-Legion-5-zfs:/home/me# modprobe ec_sys

No errors seen on my end, but lets peek if it loaded. (I’m now a normal user exit root)

lsmod | grep ec_sys

My return is good:

lsmod | grep ec_sys
ec_sys                 12288  0

Can you think of anything you manually changed recently?

7

Well apart from having the secure boot activated on my end nothing.

I installed this Linux 2 days ago and only added the nvidia drivers, heroic launcher and steam to test some games, that are on a ntfs drive that I mount later after the boot of the os.

Nothing should affect to way the system load the kernel modules ( well apart from nvidia but that was through the official tool that comes with kubuntu )

The only strange thing I could notice is a total freeze of the system completely random where even the “Magic System Request Key” can’t help.

I don’t have the time to reinstall today but I will try to reinstall again this week-end and come back to post the result.

Thanks for your time !

8

Understood, and Please do report back. I don’t feel nVidia is play here though.

dpkg -l | grep -i nvidia|grep 570
rc  libnvidia-compute-570:amd64                     570.144-0ubuntu0~gpu25.04.1                amd64        NVIDIA libcompute package
rc  linux-modules-nvidia-570-open-6.14.0-13-generic 6.14.0-13.13+1                             amd64        Linux kernel nvidia modules for version 6.14.0-13
rc  linux-modules-nvidia-570-open-6.14.0-15-generic 6.14.0-15.15+3                             amd64        Linux kernel nvidia modules for version 6.14.0-15

But I have had those nasty little lockups myself.

1 Like
9

Hi,

I’m here to report back.

So, my old installation was somehow both working and corrupted…
For that I suspect my usb drive on which I booted the installer.

Now, on this new installation, there is still a consistent strange behavior which is that if I load the module on boot via a config file like /etc/modprobe.d/ec_sys.conf.
Then the load doesn’t work and I get the same errors as yesterday when trying to load it manually.

But, if this config file is not here then I can only load it in read-only :

thomas@thomas-omen:~$ sudo modprobe ec_sys write_support=1
modprobe: ERROR: could not insert 'ec_sys': Operation not permitted
thomas@thomas-omen:~$ sudo modprobe ec_sys
thomas@thomas-omen:~$ sudo modprobe ec_sys write_support=1
thomas@thomas-omen:~$ sudo cat /sys/module/ec_sys/parameters/write_support 
N

That’s a really strange behavior, why does the second modprobe to enable write_support doesn’t return an error but do nothing at the end ?

If you have an idea I will gladly take it as it start to get a little complicated for me and the research I’ve done doesn’t have this specific problem.

PS : For now I did not have a freeze on this new system, I will try to use it a little more to see if it come back.
I can’t use it for a long period of time as without the fan control working my CPU will spike at 100°C easily.

Edit : Two things

  1. I just got a freeze so that’s something else than my broken install from yesterday.
    I hope that this will be fixed by october when the support of Win 10 end.
    That would be my sort of end of testing date to switch to linux if I can fix all of my problems

  2. I just tested adding the ec_sys.write_support=1 line on the grub default boot parameters but I got the same result as the config file

10

Looks like your kernel runs in lockdown mode. Disable it by removing it from the kernel cmdline. In Grub select the entry of the system, press e, remove from the cmdline “lockdown=XYZ” if it exists, boot the system and try loading your module. If it is working remove the lockdown mode from the grub.cfg and update grub.

11

Hi,

I just checked and I have not the lockdown parameter in the grub.cfg file.

If you look at my last message you can see that this lockdown is only triggered if I add an option to load the module ec_sys on write_support be it via /etc/modprobe.d/ec_sys.conf or by adding ec_sys.write_support=1 in grub.cfg.

I do not know why I can only load this module via the command sudo modprobe ec_sys.
And more than that, the sudo modprobe ec_sys write_support=1 do nothing but also does not trigger a lockdown in the logs.

If you have an idea I will gladly take it.

Thank you !

thomas@thomas-omen:~$ sudo dmesg | grep "modprobe"
[   30.400490] systemd[1]: Created slice system-modprobe.slice - Slice /system/modprobe.
[   30.414391] systemd[1]: Starting modprobe@configfs.service - Load Kernel Module configfs...
[   30.415060] systemd[1]: Starting modprobe@drm.service - Load Kernel Module drm...
[   30.415722] systemd[1]: Starting modprobe@efi_pstore.service - Load Kernel Module efi_pstore...
[   30.416403] systemd[1]: Starting modprobe@fuse.service - Load Kernel Module fuse...
[   30.422832] systemd[1]: modprobe@configfs.service: Deactivated successfully.
[   30.422987] systemd[1]: Finished modprobe@configfs.service - Load Kernel Module configfs.
[   30.423209] systemd[1]: modprobe@drm.service: Deactivated successfully.
[   30.423365] systemd[1]: Finished modprobe@drm.service - Load Kernel Module drm.
[   30.423577] systemd[1]: modprobe@fuse.service: Deactivated successfully.
[   30.423725] systemd[1]: Finished modprobe@fuse.service - Load Kernel Module fuse.
thomas@thomas-omen:~$ sudo modprobe ec_sys
thomas@thomas-omen:~$ sudo modprobe ec_sys write_support=1
thomas@thomas-omen:~$ sudo dmesg | grep "modprobe"
[   30.400490] systemd[1]: Created slice system-modprobe.slice - Slice /system/modprobe.
[   30.414391] systemd[1]: Starting modprobe@configfs.service - Load Kernel Module configfs...
[   30.415060] systemd[1]: Starting modprobe@drm.service - Load Kernel Module drm...
[   30.415722] systemd[1]: Starting modprobe@efi_pstore.service - Load Kernel Module efi_pstore...
[   30.416403] systemd[1]: Starting modprobe@fuse.service - Load Kernel Module fuse...
[   30.422832] systemd[1]: modprobe@configfs.service: Deactivated successfully.
[   30.422987] systemd[1]: Finished modprobe@configfs.service - Load Kernel Module configfs.
[   30.423209] systemd[1]: modprobe@drm.service: Deactivated successfully.
[   30.423365] systemd[1]: Finished modprobe@drm.service - Load Kernel Module drm.
[   30.423577] systemd[1]: modprobe@fuse.service: Deactivated successfully.
[   30.423725] systemd[1]: Finished modprobe@fuse.service - Load Kernel Module fuse.
thomas@thomas-omen:~$ sudo cat /sys/module/ec_sys/parameters/write_support 
N
12 
ogra@acheron:~$ modinfo ec_sys|grep write
parm:           write_support:Dangerous, reboot and removal of battery may be needed. (bool)

Did you remove your battery yet ? Looks like the built in ec_sys module might require it … (also, are you sure you really want this at all given it might potentially damage your hardware when used with wrong parameters)

1 Like
13

Hello,

The battery removal part doesn’t concern my laptop as the ec reset every 2 min if no write has been done to it.

And yes, I do need to have write support because without them the fan on my laptop are controlled by the uefi and are locked at like 70% speed or so.
So when I need to use the cpu at more than 40% it quickly heat up and thermal throttle…

For the safety measures don’t worry as even the hp official driver on windows control everything by writing to it.
On my side, I’ve already tested to read and write on the registers on windows and I now know which one I should use.

If you want to look more into it, I based my tests on this project that already identified a lot of registers for the ec on the omen laptops :
OmenMon ec-registers identifiers

And I know exactly what the script I want to execute will do.
In fact I already tried it with secure boot off and it worked exactly like on windows.

Thank you for asking !

1 Like
14

Hi all !

So I found this project acpi_ec that does what I didn’t test which is self signing the module.
He does it by adding ec_sys under a different name, making it independent of acpi.h and always accepting write_support.

And that works !!

I still don’t believe this solution to be the normal one, now that modprobe allow the ec_sys module to load.

But until modprobe actually allow this module to be loaded in write_support, I will be forced to use this new module with my own signature.

I hope that in the future something is done to make this module work correctly under secure boot.

Thanks a lot for all your suggestion !

15

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.