3

On Fedora 37, I am trying to enable kernel log messages for wireguard by executing this command in a root shell:

`echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control`

Unfortunately, this results in an error: `operation not permitted: /sys/kernel/debug/dynamic_debug/control`.

I can see in dmesg that the reason for this error is: `debugfs access is restricted; see man kernel_lockdown.7`.
Kernel lockdown is automatically enabled due to secure boot being enabled.

Is there any other way to enable the wireguard log messages with secure boot / kernel lockdown enabled, e.g. via kernel cmdline or modprobe options?

Zulakis

1 Answer

4

To temporarily enable wireguard kernel log messages, execute:

`sudo modprobe -r wireguard && sudo modprobe wireguard dyndbg`

Reference: https://www.kernel.org/doc/html/v5.0/admin-guide/dynamic-debug-howto.html#debug-messages-at-module-initialization-time

You can view the log messages with `sudo dmesg -T --follow | grep wireguard`.

If you want to permanently enable wireguard kernel log messages, create a modprobe configuration `/etc/modprobe.d/wireguard.conf` with content `options wireguard dyndbg` and execute `sudo modprobe -r wireguard && sudo modprobe wireguard`.

Zulakis
Saxtheowl
  • This results in `wireguard: unknown parameter 'debug' ignored` in dmesg. – Zulakis Apr 20 '23 at 11:41
  • I'm kinda lost then, maybe disable secure boot or build a custom kernel or request the wireguard dev to provide a module for your demand – Saxtheowl Apr 20 '23 at 14:54
  • 2
    It works with `options wireguard dyndbg` :) Reference: https://www.kernel.org/doc/html/v5.0/admin-guide/dynamic-debug-howto.html#debug-messages-at-module-initialization-time If you update your answer, I'll accept it :-) – Zulakis Apr 20 '23 at 18:49
  • To temporarily enable wireguard debugging: `sudo modprobe -r wireguard && sudo modprobe wireguard dyndbg` – Zulakis Apr 20 '23 at 18:53
  • great, done :)) – Saxtheowl Apr 20 '23 at 20:01
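
The approach this thread arrives at, as an added example that is not part of the original posts: a script that reads the active lockdown mode and uses the debugfs control file only when lockdown is off, otherwise falling back to the `dyndbg` module parameter. The function names and the `--apply` switch are hypothetical; the `/sys/kernel/security/lockdown` path and its bracketed format come from `kernel_lockdown(7)`, and a missing file is assumed to mean lockdown is off.

```shell
#!/bin/sh
# Added example; function names and the --apply switch are hypothetical.

# Extract the active mode from a lockdown state line such as
# "none [integrity] confidentiality" (the active mode is in brackets).
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# debugfs writes are refused under lockdown, so only pick the control
# file when the mode is "none"; otherwise use the module parameter.
dyndbg_method() {
    case "$(lockdown_mode "$1")" in
        none) echo debugfs ;;
        integrity|confidentiality) echo modparam ;;
        *) echo unknown ;;
    esac
}

# The modprobe.d line from the answer; a bare "dyndbg" enables +p.
modprobe_conf_line() {
    printf 'options %s dyndbg\n' "$1"
}

# Must run as root. Reloading the module tears down active tunnels.
apply_wireguard_dyndbg() {
    # Assumption: no lockdown file means the lockdown LSM is not active.
    state=$(cat /sys/kernel/security/lockdown 2>/dev/null || echo '[none]')
    case "$(dyndbg_method "$state")" in
        debugfs)
            echo 'module wireguard +p' > /sys/kernel/debug/dynamic_debug/control
            ;;
        modparam)
            modprobe_conf_line wireguard > /etc/modprobe.d/wireguard.conf
            modprobe -r wireguard && modprobe wireguard
            ;;
        *)
            echo "unrecognised lockdown state: $state" >&2
            return 1
            ;;
    esac
}

if [ "${1:-}" = "--apply" ]; then
    apply_wireguard_dyndbg
fi
```

Without `--apply` the script only defines the functions and changes nothing.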