intelmetool icon indicating copy to clipboard operation
intelmetool copied to clipboard
verified publisher icon zamaudio

Receiving "iopl: Operation not permitted"/"You need to be root" error

Open troyready opened this issue 8 years ago • 8 comments

Attempting to run intelmetool on my Ubuntu 17.10 notebook:

root@mysystem:/home/myuser/intelmetool# rmmod mei_me
root@mysystem:/home/myuser/intelmetool# rmmod mei
root@mysystem:/home/myuser/intelmetool# cat /proc/cmdline
BOOT_IMAGE=/vmlinuz-4.13.0-21-generic.efi.signed root=UUID=UUIDHERE ro iomem=relaxed quiet splash vt.handoff=7
root@mysystem:/home/myuser/intelmetool# ./intelmetool
iopl: Operation not permitted
You need to be root

Tried executing it via sudo as well and received the same error. Didn't have any issues compiling (only received a me.c: In function 'mei_dump': me.c64:18: warning variable 'csr' set but not used [-Wunused-but-set-variable]/ struct mei_csr *csr; warning).

Appreciate all the work you've put into this and would love to help troubleshoot if I can!

troyready avatar Jan 04 '18 08:01 troyready

No idea, I just tried on a system with 4.14.7-300.fc27.x86_64 and iomem=relaxed and it worked... Maybe Ubuntu has some special kernel patches applied that prevents pci i/o space from being mapped? Can you try running it again and then paste the output of dmesg | tail.

zamaudio avatar Jan 04 '18 09:01 zamaudio

Maybe paste also cat /boot/config-$(uname -r) |grep DEVMEM

zamaudio avatar Jan 04 '18 09:01 zamaudio

Nothing notable from dmesg (nothing added after running the intelmetool command; last entries are ALLOWED apparmor entries for chromium and wifi association)

for DEVMEM settings:

root@mysystem:/home/myuser/intelmetool# cat /boot/config-$(uname -r) |grep DEVMEM
CONFIG_DEVMEM=y
CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y
CONFIG_STRICT_DEVMEM=y
# CONFIG_IO_STRICT_DEVMEM is not set

troyready avatar Jan 04 '18 09:01 troyready

You can try the mekernel branch of intelmetool instead. I just updated it so you can build the kernel module and insert it, and then check dmesg for its output.

zamaudio avatar Jan 06 '18 09:01 zamaudio

I got this error too, and tracked the issue down.

iopl() returns an error EPERM (Operation not permitted) - even when invoked as root - if the kernel is in "lockdown mode". One of the things that lockdown mode does is disables userspace access to privileged I/O.

You can check if you are in lockdown mode as follows:

$ cat /sys/kernel/security/lockdown 
none [integrity] confidentiality

Modern Linux distributions - such as Debian, in my case - will automatically enter lockdown mode (integrity) when the kernel is booted with EFI Secure Boot enabled. To fix the issue I simply disabled Secure Boot and restarted my machine.

cbarcenas avatar Dec 28 '20 03:12 cbarcenas

Issue is fixed with this commit: https://review.coreboot.org/c/coreboot/+/63702

@zamaudio can you close this issue?

eloydegen avatar Apr 18 '22 19:04 eloydegen

@eloydegen first of all, your change applies to inteltool not intelmetool. Second, this repository is retired. I am no longer maintaining it, it is there to preserve history. See coreboot/util for upstream. Thanks.

zamaudio avatar Apr 18 '22 23:04 zamaudio

@zamaudio I see, my apologies!

eloydegen avatar Apr 18 '22 23:04 eloydegen