Skip to content

Docs: Add Ubuntu, consistent steps for BPF LSM and note on already open GPU file descriptors #62

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
MaEtUgR wants to merge 2 commits into
base: main
Choose a base branch
from
+106 −37
Open

Docs: Add Ubuntu, consistent steps for BPF LSM and note on already open GPU file descriptors #62

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
92b876b
docs: add instructions for Ubuntu and consistent steps for the requir…
MaEtUgR Jun 22, 2026
fa4e24c
docs: add a not that the approach blocks further access but doesn't r…
MaEtUgR Jun 22, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
83 changes: 75 additions & 8 deletions docs/getting-started/installation.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,12 +8,10 @@ using AUR:
yay -S cardwire
```

then enable and start the service
Then [enable BPF LSM](#enabling-bpf-lsm) and start the service:

```bash
sudo systemctl enable cardwired.service

sudo systemctl start cardwired.service
sudo systemctl enable cardwired --now
```

## Nix
Expand All @@ -29,6 +27,8 @@ cardwire = {
};
```

The NixOS module configures BPF LSM automatically — no manual kernel parameter changes needed.

@luytan luytan Jun 23, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

bpf is enabled by default on nixos, the module doesnt enable it


configuration.nix:

```nix
Expand All @@ -51,15 +51,82 @@ Using Terra

```bash
sudo dnf install cardwire
```

Then [enable BPF LSM](#enabling-bpf-lsm) and start the service:

```bash
sudo systemctl enable cardwired --now
```

## Ubuntu

Install build dependencies:

```bash
sudo apt install clang libbpf-dev linux-headers-$(uname -r)
```

Install Rust (if not already installed):

```bash
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
```

Then clone and build:

sudo systemctl enable cardwired.service
```bash
git clone https://github.com/OpenGamingCollective/cardwire.git
make build
sudo make install
```

sudo systemctl start cardwired.service
Then [enable BPF LSM](#enabling-bpf-lsm) and start the service:

```bash
sudo systemctl enable cardwired --now
```

## Enabling BPF LSM (with GRUB)

Check your kernel's default LSM list:

On Ubuntu/Fedora:

@luytan luytan Jun 23, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

bpf is also enabled by default on fedora, i tested on a Fedora 44 KDE edition VM, maybe we should add a warning to not touch the grub config if bpf is already enabled? or remove Fedora?

```bash
grep CONFIG_LSM= /boot/config-$(uname -r)
```

On Arch and other distros:
```bash
zcat /proc/config.gz | grep CONFIG_LSM=
```

> Outputs e.g. `CONFIG_LSM="landlock,lockdown,yama,integrity,apparmor"`

Edit `/etc/default/grub` and append `bpf` to `GRUB_CMDLINE_LINUX_DEFAULT`, keeping all existing entries:

```
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash lsm=landlock,lockdown,yama,integrity,apparmor,bpf"
```

> [!IMPORTANT]
> Do not set `lsm=bpf` alone — that drops other active security policies. Always append `bpf` to the existing list from the command above.

Apply and reboot:

| Distro | Command |
|--------|---------|
| Ubuntu | `sudo update-grub` |
| Fedora | `sudo grub2-mkconfig -o /boot/grub2/grub.cfg` |
| Arch | `sudo grub-mkconfig -o /boot/grub/grub.cfg` |

```bash
sudo reboot
```

## Other distros

For now, other distros must clone the repo and use `make` to build and install Cardwire.
For now, other distros must clone the repo and use `make` to build and install Cardwire. You will also need to enable BPF LSM manually — see the [Enabling BPF LSM](#enabling-bpf-lsm) section above.

Build dependencies:

Expand All @@ -77,7 +144,7 @@ sudo make install
> [!CAUTION]
> Makefile wasn't tested, use with caution.

> [!IMPORTANT]
> [!IMPORTANT]
> For mainstream distros, i will be making an official install methods, like a copr for Fedora and a .deb for Debian based.

## Non-systemd distros
Expand Down
13 changes: 6 additions & 7 deletions docs/getting-started/requirements.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,16 +11,15 @@ uname -r
```

Built with `CONFIG_BPF_LSM` enabled

On e.g. Ubuntu/Fedora:
```bash
zcat /proc/config.gz | grep CONFIG_BPF_LSM
grep CONFIG_BPF_LSM /boot/config-$(uname -r)
```
> returns `CONFIG_BPF_LSM=y` if it's enabled

Enabled in the boot cmdline
On other distros possibly:
```bash
cat /proc/cmdline
zcat /proc/config.gz | grep CONFIG_BPF_LSM
```
> Must contains `lsm=bpf` (If empty/doesnt contain bpf, please read Caution)

> [!CAUTION]
> Most distros already enable bpf, only change the cmdline if cardwired doesnt launch
> returns `CONFIG_BPF_LSM=y` if it's enabled
47 changes: 25 additions & 22 deletions docs/getting-started/usage.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,55 +9,58 @@ cardwire list
```

For each detected GPU, the command will return:
- An identifier (`ID`). These are used for manual blocking and unblocking.
- An identifier (`ID`). These are used for manual blocking and unblocking.
- The GPU's name (`NAME`)
- The GPU's PCI address (`PCI`)
- The GPU's PCI address (`PCI`)
- The associated render node (`RENDER`)
- The associated device node (`CARD`)
- Whether the GPU has been identified as the default GPU (`DEFAULT`). Default GPUs will remain available when cardwire is set to integrated.
- Whether the GPU is currently blocked (`BLOCKED`)
- The associated device node (`CARD`)
- Whether the GPU has been identified as the default GPU (`DEFAULT`). Default GPUs will remain available when cardwire is set to integrated.
- Whether the GPU is currently blocked (`BLOCKED`)

## Mode switching
## Mode switching

GPU modes can be switched using the `cardwire set` command.
GPU modes can be switched using the `cardwire set` command.

To have cardwire block all GPUs except the default GPU, use:
To have cardwire block all GPUs except the default GPU, use:

```
cardwire set integrated
```
```

> [!NOTE]
> The block only applies to new file opens. Processes that already have the GPU open (e.g. the compositor) will keep their access until they restart. A session logout/login is required for the GPU to fully power down. Check `cardwire gpu --lsof 1` to verify thre's no process keeping e.g. the dedicated GPU awake.

@luytan luytan Jun 23, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typo on "thre's no process keeping e.g. the dedicated GPU awake", a session logout/login shouldn't be required, even if the compositor has the dGPU's render/card node open, the dGPU can still enter D3Cold as long as the fd is not actively keeping the GPU awake (e.g. the GPU is idle, and the driver/compositor allow runtime suspend)


To have cardwire allow access to all GPUs, use
To have cardwire allow access to all GPUs, use

```
cardwire set hybrid
```
cardwire set hybrid
```

## Manual blocking and unblocking
## Manual blocking and unblocking


> [!IMPORTANT]
> [!IMPORTANT]
> To prevent system breakage, cardwire will not block default GPUs, even when explicitly instructed to do so.

If more granular control over several GPUs is required, cardwire also allows manually blocking individual GPUs by ID. To do so, it needs to be set to manual mode:
If more granular control over several GPUs is required, cardwire also allows manually blocking individual GPUs by ID. To do so, it needs to be set to manual mode:

```
cardwire set manual
```
cardwire set manual
```

Once set to manual, GPU states can then be set by ID; to find the correct ID, see [Querying GPUs](#Querying-GPUs).
Once set to manual, GPU states can then be set by ID; to find the correct ID, see [Querying GPUs](#Querying-GPUs).

To block the GPU with ID `1`:
To block the GPU with ID `1`:

```
cardwire gpu 1 --block
```

To unblock:
To unblock:

```
```
cardwire gpu 1 --unblock
```
```

## Battery Auto Switch Mode

Expand Down