A few fixes on kdump LUKS support

Resolves: https://issues.redhat.com/browse/RHEL-124989 Upstream: kdump-utils Conflict: none Fixes three situations where kdump can fail by, - adding "KeyringMode=shared" to the kdump.service unit file so it can access the LUKS volume keys - fixing the SELinux label of crypttab file - allowing users to use "sudo kdumpctl" Signed-off-by: Coiby Xu <coxu@redhat.com>
2025-11-10 11:50:11 +08:00 · 2025-11-10 11:50:11 +08:00 · a9643ff732
commit a9643ff732
parent 9cecd7eb47
4 changed files with 257 additions and 0 deletions
--- a/0003-Allow-kdump.service-to-access-LUKS-volume-keys.patch
+++ b/0003-Allow-kdump.service-to-access-LUKS-volume-keys.patch
@ -0,0 +1,43 @@
+From 280d4b6237b1f3bcad9cfba5e51b4f55d8b718c9 Mon Sep 17 00:00:00 2001
+From: Coiby Xu <coxu@redhat.com>
+Date: Mon, 3 Nov 2025 09:26:21 +0800
+Subject: [PATCH 3/5] Allow kdump.service to access LUKS volume keys
+
+Resoles: https://issues.redhat.com/browse/RHEL-124989
+
+Currently kdump.service fails to read LUKS volume keys,
+
+    kdumpctl[4001]: Nothing to read on input.
+    kdumpctl[3624]: kdump: Error: Could not unlock the LUKS device.
+    kdumpctl[3624]: kdump: Failed to get logon key kdump-cryptsetup:vk-eed43d84-d79f-4b6d-8159-c859bb1915ee. Run 'kdumpctl restart' manually to start kdump.
+    kdumpctl[3624]: kdump: kexec: failed to prepare for a LUKS target
+    kdumpctl[3624]: kdump: Starting kdump: [FAILED]
+    systemd[1]: kdump.service: Main process exited, code=exited, status=1/FAILURE
+    systemd[1]: kdump.service: Failed with result 'exit-code'.
+    systemd[1]: Failed to start kdump.service - Crash recovery kernel arming.
+
+Use KeyringMode=shared to link the user keyring of root to the session
+keyring so kdump.service can access the LUKS volume keys stored in
+root's user keyring. For more details on KeyringMode, man systemd.exec.
+
+Fixes: d9677e17 ("Support dumping to a LUKS-encrypted target")
+Signed-off-by: Coiby Xu <coxu@redhat.com>
+---
+ kdump.service | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kdump.service b/kdump.service
+index 84de7af2..a8771a81 100644
+--- a/kdump.service
+++ b/kdump.service
+@@ -11,6 +11,7 @@ ExecStop=/usr/bin/kdumpctl stop
+ ExecReload=/usr/bin/kdumpctl reload
+ RemainAfterExit=yes
+ StartLimitInterval=0
+KeyringMode=shared
+ 
+ [Install]
+ WantedBy=multi-user.target
+-- 
+2.51.1
+
--- a/0004-Restore-SELinux-label-of-crypttab-file.patch
+++ b/0004-Restore-SELinux-label-of-crypttab-file.patch
@ -0,0 +1,80 @@
+From fe2891da11ce088ce14f7b2913bd3123b8f7c727 Mon Sep 17 00:00:00 2001
+From: Coiby Xu <coxu@redhat.com>
+Date: Mon, 3 Nov 2025 09:55:07 +0800
+Subject: [PATCH 4/5] Restore SELinux label of crypttab file
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently, for LUKS encrypted dump target, the system can have booting
+problem with relatively older selinux-policy e.g. 40.13.21-1.el10 or
+38.1.65-1.el9.noarch,
+
+    [***   ] Job dev-disk-by\x2duuid-55f4fce1\x2…tart running (1min 21s / 1min 30s)
+    ...
+    [ TIME ] Timed out waiting for device dev-d…f4fce1-cd7f-43a6-8729-f0edcd048d73.
+    [DEPEND] Dependency failed for luks.mount - /luks.
+    [DEPEND] Dependency failed for local-fs.target - Local File Systems.
+    [DEPEND] Dependency failed for selinux-auto…k the need to relabel after reboot.
+    ...
+    [FAILED] Failed to start kdump.service - Crash recovery kernel arming.
+    See 'systemctl status kdump.service' for details.
+    You are in emergency mode. After logging in, type "journalctl -xb" to view
+    system logs, "systemctl reboot" to reboot, or "exit"
+    to continue bootup.
+        [    4.375155] systemd-cryptsetup-generator[690]: Failed to open /etc/crypttab: Permission denied
+        [    4.376555] audit: type=1400 audit(1762134586.538:4): avc:  denied  { open } for  pid=690 comm="systemd-cryptse" path="/etc/crypttab" dev="vda3" ino=16916076 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
+
+This happens because the updated crypttab file for LUKS dump target has
+incorrect SELinux label as it's created by mktemp. As a result, SELinux
+will prevent systemd-cryptsetup-generator from accessing crypttab and
+the encrypted dump target can fail to mount,
+
+    # ls -Z /etc/crypttab
+    unconfined_u:object_r:user_tmp_t:s0 /etc/crypttab
+
+Restore the SELinux label of crypttab to fix this issue,
+    # ls -Z /etc/crypttab
+    unconfined_u:object_r:etc_t:s0 /etc/crypttab
+
+Although this issue no longer happens to newer selinux-policy like
+policy-42.1.9-1.el10.noarch, it's better to restore the SELinux label of
+crypttab file.
+
+Fixes: 4e0d4cae ("Add kdumpctl setup-crypttab subcommand")
+Signed-off-by: Coiby Xu <coxu@redhat.com>
+---
+ kdumpctl                             | 1 +
+ spec/kdumpctl_setup_crypttab_spec.sh | 4 ++++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/kdumpctl b/kdumpctl
+index 6988ace1..e0aca1a6 100755
+--- a/kdumpctl
+++ b/kdumpctl
+@@ -1316,6 +1316,7 @@ setup_crypttab()
+ 		return 0
+ 	else
+ 		mv "$temp_file" "$CRYPTTAB_FILE"
+		restorecon "$CRYPTTAB_FILE"
+ 		dinfo "Success! $CRYPTTAB_FILE has been updated."
+ 
+ 		# Parse status updates and report on each changed UUID
+diff --git a/spec/kdumpctl_setup_crypttab_spec.sh b/spec/kdumpctl_setup_crypttab_spec.sh
+index bfcd8dc6..0250e02b 100644
+--- a/spec/kdumpctl_setup_crypttab_spec.sh
+++ b/spec/kdumpctl_setup_crypttab_spec.sh
+@@ -5,6 +5,10 @@ Describe "kdumpctl "
+ 	dinfo() {
+ 		echo "$1"
+ 	}
+	restorecon() {
+		:
+	}
+
+ 	Describe "setup_crypttab()"
+ 		# Set up global variables and mocks for each test
+ 		# shellcheck disable=SC2016 # expand expression later
+-- 
+2.51.1
+
--- a/0005-Allow-sudo-kdumpctl-for-LUKS-dump-target.patch
+++ b/0005-Allow-sudo-kdumpctl-for-LUKS-dump-target.patch
@ -0,0 +1,131 @@
+From c08d151016ab4d62addc2ec8089a756c0d89d583 Mon Sep 17 00:00:00 2001
+From: Coiby Xu <coxu@redhat.com>
+Date: Wed, 5 Nov 2025 10:14:28 +0800
+Subject: [PATCH 5/5] Allow "sudo kdumpctl" for LUKS dump target
+
+Some users may run kdumcptl after "sudo su" or use "sudo kdumpctl". And
+kdump will fail,
+    # sudo kdumcptl restart
+    request_key: Required key not available
+    keyctl_set_timeout: Invalid argument
+    kexec_file_load failed: Required key not available
+    kdump: kexec: failed to load kdump kernel
+
+This happens because the LUKS keys is can only be searched (keyctl request)
+by the process but not by the user and sudo process inherits the session
+keyring (@s) of the original user (test in the following example),
+
+    [test@localhost ~]$ sudo keyctl add user testkey testdata @u
+    711801750
+    [test@localhost ~]$ sudo grep testkey /proc/keys
+    2a6d3b96 I--Q---     1 perm 3f010000     0     0 user      testkey: 8
+    [test@localhost ~]$ sudo keyctl show 711801750
+    Keyring
+    Unable to dump key: Permission denied
+
+The permission "3f010000" means the process has all the permissions but
+user only has the view permission i.e. "sudo keyctl show/list @u" will list
+all the keys but "sudo keyctl show KEY_ID" won't work.
+
+Automatically use "sudo -i" which will use the session keyring (@s) of
+the root to support "sudo kdumpctl". Note "sudo -i kexec" is also
+needed in order for the process to read the keys in the kernel space.
+
+Reported-by: Li Tian <litian@redhat.com>
+Signed-off-by: Coiby Xu <coxu@redhat.com>
+---
+ kdumpctl | 29 ++++++++++++++++++++++++-----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/kdumpctl b/kdumpctl
+index e0aca1a6..cb10f5bd 100755
+--- a/kdumpctl
+++ b/kdumpctl
+@@ -737,7 +737,8 @@ function load_kdump_kernel_key()
+ 	if ! [[ -f /proc/device-tree/ibm,secure-boot ]]; then
+ 		return
+ 	fi
+-
+	# %.ima keyring is writable to the user, no need to use
+	# "sudo -i keyctl"
+ 	keyctl padd asymmetric "" %:.ima < "/usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer"
+ }
+ 
+@@ -760,6 +761,7 @@ load_kdump()
+ 		return 1
+ 	fi
+ 
+	[[ ${KEYCTL_CMD[0]} == sudo ]] && KEXEC="sudo -i $KEXEC"
+ 	ddebug "$KEXEC ${args[*]}"
+ 	if $KEXEC "${args[@]}"; then
+ 		dinfo "kexec: loaded kdump kernel"
+@@ -1084,6 +1086,9 @@ remove_luks_vol_keys()
+ 	local _key_line _key_id _key_desc _status=1
+ 
+ 	# Get all keys from @u keyring and process each line
+	# sudo process by default only has the permission to list the keys
+	# stored in user keyring i.e. "sudo keyctl list" can work not
+	# "sudo keyctl unlink/show"
+ 	while read -r _key_line; do
+ 		# Skip header lines and empty lines
+ 		[[ $_key_line =~ ^[0-9]+: ]] || continue
+@@ -1100,7 +1105,7 @@ remove_luks_vol_keys()
+ 
+ 		# Check if key description starts with LUKS_KEY_PRFIX
+ 		if [[ $_key_desc == "$LUKS_KEY_PRFIX"* ]]; then
+-			keyctl unlink "$_key_id"
+			"${KEYCTL_CMD[@]}" unlink "$_key_id"
+ 			_status=0
+ 		fi
+ 	done < <(keyctl list @u 2> /dev/null || true)
+@@ -1142,11 +1147,22 @@ _get_luks_key_by_unlock()
+ 	return 1
+ }
+ 
+# Some users may use "sudo kdumpctl". sudo process by default inherits the
+# session keyring (@s) of the original user which means it can't read LUKS keys
+# stored in root's user (@u) which is only linked to root's session keyring.
+# So use "sudo -i keyctl" and "sudo kexec" automatically in order to be able to
+# search and read the LUKS key(s).
+KEYCTL_CMD=(keyctl)
+ prepare_luks()
+ {
+ 	local _key_id _key_des _luks_unlock_cmd
+ 	declare -a _luks_devs
+ 
+	# Use "sudo -i" to use the root's session keyring to access LUKS keys
+	if ! keyctl show @s | grep -qs "_uid.0$"; then
+		KEYCTL_CMD=(sudo -i keyctl)
+	fi
+
+ 	mapfile -t _luks_devs < <(get_all_kdump_crypt_dev)
+ 
+ 	if [[ ${#_luks_devs[@]} -lt 1 ]]; then
+@@ -1174,10 +1190,13 @@ prepare_luks()
+ 	for _devuuid in "${_luks_devs[@]}"; do
+ 		_key_dir=$LUKS_CONFIGFS/$_devuuid
+ 		_key_des=$LUKS_KEY_PRFIX$_devuuid
+-		if _key_id=$(keyctl request logon "$_key_des" 2> /dev/null); then
+		if _key_id=$("${KEYCTL_CMD[@]}" request logon "$_key_des" 2> /dev/null); then
+ 			ddebug "Succesfully get @u::%logon:$_key_des"
+ 		elif _get_luks_key_by_unlock "$_devuuid" "$_key_des"; then
+-			_key_id=$(keyctl request logon "$_key_des")
+			if ! _key_id=$("${KEYCTL_CMD[@]}" request logon "$_key_des"); then
+				derror "Probably you are using 'sudo kdumpctl' or 'sudo su', please retry with 'sudo -i kdumpctl'"
+				return 1
+			fi
+ 			ddebug "Succesfully get @u::%logon:$_key_des after cryptsetup"
+ 		else
+ 			derror "Failed to get logon key $_key_des. Run 'kdumpctl restart' manually to start kdump."
+@@ -1185,7 +1204,7 @@ prepare_luks()
+ 		fi
+ 
+ 		# Let the key expire after 300 seconds
+-		keyctl timeout "$_key_id" 300
+		"${KEYCTL_CMD[@]}" timeout "$_key_id" 300
+ 		mkdir "$_key_dir"
+ 		printf "%s" "$_key_des" > "$_key_dir"/description
+ 	done
+-- 
+2.51.1
+
--- a/kdump-utils.spec
+++ b/kdump-utils.spec
@ -10,6 +10,9 @@ URL: https://github.com/rhkdump/kdump-utils
 Source0: https://github.com/rhkdump/kdump-utils/archive/v%{version}/%{name}-%{version}.tar.gz
 Patch01: 0001-Strip-surrounding-quotes-from-configuration-values.patch
 Patch02: 0002-unit-tests-Add-case-for-quoted-configuration-values.patch
+Patch03: 0003-Allow-kdump.service-to-access-LUKS-volume-keys.patch
+Patch04: 0004-Restore-SELinux-label-of-crypttab-file.patch
+Patch05: 0005-Allow-sudo-kdumpctl-for-LUKS-dump-target.patch

 %ifarch ppc64 ppc64le
 Requires(post): servicelog