diff --git a/0003-Allow-kdump.service-to-access-LUKS-volume-keys.patch b/0003-Allow-kdump.service-to-access-LUKS-volume-keys.patch
new file mode 100644
index 0000000..7688b5a
--- /dev/null
+++ b/0003-Allow-kdump.service-to-access-LUKS-volume-keys.patch
@@ -0,0 +1,43 @@
+From 280d4b6237b1f3bcad9cfba5e51b4f55d8b718c9 Mon Sep 17 00:00:00 2001
+From: Coiby Xu
+Date: Mon, 3 Nov 2025 09:26:21 +0800
+Subject: [PATCH 3/5] Allow kdump.service to access LUKS volume keys
+
+Resoles: https://issues.redhat.com/browse/RHEL-124989
+
+Currently kdump.service fails to read LUKS volume keys,
+
+ kdumpctl[4001]: Nothing to read on input.
+ kdumpctl[3624]: kdump: Error: Could not unlock the LUKS device.
+ kdumpctl[3624]: kdump: Failed to get logon key kdump-cryptsetup:vk-eed43d84-d79f-4b6d-8159-c859bb1915ee. Run 'kdumpctl restart' manually to start kdump.
+ kdumpctl[3624]: kdump: kexec: failed to prepare for a LUKS target
+ kdumpctl[3624]: kdump: Starting kdump: [FAILED]
+ systemd[1]: kdump.service: Main process exited, code=exited, status=1/FAILURE
+ systemd[1]: kdump.service: Failed with result 'exit-code'.
+ systemd[1]: Failed to start kdump.service - Crash recovery kernel arming.
+
+Use KeyringMode=shared to link the user keyring of root to the session
+keyring so kdump.service can access the LUKS volume keys stored in
+root's user keyring. For more details on KeyringMode, man systemd.exec.
+
+Fixes: d9677e17 ("Support dumping to a LUKS-encrypted target")
+Signed-off-by: Coiby Xu
+---
+ kdump.service | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kdump.service b/kdump.service
+index 84de7af2..a8771a81 100644
+--- a/kdump.service
++++ b/kdump.service
+@@ -11,6 +11,7 @@ ExecStop=/usr/bin/kdumpctl stop
+ ExecReload=/usr/bin/kdumpctl reload
+ RemainAfterExit=yes
+ StartLimitInterval=0
++KeyringMode=shared
+ 
+ [Install]
+ WantedBy=multi-user.target
+-- 
+2.51.1
+
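Review bot: `KeyringMode=shared` links root's whole user keyring (@u) into kdump.service's session keyring, so by design every key root keeps in @u — not only the `kdump-cryptsetup:*` logon keys the commit message is after — becomes searchable by kdumpctl and anything it execs, and that scope is recorded only in the commit message, not in the unit. I would put it next to the new line: `# Share root's user keyring so kdumpctl can request the LUKS volume keys; this exposes every key in root's @u to this service`. Whether the volume keys are already in root's @u when the unit starts at boot depends on ordering that is not visible here. The `Resoles:` trailer is presumably meant to be `Resolves:`, which matters if a tracker bot parses it.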
diff --git a/0004-Restore-SELinux-label-of-crypttab-file.patch b/0004-Restore-SELinux-label-of-crypttab-file.patch
new file mode 100644
index 0000000..5decd92
--- /dev/null
+++ b/0004-Restore-SELinux-label-of-crypttab-file.patch
@@ -0,0 +1,80 @@
+From fe2891da11ce088ce14f7b2913bd3123b8f7c727 Mon Sep 17 00:00:00 2001
+From: Coiby Xu
+Date: Mon, 3 Nov 2025 09:55:07 +0800
+Subject: [PATCH 4/5] Restore SELinux label of crypttab file
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently, for LUKS encrypted dump target, the system can have booting
+problem with relatively older selinux-policy e.g. 40.13.21-1.el10 or
+38.1.65-1.el9.noarch,
+
+ [*** ] Job dev-disk-by\x2duuid-55f4fce1\x2…tart running (1min 21s / 1min 30s)
+ ...
+ [ TIME ] Timed out waiting for device dev-d…f4fce1-cd7f-43a6-8729-f0edcd048d73.
+ [DEPEND] Dependency failed for luks.mount - /luks.
+ [DEPEND] Dependency failed for local-fs.target - Local File Systems.
+ [DEPEND] Dependency failed for selinux-auto…k the need to relabel after reboot.
+ ...
+ [FAILED] Failed to start kdump.service - Crash recovery kernel arming.
+ See 'systemctl status kdump.service' for details.
+ You are in emergency mode. After logging in, type "journalctl -xb" to view
+ system logs, "systemctl reboot" to reboot, or "exit"
+ to continue bootup.
+ [ 4.375155] systemd-cryptsetup-generator[690]: Failed to open /etc/crypttab: Permission denied
+ [ 4.376555] audit: type=1400 audit(1762134586.538:4): avc: denied { open } for pid=690 comm="systemd-cryptse" path="/etc/crypttab" dev="vda3" ino=16916076 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
+
+This happens because the updated crypttab file for LUKS dump target has
+incorrect SELinux label as it's created by mktemp. As a result, SELinux
+will prevent systemd-cryptsetup-generator from accessing crypttab and
+the encrypted dump target can fail to mount,
+
+ # ls -Z /etc/crypttab
+ unconfined_u:object_r:user_tmp_t:s0 /etc/crypttab
+
+Restore the SELinux label of crypttab to fix this issue,
+ # ls -Z /etc/crypttab
+ unconfined_u:object_r:etc_t:s0 /etc/crypttab
+
+Although this issue no longer happens to newer selinux-policy like
+policy-42.1.9-1.el10.noarch, it's better to restore the SELinux label of
+crypttab file.
+
+Fixes: 4e0d4cae ("Add kdumpctl setup-crypttab subcommand")
+Signed-off-by: Coiby Xu
+---
+ kdumpctl | 1 +
+ spec/kdumpctl_setup_crypttab_spec.sh | 4 ++++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/kdumpctl b/kdumpctl
+index 6988ace1..e0aca1a6 100755
+--- a/kdumpctl
++++ b/kdumpctl
+@@ -1316,6 +1316,7 @@ setup_crypttab()
+ return 0
+ else
+ mv "$temp_file" "$CRYPTTAB_FILE"
++ restorecon "$CRYPTTAB_FILE"
+ dinfo "Success! $CRYPTTAB_FILE has been updated."
+ 
+ # Parse status updates and report on each changed UUID
+diff --git a/spec/kdumpctl_setup_crypttab_spec.sh b/spec/kdumpctl_setup_crypttab_spec.sh
+index bfcd8dc6..0250e02b 100644
+--- a/spec/kdumpctl_setup_crypttab_spec.sh
++++ b/spec/kdumpctl_setup_crypttab_spec.sh
+@@ -5,6 +5,10 @@ Describe "kdumpctl "
+ dinfo() {
+ echo "$1"
+ }
++ restorecon() {
++ :
++ }
++
+ Describe "setup_crypttab()"
+ # Set up global variables and mocks for each test
+ # shellcheck disable=SC2016 # expand expression later
+-- 
+2.51.1
+
diff --git a/0005-Allow-sudo-kdumpctl-for-LUKS-dump-target.patch b/0005-Allow-sudo-kdumpctl-for-LUKS-dump-target.patch
new file mode 100644
index 0000000..0235d71
--- /dev/null
+++ b/0005-Allow-sudo-kdumpctl-for-LUKS-dump-target.patch
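Review bot: The exit status of the added `restorecon "$CRYPTTAB_FILE"` in setup_crypttab is ignored, so if the relabel fails, or restorecon is not installed on a host without policycoreutils, the mislabelled file that the commit message shows breaking boot is left in place without a word. I would make that visible, `restorecon "$CRYPTTAB_FILE" || derror "Failed to restore SELinux label of $CRYPTTAB_FILE"`, and guard it with `command -v restorecon > /dev/null` if kdump-utils does not already depend on policycoreutils. The root cause per the message is that mktemp creates the file under the tmp directory with a tmp label; creating it beside the target instead (`mktemp "$CRYPTTAB_FILE.XXXXXX"`) would normally give it the /etc label at creation and also keep `mv` a same-filesystem rename, which may be the more robust fix, though temp_file is created outside this hunk. setup_crypttab starts and ends outside the hunk.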
@@ -0,0 +1,131 @@
+From c08d151016ab4d62addc2ec8089a756c0d89d583 Mon Sep 17 00:00:00 2001
+From: Coiby Xu
+Date: Wed, 5 Nov 2025 10:14:28 +0800
+Subject: [PATCH 5/5] Allow "sudo kdumpctl" for LUKS dump target
+
+Some users may run kdumcptl after "sudo su" or use "sudo kdumpctl". And
+kdump will fail,
+ # sudo kdumcptl restart
+ request_key: Required key not available
+ keyctl_set_timeout: Invalid argument
+ kexec_file_load failed: Required key not available
+ kdump: kexec: failed to load kdump kernel
+
+This happens because the LUKS keys is can only be searched (keyctl request)
+by the process but not by the user and sudo process inherits the session
+keyring (@s) of the original user (test in the following example),
+
+ [test@localhost ~]$ sudo keyctl add user testkey testdata @u
+ 711801750
+ [test@localhost ~]$ sudo grep testkey /proc/keys
+ 2a6d3b96 I--Q--- 1 perm 3f010000 0 0 user testkey: 8
+ [test@localhost ~]$ sudo keyctl show 711801750
+ Keyring
+ Unable to dump key: Permission denied
+
+The permission "3f010000" means the process has all the permissions but
+user only has the view permission i.e. "sudo keyctl show/list @u" will list
+all the keys but "sudo keyctl show KEY_ID" won't work.
+
+Automatically use "sudo -i" which will use the session keyring (@s) of
+the root to support "sudo kdumpctl". Note "sudo -i kexec" is also
+needed in order for the process to read the keys in the kernel space.
+
+Reported-by: Li Tian
+Signed-off-by: Coiby Xu
+---
+ kdumpctl | 29 ++++++++++++++++++++++++-----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/kdumpctl b/kdumpctl
+index e0aca1a6..cb10f5bd 100755
+--- a/kdumpctl
++++ b/kdumpctl
+@@ -737,7 +737,8 @@ function load_kdump_kernel_key()
+ if ! [[ -f /proc/device-tree/ibm,secure-boot ]]; then
+ return
+ fi
+-
++ # %.ima keyring is writable to the user, no need to use
++ # "sudo -i keyctl"
+ keyctl padd asymmetric "" %:.ima < "/usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer"
+ }
+ 
+@@ -760,6 +761,7 @@ load_kdump()
+ return 1
+ fi
+ 
++ [[ ${KEYCTL_CMD[0]} == sudo ]] && KEXEC="sudo -i $KEXEC"
+ ddebug "$KEXEC ${args[*]}"
+ if $KEXEC "${args[@]}"; then
+ dinfo "kexec: loaded kdump kernel"
+@@ -1084,6 +1086,9 @@ remove_luks_vol_keys()
+ local _key_line _key_id _key_desc _status=1
+ 
+ # Get all keys from @u keyring and process each line
++ # sudo process by default only has the permission to list the keys
++ # stored in user keyring i.e. "sudo keyctl list" can work not
++ # "sudo keyctl unlink/show"
+ while read -r _key_line; do
+ # Skip header lines and empty lines
+ [[ $_key_line =~ ^[0-9]+: ]] || continue
+@@ -1100,7 +1105,7 @@ remove_luks_vol_keys()
+ 
+ # Check if key description starts with LUKS_KEY_PRFIX
+ if [[ $_key_desc == "$LUKS_KEY_PRFIX"* ]]; then
+- keyctl unlink "$_key_id"
++ "${KEYCTL_CMD[@]}" unlink "$_key_id"
+ _status=0
+ fi
+ done < <(keyctl list @u 2> /dev/null || true)
+@@ -1142,11 +1147,22 @@ _get_luks_key_by_unlock()
+ return 1
+ }
+ 
++# Some users may use "sudo kdumpctl". sudo process by default inherits the
++# session keyring (@s) of the original user which means it can't read LUKS keys
++# stored in root's user (@u) which is only linked to root's session keyring.
++# So use "sudo -i keyctl" and "sudo kexec" automatically in order to be able to
++# search and read the LUKS key(s).
++KEYCTL_CMD=(keyctl)
+ prepare_luks()
+ {
+ local _key_id _key_des _luks_unlock_cmd
+ declare -a _luks_devs
+ 
++ # Use "sudo -i" to use the root's session keyring to access LUKS keys
++ if ! keyctl show @s | grep -qs "_uid.0$"; then
++ KEYCTL_CMD=(sudo -i keyctl)
++ fi
++
+ mapfile -t _luks_devs < <(get_all_kdump_crypt_dev)
+ 
+ if [[ ${#_luks_devs[@]} -lt 1 ]]; then
+@@ -1174,10 +1190,13 @@ prepare_luks()
+ for _devuuid in "${_luks_devs[@]}"; do
+ _key_dir=$LUKS_CONFIGFS/$_devuuid
+ _key_des=$LUKS_KEY_PRFIX$_devuuid
+- if _key_id=$(keyctl request logon "$_key_des" 2> /dev/null); then
++ if _key_id=$("${KEYCTL_CMD[@]}" request logon "$_key_des" 2> /dev/null); then
+ ddebug "Succesfully get @u::%logon:$_key_des"
+ elif _get_luks_key_by_unlock "$_devuuid" "$_key_des"; then
+- _key_id=$(keyctl request logon "$_key_des")
++ if ! _key_id=$("${KEYCTL_CMD[@]}" request logon "$_key_des"); then
++ derror "Probably you are using 'sudo kdumpctl' or 'sudo su', please retry with 'sudo -i kdumpctl'"
++ return 1
++ fi
+ ddebug "Succesfully get @u::%logon:$_key_des after cryptsetup"
+ else
+ derror "Failed to get logon key $_key_des. Run 'kdumpctl restart' manually to start kdump."
+@@ -1185,7 +1204,7 @@ prepare_luks()
+ fi
+ 
+ # Let the key expire after 300 seconds
+- keyctl timeout "$_key_id" 300
++ "${KEYCTL_CMD[@]}" timeout "$_key_id" 300
+ mkdir "$_key_dir"
+ printf "%s" "$_key_des" > "$_key_dir"/description
+ done
+-- 
+2.51.1
+
diff --git a/kdump-utils.spec b/kdump-utils.spec
index 63352b2..ed2f732 100644
--- a/kdump-utils.spec
+++ b/kdump-utils.spec
@@ -10,6 +10,9 @@ URL: https://github.com/rhkdump/kdump-utils
 Source0: https://github.com/rhkdump/kdump-utils/archive/v%{version}/%{name}-%{version}.tar.gz
 Patch01: 0001-Strip-surrounding-quotes-from-configuration-values.patch
 Patch02: 0002-unit-tests-Add-case-for-quoted-configuration-values.patch
+Patch03: 0003-Allow-kdump.service-to-access-LUKS-volume-keys.patch
+Patch04: 0004-Restore-SELinux-label-of-crypttab-file.patch
+Patch05: 0005-Allow-sudo-kdumpctl-for-LUKS-dump-target.patch
 %ifarch ppc64 ppc64le
 Requires(post): servicelog
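Review bot: `KEXEC="sudo -i $KEXEC"` in load_kdump runs kexec through root's login shell — per sudo(8), `-i` hands the command to the shell with `-c` and backslash-escapes every argument character except alphanumerics, `_`, `-` and `$` — so a `$` anywhere in `args` (built outside the hunk; a kernel command line is the likely carrier) is expanded by root's shell, and root's profile and rc files now execute on every kdump load; the same holds for each `sudo -i keyctl` call. `KEYCTL_CMD` is switched only inside prepare_luks, so a `sudo kdumpctl` path that reaches remove_luks_vol_keys without passing through prepare_luks still unlinks with the plain `keyctl` the new comment says cannot unlink (whether such a path exists is not visible here). The login shell is only a means to obtain a session keyring with root's @u linked; if it works in this environment, doing that once near the top of kdumpctl with `keyctl new_session > /dev/null && keyctl link @u @s` would give the whole script, kexec included, the same keyring view without re-quoting through a shell or depending on the pam_keyinit setup of sudo-i. The `kdumcptl` spellings in the commit message should read `kdumpctl`.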