A few fixes on kdump LUKS support

Resolves: https://issues.redhat.com/browse/RHEL-124989
Upstream: kdump-utils
Conflict: none

Fixes three situations where kdump can fail by,
- adding "KeyringMode=shared" to the kdump.service unit file so it can access the LUKS volume keys
- fixing the SELinux label of crypttab file
- allowing users to use "sudo kdumpctl"

Signed-off-by: Coiby Xu <coxu@redhat.com>

.gitignore

@@ -1 +1,6 @@
-kdump-utils-1.0.51.tar.gz
+/kdump-utils-1.0.42.tar.gz
+/kdump-utils-1.0.43.tar.gz
+/kdump-utils-1.0.45.tar.gz
+/kdump-utils-1.0.51.tar.gz
+/kdump-utils-1.0.54.tar.gz
+/kdump-utils-1.0.58.tar.gz

0001-Strip-surrounding-quotes-from-configuration-values.patch

@@ -0,0 +1,77 @@
+From 1a733872aeab1d1dcc0b063cd05afe61bbeb1c33 Mon Sep 17 00:00:00 2001
+From: Lichen Liu <lichliu@redhat.com>
+Date: Tue, 14 Oct 2025 11:30:29 +0800
+Subject: [PATCH 1/2] Strip surrounding quotes from configuration values
+
+The documentation for kdump.conf suggests values can be enclosed in
+double quotes, as in 'core_collector "makedumpfile -l --message-level 7 -d 31"'.
+
+However, the parsing logic did not strip these quotes, causing the
+system to treat them as part of the value. This led to errors, such
+as attempting to execute the command '"makedumpfile', which would
+fail with a "command not found" error.
+
+```
+kdump.sh[599]: /lib/kdump-lib-initramfs.sh: line 145: "makedumpfile: command not found
+kdump[601]: saving vmcore failed, _exitcode:127
+kdump[603]: saving the /run/initramfs/kexec-dmesg.log to /sysroot//var/crash/127.0.0.1-2025-09-17-19:25:10/
+kdump[609]: saving vmcore failed
+[FAILED] Failed to start Kdump Vmcore Save Service.
+```
+
+This patch fixes the issue by removing surrounding double quotes from
+configuration values when they are read. This ensures that quoted
+values are handled correctly and behave as documented.
+
+Signed-off-by: Lichen Liu <lichliu@redhat.com>
+---
+ dracut/99kdumpbase/module-setup.sh | 2 +-
+ kdump-lib-initramfs.sh             | 5 +++--
+ kdumpctl                           | 1 +
+ 3 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/dracut/99kdumpbase/module-setup.sh b/dracut/99kdumpbase/module-setup.sh
+index 1c223ed..4dc11ac 100755
+--- a/dracut/99kdumpbase/module-setup.sh
++++ b/dracut/99kdumpbase/module-setup.sh
+@@ -719,7 +719,7 @@ kdump_install_conf() {
+     kdump_read_conf > "${initdir}/tmp/$$-kdump.conf"
+ 
+     while read -r _opt _val; do
+-        # remove inline comments after the end of a directive.
++        [[ $_val == \"*\" ]] && _val=${_val:1:-1}
+         case "$_opt" in
+             raw)
+                 _pdev=$(persistent_policy="by-id" kdump_get_persistent_dev "$_val")
+diff --git a/kdump-lib-initramfs.sh b/kdump-lib-initramfs.sh
+index 558295a..c4bc6d2 100755
+--- a/kdump-lib-initramfs.sh
++++ b/kdump-lib-initramfs.sh
+@@ -29,9 +29,10 @@ kdump_read_conf()
+ kdump_get_conf_val()
+ {
+ 	# For lines matching "^\s*$1\s+", remove matched part (config name including space),
+-	# remove tailing comment, space, then store in hold space. Print out the hold buffer on last line.
++	# remove tailing comment, space and the surrounding quotes, then store in hold space.
++	# Print out the hold buffer on last line.
+ 	[ -f "$KDUMP_CONFIG_FILE" ] &&
+-		sed -n -e "/^\s*\($1\)\s\+/{s/^\s*\($1\)\s\+//;s/#.*//;s/\s*$//;h};\${x;p}" $KDUMP_CONFIG_FILE
++		sed -n -e "/^\s*\($1\)\s\+/{s/^\s*\($1\)\s\+//;s/#.*//;s/\s*$//;s/^\"\(.*\)\"$/\1/;h};\${x;p}" $KDUMP_CONFIG_FILE
+ }
+ 
+ is_mounted()
+diff --git a/kdumpctl b/kdumpctl
+index dd69318..6375efa 100755
+--- a/kdumpctl
++++ b/kdumpctl
+@@ -324,6 +324,7 @@ _set_config()
+ 		fi
+ 		return 1
+ 	fi
++	[[ $_val == \"*\" ]] && _val=${_val:1:-1}
+ 	OPT[$opt]="$val"
+ }
+ 
+-- 
+2.51.1
+

0001-powerpc-fix-early-exit-from-udev-on-hotplug-event-fo.patch

@@ -1,35 +0,0 @@
-From 679a1c5a96e4b5fac06f2045db97db21e6a62ff8 Mon Sep 17 00:00:00 2001
-From: Sourabh Jain <sourabhjain@linux.ibm.com>
-Date: Wed, 8 Jan 2025 12:11:10 +0530
-Subject: [PATCH] powerpc: fix early exit from udev on hotplug event for fadump
-
-Sysfs /sys/kernel/fadump/hotplug_ready contains 1 if hotplug is
-supported by fadump.
-
-Now to exit early the RUN command should grep 0 from
-/sys/kernel/fadump/hotplug_ready instead of 1.
-
-Fix it by updating RUN command.
-
-Fixes: b4e3d3724cf3 ("fadump/udev: do not re-register fadump if kernel hotplug ready")
-Signed-off-by: Sourabh Jain <sourabhjain@linux.ibm.com>
----
- 98-kexec.rules.ppc64 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/98-kexec.rules.ppc64 b/98-kexec.rules.ppc64
-index 85fe0b1..ac6d42a 100644
---- a/98-kexec.rules.ppc64
-+++ b/98-kexec.rules.ppc64
-@@ -17,7 +17,7 @@ LABEL="kdump_reload_mem"
- 
- # Don't re-register fadump if /sys/kernel/fadump/hotplug_ready sysfs is set to 1.
- 
--RUN+="/bin/sh -c '/usr/bin/systemctl is-active kdump.service || exit 0; ! test -f /sys/kernel/fadump/hotplug_ready || cat /sys/kernel/fadump/hotplug_ready | grep 1 || exit 0; /usr/bin/systemd-run --quiet --no-block /usr/lib/udev/kdump-udev-throttler'"
-+RUN+="/bin/sh -c '/usr/bin/systemctl is-active kdump.service || exit 0; ! test -f /sys/kernel/fadump/hotplug_ready || cat /sys/kernel/fadump/hotplug_ready | grep 0 || exit 0; /usr/bin/systemd-run --quiet --no-block /usr/lib/udev/kdump-udev-throttler'"
- 
- GOTO="kdump_reload_end"
- 
--- 
-2.41.0
-

0002-99-kdump.conf-Omit-nouveau-and-amdgpu-module.patch

@@ -1,34 +0,0 @@
-From 77a0246cde3505777cfa1f9c2a1a834e76b7eed6 Mon Sep 17 00:00:00 2001
-From: Lichen Liu <lichliu@redhat.com>
-Date: Mon, 13 Jan 2025 17:39:56 +0800
-Subject: [PATCH] 99-kdump.conf: Omit nouveau and amdgpu module
-
-Resolves: https://issues.redhat.com/browse/RHEL-52304
-
-The GPU module provides no significant utility in second kernel, and it
-introduces firmware that occupies lots of memory, which is critical in
-the constrained environment of kdump. Omit it helps reduce memory usage
-and optimize the crash recovery process.
-
-See also:
-https://access.redhat.com/solutions/6977793
-https://access.redhat.com/solutions/7100186
-
-Signed-off-by: Lichen Liu <lichliu@redhat.com>
----
- 99-kdump.conf | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/99-kdump.conf b/99-kdump.conf
-index 80d6e43..696c7ac 100644
---- a/99-kdump.conf
-+++ b/99-kdump.conf
-@@ -1,3 +1,4 @@
- dracutmodules=''
- add_dracutmodules=' kdumpbase '
- omit_dracutmodules=' rdma plymouth resume ifcfg earlykdump '
-+omit_drivers+=' nouveau amdgpu '
-\ No newline at end of file
--- 
-2.47.0
-

0002-unit-tests-Add-case-for-quoted-configuration-values.patch

@@ -0,0 +1,45 @@
+From e44958cad8bd997322b213a88881fe874641050d Mon Sep 17 00:00:00 2001
+From: Lichen Liu <lichliu@redhat.com>
+Date: Tue, 14 Oct 2025 11:43:04 +0800
+Subject: [PATCH 2/2] unit tests: Add case for quoted configuration values
+
+This adds a unit test to ensure `kdump_get_conf_val` correctly strips
+surrounding quotes from configuration options. This test case covers the
+bug fixed in the previous commit.
+
+Signed-off-by: Lichen Liu <lichliu@redhat.com>
+---
+ spec/kdump-lib-initramfs_spec.sh | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/spec/kdump-lib-initramfs_spec.sh b/spec/kdump-lib-initramfs_spec.sh
+index 2cb85bb..acabc2f 100644
+--- a/spec/kdump-lib-initramfs_spec.sh
++++ b/spec/kdump-lib-initramfs_spec.sh
+@@ -12,6 +12,7 @@ Describe 'kdump-lib-initramfs'
+ 			#|dracut_args --omit-drivers "cfg80211 snd" --add-drivers "ext2 ext3"
+ 			#|sshkey /root/.ssh/kdump_id_rsa
+ 			#|ssh user@my.server.com
++			#|core_collector "makedumpfile -l --message-level 7 -d 31"
+ 		}
+ 		kdump_config >$KDUMP_CONFIG_FILE
+ 		Context 'Given different cases'
+@@ -21,6 +22,7 @@ Describe 'kdump-lib-initramfs'
+ 			#  - complicate value for dracut_args
+ 			#  - Given two parameters, retrive one parameter that has value specified
+ 			#  - Given two parameters (in reverse order), retrive one parameter that has value specified
++			#  - values are enclosed in quotes
+ 			Parameters
+ 				"#1" nfs my.server.com:/export/tmp
+ 				"#2" ssh user@my.server.com
+@@ -28,6 +30,7 @@ Describe 'kdump-lib-initramfs'
+ 				"#4" dracut_args '--omit-drivers "cfg80211 snd" --add-drivers "ext2 ext3"'
+ 				"#5" 'ssh\|aaa' user@my.server.com
+ 				"#6" 'aaa\|ssh' user@my.server.com
++				"#7" core_collector "makedumpfile -l --message-level 7 -d 31"
+ 			End
+ 
+ 			It 'should handle all cases correctly'
+-- 
+2.51.1
+

0003-99-kdump.conf-Omit-hwdb-dracut-module.patch

@@ -1,43 +0,0 @@
-From 966dc0845980d2150a6614387ce6a05c79e1eb80 Mon Sep 17 00:00:00 2001
-From: Lichen Liu <lichliu@redhat.com>
-Date: Tue, 21 Jan 2025 14:04:28 +0800
-Subject: [PATCH] 99-kdump.conf: Omit hwdb dracut module
-
-The hwdb (udev hardware database) file `/etc/udev/hwdb.bin` is currently
-included in the initramfs, taking up approximately 13MB of space. This is
-a significant size for kdump initramfs, which may lead more OOM issues.
-
-Certain advanced device initializations that rely on hwdb (e.g., custom
-keyboard mappings, specific touchpad configurations) may not work in the
-kdump environment.
-
-However, kdump do not require hwdb in the most cases, as critical devices
-like storage, network, and basic input devices are typically handled by
-standard udev rules and kernel drivers.
-
-This change prioritizes reducing initramfs size over retaining hardware
-database functionality, as the latter is rarely critical in the kdump
-environment.
-
-Resolves: https://issues.redhat.com/browse/RHEL-57731
-
-Signed-off-by: Lichen Liu <lichliu@redhat.com>
----
- 99-kdump.conf | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/99-kdump.conf b/99-kdump.conf
-index 696c7ac..1301c44 100644
---- a/99-kdump.conf
-+++ b/99-kdump.conf
-@@ -1,4 +1,4 @@
- dracutmodules=''
- add_dracutmodules=' kdumpbase '
--omit_dracutmodules=' rdma plymouth resume ifcfg earlykdump '
--omit_drivers+=' nouveau amdgpu '
-\ No newline at end of file
-+omit_dracutmodules=' hwdb rdma plymouth resume ifcfg earlykdump '
-+omit_drivers+=' nouveau amdgpu '
--- 
-2.47.0
-

0003-Allow-kdump.service-to-access-LUKS-volume-keys.patch

@@ -0,0 +1,43 @@
+From 280d4b6237b1f3bcad9cfba5e51b4f55d8b718c9 Mon Sep 17 00:00:00 2001
+From: Coiby Xu <coxu@redhat.com>
+Date: Mon, 3 Nov 2025 09:26:21 +0800
+Subject: [PATCH 3/5] Allow kdump.service to access LUKS volume keys
+
+Resoles: https://issues.redhat.com/browse/RHEL-124989
+
+Currently kdump.service fails to read LUKS volume keys,
+
+    kdumpctl[4001]: Nothing to read on input.
+    kdumpctl[3624]: kdump: Error: Could not unlock the LUKS device.
+    kdumpctl[3624]: kdump: Failed to get logon key kdump-cryptsetup:vk-eed43d84-d79f-4b6d-8159-c859bb1915ee. Run 'kdumpctl restart' manually to start kdump.
+    kdumpctl[3624]: kdump: kexec: failed to prepare for a LUKS target
+    kdumpctl[3624]: kdump: Starting kdump: [FAILED]
+    systemd[1]: kdump.service: Main process exited, code=exited, status=1/FAILURE
+    systemd[1]: kdump.service: Failed with result 'exit-code'.
+    systemd[1]: Failed to start kdump.service - Crash recovery kernel arming.
+
+Use KeyringMode=shared to link the user keyring of root to the session
+keyring so kdump.service can access the LUKS volume keys stored in
+root's user keyring. For more details on KeyringMode, man systemd.exec.
+
+Fixes: d9677e17 ("Support dumping to a LUKS-encrypted target")
+Signed-off-by: Coiby Xu <coxu@redhat.com>
+---
+ kdump.service | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kdump.service b/kdump.service
+index 84de7af2..a8771a81 100644
+--- a/kdump.service
++++ b/kdump.service
+@@ -11,6 +11,7 @@ ExecStop=/usr/bin/kdumpctl stop
+ ExecReload=/usr/bin/kdumpctl reload
+ RemainAfterExit=yes
+ StartLimitInterval=0
++KeyringMode=shared
+ 
+ [Install]
+ WantedBy=multi-user.target
+-- 
+2.51.1
+

0004-Check-proc-sys-crypto-fips_enabled-to-tell-if-FIPS-h.patch

@@ -1,36 +0,0 @@
-From 722b45982e954d47e507d4aa33fbe8003da34d91 Mon Sep 17 00:00:00 2001
-From: Coiby Xu <coxu@redhat.com>
-Date: Mon, 17 Feb 2025 11:02:05 +0800
-Subject: [PATCH] Check /proc/sys/crypto/fips_enabled to tell if FIPS has been
- enabled
-
-Resolves: https://issues.redhat.com/browse/RHEL-75539
-
-A proposal [1] has been submitted to remove fips-mode-setup from Fedora
-42. And we are suggested to tell if FIPS has been enabled by check if
-/proc/sys/crypto/fips_enabled has 1.
-
-[1] https://fedoraproject.org/wiki/Changes/RemoveFipsModeSetup#Feedback
-[2] https://developers.redhat.com/articles/2024/02/27/handling-fips-mode-upstream-projects-rhel#
-
-Signed-off-by: Coiby Xu <coxu@redhat.com>
----
- mkdumprd | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/mkdumprd b/mkdumprd
-index c51d28f4..047a32ea 100644
---- a/mkdumprd
-+++ b/mkdumprd
-@@ -424,7 +424,7 @@ if ! is_fadump_capable; then
- 
- 	dracut_args+=(--no-hostonly-default-device)
- 
--	if fips-mode-setup --is-enabled 2> /dev/null; then
-+	if [[ $(cat /proc/sys/crypto/fips_enabled) == 1  ]]; then
- 		dracut_args+=(--add-device "$(findmnt -n -o SOURCE --target /boot)")
- 	fi
- fi
--- 
-2.48.1
-

0004-Restore-SELinux-label-of-crypttab-file.patch

@@ -0,0 +1,80 @@
+From fe2891da11ce088ce14f7b2913bd3123b8f7c727 Mon Sep 17 00:00:00 2001
+From: Coiby Xu <coxu@redhat.com>
+Date: Mon, 3 Nov 2025 09:55:07 +0800
+Subject: [PATCH 4/5] Restore SELinux label of crypttab file
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently, for LUKS encrypted dump target, the system can have booting
+problem with relatively older selinux-policy e.g. 40.13.21-1.el10 or
+38.1.65-1.el9.noarch,
+
+    [***   ] Job dev-disk-by\x2duuid-55f4fce1\x2…tart running (1min 21s / 1min 30s)
+    ...
+    [ TIME ] Timed out waiting for device dev-d…f4fce1-cd7f-43a6-8729-f0edcd048d73.
+    [DEPEND] Dependency failed for luks.mount - /luks.
+    [DEPEND] Dependency failed for local-fs.target - Local File Systems.
+    [DEPEND] Dependency failed for selinux-auto…k the need to relabel after reboot.
+    ...
+    [FAILED] Failed to start kdump.service - Crash recovery kernel arming.
+    See 'systemctl status kdump.service' for details.
+    You are in emergency mode. After logging in, type "journalctl -xb" to view
+    system logs, "systemctl reboot" to reboot, or "exit"
+    to continue bootup.
+        [    4.375155] systemd-cryptsetup-generator[690]: Failed to open /etc/crypttab: Permission denied
+        [    4.376555] audit: type=1400 audit(1762134586.538:4): avc:  denied  { open } for  pid=690 comm="systemd-cryptse" path="/etc/crypttab" dev="vda3" ino=16916076 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
+
+This happens because the updated crypttab file for LUKS dump target has
+incorrect SELinux label as it's created by mktemp. As a result, SELinux
+will prevent systemd-cryptsetup-generator from accessing crypttab and
+the encrypted dump target can fail to mount,
+
+    # ls -Z /etc/crypttab
+    unconfined_u:object_r:user_tmp_t:s0 /etc/crypttab
+
+Restore the SELinux label of crypttab to fix this issue,
+    # ls -Z /etc/crypttab
+    unconfined_u:object_r:etc_t:s0 /etc/crypttab
+
+Although this issue no longer happens to newer selinux-policy like
+policy-42.1.9-1.el10.noarch, it's better to restore the SELinux label of
+crypttab file.
+
+Fixes: 4e0d4cae ("Add kdumpctl setup-crypttab subcommand")
+Signed-off-by: Coiby Xu <coxu@redhat.com>
+---
+ kdumpctl                             | 1 +
+ spec/kdumpctl_setup_crypttab_spec.sh | 4 ++++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/kdumpctl b/kdumpctl
+index 6988ace1..e0aca1a6 100755
+--- a/kdumpctl
++++ b/kdumpctl
+@@ -1316,6 +1316,7 @@ setup_crypttab()
+ 		return 0
+ 	else
+ 		mv "$temp_file" "$CRYPTTAB_FILE"
++		restorecon "$CRYPTTAB_FILE"
+ 		dinfo "Success! $CRYPTTAB_FILE has been updated."
+ 
+ 		# Parse status updates and report on each changed UUID
+diff --git a/spec/kdumpctl_setup_crypttab_spec.sh b/spec/kdumpctl_setup_crypttab_spec.sh
+index bfcd8dc6..0250e02b 100644
+--- a/spec/kdumpctl_setup_crypttab_spec.sh
++++ b/spec/kdumpctl_setup_crypttab_spec.sh
+@@ -5,6 +5,10 @@ Describe "kdumpctl "
+ 	dinfo() {
+ 		echo "$1"
+ 	}
++	restorecon() {
++		:
++	}
++
+ 	Describe "setup_crypttab()"
+ 		# Set up global variables and mocks for each test
+ 		# shellcheck disable=SC2016 # expand expression later
+-- 
+2.51.1
+

0005-Allow-sudo-kdumpctl-for-LUKS-dump-target.patch

@@ -0,0 +1,131 @@
+From c08d151016ab4d62addc2ec8089a756c0d89d583 Mon Sep 17 00:00:00 2001
+From: Coiby Xu <coxu@redhat.com>
+Date: Wed, 5 Nov 2025 10:14:28 +0800
+Subject: [PATCH 5/5] Allow "sudo kdumpctl" for LUKS dump target
+
+Some users may run kdumcptl after "sudo su" or use "sudo kdumpctl". And
+kdump will fail,
+    # sudo kdumcptl restart
+    request_key: Required key not available
+    keyctl_set_timeout: Invalid argument
+    kexec_file_load failed: Required key not available
+    kdump: kexec: failed to load kdump kernel
+
+This happens because the LUKS keys is can only be searched (keyctl request)
+by the process but not by the user and sudo process inherits the session
+keyring (@s) of the original user (test in the following example),
+
+    [test@localhost ~]$ sudo keyctl add user testkey testdata @u
+    711801750
+    [test@localhost ~]$ sudo grep testkey /proc/keys
+    2a6d3b96 I--Q---     1 perm 3f010000     0     0 user      testkey: 8
+    [test@localhost ~]$ sudo keyctl show 711801750
+    Keyring
+    Unable to dump key: Permission denied
+
+The permission "3f010000" means the process has all the permissions but
+user only has the view permission i.e. "sudo keyctl show/list @u" will list
+all the keys but "sudo keyctl show KEY_ID" won't work.
+
+Automatically use "sudo -i" which will use the session keyring (@s) of
+the root to support "sudo kdumpctl". Note "sudo -i kexec" is also
+needed in order for the process to read the keys in the kernel space.
+
+Reported-by: Li Tian <litian@redhat.com>
+Signed-off-by: Coiby Xu <coxu@redhat.com>
+---
+ kdumpctl | 29 ++++++++++++++++++++++++-----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/kdumpctl b/kdumpctl
+index e0aca1a6..cb10f5bd 100755
+--- a/kdumpctl
++++ b/kdumpctl
+@@ -737,7 +737,8 @@ function load_kdump_kernel_key()
+ 	if ! [[ -f /proc/device-tree/ibm,secure-boot ]]; then
+ 		return
+ 	fi
+-
++	# %.ima keyring is writable to the user, no need to use
++	# "sudo -i keyctl"
+ 	keyctl padd asymmetric "" %:.ima < "/usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer"
+ }
+ 
+@@ -760,6 +761,7 @@ load_kdump()
+ 		return 1
+ 	fi
+ 
++	[[ ${KEYCTL_CMD[0]} == sudo ]] && KEXEC="sudo -i $KEXEC"
+ 	ddebug "$KEXEC ${args[*]}"
+ 	if $KEXEC "${args[@]}"; then
+ 		dinfo "kexec: loaded kdump kernel"
+@@ -1084,6 +1086,9 @@ remove_luks_vol_keys()
+ 	local _key_line _key_id _key_desc _status=1
+ 
+ 	# Get all keys from @u keyring and process each line
++	# sudo process by default only has the permission to list the keys
++	# stored in user keyring i.e. "sudo keyctl list" can work not
++	# "sudo keyctl unlink/show"
+ 	while read -r _key_line; do
+ 		# Skip header lines and empty lines
+ 		[[ $_key_line =~ ^[0-9]+: ]] || continue
+@@ -1100,7 +1105,7 @@ remove_luks_vol_keys()
+ 
+ 		# Check if key description starts with LUKS_KEY_PRFIX
+ 		if [[ $_key_desc == "$LUKS_KEY_PRFIX"* ]]; then
+-			keyctl unlink "$_key_id"
++			"${KEYCTL_CMD[@]}" unlink "$_key_id"
+ 			_status=0
+ 		fi
+ 	done < <(keyctl list @u 2> /dev/null || true)
+@@ -1142,11 +1147,22 @@ _get_luks_key_by_unlock()
+ 	return 1
+ }
+ 
++# Some users may use "sudo kdumpctl". sudo process by default inherits the
++# session keyring (@s) of the original user which means it can't read LUKS keys
++# stored in root's user (@u) which is only linked to root's session keyring.
++# So use "sudo -i keyctl" and "sudo kexec" automatically in order to be able to
++# search and read the LUKS key(s).
++KEYCTL_CMD=(keyctl)
+ prepare_luks()
+ {
+ 	local _key_id _key_des _luks_unlock_cmd
+ 	declare -a _luks_devs
+ 
++	# Use "sudo -i" to use the root's session keyring to access LUKS keys
++	if ! keyctl show @s | grep -qs "_uid.0$"; then
++		KEYCTL_CMD=(sudo -i keyctl)
++	fi
++
+ 	mapfile -t _luks_devs < <(get_all_kdump_crypt_dev)
+ 
+ 	if [[ ${#_luks_devs[@]} -lt 1 ]]; then
+@@ -1174,10 +1190,13 @@ prepare_luks()
+ 	for _devuuid in "${_luks_devs[@]}"; do
+ 		_key_dir=$LUKS_CONFIGFS/$_devuuid
+ 		_key_des=$LUKS_KEY_PRFIX$_devuuid
+-		if _key_id=$(keyctl request logon "$_key_des" 2> /dev/null); then
++		if _key_id=$("${KEYCTL_CMD[@]}" request logon "$_key_des" 2> /dev/null); then
+ 			ddebug "Succesfully get @u::%logon:$_key_des"
+ 		elif _get_luks_key_by_unlock "$_devuuid" "$_key_des"; then
+-			_key_id=$(keyctl request logon "$_key_des")
++			if ! _key_id=$("${KEYCTL_CMD[@]}" request logon "$_key_des"); then
++				derror "Probably you are using 'sudo kdumpctl' or 'sudo su', please retry with 'sudo -i kdumpctl'"
++				return 1
++			fi
+ 			ddebug "Succesfully get @u::%logon:$_key_des after cryptsetup"
+ 		else
+ 			derror "Failed to get logon key $_key_des. Run 'kdumpctl restart' manually to start kdump."
+@@ -1185,7 +1204,7 @@ prepare_luks()
+ 		fi
+ 
+ 		# Let the key expire after 300 seconds
+-		keyctl timeout "$_key_id" 300
++		"${KEYCTL_CMD[@]}" timeout "$_key_id" 300
+ 		mkdir "$_key_dir"
+ 		printf "%s" "$_key_des" > "$_key_dir"/description
+ 	done
+-- 
+2.51.1
+

0005-kdump-lib.sh-Adjust-default-crashkernel-reservation-.patch

@@ -1,64 +0,0 @@
-From fe18f933baed9eaa18e0c2427aaca4640d8f6fa1 Mon Sep 17 00:00:00 2001
-From: Lichen Liu <lichliu@redhat.com>
-Date: Thu, 6 Mar 2025 10:21:43 +0800
-Subject: [PATCH] kdump-lib.sh: Adjust default crashkernel reservation for
- x86_64 and s390x
-
-With new kernel features being added, both the kernel itself and the initramfs
-have gradually increased in size.
-
-Previously, we used squashfs to package and reduce the initramfs size. However,
-since squashfs will be replaced by erofs, we have transitioned to erofs. The
-compression algorithms supported by erofs differ from those used in squashfs.
-In previous squashfs implementations, we used zstd compression, but in RHEL-10,
-the erofs implementation in the kernel does not yet support zstd decompression.
-As a result, we had to switch to other compression algorithms, leading to
-changes in the initramfs size.
-
-In some scenarios, the previous 192M crashkernel reservation is no longer
-sufficient. Recent NFS testing has shown that at least 238M is required to
-successfully capture a vmcore. Given this, we have updated the default
-crashkernel reservation to start from 2G, with 256M allocated for crash
-recovery.
-
-Since 256M is a significant portion of memory on smaller systems, we have
-decided not to reserve crashkernel memory by default on systems with less
-than 2G of RAM. However, users can still manually adjust the `crashkernel=`
-setting via tools like `grubby` if needed.
-
-Signed-off-by: Lichen Liu <lichliu@redhat.com>
-Signed-off-by: Coiby Xu <coxu@redhat.com>
----
- crashkernel-howto.txt | 2 +-
- kdump-lib.sh          | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/crashkernel-howto.txt b/crashkernel-howto.txt
-index 2e99a34e..bd369cb8 100644
---- a/crashkernel-howto.txt
-+++ b/crashkernel-howto.txt
-@@ -17,7 +17,7 @@ Latest kexec-tools provides "kdumpctl get-default-crashkernel" to retrieve
- the default crashkernel value,
- 
- 	$ echo $(kdumpctl get-default-crashkernel)
--	1G-4G:192M,4G-64G:256M,64G-:512M
-+	2G-64G:256M,64G-:512M
- 
- It will be taken as the default value of 'crashkernel=', you can use
- this value as a reference for setting crashkernel value manually.
-diff --git a/kdump-lib.sh b/kdump-lib.sh
-index 5bdc4929..143f5056 100755
---- a/kdump-lib.sh
-+++ b/kdump-lib.sh
-@@ -1005,7 +1005,7 @@ kdump_get_arch_recommend_crashkernel()
- 	_arch=$(uname -m)
- 
- 	if [[ $_arch == "x86_64" ]] || [[ $_arch == "s390x" ]]; then
--		_ck_cmdline="1G-4G:192M,4G-64G:256M,64G-:512M"
-+		_ck_cmdline="2G-64G:256M,64G-:512M"
- 		is_sme_or_sev_active && ((_delta += 64))
- 	elif [[ $_arch == "aarch64" ]]; then
- 		local _running_kernel
--- 
-2.48.1
-

0006-kdump-lib.sh-Fix-all-1G-boundry-to-2G.patch

@@ -1,96 +0,0 @@
-From ca42bd690ae5e15ac5c026c646aad18fb74d0836 Mon Sep 17 00:00:00 2001
-From: Lichen Liu <lichliu@redhat.com>
-Date: Thu, 6 Mar 2025 13:58:02 +0800
-Subject: [PATCH] kdump-lib.sh: Fix all 1G boundry to 2G
-
-According to the current system requirements of Fedora[1] and RHEL[2], at least
-2G physical memory is required to install the operating system, so it is not
-meaningful to reserve crashkernel from 1G.
-
-This patch updates the default value of crashkernel for aarch64 architecture to
-reserve from 2G.
-
-Also updated the testing part.
-
-See Also:
-[1] Fedora Minimum System Configuration: https://docs.fedoraproject.org/en-US/fedora/latest/release-notes/hardware_overview/#hardware_overview-specs
-[2] Prerequisites for enabling virtualization on RHEL: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/configuring_and_managing_virtualization/assembly_enabling-virtualization-in-rhel-9_configuring-and-managing-virtualization#proc_enabling-virtualization-in-rhel-9_assembly_enabling-virtualization-in-rhel-9
-
-Signed-off-by: Lichen Liu <lichliu@redhat.com>
-Signed-off-by: Coiby Xu <coxu@redhat.com>
----
- kdump-lib.sh                             |  4 ++--
- spec/kdump-lib_spec.sh                   | 12 ++++++------
- spec/kdumpctl_manage_crashkernel_spec.sh |  4 ++--
- 3 files changed, 10 insertions(+), 10 deletions(-)
-
-diff --git a/kdump-lib.sh b/kdump-lib.sh
-index 143f5056..0961f469 100755
---- a/kdump-lib.sh
-+++ b/kdump-lib.sh
-@@ -1011,7 +1011,7 @@ kdump_get_arch_recommend_crashkernel()
- 		local _running_kernel
- 
- 		# Base line for 4K variant kernel. The formula is based on x86 plus extra = 64M
--		_ck_cmdline="1G-4G:256M,4G-64G:320M,64G-:576M"
-+		_ck_cmdline="2G-4G:256M,4G-64G:320M,64G-:576M"
- 		if [[ -z "$2" ]]; then
- 			_running_kernel=$(_get_kdump_kernel_version)
- 		else
-@@ -1021,7 +1021,7 @@ kdump_get_arch_recommend_crashkernel()
- 		# the naming convention of 64k variant suffixes with +64k, e.g. "vmlinuz-5.14.0-312.el9.aarch64+64k"
- 		if echo "$_running_kernel" | grep -q 64k; then
- 			# Without smmu, the diff of MemFree between 4K and 64K measured on a high end aarch64 machine is 82M.
--			# Picking up 100M to cover this diff. And finally, we have "1G-4G:356M;4G-64G:420M;64G-:676M"
-+			# Picking up 100M to cover this diff. And finally, we have "2G-4G:356M;4G-64G:420M;64G-:676M"
- 			((_delta += 100))
- 			# On a 64K system, the extra 384MB is calculated by: cmdq_num * 16 bytes + evtq_num * 32B + priq_num * 16B
- 			# While on a 4K system, it is negligible
-diff --git a/spec/kdump-lib_spec.sh b/spec/kdump-lib_spec.sh
-index f13372c7..daacb797 100644
---- a/spec/kdump-lib_spec.sh
-+++ b/spec/kdump-lib_spec.sh
-@@ -51,11 +51,11 @@ Describe 'kdump-lib'
- 	Describe "_crashkernel_add()"
- 		Context "For valid input values"
- 			Parameters
--				"1G-4G:256M,4G-64G:320M,64G-:576M" "100M" "1G-4G:356M,4G-64G:420M,64G-:676M"
--				"1G-4G:256M" "100" "1G-4G:268435556" # avoids any rounding when size % 1024 != 0
--				"1G-4G:256M,4G-64G:320M,64G-:576M@4G" "100M" "1G-4G:356M,4G-64G:420M,64G-:676M@4G"
--				"1G-4G:1G,4G-64G:2G,64G-:3G@4G" "100M" "1G-4G:1124M,4G-64G:2148M,64G-:3172M@4G"
--				"1G-4G:10000K,4G-64G:20000K,64G-:40000K@4G" "100M" "1G-4G:112400K,4G-64G:122400K,64G-:142400K@4G"
-+				"2G-4G:256M,4G-64G:320M,64G-:576M" "100M" "2G-4G:356M,4G-64G:420M,64G-:676M"
-+				"2G-4G:256M" "100" "2G-4G:268435556" # avoids any rounding when size % 1024 != 0
-+				"2G-4G:256M,4G-64G:320M,64G-:576M@4G" "100M" "2G-4G:356M,4G-64G:420M,64G-:676M@4G"
-+				"2G-4G:1G,4G-64G:2G,64G-:3G@4G" "100M" "2G-4G:1124M,4G-64G:2148M,64G-:3172M@4G"
-+				"2G-4G:10000K,4G-64G:20000K,64G-:40000K@4G" "100M" "2G-4G:112400K,4G-64G:122400K,64G-:142400K@4G"
- 				"1,high" "1" "2,high"
- 				"1K,low" "1" "1025,low"
- 				"128G-1T:4G" "0" "128G-1T:4G"
-@@ -74,7 +74,7 @@ Describe 'kdump-lib'
- 		End
- 		Context "For invalid input values"
- 			Parameters
--				"1G-4G:256M.4G-64G:320M" "100M"
-+				"2G-4G:256M.4G-64G:320M" "100M"
- 				"foo" "1"
- 				"1" "bar"
- 			End
-diff --git a/spec/kdumpctl_manage_crashkernel_spec.sh b/spec/kdumpctl_manage_crashkernel_spec.sh
-index 3255d9aa..5817b519 100644
---- a/spec/kdumpctl_manage_crashkernel_spec.sh
-+++ b/spec/kdumpctl_manage_crashkernel_spec.sh
-@@ -4,8 +4,8 @@ Describe 'Management of the kernel crashkernel parameter.'
- 	Include ./kdumpctl
- 	kernel1=/boot/vmlinuz-5.15.6-100.fc34.x86_64
- 	kernel2=/boot/vmlinuz-5.14.14-200.fc34.x86_64
--	old_ck=1G-4G:162M,4G-64G:256M,64G-:512M
--	new_ck=1G-4G:196M,4G-64G:256M,64G-:512M
-+	old_ck=2G-4G:162M,4G-64G:256M,64G-:512M
-+	new_ck=2G-4G:196M,4G-64G:256M,64G-:512M
- 	KDUMP_SPEC_TEST_RUN_DIR=$(mktemp -u /tmp/spec_test.XXXXXXXXXX)
- 	GRUB_CFG="$KDUMP_SPEC_TEST_RUN_DIR/grub.cfg"
- 
--- 
-2.48.1
-

README.md

@@ -0,0 +1,3 @@
+# kdump-utils
+
+The kdump-utils package

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-10
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name:  kernel-qe.kernel-ci.general-kdump.tier0.functional}

kdump-utils.spec

@@ -1,29 +1,18 @@
-## START: Set by rpmautospec
-## (rpmautospec version 0.6.5)
-## RPMAUTOSPEC: autorelease, autochangelog
-%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
-    release_number = 10;
-    base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
-    print(release_number + base_release_number - 1);
-}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
-## END: Set by rpmautospec
-
 # kdump-utils has no debug source
 %global debug_package %{nil}
 Name: kdump-utils
-Version:1.0.51
+Version:1.0.58
 Release: %autorelease -b 1
 Summary: Kernel crash dump collection utilities
 
 License: GPL-2.0-only
 URL: https://github.com/rhkdump/kdump-utils
 Source0: https://github.com/rhkdump/kdump-utils/archive/v%{version}/%{name}-%{version}.tar.gz
-Patch01: 0001-powerpc-fix-early-exit-from-udev-on-hotplug-event-fo.patch
+Patch01: 0001-Strip-surrounding-quotes-from-configuration-values.patch
-Patch02: 0002-99-kdump.conf-Omit-nouveau-and-amdgpu-module.patch
+Patch02: 0002-unit-tests-Add-case-for-quoted-configuration-values.patch
-Patch03: 0003-99-kdump.conf-Omit-hwdb-dracut-module.patch
+Patch03: 0003-Allow-kdump.service-to-access-LUKS-volume-keys.patch
-Patch04: 0004-Check-proc-sys-crypto-fips_enabled-to-tell-if-FIPS-h.patch
+Patch04: 0004-Restore-SELinux-label-of-crypttab-file.patch
-Patch05: 0005-kdump-lib.sh-Adjust-default-crashkernel-reservation-.patch
+Patch05: 0005-Allow-sudo-kdumpctl-for-LUKS-dump-target.patch
-Patch06: 0006-kdump-lib.sh-Fix-all-1G-boundry-to-2G.patch
 
 %ifarch ppc64 ppc64le
 Requires(post): servicelog
@@ -136,64 +125,4 @@ fi
 %doc supported-kdump-targets.txt
 
 %changelog
-## START: Generated by rpmautospec
+%autochangelog
-* Thu Mar 06 2025 Coiby Xu <coxu@redhat.com> - 1.0.51-10
-- kdump-lib.sh: Fix all 1G boundry to 2G
-
-* Thu Mar 06 2025 Lichen Liu <lichliu@redhat.com> - 1.0.51-9
-- Bump release for RHEL-75539
-
-* Thu Mar 06 2025 Coiby Xu <coxu@redhat.com> - 1.0.51-8
-- kdump-lib.sh: Adjust default crashkernel reservation for x86_64 and s390x
-
-* Thu Mar 06 2025 Coiby Xu <coxu@redhat.com> - 1.0.51-7
-- Check /proc/sys/crypto/fips_enabled to tell if FIPS has been enabled
-
-* Tue Feb 11 2025 Lichen Liu <lichliu@redhat.com> - 1.0.51-6
-- Let %%post scriptlet always exit successfully
-
-* Tue Jan 21 2025 Lichen Liu <lichliu@redhat.com> - 1.0.51-5
-- 99-kdump.conf: Omit hwdb dracut module
-
-* Tue Jan 21 2025 Lichen Liu <lichliu@redhat.com> - 1.0.51-4
-- 99-kdump.conf: Omit nouveau and amdgpu module
-
-* Mon Jan 13 2025 Lichen Liu <lichliu@redhat.com> - 1.0.51-3
-- Release kdump-utils-1.0.51-3
-
-* Mon Jan 13 2025 Pingfan Liu <piliu@redhat.com> - 1.0.51-2
-- powerpc: fix early exit from udev on hotplug event for fadump
-
-* Wed Dec 11 2024 Lichen Liu <lichliu@redhat.com> - 1.0.51-1
-- Rebase to upstream 1.0.51
-
-* Fri Nov 15 2024 Philipp Rudo <prudo@redhat.com> - 1.0.45-5
-- Allow ssh opts to be processed correctly
-
-* Fri Nov 01 2024 Coiby Xu <coxu@redhat.com> - 1.0.45-4
-- Set up crashkernel value for osbuild
-
-* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.0.45-3
-- Bump release for October 2024 mass rebuild:
-
-* Sun Oct 20 2024 Tao Liu <ltao@redhat.com> - 1.0.45-2
-- Return the correct exit code of rebuild initrd
-
-* Fri Oct 11 2024 Lichen Liu <lichliu@redhat.com> - 1.0.45-1
-- Rebase to upstream v1.0.45
-
-* Mon Sep 30 2024 Lichen Liu <lichliu@redhat.com> - 1.0.43-3
-- Release 1.0.43-2
-
-* Fri Sep 27 2024 Philipp Rudo <prudo@redhat.com> - 1.0.43-2
-- Enable erofs support for the kdump initrd
-
-* Mon Jul 15 2024 Lichen Liu <lichliu@redhat.com> - 1.0.43-1
-- Release 1.0.43-1
-
-* Wed Jul 10 2024 Lichen Liu <lichliu@redhat.com> - 1.0.42-2
-- Enable gating test
-
-* Wed Jul 10 2024 Lichen Liu <lichliu@redhat.com> - 1.0.42-1
-- Initial import for CentOS Stream 10
-## END: Generated by rpmautospec

sources

@@ -1 +1,2 @@
-SHA512 (kdump-utils-1.0.51.tar.gz) = 4dcad4cfa8f4434e93d712675de296a49791e430b4f697c8dcfbaddbe148b53f5ef5a77d022cf7175a7650d907346def77139370ffd27ef2f6a0f6b8c9dbfa12
+SHA512 (kdump-utils-1.0.54.tar.gz) = 8eb5b105c5614d2d206151a2261e639fa74958602fb741a725e114f7be87e866910ee530786f6e39988b15b47c477f53d22a7b563ed0aa1a09b9e96f4bb8744c
+SHA512 (kdump-utils-1.0.58.tar.gz) = b464ff17211eee6b1af795ddcd3497d72653665a888b1905830121a6226fd441ff7ad88336ac08db29453deedb7567d64e447d7ed9c5cdc615a8e85e0e1b46af