rpms
/
kexec-tools
7
0
Fork 0
Code Issues Pull Requests Releases Activity
kexec-tools/dracut-early-kdump.sh

77 lines
1.7 KiB
Bash
Raw Normal View History

Add early kdump support in initramfs. Kdump service starts too late, so early crashes will have no chance to get kdump kernel booting, this will cause crash information to be lost. It is necessary to add a dracut module in order to load crash kernel and initramfs as early as possible. You can provide "rd.early kdump" in grub commandline to enable, then the early kdump will load those files like the normal kdump, which is disabled by default. For the normal kdump service, it can check whether the early kdump has loaded the crash kernel and initramfs. It has no conflict with the early kdump. If you rebuild the new initramfs for early kdump, the new initramfs size will become large, because it will put the vmlinuz and kdump initramfs into the new initramfs. In addition, early kdump doesn't support fadump. Signed-off-by: Lianbo Jiang <lijiang@redhat.com> Reviewed-by: Kazuhito Hagio <khagio@redhat.com> Acked-by: Dave Young <dyoung@redhat.com>
2018-05-22 10:15:08 +00:00
#! /bin/sh
KEXEC=/sbin/kexec
standard_kexec_args="-p"
kdump-lib: switch to the kexec_file_load() syscall on x86_64 by default UEFI Secure boot is a signature verification mechanism, designed to prevent malicious code being loaded and executed at the early boot stage. This makes sure that code executed is trusted by firmware. Previously, with kexec_file_load() interface, kernel prevents unsigned kernel image from being loaded if secure boot is enabled. So kdump will detect whether secure boot is enabled firstly, then decide which interface is chosen to execute, kexec_load() or kexec_file_load(). Otherwise unsigned kernel loading will fail if secure boot enabled, and kexec_file_load() is entered. Now, the implementation of kexec_file_load() is adjusted in below commit. With this change, if CONFIG_KEXEC_SIG_FORCE is not set, unsigned kernel still has a chance to be allowed to load under some conditions. commit 99d5cadfde2b ("kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE") And in the current Fedora, the CONFIG_KEXEC_SIG_FORCE is not set, only the CONFIG_KEXEC_SIG and CONFIG_BZIMAGE_VERIFY_SIG are set on x86_64 by default. It's time to spread kexec_file_load() onto all systems of x86_64, including Secure-boot platforms and legacy platforms. Please refer to the following form. .----------------------------------------------------------------------. | . | signed kernel | unsigned kernel | | . types |-----------------------|-----------------------| | . |Secure boot| Legacy |Secure boot| Legacy | | . |-----------|-----------|-----------|-----------| | options . | prev| now | prev| now | | | prev| now | | . |(file|(file|(only|(file| prev| now |(only|(file| | . |load)|load)|load)|load)| | |load)|load)| |----------------------|-----|-----|-----|-----|-----|-----|-----|-----| |KEXEC_SIG=y | | | | | | | | | |SIG_FORCE is not set |succ |succ |succ |succ | X | X |succ |succ | |BZIMAGE_VERIFY_SIG=y | | | | | | | | | |----------------------|-----|-----|-----|-----|-----|-----|-----|-----| |KEXEC_SIG=y | | | | | | | | | |SIG_FORCE is not set | | | | | | | | | |BZIMAGE_VERIFY_SIG is |fail |fail |succ |fail | X | X |succ |fail | |not set | | | | | | | | | |----------------------|-----|-----|-----|-----|-----|-----|-----|-----| |KEXEC_SIG=y | | | | | | | | | |SIG_FORCE=y |succ |succ |succ |fail | X | X |succ |fail | |BZIMAGE_VERIFY_SIG=y | | | | | | | | | |----------------------|-----|-----|-----|-----|-----|-----|-----|-----| |KEXEC_SIG=y | | | | | | | | | |SIG_FORCE=y | | | | | | | | | |BZIMAGE_VERIFY_SIG is |fail |fail |succ |fail | X | X |succ |fail | |not set | | | | | | | | | |----------------------|-----|-----|-----|-----|-----|-----|-----|-----| |KEXEC_SIG is not set | | | | | | | | | |SIG_FORCE is not set | | | | | | | | | |BZIMAGE_VERIFY_SIG is |fail |fail |succ |succ | X | X |succ |succ | |not set | | | | | | | | | ---------------------------------------------------------------------- Note: [1] The 'X' indicates that the 1st kernel(unsigned) can not boot when the Secure boot is enabled. Hence, in this patch, if on x86_64, let's use the kexec_file_load() only. See if anything wrong happened in this case, in Fedora firstly for the time being. Signed-off-by: Lianbo Jiang <lijiang@redhat.com> Acked-by: Kairui Song <kasong@redhat.com>
2020-01-16 05:47:35 +00:00
KDUMP_FILE_LOAD=""
Add early kdump support in initramfs. Kdump service starts too late, so early crashes will have no chance to get kdump kernel booting, this will cause crash information to be lost. It is necessary to add a dracut module in order to load crash kernel and initramfs as early as possible. You can provide "rd.early kdump" in grub commandline to enable, then the early kdump will load those files like the normal kdump, which is disabled by default. For the normal kdump service, it can check whether the early kdump has loaded the crash kernel and initramfs. It has no conflict with the early kdump. If you rebuild the new initramfs for early kdump, the new initramfs size will become large, because it will put the vmlinuz and kdump initramfs into the new initramfs. In addition, early kdump doesn't support fadump. Signed-off-by: Lianbo Jiang <lijiang@redhat.com> Reviewed-by: Kazuhito Hagio <khagio@redhat.com> Acked-by: Dave Young <dyoung@redhat.com>
2018-05-22 10:15:08 +00:00
EARLY_KDUMP_INITRD=""
EARLY_KDUMP_KERNEL=""
EARLY_KDUMP_CMDLINE=""
EARLY_KDUMP_KERNELVER=""
EARLY_KEXEC_ARGS=""
. /etc/sysconfig/kdump
. /lib/dracut-lib.sh
. /lib/kdump-lib.sh
prepare_parameters()
{
EARLY_KDUMP_CMDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}" "${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}")
KDUMP_BOOTDIR=$(check_boot_dir "${KDUMP_BOOTDIR}")
earlykdump: generate symlink with stable name to kernel image and iniramfs There is currently a problem with earlykdump image building, when a user is upgrading kernel, dracut will generate new initramfs for the new kernel, and earlykdump will install currently running version of kernel into the initramfs, and remain the version based kernel image naming untouched. But after a reboot the new kernel is running, and it will try to load the image corresponding to the new kernel version by file naming. This patch fixes the problem by creating a symlink with unified stable naming to the installed kernel image and initramfs, and use the symlink instand so it will always work despite the kernel version number change. Signed-off-by: Kairui Song <kasong@redhat.com> Acked-by: Dave Young <dyoung@redhat.com>
2019-01-10 10:07:41 +00:00
EARLY_KDUMP_KERNEL="${KDUMP_BOOTDIR}/${KDUMP_IMG}-earlykdump${KDUMP_IMG_EXT}"
EARLY_KDUMP_INITRD="${KDUMP_BOOTDIR}/initramfs-earlykdump.img"
Add early kdump support in initramfs. Kdump service starts too late, so early crashes will have no chance to get kdump kernel booting, this will cause crash information to be lost. It is necessary to add a dracut module in order to load crash kernel and initramfs as early as possible. You can provide "rd.early kdump" in grub commandline to enable, then the early kdump will load those files like the normal kdump, which is disabled by default. For the normal kdump service, it can check whether the early kdump has loaded the crash kernel and initramfs. It has no conflict with the early kdump. If you rebuild the new initramfs for early kdump, the new initramfs size will become large, because it will put the vmlinuz and kdump initramfs into the new initramfs. In addition, early kdump doesn't support fadump. Signed-off-by: Lianbo Jiang <lijiang@redhat.com> Reviewed-by: Kazuhito Hagio <khagio@redhat.com> Acked-by: Dave Young <dyoung@redhat.com>
2018-05-22 10:15:08 +00:00
}
early_kdump_load()
{
check_kdump_feasibility
if [ $? -ne 0 ]; then
return 1
fi
if is_fadump_capable; then
echo "WARNING: early kdump doesn't support fadump."
return 1
fi
check_current_kdump_status
if [ $? == 0 ]; then
return 1
fi
prepare_parameters
EARLY_KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
kdump-lib: switch to the kexec_file_load() syscall on x86_64 by default UEFI Secure boot is a signature verification mechanism, designed to prevent malicious code being loaded and executed at the early boot stage. This makes sure that code executed is trusted by firmware. Previously, with kexec_file_load() interface, kernel prevents unsigned kernel image from being loaded if secure boot is enabled. So kdump will detect whether secure boot is enabled firstly, then decide which interface is chosen to execute, kexec_load() or kexec_file_load(). Otherwise unsigned kernel loading will fail if secure boot enabled, and kexec_file_load() is entered. Now, the implementation of kexec_file_load() is adjusted in below commit. With this change, if CONFIG_KEXEC_SIG_FORCE is not set, unsigned kernel still has a chance to be allowed to load under some conditions. commit 99d5cadfde2b ("kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE") And in the current Fedora, the CONFIG_KEXEC_SIG_FORCE is not set, only the CONFIG_KEXEC_SIG and CONFIG_BZIMAGE_VERIFY_SIG are set on x86_64 by default. It's time to spread kexec_file_load() onto all systems of x86_64, including Secure-boot platforms and legacy platforms. Please refer to the following form. .----------------------------------------------------------------------. | . | signed kernel | unsigned kernel | | . types |-----------------------|-----------------------| | . |Secure boot| Legacy |Secure boot| Legacy | | . |-----------|-----------|-----------|-----------| | options . | prev| now | prev| now | | | prev| now | | . |(file|(file|(only|(file| prev| now |(only|(file| | . |load)|load)|load)|load)| | |load)|load)| |----------------------|-----|-----|-----|-----|-----|-----|-----|-----| |KEXEC_SIG=y | | | | | | | | | |SIG_FORCE is not set |succ |succ |succ |succ | X | X |succ |succ | |BZIMAGE_VERIFY_SIG=y | | | | | | | | | |----------------------|-----|-----|-----|-----|-----|-----|-----|-----| |KEXEC_SIG=y | | | | | | | | | |SIG_FORCE is not set | | | | | | | | | |BZIMAGE_VERIFY_SIG is |fail |fail |succ |fail | X | X |succ |fail | |not set | | | | | | | | | |----------------------|-----|-----|-----|-----|-----|-----|-----|-----| |KEXEC_SIG=y | | | | | | | | | |SIG_FORCE=y |succ |succ |succ |fail | X | X |succ |fail | |BZIMAGE_VERIFY_SIG=y | | | | | | | | | |----------------------|-----|-----|-----|-----|-----|-----|-----|-----| |KEXEC_SIG=y | | | | | | | | | |SIG_FORCE=y | | | | | | | | | |BZIMAGE_VERIFY_SIG is |fail |fail |succ |fail | X | X |succ |fail | |not set | | | | | | | | | |----------------------|-----|-----|-----|-----|-----|-----|-----|-----| |KEXEC_SIG is not set | | | | | | | | | |SIG_FORCE is not set | | | | | | | | | |BZIMAGE_VERIFY_SIG is |fail |fail |succ |succ | X | X |succ |succ | |not set | | | | | | | | | ---------------------------------------------------------------------- Note: [1] The 'X' indicates that the 1st kernel(unsigned) can not boot when the Secure boot is enabled. Hence, in this patch, if on x86_64, let's use the kexec_file_load() only. See if anything wrong happened in this case, in Fedora firstly for the time being. Signed-off-by: Lianbo Jiang <lijiang@redhat.com> Acked-by: Kairui Song <kasong@redhat.com>
2020-01-16 05:47:35 +00:00
if [ "$KDUMP_FILE_LOAD" == "on" ]; then
echo "Using kexec file based syscall."
Add early kdump support in initramfs. Kdump service starts too late, so early crashes will have no chance to get kdump kernel booting, this will cause crash information to be lost. It is necessary to add a dracut module in order to load crash kernel and initramfs as early as possible. You can provide "rd.early kdump" in grub commandline to enable, then the early kdump will load those files like the normal kdump, which is disabled by default. For the normal kdump service, it can check whether the early kdump has loaded the crash kernel and initramfs. It has no conflict with the early kdump. If you rebuild the new initramfs for early kdump, the new initramfs size will become large, because it will put the vmlinuz and kdump initramfs into the new initramfs. In addition, early kdump doesn't support fadump. Signed-off-by: Lianbo Jiang <lijiang@redhat.com> Reviewed-by: Kazuhito Hagio <khagio@redhat.com> Acked-by: Dave Young <dyoung@redhat.com>
2018-05-22 10:15:08 +00:00
EARLY_KEXEC_ARGS="$EARLY_KEXEC_ARGS -s"
fi
$KEXEC ${EARLY_KEXEC_ARGS} $standard_kexec_args \
--command-line="$EARLY_KDUMP_CMDLINE" \
--initrd=$EARLY_KDUMP_INITRD $EARLY_KDUMP_KERNEL
if [ $? == 0 ]; then
echo "kexec: loaded early-kdump kernel"
return 0
else
echo "kexec: failed to load early-kdump kernel"
return 1
fi
}
set_early_kdump()
{
if getargbool 0 rd.earlykdump; then
echo "early-kdump is enabled."
early_kdump_load
else
echo "early-kdump is disabled."
fi
return 0
}
set_early_kdump