import CS kexec-tools-2.0.26-14.el8

2024-03-27 19:54:38 +00:00 · 2024-03-27 19:54:38 +00:00 · 02fbb13546
commit 02fbb13546
parent 4e334b5cd7
6 changed files with 90 additions and 56 deletions
--- a/SOURCES/dracut-early-kdump.sh
+++ b/SOURCES/dracut-early-kdump.sh
@ -49,11 +49,6 @@ early_kdump_load()

    EARLY_KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")

-    if is_secure_boot_enforced; then
-        dinfo "Secure Boot is enabled. Using kexec file based syscall."
-        EARLY_KEXEC_ARGS="$EARLY_KEXEC_ARGS -s"
-    fi
-
    # Here, only output the messages, but do not save these messages
    # to a file because the target disk may not be mounted yet, the
    # earlykdump is too early.
--- a/SOURCES/dracut-module-setup.sh
+++ b/SOURCES/dracut-module-setup.sh
@ -363,6 +363,14 @@ _get_nic_driver() {
    ethtool -i "$1" | sed -n -E "s/driver: (.*)/\1/p"
 }

+_get_hpyerv_physical_driver() {
+    local _physical_nic
+
+    _physical_nic=$(find /sys/class/net/"$1"/ -name 'lower_*' | sed -En "s/\/.*lower_(.*)/\1/p")
+    [[ -n $_physical_nic ]] || return
+    _get_nic_driver "$_physical_nic"
+}
+
 kdump_install_nic_driver() {
    local _netif _driver _drivers

@ -382,6 +390,11 @@ kdump_install_nic_driver() {
        elif [[ $_driver == "team" ]]; then
            # install the team mode drivers like team_mode_roundrobin.ko as well
            _driver='=drivers/net/team'
+        elif [[ $_driver == "hv_netvsc" ]]; then
+            # A Hyper-V VM may have accelerated networking
+            # https://learn.microsoft.com/en-us/azure/virtual-network/accelerated-networking-overview
+            # Install the driver of physical NIC as well
+            _drivers+=("$(_get_hpyerv_physical_driver "$_netif")")
        fi

        _drivers+=("$_driver")
@ -1127,6 +1140,15 @@ install() {
      's/\(^[[:space:]]*reserved_memory[[:space:]]*=\)[[:space:]]*[[:digit:]]*/\1 1024/' \
      ${initdir}/etc/lvm/lvm.conf &>/dev/null

+    # Skip initrd-cleanup.service and initrd-parse-etc.service becasue we don't
+    # need to switch root. Instead of removing them, we use ConditionPathExists
+    # to check if /proc/vmcore exists to determine if we are in kdump.
+    sed -i '/\[Unit\]/a ConditionPathExists=!\/proc\/vmcore' \
+        "${initdir}/${systemdsystemunitdir}/initrd-cleanup.service" &> /dev/null
+
+    sed -i '/\[Unit\]/a ConditionPathExists=!\/proc\/vmcore' \
+        "${initdir}/${systemdsystemunitdir}/initrd-parse-etc.service" &> /dev/null
+
    # Save more memory by dropping switch root capability
    dracut_no_switch_root
 }
--- a/SOURCES/kdump-lib.sh
+++ b/SOURCES/kdump-lib.sh
@ -529,11 +529,24 @@ get_dracut_args_target()
    echo $1 | grep "\-\-mount" | sed "s/.*--mount .\(.*\)/\1/" | cut -d' ' -f1
 }

+get_reserved_mem_size()
+{
+	local reserved_mem_size=0
+
+	if is_fadump_capable; then
+		reserved_mem_size=$(< /sys/kernel/fadump/mem_reserved)
+	else
+		reserved_mem_size=$(< /sys/kernel/kexec_crash_size)
+	fi
+
+	echo "$reserved_mem_size"
+}
+
 check_crash_mem_reserved()
 {
    local mem_reserved

-    mem_reserved=$(cat /sys/kernel/kexec_crash_size)
+    mem_reserved=$(get_reserved_mem_size)
    if [ $mem_reserved -eq 0 ]; then
        derror "No memory reserved for crash kernel"
        return 1
@ -700,6 +713,15 @@ prepare_kexec_args()
            fi
        fi
    fi
+
+    # For secureboot enabled machines, use new kexec file based syscall.
+    # Old syscall will always fail as it does not have capability to do
+    # kernel signature verification.
+    if is_secure_boot_enforced; then
+        dinfo "Secure Boot is enabled. Using kexec file based syscall."
+        kexec_args="$kexec_args -s"
+    fi
+
    echo $kexec_args
 }

--- a/SOURCES/kdumpctl
+++ b/SOURCES/kdumpctl
@ -538,28 +538,22 @@ check_fs_modified()
 check_system_modified()
 {
 	local ret
+	local CONF_ERROR=2
+	local CONF_MODIFY=1
+	local CONF_NO_MODIFY=0
+	local conf_status=$CONF_NO_MODIFY

 	[[ -f $TARGET_INITRD ]] || return 1

-	check_files_modified
+	for _func in check_files_modified check_fs_modified check_drivers_modified; do
+		$_func
 		ret=$?
-	if [ $ret -ne 0 ]; then
-		return $ret
-	fi
+		# return immediately if an error occurred.
+		[[ $ret -eq "$CONF_ERROR" ]] && return "$ret"
+		[[ $ret -eq "$CONF_MODIFY" ]] && { conf_status="$CONF_MODIFY"; }
+	done

-	check_fs_modified
-	ret=$?
-	if [ $ret -ne 0 ]; then
-		return $ret
-	fi
-
-	check_drivers_modified
-	ret=$?
-	if [ $ret -ne 0 ]; then
-		return $ret
-	fi
-
-	return 0
+	return $conf_status
 }

 check_rebuild()
@ -653,20 +647,7 @@ function load_kdump_kernel_key()
                return
        fi

-        KDUMP_KEY_ID=$(cat /usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer |
-                        keyctl padd asymmetric kernelkey-$RANDOM %:.ima)
-}
-
-# remove a previously loaded key. There's no real security implication
-# to leaving it around, we choose to do this because it makes it easier
-# to be idempotent and so as to reduce the potential for confusion.
-function remove_kdump_kernel_key()
-{
-	if [ -z "$KDUMP_KEY_ID" ]; then
-		return
-	fi
-
-	keyctl unlink $KDUMP_KEY_ID %:.ima
+	keyctl padd asymmetric "" %:.ima < "/usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer"
 }

 # Load the kdump kernel specified in /etc/sysconfig/kdump
@ -679,15 +660,6 @@ load_kdump()
 	KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
 	KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}" "${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}")

-	# For secureboot enabled machines, use new kexec file based syscall.
-	# Old syscall will always fail as it does not have capability to
-	# to kernel signature verification.
-	if is_secure_boot_enforced; then
-		dinfo "Secure Boot is enabled. Using kexec file based syscall."
-		KEXEC_ARGS="$KEXEC_ARGS -s"
-		load_kdump_kernel_key
-	fi
-
 	ddebug "$KEXEC $KEXEC_ARGS $standard_kexec_args --command-line=$KDUMP_COMMANDLINE --initrd=$TARGET_INITRD $KDUMP_KERNEL"

 	# The '12' represents an intermediate temporary file descriptor
@ -708,9 +680,7 @@ load_kdump()
 	set +x
 	exec 2>&12 12>&-

-	remove_kdump_kernel_key
-
-	if [ $ret == 0 ]; then
+	if [[ $ret == 0 ]]; then
 		dinfo "kexec: loaded kdump kernel"
 		return 0
 	else
@ -848,7 +818,7 @@ propagate_ssh_key()

 show_reserved_mem()
 {
-    local mem=$(cat /sys/kernel/kexec_crash_size)
+    local mem=$(get_reserved_mem_size)
    local mem_mb=$(expr $mem / 1024 / 1024)

    dinfo "Reserved "$mem_mb"MB memory for crash kernel"
@ -1009,7 +979,13 @@ start_fadump()

 start_dump()
 {
-	if [ $DEFAULT_DUMP_MODE == "fadump" ]; then
+	# On secure boot enabled Power systems, load kernel signing key on .ima for signature
+	# verification using kexec file based syscall.
+	if [[ "$(uname -m)" == ppc64le ]] && is_secure_boot_enforced; then
+		load_kdump_kernel_key
+	fi
+
+	if [[ $DEFAULT_DUMP_MODE == "fadump" ]]; then
 		start_fadump
 	else
 		load_kdump
@ -1270,7 +1246,7 @@ do_estimate() {
 	# The default value when using crashkernel=auto
 	baseline_size=$((baseline * size_mb))
 	# Current reserved crashkernel size
-	reserved_size=$(cat /sys/kernel/kexec_crash_size)
+	reserved_size=$(get_reserved_mem_size)
 	# A pre-estimated value for userspace usage and kernel
 	# runtime allocation, 64M should good for most cases
 	runtime_size=$((64 * size_mb))
--- a/SOURCES/supported-kdump-targets.txt
+++ b/SOURCES/supported-kdump-targets.txt
@ -35,7 +35,8 @@ updating lists accordingly.
 Supported Dump targets
 ----------------------
 storage:
-        LVM volume (no thinp)
+        LVM volume
+        Thin provisioning volume
        FC disks (qla2xxx, lpfc, bnx2fc, bfa)
        software initiator based iSCSI
        software RAID (mdraid)
@ -79,7 +80,6 @@ Unsupported Dump targets
 ------------------------
 storage:
        BIOS RAID
-        Thin provisioning volume
        Software iSCSI with iBFT (bnx2i, cxgb3i, cxgb4i)
        Software iSCSI with hybrid (be2iscsi)
        FCoE
--- a/SPECS/kexec-tools.spec
+++ b/SPECS/kexec-tools.spec
@ -1,6 +1,6 @@
 Name: kexec-tools
 Version: 2.0.26
-Release: 8%{?dist}
+Release: 14%{?dist}
 License: GPLv2
 Group: Applications/System
 Summary: The kexec/kdump userspace component
@ -396,6 +396,25 @@ done
 %endif

 %changelog
+* Wed Feb 21 2024 Pingfan Liu <piliu@redhat.com> - 2.0.26-14
+- dracut-module-setup: Skip initrd-cleanup and initrd-parse-etc in kdump
+
+* Fri Feb  2 2024 Pingfan Liu <piliu@redhat.com> - 2.0.26-13
+- dracut-module-setup.sh: also install the driver of physical NIC for Hyper-V VM with accelerated networking
+
+* Wed Nov 22 2023 Pingfan Liu <piliu@redhat.com> - 2.0.26-12
+- kdumpctl: Only returns immediately after an error occurs in check_*_modified
+
+* Thu Nov  9 2023 Pingfan Liu <piliu@redhat.com> - 2.0.26-11
+- powerpc: update kdumpctl to load kernel signing key for fadump
+- powerpc: update kdumpctl to remove deletion of kernel signing key once loaded
+
+* Tue Sep 26 2023 Pingfan Liu <piliu@redhat.com> - 2.0.26-10
+- Introduce a function to get reserved memory size
+
+* Tue Sep 19 2023 Pingfan Liu <piliu@redhat.com> - 2.0.26-9
+- Add lvm thin provision to kdump supported-kdump-targets.txt
+
 * Thu Aug 10 2023 Pingfan Liu <piliu@redhat.com> - 2.0.26-8
 - mkdumprd: Use the correct syntax to redirect the stderr to null
 - mkdumprd: call dracut with --add-device to install the drivers needed by /boot partition automatically for FIPS