diff --git a/dracut-early-kdump.sh b/dracut-early-kdump.sh index 6788a6b..69a34eb 100755 --- a/dracut-early-kdump.sh +++ b/dracut-early-kdump.sh @@ -2,7 +2,6 @@ KEXEC=/sbin/kexec standard_kexec_args="-p" -KDUMP_FILE_LOAD="" EARLY_KDUMP_INITRD="" EARLY_KDUMP_KERNEL="" @@ -44,8 +43,8 @@ early_kdump_load() EARLY_KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}") - if [ "$KDUMP_FILE_LOAD" == "on" ]; then - echo "Using kexec file based syscall." + if is_secure_boot_enforced; then + echo "Secure Boot is enabled. Using kexec file based syscall." EARLY_KEXEC_ARGS="$EARLY_KEXEC_ARGS -s" fi diff --git a/kdump-lib.sh b/kdump-lib.sh index 6f250d4..f78e064 100755 --- a/kdump-lib.sh +++ b/kdump-lib.sh @@ -597,6 +597,35 @@ need_64bit_headers() print (strtonum("0x" r[2]) > strtonum("0xffffffff")); }'` } +# Check if secure boot is being enforced. +# +# Per Peter Jones, we need check efivar SecureBoot-$(the UUID) and +# SetupMode-$(the UUID), they are both 5 bytes binary data. The first four +# bytes are the attributes associated with the variable and can safely be +# ignored, the last bytes are one-byte true-or-false variables. If SecureBoot +# is 1 and SetupMode is 0, then secure boot is being enforced. +# +# Assume efivars is mounted at /sys/firmware/efi/efivars. +is_secure_boot_enforced() +{ + local secure_boot_file setup_mode_file + local secure_boot_byte setup_mode_byte + + secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-* 2>/dev/null) + setup_mode_file=$(find /sys/firmware/efi/efivars -name SetupMode-* 2>/dev/null) + + if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then + secure_boot_byte=$(hexdump -v -e '/1 "%d\ "' $secure_boot_file|cut -d' ' -f 5) + setup_mode_byte=$(hexdump -v -e '/1 "%d\ "' $setup_mode_file|cut -d' ' -f 5) + + if [ "$secure_boot_byte" = "1" ] && [ "$setup_mode_byte" = "0" ]; then + return 0 + fi + fi + + return 1 +} + # # prepare_kexec_args # This function prepares kexec argument. diff --git a/kdump.sysconfig.x86_64 b/kdump.sysconfig.x86_64 index e47e195..f67d999 100644 --- a/kdump.sysconfig.x86_64 +++ b/kdump.sysconfig.x86_64 @@ -38,9 +38,3 @@ KDUMP_IMG="vmlinuz" #What is the images extension. Relocatable kernels don't have one KDUMP_IMG_EXT="" - -# Using kexec file based syscall by default -# -# Here, the "on" is the only valid value to enable the kexec file load and -# anything else is equal to the "off"(disable). -KDUMP_FILE_LOAD="on" diff --git a/kdumpctl b/kdumpctl index 70fb551..d3ec4d7 100755 --- a/kdumpctl +++ b/kdumpctl @@ -4,7 +4,6 @@ KEXEC=/sbin/kexec KDUMP_KERNELVER="" KDUMP_COMMANDLINE="" KEXEC_ARGS="" -KDUMP_FILE_LOAD="" KDUMP_CONFIG_FILE="/etc/kdump.conf" MKDUMPRD="/sbin/mkdumprd -f" DRACUT_MODULES_FILE="/usr/lib/dracut/modules.txt" @@ -686,8 +685,11 @@ load_kdump() KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}") KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}" "${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}") - if [ "$KDUMP_FILE_LOAD" == "on" ]; then - echo "Using kexec file based syscall." + # For secureboot enabled machines, use new kexec file based syscall. + # Old syscall will always fail as it does not have capability to + # to kernel signature verification. + if is_secure_boot_enforced; then + echo "Secure Boot is enabled. Using kexec file based syscall." KEXEC_ARGS="$KEXEC_ARGS -s" fi @@ -699,9 +701,6 @@ load_kdump() return 0 else echo "kexec: failed to load kdump kernel" >&2 - if [ "$KDUMP_FILE_LOAD" == "on" ]; then - echo "kexec_file_load() failed, please try kexec_load()" >&2 - fi return 1 fi } @@ -1162,7 +1161,7 @@ stop_fadump() stop_kdump() { - if [ "$KDUMP_FILE_LOAD" == "on" ]; then + if is_secure_boot_enforced; then $KEXEC -s -p -u else $KEXEC -p -u