Revert "kdump-lib: switch to the kexec_file_load() syscall on x86_64 by default"

This reverts commit 6a20bd5447.

Let's restore the logic of secureboot status check, and remove the
option 'KDUMP_FILE_LOAD=on|off'. We will use the option KEXEC_ARGS="-s"
to enable the kexec file load later, which can avoid failures when
the secureboot is enabled.

Signed-off-by: Lianbo Jiang <lijiang@redhat.com>
Acked-by: Dave Young <dyoung@redhat.com>

dracut-early-kdump.sh

@@ -2,7 +2,6 @@
 
 KEXEC=/sbin/kexec
 standard_kexec_args="-p"
-KDUMP_FILE_LOAD=""
 
 EARLY_KDUMP_INITRD=""
 EARLY_KDUMP_KERNEL=""
@@ -44,8 +43,8 @@ early_kdump_load()
 
     EARLY_KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
 
-    if [ "$KDUMP_FILE_LOAD" == "on" ]; then
+    if is_secure_boot_enforced; then
-        echo "Using kexec file based syscall."
+        echo "Secure Boot is enabled. Using kexec file based syscall."
         EARLY_KEXEC_ARGS="$EARLY_KEXEC_ARGS -s"
     fi
 

kdump-lib.sh

@@ -597,6 +597,35 @@ need_64bit_headers()
     print (strtonum("0x" r[2]) > strtonum("0xffffffff")); }'`
 }
 
+# Check if secure boot is being enforced.
+#
+# Per Peter Jones, we need check efivar SecureBoot-$(the UUID) and
+# SetupMode-$(the UUID), they are both 5 bytes binary data. The first four
+# bytes are the attributes associated with the variable and can safely be
+# ignored, the last bytes are one-byte true-or-false variables. If SecureBoot
+# is 1 and SetupMode is 0, then secure boot is being enforced.
+#
+# Assume efivars is mounted at /sys/firmware/efi/efivars.
+is_secure_boot_enforced()
+{
+    local secure_boot_file setup_mode_file
+    local secure_boot_byte setup_mode_byte
+
+    secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-* 2>/dev/null)
+    setup_mode_file=$(find /sys/firmware/efi/efivars -name SetupMode-* 2>/dev/null)
+
+    if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
+        secure_boot_byte=$(hexdump -v -e '/1 "%d\ "' $secure_boot_file|cut -d' ' -f 5)
+        setup_mode_byte=$(hexdump -v -e '/1 "%d\ "' $setup_mode_file|cut -d' ' -f 5)
+
+        if [ "$secure_boot_byte" = "1" ] && [ "$setup_mode_byte" = "0" ]; then
+            return 0
+        fi
+    fi
+
+    return 1
+}
+
 #
 # prepare_kexec_args <kexec args>
 # This function prepares kexec argument.

kdump.sysconfig.x86_64

@@ -38,9 +38,3 @@ KDUMP_IMG="vmlinuz"
 
 #What is the images extension.  Relocatable kernels don't have one
 KDUMP_IMG_EXT=""
-
-# Using kexec file based syscall by default
-#
-# Here, the "on" is the only valid value to enable the kexec file load and
-# anything else is equal to the "off"(disable).
-KDUMP_FILE_LOAD="on"

kdumpctl

@@ -4,7 +4,6 @@ KEXEC=/sbin/kexec
 KDUMP_KERNELVER=""
 KDUMP_COMMANDLINE=""
 KEXEC_ARGS=""
-KDUMP_FILE_LOAD=""
 KDUMP_CONFIG_FILE="/etc/kdump.conf"
 MKDUMPRD="/sbin/mkdumprd -f"
 DRACUT_MODULES_FILE="/usr/lib/dracut/modules.txt"
@@ -686,8 +685,11 @@ load_kdump()
 	KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
 	KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}" "${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}")
 
-	if [ "$KDUMP_FILE_LOAD" == "on" ]; then
+	# For secureboot enabled machines, use new kexec file based syscall.
-		echo "Using kexec file based syscall."
+	# Old syscall will always fail as it does not have capability to
+	# to kernel signature verification.
+	if is_secure_boot_enforced; then
+		echo "Secure Boot is enabled. Using kexec file based syscall."
 		KEXEC_ARGS="$KEXEC_ARGS -s"
 	fi
 
@@ -699,9 +701,6 @@ load_kdump()
 		return 0
 	else
 		echo "kexec: failed to load kdump kernel" >&2
-		if [ "$KDUMP_FILE_LOAD" == "on" ]; then
-			echo "kexec_file_load() failed, please try kexec_load()" >&2
-		fi
 		return 1
 	fi
 }
@@ -1162,7 +1161,7 @@ stop_fadump()
 
 stop_kdump()
 {
-	if [ "$KDUMP_FILE_LOAD" == "on" ]; then
+	if is_secure_boot_enforced; then
 		$KEXEC -s -p -u
 	else
 		$KEXEC -p -u