From 24020b226a696f924791d1094e3708ddecc9c870 Mon Sep 17 00:00:00 2001
From: Coiby Xu
Date: Wed, 18 Oct 2023 14:54:47 +0800
Subject: [PATCH] powerpc: update kdumpctl to load kernel signing key for fadump
Resolves: https://issues.redhat.com/browse/RHEL-14003
Upstream: Fedora
Conflict: None
commit 4fa17b2ee4a6089cddd3c4b929840f4faf72ff98
Author: Nayna Jain
Date: Tue Oct 3 23:41:47 2023 -0400
powerpc: update kdumpctl to load kernel signing key for fadump
On secure boot enabled systems with static keys, kexec with kexec_file_load(-s) fails as "Permission Denied" when fadump is enabled. Similar to kdump, load kernel signing key for fadump as well.
Reported-by: Sachin P Bappalige
Signed-off-by: Nayna Jain
Signed-off-by: Coiby Xu
---
 dracut-early-kdump.sh | 5 -----
 kdump-lib.sh | 9 +++++++++
 kdumpctl | 15 ++++++---------
 3 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/dracut-early-kdump.sh b/dracut-early-kdump.sh
index 2a8652e..c7cdc42 100755
--- a/dracut-early-kdump.sh
+++ b/dracut-early-kdump.sh
@@ -46,11 +46,6 @@ early_kdump_load()
 EARLY_KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
- if is_secure_boot_enforced; then
- dinfo "Secure Boot is enabled. Using kexec file based syscall."
- EARLY_KEXEC_ARGS="$EARLY_KEXEC_ARGS -s"
- fi
-
 # Here, only output the messages, but do not save these messages
 # to a file because the target disk may not be mounted yet, the
 # earlykdump is too early.
diff --git a/kdump-lib.sh b/kdump-lib.sh
index 3f5f5fb..9a21a18 100755
--- a/kdump-lib.sh
+++ b/kdump-lib.sh
@@ -636,6 +636,15 @@ prepare_kexec_args()
 fi
 fi
 fi
+
+ # For secureboot enabled machines, use new kexec file based syscall.
+ # Old syscall will always fail as it does not have capability to do
+ # kernel signature verification.
+ if is_secure_boot_enforced; then
+ dinfo "Secure Boot is enabled. Using kexec file based syscall."
+ kexec_args="$kexec_args -s"
+ fi
+
 echo "$kexec_args"
 }
diff --git a/kdumpctl b/kdumpctl
index 82e7b2b..fb5b35a 100755
--- a/kdumpctl
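Review bot: The `dinfo` call added to prepare_kexec_args in kdump-lib.sh runs inside a function whose stdout is its return value: the hunk ends with `echo "$kexec_args"`, and the callers on this page capture it with `$(prepare_kexec_args "${KEXEC_ARGS}")`. If dinfo ever writes to stdout, the log text would be folded into the kexec argument string, so the block should either redirect explicitly (`dinfo "Secure Boot is enabled. Using kexec file based syscall." >&2`) or carry a comment such as `# dinfo must log to stderr: stdout of this function is the argument list`. The append is also unconditional, so an argument string that already contains `-s` would presumably get it twice. prepare_kexec_args starts before the hunk, so its earlier handling of kexec_args is not visible here.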
+++ b/kdumpctl
@@ -650,15 +650,6 @@ load_kdump()
 KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
 KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}" "${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}")
- # For secureboot enabled machines, use new kexec file based syscall.
- # Old syscall will always fail as it does not have capability to
- # to kernel signature verification.
- if is_secure_boot_enforced; then
- dinfo "Secure Boot is enabled. Using kexec file based syscall."
- KEXEC_ARGS="$KEXEC_ARGS -s"
- load_kdump_kernel_key
- fi
-
 if is_uki "$KDUMP_KERNEL"; then
 uki=$KDUMP_KERNEL
 KDUMP_KERNEL=$KDUMP_TMPDIR/vmlinuz
@@ -976,6 +967,12 @@ start_fadump()
 start_dump()
 {
+ # On secure boot enabled Power systems, load kernel signing key on .ima for signature
+ # verification using kexec file based syscall.
+ if [[ "$(uname -m)" == ppc64le ]] && is_secure_boot_enforced; then
+ load_kdump_kernel_key
+ fi
+
 if [[ $DEFAULT_DUMP_MODE == "fadump" ]]; then
 start_fadump
 else
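Review bot: The result of `load_kdump_kernel_key` in start_dump (kdumpctl) is not checked, so a failed key load would surface later as the same opaque "Permission Denied" from the `-s` load that this commit sets out to fix. Assuming the helper reports failure through its exit status, `load_kdump_kernel_key || derror "Failed to load kernel signing key"` would make the cause visible. The call was also removed from load_kdump in the previous hunk, so any path that reaches load_kdump without going through start_dump (none is visible here) would now pass `-s` on ppc64le without the key on `.ima`. It is also worth confirming that the key is removed again after the fadump path, since a signing key left on the keyring widens what the kernel will accept. start_dump's body continues past the end of the hunk.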