powerpc: update kdumpctl to load kernel signing key for fadump
Resolves: https://issues.redhat.com/browse/RHEL-14003 Upstream: Fedora Conflict: None commit 4fa17b2ee4a6089cddd3c4b929840f4faf72ff98 Author: Nayna Jain <nayna@linux.ibm.com> Date: Tue Oct 3 23:41:47 2023 -0400 powerpc: update kdumpctl to load kernel signing key for fadump On secure boot enabled systems with static keys, kexec with kexec_file_load(-s) fails as "Permission Denied" when fadump is enabled. Similar to kdump, load kernel signing key for fadump as well. Reported-by: Sachin P Bappalige <sachinpb@linux.vnet.ibm.com> Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Signed-off-by: Coiby Xu <coxu@redhat.com>
parent
b3263494ef
commit
24020b226a
|
@ -46,11 +46,6 @@ early_kdump_load()
|
||||||
|
|
||||||
EARLY_KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
|
EARLY_KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
|
||||||
|
|
||||||
if is_secure_boot_enforced; then
|
|
||||||
dinfo "Secure Boot is enabled. Using kexec file based syscall."
|
|
||||||
EARLY_KEXEC_ARGS="$EARLY_KEXEC_ARGS -s"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Here, only output the messages, but do not save these messages
|
# Here, only output the messages, but do not save these messages
|
||||||
# to a file because the target disk may not be mounted yet, the
|
# to a file because the target disk may not be mounted yet, the
|
||||||
# earlykdump is too early.
|
# earlykdump is too early.
|
||||||
|
|
|
@ -636,6 +636,15 @@ prepare_kexec_args()
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# For secureboot enabled machines, use new kexec file based syscall.
|
||||||
|
# Old syscall will always fail as it does not have capability to do
|
||||||
|
# kernel signature verification.
|
||||||
|
if is_secure_boot_enforced; then
|
||||||
|
dinfo "Secure Boot is enabled. Using kexec file based syscall."
|
||||||
|
kexec_args="$kexec_args -s"
|
||||||
|
fi
|
||||||
|
|
||||||
echo "$kexec_args"
|
echo "$kexec_args"
|
||||||
}
|
}
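Review bot: The `dinfo` call added to prepare_kexec_args now runs inside a command substitution, because both visible callers capture the function's output with `$(prepare_kexec_args "${KEXEC_ARGS}")`. If dinfo can write to stdout (its definition is not in this diff), the log text would be folded into the argument string handed to kexec, so confirm it only logs to stderr or the journal, or redirect it explicitly with `dinfo "Secure Boot is enabled. Using kexec file based syscall." >&2`. It may also be worth skipping the append when the caller's arguments already carry the flag, e.g. `[[ " $kexec_args " == *" -s "* ]] || kexec_args="$kexec_args -s"`. The function begins above this hunk, so the earlier argument handling is not visible here.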
|
||||||
|
|
||||||
|
|
15
kdumpctl
15
kdumpctl
|
@ -650,15 +650,6 @@ load_kdump()
|
||||||
KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
|
KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
|
||||||
KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}" "${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}")
|
KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}" "${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}")
|
||||||
|
|
||||||
# For secureboot enabled machines, use new kexec file based syscall.
|
|
||||||
# Old syscall will always fail as it does not have capability to
|
|
||||||
# to kernel signature verification.
|
|
||||||
if is_secure_boot_enforced; then
|
|
||||||
dinfo "Secure Boot is enabled. Using kexec file based syscall."
|
|
||||||
KEXEC_ARGS="$KEXEC_ARGS -s"
|
|
||||||
load_kdump_kernel_key
|
|
||||||
fi
|
|
||||||
|
|
||||||
if is_uki "$KDUMP_KERNEL"; then
|
if is_uki "$KDUMP_KERNEL"; then
|
||||||
uki=$KDUMP_KERNEL
|
uki=$KDUMP_KERNEL
|
||||||
KDUMP_KERNEL=$KDUMP_TMPDIR/vmlinuz
|
KDUMP_KERNEL=$KDUMP_TMPDIR/vmlinuz
|
||||||
|
@ -976,6 +967,12 @@ start_fadump()
|
||||||
|
|
||||||
start_dump()
|
start_dump()
|
||||||
{
|
{
|
||||||
|
# On secure boot enabled Power systems, load kernel signing key on .ima for signature
|
||||||
|
# verification using kexec file based syscall.
|
||||||
|
if [[ "$(uname -m)" == ppc64le ]] && is_secure_boot_enforced; then
|
||||||
|
load_kdump_kernel_key
|
||||||
|
fi
|
||||||
|
|
||||||
if [[ $DEFAULT_DUMP_MODE == "fadump" ]]; then
|
if [[ $DEFAULT_DUMP_MODE == "fadump" ]]; then
|
||||||
start_fadump
|
start_fadump
|
||||||
else
|
else
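Review bot: The result of `load_kdump_kernel_key` in start_dump is not checked, so a failed key load carries on into start_fadump and only surfaces later as the "Permission Denied" from the file-based kexec call that the commit message describes. Consider reporting it where it happens, e.g. `load_kdump_kernel_key || dwarn "Could not load kernel signing key; signed kexec load may be rejected"` (assuming the helper returns non-zero on failure; its body is not in this diff). The call also moved from load_kdump, where it ran under `is_secure_boot_enforced` on any architecture, to a `ppc64le`-only guard, so confirm the helper was already a no-op on other platforms. The diff shows no matching removal of the key on the fadump branch; if the kdump path unloads it once the kernel is loaded, fadump should not leave it on the .ima keyring longer than needed. start_dump continues past the end of this hunk.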
|
||||||
|
|