From 5e46226b90d85c0ac02bb9bb3cb6f33e40f685fb Mon Sep 17 00:00:00 2001
From: Coiby Xu
Date: Thu, 19 Oct 2023 10:08:11 +0800
Subject: [PATCH] powerpc: update kdumpctl to load kernel signing key for fadump
Resolves: https://issues.redhat.com/browse/RHEL-14002
Upstream: Fedora
Conflict: there are changes in format.
commit 4fa17b2ee4a6089cddd3c4b929840f4faf72ff98
Author: Nayna Jain
Date: Tue Oct 3 23:41:47 2023 -0400
powerpc: update kdumpctl to load kernel signing key for fadump
On secure boot enabled systems with static keys, kexec with kexec_file_load(-s) fails as "Permission Denied" when fadump is enabled. Similar to kdump, load kernel signing key for fadump as well.
Reported-by: Sachin P Bappalige
Signed-off-by: Nayna Jain
Signed-off-by: Coiby Xu
---
 dracut-early-kdump.sh | 5 -----
 kdump-lib.sh | 9 +++++++++
 kdumpctl | 17 +++++++----------
 3 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/dracut-early-kdump.sh b/dracut-early-kdump.sh
index 129841e..0124564 100755
--- a/dracut-early-kdump.sh
+++ b/dracut-early-kdump.sh
@@ -49,11 +49,6 @@ early_kdump_load()
 EARLY_KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
- if is_secure_boot_enforced; then
- dinfo "Secure Boot is enabled. Using kexec file based syscall."
- EARLY_KEXEC_ARGS="$EARLY_KEXEC_ARGS -s"
- fi
-
 # Here, only output the messages, but do not save these messages
 # to a file because the target disk may not be mounted yet, the
 # earlykdump is too early.
diff --git a/kdump-lib.sh b/kdump-lib.sh
index 24c3e63..8dd63a6 100755
--- a/kdump-lib.sh
+++ b/kdump-lib.sh
@@ -713,6 +713,15 @@ prepare_kexec_args()
 fi
 fi
 fi
+
+ # For secureboot enabled machines, use new kexec file based syscall.
+ # Old syscall will always fail as it does not have capability to do
+ # kernel signature verification.
+ if is_secure_boot_enforced; then
+ dinfo "Secure Boot is enabled. Using kexec file based syscall."
+ kexec_args="$kexec_args -s"
+ fi
+
 echo $kexec_args
 }
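Review bot: `prepare_kexec_args` returns its result on stdout (`echo $kexec_args`), and both callers visible in this patch capture it with `$(prepare_kexec_args "${KEXEC_ARGS}")`, so the `dinfo` call added inside the function is safe only if the logger never writes to stdout. The logger is not visible here, so that should be confirmed, or the message redirected explicitly: `dinfo "Secure Boot is enabled. Using kexec file based syscall." >&2`. The appended `-s` is also unconditional, so a configured KEXEC_ARGS that already selects a syscall (`-s`, `-c` or `-a`) ends up with two selectors on the command line; a comment saying that `-s` is meant to take precedence under enforced Secure Boot would make the intent explicit. The function begins above the hunk.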
diff --git a/kdumpctl b/kdumpctl
index c41e6f5..1df9822 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -666,15 +666,6 @@ load_kdump()
 KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
 KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}" "${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}")
- # For secureboot enabled machines, use new kexec file based syscall.
- # Old syscall will always fail as it does not have capability to
- # to kernel signature verification.
- if is_secure_boot_enforced; then
- dinfo "Secure Boot is enabled. Using kexec file based syscall."
- KEXEC_ARGS="$KEXEC_ARGS -s"
- load_kdump_kernel_key
- fi
-
 ddebug "$KEXEC $KEXEC_ARGS $standard_kexec_args --command-line=$KDUMP_COMMANDLINE --initrd=$TARGET_INITRD $KDUMP_KERNEL"
 # The '12' represents an intermediate temporary file descriptor
@@ -994,7 +985,13 @@ start_fadump()
 start_dump()
 {
- if [ $DEFAULT_DUMP_MODE == "fadump" ]; then
+ # On secure boot enabled Power systems, load kernel signing key on .ima for signature
+ # verification using kexec file based syscall.
+ if [[ "$(uname -m)" == ppc64le ]] && is_secure_boot_enforced; then
+ load_kdump_kernel_key
+ fi
+
+ if [[ $DEFAULT_DUMP_MODE == "fadump" ]]; then
 start_fadump
 else
 load_kdump
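Review bot: The result of `load_kdump_kernel_key` in `start_dump` is not checked, so if the key cannot be added the script carries on and the later `kexec -s` load fails with the same "Permission Denied" this commit addresses, with nothing in the log pointing at the key. Assuming the helper reports failure through its exit status (its body is not visible here), a guarded call such as `load_kdump_kernel_key || dwarn "Failed to load kernel signing key"` would make the cause visible. Because the key is now loaded before either dump mode starts, it is also worth confirming that whatever removes it again after a kdump load is reached on the fadump path as well, so the signing key does not stay on `.ima` longer than the load needs it. The body of `start_dump` continues past the end of the hunk.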