rpms/kexec-tools
5
0
Fork 0
Code Issues Pull Requests Releases Activity

powerpc: update kdumpctl to load kernel signing key for fadump

Browse Source 
Resolves: https://issues.redhat.com/browse/RHEL-14002
Upstream: Fedora
Conflict: there are changes in format.

commit 4fa17b2ee4
Author: Nayna Jain <nayna@linux.ibm.com>
Date:   Tue Oct 3 23:41:47 2023 -0400

    powerpc: update kdumpctl to load kernel signing key for fadump

    On secure boot enabled systems with static keys, kexec with kexec_file_load(-s)
    fails as "Permission Denied" when fadump is enabled.

    Similar to kdump, load kernel signing key for fadump as well.

    Reported-by: Sachin P Bappalige <sachinpb@linux.vnet.ibm.com>
    Signed-off-by: Nayna Jain <nayna@linux.ibm.com>

Signed-off-by: Coiby Xu <coxu@redhat.com>
This commit is contained in:
Coiby Xu 2023-10-19 10:08:11 +08:00 committed by Pingfan Liu
parent 60110edf7a
commit 5e46226b90
3 changed files with 16 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
dracut-early-kdump.sh
View File

@ -49,11 +49,6 @@ early_kdump_load()
EARLY_KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}") EARLY_KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
if is_secure_boot_enforced; then
dinfo "Secure Boot is enabled. Using kexec file based syscall."
EARLY_KEXEC_ARGS="$EARLY_KEXEC_ARGS -s"
fi
# Here, only output the messages, but do not save these messages # Here, only output the messages, but do not save these messages
# to a file because the target disk may not be mounted yet, the # to a file because the target disk may not be mounted yet, the
# earlykdump is too early. # earlykdump is too early.

9
kdump-lib.sh
View File

@ -713,6 +713,15 @@ prepare_kexec_args()
fi fi
fi fi
fi fi
# For secureboot enabled machines, use new kexec file based syscall.
# Old syscall will always fail as it does not have capability to do
# kernel signature verification.
if is_secure_boot_enforced; then
dinfo "Secure Boot is enabled. Using kexec file based syscall."
kexec_args="$kexec_args -s"
fi
echo $kexec_args echo $kexec_args
} }

17
kdumpctl
View File

@ -666,15 +666,6 @@ load_kdump()
KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}") KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}" "${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}") KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}" "${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}")
# For secureboot enabled machines, use new kexec file based syscall.
# Old syscall will always fail as it does not have capability to
# to kernel signature verification.
if is_secure_boot_enforced; then
dinfo "Secure Boot is enabled. Using kexec file based syscall."
KEXEC_ARGS="$KEXEC_ARGS -s"
load_kdump_kernel_key
fi
ddebug "$KEXEC $KEXEC_ARGS $standard_kexec_args --command-line=$KDUMP_COMMANDLINE --initrd=$TARGET_INITRD $KDUMP_KERNEL" ddebug "$KEXEC $KEXEC_ARGS $standard_kexec_args --command-line=$KDUMP_COMMANDLINE --initrd=$TARGET_INITRD $KDUMP_KERNEL"
# The '12' represents an intermediate temporary file descriptor # The '12' represents an intermediate temporary file descriptor
@ -994,7 +985,13 @@ start_fadump()
start_dump() start_dump()
{ {
if [ $DEFAULT_DUMP_MODE == "fadump" ]; then # On secure boot enabled Power systems, load kernel signing key on .ima for signature
# verification using kexec file based syscall.
if [[ "$(uname -m)" == ppc64le ]] && is_secure_boot_enforced; then
load_kdump_kernel_key
fi
if [[ $DEFAULT_DUMP_MODE == "fadump" ]]; then
start_fadump start_fadump
else else
load_kdump load_kdump