From 60110edf7aa4e0a1bb28171b9f919330461f7a1a Mon Sep 17 00:00:00 2001
From: Coiby Xu
Date: Thu, 19 Oct 2023 10:03:05 +0800
Subject: [PATCH] powerpc: update kdumpctl to remove deletion of kernel signing key once loaded

Resolves: https://issues.redhat.com/browse/RHEL-14002
Upstream: Fedora
Conflict: There are changes on format

commit fe6eb30e6756d3c13bb7485a08f066b18cd1594b
Author: Nayna Jain
Date: Tue Oct 3 23:41:46 2023 -0400

powerpc: update kdumpctl to remove deletion of kernel signing key once loaded

Kernel signing key is deleted once kdump is loaded. This causes confusion in debugging since key is no longer visible. Unless someone knows how kdumpctl script works, it is difficult to find out how kdump could be loaded when there is no key on .ima keyring.

Remove deletion of kernel signing key once loaded. And then to prevent multiple loading of same key when kdump service is disabled/enabled, update key description field as well.

Suggested-by: Mimi Zohar
Signed-off-by: Nayna Jain
Reviewed-by: Philipp Rudo
Signed-off-by: Coiby Xu
---
 kdumpctl | 19 ++-----------------
 1 file changed, 2 insertions(+), 17 deletions(-)

diff --git a/kdumpctl b/kdumpctl
index 81ba259..c41e6f5 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -653,20 +653,7 @@ function load_kdump_kernel_key()
 return
 fi
 
- KDUMP_KEY_ID=$(cat /usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer | keyctl padd asymmetric kernelkey-$RANDOM %:.ima)
-}
-
-# remove a previously loaded key. There's no real security implication
-# to leaving it around, we choose to do this because it makes it easier
-# to be idempotent and so as to reduce the potential for confusion.
-function remove_kdump_kernel_key()
-{
- if [ -z "$KDUMP_KEY_ID" ]; then
- return
- fi
-
- keyctl unlink $KDUMP_KEY_ID %:.ima
+ keyctl padd asymmetric "" %:.ima < "/usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer"
 }
 
 # Load the kdump kernel specified in /etc/sysconfig/kdump
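Review bot: The exit status of the new `keyctl padd` line is discarded, so when the certificate for `$KDUMP_KERNELVER` is absent (the redirect then fails before keyctl even runs) or the `.ima` keyring refuses the key (it may reject a certificate that does not chain to a key it already trusts), load_kdump_kernel_key returns quietly and the problem only surfaces later as a generic kexec load failure. I would report it at the source, e.g. `keyctl padd asymmetric "" %:.ima < "/usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer" || { derror "kexec: failed to load kernel signing key for $KDUMP_KERNELVER into .ima"; return 1; }` (using whichever error logger the script pairs with `dinfo`). The empty description argument carries the whole idempotency story from the commit message — the kernel derives the description from the certificate, so re-adding the same cert on a later service restart updates the existing key rather than creating a second one — but nothing in the code says so; a comment such as `# empty description: the kernel derives it from the cert, so re-adding updates the existing key instead of duplicating it` would spare the next reader a trip to the git log. The opening lines of load_kdump_kernel_key, including the condition behind the early `return`, are outside the hunk.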
@@ -708,9 +695,7 @@ load_kdump()
 set +x
 exec 2>&12 12>&-
 
- remove_kdump_kernel_key
-
- if [ $ret == 0 ]; then
+ if [[ $ret == 0 ]]; then
 dinfo "kexec: loaded kdump kernel"
 return 0
 else