mkdumprd: call dracut with --add-device to install the drivers needed by /boot partition automatically for FIPS

Resolves: bz2185794
Upstream: Fedora
Conflicts: small change

commit 443a43e075
Author: Coiby Xu <coxu@redhat.com>
Date:   Wed May 24 12:01:45 2023 +0800

    mkdumprd: call dracut with --add-device to install the drivers needed by /boot partition automatically for FIPS

    Currently, kdump doesn't work on many FIPS-enabled systems including
    Azure, ESXI, Hyper, POWER and etc. When FIPS is enabled, it needs to
    access /boot//.vmlinuz-xxx.hmac to verify the integrity of the kernel.
    However, on those systems, /boot fails to be mounted due to a lack of
    fs and block device drivers and the system just halted after failing to
    verify the integrity of the kernel. For example, on Hyper-V, sd_mod, sg,
    scsi_transport_fc, hv_storvsc and hv_vmbus need to be installed in order
    for /boot to be mounted.

    mkdumprd calls dracut with the --no-hostonly-default-device. Following
    the documentation (man dracut),
        --no-hostonly-default-device
          Do not generate implicit host devices like root, swap, fstab, etc.
          Use "--mount" or "--add-device" to explicitly add devices as needed

    this patch uses "--add-device" to explicitly add the device of /boot.

    Note there is already an attempt to fix it in dracut's 01fips module
    i.e. via the commit 83651776 ("fips: ensure fs module for /boot is
    installed"). Unfortunately it only installs the file system driver e.g.
    xfs.

    Reviewed-by: Philipp Rudo <prudo@redhat.com>
    Signed-off-by: Coiby Xu <coxu@redhat.com>

Signed-off-by: Coiby Xu <coxu@redhat.com>
This commit is contained in:
Coiby Xu 2023-08-10 14:17:11 +08:00
parent 30b68611f7
commit 9b051369fc

View File

@ -443,6 +443,10 @@ if ! is_fadump_capable; then
is_dump_to_rootfs && add_mount "$(to_dev_name $(get_root_fs_device))" is_dump_to_rootfs && add_mount "$(to_dev_name $(get_root_fs_device))"
add_dracut_arg "--no-hostonly-default-device" add_dracut_arg "--no-hostonly-default-device"
if fips-mode-setup --is-enabled 2 > /dev/null; then
add_dracut_arg --add-device "$(findmnt -n -o SOURCE --target /boot)"
fi
fi fi
echo "$dracut_args $@" | xargs dracut echo "$dracut_args $@" | xargs dracut