kdumpctl: claim that kdump does not support secure boot when service start
Kdump does not support secure boot yet, so let's claim it is not supported at the begginning of service start function. In this patch for checking secure boot status I'm checking the efivars per suggestion from pjones. see in code comments for the details. Tested in Fedora 19 + qemu ovmf with secure boot enabled. Signed-off-by: Dave Young <dyoung@redhat.com> Acked-by: Vivek Goyal <vgoyal@redhat.com>
This commit is contained in:
Dave Young
WANG Chao
parent
1060846036
commit
afff4dc8a3
43
kdumpctl
43
kdumpctl
@ -500,6 +500,43 @@ selinux_relabel()
|
||||
done
|
||||
}
|
||||
|
||||
# Check if secure boot is being enforced.
|
||||
#
|
||||
# Per Peter Jones, we need check efivar SecureBoot-$(the UUID) and
|
||||
# SetupMode-$(the UUID), they are both 5 bytes binary data. The first four
|
||||
# bytes are the attributes associated with the variable and can safely be
|
||||
# ignored, the last bytes are one-byte true-or-false variables. If SecureBoot
|
||||
# is 1 and SetupMode is 0, then secure boot is being enforced.
|
||||
#
|
||||
# Assume efivars is mounted at /sys/firmware/efi/efivars.
|
||||
function is_secure_boot_enforced()
|
||||
{
|
||||
local secure_boot_file setup_mode_file
|
||||
local secure_boot_byte setup_mode_byte
|
||||
|
||||
secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-* 2>/dev/null)
|
||||
setup_mode_file=$(find /sys/firmware/efi/efivars -name SetupMode-* 2>/dev/null)
|
||||
|
||||
if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
|
||||
secure_boot_byte=$(hexdump -v -e '/1 "%d\ "' $secure_boot_file|cut -d' ' -f 5)
|
||||
setup_mode_byte=$(hexdump -v -e '/1 "%d\ "' $setup_mode_file|cut -d' ' -f 5)
|
||||
|
||||
if [ "$secure_boot_byte" = "1" ] && [ "$setup_mode_byte" = "0" ]; then
|
||||
return 0
|
||||
fi
|
||||
fi
|
||||
|
||||
return 1
|
||||
}
|
||||
|
||||
function check_kdump_feasibility()
|
||||
{
|
||||
if is_secure_boot_enforced; then
|
||||
echo "Secure Boot is Enabled. Kdump service can't be started. Disable Secure Boot and retry"
|
||||
return 1;
|
||||
fi
|
||||
}
|
||||
|
||||
function start()
|
||||
{
|
||||
check_config
|
||||
@ -517,6 +554,12 @@ function start()
|
||||
return 1
|
||||
fi
|
||||
|
||||
check_kdump_feasibility
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Starting kdump: [FAILED]"
|
||||
return 1
|
||||
fi
|
||||
|
||||
status
|
||||
rc=$?
|
||||
if [ $rc == 2 ]; then
|
||||
|
||||
Loading…
Reference in New Issue
Block a user