From afff4dc8a3c5a5dadc6246e7b6ddfaa196ec90c8 Mon Sep 17 00:00:00 2001
From: Dave Young
Date: Wed, 12 Feb 2014 10:31:41 +0800
Subject: [PATCH] kdumpctl: claim that kdump does not support secure boot when service start
Kdump does not support secure boot yet, so let's claim it is not supported at the begginning of service start function. In this patch for checking secure boot status I'm checking the efivars per suggestion from pjones. see in code comments for the details. Tested in Fedora 19 + qemu ovmf with secure boot enabled.
Signed-off-by: Dave Young
Acked-by: Vivek Goyal
---
kdumpctl | 43 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
diff --git a/kdumpctl b/kdumpctl
index abcdffd..aef3875 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -500,6 +500,43 @@ selinux_relabel()
 done
 }
 
+# Check if secure boot is being enforced.
+#
+# Per Peter Jones, we need check efivar SecureBoot-$(the UUID) and
+# SetupMode-$(the UUID), they are both 5 bytes binary data. The first four
+# bytes are the attributes associated with the variable and can safely be
+# ignored, the last bytes are one-byte true-or-false variables. If SecureBoot
+# is 1 and SetupMode is 0, then secure boot is being enforced.
+#
+# Assume efivars is mounted at /sys/firmware/efi/efivars.
+function is_secure_boot_enforced()
+{
+ local secure_boot_file setup_mode_file
+ local secure_boot_byte setup_mode_byte
+
+ secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-* 2>/dev/null)
+ setup_mode_file=$(find /sys/firmware/efi/efivars -name SetupMode-* 2>/dev/null)
+
+ if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
+ secure_boot_byte=$(hexdump -v -e '/1 "%d\ "' $secure_boot_file|cut -d' ' -f 5)
+ setup_mode_byte=$(hexdump -v -e '/1 "%d\ "' $setup_mode_file|cut -d' ' -f 5)
+
+ if [ "$secure_boot_byte" = "1" ] && [ "$setup_mode_byte" = "0" ]; then
+ return 0
+ fi
+ fi
+
+ return 1
+}
+
+function check_kdump_feasibility()
+{
+ if is_secure_boot_enforced; then
+ echo "Secure Boot is Enabled. Kdump service can't be started. Disable Secure Boot and retry"
+ return 1;
+ fi
+}
+
 function start()
 {
 check_config
@@ -517,6 +554,12 @@ function start()
 return 1
 fi
 
+ check_kdump_feasibility
+ if [ $? -ne 0 ]; then
+ echo "Starting kdump: [FAILED]"
+ return 1
+ fi
+
 status
 rc=$?
 if [ $rc == 2 ]; then
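Review bot: In is_secure_boot_enforced the `-name SecureBoot-*` and `-name SetupMode-*` patterns are unquoted, so the shell can expand them against the current directory before find sees them, and `$secure_boot_file` / `$setup_mode_file` reach hexdump unquoted. Whenever find returns nothing or more than one path, the `-f` test fails and the function returns 1, so every lookup failure (efivars not mounted, unreadable, duplicate matches) is reported as "not enforced" and start() carries on. Quote both, e.g. `find /sys/firmware/efi/efivars -name 'SecureBoot-*' 2>/dev/null` and `hexdump -v -e '/1 "%d\ "' "$secure_boot_file"`. The header comment should also say explicitly that a missing or ambiguous variable is treated as not enforced, so callers know this check is advisory rather than a guarantee.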
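Review bot: The feasibility check is placed after check_config and at least one earlier failure path (the `return 1` / `fi` context above it), although the commit message says it runs at the beginning of start(). The start of start() lies outside this hunk, so this is partly inferred, but as written a user on a Secure Boot system may see configuration errors before being told kdump is unsupported. Consider making it the first statement of start() and collapsing the status test into `if ! check_kdump_feasibility; then`. A comment such as `# Refuse early: kdump is not supported while Secure Boot is enforced` would document the intent.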