import kexec-tools-2.0.20-57.el8
parent
3c71e580a2
commit
c9234c7b2a
|
@ -617,11 +617,16 @@ is_secure_boot_enforced()
|
|||
local secure_boot_file setup_mode_file
|
||||
local secure_boot_byte setup_mode_byte
|
||||
|
||||
# On powerpc, os-secureboot-enforcing DT property indicates whether secureboot
|
||||
# is enforced. Return success, if it is found.
|
||||
# On powerpc, secure boot is enforced if:
|
||||
# host secure boot: /ibm,secure-boot/os-secureboot-enforcing DT property exists
|
||||
# guest secure boot: /ibm,secure-boot >= 2
|
||||
if [ -f /proc/device-tree/ibm,secureboot/os-secureboot-enforcing ]; then
|
||||
return 0
|
||||
fi
|
||||
if [ -f /proc/device-tree/ibm,secure-boot ] && \
|
||||
[ $(lsprop /proc/device-tree/ibm,secure-boot | tail -1) -ge 2 ]; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
# Detect secure boot on x86 and arm64
|
||||
secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-* 2>/dev/null)
|
||||
|
|
|
@ -646,6 +646,35 @@ check_rebuild()
|
|||
return $?
|
||||
}
|
||||
|
||||
# On ppc64le LPARs, the keys trusted by firmware do not end up in
|
||||
# .builtin_trusted_keys. So instead, add the key to the .ima keyring
|
||||
function load_kdump_kernel_key()
|
||||
{
|
||||
# this is only called inside is_secure_boot_enforced,
|
||||
# no need to retest
|
||||
|
||||
# this is only required if DT /ibm,secure-boot is a file.
|
||||
# if it is a dir, we are on OpenPower and don't need this.
|
||||
if ! [ -f /proc/device-tree/ibm,secure-boot ]; then
|
||||
return
|
||||
fi
|
||||
|
||||
KDUMP_KEY_ID=$(cat /usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer |
|
||||
keyctl padd asymmetric kernelkey-$RANDOM %:.ima)
|
||||
}
|
||||
|
||||
# remove a previously loaded key. There's no real security implication
|
||||
# to leaving it around, we choose to do this because it makes it easier
|
||||
# to be idempotent and so as to reduce the potential for confusion.
|
||||
function remove_kdump_kernel_key()
|
||||
{
|
||||
if [ -z "$KDUMP_KEY_ID" ]; then
|
||||
return
|
||||
fi
|
||||
|
||||
keyctl unlink $KDUMP_KEY_ID %:.ima
|
||||
}
|
||||
|
||||
# Load the kdump kernel specified in /etc/sysconfig/kdump
|
||||
# If none is specified, try to load a kdump kernel with the same version
|
||||
# as the currently running kernel.
|
||||
|
@ -662,6 +691,7 @@ load_kdump()
|
|||
if is_secure_boot_enforced; then
|
||||
dinfo "Secure Boot is enabled. Using kexec file based syscall."
|
||||
KEXEC_ARGS="$KEXEC_ARGS -s"
|
||||
load_kdump_kernel_key
|
||||
fi
|
||||
|
||||
ddebug "$KEXEC $KEXEC_ARGS $standard_kexec_args --command-line=$KDUMP_COMMANDLINE --initrd=$TARGET_INITRD $KDUMP_KERNEL"
|
||||
|
@ -683,6 +713,8 @@ load_kdump()
|
|||
set +x
|
||||
exec 2>&12 12>&-
|
||||
|
||||
remove_kdump_kernel_key
|
||||
|
||||
if [ $ret == 0 ]; then
|
||||
dinfo "kexec: loaded kdump kernel"
|
||||
return 0
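Review bot: In `load_kdump_kernel_key` the result of `keyctl padd` is never checked, so a missing `kernel-signing-ppc.cer` or a key the `.ima` keyring refuses leaves `KDUMP_KEY_ID` empty and the problem presumably only surfaces later as a failed `kexec -s` load. I would read the certificate by redirection with the path quoted and log the failure, e.g. `KDUMP_KEY_ID=$(keyctl padd asymmetric "kernelkey-$RANDOM" %:.ima < "/usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer") || derror "failed to add kdump kernel key to .ima"`. `remove_kdump_kernel_key` should quote the id and clear it after the unlink (`keyctl unlink "$KDUMP_KEY_ID" %:.ima; KDUMP_KEY_ID=`), so a later call cannot unlink a stale id. The unquoted `$(lsprop … | tail -1)` in the new `-ge 2` test of `is_secure_boot_enforced` has the same weakness: empty or non-numeric output makes `[` error out and the function falls through to the EFI check instead of reporting guest secure boot. The body of `load_kdump` between the key load and the removal is outside the hunks, so I cannot confirm that every exit path reaches `remove_kdump_kernel_key`.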
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
Name: kexec-tools
|
||||
Version: 2.0.20
|
||||
Release: 56%{?dist}
|
||||
Release: 57%{?dist}
|
||||
License: GPLv2
|
||||
Group: Applications/System
|
||||
Summary: The kexec/kdump userspace component
|
||||
|
@ -406,6 +406,9 @@ done
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Aug 27 2021 Pingfan Liu <piliu@redhat.com> - 2.0.20-57
|
||||
- kdumpctl: enable secure boot on ppc64le LPARs
|
||||
|
||||
* Fri Aug 6 2021 Pingfan Liu <piliu@redhat.com> - 2.0.20-56
|
||||
- kdumpctl: fix a typo
|
||||
|
||||
|
|