kdumpctl: enable secure boot on ppc64le LPARs

Resolves: bz1931802 Upstream: Fedora Conflict: The upstream commit was submitted before shfmt and .editorconfig. So there are issues like 4 spaces verse tab indentation, double brackets verse single bracket and etc. commit 596fa0a07f Author: Pingfan Liu <piliu@redhat.com> Date: Thu Feb 18 14:01:18 2021 +0800 kdumpctl: enable secure boot on ppc64le LPARs On ppc64le LPAR, secure-boot is a little different from bare metal, Where host secure boot: /ibm,secure-boot/os-secureboot-enforcing DT property exists while guest secure boot: /ibm,secure-boot >= 2 Make kexec-tools adapt to LPAR Signed-off-by: Pingfan Liu <piliu@redhat.com> Acked-by: Kairui Song <kasong@redhat.com> Signed-off-by: Coiby Xu <coxu@redhat.com>
2021-11-26 10:40:48 +08:00 · 2021-11-26 10:40:48 +08:00 · eb95f93880
commit eb95f93880
parent 058f49c0ad
2 changed files with 38 additions and 2 deletions
--- a/kdump-lib.sh
+++ b/kdump-lib.sh
@ -560,11 +560,16 @@ is_secure_boot_enforced()
 	local secure_boot_file setup_mode_file
 	local secure_boot_byte setup_mode_byte

-	# On powerpc, os-secureboot-enforcing DT property indicates whether secureboot
-	# is enforced. Return success, if it is found.
+	# On powerpc, secure boot is enforced if:
+	#   host secure boot: /ibm,secure-boot/os-secureboot-enforcing DT property exists
+	#   guest secure boot: /ibm,secure-boot >= 2
 	if [[ -f /proc/device-tree/ibm,secureboot/os-secureboot-enforcing ]]; then
 		return 0
 	fi
+	if [[ -f /proc/device-tree/ibm,secure-boot ]] &&
+		[[ $(lsprop /proc/device-tree/ibm,secure-boot | tail -1) -ge 2 ]]; then
+			return 0
+	fi

 	# Detect secure boot on x86 and arm64
 	secure_boot_file=$(find /sys/firmware/efi/efivars -name "SecureBoot-*" 2> /dev/null)
--- a/31
+++ b/31
@ -611,6 +611,34 @@ check_rebuild()
 	return $?
 }

+# On ppc64le LPARs, the keys trusted by firmware do not end up in
+# .builtin_trusted_keys. So instead, add the key to the .ima keyring
+function load_kdump_kernel_key()
+{
+	# this is only called inside is_secure_boot_enforced,
+	# no need to retest
+
+        # this is only required if DT /ibm,secure-boot is a file.
+        # if it is a dir, we are on OpenPower and don't need this.
+        if ! [[ -f /proc/device-tree/ibm,secure-boot ]]; then
+                return
+        fi
+
+	KDUMP_KEY_ID=$(keyctl padd asymmetric kernelkey-$RANDOM %:.ima < "/usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer")
+}
+
+# remove a previously loaded key. There's no real security implication
+# to leaving it around, we choose to do this because it makes it easier
+# to be idempotent and so as to reduce the potential for confusion.
+function remove_kdump_kernel_key()
+{
+	if [[ -z $KDUMP_KEY_ID ]]; then
+		return
+	fi
+
+	keyctl unlink "$KDUMP_KEY_ID" %:.ima
+}
+
 # Load the kdump kernel specified in /etc/sysconfig/kdump
 # If none is specified, try to load a kdump kernel with the same version
 # as the currently running kernel.
@ -627,6 +655,7 @@ load_kdump()
 	if is_secure_boot_enforced; then
 		dinfo "Secure Boot is enabled. Using kexec file based syscall."
 		KEXEC_ARGS="$KEXEC_ARGS -s"
+		load_kdump_kernel_key
 	fi

 	ddebug "$KEXEC $KEXEC_ARGS $standard_kexec_args --command-line=$KDUMP_COMMANDLINE --initrd=$TARGET_INITRD $KDUMP_KERNEL"
@ -649,6 +678,8 @@ load_kdump()
 	set +x
 	exec 2>&12 12>&-

+	remove_kdump_kernel_key
+
 	if [[ $ret == 0 ]]; then
 		dinfo "kexec: loaded kdump kernel"
 		return 0