kdumpctl: enable secure boot on ppc64le LPARs
Resolves: bz1931802
Upstream: Fedora
Conflict: The upstream commit was submitted before shfmt and .editorconfig.
So there are issues like 4 spaces verse tab indentation, double
brackets verse single bracket and etc.
commit 596fa0a07f
Author: Pingfan Liu <piliu@redhat.com>
Date: Thu Feb 18 14:01:18 2021 +0800
kdumpctl: enable secure boot on ppc64le LPARs
On ppc64le LPAR, secure-boot is a little different from bare metal,
Where
host secure boot: /ibm,secure-boot/os-secureboot-enforcing DT property exists
while
guest secure boot: /ibm,secure-boot >= 2
Make kexec-tools adapt to LPAR
Signed-off-by: Pingfan Liu <piliu@redhat.com>
Acked-by: Kairui Song <kasong@redhat.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
This commit is contained in:
parent
058f49c0ad
commit
eb95f93880
@ -560,11 +560,16 @@ is_secure_boot_enforced()
|
|||||||
local secure_boot_file setup_mode_file
|
local secure_boot_file setup_mode_file
|
||||||
local secure_boot_byte setup_mode_byte
|
local secure_boot_byte setup_mode_byte
|
||||||
|
|
||||||
# On powerpc, os-secureboot-enforcing DT property indicates whether secureboot
|
# On powerpc, secure boot is enforced if:
|
||||||
# is enforced. Return success, if it is found.
|
# host secure boot: /ibm,secure-boot/os-secureboot-enforcing DT property exists
|
||||||
|
# guest secure boot: /ibm,secure-boot >= 2
|
||||||
if [[ -f /proc/device-tree/ibm,secureboot/os-secureboot-enforcing ]]; then
|
if [[ -f /proc/device-tree/ibm,secureboot/os-secureboot-enforcing ]]; then
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
|
if [[ -f /proc/device-tree/ibm,secure-boot ]] &&
|
||||||
|
[[ $(lsprop /proc/device-tree/ibm,secure-boot | tail -1) -ge 2 ]]; then
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
# Detect secure boot on x86 and arm64
|
# Detect secure boot on x86 and arm64
|
||||||
secure_boot_file=$(find /sys/firmware/efi/efivars -name "SecureBoot-*" 2> /dev/null)
|
secure_boot_file=$(find /sys/firmware/efi/efivars -name "SecureBoot-*" 2> /dev/null)
|
||||||
|
31
kdumpctl
31
kdumpctl
@ -611,6 +611,34 @@ check_rebuild()
|
|||||||
return $?
|
return $?
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# On ppc64le LPARs, the keys trusted by firmware do not end up in
|
||||||
|
# .builtin_trusted_keys. So instead, add the key to the .ima keyring
|
||||||
|
function load_kdump_kernel_key()
|
||||||
|
{
|
||||||
|
# this is only called inside is_secure_boot_enforced,
|
||||||
|
# no need to retest
|
||||||
|
|
||||||
|
# this is only required if DT /ibm,secure-boot is a file.
|
||||||
|
# if it is a dir, we are on OpenPower and don't need this.
|
||||||
|
if ! [[ -f /proc/device-tree/ibm,secure-boot ]]; then
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
|
||||||
|
KDUMP_KEY_ID=$(keyctl padd asymmetric kernelkey-$RANDOM %:.ima < "/usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer")
|
||||||
|
}
|
||||||
|
|
||||||
|
# remove a previously loaded key. There's no real security implication
|
||||||
|
# to leaving it around, we choose to do this because it makes it easier
|
||||||
|
# to be idempotent and so as to reduce the potential for confusion.
|
||||||
|
function remove_kdump_kernel_key()
|
||||||
|
{
|
||||||
|
if [[ -z $KDUMP_KEY_ID ]]; then
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
|
||||||
|
keyctl unlink "$KDUMP_KEY_ID" %:.ima
|
||||||
|
}
|
||||||
|
|
||||||
# Load the kdump kernel specified in /etc/sysconfig/kdump
|
# Load the kdump kernel specified in /etc/sysconfig/kdump
|
||||||
# If none is specified, try to load a kdump kernel with the same version
|
# If none is specified, try to load a kdump kernel with the same version
|
||||||
# as the currently running kernel.
|
# as the currently running kernel.
|
||||||
@ -627,6 +655,7 @@ load_kdump()
|
|||||||
if is_secure_boot_enforced; then
|
if is_secure_boot_enforced; then
|
||||||
dinfo "Secure Boot is enabled. Using kexec file based syscall."
|
dinfo "Secure Boot is enabled. Using kexec file based syscall."
|
||||||
KEXEC_ARGS="$KEXEC_ARGS -s"
|
KEXEC_ARGS="$KEXEC_ARGS -s"
|
||||||
|
load_kdump_kernel_key
|
||||||
fi
|
fi
|
||||||
|
|
||||||
ddebug "$KEXEC $KEXEC_ARGS $standard_kexec_args --command-line=$KDUMP_COMMANDLINE --initrd=$TARGET_INITRD $KDUMP_KERNEL"
|
ddebug "$KEXEC $KEXEC_ARGS $standard_kexec_args --command-line=$KDUMP_COMMANDLINE --initrd=$TARGET_INITRD $KDUMP_KERNEL"
|
||||||
@ -649,6 +678,8 @@ load_kdump()
|
|||||||
set +x
|
set +x
|
||||||
exec 2>&12 12>&-
|
exec 2>&12 12>&-
|
||||||
|
|
||||||
|
remove_kdump_kernel_key
|
||||||
|
|
||||||
if [[ $ret == 0 ]]; then
|
if [[ $ret == 0 ]]; then
|
||||||
dinfo "kexec: loaded kdump kernel"
|
dinfo "kexec: loaded kdump kernel"
|
||||||
return 0
|
return 0
|
||||||
|
Loading…
Reference in New Issue
Block a user