powerpc: update kdumpctl to remove deletion of kernel signing key once loaded

Kernel signing key is deleted once kdump is loaded. This causes confusion in
debugging since key is no longer visible. Unless someone knows how
kdumpctl script works, it is difficult to find out how kdump could be
loaded when there is no key on .ima keyring.

Remove deletion of kernel signing key once loaded. And then to prevent
multiple loading of same key when kdump service is disabled/enabled, update
key description field as well.

Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Reviewed-by: Philipp Rudo <prudo@redhat.com>
This commit is contained in:
Nayna Jain 2023-10-03 23:41:46 -04:00 committed by Coiby Xu
parent 8bf11dc3f6
commit fe6eb30e67

View File

@ -678,19 +678,7 @@ function load_kdump_kernel_key()
return return
fi fi
KDUMP_KEY_ID=$(keyctl padd asymmetric kernelkey-$RANDOM %:.ima < "/usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer") keyctl padd asymmetric "" %:.ima < "/usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer"
}
# remove a previously loaded key. There's no real security implication
# to leaving it around, we choose to do this because it makes it easier
# to be idempotent and so as to reduce the potential for confusion.
function remove_kdump_kernel_key()
{
if [[ -z $KDUMP_KEY_ID ]]; then
return
fi
keyctl unlink "$KDUMP_KEY_ID" %:.ima
} }
# Load the kdump kernel specified in /etc/sysconfig/kdump # Load the kdump kernel specified in /etc/sysconfig/kdump
@ -742,8 +730,6 @@ load_kdump()
set +x set +x
exec 2>&12 12>&- exec 2>&12 12>&-
remove_kdump_kernel_key
if [[ $ret == 0 ]]; then if [[ $ret == 0 ]]; then
dinfo "kexec: loaded kdump kernel" dinfo "kexec: loaded kdump kernel"
return 0 return 0