[PATCH resend] kdumpctl: claim that kdump does not support secure boot when service start
by Dave Young
Kdump does not support secure boot yet, so let's claim it is not supported
at the beginning of service start function.
In this patch for checking secure boot status I'm checking the efivars per
suggestion from pjones. See the code comments for the details.
Tested in Fedora 19 + qemu ovmf with secure boot enabled.
Signed-off-by: Dave Young <dyoung(a)redhat.com>
---
kdumpctl | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
--- kexec-tools.orig/kdumpctl
+++ kexec-tools/kdumpctl
@@ -500,8 +500,44 @@ selinux_relabel()
done
}
+# Check if secure boot is being enforced.
+#
+# Per Peter Jones, we need check efivar SecureBoot-$(the UUID) and
+# SetupMode-$(the UUID), they are both 5 bytes binary data. The first four
+# bytes are the attributes associated with the variable and can safely be
+# ignored, the last bytes are one-byte true-or-false variables. If SecureBoot
+# is 1 and SetupMode is 0, then secure boot is being enforced.
+#
+# Assume efivars is mounted at /sys/firmware/efi/efivars.
+function check_secure_boot()
+{
+ local secure_boot_file setup_mode_file
+ local secure_boot_byte setup_mode_byte
+
+ secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-* 2>/dev/null)
+ setup_mode_file=$(find /sys/firmware/efi/efivars -name SetupMode-* 2>/dev/null)
+
+ if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
+ secure_boot_byte=$(hexdump -v -e '/1 "%d\ "' $secure_boot_file|cut -d' ' -f 5)
+ setup_mode_byte=$(hexdump -v -e '/1 "%d\ "' $setup_mode_file|cut -d' ' -f 5)
+
+ if [ "$secure_boot_byte" = "1" ] && [ "$setup_mode_byte" = "0" ]; then
+ return 0
+ fi
+fi
+
+ return 1
+}
+
function start()
{
+ check_secure_boot
+ if [ $? -eq 0 ]; then
+ echo "Secure boot is not supported in kdump yet. Please disable secure boot and retry."
+ echo "Starting kdump: [FAILED]"
+ return 1
+ fi
+
check_config
if [ $? -ne 0 ]; then
echo "Starting kdump: [FAILED]"
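Review bot: in check_secure_boot() the find patterns (-name SecureBoot-* and -name SetupMode-*) are unquoted, so the shell can expand them against the current working directory before find sees them; quote them, e.g. -name "SecureBoot-*". The function also fails open: if find returns more than one path, or efivars is not mounted where the comment assumes, the [ -f "$secure_boot_file" ] test is false and the function returns 1, which start() treats as secure boot not being enforced. Consider limiting find to one match and quoting $secure_boot_file and $setup_mode_file in the hexdump calls.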
10 years, 2 months
[PATCH] kdumpctl: claim that kdump does not support secure boot when service start
by Dave Young
Kdump does not support secure boot yet, so let's claim it is not supported
at the beginning of service start function.
In this patch for checking secure boot status I'm checking the efivars per
suggestion from pjones. See the code comments for the details.
Tested in Fedora 19 + qemu ovmf with secure boot enabled.
Signed-off-by: Dave Young <dyoung(a)redhat.com>
---
kdumpctl | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
--- kexec-tools.orig/kdumpctl
+++ kexec-tools/kdumpctl
@@ -500,8 +500,43 @@ selinux_relabel()
done
}
+# Check if secure boot is being enforced.
+#
+# Per Peter Jones, we need check efivar SecureBoot-$(the UUID) and
+# SetupMode-$(the UUID), they are both 5 bytes binary data. The first four
+# bytes are the attributes associated with the variable and can safely be
+# ignored, the last bytes are one-byte true-or-false variables. If SecureBoot
+# is 1 and SetupMode is 0, then secure boot is being enforced.
+#
+# Assume efivars is mounted at /sys/firmware/efi/efivars.
+function check_secure_boot()
+{
+ local secure_boot_file setup_mode_file
+ local secure_boot_byte setup_mode_byte
+
+ secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-* 2>/dev/null)
+ setup_mode_file=$(find /sys/firmware/efi/efivars -name SetupMode-* 2>/dev/null)
+
+ if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
+ secure_boot_byte=$(hexdump -v -e '/1 "%d\ "' $secure_boot_file|cut -d' ' -f 5)
+ setup_mode_byte=$(hexdump -v -e '/1 "%d\ "' $setup_mode_file|cut -d' ' -f 5)
+
+ if [ "$secure_boot_byte" = "1" ] && [ "$setup_mode_byte" = "0" ]; then
+ return 0
+ fi
+fi
+
+ return 1
+}
+
function start()
{
+ check_secure_boot
+ if [ $? -eq 0 ]; then
+ echo "Secure boot is not supported in kdump yet. Please disable secure boot and retry."
+ echo "Starting kdump: [FAILED]"
+ fi
+
check_config
if [ $? -ne 0 ]; then
echo "Starting kdump: [FAILED]"
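Review bot: the new branch at the top of start() has no return 1 before its fi, so after printing "Starting kdump: [FAILED]" execution falls through to check_config and the service start carries on even though check_secure_boot reported that secure boot is enforced. Add return 1 after the second echo so start() stops there and the caller sees a failing status.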
10 years, 2 months
[PATCH 0/6] kdump: Modify kdump init script to support firmware-assisted dump
by Hari Bathini
This patch set implements firmware-assisted dump support for kdump
service. Firmware-assisted dump support depends on existing kdump
infrastructure (kdump scripts) present in userland to save dump
to the disk. Though existing kdump script will work seamlessly, it
still needs to be modified to make it aware of presence of
firmware-assisted dump feature during service start and stop. These changes
are tested successfully on a power box with fedora19.
---
Hari Bathini (6):
kdump: Modify status() routine to check for firmware-assisted dump
kdump: Modify kdump script to start the firmware assisted dump.
kdump: Modify kdump script to stop firmware assisted dump
kdump: Take a backup of original default initrd before rebuilding.
kdump: Rebuild default initrd for firmware assisted dump
kdump: Check for /proc/vmcore existence before capturing the vmcore.
dracut-kdump.sh | 3 +
kdumpctl | 181 ++++++++++++++++++++++++++++++++++++++++++++++++++-----
2 files changed, 169 insertions(+), 15 deletions(-)
--
- Hari
10 years, 2 months