This reverts commit 6a20bd54473e11011bf2b47efb52d0759d412854.
Let's restore the secureboot status check logic and remove the
option 'KDUMP_FILE_LOAD=on|off'. The option KEXEC_ARGS="-s" will be used
later to enable the kexec file load, which avoids failures when
secureboot is enabled.
Signed-off-by: Lianbo Jiang <lijiang(a)redhat.com>
---
dracut-early-kdump.sh | 5 ++---
kdump-lib.sh | 29 +++++++++++++++++++++++++++++
kdump.sysconfig.x86_64 | 6 ------
kdumpctl | 13 ++++++-------
4 files changed, 37 insertions(+), 16 deletions(-)
diff --git a/dracut-early-kdump.sh b/dracut-early-kdump.sh
index 6788a6b83431..69a34eb996cd 100755
--- a/dracut-early-kdump.sh
+++ b/dracut-early-kdump.sh
@@ -2,7 +2,6 @@
KEXEC=/sbin/kexec
standard_kexec_args="-p"
-KDUMP_FILE_LOAD=""
EARLY_KDUMP_INITRD=""
EARLY_KDUMP_KERNEL=""
@@ -44,8 +43,8 @@ early_kdump_load()
EARLY_KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
- if [ "$KDUMP_FILE_LOAD" == "on" ]; then
- echo "Using kexec file based syscall."
+ if is_secure_boot_enforced; then
+ echo "Secure Boot is enabled. Using kexec file based syscall."
EARLY_KEXEC_ARGS="$EARLY_KEXEC_ARGS -s"
fi
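Review bot: The new branch treats every non-zero return of is_secure_boot_enforced as "not enforced", so if the helper cannot read the efivars in this context (presumably the early-kdump initramfs, where efivarfs may not be mounted yet — to be confirmed) the script silently falls back to kexec_load, which is exactly the path that fails on a Secure Boot kernel. It would help to log that fallback, e.g. `else` / `echo "Secure Boot not detected, using kexec_load()"` after the `-s` branch, so the failure mode is visible in the kdump logs. is_secure_boot_enforced is defined in kdump-lib.sh and the hunk does not show this script sourcing it; confirm it is in scope here. early_kdump_load starts and ends outside the hunk.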
diff --git a/kdump-lib.sh b/kdump-lib.sh
index 6f250d4b4ebc..f78e06481ccc 100755
--- a/kdump-lib.sh
+++ b/kdump-lib.sh
@@ -597,6 +597,35 @@ need_64bit_headers()
print (strtonum("0x" r[2]) > strtonum("0xffffffff")); }'`
}
+# Check if secure boot is being enforced.
+#
+# Per Peter Jones, we need check efivar SecureBoot-$(the UUID) and
+# SetupMode-$(the UUID), they are both 5 bytes binary data. The first four
+# bytes are the attributes associated with the variable and can safely be
+# ignored, the last bytes are one-byte true-or-false variables. If SecureBoot
+# is 1 and SetupMode is 0, then secure boot is being enforced.
+#
+# Assume efivars is mounted at /sys/firmware/efi/efivars.
+is_secure_boot_enforced()
+{
+ local secure_boot_file setup_mode_file
+ local secure_boot_byte setup_mode_byte
+
+ secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-* 2>/dev/null)
+ setup_mode_file=$(find /sys/firmware/efi/efivars -name SetupMode-* 2>/dev/null)
+
+ if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file"
]; then
+ secure_boot_byte=$(hexdump -v -e '/1 "%d\ "'
$secure_boot_file|cut -d' ' -f 5)
+ setup_mode_byte=$(hexdump -v -e '/1 "%d\ "'
$setup_mode_file|cut -d' ' -f 5)
+
+ if [ "$secure_boot_byte" = "1" ] && [
"$setup_mode_byte" = "0" ]; then
+ return 0
+ fi
+ fi
+
+ return 1
+}
+
#
# prepare_kexec_args <kexec args>
# This function prepares kexec argument.
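Review bot: Both `find ... -name SecureBoot-*` and `-name SetupMode-*` pass the pattern unquoted, so if the current directory happens to contain a matching name the shell expands it before find runs and the variable lookup silently misses; the same applies to the unquoted `$secure_boot_file` and `$setup_mode_file` passed to hexdump. More importantly, every failure mode (efivarfs not mounted, hexdump missing, find returning more than one path) collapses into `return 1`, which callers read as "Secure Boot not enforced" and answer with kexec_load; since the commit also drops the kexec_file_load() hint in kdumpctl, a user on a Secure Boot machine would then see only the generic "failed to load kdump kernel". Quoting the patterns and variables and emitting a stderr diagnostic when the variables cannot be read on an EFI-booted system (/sys/firmware/efi present) keeps the function's contract but makes the undetermined case visible. The `\ ` escape in the hexdump format string is presumably relied on to produce the space-separated fields that `cut -f 5` selects; worth a comment since it is not an obvious idiom.
```shell
	secure_boot_file=$(find /sys/firmware/efi/efivars -name 'SecureBoot-*' 2>/dev/null)
	setup_mode_file=$(find /sys/firmware/efi/efivars -name 'SetupMode-*' 2>/dev/null)

	if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
		# byte 5 is the one-byte value that follows the 4 attribute bytes
		secure_boot_byte=$(hexdump -v -e '/1 "%d\ "' "$secure_boot_file" | cut -d' ' -f 5)
		setup_mode_byte=$(hexdump -v -e '/1 "%d\ "' "$setup_mode_file" | cut -d' ' -f 5)
		# … unchanged: compare secure_boot_byte / setup_mode_byte …
	elif [ -d /sys/firmware/efi ]; then
		echo "Cannot read SecureBoot/SetupMode efivars, assuming Secure Boot is not enforced" >&2
	fi

	return 1
```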
diff --git a/kdump.sysconfig.x86_64 b/kdump.sysconfig.x86_64
index e47e19564bc2..f67d99914ba4 100644
--- a/kdump.sysconfig.x86_64
+++ b/kdump.sysconfig.x86_64
@@ -38,9 +38,3 @@ KDUMP_IMG="vmlinuz"
#What is the images extension. Relocatable kernels don't have one
KDUMP_IMG_EXT=""
-
-# Using kexec file based syscall by default
-#
-# Here, the "on" is the only valid value to enable the kexec file load and
-# anything else is equal to the "off"(disable).
-KDUMP_FILE_LOAD="on"
diff --git a/kdumpctl b/kdumpctl
index 70fb551fe8fb..d3ec4d725e39 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -4,7 +4,6 @@ KEXEC=/sbin/kexec
KDUMP_KERNELVER=""
KDUMP_COMMANDLINE=""
KEXEC_ARGS=""
-KDUMP_FILE_LOAD=""
KDUMP_CONFIG_FILE="/etc/kdump.conf"
MKDUMPRD="/sbin/mkdumprd -f"
DRACUT_MODULES_FILE="/usr/lib/dracut/modules.txt"
@@ -686,8 +685,11 @@ load_kdump()
KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}"
"${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}")
- if [ "$KDUMP_FILE_LOAD" == "on" ]; then
- echo "Using kexec file based syscall."
+ # For secureboot enabled machines, use new kexec file based syscall.
+ # Old syscall will always fail as it does not have capability to
+ # to kernel signature verification.
+ if is_secure_boot_enforced; then
+ echo "Secure Boot is enabled. Using kexec file based syscall."
KEXEC_ARGS="$KEXEC_ARGS -s"
fi
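Review bot: The added comment has a doubled word, "does not have capability to to kernel signature verification"; it should read `# Old syscall will always fail as it does not have the capability to` / `# do kernel signature verification.` The comment is also the only place the rationale for the `-s` switch is recorded, so it is worth stating that kexec_file_load is what performs the in-kernel signature check, which is why the choice cannot be left to the user on a Secure Boot machine. load_kdump starts and ends outside the hunk.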
@@ -699,9 +701,6 @@ load_kdump()
return 0
else
echo "kexec: failed to load kdump kernel" >&2
- if [ "$KDUMP_FILE_LOAD" == "on" ]; then
- echo "kexec_file_load() failed, please try kexec_load()" >&2
- fi
return 1
fi
}
@@ -1162,7 +1161,7 @@ stop_fadump()
stop_kdump()
{
- if [ "$KDUMP_FILE_LOAD" == "on" ]; then
+ if is_secure_boot_enforced; then
$KEXEC -s -p -u
else
$KEXEC -p -u
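Review bot: stop_kdump re-runs the Secure Boot probe at unload time instead of recording which syscall loaded the crash kernel, so a probe result that differs from the one at load time (efivarfs unmounted, hexdump unavailable at stop, or a failed detection at load that now succeeds) selects the other unload path; whether `$KEXEC -p -u` is rejected by a Secure Boot kernel in that case is not visible here and should be checked. Persisting the decision taken in load_kdump (for example a marker recorded alongside the loaded state) and reading it back here, with the probe only as a fallback, would keep load and unload consistent. stop_kdump's closing brace is outside the hunk.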
--
2.17.1