On 2019-11-20 16:25, Dave Young wrote:
On 11/20/19 at 03:58pm, lijiang wrote:
> On 2019-11-20 13:35, Dave Young wrote:
>> Hi Lianbo,
>> On 11/19/19 at 05:10pm, Lianbo Jiang wrote:
>>> Currently, kernel enabled the kexec_file_load() syscall on x86_64
>>> by default, so let's align it for kexec tools.
>>
>> The description does not explain why this patch is needed.
>> It is enabled by default long time ago, that means both kexec_file_load
>> and kexec_load are enabled in kernel, why we move to kexec_file now?
>>
>> What is the advantage and why it is safe now etc.
>>
> Thanks for your comment.
>
> I will describe more details in patch log.
>
>> Btw, there should be some test data, eg. i386, x86_64, Secure Boot and
>> non Secure Boot, UEFI and non UEFI. Probably only for Fedora kernel no
>> need to do kconfig options test. But if for upstream kernel need think
>> about several combination of kconfigs, eg.
>> # CONFIG_KEXEC_SIG_FORCE is not set
>> CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y =n
>> CONFIG_KEXEC_SIG_FORCE=y or =n
>>
> Good suggestions.
>
> The i386 does not maintain, it should be good to test on x86_64.
>
> I tested Secure Boot and non Secure Boot on non EFI machine, and I will do more tests for
> UEFI case.
Secure Boot can only be tested on EFI boot machine
OK, thank you for pointing out that. I will cover these cases and investigate it in
detail.
>
> About several combination of Kconfigs, Fedora kernel does not introduce upstream changes(arch/x86/Kconfig)
> according to the Fedora kernel code, it only disable the 'CONFIG_KEXEC_VERIFY_SIG' by default.
Maybe your kernel is not the latest..
Indeed. Thanks.
$ grep KEXEC /boot/config-5.4.0-0.rc5.git0.1.fc32.x86_64
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
CONFIG_KEXEC_SIG=y
# CONFIG_KEXEC_SIG_FORCE is not set
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
CONFIG_KEXEC_JUMP=y
CONFIG_KEXEC_CORE=y
>
> Do we need to synchronize upstream kernel changes(arch/x86/Kconfig) first? Any idea about this?
>
>>>
>>> Signed-off-by: Lianbo Jiang <lijiang(a)redhat.com>
>>> ---
>>> kdump-lib.sh | 8 ++++++++
>>> 1 file changed, 8 insertions(+)
>>>
>>> diff --git a/kdump-lib.sh b/kdump-lib.sh
>>> index f393c76b9cbb..89cb08850924 100755
>>> --- a/kdump-lib.sh
>>> +++ b/kdump-lib.sh
>>> @@ -598,10 +598,18 @@ need_64bit_headers()
>>> # is 1 and SetupMode is 0, then secure boot is being enforced.
>>> #
>>> # Assume efivars is mounted at /sys/firmware/efi/efivars.
>>> +#
>>> +# Currently, kernel enabled the kexec_file_load on x86_64 by default, so
>>> +# lets align it.
>>> is_secure_boot_enforced()
>>> {
>>> local secure_boot_file setup_mode_file
>>> local secure_boot_byte setup_mode_byte
>>> + local arch_name=`uname -m`
>>> +
>>> + if [ "$arch_name" == "x86_64" ]; then
>>> + return 0
>>> + fi
>>
>> Secure Boot is used on X86_64 only, if above change is good, then just
>> drop the secure_boot* stuff.
>>
>> Add a new function
>> use_kexec_file_load()
>> and in the function just return true in case x86_64
>>
>
> OK. Looks better. Thanks.
>
> Lianbo
>
>>>
>>> secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-*
2>/dev/null)
>>> setup_mode_file=$(find /sys/firmware/efi/efivars -name SetupMode-*
2>/dev/null)
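Review bot: The unconditional "return 0" for x86_64 at the top of is_secure_boot_enforced() makes the function report Secure Boot as enforced on every x86_64 host, including ones booted without EFI or with Secure Boot disabled, and the SecureBoot-*/SetupMode-* efivars lookups that follow are never reached on that architecture. The function name and its header comment ("is 1 and SetupMode is 0, then secure boot is being enforced") no longer describe what it returns. Keep this function answering only the firmware question and put the loader choice in a separate predicate whose name says so, so that a caller asking for the real Secure Boot state still gets it. The added comment should state why kexec_file_load is preferred, not only that the kernel enables it. Minor: prefer $(uname -m) over backticks, and "=" over "==" inside [ ].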
>>> --
>>> 2.17.1
>>
>> Thanks
>> Dave
>>
Thanks
Dave
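
Added example (not part of the thread and not kexec-tools code): a shell helper for the Kconfig test matrix discussed above, which reads a kernel config file and reports the kexec signature policy that build implies. The function names and policy labels are hypothetical, the sample input is the grep output quoted in the thread, and the mapping from options to policy is an assumption based on the upstream Kconfig help text (runtime lockdown or IMA policy can still tighten the result).

```sh
#!/bin/sh
# Added example: derive the build-time kexec signature policy from a kernel config.

# cfg_state FILE OPTION: print y or m if set, n if "is not set" or absent.
cfg_state() {
    v=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${v:-n}"
}

# kexec_sig_policy FILE: print one label (labels are hypothetical names).
kexec_sig_policy() {
    if [ "$(cfg_state "$1" CONFIG_KEXEC_FILE)" != y ]; then
        echo no-kexec-file       # kexec_file_load() is not built in
    elif [ "$(cfg_state "$1" CONFIG_KEXEC_SIG)" != y ]; then
        echo unverified          # no signature check in kexec_file_load()
    elif [ "$(cfg_state "$1" CONFIG_KEXEC_SIG_FORCE)" = y ]; then
        echo signature-required  # an image without a valid signature is refused
    else
        echo signature-optional  # checked when present, unsigned still accepted
    fi
}

# bzimage_verify FILE: succeed if bzImage signature verification is built in.
bzimage_verify() {
    [ "$(cfg_state "$1" CONFIG_KEXEC_BZIMAGE_VERIFY_SIG)" = y ]
}

# Sample input: the config lines quoted in the thread.
sample_config() {
    cat <<'EOF'
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
CONFIG_KEXEC_SIG=y
# CONFIG_KEXEC_SIG_FORCE is not set
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
CONFIG_KEXEC_JUMP=y
CONFIG_KEXEC_CORE=y
EOF
}

cfg=$(mktemp)
sample_config > "$cfg"
echo "policy: $(kexec_sig_policy "$cfg")"
bzimage_verify "$cfg" && echo "bzImage signature verification: built in"
rm -f "$cfg"
```

Recording this label next to each test result (Secure Boot on or off, UEFI or legacy boot) shows which kernel configuration a given pass or failure belongs to.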