On 11/20/19 at 03:58pm, lijiang wrote:
On 2019-11-20 at 13:35, Dave Young wrote:
> Hi Lianbo,
> On 11/19/19 at 05:10pm, Lianbo Jiang wrote:
>> Currently, kernel enabled the kexec_file_load() syscall on x86_64
>> by default, so lets align it for kexec tools.
>
> The description does not explain why this patch is needed.
> It is enabled by default long time ago, that means both kexec_file_load
> and kexec_load are enabled in kernel, why we move to kexec_file now?
>
> What is the advantage and why it is safe now etc.
>
Thanks for your comment.
I will describe more details in patch log.
> Btw, there should be some test data, eg. i386, x86_64, Secure Boot and
> non Secure Boot, UEFI and non UEFI. Probably only for Fedora kernel no
> need to do kconfig options test. But if for upstream kernel need think
> about several combination of kconfigs, eg. # CONFIG_KEXEC_SIG_FORCE is not set
> CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y =n
> CONFIG_KEXEC_SIG_FORCE=y or =n
>
Good suggestions.
The i386 does not maintain, it should be good to test on x86_64.
I tested Secure Boot and non Secure Boot on non EFI machine, and I will do more tests
for UEFI case.
Secure Boot can only be tested on EFI boot machine
About several combination of Kconfigs, Fedora kernel does not introduce upstream
changes(arch/x86/Kconfig) according to the Fedora kernel code, it only disable the
'CONFIG_KEXEC_VERIFY_SIG' by default.
Maybe your kernel is not the latest..
$ grep KEXEC /boot/config-5.4.0-0.rc5.git0.1.fc32.x86_64
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
CONFIG_KEXEC_SIG=y
# CONFIG_KEXEC_SIG_FORCE is not set
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
CONFIG_KEXEC_JUMP=y
CONFIG_KEXEC_CORE=y
Do we need to synchronize upstream kernel changes(arch/x86/Kconfig) first? Any idea
about this?
>>
>> Signed-off-by: Lianbo Jiang <lijiang(a)redhat.com>
>> ---
>> kdump-lib.sh | 8 ++++++++
>> 1 file changed, 8 insertions(+)
>>
>> diff --git a/kdump-lib.sh b/kdump-lib.sh
>> index f393c76b9cbb..89cb08850924 100755
>> --- a/kdump-lib.sh
>> +++ b/kdump-lib.sh
>> @@ -598,10 +598,18 @@ need_64bit_headers()
>> # is 1 and SetupMode is 0, then secure boot is being enforced.
>> #
>> # Assume efivars is mounted at /sys/firmware/efi/efivars.
>> +#
>> +# Currently, kernel enabled the kexec_file_load on x86_64 by default, so
>> +# lets align it.
>> is_secure_boot_enforced()
>> {
>> local secure_boot_file setup_mode_file
>> local secure_boot_byte setup_mode_byte
>> + local arch_name=`uname -m`
>> +
>> + if [ "$arch_name" == "x86_64" ]; then
>> + return 0
>> + fi
>
> Secure Boot is used on X86_64 only, if above change is good, then just
> drop the secure_boot* stuff.
>
> Add a new function
> use_kexec_file_load()
> and in the function just return true in case x86_64
>
OK. Looks better. Thanks.
Lianbo
>>
>> secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-*
2>/dev/null)
>> setup_mode_file=$(find /sys/firmware/efi/efivars -name SetupMode-*
2>/dev/null)
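Review bot: the unconditional "return 0" for x86_64 at the top of is_secure_boot_enforced() makes the function report Secure Boot as enforced on every x86_64 machine, so the SecureBoot-*/SetupMode-* efivars lookups below it are never reached on that architecture and the function name no longer describes what is tested. If the goal is to select kexec_file_load on x86_64, put that decision in a separately named helper and leave this function answering only the Secure Boot question; the added comment should also state why the choice is made rather than "lets align it". Style: the lines below use $(...), so the backtick form for "uname -m" is inconsistent, and "==" inside [ ] is a bashism where "=" is enough.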
>> --
>> 2.17.1
>> _______________________________________________
>> kexec mailing list -- kexec(a)lists.fedoraproject.org
>
> Thanks
> Dave
>
Thanks
Dave
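
For the Kconfig combinations discussed above, one way to label each kernel under test is to classify its config file before running kexec. This is an added example, not kexec-tools code and not from the thread; the function names and the four labels are hypothetical, the option names assume the 5.4-style CONFIG_KEXEC_SIG naming shown in the grep output, and the sample config is that same grep output.

```shell
#!/bin/sh
# Added example: classify the kexec_file_load() signature policy that a
# kernel config implies. Names and labels are hypothetical.

# cfg_on TEXT OPTION: true when "OPTION=y" is a whole line of TEXT.
# Whole-line matching keeps CONFIG_KEXEC_SIG from matching
# CONFIG_KEXEC_SIG_FORCE, and ignores "# ... is not set" lines.
cfg_on() {
    printf '%s\n' "$1" | grep -qx "$2=y"
}

# Read a kernel config on stdin, print one policy label.
kexec_sig_policy() {
    cfg=$(cat)
    if ! cfg_on "$cfg" CONFIG_KEXEC_FILE; then
        echo "no-kexec-file"   # kexec_file_load() is not built in
    elif ! cfg_on "$cfg" CONFIG_KEXEC_SIG; then
        echo "unverified"      # no signature verification is built in
    elif cfg_on "$cfg" CONFIG_KEXEC_SIG_FORCE; then
        echo "sig-required"    # verification is mandatory by config
    else
        echo "sig-optional"    # verification built in, not forced by config
    fi
}

# Sample input: the config lines quoted in the message above.
sample_config() {
    cat <<'EOF'
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
CONFIG_KEXEC_SIG=y
# CONFIG_KEXEC_SIG_FORCE is not set
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
CONFIG_KEXEC_JUMP=y
CONFIG_KEXEC_CORE=y
EOF
}

sample_config | kexec_sig_policy
```

On a live system the same function can be fed the running kernel's config, for example kexec_sig_policy < /boot/config-$(uname -r).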