Kernel signing key is deleted once kdump is loaded. This causes confusion in debugging since key is no longer visible. Unless someone knows how kdumpctl script works, it is difficult to find out how kdump could be loaded when there is no key on .ima keyring. Remove deletion of kernel signing key once loaded. And then to prevent multiple loading of same key when kdump service is disabled/enabled, update key description field as well. Suggested-by: Mimi Zohar <zohar(a)linux.ibm.com&gt; Signed-off-by: Nayna Jain <nayna(a)linux.ibm.com&gt; --- kdumpctl | 16 +--------------- 1 file changed, 1 insertion(+), 15 deletions(-) diff --git a/kdumpctl b/kdumpctl index 6e4685f..9671410 100755 --- a/kdumpctl +++ b/kdumpctl @@ -678,19 +678,7 @@ function load_kdump_kernel_key() return fi - KDUMP_KEY_ID=$(keyctl padd asymmetric kernelkey-$RANDOM %:.ima < "/usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer") -} - -# remove a previously loaded key. There's no real security implication -# to leaving it around, we choose to do this because it makes it easier -# to be idempotent and so as to reduce the potential for confusion. -function remove_kdump_kernel_key() -{ - if [[ -z $KDUMP_KEY_ID ]]; then - return - fi - - keyctl unlink "$KDUMP_KEY_ID" %:.ima + KDUMP_KEY_ID=$(keyctl padd asymmetric "" %:.ima < "/usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer") } # Load the kdump kernel specified in /etc/sysconfig/kdump @@ -742,8 +730,6 @@ load_kdump() set +x exec 2>&12 12>&- - remove_kdump_kernel_key - if [[ $ret == 0 ]]; then dinfo "kexec: loaded kdump kernel" return 0 -- 2.41.0