Hi Nayna,
On Sun, Sep 17, 2023 at 04:48:51PM -0400, Nayna Jain wrote:
On secure boot enabled systems with static keys, kexec using kexec_file_load(-s)
fails with the error "Permission Denied" when fadump is enabled.
Similar to kdump, load kernel signing key for fadump as well.
Reported-by: Sachin P Bappalige <sachinpb(a)linux.vnet.ibm.com>
Signed-off-by: Nayna Jain <nayna(a)linux.ibm.com>
---
kdumpctl | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/kdumpctl b/kdumpctl
index 9671410..54d21c7 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -978,6 +978,13 @@ start_fadump()
return 1
fi
+ # On secure boot enabled systems, load kernel signing key on .ima for signature
+ # verification using kexec file based syscall.
+ if is_secure_boot_enforced; then
+ dinfo "Secure Boot is enabled. Using kexec file based syscall."
+ load_kdump_kernel_key
+ fi
+
dinfo "fadump: registered successfully"
return 0
I think we should load the key in start_dump by moving the key loading
code there instead. This avoids duplicating the code and also avoids
using the kexec_load syscall by mistake.
}
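Review bot: the exit status of load_kdump_kernel_key inside the new "if is_secure_boot_enforced" block is not checked, so if loading the key fails, start_fadump() still logs "fadump: registered successfully" and returns 0. Consider testing the result and at least logging the failure at that point, so that a later "Permission Denied" from kexec_file_load can be traced back to the missing key. The added comment would also read more clearly as "load kernel signing key on the .ima keyring", and the dinfo message mentions only the kexec file based syscall, not that a key is being loaded, which is what this branch actually does.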
--
2.41.0
--
Best regards,
Coiby