5:07 a.m.
Kernel signing key is deleted once kdump is loaded. This causes confusion in
debugging since key is no longer visible. Unless someone knows how
kdumpctl script works, it is difficult to find out how kdump could be
loaded when there is no key on .ima keyring.
Remove deletion of kernel signing key once loaded. And then to prevent
multiple loading of same key when kdump service is disabled/enabled, update
key description field as well.
Suggested-by: Mimi Zohar <zohar(a)linux.ibm.com>
Signed-off-by: Nayna Jain <nayna(a)linux.ibm.com>
---
kdumpctl | 16 +---------------
1 file changed, 1 insertion(+), 15 deletions(-)
diff --git a/kdumpctl b/kdumpctl
index 6e4685f..9671410 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -678,19 +678,7 @@ function load_kdump_kernel_key()
return
fi
- KDUMP_KEY_ID=$(keyctl padd asymmetric kernelkey-$RANDOM %:.ima <
"/usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer")
-}
-
-# remove a previously loaded key. There's no real security implication
-# to leaving it around, we choose to do this because it makes it easier
-# to be idempotent and so as to reduce the potential for confusion.
-function remove_kdump_kernel_key()
-{
- if [[ -z $KDUMP_KEY_ID ]]; then
- return
- fi
-
- keyctl unlink "$KDUMP_KEY_ID" %:.ima
+ KDUMP_KEY_ID=$(keyctl padd asymmetric "" %:.ima <
"/usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer")
}
# Load the kdump kernel specified in /etc/sysconfig/kdump
@@ -742,8 +730,6 @@ load_kdump()
set +x
exec 2>&12 12>&-
- remove_kdump_kernel_key
-
if [[ $ret == 0 ]]; then
dinfo "kexec: loaded kdump kernel"
return 0
--
2.41.0
5:07 a.m.
New subject: [PATCH 2/2] powerpc: update kdumpctl to load kernel signing key for fadump
On secure boot enabled systems with static keys, kexec with kexec_file_load(-s)
fails as "Permission Denied" when fadump is enabled.
Similar to kdump, load kernel signing key for fadump as well.
Reported-by: Sachin P Bappalige <sachinpb(a)linux.vnet.ibm.com>
Signed-off-by: Nayna Jain <nayna(a)linux.ibm.com>
---
Changelog:
v2:
Included feedback from Coiby:
* Moved loading of key to start_dump()
* Also moved addition of -s kexec arg to prepare_kexec_args() for file
based syscall.
kdump-lib.sh | 8 ++++++++
kdumpctl | 15 +++++++--------
2 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/kdump-lib.sh b/kdump-lib.sh
index 042ac87..5e7903f 100755
--- a/kdump-lib.sh
+++ b/kdump-lib.sh
@@ -501,6 +501,14 @@ prepare_kexec_args()
fi
fi
fi
+
+ # For secureboot enabled machines, use new kexec file based syscall.
+ # Old syscall will always fail as it does not have capability to do
+ # kernel signature verification.
+ if is_secure_boot_enforced; then
+ kexec_args="$kexec_args -s"
+ fi
+
echo "$kexec_args"
}
diff --git a/kdumpctl b/kdumpctl
index 9671410..9ceeed2 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -690,14 +690,6 @@ load_kdump()
KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}"
"${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}")
- # For secureboot enabled machines, use new kexec file based syscall.
- # Old syscall will always fail as it does not have capability to
- # to kernel signature verification.
- if is_secure_boot_enforced; then
- dinfo "Secure Boot is enabled. Using kexec file based syscall."
- KEXEC_ARGS="$KEXEC_ARGS -s"
- load_kdump_kernel_key
- fi
if is_uki "$KDUMP_KERNEL"; then
uki=$KDUMP_KERNEL
@@ -984,6 +976,13 @@ start_fadump()
start_dump()
{
+ # On secure boot enabled systems, load kernel signing key on .ima for signature
+ # verification using kexec file based syscall.
+ if is_secure_boot_enforced; then
+ dinfo "Secure Boot is enabled. Using kexec file based syscall."
+ load_kdump_kernel_key
+ fi
+
if [[ $DEFAULT_DUMP_MODE == "fadump" ]]; then
start_fadump
else
--
2.41.0
8:06 a.m.
New subject: [PATCH 2/2] powerpc: update kdumpctl to load kernel signing key
for fadump
Hi Nayna,
All in all I'm fine with the change. There are a few nits though.
On Tue, 26 Sep 2023 06:07:53 -0400
Nayna Jain <nayna(a)linux.ibm.com> wrote:
On secure boot enabled systems with static keys, kexec with
kexec_file_load(-s)
fails as "Permission Denied" when fadump is enabled.
Similar to kdump, load kernel signing key for fadump as well.
Reported-by: Sachin P Bappalige <sachinpb(a)linux.vnet.ibm.com>
Signed-off-by: Nayna Jain <nayna(a)linux.ibm.com>
---
Changelog:
v2:
Included feedback from Coiby:
* Moved loading of key to start_dump()
* Also moved addition of -s kexec arg to prepare_kexec_args() for file
based syscall.
kdump-lib.sh | 8 ++++++++
kdumpctl | 15 +++++++--------
2 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/kdump-lib.sh b/kdump-lib.sh
index 042ac87..5e7903f 100755
--- a/kdump-lib.sh
+++ b/kdump-lib.sh
@@ -501,6 +501,14 @@ prepare_kexec_args()
fi
fi
fi
+
+ # For secureboot enabled machines, use new kexec file based syscall.
+ # Old syscall will always fail as it does not have capability to do
+ # kernel signature verification.
+ if is_secure_boot_enforced; then
+ kexec_args="$kexec_args -s"
+ fi
+
When you move the check to prepare_kexec_args you also have to update
dracut-early-kdump.sh. Otherwise it will add the -s option twice.
Furthermore the info message should be printed here, not when loading
the kdump key as you are switching to kexec_file_load by adding the -s
option. Not by loading the key.
echo "$kexec_args"
}
diff --git a/kdumpctl b/kdumpctl
index 9671410..9ceeed2 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -690,14 +690,6 @@ load_kdump()
KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}"
"${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}")
- # For secureboot enabled machines, use new kexec file based syscall.
- # Old syscall will always fail as it does not have capability to
- # to kernel signature verification.
- if is_secure_boot_enforced; then
- dinfo "Secure Boot is enabled. Using kexec file based syscall."
- KEXEC_ARGS="$KEXEC_ARGS -s"
- load_kdump_kernel_key
- fi
if is_uki "$KDUMP_KERNEL"; then
uki=$KDUMP_KERNEL
@@ -984,6 +976,13 @@ start_fadump()
start_dump()
{
+ # On secure boot enabled systems, load kernel signing key on .ima for signature
+ # verification using kexec file based syscall.
+ if is_secure_boot_enforced; then
I would prefer if you added an explicit '[[ "$(uname -m)" == ppc64le ]]
&&' here. Although load_kdump_kernel_key shouldn't do anything for other
architectures I think having this extra layer of security is good to
have. Furthermore it makes it clear for developers that this is special
handling only needed for ppc.
Thanks
Philipp
+ dinfo "Secure Boot is enabled. Using kexec file based
syscall."
+ load_kdump_kernel_key
+ fi
+
if [[ $DEFAULT_DUMP_MODE == "fadump" ]]; then
start_fadump
else
8:12 a.m.
New subject: [PATCH 1/2] powerpc: update kdumpctl to remove deletion of
kernel signing key once loaded
Hi Nayna,
On Tue, 26 Sep 2023 06:07:52 -0400
Nayna Jain <nayna(a)linux.ibm.com> wrote:
Kernel signing key is deleted once kdump is loaded. This causes
confusion in
debugging since key is no longer visible. Unless someone knows how
kdumpctl script works, it is difficult to find out how kdump could be
loaded when there is no key on .ima keyring.
Remove deletion of kernel signing key once loaded. And then to prevent
multiple loading of same key when kdump service is disabled/enabled, update
key description field as well.
Suggested-by: Mimi Zohar <zohar(a)linux.ibm.com>
Signed-off-by: Nayna Jain <nayna(a)linux.ibm.com>
---
kdumpctl | 16 +---------------
1 file changed, 1 insertion(+), 15 deletions(-)
diff --git a/kdumpctl b/kdumpctl
index 6e4685f..9671410 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -678,19 +678,7 @@ function load_kdump_kernel_key()
return
fi
- KDUMP_KEY_ID=$(keyctl padd asymmetric kernelkey-$RANDOM %:.ima <
"/usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer")
-}
-
-# remove a previously loaded key. There's no real security implication
-# to leaving it around, we choose to do this because it makes it easier
-# to be idempotent and so as to reduce the potential for confusion.
-function remove_kdump_kernel_key()
-{
- if [[ -z $KDUMP_KEY_ID ]]; then
- return
- fi
-
- keyctl unlink "$KDUMP_KEY_ID" %:.ima
+ KDUMP_KEY_ID=$(keyctl padd asymmetric "" %:.ima <
"/usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer")
with remove_kdump_kernel_key gone there is no more user for
KDUMP_KEY_ID. You should remove that variable as well.
Thanks
Philipp
}
# Load the kdump kernel specified in /etc/sysconfig/kdump
@@ -742,8 +730,6 @@ load_kdump()
set +x
exec 2>&12 12>&-
- remove_kdump_kernel_key
-
if [[ $ret == 0 ]]; then
dinfo "kexec: loaded kdump kernel"
return 0
224
days inactive
226
days old
3 comments
2 participants
participants (2)
-
Nayna Jain -
Philipp Rudo