Hi Nayna,
All in all I'm fine with the change. There are a few nits though.
On Tue, 26 Sep 2023 06:07:53 -0400
Nayna Jain <nayna(a)linux.ibm.com> wrote:
On secure boot enabled systems with static keys, kexec with
kexec_file_load(-s)
fails as "Permission Denied" when fadump is enabled.
Similar to kdump, load kernel signing key for fadump as well.
Reported-by: Sachin P Bappalige <sachinpb(a)linux.vnet.ibm.com>
Signed-off-by: Nayna Jain <nayna(a)linux.ibm.com>
---
Changelog:
v2:
Included feedback from Coiby:
* Moved loading of key to start_dump()
* Also moved addition of -s kexec arg to prepare_kexec_args() for file
based syscall.
kdump-lib.sh | 8 ++++++++
kdumpctl | 15 +++++++--------
2 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/kdump-lib.sh b/kdump-lib.sh
index 042ac87..5e7903f 100755
--- a/kdump-lib.sh
+++ b/kdump-lib.sh
@@ -501,6 +501,14 @@ prepare_kexec_args()
fi
fi
fi
+
+ # For secureboot enabled machines, use new kexec file based syscall.
+ # Old syscall will always fail as it does not have capability to do
+ # kernel signature verification.
+ if is_secure_boot_enforced; then
+ kexec_args="$kexec_args -s"
+ fi
+
When you move the check to prepare_kexec_args you also have to update
dracut-early-kdump.sh. Otherwise it will add the -s option twice.
Furthermore the info message should be printed here, not when loading
the kdump key as you are switching to kexec_file_load by adding the -s
option. Not by loading the key.
echo "$kexec_args"
}
diff --git a/kdumpctl b/kdumpctl
index 9671410..9ceeed2 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -690,14 +690,6 @@ load_kdump()
KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}"
"${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}")
- # For secureboot enabled machines, use new kexec file based syscall.
- # Old syscall will always fail as it does not have capability to
- # to kernel signature verification.
- if is_secure_boot_enforced; then
- dinfo "Secure Boot is enabled. Using kexec file based syscall."
- KEXEC_ARGS="$KEXEC_ARGS -s"
- load_kdump_kernel_key
- fi
if is_uki "$KDUMP_KERNEL"; then
uki=$KDUMP_KERNEL
@@ -984,6 +976,13 @@ start_fadump()
start_dump()
{
+ # On secure boot enabled systems, load kernel signing key on .ima for signature
+ # verification using kexec file based syscall.
+ if is_secure_boot_enforced; then
I would prefer if you added an explicit '[[ "$(uname -m)" == ppc64le ]]
&&' here. Although load_kdump_kernel_key shouldn't do anything for other
architectures I think having this extra layer of security is good to
have. Furthermore it makes it clear for developers that this is special
handling only needed for ppc.
Thanks
Philipp
+ dinfo "Secure Boot is enabled. Using kexec file based
syscall."
+ load_kdump_kernel_key
+ fi
+
if [[ $DEFAULT_DUMP_MODE == "fadump" ]]; then
start_fadump
else