This series includes four patches:
[1] Revert "kdump-lib: switch to the kexec_file_load() syscall on x86_64 by default"
[2] Revert "s390x: add kdump sysconfig option to use the kexec_file_load() syscall"
[3] x86_64: enable the kexec file load by default
[4] s390x: enable the kexec file load by default
Let's restore the logic of the secureboot status check, and remove the option 'KDUMP_FILE_LOAD=on|off'. We will use the option KEXEC_ARGS="-s" to enable the kexec file load by default, which can avoid failures when secureboot is enabled.
Lianbo Jiang (4):
  Revert "kdump-lib: switch to the kexec_file_load() syscall on x86_64 by default"
  Revert "s390x: add kdump sysconfig option to use the kexec_file_load() syscall"
  x86_64: enable the kexec file load by default
  s390x: enable the kexec file load by default

 dracut-early-kdump.sh  |  5 ++---
 kdump-lib.sh           | 29 +++++++++++++++++++++++++++++
 kdump.sysconfig.s390x  |  8 +-------
 kdump.sysconfig.x86_64 |  8 +-------
 kdumpctl               | 13 ++++++-------
 5 files changed, 39 insertions(+), 24 deletions(-)
This reverts commit 6a20bd54473e11011bf2b47efb52d0759d412854.
Let's restore the logic of the secureboot status check, and remove the option 'KDUMP_FILE_LOAD=on|off'. We will use the option KEXEC_ARGS="-s" to enable the kexec file load later, which can avoid failures when secureboot is enabled.
Signed-off-by: Lianbo Jiang <lijiang@redhat.com>
---
 dracut-early-kdump.sh  |  5 ++---
 kdump-lib.sh           | 29 +++++++++++++++++++++++++++++
 kdump.sysconfig.x86_64 |  6 ------
 kdumpctl               | 13 ++++++-------
 4 files changed, 37 insertions(+), 16 deletions(-)
diff --git a/dracut-early-kdump.sh b/dracut-early-kdump.sh index 6788a6b83431..69a34eb996cd 100755 --- a/dracut-early-kdump.sh +++ b/dracut-early-kdump.sh @@ -2,7 +2,6 @@
KEXEC=/sbin/kexec standard_kexec_args="-p" -KDUMP_FILE_LOAD=""
EARLY_KDUMP_INITRD="" EARLY_KDUMP_KERNEL="" @@ -44,8 +43,8 @@ early_kdump_load()
EARLY_KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
- if [ "$KDUMP_FILE_LOAD" == "on" ]; then - echo "Using kexec file based syscall." + if is_secure_boot_enforced; then + echo "Secure Boot is enabled. Using kexec file based syscall." EARLY_KEXEC_ARGS="$EARLY_KEXEC_ARGS -s" fi
diff --git a/kdump-lib.sh b/kdump-lib.sh index 6f250d4b4ebc..f78e06481ccc 100755 --- a/kdump-lib.sh +++ b/kdump-lib.sh @@ -597,6 +597,35 @@ need_64bit_headers() print (strtonum("0x" r[2]) > strtonum("0xffffffff")); }'` }
+# Check if secure boot is being enforced. +# +# Per Peter Jones, we need check efivar SecureBoot-$(the UUID) and +# SetupMode-$(the UUID), they are both 5 bytes binary data. The first four +# bytes are the attributes associated with the variable and can safely be +# ignored, the last bytes are one-byte true-or-false variables. If SecureBoot +# is 1 and SetupMode is 0, then secure boot is being enforced. +# +# Assume efivars is mounted at /sys/firmware/efi/efivars. +is_secure_boot_enforced() +{ + local secure_boot_file setup_mode_file + local secure_boot_byte setup_mode_byte + + secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-* 2>/dev/null) + setup_mode_file=$(find /sys/firmware/efi/efivars -name SetupMode-* 2>/dev/null) + + if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then + secure_boot_byte=$(hexdump -v -e '/1 "%d\ "' $secure_boot_file|cut -d' ' -f 5) + setup_mode_byte=$(hexdump -v -e '/1 "%d\ "' $setup_mode_file|cut -d' ' -f 5) + + if [ "$secure_boot_byte" = "1" ] && [ "$setup_mode_byte" = "0" ]; then + return 0 + fi + fi + + return 1 +} + # # prepare_kexec_args <kexec args> # This function prepares kexec argument. diff --git a/kdump.sysconfig.x86_64 b/kdump.sysconfig.x86_64 index e47e19564bc2..f67d99914ba4 100644 --- a/kdump.sysconfig.x86_64 +++ b/kdump.sysconfig.x86_64 @@ -38,9 +38,3 @@ KDUMP_IMG="vmlinuz"
#What is the images extension. Relocatable kernels don't have one KDUMP_IMG_EXT="" - -# Using kexec file based syscall by default -# -# Here, the "on" is the only valid value to enable the kexec file load and -# anything else is equal to the "off"(disable). -KDUMP_FILE_LOAD="on" diff --git a/kdumpctl b/kdumpctl index 70fb551fe8fb..d3ec4d725e39 100755 --- a/kdumpctl +++ b/kdumpctl @@ -4,7 +4,6 @@ KEXEC=/sbin/kexec KDUMP_KERNELVER="" KDUMP_COMMANDLINE="" KEXEC_ARGS="" -KDUMP_FILE_LOAD="" KDUMP_CONFIG_FILE="/etc/kdump.conf" MKDUMPRD="/sbin/mkdumprd -f" DRACUT_MODULES_FILE="/usr/lib/dracut/modules.txt" @@ -686,8 +685,11 @@ load_kdump() KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}") KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}" "${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}")
- if [ "$KDUMP_FILE_LOAD" == "on" ]; then - echo "Using kexec file based syscall." + # For secureboot enabled machines, use new kexec file based syscall. + # Old syscall will always fail as it does not have capability to + # to kernel signature verification. + if is_secure_boot_enforced; then + echo "Secure Boot is enabled. Using kexec file based syscall." KEXEC_ARGS="$KEXEC_ARGS -s" fi
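Review bot: the comment added above the is_secure_boot_enforced check in load_kdump() has a doubled word, "does not have capability to to kernel signature verification"; it should read "to do kernel signature verification". While touching this comment, it would also help to say that the check only adds -s and never removes it, so a -s already present in KEXEC_ARGS is left in place.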
@@ -699,9 +701,6 @@ load_kdump() return 0 else echo "kexec: failed to load kdump kernel" >&2 - if [ "$KDUMP_FILE_LOAD" == "on" ]; then - echo "kexec_file_load() failed, please try kexec_load()" >&2 - fi return 1 fi } @@ -1162,7 +1161,7 @@ stop_fadump()
stop_kdump() { - if [ "$KDUMP_FILE_LOAD" == "on" ]; then + if is_secure_boot_enforced; then $KEXEC -s -p -u else $KEXEC -p -u
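Review bot: in kdump-lib.sh, is_secure_boot_enforced() passes its patterns to find unquoted (-name SecureBoot-* and -name SetupMode-*) and hands $secure_boot_file and $setup_mode_file to hexdump unquoted. An unquoted pattern can be expanded by the shell against the current directory before find sees it, and if find returns more than one path the [ -f "$secure_boot_file" ] test fails, so the function returns 1 and every caller takes the non "-s" path without any message. Suggest -name 'SecureBoot-*' and -name 'SetupMode-*', quoting both variables in the hexdump calls, and logging when the variables exist but cannot be read as a single file.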
This reverts commit 66ff48ed6837961c2ebdd017195e6837136fdc4a.
Since the code logic has changed (related to the option 'KDUMP_FILE_LOAD=on|off'), we accordingly need to remove the option from the sysconfig file.
Signed-off-by: Lianbo Jiang <lijiang@redhat.com>
---
 kdump.sysconfig.s390x | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/kdump.sysconfig.s390x b/kdump.sysconfig.s390x index a0e5244970b4..2a24688012bb 100644 --- a/kdump.sysconfig.s390x +++ b/kdump.sysconfig.s390x @@ -41,9 +41,3 @@ KDUMP_IMG="vmlinuz"
#What is the images extension. Relocatable kernels don't have one KDUMP_IMG_EXT="" - -# Using kexec file based syscall by default -# -# Here, the "on" is the only valid value to enable the kexec file load and -# anything else is equal to the "off"(disable). -KDUMP_FILE_LOAD="on"
Let's use the option KEXEC_ARGS="-s" to enable the kexec file load by default.
Signed-off-by: Lianbo Jiang <lijiang@redhat.com>
---
 kdump.sysconfig.x86_64 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kdump.sysconfig.x86_64 b/kdump.sysconfig.x86_64 index f67d99914ba4..55f8b9b48f5c 100644 --- a/kdump.sysconfig.x86_64 +++ b/kdump.sysconfig.x86_64 @@ -28,7 +28,7 @@ KDUMP_COMMANDLINE_APPEND="irqpoll nr_cpus=1 reset_devices cgroup_disable=memory # # Example: # KEXEC_ARGS="--elf32-core-headers" -KEXEC_ARGS="" +KEXEC_ARGS="-s"
#Where to find the boot image #KDUMP_BOOTDIR="/boot"
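Review bot: with KEXEC_ARGS="-s" as the x86_64 default, load_kdump() from the first patch still appends another -s whenever is_secure_boot_enforced succeeds, and stop_kdump() chooses "$KEXEC -s -p -u" from the Secure Boot state alone rather than from KEXEC_ARGS. Either drop the now redundant append or make both paths check whether -s is already present, and confirm that the plain "$KEXEC -p -u" unload works for an image that was loaded with -s on a machine where Secure Boot is not enforced.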
Let's use the option KEXEC_ARGS="-s" to enable the kexec file load by default.
Signed-off-by: Lianbo Jiang <lijiang@redhat.com>
---
 kdump.sysconfig.s390x | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kdump.sysconfig.s390x b/kdump.sysconfig.s390x index 2a24688012bb..25f7be533885 100644 --- a/kdump.sysconfig.s390x +++ b/kdump.sysconfig.s390x @@ -31,7 +31,7 @@ MKDUMPRD_ARGS="" # # Example: # KEXEC_ARGS="--elf32-core-headers" -KEXEC_ARGS="" +KEXEC_ARGS="-s"
#Where to find the boot image #KDUMP_BOOTDIR="/boot"
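Review bot: the comment block above KEXEC_ARGS in kdump.sysconfig.s390x still shows only the --elf32-core-headers example and says nothing about the new "-s" default. A line stating that -s selects the kexec_file_load() syscall, and that removing it falls back to kexec_load(), would help anyone who edits this value; the same applies to the x86_64 file changed in the previous patch.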
On 06/29/20 at 09:13pm, Lianbo Jiang wrote:
> This series includes four patches:
> [1] Revert "kdump-lib: switch to the kexec_file_load() syscall on x86_64 by default"
> [2] Revert "s390x: add kdump sysconfig option to use the kexec_file_load() syscall"
> [3] x86_64: enable the kexec file load by default
> [4] s390x: enable the kexec file load by default
>
> Let's restore the logic of the secureboot status check, and remove the option 'KDUMP_FILE_LOAD=on|off'. We will use the option KEXEC_ARGS="-s" to enable the kexec file load by default, which can avoid failures when secureboot is enabled.

In addition to the patch log: a new config option is not worth it for the internal design to choose a syscall, so we switch back to adding "-s" in KEXEC_ARGS instead.

> Lianbo Jiang (4):
>   Revert "kdump-lib: switch to the kexec_file_load() syscall on x86_64 by default"
>   Revert "s390x: add kdump sysconfig option to use the kexec_file_load() syscall"
>   x86_64: enable the kexec file load by default
>   s390x: enable the kexec file load by default
>
>  dracut-early-kdump.sh  |  5 ++---
>  kdump-lib.sh           | 29 +++++++++++++++++++++++++++++
>  kdump.sysconfig.s390x  |  8 +-------
>  kdump.sysconfig.x86_64 |  8 +-------
>  kdumpctl               | 13 ++++++-------
>  5 files changed, 39 insertions(+), 24 deletions(-)
--
2.17.1
_______________________________________________
kexec mailing list -- kexec@lists.fedoraproject.org
To unsubscribe send an email to kexec-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kexec@lists.fedoraproject.org
Acked-by: Dave Young <dyoung@redhat.com>

Thanks
Dave