Kdump does not support secure boot yet, so let's claim it is not supported
at the beginning of the service start function.
To check the secure boot status, this patch reads the efivars, per a
suggestion from pjones. See the code comments for details.
Tested in Fedora 19 + qemu ovmf with secure boot enabled.
Signed-off-by: Dave Young <dyoung(a)redhat.com>
---
kdumpctl | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
--- kexec-tools.orig/kdumpctl
+++ kexec-tools/kdumpctl
@@ -500,8 +500,44 @@ selinux_relabel()
done
}
+# Check if secure boot is being enforced.
+#
+# Per Peter Jones, we need check efivar SecureBoot-$(the UUID) and
+# SetupMode-$(the UUID), they are both 5 bytes binary data. The first four
+# bytes are the attributes associated with the variable and can safely be
+# ignored, the last bytes are one-byte true-or-false variables. If SecureBoot
+# is 1 and SetupMode is 0, then secure boot is being enforced.
+#
+# Assume efivars is mounted at /sys/firmware/efi/efivars.
+function check_secure_boot()
+{
+ local secure_boot_file setup_mode_file
+ local secure_boot_byte setup_mode_byte
+
+ secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-* 2>/dev/null)
+ setup_mode_file=$(find /sys/firmware/efi/efivars -name SetupMode-* 2>/dev/null)
+
+ if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
+ secure_boot_byte=$(hexdump -v -e '/1 "%d\ "' $secure_boot_file|cut -d' ' -f 5)
+ setup_mode_byte=$(hexdump -v -e '/1 "%d\ "' $setup_mode_file|cut -d' ' -f 5)
+
+ if [ "$secure_boot_byte" = "1" ] && [ "$setup_mode_byte" = "0" ]; then
+ return 0
+ fi
+fi
+
+ return 1
+}
+
function start()
{
+ check_secure_boot
+ if [ $? -eq 0 ]; then
+ echo "Secure boot is not supported in kdump yet. Please disable secure boot and retry."
+ echo "Starting kdump: [FAILED]"
+ return 1
+ fi
+
check_config
if [ $? -ne 0 ]; then
echo "Starting kdump: [FAILED]"
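Review bot: The `-name SecureBoot-*` and `-name SetupMode-*` patterns in check_secure_boot are unquoted, so the shell may expand them against the current working directory before find runs; with stderr discarded, a changed or failing find leaves the variable empty and the function returns 1, which start() reads as "secure boot not enforced". Quote the patterns, e.g. `find /sys/firmware/efi/efivars -name 'SecureBoot-*' 2>/dev/null`, and quote `"$secure_boot_file"` and `"$setup_mode_file"` in the two hexdump calls. If find returns more than one path, the `[ -f "$secure_boot_file" ]` test also fails and falls through to `return 1`, so every error path here reports "not enforced"; a comment stating that this fallback is intended would help the next reader. The body of start() continues past the end of the hunk.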