[PATCH] mkdumprd: allow spaces after 'path' config phrase when network dump
by Kazuhito Hagio
Without this patch, when there are two or more spaces after 'path'
configuration phrase with ssh or nfs setting, SAVE_PATH is set to
'/var/crash' in mkdumprd, and in most cases kdump service fails to
start.
  ssh kdump(a)192.168.122.1
  path  /kdump
      ^^
This behavior would be too sensitive and different from the other
configurations. With this patch, mkdumprd allows such spaces.
Signed-off-by: Kazuhito Hagio <k-hagio(a)ab.jp.nec.com>
---
mkdumprd | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mkdumprd b/mkdumprd
index a6f7fe8..aa0abfd 100644
--- a/mkdumprd
+++ b/mkdumprd
@@ -13,7 +13,7 @@ export IN_KDUMP=1
conf_file="/etc/kdump.conf"
SSH_KEY_LOCATION="/root/.ssh/kdump_id_rsa"
-SAVE_PATH=$(grep ^path $conf_file| cut -d' ' -f2)
+SAVE_PATH=$(awk '/^path/ {print $2}' $conf_file)
[ -z "$SAVE_PATH" ] && SAVE_PATH=$DEFAULT_PATH
# strip the duplicated "/"
SAVE_PATH=$(echo $SAVE_PATH | tr -s /)
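Review bot: The new pattern `/^path/` on the SAVE_PATH line matches any line that merely begins with "path", and `$conf_file` is left unquoted, so a key sharing that prefix or a repeated `path` line would put several values into SAVE_PATH. Matching the first field exactly avoids that and still tolerates any amount of whitespace: `SAVE_PATH=$(awk '$1 == "path" {print $2}' "$conf_file")`. Because `{print $2}` drops everything after the first whitespace in the value, the commit message should also state that a path containing spaces is not supported.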
--
2.18.0
1 year, 6 months
[PATCH 0/4] Fix kdump failure with upstream dracut due to missing 'ip' tool
by Kairui Song
Upstream dracut made some changes; a main issue is that it introduced the
network-manager module, which breaks kdump network dump. This patch series
fixed the missing ip binary issue. There are still some other remaining
issues: the initqueue is also broken and we might need to introduce an
initqueue/finished hook for kdump only. This issue is raised in dracut
upstream here: https://github.com/dracutdevs/dracut/issues/694
We may fix it in kexec-tools later in another series.
Also included are two clean up patches I found could be helpful when fixing
this issue.
Kairui Song (4):
kdump-lib: Don't abuse echo, and clean up
Always use get_save_path to get the 'path' option
kdump-lib.sh: Fix is_nfs_dump_target
Fix potential ssh/nfs kdump failure of missing "ip" command
dracut-module-setup.sh | 20 ++++++--------
kdump-lib.sh | 59 +++++++++++++++++++++++-------------------
2 files changed, 41 insertions(+), 38 deletions(-)
--
2.23.0
3 years, 11 months
[PATCH] Always install sed and awk
by Kairui Song
sed and awk are heavily used everywhere in the code, but they are not
explicitly installed by the kdump dracut module. If the modules in dracut
stop installing them (which already happened with latest dracut
upstream), kdump will break.
Signed-off-by: Kairui Song <kasong(a)redhat.com>
---
dracut-module-setup.sh | 2 ++
1 file changed, 2 insertions(+)
diff --git a/dracut-module-setup.sh b/dracut-module-setup.sh
index 9babae8..3558a0f 100755
--- a/dracut-module-setup.sh
+++ b/dracut-module-setup.sh
@@ -819,6 +819,8 @@ install() {
inst "/bin/sync" "/bin/sync"
inst "/bin/cut" "/bin/cut"
inst "/bin/head" "/bin/head"
+ inst "/bin/awk" "/bin/awk"
+ inst "/bin/sed" "/bin/sed"
inst "/sbin/makedumpfile" "/sbin/makedumpfile"
inst "/sbin/vmcore-dmesg" "/sbin/vmcore-dmesg"
inst "/lib/kdump/kdump-lib.sh" "/lib/kdump-lib.sh"
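Review bot: The two added `inst` lines in install() carry no comment saying why awk and sed are installed explicitly, so a later cleanup could drop them as redundant with what dracut's own modules provide. A one-line comment with the reason from the commit message would prevent that. Also confirm that `/bin/awk` resolves to gawk inside the initramfs: the need_64bit_headers() context lines in the kdump-lib.sh patches on this list call `strtonum()`, which is a gawk extension.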
--
2.23.0
3 years, 11 months
[PATCH] mkdumprd: Fix dracut args parsing
by Kairui Song
Previous commit f13eab6 ('mkdumprd: simplify dracut args parsing')
broke dracut arguments parsing for some use cases; this should fix it
well.
Passed nfs/local/iscsi/ssh dump test, and with extra dracut_args.
Signed-off-by: Kairui Song <kasong(a)redhat.com>
---
mkdumprd | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/mkdumprd b/mkdumprd
index 76ae7a0..6c33fc5 100644
--- a/mkdumprd
+++ b/mkdumprd
@@ -41,15 +41,15 @@ add_dracut_arg() {
}
add_dracut_module() {
- add_dracut_arg "--add" "$1"
+ add_dracut_arg "--add" "\"$1\""
}
add_dracut_mount() {
- add_dracut_arg "--mount" "$1"
+ add_dracut_arg "--mount" "\"$1\""
}
add_dracut_sshkey() {
- add_dracut_arg "--sshkey" "$1"
+ add_dracut_arg "--sshkey" "\"$1\""
}
# caller should ensure $1 is valid and mounted in 1st kernel
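Review bot: In all three helpers the value is now wrapped in literal quotes (`"\"$1\""`), which only works if the accumulated argument string is re-parsed by the shell later, and add_dracut_arg is not shown in this hunk to confirm how that happens. With that approach a `"`, `$` or backtick inside `$1` (a mount option string, for example) ends the quoting or is expanded at re-parse time. Collecting the arguments in a bash array and expanding it quoted would keep each value intact without a second parse. The commit message should also name the use case that f13eab6 broke, so the fix can be checked against it.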
--
2.23.0
3 years, 11 months
[PATCH v4] kdump-lib: switch to the kexec_file_load() syscall on x86_64 by default
by Lianbo Jiang
UEFI Secure boot is a signature verification mechanism designed to
prevent malicious code from being loaded and executed at the early boot stage.
This makes sure that code executed is trusted by firmware.
Previously, with kexec_file_load() interface, kernel prevents unsigned
kernel image from being loaded if secure boot is enabled. So kdump will
detect whether secure boot is enabled firstly, then decide which interface
is chosen to execute, kexec_load() or kexec_file_load(). Otherwise unsigned
kernel loading will fail if secure boot enabled, and kexec_file_load() is
entered.
Now, the implementation of kexec_file_load() is adjusted in below commit.
With this change, if CONFIG_KEXEC_SIG_FORCE is not set, unsigned kernel
still has a chance to be allowed to load under some conditions.
commit 99d5cadfde2b ("kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG
and KEXEC_SIG_FORCE")
And in the current Fedora, the CONFIG_KEXEC_SIG_FORCE is not set, only the
CONFIG_KEXEC_SIG and CONFIG_BZIMAGE_VERIFY_SIG are set on x86_64 by default.
It's time to spread kexec_file_load() onto all systems of x86_64, including
Secure-boot platforms and legacy platforms. Please refer to the following
form.
.----------------------------------------------------------------------.
| . | signed kernel | unsigned kernel |
| . types |-----------------------|-----------------------|
| . |Secure boot| Legacy |Secure boot| Legacy |
| . |-----------|-----------|-----------|-----------|
| options . | prev| now | prev| now | | | prev| now |
| . |(file|(file|(only|(file| prev| now |(only|(file|
| . |load)|load)|load)|load)| | |load)|load)|
|----------------------|-----|-----|-----|-----|-----|-----|-----|-----|
|KEXEC_SIG=y | | | | | | | | |
|SIG_FORCE is not set |succ |succ |succ |succ | X | X |succ |succ |
|BZIMAGE_VERIFY_SIG=y | | | | | | | | |
|----------------------|-----|-----|-----|-----|-----|-----|-----|-----|
|KEXEC_SIG=y | | | | | | | | |
|SIG_FORCE is not set | | | | | | | | |
|BZIMAGE_VERIFY_SIG is |fail |fail |succ |fail | X | X |succ |fail |
|not set | | | | | | | | |
|----------------------|-----|-----|-----|-----|-----|-----|-----|-----|
|KEXEC_SIG=y | | | | | | | | |
|SIG_FORCE=y |succ |succ |succ |fail | X | X |succ |fail |
|BZIMAGE_VERIFY_SIG=y | | | | | | | | |
|----------------------|-----|-----|-----|-----|-----|-----|-----|-----|
|KEXEC_SIG=y | | | | | | | | |
|SIG_FORCE=y | | | | | | | | |
|BZIMAGE_VERIFY_SIG is |fail |fail |succ |fail | X | X |succ |fail |
|not set | | | | | | | | |
|----------------------|-----|-----|-----|-----|-----|-----|-----|-----|
|KEXEC_SIG is not set | | | | | | | | |
|SIG_FORCE is not set | | | | | | | | |
|BZIMAGE_VERIFY_SIG is |fail |fail |succ |succ | X | X |succ |succ |
|not set | | | | | | | | |
----------------------------------------------------------------------
Note:
[1] The 'X' indicates that the 1st kernel(unsigned) can not boot when the
Secure boot is enabled.
Hence, in this patch, if on x86_64, let's use the kexec_file_load() only. See if
anything wrong happens in this case, in Fedora firstly for the time being.
Signed-off-by: Lianbo Jiang <lijiang(a)redhat.com>
---
Changes since v1:
[1] Improve patch log.
[2] Change the is_secure_boot_enforced() to use_kexec_file_load().
[3] Amend the code comment.
[4] Add the form for the kbuild options.
Changes since v2:
[1] Improve patch log.
[2] Also rewrite the form for the kbuild options.
Changes since v3:
[1] Improve patch log.
[2] Display an error message and ask user to try kexec_load() once the
kexec_file_load() failed.
dracut-early-kdump.sh | 4 ++--
kdump-lib.sh | 31 +++++++++++--------------------
kdumpctl | 13 +++++++------
3 files changed, 20 insertions(+), 28 deletions(-)
diff --git a/dracut-early-kdump.sh b/dracut-early-kdump.sh
index 69a34eb996cd..bfb923d6efa1 100755
--- a/dracut-early-kdump.sh
+++ b/dracut-early-kdump.sh
@@ -43,8 +43,8 @@ early_kdump_load()
EARLY_KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
- if is_secure_boot_enforced; then
- echo "Secure Boot is enabled. Using kexec file based syscall."
+ if use_kexec_file_load; then
+ echo "Using kexec file based syscall."
EARLY_KEXEC_ARGS="$EARLY_KEXEC_ARGS -s"
fi
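Review bot: early_kdump_load() now always passes `-s` on x86_64, but this file gets no counterpart to the "kexec_file_load() failed, please try kexec_load()" hint that this version adds to load_kdump() in kdumpctl. A failed early kdump load therefore gives the user no pointer to the other syscall. Print the same hint here, or move it into a shared helper in kdump-lib.sh so both callers report it.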
diff --git a/kdump-lib.sh b/kdump-lib.sh
index f393c76b9cbb..5b6684992553 100755
--- a/kdump-lib.sh
+++ b/kdump-lib.sh
@@ -589,30 +589,21 @@ need_64bit_headers()
print (strtonum("0x" r[2]) > strtonum("0xffffffff")); }'`
}
-# Check if secure boot is being enforced.
#
-# Per Peter Jones, we need check efivar SecureBoot-$(the UUID) and
-# SetupMode-$(the UUID), they are both 5 bytes binary data. The first four
-# bytes are the attributes associated with the variable and can safely be
-# ignored, the last bytes are one-byte true-or-false variables. If SecureBoot
-# is 1 and SetupMode is 0, then secure boot is being enforced.
+# Currently, Secure Boot is only used on x86_64 and kernel enabled the
+# kexec_file_load() on x86_64 by default.
+# In addition, kernel also enables the option KEXEC_SIG, which makes the
+# kexec_file_load() syscall checks for a valid signature of the kernel
+# image if there is a signature(It must be valid). And the images can
+# still be loaded without a valid signature. So let kexec-tools change
+# as well.
#
-# Assume efivars is mounted at /sys/firmware/efi/efivars.
-is_secure_boot_enforced()
+use_kexec_file_load()
{
- local secure_boot_file setup_mode_file
- local secure_boot_byte setup_mode_byte
+ local arch_name=`uname -m`
- secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-* 2>/dev/null)
- setup_mode_file=$(find /sys/firmware/efi/efivars -name SetupMode-* 2>/dev/null)
-
- if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
- secure_boot_byte=$(hexdump -v -e '/1 "%d\ "' $secure_boot_file|cut -d' ' -f 5)
- setup_mode_byte=$(hexdump -v -e '/1 "%d\ "' $setup_mode_file|cut -d' ' -f 5)
-
- if [ "$secure_boot_byte" = "1" ] && [ "$setup_mode_byte" = "0" ]; then
- return 0
- fi
+ if [ "$arch_name" == "x86_64" ]; then
+ return 0
fi
return 1
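Review bot: use_kexec_file_load() drops the efivars check entirely, so a non-x86_64 machine with Secure Boot enforced now returns 1 and is sent down the kexec_load() path, which the comment removed from kdumpctl in this same patch describes as always failing on Secure Boot machines. The whole decision rests on the new comment's claim that "Secure Boot is only used on x86_64". Either keep is_secure_boot_enforced() and return 0 when the architecture is x86_64 or Secure Boot is enforced, or document why other UEFI architectures cannot reach this case.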
diff --git a/kdumpctl b/kdumpctl
index 2d21a416deb1..f119fd9305ff 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -678,11 +678,9 @@ load_kdump()
KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}" "${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}")
- # For secureboot enabled machines, use new kexec file based syscall.
- # Old syscall will always fail as it does not have capability to
- # to kernel signature verification.
- if is_secure_boot_enforced; then
- echo "Secure Boot is enabled. Using kexec file based syscall."
+ # On x86_64 machine, lets use kexec file based syscall by default.
+ if use_kexec_file_load; then
+ echo "Using kexec file based syscall."
KEXEC_ARGS="$KEXEC_ARGS -s"
fi
@@ -694,6 +692,9 @@ load_kdump()
return 0
else
echo "kexec: failed to load kdump kernel" >&2
+ if [ -n "$KEXEC_ARGS" ]; then
+ echo "kexec_file_load() failed, please try kexec_load()" >&2
+ fi
return 1
fi
}
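Review bot: The new check `[ -n "$KEXEC_ARGS" ]` in the failure branch does not test whether `-s` was used. It is true for any non-empty KEXEC_ARGS, so on an architecture where use_kexec_file_load() returns 1 a failed kexec_load() would still be reported as "kexec_file_load() failed". Record the decision in a variable where `-s` is appended and test that instead. The hint also tells the user to try kexec_load(), but with `-s` appended on every x86_64 machine the visible code offers no way to do so; say how in the message, or add the switch.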
@@ -1162,7 +1163,7 @@ stop_fadump()
stop_kdump()
{
- if is_secure_boot_enforced; then
+ if use_kexec_file_load; then
$KEXEC -s -p -u
else
$KEXEC -p -u
--
2.17.1
3 years, 11 months
RE: [PATCH 1/3] dracut-kdump.sh: Execute the binary and script files
in /etc/kdump/{pre.d,post.d}.
by onitsuka.shinic@fujitsu.com
> -----Original Message-----
> From: Hatayama, Daisuke/畑山 大輔 <d.hatayama(a)fujitsu.com>
> Sent: Wednesday, November 13, 2019 6:16 PM
> To: Onitsuka, Shinichi/鬼束 伸一 <onitsuka.shinic(a)fujitsu.com>
> Cc: kexec(a)lists.fedoraproject.org; 'Kairui Song' <kasong(a)redhat.com>
> Subject: RE: [PATCH 1/3] dracut-kdump.sh: Execute the binary and script files in /etc/kdump/{pre.d,post.d}.
>
>
>
> > -----Original Message-----
> > From: Kairui Song [mailto:kasong@redhat.com]
> > Sent: Tuesday, November 12, 2019 6:05 PM
> > To: Onitsuka, Shinichi/鬼束 伸一 <onitsuka.shinic(a)fujitsu.com>
> > Cc: kexec(a)lists.fedoraproject.org
> > Subject: Re: [PATCH 1/3] dracut-kdump.sh: Execute the binary and script files
> > in /etc/kdump/{pre.d,post.d}.
> >
> > On Wed, Nov 6, 2019 at 12:26 PM onitsuka.shinic(a)fujitsu.com
> > <onitsuka.shinic(a)fujitsu.com> wrote:
> > >
> > > This patch executes the binary and script files in /etc/kdump/{pre.d,post.d}
> > > just like kdump_pre or kdump_post directive written in /etc/kdump.conf.
> > >
> > > Signed-off-by: shin-onitsuka <onitsuka.shinic(a)fujitsu.com>
> > >
> > > ---
> > > dracut-kdump.sh | 36 ++++++++++++++++++++++++++++++++++++
> > > 1 file changed, 36 insertions(+)
> > >
> > > diff --git a/dracut-kdump.sh b/dracut-kdump.sh
> > > index 2ae1c7c..51a1f73 100755
> > > --- a/dracut-kdump.sh
> > > +++ b/dracut-kdump.sh
> > > @@ -30,15 +30,51 @@ do_dump()
> > >
> > > do_kdump_pre()
> > > {
> > > + local _ret
> > > +
> > > if [ -n "$KDUMP_PRE" ]; then
> > > "$KDUMP_PRE"
> > > + _ret=$?
> > > + if [ $_ret -ne 0 ]; then
> > > + echo "kdump: $KDUMP_PRE exited with $_ret status"
> > > + return $_ret
> > > + fi
> > > + fi
> > > +
> > > + if [ -d /etc/kdump/pre.d ]; then
> > > + for file in `find /etc/kdump/pre.d -type f | sort`; do
> > > + "$file"
> > > + _ret=$?
> > > + if [ $_ret -ne 0 ]; then
> > > + echo "kdump: $file exited with $_ret status"
> > > + return $_ret
> > > + fi
> > > + done
> > > fi
> > > }
> >
> > Currently the behavior is:
> > # kdump_pre <binary | script>
> > # - Works like the "kdump_post" directive, but instead of running
> > # after the dump process, runs immediately before it.
> > # Exit status of this binary is interpreted as follows:
> > # 0 - continue with dump process as usual
> > # non 0 - reboot the system
> >
> > After this patch, if any one of the scripts in pre.d failed, rest of
> > the scripts will be skipped, and kdump will reboot the system.
> > Better to doc this somewhere.
> >
> > And this whole new thing needs a proper doc too.
> >
>
> In addition to the Kairui's comment,
> please mention explicitly in the doc the order of execution of
> kdump_pre and files in /etc/kdump/pre.d, i.e. the command specified
> in kdump_pre is first executed and then the rest of the commands
> under /etc/kdump/pre.d directory are executed.
>
How about the idea to behave as follows?
script/binary | behavior of non 0 Exit status
----------------+-------------------------------------------
in kdump_pre | reboot the system with error message
| (as usual)
----------------+-------------------------------------------
in kdump/pre.d | continue with next script/binary or kdump
| with error message
The script/binary that has already been specified by kdump_pre can be executed
without the correction.
On the other hand, the script/binary that will be specified by kdump/pre.d
should not return with a non 0 exit code but reboot the system,
if it wants the rest of the scripts/binaries and kdump to be skipped.
> > >
> > > do_kdump_post()
> > > {
> > > + local _ret
> > > +
> > > + if [ -d /etc/kdump/post.d ]; then
> > > + for file in `find /etc/kdump/post.d -type f | sort`; do
> > > + "$file" "$1"
> > > + _ret=$?
> > > + if [ $_ret -ne 0 ]; then
> > > + echo "kdump: $file exited with $_ret status"
> > > + return $_ret
> > > + fi
> > > + done
> > > + fi
> > > +
> > > if [ -n "$KDUMP_POST" ]; then
> > > "$KDUMP_POST" "$1"
> > > + _ret=$?
> > > + if [ $_ret -ne 0 ]; then
> > > + echo "kdump: $KDUMP_POST exited with $_ret status"
> > > + return $_ret
> > > + fi
> > > fi
> > > }
> > >
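Review bot: The loops over `find /etc/kdump/pre.d -type f | sort` and the post.d equivalent run every regular file found, at any depth, and split the list on whitespace. A non-executable file such as a README or an editor backup fails to exec, and that non-zero status takes the `return $_ret` path, which for pre.d means the reboot behaviour Kairui describes; a file name containing a space is split into two bogus commands. Iterate with a glob (`for file in /etc/kdump/pre.d/*`), skip entries that fail `[ -x "$file" ]`, and document that only executables directly in the directory are run.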
> > > --
> > > 1.8.3.1
> >
> > --
> > Best Regards,
> > Kairui Song
3 years, 11 months
[PATCH v3] kdump-lib: switch to the kexec_file_load() syscall on x86_64 by default
by Lianbo Jiang
UEFI Secure boot is a signature verification mechanism designed to
prevent malicious code from being loaded and executed at the early boot stage.
This makes sure that code executed is trusted by firmware.
Previously, with kexec_file_load() interface, kernel prevents unsigned
kernel image from being loaded if secure boot is enabled. So kdump will
detect whether secure boot is enabled firstly, then decide which interface
is chosen to execute, kexec_load() or kexec_file_load(). Otherwise unsigned
kernel loading will fail if secure boot enabled, and kexec_file_load() is
entered.
Now, the implementation of kexec_file_load() is adjusted in below commit.
With this change, if CONFIG_KEXEC_SIG_FORCE is not set, unsigned kernel
still has chance to be allowed to load under some conditions.
commit 99d5cadfde2b ("kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG
and KEXEC_SIG_FORCE")
And in the current fedora and RHEL, CONFIG_KEXEC_SIG_FORCE is not set, only
CONFIG_KEXEC_SIG and CONFIG_BZIMAGE_VERIFY_SIG are set on x86_64 by default.
It's time to spread kexec_file_load() onto all systems of x86_64, including
Secure-boot platforms and legacy platforms. Please refer to the following
form.
.----------------------------------------------------------------------.
| . | signed kernel | unsigned kernel |
| . types |-----------------------|-----------------------|
| . |Secure boot| Legacy |Secure boot| Legacy |
| . |-----------|-----------|-----------|-----------|
| options . | prev| now | prev| now | | | prev| now |
| . |(file|(file|(only|(file| prev| now |(only|(file|
| . |load)|load)|load)|load)| | |load)|load)|
|----------------------|-----|-----|-----|-----|-----|-----|-----|-----|
|KEXEC_SIG=y | | | | | | | | |
|SIG_FORCE is not set |succ |succ |succ |succ | X | X |succ |succ |
|BZIMAGE_VERIFY_SIG=y | | | | | | | | |
|----------------------|-----|-----|-----|-----|-----|-----|-----|-----|
|KEXEC_SIG=y | | | | | | | | |
|SIG_FORCE is not set | | | | | | | | |
|BZIMAGE_VERIFY_SIG is |fail |fail |succ |fail | X | X |succ |fail |
|not set | | | | | | | | |
|----------------------|-----|-----|-----|-----|-----|-----|-----|-----|
|KEXEC_SIG=y | | | | | | | | |
|SIG_FORCE=y |succ |succ |succ |fail | X | X |succ |fail |
|BZIMAGE_VERIFY_SIG=y | | | | | | | | |
|----------------------|-----|-----|-----|-----|-----|-----|-----|-----|
|KEXEC_SIG=y | | | | | | | | |
|SIG_FORCE=y | | | | | | | | |
|BZIMAGE_VERIFY_SIG is |fail |fail |succ |fail | X | X |succ |fail |
|not set | | | | | | | | |
|----------------------|-----|-----|-----|-----|-----|-----|-----|-----|
|KEXEC_SIG is not set | | | | | | | | |
|SIG_FORCE is not set | | | | | | | | |
|BZIMAGE_VERIFY_SIG is |fail |fail |succ |succ | X | X |succ |succ |
|not set | | | | | | | | |
----------------------------------------------------------------------
Note:
[1] The 'X' indicates that the 1st kernel(unsigned) can not boot when the
Secure boot is enabled.
Hence, in this patch, if on x86, let's use the kexec_file_load() only. See if
anything wrong happens in this case, in Fedora firstly for the time being.
Signed-off-by: Lianbo Jiang <lijiang(a)redhat.com>
---
dracut-early-kdump.sh | 4 ++--
kdump-lib.sh | 31 +++++++++++--------------------
kdumpctl | 10 ++++------
3 files changed, 17 insertions(+), 28 deletions(-)
diff --git a/dracut-early-kdump.sh b/dracut-early-kdump.sh
index 69a34eb996cd..bfb923d6efa1 100755
--- a/dracut-early-kdump.sh
+++ b/dracut-early-kdump.sh
@@ -43,8 +43,8 @@ early_kdump_load()
EARLY_KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
- if is_secure_boot_enforced; then
- echo "Secure Boot is enabled. Using kexec file based syscall."
+ if use_kexec_file_load; then
+ echo "Using kexec file based syscall."
EARLY_KEXEC_ARGS="$EARLY_KEXEC_ARGS -s"
fi
diff --git a/kdump-lib.sh b/kdump-lib.sh
index f393c76b9cbb..5b6684992553 100755
--- a/kdump-lib.sh
+++ b/kdump-lib.sh
@@ -589,30 +589,21 @@ need_64bit_headers()
print (strtonum("0x" r[2]) > strtonum("0xffffffff")); }'`
}
-# Check if secure boot is being enforced.
#
-# Per Peter Jones, we need check efivar SecureBoot-$(the UUID) and
-# SetupMode-$(the UUID), they are both 5 bytes binary data. The first four
-# bytes are the attributes associated with the variable and can safely be
-# ignored, the last bytes are one-byte true-or-false variables. If SecureBoot
-# is 1 and SetupMode is 0, then secure boot is being enforced.
+# Currently, Secure Boot is only used on x86_64 and kernel enabled the
+# kexec_file_load() on x86_64 by default.
+# In addition, kernel also enables the option KEXEC_SIG, which makes the
+# kexec_file_load() syscall checks for a valid signature of the kernel
+# image if there is a signature(It must be valid). And the images can
+# still be loaded without a valid signature. So let kexec-tools change
+# as well.
#
-# Assume efivars is mounted at /sys/firmware/efi/efivars.
-is_secure_boot_enforced()
+use_kexec_file_load()
{
- local secure_boot_file setup_mode_file
- local secure_boot_byte setup_mode_byte
+ local arch_name=`uname -m`
- secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-* 2>/dev/null)
- setup_mode_file=$(find /sys/firmware/efi/efivars -name SetupMode-* 2>/dev/null)
-
- if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
- secure_boot_byte=$(hexdump -v -e '/1 "%d\ "' $secure_boot_file|cut -d' ' -f 5)
- setup_mode_byte=$(hexdump -v -e '/1 "%d\ "' $setup_mode_file|cut -d' ' -f 5)
-
- if [ "$secure_boot_byte" = "1" ] && [ "$setup_mode_byte" = "0" ]; then
- return 0
- fi
+ if [ "$arch_name" == "x86_64" ]; then
+ return 0
fi
return 1
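Review bot: Style in the new use_kexec_file_load() body: `[ "$arch_name" == "x86_64" ]` uses `==`, which is a bash extension inside `[ ]`, while the code being removed used the portable `=`, and `local arch_name=` takes its value from backticks where the removed function used `$(...)`. Prefer `=` and `$(uname -m)` to stay consistent with the rest of the file. The bare `#` context line now opens the comment block and can be dropped.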
diff --git a/kdumpctl b/kdumpctl
index 2d21a416deb1..d1c987773cf9 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -678,11 +678,9 @@ load_kdump()
KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}" "${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}")
- # For secureboot enabled machines, use new kexec file based syscall.
- # Old syscall will always fail as it does not have capability to
- # to kernel signature verification.
- if is_secure_boot_enforced; then
- echo "Secure Boot is enabled. Using kexec file based syscall."
+ # On x86_64 machine, lets use kexec file based syscall by default.
+ if use_kexec_file_load; then
+ echo "Using kexec file based syscall."
KEXEC_ARGS="$KEXEC_ARGS -s"
fi
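Review bot: Appending `-s` for every x86_64 machine in load_kdump() changes the outcome for configurations that the commit message's own table marks as regressions: in three of the five rows the Legacy columns go from succ under "prev" to fail under "now". load_kdump() should either fall back to kexec_load() when the file-based load fails on a machine without Secure Boot, or at least tell the user which syscall was attempted when the load fails.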
@@ -1162,7 +1160,7 @@ stop_fadump()
stop_kdump()
{
- if is_secure_boot_enforced; then
+ if use_kexec_file_load; then
$KEXEC -s -p -u
else
$KEXEC -p -u
--
2.17.1
3 years, 11 months
[PATCH v2] kdump-lib: switch to the kexec_file_load() syscall on x86_64 by default
by Lianbo Jiang
UEFI Secure boot is a verification mechanism, it can make sure that code
launched is trusted by firmware. So Secure boot is designed to prevent
malicious code being loaded and executed early at the boot stage.
Previously, kernel prevents unsigned kernel images from being loaded with
kexec_file_load(). But now, kernel has evolved, the kexec_file_load()
syscall checks for a valid signature of the kernel image if there is a
signature(It must be valid). In addition, the images can still be loaded
without a valid signature.
Currently, kernel enables the options KEXEC_SIG and
KEXEC_BZIMAGE_VERIFY_SIG on x86_64 by default, it can cover signed or
unsigned kernel images and allow to load them, please refer to the
following form.
.-----------------------------------------------------------------------.
| . | UEFI(signed) | non UEFI(unsigned) |
| . types |-----------------------|------------------------|
| . | | non | | |
| . |secure boot|secure boot| prev | now |
| options . |-----------|-----------| | |
| . | prev| now | prev| now | | |
|----------------------|-----|-----|-----|-----|-----------|------------|
|KEXEC_SIG=y | | | | | | |
|SIG_FORCE is not set |succ |succ |succ |succ | succ | succ |
|BZIMAGE_VERIFY_SIG=y | | | | | | |
|----------------------|-----|-----|-----|-----|-----------|------------|
|KEXEC_SIG=y | | | | | | |
|SIG_FORCE is not set | | | | | | |
|BZIMAGE_VERIFY_SIG is |fail |fail |succ |fail | succ | fail |
|not set | | | | | | |
|----------------------|-----|-----|-----|-----|-----------|------------|
|KEXEC_SIG=y | | | | | | |
|SIG_FORCE=y |succ |succ |succ |fail | succ | fail |
|BZIMAGE_VERIFY_SIG=y | | | | | | |
|----------------------|-----|-----|-----|-----|-----------|------------|
|KEXEC_SIG=y | | | | | | |
|SIG_FORCE=y | | | | | | |
|BZIMAGE_VERIFY_SIG is |fail |fail |succ |fail | succ | fail |
|not set | | | | | | |
|----------------------|-----|-----|-----|-----|-----------|------------|
|KEXEC_SIG is not set | | | | | | |
|SIG_FORCE is not set | | | | | | |
|BZIMAGE_VERIFY_SIG is |fail |fail |succ |succ | succ | succ |
|not set | | | | | | |
-----------------------------------------------------------------------
Note:
[1] 'prev': Without this patch
[2] 'now': With this patch
So, it's time for switching to the kexec_file_load() syscall on x86_64
for kexec-tools.
Signed-off-by: Lianbo Jiang <lijiang(a)redhat.com>
---
dracut-early-kdump.sh | 4 ++--
kdump-lib.sh | 31 +++++++++++--------------------
kdumpctl | 10 ++++------
3 files changed, 17 insertions(+), 28 deletions(-)
diff --git a/dracut-early-kdump.sh b/dracut-early-kdump.sh
index 69a34eb996cd..bfb923d6efa1 100755
--- a/dracut-early-kdump.sh
+++ b/dracut-early-kdump.sh
@@ -43,8 +43,8 @@ early_kdump_load()
EARLY_KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
- if is_secure_boot_enforced; then
- echo "Secure Boot is enabled. Using kexec file based syscall."
+ if use_kexec_file_load; then
+ echo "Using kexec file based syscall."
EARLY_KEXEC_ARGS="$EARLY_KEXEC_ARGS -s"
fi
diff --git a/kdump-lib.sh b/kdump-lib.sh
index f393c76b9cbb..5b6684992553 100755
--- a/kdump-lib.sh
+++ b/kdump-lib.sh
@@ -589,30 +589,21 @@ need_64bit_headers()
print (strtonum("0x" r[2]) > strtonum("0xffffffff")); }'`
}
-# Check if secure boot is being enforced.
#
-# Per Peter Jones, we need check efivar SecureBoot-$(the UUID) and
-# SetupMode-$(the UUID), they are both 5 bytes binary data. The first four
-# bytes are the attributes associated with the variable and can safely be
-# ignored, the last bytes are one-byte true-or-false variables. If SecureBoot
-# is 1 and SetupMode is 0, then secure boot is being enforced.
+# Currently, Secure Boot is only used on x86_64 and kernel enabled the
+# kexec_file_load() on x86_64 by default.
+# In addition, kernel also enables the option KEXEC_SIG, which makes the
+# kexec_file_load() syscall checks for a valid signature of the kernel
+# image if there is a signature(It must be valid). And the images can
+# still be loaded without a valid signature. So let kexec-tools change
+# as well.
#
-# Assume efivars is mounted at /sys/firmware/efi/efivars.
-is_secure_boot_enforced()
+use_kexec_file_load()
{
- local secure_boot_file setup_mode_file
- local secure_boot_byte setup_mode_byte
+ local arch_name=`uname -m`
- secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-* 2>/dev/null)
- setup_mode_file=$(find /sys/firmware/efi/efivars -name SetupMode-* 2>/dev/null)
-
- if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
- secure_boot_byte=$(hexdump -v -e '/1 "%d\ "' $secure_boot_file|cut -d' ' -f 5)
- setup_mode_byte=$(hexdump -v -e '/1 "%d\ "' $setup_mode_file|cut -d' ' -f 5)
-
- if [ "$secure_boot_byte" = "1" ] && [ "$setup_mode_byte" = "0" ]; then
- return 0
- fi
+ if [ "$arch_name" == "x86_64" ]; then
+ return 0
fi
return 1
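Review bot: The new comment above use_kexec_file_load() says images "can still be loaded without a valid signature", but the table in the commit message shows fail in the "now" column for several configurations, for example non UEFI with SIG_FORCE=y. The comment should name the kernel options the statement depends on (KEXEC_SIG=y, SIG_FORCE not set, BZIMAGE_VERIFY_SIG=y) so the next reader does not take it as unconditional.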
diff --git a/kdumpctl b/kdumpctl
index 2d21a416deb1..d1c987773cf9 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -678,11 +678,9 @@ load_kdump()
KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}" "${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}")
- # For secureboot enabled machines, use new kexec file based syscall.
- # Old syscall will always fail as it does not have capability to
- # to kernel signature verification.
- if is_secure_boot_enforced; then
- echo "Secure Boot is enabled. Using kexec file based syscall."
+ # On x86_64 machine, lets use kexec file based syscall by default.
+ if use_kexec_file_load; then
+ echo "Using kexec file based syscall."
KEXEC_ARGS="$KEXEC_ARGS -s"
fi
@@ -1162,7 +1160,7 @@ stop_fadump()
stop_kdump()
{
- if is_secure_boot_enforced; then
+ if use_kexec_file_load; then
$KEXEC -s -p -u
else
$KEXEC -p -u
--
2.17.1
3 years, 11 months