[PATCH] mkdumprd: allow spaces after 'path' config phrase when network dump
by Kazuhito Hagio
Without this patch, when there are two or more spaces after 'path'
configuration phrase with ssh or nfs setting, SAVE_PATH is set to
'/var/crash' in mkdumprd, and in most cases kdump service fails to
start.
  ssh kdump@192.168.122.1
  path  /kdump
      ^^
This behavior would be too sensitive and different from the other
configurations. With this patch, mkdumprd allows such spaces.
Signed-off-by: Kazuhito Hagio <k-hagio(a)ab.jp.nec.com>
---
mkdumprd | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mkdumprd b/mkdumprd
index a6f7fe8..aa0abfd 100644
--- a/mkdumprd
+++ b/mkdumprd
@@ -13,7 +13,7 @@ export IN_KDUMP=1
conf_file="/etc/kdump.conf"
SSH_KEY_LOCATION="/root/.ssh/kdump_id_rsa"
-SAVE_PATH=$(grep ^path $conf_file| cut -d' ' -f2)
+SAVE_PATH=$(awk '/^path/ {print $2}' $conf_file)
[ -z "$SAVE_PATH" ] && SAVE_PATH=$DEFAULT_PATH
# strip the duplicated "/"
SAVE_PATH=$(echo $SAVE_PATH | tr -s /)
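Review bot: The new `awk '/^path/ {print $2}'` line matches any line that merely starts with "path", not only the `path` directive, and prints one value per matching line, so a second match would leave a multi-line SAVE_PATH. Comparing the first field instead, e.g. `awk '$1 == "path" {print $2; exit}' "$conf_file"`, keeps the whitespace tolerance this patch is after (tabs included) while pinning the key. Quoting `$conf_file` here and `$SAVE_PATH` in the `tr -s /` line below would also keep word splitting from altering the value.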
--
2.18.0
1 year, 4 months
[PATCH v6] kdump-lib: switch to the kexec_file_load() syscall on x86_64 by default
by Lianbo Jiang
UEFI Secure boot is a signature verification mechanism, designed to
prevent malicious code being loaded and executed at the early boot
stage. This makes sure that code executed is trusted by firmware.
Previously, with kexec_file_load() interface, kernel prevents unsigned
kernel image from being loaded if secure boot is enabled. So kdump will
detect whether secure boot is enabled firstly, then decide which interface
is chosen to execute, kexec_load() or kexec_file_load(). Otherwise unsigned
kernel loading will fail if secure boot enabled, and kexec_file_load() is
entered.
Now, the implementation of kexec_file_load() is adjusted in below commit.
With this change, if CONFIG_KEXEC_SIG_FORCE is not set, unsigned kernel
still has a chance to be allowed to load under some conditions.
commit 99d5cadfde2b ("kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG
and KEXEC_SIG_FORCE")
And in the current Fedora, the CONFIG_KEXEC_SIG_FORCE is not set, only the
CONFIG_KEXEC_SIG and CONFIG_BZIMAGE_VERIFY_SIG are set on x86_64 by default.
It's time to spread kexec_file_load() onto all systems of x86_64, including
Secure-boot platforms and legacy platforms. Please refer to the following
form.
.----------------------------------------------------------------------.
| .                    |     signed kernel     |    unsigned kernel    |
|   . types            |-----------------------|-----------------------|
|     .                |Secure boot|  Legacy   |Secure boot|  Legacy   |
|       .              |-----------|-----------|-----------|-----------|
| options .            | prev| now | prev| now |     |     | prev| now |
|           .          |(file|(file|(only|(file| prev| now |(only|(file|
|             .        |load)|load)|load)|load)|     |     |load)|load)|
|----------------------|-----|-----|-----|-----|-----|-----|-----|-----|
|KEXEC_SIG=y           |     |     |     |     |     |     |     |     |
|SIG_FORCE is not set  |succ |succ |succ |succ |  X  |  X  |succ |succ |
|BZIMAGE_VERIFY_SIG=y  |     |     |     |     |     |     |     |     |
|----------------------|-----|-----|-----|-----|-----|-----|-----|-----|
|KEXEC_SIG=y           |     |     |     |     |     |     |     |     |
|SIG_FORCE is not set  |     |     |     |     |     |     |     |     |
|BZIMAGE_VERIFY_SIG is |fail |fail |succ |fail |  X  |  X  |succ |fail |
|not set               |     |     |     |     |     |     |     |     |
|----------------------|-----|-----|-----|-----|-----|-----|-----|-----|
|KEXEC_SIG=y           |     |     |     |     |     |     |     |     |
|SIG_FORCE=y           |succ |succ |succ |fail |  X  |  X  |succ |fail |
|BZIMAGE_VERIFY_SIG=y  |     |     |     |     |     |     |     |     |
|----------------------|-----|-----|-----|-----|-----|-----|-----|-----|
|KEXEC_SIG=y           |     |     |     |     |     |     |     |     |
|SIG_FORCE=y           |     |     |     |     |     |     |     |     |
|BZIMAGE_VERIFY_SIG is |fail |fail |succ |fail |  X  |  X  |succ |fail |
|not set               |     |     |     |     |     |     |     |     |
|----------------------|-----|-----|-----|-----|-----|-----|-----|-----|
|KEXEC_SIG is not set  |     |     |     |     |     |     |     |     |
|SIG_FORCE is not set  |     |     |     |     |     |     |     |     |
|BZIMAGE_VERIFY_SIG is |fail |fail |succ |succ |  X  |  X  |succ |succ |
|not set               |     |     |     |     |     |     |     |     |
 ----------------------------------------------------------------------
Note:
[1] The 'X' indicates that the 1st kernel(unsigned) can not boot when the
Secure boot is enabled.
Hence, in this patch, if on x86_64, let's use the kexec_file_load() only.
See if anything wrong happened in this case, in Fedora firstly for the
time being.
Signed-off-by: Lianbo Jiang <lijiang(a)redhat.com>
---
Changes since v1:
[1] Improve patch log.
[2] Change the is_secure_boot_enforced() to use_kexec_file_load().
[3] Amend the code comment.
[4] Add the form for the kbuild options.
Changes since v2:
[1] Improve patch log.
[2] Also rewrite the form for the kbuild options.
Changes since v3:
[1] Improve patch log.
[2] Display an error message and ask user to try kexec_load() once the
kexec_file_load() failed.
Changes since v4:
[1] Improve patch log.
[2] Remove the unused is_secure_boot_enforced() from kdump-lib.sh.
[3] Add a new option 'KDUMP_FILE_LOAD', which provides a chance for user
to choose the kexec load or kexec file load. And use the kexec file
load by default.
Changes since v5:
[1] Improve the code comment for the kdump.sysconfig.x86_64, also say
that the "on" is the only valid value to enable the kexec file load,
anything else is equal to the "off".
dracut-early-kdump.sh | 5 +++--
kdump-lib.sh | 29 -----------------------------
kdump.sysconfig.x86_64 | 6 ++++++
kdumpctl | 13 +++++++------
4 files changed, 16 insertions(+), 37 deletions(-)
diff --git a/dracut-early-kdump.sh b/dracut-early-kdump.sh
index 69a34eb996cd..6788a6b83431 100755
--- a/dracut-early-kdump.sh
+++ b/dracut-early-kdump.sh
@@ -2,6 +2,7 @@
KEXEC=/sbin/kexec
standard_kexec_args="-p"
+KDUMP_FILE_LOAD=""
EARLY_KDUMP_INITRD=""
EARLY_KDUMP_KERNEL=""
@@ -43,8 +44,8 @@ early_kdump_load()
EARLY_KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
- if is_secure_boot_enforced; then
- echo "Secure Boot is enabled. Using kexec file based syscall."
+ if [ "$KDUMP_FILE_LOAD" == "on" ]; then
+ echo "Using kexec file based syscall."
EARLY_KEXEC_ARGS="$EARLY_KEXEC_ARGS -s"
fi
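Review bot: In `early_kdump_load()` the new test reads `KDUMP_FILE_LOAD`, which the first hunk of this file initialises to an empty string, and nothing in the lines shown loads the sysconfig value into the early-kdump environment. If the sysconfig file is not sourced before this point, `-s` is never appended and early kdump quietly keeps using kexec_load(), the opposite of the new default. Please point to where the value is read inside the initramfs, or add that step.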
diff --git a/kdump-lib.sh b/kdump-lib.sh
index f393c76b9cbb..a79c1a70cc07 100755
--- a/kdump-lib.sh
+++ b/kdump-lib.sh
@@ -589,35 +589,6 @@ need_64bit_headers()
print (strtonum("0x" r[2]) > strtonum("0xffffffff")); }'`
}
-# Check if secure boot is being enforced.
-#
-# Per Peter Jones, we need check efivar SecureBoot-$(the UUID) and
-# SetupMode-$(the UUID), they are both 5 bytes binary data. The first four
-# bytes are the attributes associated with the variable and can safely be
-# ignored, the last bytes are one-byte true-or-false variables. If SecureBoot
-# is 1 and SetupMode is 0, then secure boot is being enforced.
-#
-# Assume efivars is mounted at /sys/firmware/efi/efivars.
-is_secure_boot_enforced()
-{
- local secure_boot_file setup_mode_file
- local secure_boot_byte setup_mode_byte
-
- secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-* 2>/dev/null)
- setup_mode_file=$(find /sys/firmware/efi/efivars -name SetupMode-* 2>/dev/null)
-
- if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
- secure_boot_byte=$(hexdump -v -e '/1 "%d\ "' $secure_boot_file|cut -d' ' -f 5)
- setup_mode_byte=$(hexdump -v -e '/1 "%d\ "' $setup_mode_file|cut -d' ' -f 5)
-
- if [ "$secure_boot_byte" = "1" ] && [ "$setup_mode_byte" = "0" ]; then
- return 0
- fi
- fi
-
- return 1
-}
-
#
# prepare_kexec_args <kexec args>
# This function prepares kexec argument.
diff --git a/kdump.sysconfig.x86_64 b/kdump.sysconfig.x86_64
index 09de2ebe798e..7894ccc840b2 100644
--- a/kdump.sysconfig.x86_64
+++ b/kdump.sysconfig.x86_64
@@ -38,3 +38,9 @@ KDUMP_IMG="vmlinuz"
#What is the images extension. Relocatable kernels don't have one
KDUMP_IMG_EXT=""
+
+# Using kexec file based syscall by default
+#
+# Here, the "on" is the only valid value to enable the kexec file load and
+# anything else is equal to the "off"(disable).
+KDUMP_FILE_LOAD="on"
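Review bot: The comment above `KDUMP_FILE_LOAD="on"` says anything other than "on" means off, and the scripts in this patch test it with an exact string comparison, so `On`, `ON`, `yes` or `1` all silently select kexec_load(). Since this setting decides whether the image goes through the signature-checking syscall, either state that the match is case-sensitive and name `off` as the documented alternative, or have the scripts reject unknown values instead of treating them as off.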
diff --git a/kdumpctl b/kdumpctl
index 2d21a416deb1..97fe54110447 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -4,6 +4,7 @@ KEXEC=/sbin/kexec
KDUMP_KERNELVER=""
KDUMP_COMMANDLINE=""
KEXEC_ARGS=""
+KDUMP_FILE_LOAD=""
KDUMP_CONFIG_FILE="/etc/kdump.conf"
MKDUMPRD="/sbin/mkdumprd -f"
DRACUT_MODULES_FILE="/usr/lib/dracut/modules.txt"
@@ -678,11 +679,8 @@ load_kdump()
KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}" "${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}")
- # For secureboot enabled machines, use new kexec file based syscall.
- # Old syscall will always fail as it does not have capability to
- # to kernel signature verification.
- if is_secure_boot_enforced; then
- echo "Secure Boot is enabled. Using kexec file based syscall."
+ if [ "$KDUMP_FILE_LOAD" == "on" ]; then
+ echo "Using kexec file based syscall."
KEXEC_ARGS="$KEXEC_ARGS -s"
fi
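Review bot: With `is_secure_boot_enforced` gone from `load_kdump()`, a Secure Boot system whose `KDUMP_FILE_LOAD` is anything but "on" now takes the kexec_load() path, which the comment removed in this hunk says will always fail there. Keep a check for that combination, or at least print a hint when the load fails with the option off, so the failure is explained. The removed comment's reasoning is also worth preserving next to the new test.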
@@ -694,6 +692,9 @@ load_kdump()
return 0
else
echo "kexec: failed to load kdump kernel" >&2
+ if [ "$KDUMP_FILE_LOAD" == "on" ]; then
+ echo "kexec_file_load() failed, please try kexec_load()" >&2
+ fi
return 1
fi
}
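Review bot: The new message `kexec_file_load() failed, please try kexec_load()` does not say how to do that: the switch is the `KDUMP_FILE_LOAD` setting added in kdump.sysconfig.x86_64, so name it in the message. The hint is also printed on every platform, and on a Secure Boot system the suggested fallback cannot work (per the comment removed earlier in this function), so the advice should be limited to cases where kexec_load() is usable.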
@@ -1162,7 +1163,7 @@ stop_fadump()
stop_kdump()
{
- if is_secure_boot_enforced; then
+ if [ "$KDUMP_FILE_LOAD" == "on" ]; then
$KEXEC -s -p -u
else
$KEXEC -p -u
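Review bot: `stop_kdump()` now chooses between `$KEXEC -s -p -u` and `$KEXEC -p -u` from the current value of `KDUMP_FILE_LOAD`, not from how the crash kernel was actually loaded. If the setting is edited between start and stop, the unload goes through a different interface than the load did. Please confirm that unloading works in both directions, or record at load time which interface was used.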
--
2.17.1
3 years, 7 months
[PATCH v2] powerpc: enable the scripts to capture dump on POWERNV
platform
by Hari Bathini
With FADump support added on POWERNV platform, enable the scripts to
capture /proc/vmcore. Also, if CONFIG_OPAL_CORE is enabled, OPAL core
is preserved and exported on POWERNV platform. So, offload OPAL core,
if it is available.
Signed-off-by: Hari Bathini <hbathini(a)linux.ibm.com>
---
Changes in v2:
* add appropriate return statements in opalcore save functions.
dracut-kdump.sh | 31 +++++++++++++++++++++++++++++--
kdump-lib-initramfs.sh | 26 ++++++++++++++++++++++++++
kdumpctl | 3 +++
3 files changed, 58 insertions(+), 2 deletions(-)
diff --git a/dracut-kdump.sh b/dracut-kdump.sh
index 2ae1c7c..6dec0b7 100755
--- a/dracut-kdump.sh
+++ b/dracut-kdump.sh
@@ -1,8 +1,8 @@
#!/bin/sh
# continue here only if we have to save dump.
-if [ -f /etc/fadump.initramfs ] && [ ! -f /proc/device-tree/rtas/ibm,kernel-dump ]; then
- exit 0
+if [ -f /etc/fadump.initramfs ] && [ ! -f /proc/device-tree/rtas/ibm,kernel-dump ] && [ ! -f /proc/device-tree/ibm,opal/dump/mpipl-boot ]; then
+ exit 0
fi
exec &> /dev/console
@@ -81,6 +81,7 @@ dump_ssh()
ssh -q $_opt $_host mkdir -p $_dir || return 1
save_vmcore_dmesg_ssh ${DMESG_COLLECTOR} ${_dir} "${_opt}" $_host
+ save_opalcore_ssh ${_dir} "${_opt}" $_host
echo "kdump: saving vmcore"
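Review bot: The `save_opalcore_ssh` call added to `dump_ssh()` ignores the function's return status, so the `return 1` paths introduced in v2 have no effect on the caller. If an opalcore failure is meant to be non-fatal so that vmcore is still saved, say so in a comment at the call site; otherwise handle the status the way the `mkdir -p $_dir || return 1` line above does.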
@@ -114,6 +115,32 @@ save_vmcore_dmesg_ssh() {
fi
}
+save_opalcore_ssh() {
+ local _path=$1
+ local _opts="$2"
+ local _location=$3
+
+ if [ ! -f $OPALCORE ]; then
+ # Check if we are on an old kernel that uses a different path
+ if [ -f /sys/firmware/opal/core ]; then
+ OPALCORE="/sys/firmware/opal/core"
+ else
+ return 0
+ fi
+ fi
+
+ echo "kdump: saving opalcore"
+ scp $_opts $OPALCORE $_location:$_path/opalcore-incomplete
+ if [ $? -ne 0 ]; then
+ echo "kdump: saving opalcore failed"
+ return 1
+ fi
+
+ ssh $_opts $_location mv $_path/opalcore-incomplete $_path/opalcore
+ echo "kdump: saving opalcore complete"
+ return 0
+}
+
get_host_ip()
{
local _host
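Review bot: In `save_opalcore_ssh()` the final `ssh $_opts $_location mv ...` is not checked, so "kdump: saving opalcore complete" is printed and 0 is returned even when the rename fails and only `opalcore-incomplete` exists on the target. Check its status the same way as the `scp` above it. `$OPALCORE` and `$_path` are also expanded unquoted in the `[ ! -f ... ]` test and in the remote command, and the fallback assigns to the global `OPALCORE` as a side effect; quoting them and keeping the resolved path in a local would be safer.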
diff --git a/kdump-lib-initramfs.sh b/kdump-lib-initramfs.sh
index 8530556..613f976 100755
--- a/kdump-lib-initramfs.sh
+++ b/kdump-lib-initramfs.sh
@@ -18,6 +18,7 @@ KDUMP_CONF="/etc/kdump.conf"
KDUMP_PRE=""
KDUMP_POST=""
NEWROOT="/sysroot"
+OPALCORE="/sys/firmware/opal/mpipl/core"
get_kdump_confs()
{
@@ -137,6 +138,7 @@ dump_fs()
mkdir -p $_mp/$KDUMP_PATH/$HOST_IP-$DATEDIR || return 1
save_vmcore_dmesg_fs ${DMESG_COLLECTOR} "$_mp/$KDUMP_PATH/$HOST_IP-$DATEDIR/"
+ save_opalcore_fs "$_mp/$KDUMP_PATH/$HOST_IP-$DATEDIR/"
echo "kdump: saving vmcore"
$CORE_COLLECTOR /proc/vmcore $_mp/$KDUMP_PATH/$HOST_IP-$DATEDIR/vmcore-incomplete || return 1
@@ -173,6 +175,30 @@ save_vmcore_dmesg_fs() {
fi
}
+save_opalcore_fs() {
+ local _path=$1
+
+ if [ ! -f $OPALCORE ]; then
+ # Check if we are on an old kernel that uses a different path
+ if [ -f /sys/firmware/opal/core ]; then
+ OPALCORE="/sys/firmware/opal/core"
+ else
+ return 0
+ fi
+ fi
+
+ echo "kdump: saving opalcore"
+ cp $OPALCORE ${_path}/opalcore
+ if [ $? -ne 0 ]; then
+ echo "kdump: saving opalcore failed"
+ return 1
+ fi
+
+ sync
+ echo "kdump: saving opalcore complete"
+ return 0
+}
+
dump_to_rootfs()
{
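Review bot: `save_opalcore_fs()` copies straight to `${_path}/opalcore`, whereas the ssh variant writes to `opalcore-incomplete` and renames on success, and `dump_fs()` likewise writes `vmcore-incomplete`. A copy interrupted midway leaves a truncated file under the final name; write to `opalcore-incomplete` and `mv` after the `sync` for consistency. The old-kernel path fallback is also duplicated verbatim from `save_opalcore_ssh()` and could live in one helper.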
diff --git a/kdumpctl b/kdumpctl
index 2d21a41..b4c6e8e 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -249,6 +249,9 @@ check_config()
echo "Invalid kdump config value for option $config_opt."
return 1;
}
+ if [ -d "/proc/device-tree/ibm,opal/dump" ] && [ "$config_opt" == "raw" ]; then
+ echo "WARNING: Won't capture opalcore when 'raw' dump target is used."
+ fi
;;
net|options|link_delay|disk_timeout|debug_mem_level|blacklist)
echo "Deprecated kdump config option: $config_opt. Refer to kdump.conf manpage for alternatives."
3 years, 7 months
RE: [PATCH] Add --force option to step 2 in early-kdump-howto.txt
by HAGIO KAZUHITO(萩尾 一仁)
> -----Original Message-----
> Hello,
>
> For step2 in early-kdump-howto.txt, --force option of dracut
> is necessary to rebuild system initramfs. Without --force option,
> executing step2 fails because system initramfs already exists.
>
> Signed-off-by: Shigeki Morishima <s.morishima(a)jp.fujitsu.com>
> ---
> early-kdump-howto.txt | 5 ++---
> 1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/early-kdump-howto.txt b/early-kdump-howto.txt
> index b8cab6a..5f592c1 100644
> --- a/early-kdump-howto.txt
> +++ b/early-kdump-howto.txt
> @@ -34,14 +34,13 @@ You can rebuild the initramfs with earlykdump support with below steps:
> For the failure_action, you can choose anything other than "reboot".
>
> 2. rebuild system initramfs with earlykdump support.
> - # dracut --add earlykdump
> + # dracut --force --add earlykdump
>
> 3. add rd.earlykdump in grub kernel command line.
>
> Note:
> [1]. Early kdump initramfs size will be large because it includes vmlinuz and
> -kdump initramfs. And for step 2 if you are sure to overwrite system initramfs
> -you can backup the original initramfs and use "--force" option.
> +kdump initramfs.
Hi,
If we remove this, how about explicitly adding a backup process before
rebuilding initramfs for safety's sake? I think there will also be times
when we want to put it back completely.
(It may be good to have such a procedure as well.)
Thanks,
Kazu
>
> [2]. Early kdump inherits the settings of normal kdump, so any changes that
> caused normal kdump rebuilding also require rebuilding the system initramfs
> --
> 1.8.3.1
>
> Best Regards,
> Shigeki Morishima
>
> ----------------------------------------------------------------------
> 森島 茂貴(Morishima Shigeki)
> 富士通ミッションクリティカルソフトウェア株式会社(MCS)
> MC Service Solutions Division) Network Team
> E-mail: s.morishima(a)fujitsu.com
> Tel: 055-924-7280 (Ext.: 7260540352)
> ----------------------------------------------------------------------
> _______________________________________________
> kexec mailing list -- kexec(a)lists.fedoraproject.org
> To unsubscribe send an email to kexec-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/kexec@lists.fedoraproject.org
3 years, 8 months
[PATCH] Add --force option to step 2 in early-kdump-howto.txt
by s.morishima@fujitsu.com
Hello,
For step2 in early-kdump-howto.txt, --force option of dracut
is necessary to rebuild system initramfs. Without --force option,
executing step2 fails because system initramfs already exists.
Signed-off-by: Shigeki Morishima <s.morishima(a)jp.fujitsu.com>
---
early-kdump-howto.txt | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/early-kdump-howto.txt b/early-kdump-howto.txt
index b8cab6a..5f592c1 100644
--- a/early-kdump-howto.txt
+++ b/early-kdump-howto.txt
@@ -34,14 +34,13 @@ You can rebuild the initramfs with earlykdump support with below steps:
For the failure_action, you can choose anything other than "reboot".
2. rebuild system initramfs with earlykdump support.
- # dracut --add earlykdump
+ # dracut --force --add earlykdump
3. add rd.earlykdump in grub kernel command line.
Note:
[1]. Early kdump initramfs size will be large because it includes vmlinuz and
-kdump initramfs. And for step 2 if you are sure to overwrite system initramfs
-you can backup the original initramfs and use "--force" option.
+kdump initramfs.
[2]. Early kdump inherits the settings of normal kdump, so any changes that
caused normal kdump rebuilding also require rebuilding the system initramfs
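Review bot: Step 2 now always runs `dracut --force --add earlykdump`, which overwrites the system initramfs, while the note [1] change deletes the only sentence that told the reader to back up the original first. Keep a backup step in the procedure, placed before step 2, so the previous image can be restored if the rebuilt one has to be rolled back.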
--
1.8.3.1
Best Regards,
Shigeki Morishima
----------------------------------------------------------------------
森島 茂貴(Morishima Shigeki)
富士通ミッションクリティカルソフトウェア株式会社(MCS)
MC Service Solutions Division) Network Team
E-mail: s.morishima(a)fujitsu.com
Tel: 055-924-7280 (Ext.: 7260540352)
----------------------------------------------------------------------
3 years, 8 months
[PATCH] Fix typo in early-kdump-howto.txt
by s.morishima@fujitsu.com
Hello,
I found a typo in early-kdump-howto.txt and fixed it.
Signed-off-by: Shigeki Morishima <s.morishima(a)jp.fujitsu.com>
---
early-kdump-howto.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/early-kdump-howto.txt b/early-kdump-howto.txt
index b8cab6a..89df4ef 100644
--- a/early-kdump-howto.txt
+++ b/early-kdump-howto.txt
@@ -58,7 +58,7 @@ on the command prompt:
# journalctl -x|grep early-kdump
-Then, you will see some useful logs, for exapmle:
+Then, you will see some useful logs, for example:
1. if early kdump is successful.
Mar 09 09:57:56 localhost.localdomain dracut-cmdline[190]: early-kdump is enabled.
--
Best Regards,
Shigeki Morishima
----------------------------------------------------------------------
森島 茂貴(Morishima Shigeki)
富士通ミッションクリティカルソフトウェア株式会社(MCS)
MC Service Solutions Division) Network Team
E-mail: s.morishima(a)fujitsu.com
Tel: 055-924-7280 (Ext.: 7260540352)
----------------------------------------------------------------------
3 years, 8 months
[PATCH] powerpc: enable the scripts to capture dump on POWERNV
platform
by Hari Bathini
With FADump support added on POWERNV platform, enable the scripts to
capture /proc/vmcore. Also, if CONFIG_OPAL_CORE is enabled, OPAL core
is preserved and exported on POWERNV platform. So, offload OPAL core,
if it is available.
Signed-off-by: Hari Bathini <hbathini(a)linux.ibm.com>
---
dracut-kdump.sh | 29 +++++++++++++++++++++++++++--
kdump-lib-initramfs.sh | 24 ++++++++++++++++++++++++
kdumpctl | 3 +++
3 files changed, 54 insertions(+), 2 deletions(-)
diff --git a/dracut-kdump.sh b/dracut-kdump.sh
index 2ae1c7c..e1473b6 100755
--- a/dracut-kdump.sh
+++ b/dracut-kdump.sh
@@ -1,8 +1,8 @@
#!/bin/sh
# continue here only if we have to save dump.
-if [ -f /etc/fadump.initramfs ] && [ ! -f /proc/device-tree/rtas/ibm,kernel-dump ]; then
- exit 0
+if [ -f /etc/fadump.initramfs ] && [ ! -f /proc/device-tree/rtas/ibm,kernel-dump ] && [ ! -f /proc/device-tree/ibm,opal/dump/mpipl-boot ]; then
+ exit 0
fi
exec &> /dev/console
@@ -81,6 +81,7 @@ dump_ssh()
ssh -q $_opt $_host mkdir -p $_dir || return 1
save_vmcore_dmesg_ssh ${DMESG_COLLECTOR} ${_dir} "${_opt}" $_host
+ save_opalcore_ssh ${_dir} "${_opt}" $_host
echo "kdump: saving vmcore"
@@ -114,6 +115,30 @@ save_vmcore_dmesg_ssh() {
fi
}
+save_opalcore_ssh() {
+ local _path=$1
+ local _opts="$2"
+ local _location=$3
+
+ if [ ! -f $OPALCORE ]; then
+ # Check if we on an old kernel that uses a different path
+ if [ -f /sys/firmware/opal/core ]; then
+ OPALCORE="/sys/firmware/opal/core"
+ else
+ return 0
+ fi
+ fi
+
+ echo "kdump: saving opalcore"
+ scp $_opts $OPALCORE $_location:$_path/opalcore-incomplete
+ if [ $? -ne 0 ]; then
+ echo "kdump: saving opalcore failed"
+ fi
+
+ ssh $_opts $_location mv $_path/opalcore-incomplete $_path/opalcore
+ echo "kdump: saving opalcore complete"
+}
+
get_host_ip()
{
local _host
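Review bot: When the `scp` in `save_opalcore_ssh()` fails, the function prints "kdump: saving opalcore failed" and then falls through to the `ssh ... mv` and to "kdump: saving opalcore complete". Add a `return 1` inside the failure branch and an explicit `return 0` at the end, so the log never reports success after a failed copy and the caller gets a usable status.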
diff --git a/kdump-lib-initramfs.sh b/kdump-lib-initramfs.sh
index 8530556..57712ad 100755
--- a/kdump-lib-initramfs.sh
+++ b/kdump-lib-initramfs.sh
@@ -18,6 +18,7 @@ KDUMP_CONF="/etc/kdump.conf"
KDUMP_PRE=""
KDUMP_POST=""
NEWROOT="/sysroot"
+OPALCORE="/sys/firmware/opal/mpipl/core"
get_kdump_confs()
{
@@ -137,6 +138,7 @@ dump_fs()
mkdir -p $_mp/$KDUMP_PATH/$HOST_IP-$DATEDIR || return 1
save_vmcore_dmesg_fs ${DMESG_COLLECTOR} "$_mp/$KDUMP_PATH/$HOST_IP-$DATEDIR/"
+ save_opalcore_fs "$_mp/$KDUMP_PATH/$HOST_IP-$DATEDIR/"
echo "kdump: saving vmcore"
$CORE_COLLECTOR /proc/vmcore $_mp/$KDUMP_PATH/$HOST_IP-$DATEDIR/vmcore-incomplete || return 1
@@ -173,6 +175,28 @@ save_vmcore_dmesg_fs() {
fi
}
+save_opalcore_fs() {
+ local _path=$1
+
+ if [ ! -f $OPALCORE ]; then
+ # Check if we on an old kernel that uses a different path
+ if [ -f /sys/firmware/opal/core ]; then
+ OPALCORE="/sys/firmware/opal/core"
+ else
+ return 0
+ fi
+ fi
+
+ echo "kdump: saving opalcore"
+ cp $OPALCORE ${_path}/opalcore
+ if [ $? -ne 0 ]; then
+ echo "kdump: saving opalcore failed"
+ fi
+
+ sync
+ echo "kdump: saving opalcore complete"
+}
+
dump_to_rootfs()
{
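Review bot: `save_opalcore_fs()` has the same fall-through after a failed `cp`: it still runs `sync` and prints "kdump: saving opalcore complete". Return from the failure branch. The comment "Check if we on an old kernel" in both new functions is also missing the word "are".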
diff --git a/kdumpctl b/kdumpctl
index 2d21a41..b4c6e8e 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -249,6 +249,9 @@ check_config()
echo "Invalid kdump config value for option $config_opt."
return 1;
}
+ if [ -d "/proc/device-tree/ibm,opal/dump" ] && [ "$config_opt" == "raw" ]; then
+ echo "WARNING: Won't capture opalcore when 'raw' dump target is used."
+ fi
;;
net|options|link_delay|disk_timeout|debug_mem_level|blacklist)
echo "Deprecated kdump config option: $config_opt. Refer to kdump.conf manpage for alternatives."
3 years, 8 months
[PATCH] Add a hook to wait for kdump target in initqueue
by Kairui Song
The dracut initqueue may quit immediately and won't trigger any hook if
there is no "finished" hook still pending (finished hook will be deleted
once it returns 0).
This issue started to appear with the latest dracut: the latest dracut uses
network-manager to configure the network,
the network-manager module only installs a "settled" hook, and we didn't
install any other hook. So NFS/SSH dump will fail. iSCSI dump works
because the dracut iscsi module will install a "finished" hook to detect if
the iscsi target is up.
So for NFS/SSH we keep initqueue running until the host successfully gets
a valid IP address, which means the network is ready.
Signed-off-by: Kairui Song <kasong(a)redhat.com>
---
dracut-kdump-wait-for-target.sh | 23 ++++++++++++++++
dracut-kdump.sh | 48 ---------------------------------
dracut-module-setup.sh | 2 ++
kdump-lib-initramfs.sh | 48 +++++++++++++++++++++++++++++++++
kexec-tools.spec | 2 ++
5 files changed, 75 insertions(+), 48 deletions(-)
create mode 100755 dracut-kdump-wait-for-target.sh
diff --git a/dracut-kdump-wait-for-target.sh b/dracut-kdump-wait-for-target.sh
new file mode 100755
index 0000000..ce984d0
--- /dev/null
+++ b/dracut-kdump-wait-for-target.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# only wait if it's kdump kernel
+if [ -f /etc/fadump.initramfs ] && [ ! -f /proc/device-tree/rtas/ibm,kernel-dump ]; then
+ exit 0
+fi
+
+. /lib/dracut-lib.sh
+. /lib/kdump-lib-initramfs.sh
+
+# For SSH/NFS target, need to wait for the network to setup
+if is_nfs_dump_target; then
+ get_host_ip
+ exit $?
+fi
+
+if is_ssh_dump_target; then
+ get_host_ip
+ exit $?
+fi
+
+# No need to wait for dump target
+exit 0
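Review bot: The `is_nfs_dump_target` and `is_ssh_dump_target` branches of the new script are identical, and `get_host_ip` (moved into kdump-lib-initramfs.sh by this patch) already performs the same target test and returns 0 otherwise, so the body can shrink to `get_host_ip; exit $?`. More importantly, a "finished" hook is polled repeatedly, and `get_host_ip` echoes "kdump: wrong kdumpnic: ..." whenever the interface has no address yet; during a normal wait that line is logged on every poll and reads as a configuration error. Use a quiet check in the hook and keep the message for the final failure.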
diff --git a/dracut-kdump.sh b/dracut-kdump.sh
index 2ae1c7c..8add48d 100755
--- a/dracut-kdump.sh
+++ b/dracut-kdump.sh
@@ -114,54 +114,6 @@ save_vmcore_dmesg_ssh() {
fi
}
-get_host_ip()
-{
- local _host
- if is_nfs_dump_target || is_ssh_dump_target
- then
- kdumpnic=$(getarg kdumpnic=)
- [ -z "$kdumpnic" ] && echo "kdump: failed to get kdumpnic!" && return 1
- _host=`ip addr show dev $kdumpnic|grep '[ ]*inet'`
- [ $? -ne 0 ] && echo "kdump: wrong kdumpnic: $kdumpnic" && return 1
- _host=`echo $_host | head -n 1 | cut -d' ' -f2`
- _host="${_host%%/*}"
- [ -z "$_host" ] && echo "kdump: wrong kdumpnic: $kdumpnic" && return 1
- HOST_IP=$_host
- fi
- return 0
-}
-
-read_kdump_conf()
-{
- if [ ! -f "$KDUMP_CONF" ]; then
- echo "kdump: $KDUMP_CONF not found"
- return
- fi
-
- get_kdump_confs
-
- # rescan for add code for dump target
- while read config_opt config_val;
- do
- # remove inline comments after the end of a directive.
- case "$config_opt" in
- dracut_args)
- config_val=$(get_dracut_args_target "$config_val")
- [ -n "$config_val" ] && add_dump_code "dump_fs $config_val"
- ;;
- ext[234]|xfs|btrfs|minix|nfs)
- add_dump_code "dump_fs $config_val"
- ;;
- raw)
- add_dump_code "dump_raw $config_val"
- ;;
- ssh)
- add_dump_code "dump_ssh $SSH_KEY_LOCATION $config_val"
- ;;
- esac
- done <<< "$(read_strip_comments $KDUMP_CONF)"
-}
-
fence_kdump_notify()
{
if [ -n "$FENCE_KDUMP_NODES" ]; then
diff --git a/dracut-module-setup.sh b/dracut-module-setup.sh
index 3558a0f..570bd62 100755
--- a/dracut-module-setup.sh
+++ b/dracut-module-setup.sh
@@ -842,7 +842,9 @@ install() {
kdump_check_iscsi_targets
# nfs/ssh dump will need to get host ip in second kernel and need to call 'ip' tool, see get_host_ip for more detail
+ # also need to let initqueue wait for target to become ready
if is_nfs_dump_target || is_ssh_dump_target; then
+ inst_hook initqueue/finished 01 $moddir/kdump-wait-for-target.sh
inst "ip"
fi
diff --git a/kdump-lib-initramfs.sh b/kdump-lib-initramfs.sh
index 8530556..d5d2ee2 100755
--- a/kdump-lib-initramfs.sh
+++ b/kdump-lib-initramfs.sh
@@ -201,3 +201,51 @@ do_final_action()
{
eval $FINAL_ACTION
}
+
+get_host_ip()
+{
+ local _host
+ if is_nfs_dump_target || is_ssh_dump_target
+ then
+ kdumpnic=$(getarg kdumpnic=)
+ [ -z "$kdumpnic" ] && echo "kdump: failed to get kdumpnic!" && return 1
+ _host=`ip addr show dev $kdumpnic|grep '[ ]*inet'`
+ [ $? -ne 0 ] && echo "kdump: wrong kdumpnic: $kdumpnic" && return 1
+ _host=`echo $_host | head -n 1 | cut -d' ' -f2`
+ _host="${_host%%/*}"
+ [ -z "$_host" ] && echo "kdump: wrong kdumpnic: $kdumpnic" && return 1
+ HOST_IP=$_host
+ fi
+ return 0
+}
+
+read_kdump_conf()
+{
+ if [ ! -f "$KDUMP_CONF" ]; then
+ echo "kdump: $KDUMP_CONF not found"
+ return
+ fi
+
+ get_kdump_confs
+
+ # rescan for add code for dump target
+ while read config_opt config_val;
+ do
+ # remove inline comments after the end of a directive.
+ case "$config_opt" in
+ dracut_args)
+ config_val=$(get_dracut_args_target "$config_val")
+ [ -n "$config_val" ] && add_dump_code "dump_fs $config_val"
+ ;;
+ ext[234]|xfs|btrfs|minix|nfs)
+ add_dump_code "dump_fs $config_val"
+ ;;
+ raw)
+ add_dump_code "dump_raw $config_val"
+ ;;
+ ssh)
+ add_dump_code "dump_ssh $SSH_KEY_LOCATION $config_val"
+ ;;
+ esac
+ done <<< "$(read_strip_comments $KDUMP_CONF)"
+}
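Review bot: `get_host_ip()` now serves as the readiness test for the initqueue, but its `grep '[ ]*inet'` also matches `inet6` lines. An interface that so far carries only an IPv6 link-local address makes the function return 0 with that address in `HOST_IP`, ending the wait before the IPv4 address the NFS/SSH target may need is configured. Tighten the pattern, or pick the address family from the dump target, now that this function's result gates the dump. `$kdumpnic` and `$_host` are also expanded unquoted throughout.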
diff --git a/kexec-tools.spec b/kexec-tools.spec
index 06b8aae..91eae0c 100644
--- a/kexec-tools.spec
+++ b/kexec-tools.spec
@@ -50,6 +50,7 @@ Source106: dracut-kdump-capture.service
Source107: dracut-kdump-emergency.target
Source108: dracut-early-kdump.sh
Source109: dracut-early-kdump-module-setup.sh
+Source110: dracut-kdump-wait-for-target.sh
Requires(post): systemd-units
Requires(preun): systemd-units
@@ -222,6 +223,7 @@ cp %{SOURCE104} $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99kdumpb
cp %{SOURCE105} $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99kdumpbase/%{remove_dracut_prefix %{SOURCE105}}
cp %{SOURCE106} $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99kdumpbase/%{remove_dracut_prefix %{SOURCE106}}
cp %{SOURCE107} $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99kdumpbase/%{remove_dracut_prefix %{SOURCE107}}
+cp %{SOURCE110} $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99kdumpbase/%{remove_dracut_prefix %{SOURCE110}}
chmod 755 $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99kdumpbase/%{remove_dracut_prefix %{SOURCE100}}
chmod 755 $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99kdumpbase/%{remove_dracut_prefix %{SOURCE101}}
mkdir -p -m755 $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99earlykdump
--
2.24.1
3 years, 8 months
[PATCH] kexec-tools/module-setup: Ensure eth devices get IP address for VLAN
by Bhupesh Sharma
Currently while trying to save vmcore via vlan eth interface, the Kdump
kernel fails with network unreachable message.
This is because mkdumprd produces a vlan config that does not get
ip address for vlan on eth device.
Fix the same via this patch.
Signed-off-by: Bhupesh Sharma <bhsharma(a)redhat.com>
---
dracut-module-setup.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dracut-module-setup.sh b/dracut-module-setup.sh
index e6358a8ab910..3edbe146d09e 100755
--- a/dracut-module-setup.sh
+++ b/dracut-module-setup.sh
@@ -307,10 +307,10 @@ kdump_setup_vlan() {
exit 1
elif kdump_is_bond "$_phydev"; then
kdump_setup_bond "$_phydev"
- echo " vlan=$_netdev:$_phydev" > ${initdir}/etc/cmdline.d/43vlan.conf
+ echo " vlan=$(kdump_setup_ifname $_netdev):$_phydev" > ${initdir}/etc/cmdline.d/43vlan.conf
else
_kdumpdev="$(kdump_setup_ifname $_phydev)"
- echo " vlan=$_netdev:$_kdumpdev ifname=$_kdumpdev:$_netmac" > ${initdir}/etc/cmdline.d/43vlan.conf
+ echo " vlan=$(kdump_setup_ifname $_netdev):$_kdumpdev ifname=$_kdumpdev:$_netmac" > ${initdir}/etc/cmdline.d/43vlan.conf
fi
}
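Review bot: Both `echo` lines now pass the VLAN name through `kdump_setup_ifname`, but the commit message does not explain why the renamed device is the one that gets an address, and in the bond branch `$_phydev` is still written unrenamed next to the renamed `$_netdev`. Please say in the log which name the rest of the generated network configuration uses, so the reader can see that the two now agree. Compute the renamed value once into a local, as `_kdumpdev` already is for the physical device, and quote `"$_netdev"` inside the substitution.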
--
2.7.4
3 years, 8 months
[PATCH v5] kdump-lib: switch to the kexec_file_load() syscall on x86_64 by default
by Lianbo Jiang
UEFI Secure boot is a signature verification mechanism, designed to
prevent malicious code being loaded and executed at the early boot
stage. This makes sure that code executed is trusted by firmware.
Previously, with kexec_file_load() interface, kernel prevents unsigned
kernel image from being loaded if secure boot is enabled. So kdump will
detect whether secure boot is enabled firstly, then decide which interface
is chosen to execute, kexec_load() or kexec_file_load(). Otherwise unsigned
kernel loading will fail if secure boot enabled, and kexec_file_load() is
entered.
Now, the implementation of kexec_file_load() is adjusted in below commit.
With this change, if CONFIG_KEXEC_SIG_FORCE is not set, unsigned kernel
still has a chance to be allowed to load under some conditions.
commit 99d5cadfde2b ("kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG
and KEXEC_SIG_FORCE")
And in the current Fedora, the CONFIG_KEXEC_SIG_FORCE is not set, only the
CONFIG_KEXEC_SIG and CONFIG_BZIMAGE_VERIFY_SIG are set on x86_64 by default.
It's time to spread kexec_file_load() onto all systems of x86_64, including
Secure-boot platforms and legacy platforms. Please refer to the following
form.
.----------------------------------------------------------------------.
| .                    |     signed kernel     |    unsigned kernel    |
|   . types            |-----------------------|-----------------------|
|     .                |Secure boot|  Legacy   |Secure boot|  Legacy   |
|       .              |-----------|-----------|-----------|-----------|
| options .            | prev| now | prev| now |     |     | prev| now |
|           .          |(file|(file|(only|(file| prev| now |(only|(file|
|             .        |load)|load)|load)|load)|     |     |load)|load)|
|----------------------|-----|-----|-----|-----|-----|-----|-----|-----|
|KEXEC_SIG=y           |     |     |     |     |     |     |     |     |
|SIG_FORCE is not set  |succ |succ |succ |succ |  X  |  X  |succ |succ |
|BZIMAGE_VERIFY_SIG=y  |     |     |     |     |     |     |     |     |
|----------------------|-----|-----|-----|-----|-----|-----|-----|-----|
|KEXEC_SIG=y           |     |     |     |     |     |     |     |     |
|SIG_FORCE is not set  |     |     |     |     |     |     |     |     |
|BZIMAGE_VERIFY_SIG is |fail |fail |succ |fail |  X  |  X  |succ |fail |
|not set               |     |     |     |     |     |     |     |     |
|----------------------|-----|-----|-----|-----|-----|-----|-----|-----|
|KEXEC_SIG=y           |     |     |     |     |     |     |     |     |
|SIG_FORCE=y           |succ |succ |succ |fail |  X  |  X  |succ |fail |
|BZIMAGE_VERIFY_SIG=y  |     |     |     |     |     |     |     |     |
|----------------------|-----|-----|-----|-----|-----|-----|-----|-----|
|KEXEC_SIG=y           |     |     |     |     |     |     |     |     |
|SIG_FORCE=y           |     |     |     |     |     |     |     |     |
|BZIMAGE_VERIFY_SIG is |fail |fail |succ |fail |  X  |  X  |succ |fail |
|not set               |     |     |     |     |     |     |     |     |
|----------------------|-----|-----|-----|-----|-----|-----|-----|-----|
|KEXEC_SIG is not set  |     |     |     |     |     |     |     |     |
|SIG_FORCE is not set  |     |     |     |     |     |     |     |     |
|BZIMAGE_VERIFY_SIG is |fail |fail |succ |succ |  X  |  X  |succ |succ |
|not set               |     |     |     |     |     |     |     |     |
 ----------------------------------------------------------------------
Note:
[1] The 'X' indicates that the 1st kernel(unsigned) can not boot when the
Secure boot is enabled.
Hence, in this patch, if on x86_64, let's use the kexec_file_load() only.
See if anything wrong happened in this case, in Fedora firstly for the
time being.
Signed-off-by: Lianbo Jiang <lijiang(a)redhat.com>
---
Changes since v1:
[1] Improve patch log.
[2] Change the is_secure_boot_enforced() to use_kexec_file_load().
[3] Amend the code comment.
[4] Add the form for the kbuild options.
Changes since v2:
[1] Improve patch log.
[2] Also rewrite the form for the kbuild options.
Changes since v3:
[1] Improve patch log.
[2] Display an error message and ask user to try kexec_load() once the
kexec_file_load() failed.
Changes since v4:
[1] Improve patch log.
[2] Remove the unused is_secure_boot_enforced() from kdump-lib.sh.
[3] Add a new option 'KDUMP_FILE_LOAD', which provides a chance for user
to choose the kexec load or kexec file load. And use the kexec file
load by default.
dracut-early-kdump.sh | 5 +++--
kdump-lib.sh | 29 -----------------------------
kdump.sysconfig.x86_64 | 3 +++
kdumpctl | 13 +++++++------
4 files changed, 13 insertions(+), 37 deletions(-)
diff --git a/dracut-early-kdump.sh b/dracut-early-kdump.sh
index 69a34eb996cd..6788a6b83431 100755
--- a/dracut-early-kdump.sh
+++ b/dracut-early-kdump.sh
@@ -2,6 +2,7 @@
KEXEC=/sbin/kexec
standard_kexec_args="-p"
+KDUMP_FILE_LOAD=""
EARLY_KDUMP_INITRD=""
EARLY_KDUMP_KERNEL=""
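Review bot: KDUMP_FILE_LOAD is initialised to the empty string here and the hunks for this file do not set it anywhere else, so early kdump uses kexec_file_load() only if the sysconfig file carrying KDUMP_FILE_LOAD="on" is read inside the initramfs before early_kdump_load runs. Please confirm that it is, otherwise early kdump and kdumpctl can pick different syscalls on the same machine.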
@@ -43,8 +44,8 @@ early_kdump_load()
EARLY_KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
- if is_secure_boot_enforced; then
- echo "Secure Boot is enabled. Using kexec file based syscall."
+ if [ "$KDUMP_FILE_LOAD" == "on" ]; then
+ echo "Using kexec file based syscall."
EARLY_KEXEC_ARGS="$EARLY_KEXEC_ARGS -s"
fi
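Review bot: the test `[ "$KDUMP_FILE_LOAD" == "on" ]` uses `==` inside `[ ]`, which is a bash extension; `=` is the portable form and is safer for a script that runs in the initramfs. The same test is added three times in kdumpctl. The comparison is also exact, so values such as "ON" or "yes" silently select kexec_load(); either normalise the value or reject anything other than the documented ones.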
diff --git a/kdump-lib.sh b/kdump-lib.sh
index f393c76b9cbb..a79c1a70cc07 100755
--- a/kdump-lib.sh
+++ b/kdump-lib.sh
@@ -589,35 +589,6 @@ need_64bit_headers()
print (strtonum("0x" r[2]) > strtonum("0xffffffff")); }'`
}
-# Check if secure boot is being enforced.
-#
-# Per Peter Jones, we need check efivar SecureBoot-$(the UUID) and
-# SetupMode-$(the UUID), they are both 5 bytes binary data. The first four
-# bytes are the attributes associated with the variable and can safely be
-# ignored, the last bytes are one-byte true-or-false variables. If SecureBoot
-# is 1 and SetupMode is 0, then secure boot is being enforced.
-#
-# Assume efivars is mounted at /sys/firmware/efi/efivars.
-is_secure_boot_enforced()
-{
- local secure_boot_file setup_mode_file
- local secure_boot_byte setup_mode_byte
-
- secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-* 2>/dev/null)
- setup_mode_file=$(find /sys/firmware/efi/efivars -name SetupMode-* 2>/dev/null)
-
- if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
- secure_boot_byte=$(hexdump -v -e '/1 "%d\ "' $secure_boot_file|cut -d' ' -f 5)
- setup_mode_byte=$(hexdump -v -e '/1 "%d\ "' $setup_mode_file|cut -d' ' -f 5)
-
- if [ "$secure_boot_byte" = "1" ] && [ "$setup_mode_byte" = "0" ]; then
- return 0
- fi
- fi
-
- return 1
-}
-
#
# prepare_kexec_args <kexec args>
# This function prepares kexec argument.
diff --git a/kdump.sysconfig.x86_64 b/kdump.sysconfig.x86_64
index 09de2ebe798e..105f3f9f2d9c 100644
--- a/kdump.sysconfig.x86_64
+++ b/kdump.sysconfig.x86_64
@@ -38,3 +38,6 @@ KDUMP_IMG="vmlinuz"
#What is the images extension. Relocatable kernels don't have one
KDUMP_IMG_EXT=""
+
+#Using kexec file based syscall by default
+KDUMP_FILE_LOAD="on"
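Review bot: the comment added above KDUMP_FILE_LOAD="on" does not say which values are accepted or how to switch back to kexec_load(). Since the scripts test for the exact string "on", the comment should state that, and that any other value, or removing the line, selects kexec_load().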
diff --git a/kdumpctl b/kdumpctl
index 2d21a416deb1..97fe54110447 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -4,6 +4,7 @@ KEXEC=/sbin/kexec
KDUMP_KERNELVER=""
KDUMP_COMMANDLINE=""
KEXEC_ARGS=""
+KDUMP_FILE_LOAD=""
KDUMP_CONFIG_FILE="/etc/kdump.conf"
MKDUMPRD="/sbin/mkdumprd -f"
DRACUT_MODULES_FILE="/usr/lib/dracut/modules.txt"
@@ -678,11 +679,8 @@ load_kdump()
KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}" "${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}")
- # For secureboot enabled machines, use new kexec file based syscall.
- # Old syscall will always fail as it does not have capability to
- # to kernel signature verification.
- if is_secure_boot_enforced; then
- echo "Secure Boot is enabled. Using kexec file based syscall."
+ if [ "$KDUMP_FILE_LOAD" == "on" ]; then
+ echo "Using kexec file based syscall."
KEXEC_ARGS="$KEXEC_ARGS -s"
fi
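Review bot: in load_kdump the choice of syscall now rests only on KDUMP_FILE_LOAD, so on a Secure Boot machine where the variable is unset or not exactly "on" the script falls through to kexec_load(), which the removed comment says always fails there. Consider keeping a Secure Boot check just to print a hint in that case, or at least carry the removed explanation forward as a comment on the new test.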
@@ -694,6 +692,9 @@ load_kdump()
return 0
else
echo "kexec: failed to load kdump kernel" >&2
+ if [ "$KDUMP_FILE_LOAD" == "on" ]; then
+ echo "kexec_file_load() failed, please try kexec_load()" >&2
+ fi
return 1
fi
}
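Review bot: the message added in the failure branch tells the user to try kexec_load() but does not say how. Name the KDUMP_FILE_LOAD setting and the sysconfig file so the advice is actionable, and note that on Secure Boot machines the comment removed earlier in this function says kexec_load() cannot succeed, so the hint is misleading there.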
@@ -1162,7 +1163,7 @@ stop_fadump()
stop_kdump()
{
- if is_secure_boot_enforced; then
+ if [ "$KDUMP_FILE_LOAD" == "on" ]; then
$KEXEC -s -p -u
else
$KEXEC -p -u
--
2.17.1
3 years, 8 months