On a ppc64le LPAR, secure boot is indicated a little differently than on bare metal:
host secure boot: the /ibm,secure-boot/os-secureboot-enforcing DT property exists,
while
guest secure boot: /ibm,secure-boot >= 2.
Make kexec-tools handle the LPAR case.
Signed-off-by: Pingfan Liu <piliu(a)redhat.com>
---
kdump-lib.sh | 9 +++++++--
kdumpctl | 32 ++++++++++++++++++++++++++++++++
2 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/kdump-lib.sh b/kdump-lib.sh
index a4bab39..3d57f98 100755
--- a/kdump-lib.sh
+++ b/kdump-lib.sh
@@ -621,11 +621,16 @@ is_secure_boot_enforced()
local secure_boot_file setup_mode_file
local secure_boot_byte setup_mode_byte
- # On powerpc, os-secureboot-enforcing DT property indicates whether secureboot
- # is enforced. Return success, if it is found.
+ # On powerpc, secure boot is enforced if:
+ # host secure boot: /ibm,secure-boot/os-secureboot-enforcing DT property exists
+ # guest secure boot: /ibm,secure-boot >= 2
if [ -f /proc/device-tree/ibm,secureboot/os-secureboot-enforcing ]; then
return 0
fi
+ if [ -f /proc/device-tree/ibm,secure-boot ] && \
+ [ $(lsprop /proc/device-tree/ibm,secure-boot | tail -1) -ge 2 ]; then
+ return 0
+ fi
# Detect secure boot on x86 and arm64
secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-* 2>/dev/null)
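Review bot: The new guest test in is_secure_boot_enforced fails open: the `lsprop ... | tail -1` substitution is unquoted and fed straight to `-ge`, so if lsprop is missing or its last line is not a bare decimal integer, `[` errors out and the function falls through as "not enforced". Capturing and validating the value first would make that explicit, e.g. `val=$(lsprop /proc/device-tree/ibm,secure-boot 2>/dev/null | tail -1)` followed by `case "$val" in ''|*[!0-9]*) ;; *) [ "$val" -ge 2 ] && return 0 ;; esac`, with `val` added to the `local` list. The added comment also names the host property as `/ibm,secure-boot/os-secureboot-enforcing`, while the test directly below it reads `ibm,secureboot/os-secureboot-enforcing` without the hyphen, so one of the two spellings should be corrected. The function body continues past the end of this hunk.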
diff --git a/kdumpctl b/kdumpctl
index 24f5cf7..c3311ad 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -638,6 +638,35 @@ check_rebuild()
return $?
}
+# On ppc64le LPARs, the keys trusted by firmware do not end up in
+# .builtin_trusted_keys. So instead, add the key to the .ima keyring
+function load_kdump_kernel_key()
+{
+ # this is only called inside is_secure_boot_enforced,
+ # no need to retest
+
+ # this is only required if DT /ibm,secure-boot is a file.
+ # if it is a dir, we are on OpenPower and don't need this.
+ if ! [ -f /proc/device-tree/ibm,secure-boot ]; then
+ return
+ fi
+
+ KDUMP_KEY_ID=$(cat /usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer |
+ keyctl padd asymmetric kernelkey-$RANDOM %:.ima)
+}
+
+# remove a previously loaded key. There's no real security implication
+# to leaving it around, we choose to do this because it makes it easier
+# to be idempotent and so as to reduce the potential for confusion.
+function remove_kdump_kernel_key()
+{
+ if [ -z "$KDUMP_KEY_ID" ]; then
+ return
+ fi
+
+ keyctl unlink $KDUMP_KEY_ID %:.ima
+}
+
# Load the kdump kernel specified in /etc/sysconfig/kdump
# If none is specified, try to load a kdump kernel with the same version
# as the currently running kernel.
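Review bot: load_kdump_kernel_key has no failure handling. If the certificate file is missing or `keyctl padd` rejects it, KDUMP_KEY_ID is silently left empty and the later `kexec -s` load presumably fails with an unrelated-looking signature error. The `cat ... | keyctl` pipeline also hides cat's exit status, and `$KDUMP_KERNELVER` is interpolated into the path unquoted. The block below checks that the certificate is readable, feeds it by redirection, quotes the expansions and logs both failure cases. The comment above the function should also state what the trust decision rests on, since this adds a verification key to `.ima` from a file on disk; whether the kernel restricts additions to that keyring is not visible here.

```shell
# … unchanged: return early unless /proc/device-tree/ibm,secure-boot is a file …

local cert="/usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer"

KDUMP_KEY_ID=""
if ! [ -r "$cert" ]; then
	derror "kdump: kernel signing certificate $cert is not readable"
	return
fi

if ! KDUMP_KEY_ID=$(keyctl padd asymmetric "kernelkey-$RANDOM" %:.ima < "$cert"); then
	derror "kdump: failed to add $cert to the .ima keyring"
	KDUMP_KEY_ID=""
fi
```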
@@ -654,6 +683,7 @@ load_kdump()
if is_secure_boot_enforced; then
dinfo "Secure Boot is enabled. Using kexec file based syscall."
KEXEC_ARGS="$KEXEC_ARGS -s"
+ load_kdump_kernel_key
fi
ddebug "$KEXEC $KEXEC_ARGS $standard_kexec_args --command-line=$KDUMP_COMMANDLINE --initrd=$TARGET_INITRD $KDUMP_KERNEL"
@@ -675,6 +705,8 @@ load_kdump()
set +x
exec 2>&12 12>&-
+ remove_kdump_kernel_key
+
if [ $ret == 0 ]; then
dinfo "kexec: loaded kdump kernel"
return 0
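Review bot: The status of `remove_kdump_kernel_key` is discarded at this call, so a failed `keyctl unlink` leaves the signing key linked in `.ima` with no log entry. KDUMP_KEY_ID also keeps its old value afterwards. While the key stays linked it is presumably honoured by IMA appraisal for anything it signed, so the failure is worth surfacing: `remove_kdump_kernel_key || dwarn "kdump: could not unlink key $KDUMP_KEY_ID from .ima"`. Inside the helper, quoting the ID and clearing it after a successful unlink (`keyctl unlink "$KDUMP_KEY_ID" %:.ima && KDUMP_KEY_ID=""`) would keep a repeated call from acting on a stale ID. load_kdump starts and ends outside this hunk, so any early return between the load and this line cannot be checked from here.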
--
2.29.2