UEFI Secure boot is a verification mechanism, it can make sure that code
launched is trusted by firmware. So Secure boot is designed to prevent
malicious code being loaded and executed early at the boot stage.
Previously, kernel prevents unsigned kernel images from being loaded with
kexec_file_load(). But now, kernel has evolved, the kexec_file_load()
syscall checks for a valid signature of the kernel image if there is a
signature(It must be valid). In addition, the images can still be loaded
without a valid signature.
Currently, kernel enables the options KEXEC_SIG and KEXEC_BZIMAGE_VERIFY
_SIG on x86_64 by default, it can cover signed or unsigned kernel images
and allow to load them, please refer to the following form.
.-----------------------------------------------------------------------.
| . | UEFI(signed) | non UEFI(unsigned) |
| . types |-----------------------|------------------------|
| . | | non | | |
| . |secure boot|secure boot| prev | now |
| options . |-----------|-----------| | |
| . | prev| now | prev| now | | |
|----------------------|-----|-----|-----|-----|-----------|------------|
|KEXEC_SIG=y | | | | | | |
|SIG_FORCE is not set |succ |succ |succ |succ | succ | succ |
|BZIMAGE_VERIFY_SIG=y | | | | | | |
|----------------------|-----|-----|-----|-----|-----------|------------|
|KEXEC_SIG=y | | | | | | |
|SIG_FORCE is not set | | | | | | |
|BZIMAGE_VERIFY_SIG is |fail |fail |succ |fail | succ | fail |
|not set | | | | | | |
|----------------------|-----|-----|-----|-----|-----------|------------|
|KEXEC_SIG=y | | | | | | |
|SIG_FORCE=y |succ |succ |succ |fail | succ | fail |
|BZIMAGE_VERIFY_SIG=y | | | | | | |
|----------------------|-----|-----|-----|-----|-----------|------------|
|KEXEC_SIG=y | | | | | | |
|SIG_FORCE=y | | | | | | |
|BZIMAGE_VERIFY_SIG is |fail |fail |succ |fail | succ | fail |
|not set | | | | | | |
|----------------------|-----|-----|-----|-----|-----------|------------|
|KEXEC_SIG is not set | | | | | | |
|SIG_FORCE is not set | | | | | | |
|BZIMAGE_VERIFY_SIG is |fail |fail |succ |succ | succ | succ |
|not set | | | | | | |
-----------------------------------------------------------------------
Note:
[1] 'prev': Without this patch
[2] 'now': With this patch
So, it's time for switching to the kexec_file_load() syscall on x86_64
for kexec-tools.
Signed-off-by: Lianbo Jiang <lijiang(a)redhat.com>
---
dracut-early-kdump.sh | 4 ++--
kdump-lib.sh | 31 +++++++++++--------------------
kdumpctl | 10 ++++------
3 files changed, 17 insertions(+), 28 deletions(-)
diff --git a/dracut-early-kdump.sh b/dracut-early-kdump.sh
index 69a34eb996cd..bfb923d6efa1 100755
--- a/dracut-early-kdump.sh
+++ b/dracut-early-kdump.sh
@@ -43,8 +43,8 @@ early_kdump_load()
EARLY_KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
- if is_secure_boot_enforced; then
- echo "Secure Boot is enabled. Using kexec file based syscall."
+ if use_kexec_file_load; then
+ echo "Using kexec file based syscall."
EARLY_KEXEC_ARGS="$EARLY_KEXEC_ARGS -s"
fi
diff --git a/kdump-lib.sh b/kdump-lib.sh
index f393c76b9cbb..5b6684992553 100755
--- a/kdump-lib.sh
+++ b/kdump-lib.sh
@@ -589,30 +589,21 @@ need_64bit_headers()
print (strtonum("0x" r[2]) > strtonum("0xffffffff")); }'`
}
-# Check if secure boot is being enforced.
#
-# Per Peter Jones, we need check efivar SecureBoot-$(the UUID) and
-# SetupMode-$(the UUID), they are both 5 bytes binary data. The first four
-# bytes are the attributes associated with the variable and can safely be
-# ignored, the last bytes are one-byte true-or-false variables. If SecureBoot
-# is 1 and SetupMode is 0, then secure boot is being enforced.
+# Currently, Secure Boot is only used on x86_64 and kernel enabled the
+# kexec_file_load() on x86_64 by default.
+# In addition, kernel also enables the option KEXEC_SIG, which makes the
+# kexec_file_load() syscall checks for a valid signature of the kernel
+# image if there is a signature(It must be valid). And the images can
+# still be loaded without a valid signature. So let kexec-tools change
+# as well.
#
-# Assume efivars is mounted at /sys/firmware/efi/efivars.
-is_secure_boot_enforced()
+use_kexec_file_load()
{
- local secure_boot_file setup_mode_file
- local secure_boot_byte setup_mode_byte
+ local arch_name=`uname -m`
- secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-* 2>/dev/null)
- setup_mode_file=$(find /sys/firmware/efi/efivars -name SetupMode-* 2>/dev/null)
-
- if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file"
]; then
- secure_boot_byte=$(hexdump -v -e '/1 "%d\ "'
$secure_boot_file|cut -d' ' -f 5)
- setup_mode_byte=$(hexdump -v -e '/1 "%d\ "'
$setup_mode_file|cut -d' ' -f 5)
-
- if [ "$secure_boot_byte" = "1" ] && [
"$setup_mode_byte" = "0" ]; then
- return 0
- fi
+ if [ "$arch_name" == "x86_64" ]; then
+ return 0
fi
return 1
diff --git a/kdumpctl b/kdumpctl
index 2d21a416deb1..d1c987773cf9 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -678,11 +678,9 @@ load_kdump()
KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}"
"${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}")
- # For secureboot enabled machines, use new kexec file based syscall.
- # Old syscall will always fail as it does not have capability to
- # to kernel signature verification.
- if is_secure_boot_enforced; then
- echo "Secure Boot is enabled. Using kexec file based syscall."
+ # On x86_64 machine, lets use kexec file based syscall by default.
+ if use_kexec_file_load; then
+ echo "Using kexec file based syscall."
KEXEC_ARGS="$KEXEC_ARGS -s"
fi
@@ -1162,7 +1160,7 @@ stop_fadump()
stop_kdump()
{
- if is_secure_boot_enforced; then
+ if use_kexec_file_load; then
$KEXEC -s -p -u
else
$KEXEC -p -u
--
2.17.1