Hi,
Following patch series contains changes to kdumpctl for supporting kdump on secureboot enabled machines.
There is one kexec-tools patch required to be backported. That will follow in a separate mail.
Thanks Vivek
Vivek Goyal (3):
  kdumpctl: Do not redirect error messages to /dev/null
  kdumpctl: Use kexec file based mode to unload kdump kernel
  kdumpctl: Use kexec file based syscall for secureboot enabled machines

 kdumpctl | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)
Does anybody know why are we redirecting stderr to /dev/null when using kexec load/unload commands? This sounds wrong to me. In case of error I have no idea what went wrong.
Systemctl already puts all the information in journal. So if we are worried that user will be bombarded with error messages, that should not be a concern.
So do not redirect stderr to /dev/null.
Signed-off-by: Vivek Goyal vgoyal@redhat.com --- kdumpctl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kdumpctl b/kdumpctl index 70d30fa..bb98225 100755 --- a/kdumpctl +++ b/kdumpctl @@ -435,7 +435,7 @@ load_kdump()
$KEXEC $KEXEC_ARGS $standard_kexec_args \ --command-line="$KDUMP_COMMANDLINE" \ - --initrd=$TARGET_INITRD $kdump_kernel 2>/dev/null + --initrd=$TARGET_INITRD $kdump_kernel if [ $? == 0 ]; then echo "kexec: loaded kdump kernel" return 0 @@ -826,7 +826,7 @@ stop_fadump()
stop_kdump() { - $KEXEC -p -u 2>/dev/null + $KEXEC -p -u if [ $? != 0 ]; then echo "kexec: failed to unload kdump kernel" return 1
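Review bot: in the load_kdump() hunk, the line that loses `2>/dev/null` still passes `$TARGET_INITRD` and `$kdump_kernel` unquoted, so a path containing whitespace is split into several kexec arguments. Since the line is being touched anyway, quote both: `--initrd="$TARGET_INITRD" "$kdump_kernel"`.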
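Review bot: in the stop_kdump() hunk, the failure message `kexec: failed to unload kdump kernel` is written with a plain `echo`, so it goes to stdout while the kexec diagnostic this patch un-hides goes to stderr. Send the message to stderr as well (append `>&2` to the `echo`) so the cause and the summary stay together when only one stream is captured.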
On 09/03/14 at 12:07pm, Vivek Goyal wrote:
Does anybody know why are we redirecting stderr to /dev/null when using kexec load/unload commands? This sounds wrong to me. In case of error I have no idea what went wrong.
Seems it was 2>&1 originally, it's strange to redirect to /dev/null. I think we can remove the redirection safely.
Systemctl already puts all the information in journal. So if we are worried that user will be bombarded with error messages, that should not be a concern.
So do not redirect stderr to /dev/null.
Signed-off-by: Vivek Goyal vgoyal@redhat.com
kdumpctl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kdumpctl b/kdumpctl index 70d30fa..bb98225 100755 --- a/kdumpctl +++ b/kdumpctl @@ -435,7 +435,7 @@ load_kdump()
$KEXEC $KEXEC_ARGS $standard_kexec_args \ --command-line="$KDUMP_COMMANDLINE" \
--initrd=$TARGET_INITRD $kdump_kernel 2>/dev/null
if [ $? == 0 ]; then echo "kexec: loaded kdump kernel" return 0--initrd=$TARGET_INITRD $kdump_kernel
@@ -826,7 +826,7 @@ stop_fadump()
stop_kdump() {
- $KEXEC -p -u 2>/dev/null
- $KEXEC -p -u if [ $? != 0 ]; then echo "kexec: failed to unload kdump kernel" return 1
-- 1.9.0
kexec mailing list kexec@lists.fedoraproject.org https://lists.fedoraproject.org/mailman/listinfo/kexec
Currently old kexec syscall denies unloading a kernel if secureboot is enabled. I think this is not right behavior and should be changed. But for now, use new syscall if secureboot is enabled and that allows unloading kernel.
Signed-off-by: Vivek Goyal vgoyal@redhat.com --- kdumpctl | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/kdumpctl b/kdumpctl index bb98225..9403d61 100755 --- a/kdumpctl +++ b/kdumpctl @@ -826,7 +826,12 @@ stop_fadump()
stop_kdump() { - $KEXEC -p -u + if is_secure_boot_enforced; then + $KEXEC -s -p -u + else + $KEXEC -p -u + fi + if [ $? != 0 ]; then echo "kexec: failed to unload kdump kernel" return 1
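Review bot: in stop_kdump(), the `if [ $? != 0 ]` test is now separated from the kexec call by `fi` and a blank line, and it only works because an if/else block returns the status of the last command run inside it. Any statement later added between `fi` and the test (a log line, for example) would silently turn an unload failure into success. Build the flags once and keep the status check directly after a single call: set `unload_args="-p -u"`, prepend `-s` when `is_secure_boot_enforced` succeeds, then run `$KEXEC $unload_args`.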
On 09/03/14 at 12:07pm, Vivek Goyal wrote:
Currently old kexec syscall denies unloading a kernel if secureboot is enabled. I think this is not right behavior and should be changed. But for now, use new syscall if secureboot is enabled and that allows unloading kernel.
We need to make sure the new syscall is in latest Fedora kernel, then we can add this patch in kexec-tools.
Signed-off-by: Vivek Goyal vgoyal@redhat.com
kdumpctl | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/kdumpctl b/kdumpctl index bb98225..9403d61 100755 --- a/kdumpctl +++ b/kdumpctl @@ -826,7 +826,12 @@ stop_fadump()
stop_kdump() {
- $KEXEC -p -u
- if is_secure_boot_enforced; then
$KEXEC -s -p -u
- else
$KEXEC -p -u
- fi
- if [ $? != 0 ]; then echo "kexec: failed to unload kdump kernel" return 1
-- 1.9.0
On 09/05/14 at 10:16am, Dave Young wrote:
On 09/03/14 at 12:07pm, Vivek Goyal wrote:
Currently old kexec syscall denies unloading a kernel if secureboot is enabled. I think this is not right behavior and should be changed. But for now, use new syscall if secureboot is enabled and that allows unloading kernel.
We need to make sure the new syscall is in latest Fedora kernel, then we can add this patch in kexec-tools.
BTW, seems there's a new kconfig option for the syscall, it needs a fedora kernel patch if it's not default on.
Signed-off-by: Vivek Goyal vgoyal@redhat.com
kdumpctl | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/kdumpctl b/kdumpctl index bb98225..9403d61 100755 --- a/kdumpctl +++ b/kdumpctl @@ -826,7 +826,12 @@ stop_fadump()
stop_kdump() {
- $KEXEC -p -u
- if is_secure_boot_enforced; then
$KEXEC -s -p -u
- else
$KEXEC -p -u
- fi
- if [ $? != 0 ]; then echo "kexec: failed to unload kdump kernel" return 1
-- 1.9.0
On 09/05/14 at 10:45am, Dave Young wrote:
On 09/05/14 at 10:16am, Dave Young wrote:
On 09/03/14 at 12:07pm, Vivek Goyal wrote:
Currently old kexec syscall denies unloading a kernel if secureboot is enabled. I think this is not right behavior and should be changed. But for now, use new syscall if secureboot is enabled and that allows unloading kernel.
We need to make sure the new syscall is in latest Fedora kernel, then we can add this patch in kexec-tools.
BTW, seems there's a new kconfig option for the syscall, it needs a fedora kernel patch if it's not default on.
Yeah, I was a little surprised when the OS said kexec_file_load is not implemented yet. Is there any concern about defaulting CONFIG_KEXEC_FILE now?
Signed-off-by: Vivek Goyal vgoyal@redhat.com
kdumpctl | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/kdumpctl b/kdumpctl index bb98225..9403d61 100755 --- a/kdumpctl +++ b/kdumpctl @@ -826,7 +826,12 @@ stop_fadump()
stop_kdump() {
- $KEXEC -p -u
- if is_secure_boot_enforced; then
$KEXEC -s -p -u
- else
$KEXEC -p -u
- fi
- if [ $? != 0 ]; then echo "kexec: failed to unload kdump kernel" return 1
-- 1.9.0
On Fri, Sep 05, 2014 at 10:57:31AM +0800, Baoquan He wrote:
On 09/05/14 at 10:45am, Dave Young wrote:
On 09/05/14 at 10:16am, Dave Young wrote:
On 09/03/14 at 12:07pm, Vivek Goyal wrote:
Currently old kexec syscall denies unloading a kernel if secureboot is enabled. I think this is not right behavior and should be changed. But for now, use new syscall if secureboot is enabled and that allows unloading kernel.
We need to make sure the new syscall is in latest Fedora kernel, then we can add this patch in kexec-tools.
BTW, seems there's a new kconfig option for the syscall, it needs a fedora kernel patch if it's not default on.
Yeah, I was a little surprised when the OS said kexec_file_load is not implemented yet. Is there any concern about defaulting CONFIG_KEXEC_FILE now?
I think it is perfectly fine. This kexec-tools should be able to run on kernels which have CONFIG_KEXEC_FILE=n and user space should display correct error message.
Thanks Vivek
On 09/05/14 at 07:53am, Vivek Goyal wrote:
On Fri, Sep 05, 2014 at 10:57:31AM +0800, Baoquan He wrote:
On 09/05/14 at 10:45am, Dave Young wrote:
On 09/05/14 at 10:16am, Dave Young wrote:
On 09/03/14 at 12:07pm, Vivek Goyal wrote:
Currently old kexec syscall denies unloading a kernel if secureboot is enabled. I think this is not right behavior and should be changed. But for now, use new syscall if secureboot is enabled and that allows unloading kernel.
We need to make sure the new syscall is in latest Fedora kernel, then we can add this patch in kexec-tools.
BTW, seems there's a new kconfig option for the syscall, it needs a fedora kernel patch if it's not default on.
Yeah, I was a little surprised when the OS said kexec_file_load is not implemented yet. Is there any concern about defaulting CONFIG_KEXEC_FILE now?
I think it is perfectly fine. This kexec-tools should be able to run on kernels which have CONFIG_KEXEC_FILE=n and user space should display correct error message.
Yes, understood it after discussion with Dave. Just a little confusing when found kexec_file_load suddenly didn't work. I even used gdb to check it. That will be better if user space can tell the reason more clearly.
Btw, this will be opened in rhel and fedora, right?
Thanks Baoquan
Thanks Vivek
On Fri, Sep 05, 2014 at 08:51:58PM +0800, Baoquan He wrote:
On 09/05/14 at 07:53am, Vivek Goyal wrote:
On Fri, Sep 05, 2014 at 10:57:31AM +0800, Baoquan He wrote:
On 09/05/14 at 10:45am, Dave Young wrote:
On 09/05/14 at 10:16am, Dave Young wrote:
On 09/03/14 at 12:07pm, Vivek Goyal wrote:
Currently old kexec syscall denies unloading a kernel if secureboot is enabled. I think this is not right behavior and should be changed. But for now, use new syscall if secureboot is enabled and that allows unloading kernel.
We need to make sure the new syscall is in latest Fedora kernel, then we can add this patch in kexec-tools.
BTW, seems there's a new kconfig option for the syscall, it needs a fedora kernel patch if it's not default on.
Yeah, I was a little surprised when the OS said kexec_file_load is not implemented yet. Is there any concern about defaulting CONFIG_KEXEC_FILE now?
I think it is perfectly fine. This kexec-tools should be able to run on kernels which have CONFIG_KEXEC_FILE=n and user space should display correct error message.
Yes, understood it after discussion with Dave. Just a little confusing when found kexec_file_load suddenly didn't work. I even used gdb to check it. That will be better if user space can tell the reason more clearly.
Btw, this will be opened in rhel and fedora, right?
Yes. Latest fedora kernels have already enabled it. I will post RHEL patches pretty soon.
Thanks Vivek
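The case discussed above, Secure Boot enforced on a kernel built with CONFIG_KEXEC_FILE=n, as an added example that is not part of the thread or of kdumpctl: a pre-flight check that picks the kexec mode and names the reason when file based loading is unavailable. The function names are hypothetical, and it assumes the efivarfs layout (4 attribute bytes, then data) for the SecureBoot and SetupMode variables and a kernel config file such as /boot/config-$(uname -r).

```shell
#!/bin/bash
# Added example, not kdumpctl code. All paths are arguments so the logic can
# be run against constructed files instead of the live system.

# Succeeds when the kernel config file $1 contains CONFIG_KEXEC_FILE=y.
kexec_file_configured() {
    [ -r "$1" ] && grep -q '^CONFIG_KEXEC_FILE=y$' "$1"
}

# Prints the first data byte of efivarfs file $1 as a decimal number.
# Assumed layout: 4 attribute bytes followed by the variable's data.
efivar_byte() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# choose_kexec_mode SECUREBOOT_VAR SETUPMODE_VAR KERNEL_CONFIG
# Prints "-s" when Secure Boot is enforced (SecureBoot=1, SetupMode=0) and
# the kernel can do file based loading, prints nothing when Secure Boot is
# not enforced, and fails with a reason on stderr when it is enforced but
# CONFIG_KEXEC_FILE is missing.
choose_kexec_mode() {
    local sb sm
    sb=$(efivar_byte "$1") || sb=0
    sm=$(efivar_byte "$2") || sm=0
    if [ "$sb" = 1 ] && [ "$sm" = 0 ]; then
        if ! kexec_file_configured "$3"; then
            echo "Secure Boot is enforced but $3 lacks CONFIG_KEXEC_FILE=y;" \
                 "kexec -s cannot work on this kernel" >&2
            return 1
        fi
        printf '%s\n' '-s'
    fi
    return 0
}

# Constructed inputs: Secure Boot on, SetupMode off, CONFIG_KEXEC_FILE unset.
demo=$(mktemp -d)
printf '\006\000\000\000\001' > "$demo/SecureBoot"
printf '\006\000\000\000\000' > "$demo/SetupMode"
printf '%s\n' 'CONFIG_KEXEC=y' '# CONFIG_KEXEC_FILE is not set' > "$demo/config"
choose_kexec_mode "$demo/SecureBoot" "$demo/SetupMode" "$demo/config" ||
    echo "refusing to call kexec: see the reason above"
```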
On Fri, Sep 05, 2014 at 10:45:35AM +0800, Dave Young wrote:
On 09/05/14 at 10:16am, Dave Young wrote:
On 09/03/14 at 12:07pm, Vivek Goyal wrote:
Currently old kexec syscall denies unloading a kernel if secureboot is enabled. I think this is not right behavior and should be changed. But for now, use new syscall if secureboot is enabled and that allows unloading kernel.
We need to make sure the new syscall is in latest Fedora kernel, then we can add this patch in kexec-tools.
BTW, seems there's a new kconfig option for the syscall, it needs a fedora kernel patch if it's not default on.
I already posted the patch and that patch got committed in fedora kernel tree.
http://pkgs.fedoraproject.org/cgit/kernel.git/commit/?id=d5eb8951d21de019218...
Vivek
On Fri, Sep 05, 2014 at 10:16:10AM +0800, Dave Young wrote:
On 09/03/14 at 12:07pm, Vivek Goyal wrote:
Currently old kexec syscall denies unloading a kernel if secureboot is enabled. I think this is not right behavior and should be changed. But for now, use new syscall if secureboot is enabled and that allows unloading kernel.
We need to make sure the new syscall is in latest Fedora kernel, then we can add this patch in kexec-tools.
It is already there in latest fedora kernels. So let us commit this patch.
Thanks Vivek
Now kexec file based syscall can be used with secureboot enabled machines. Automatically switch to using new syscall if secureboot is enabled on the machine.
Also remove the old message where kdump service failed if secureboot is enabled. That's not the case anymore.
Signed-off-by: Vivek Goyal vgoyal@redhat.com --- kdumpctl | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/kdumpctl b/kdumpctl index 9403d61..8fc2c27 100755 --- a/kdumpctl +++ b/kdumpctl @@ -433,6 +433,14 @@ load_kdump()
KDUMP_COMMANDLINE=`prepare_cmdline`
+ # For secureboot enabled machines, use new kexec file based syscall. + # Old syscall will always fail as it does not have capability to + # to kernel signature verification. + if is_secure_boot_enforced; then + echo "Secureboot is enabled. Using kexec file based syscall." + KEXEC_ARGS="$KEXEC_ARGS -s" + fi + $KEXEC $KEXEC_ARGS $standard_kexec_args \ --command-line="$KDUMP_COMMANDLINE" \ --initrd=$TARGET_INITRD $kdump_kernel @@ -702,11 +710,6 @@ is_secure_boot_enforced()
check_kdump_feasibility() { - if is_secure_boot_enforced; then - echo "Secure Boot is Enabled. Kdump service can't be started. Disable Secure Boot and retry" - return 1; - fi - if [ ! -e /sys/kernel/kexec_crash_loaded ]; then echo "Kdump is not supported on this kernel" return 1
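Review bot: the comment added in load_kdump() reads "does not have capability to to kernel signature verification"; the second "to" should be "do". In the same hunk, `KEXEC_ARGS="$KEXEC_ARGS -s"` appends unconditionally, so a `KEXEC_ARGS` that already carries `-s` ends up with the flag twice; test for it before appending.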
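Review bot: with the Secure Boot test removed, check_kdump_feasibility() only looks at `/sys/kernel/kexec_crash_loaded`, so on a Secure Boot machine whose kernel does not provide the file based syscall the service passes the feasibility check and fails later in load_kdump() with whatever kexec prints. Rather than dropping the early check entirely, replace the removed block with a test for that combination and a message that names the missing kernel support.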
On 09/03/14 at 12:07pm, Vivek Goyal wrote:
Now kexec file based syscall can be used with secureboot enabled machines. Automatically switch to using new syscall if secureboot is enabled on the machine.
Also remove the old message where kdump service failed if secureboot is enabled. That's not the case anymore.
Vivek
How about merging patch 2/3 and 3/3 as one patch so that it can be logically one functionally.
Signed-off-by: Vivek Goyal vgoyal@redhat.com
kdumpctl | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/kdumpctl b/kdumpctl index 9403d61..8fc2c27 100755 --- a/kdumpctl +++ b/kdumpctl @@ -433,6 +433,14 @@ load_kdump()
KDUMP_COMMANDLINE=`prepare_cmdline`
- # For secureboot enabled machines, use new kexec file based syscall.
- # Old syscall will always fail as it does not have capability to
- # to kernel signature verification.
- if is_secure_boot_enforced; then
echo "Secureboot is enabled. Using kexec file based syscall."
KEXEC_ARGS="$KEXEC_ARGS -s"
- fi
- $KEXEC $KEXEC_ARGS $standard_kexec_args \ --command-line="$KDUMP_COMMANDLINE" \ --initrd=$TARGET_INITRD $kdump_kernel
@@ -702,11 +710,6 @@ is_secure_boot_enforced()
check_kdump_feasibility() {
- if is_secure_boot_enforced; then
echo "Secure Boot is Enabled. Kdump service can't be started. Disable Secure Boot and retry"
return 1;
- fi
- if [ ! -e /sys/kernel/kexec_crash_loaded ]; then echo "Kdump is not supported on this kernel" return 1
-- 1.9.0
On Fri, Sep 05, 2014 at 10:18:52AM +0800, Dave Young wrote:
On 09/03/14 at 12:07pm, Vivek Goyal wrote:
Now kexec file based syscall can be used with secureboot enabled machines. Automatically switch to using new syscall if secureboot is enabled on the machine.
Also remove the old message where kdump service failed if secureboot is enabled. That's not the case anymore.
Vivek
How about merging patch 2/3 and 3/3 as one patch so that it can be logically one functionally.
Do you really feel strongly about it? I will have to redo the patches. It looks fine to me. One patch for unloading kernel and one patch for loading kernel.
Thanks Vivek
On 09/03/14 at 12:07pm, Vivek Goyal wrote:
Hi,
Following patch series contains changes to kdumpctl for supporting kdump on secureboot enabled machines.
There is one kexec-tools patch required to be backported. That will follow in a separate mail.
Vivek, thanks for the patches. I have some comments about the kdumpctl patches.
BTW, Chao will be back next Friday. Baoquan, can you help to commit the Fedora patches when they are ready?
Thanks Vivek
Vivek Goyal (3):
  kdumpctl: Do not redirect error messages to /dev/null
  kdumpctl: Use kexec file based mode to unload kdump kernel
  kdumpctl: Use kexec file based syscall for secureboot enabled machines

 kdumpctl | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)
-- 1.9.0
On 09/05/14 at 10:34am, Dave Young wrote:
On 09/03/14 at 12:07pm, Vivek Goyal wrote:
Hi,
Following patch series contains changes to kdumpctl for supporting kdump on secureboot enabled machines.
There is one kexec-tools patch required to be backported. That will follow in a separate mail.
Vivek, thanks for the patches. I have some comments about the kdumpctl patches.
BTW, Chao will be back next Friday. Baoquan, can you help to commit the Fedora patches when they are ready?
Yes, I have replied to Vivek, I can merge it.
Thanks Vivek
Vivek Goyal (3):
  kdumpctl: Do not redirect error messages to /dev/null
  kdumpctl: Use kexec file based mode to unload kdump kernel
  kdumpctl: Use kexec file based syscall for secureboot enabled machines

 kdumpctl | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)
-- 1.9.0