Hi,
This is V2 of the patches. I changed patch 3 a bit: in the user-visible message,
I changed the string "secureboot" to "Secure Boot".
The following patch series contains changes to kdumpctl for supporting kdump
on secureboot-enabled machines. The kernel patches are not available in the
latest Fedora kernel.
There is one kexec-tools patch required to be backported. That will follow
in a separate mail.
Thanks
Vivek
Vivek Goyal (3):
kdumpctl: Do not redirect error messages to /dev/null
kdumpctl: Use kexec file based mode to unload kdump kernel
kdumpctl: Use kexec file based syscall for secureboot enabled machines
kdumpctl | 22 +++++++++++++++-------
1 file changed, 15 insertions(+), 7 deletions(-)
--
1.9.0
Does anybody know why we are redirecting stderr to /dev/null when using
the kexec load/unload commands? This sounds wrong to me. In case of error I
have no idea what went wrong.
systemctl already puts all the information in the journal. So if we are worried
that the user will be bombarded with error messages, that should not be a concern.
So do not redirect stderr to /dev/null.
Signed-off-by: Vivek Goyal <vgoyal(a)redhat.com>
---
kdumpctl | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kdumpctl b/kdumpctl
index 70d30fa..bb98225 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -435,7 +435,7 @@ load_kdump()
$KEXEC $KEXEC_ARGS $standard_kexec_args \
--command-line="$KDUMP_COMMANDLINE" \
- --initrd=$TARGET_INITRD $kdump_kernel 2>/dev/null
+ --initrd=$TARGET_INITRD $kdump_kernel
if [ $? == 0 ]; then
echo "kexec: loaded kdump kernel"
return 0
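Review bot: the unchanged `if [ $? == 0 ]` test right after the now-unsilenced kexec call uses `==`, which is a bash extension inside `[`; `-eq 0` is the portable integer comparison and states the intent more clearly. Dropping `2>/dev/null` is the right call: kexec's own stderr is the only thing that tells the user why the load failed, and when kdumpctl runs under systemd that output lands in the journal rather than on anyone's terminal.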
@@ -826,7 +826,7 @@ stop_fadump()
stop_kdump()
{
- $KEXEC -p -u 2>/dev/null
+ $KEXEC -p -u
if [ $? != 0 ]; then
echo "kexec: failed to unload kdump kernel"
return 1
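Review bot: with stderr no longer discarded, a failing `$KEXEC -p -u` now prints kexec's own error immediately followed by the script's "kexec: failed to unload kdump kernel" line; that is fine, but prefixing the script's message (for example with "kdumpctl:") would make the two sources distinguishable in the journal. The same `!=` versus `-ne` point as in the load hunk applies to `[ $? != 0 ]`.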
--
1.9.0
Currently the old kexec syscall denies unloading a kernel if secureboot is enabled.
I think this is not the right behavior and should be changed. But for now, use
the new syscall if secureboot is enabled, and that allows unloading the kernel.
Signed-off-by: Vivek Goyal <vgoyal(a)redhat.com>
---
kdumpctl | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/kdumpctl b/kdumpctl
index bb98225..9403d61 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -826,7 +826,12 @@ stop_fadump()
stop_kdump()
{
- $KEXEC -p -u
+ if is_secure_boot_enforced; then
+ $KEXEC -s -p -u
+ else
+ $KEXEC -p -u
+ fi
+
if [ $? != 0 ]; then
echo "kexec: failed to unload kdump kernel"
return 1
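Review bot: the unchanged `if [ $? != 0 ]` after the new `if ... fi` block relies on bash carrying the exit status of the last command run in the taken branch through `fi` (the added blank line does not reset it), which works but is fragile under later edits; capturing the status immediately after the kexec call, or writing the unload as `if ! $KEXEC -s -p -u; then`, would make the intent explicit. Also, patch 3 adds `-s` to `KEXEC_ARGS` for the load path, so consider deriving the unload flags from the same place rather than hard-coding `-s` here, so the two paths cannot drift apart.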
--
1.9.0
Now the kexec file-based syscall can be used on secureboot-enabled machines.
Automatically switch to using the new syscall if secureboot is enabled on the
machine.
Also remove the old message where the kdump service failed if secureboot was
enabled. That's not the case anymore.
v2:
Renamed "secureboot" to "Secure Boot" in the user-visible message.
Signed-off-by: Vivek Goyal <vgoyal(a)redhat.com>
---
kdumpctl | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/kdumpctl b/kdumpctl
index 9403d61..ee3214a 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -433,6 +433,14 @@ load_kdump()
KDUMP_COMMANDLINE=`prepare_cmdline`
+ # For secureboot enabled machines, use new kexec file based syscall.
+ # Old syscall will always fail as it does not have capability to
+ # to kernel signature verification.
+ if is_secure_boot_enforced; then
+ echo "Secure Boot is enabled. Using kexec file based syscall."
+ KEXEC_ARGS="$KEXEC_ARGS -s"
+ fi
+
$KEXEC $KEXEC_ARGS $standard_kexec_args \
--command-line="$KDUMP_COMMANDLINE" \
--initrd=$TARGET_INITRD $kdump_kernel
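Review bot: the added comment has a typo, "does not have capability to / to kernel signature verification" should read "to do kernel signature verification". Also, `KEXEC_ARGS="$KEXEC_ARGS -s"` appends unconditionally, so a user who already configured `-s` in `KEXEC_ARGS` ends up passing it twice; probably harmless for kexec, but a guard that only appends when the existing args do not already contain `-s` would avoid the duplicate.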
@@ -702,11 +710,6 @@ is_secure_boot_enforced()
check_kdump_feasibility()
{
- if is_secure_boot_enforced; then
- echo "Secure Boot is Enabled. Kdump service can't be started. Disable Secure
Boot and retry"
- return 1;
- fi
-
if [ ! -e /sys/kernel/kexec_crash_loaded ]; then
echo "Kdump is not supported on this kernel"
return 1
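Review bot: removing the Secure Boot refusal leaves no feasibility check for the new path. On a kernel without support for the file-based syscall (the cover letter says the kernel patches are not in the latest Fedora kernel), `kdumpctl start` with Secure Boot enforced now fails with only whatever kexec prints at load time instead of a clear message; consider replacing the removed block with a check that the running kernel supports the file-based syscall. Note also that the removed `echo` string is wrapped across two lines in the mail, so verify the removed lines match the tree exactly when applying.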
--
1.9.0