[kexec-tools/f20] kdumpctl: claim that kdump does not support secure boot when service start

WANG Chao wangchao at fedoraproject.org
Mon Feb 17 05:47:11 UTC 2014


commit 5ac8d45483c98699052b1a56d4b50d492ca59808
Author: Dave Young <dyoung at redhat.com>
Date:   Wed Feb 12 10:31:41 2014 +0800

    kdumpctl: claim that kdump does not support secure boot when service start
    
    Kdump does not support secure boot yet, so let's claim it is not supported
    at the beginning of the service start function.
    
    In this patch I check the secure boot status by reading the efivars, per
    a suggestion from pjones. See the code comments for details.
    
    Tested in Fedora 19 + qemu ovmf with secure boot enabled.
    
    Signed-off-by: Dave Young <dyoung at redhat.com>
    Acked-by: Vivek Goyal <vgoyal at redhat.com>

 kdumpctl |   43 +++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 43 insertions(+), 0 deletions(-)
---
diff --git a/kdumpctl b/kdumpctl
index abcdffd..aef3875 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -500,6 +500,43 @@ selinux_relabel()
 	done
 }
 
+# Check if secure boot is being enforced.
+#
+# Per Peter Jones, we need check efivar SecureBoot-$(the UUID) and
+# SetupMode-$(the UUID), they are both 5 bytes binary data. The first four
+# bytes are the attributes associated with the variable and can safely be
+# ignored, the last bytes are one-byte true-or-false variables. If SecureBoot
+# is 1 and SetupMode is 0, then secure boot is being enforced.
+#
+# Assume efivars is mounted at /sys/firmware/efi/efivars.
+function is_secure_boot_enforced()
+{
+	local secure_boot_file setup_mode_file
+	local secure_boot_byte setup_mode_byte
+
+	secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-* 2>/dev/null)
+	setup_mode_file=$(find /sys/firmware/efi/efivars -name SetupMode-* 2>/dev/null)
+
+	if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
+		secure_boot_byte=$(hexdump -v -e '/1 "%d\ "' $secure_boot_file|cut -d' ' -f 5)
+		setup_mode_byte=$(hexdump -v -e '/1 "%d\ "' $setup_mode_file|cut -d' ' -f 5)
+
+		if [ "$secure_boot_byte" = "1" ] && [ "$setup_mode_byte" = "0" ]; then
+			return 0
+		fi
+	fi
+
+	return 1
+}
+
+function check_kdump_feasibility()
+{
+	if is_secure_boot_enforced; then
+		echo "Secure Boot is Enabled. Kdump service can't be started. Disable Secure Boot and retry"
+		return 1;
+	fi
+}
+
 function start()
 {
 	check_config
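Review bot: The `-name SecureBoot-*` and `-name SetupMode-*` patterns in is_secure_boot_enforced are unquoted, so the shell can expand them against the current directory before find sees them; write `-name 'SecureBoot-*'` and `-name 'SetupMode-*'`. The `$secure_boot_file` and `$setup_mode_file` arguments to hexdump should be double-quoted as well. The function also fails open: if find returns more than one path (for example a same-named variable under another vendor GUID), the `[ -f ... ]` test fails and secure boot is reported as not enforced, so matching the EFI global-variable GUID explicitly instead of `*` would be more robust. The same applies when hexdump is missing or efivars is not mounted at the assumed path. start() at the end of the hunk continues outside it.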
@@ -517,6 +554,12 @@ function start()
 		return 1
 	fi
 
+	check_kdump_feasibility
+	if [ $? -ne 0 ]; then
+		echo "Starting kdump: [FAILED]"
+		return 1
+	fi
+
 	status 
 	rc=$?
 	if [ $rc == 2 ]; then
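Review bot: The added call is followed by a separate `$?` test, which breaks silently if a statement is ever inserted between the two lines; `if ! check_kdump_feasibility; then` keeps the call and its check together. The explanation printed by check_kdump_feasibility and the `[FAILED]` line here both go to stdout, so a caller that captures only stderr or the journal's error stream may not see why the service refused to start; consider `>&2` on both. start() begins and ends outside this hunk, so whether other entry points reach the kdump load without this check cannot be told from here.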

