From b3263494ef55252b593a9a86294acfa49457c1ca Mon Sep 17 00:00:00 2001 From: Coiby Xu Date: Nov 08 2023 01:36:58 +0000 Subject: powerpc: update kdumpctl to remove deletion of kernel signing key once loaded Resolves: https://issues.redhat.com/browse/RHEL-14003 Upstream: Fedora Conflict: None commit fe6eb30e6756d3c13bb7485a08f066b18cd1594b Author: Nayna Jain Date: Tue Oct 3 23:41:46 2023 -0400 powerpc: update kdumpctl to remove deletion of kernel signing key once loaded Kernel signing key is deleted once kdump is loaded. This causes confusion in debugging since key is no longer visible. Unless someone knows how kdumpctl script works, it is difficult to find out how kdump could be loaded when there is no key on .ima keyring. Remove deletion of kernel signing key once loaded. And then to prevent multiple loading of same key when kdump service is disabled/enabled, update key description field as well. Suggested-by: Mimi Zohar Signed-off-by: Nayna Jain Reviewed-by: Philipp Rudo Signed-off-by: Coiby Xu --- diff --git a/kdumpctl b/kdumpctl index 489a5b1..82e7b2b 100755 --- a/kdumpctl +++ b/kdumpctl @@ -637,19 +637,7 @@ function load_kdump_kernel_key() return fi - KDUMP_KEY_ID=$(keyctl padd asymmetric kernelkey-$RANDOM %:.ima < "/usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer") -} - -# remove a previously loaded key. There's no real security implication -# to leaving it around, we choose to do this because it makes it easier -# to be idempotent and so as to reduce the potential for confusion. -function remove_kdump_kernel_key() -{ - if [[ -z $KDUMP_KEY_ID ]]; then - return - fi - - keyctl unlink "$KDUMP_KEY_ID" %:.ima + keyctl padd asymmetric "" %:.ima < "/usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer" } # Load the kdump kernel specified in /etc/sysconfig/kdump @@ -702,8 +690,6 @@ load_kdump() set +x exec 2>&12 12>&- - remove_kdump_kernel_key - if [[ $ret == 0 ]]; then dinfo "kexec: loaded kdump kernel" return 0