From eb95f93880b3fe5ded1c01569220b19a94130b70 Mon Sep 17 00:00:00 2001 From: Coiby Xu Date: Nov 26 2021 04:03:07 +0000 Subject: kdumpctl: enable secure boot on ppc64le LPARs Resolves: bz1931802 Upstream: Fedora Conflict: The upstream commit was submitted before shfmt and .editorconfig. So there are issues like 4 spaces verse tab indentation, double brackets verse single bracket and etc. commit 596fa0a07f089a9dd54cf631124d88653b4d77ec Author: Pingfan Liu Date: Thu Feb 18 14:01:18 2021 +0800 kdumpctl: enable secure boot on ppc64le LPARs On ppc64le LPAR, secure-boot is a little different from bare metal, Where host secure boot: /ibm,secure-boot/os-secureboot-enforcing DT property exists while guest secure boot: /ibm,secure-boot >= 2 Make kexec-tools adapt to LPAR Signed-off-by: Pingfan Liu Acked-by: Kairui Song Signed-off-by: Coiby Xu
---
diff --git a/kdump-lib.sh b/kdump-lib.sh
index 09e2058..d7d28ee 100755
--- a/kdump-lib.sh
+++ b/kdump-lib.sh
@@ -560,11 +560,16 @@ is_secure_boot_enforced()
 local secure_boot_file setup_mode_file
 local secure_boot_byte setup_mode_byte
- # On powerpc, os-secureboot-enforcing DT property indicates whether secureboot
- # is enforced. Return success, if it is found.
+ # On powerpc, secure boot is enforced if:
+ # host secure boot: /ibm,secure-boot/os-secureboot-enforcing DT property exists
+ # guest secure boot: /ibm,secure-boot >= 2
 if [[ -f /proc/device-tree/ibm,secureboot/os-secureboot-enforcing ]]; then
 return 0
 fi
+ if [[ -f /proc/device-tree/ibm,secure-boot ]] &&
+ [[ $(lsprop /proc/device-tree/ibm,secure-boot | tail -1) -ge 2 ]]; then
+ return 0
+ fi
 # Detect secure boot on x86 and arm64
 secure_boot_file=$(find /sys/firmware/efi/efivars -name "SecureBoot-*" 2> /dev/null)
diff --git a/kdumpctl b/kdumpctl
index 7a529e6..89cf3d3 100755
--- a/kdumpctl
+++ b/kdumpctl
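Review bot: In the new LPAR branch of is_secure_boot_enforced, the output of `lsprop /proc/device-tree/ibm,secure-boot | tail -1` goes straight into `-ge 2` without being checked, so a missing `lsprop` binary or output that is not a bare integer makes the test false (or an arithmetic error) and the function falls through to the EFI checks as if secure boot were off. load_kdump in kdumpctl would then skip both `-s` and the key load, which on an enforcing LPAR presumably surfaces only as a later kexec failure with no hint at the cause. Capture the value first, e.g. `val=$(lsprop /proc/device-tree/ibm,secure-boot 2> /dev/null | tail -1)`, and log when it is empty or non-numeric before comparing it. The new comment also gives the host path as `/ibm,secure-boot/os-secureboot-enforcing` while the test directly below checks `ibm,secureboot/os-secureboot-enforcing`; the comment should name the path the code tests. The function body continues outside the hunk.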
@@ -611,6 +611,34 @@ check_rebuild()
 return $?
 }
+# On ppc64le LPARs, the keys trusted by firmware do not end up in
+# .builtin_trusted_keys. So instead, add the key to the .ima keyring
+function load_kdump_kernel_key()
+{
+ # this is only called inside is_secure_boot_enforced,
+ # no need to retest
+
+ # this is only required if DT /ibm,secure-boot is a file.
+ # if it is a dir, we are on OpenPower and don't need this.
+ if ! [[ -f /proc/device-tree/ibm,secure-boot ]]; then
+ return
+ fi
+
+ KDUMP_KEY_ID=$(keyctl padd asymmetric kernelkey-$RANDOM %:.ima < "/usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer")
+}
+
+# remove a previously loaded key. There's no real security implication
+# to leaving it around, we choose to do this because it makes it easier
+# to be idempotent and so as to reduce the potential for confusion.
+function remove_kdump_kernel_key()
+{
+ if [[ -z $KDUMP_KEY_ID ]]; then
+ return
+ fi
+
+ keyctl unlink "$KDUMP_KEY_ID" %:.ima
+}
+
 # Load the kdump kernel specified in /etc/sysconfig/kdump
 # If none is specified, try to load a kdump kernel with the same version
 # as the currently running kernel.
@@ -627,6 +655,7 @@ load_kdump()
 if is_secure_boot_enforced; then
 dinfo "Secure Boot is enabled. Using kexec file based syscall."
 KEXEC_ARGS="$KEXEC_ARGS -s"
+ load_kdump_kernel_key
 fi
 ddebug "$KEXEC $KEXEC_ARGS $standard_kexec_args --command-line=$KDUMP_COMMANDLINE --initrd=$TARGET_INITRD $KDUMP_KERNEL"
@@ -649,6 +678,8 @@ load_kdump()
 set +x
 exec 2>&12 12>&-
+ remove_kdump_kernel_key
+
 if [[ $ret == 0 ]]; then
 dinfo "kexec: loaded kdump kernel"
 return 0
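Review bot: load_kdump_kernel_key ignores the result of `keyctl padd`: if the certificate file for `$KDUMP_KERNELVER` is absent or the kernel rejects the key, `KDUMP_KEY_ID` is left empty and nothing is logged, so the signature failure that kexec reports afterwards has no visible cause. Check the status on that line, for example by ending it with `|| derror "failed to add kdump kernel key to the .ima keyring"`. The comment "this is only called inside is_secure_boot_enforced" does not match the caller, which is load_kdump under `if is_secure_boot_enforced`; `# only called from load_kdump after is_secure_boot_enforced succeeded` would be accurate. The remark above remove_kdump_kernel_key that leaving the key around has no real security implication deserves a qualifier, since for as long as the key stays linked the .ima keyring trusts one more certificate than the system otherwise would.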
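Review bot: The `remove_kdump_kernel_key` call added after `exec 2>&12 12>&-` in load_kdump runs only on the path that reaches this point, so any return or exit between the `load_kdump_kernel_key` call and here would leave the key linked in .ima; those lines are outside the hunks, so this needs checking against the full function. The helper also leaves `KDUMP_KEY_ID` set after the unlink, so a second call would try to unlink the same id again. Adding `KDUMP_KEY_ID=""` after the `keyctl unlink "$KDUMP_KEY_ID" %:.ima` line would make the pair idempotent, as the helper's own comment intends.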