diff --git a/SOURCES/kdump-lib.sh b/SOURCES/kdump-lib.sh
index dd6156b..67ee10e 100755
--- a/SOURCES/kdump-lib.sh
+++ b/SOURCES/kdump-lib.sh
@@ -617,11 +617,16 @@ is_secure_boot_enforced()
     local secure_boot_file setup_mode_file
     local secure_boot_byte setup_mode_byte
 
-    # On powerpc, os-secureboot-enforcing DT property indicates whether secureboot
-    # is enforced. Return success, if it is found.
+    # On powerpc, secure boot is enforced if:
+    #   host secure boot: /ibm,secure-boot/os-secureboot-enforcing DT property exists
+    #   guest secure boot: /ibm,secure-boot >= 2
     if [ -f /proc/device-tree/ibm,secureboot/os-secureboot-enforcing ]; then
 		return 0
     fi
+    if [ -f /proc/device-tree/ibm,secure-boot ] && \
+       [ $(lsprop /proc/device-tree/ibm,secure-boot | tail -1) -ge 2 ]; then
+		return 0
+    fi
 
     # Detect secure boot on x86 and arm64
     secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-* 2>/dev/null)
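Review bot: The new guest test `[ $(lsprop /proc/device-tree/ibm,secure-boot | tail -1) -ge 2 ]` leaves the substitution unquoted and relies on `lsprop` being installed and printing a bare integer on its last line. If either assumption fails, `[` errors out and the function falls through as if secure boot were not enforced on the LPAR. Quoting the substitution and silencing the expected error, as in `[ "$(lsprop /proc/device-tree/ibm,secure-boot 2>/dev/null | tail -1)" -ge 2 ] 2>/dev/null`, at least makes that fall-through deliberate; a `command -v lsprop` check with a logged warning would make it visible. The rewritten comment also names `/ibm,secure-boot/os-secureboot-enforcing`, while the test below it reads `/proc/device-tree/ibm,secureboot/os-secureboot-enforcing`, so the comment should use the path the code checks. The body of is_secure_boot_enforced continues outside this hunk.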
diff --git a/SOURCES/kdumpctl b/SOURCES/kdumpctl
index 35b3b9f..e8a7a3a 100755
--- a/SOURCES/kdumpctl
+++ b/SOURCES/kdumpctl
@@ -646,6 +646,35 @@ check_rebuild()
 	return $?
 }
 
+# On ppc64le LPARs, the keys trusted by firmware do not end up in
+# .builtin_trusted_keys. So instead, add the key to the .ima keyring
+function load_kdump_kernel_key()
+{
+	# this is only called inside is_secure_boot_enforced,
+	# no need to retest
+
+        # this is only required if DT /ibm,secure-boot is a file.
+        # if it is a dir, we are on OpenPower and don't need this.
+        if ! [ -f /proc/device-tree/ibm,secure-boot ]; then
+                return
+        fi
+
+        KDUMP_KEY_ID=$(cat /usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer |
+                        keyctl padd asymmetric kernelkey-$RANDOM %:.ima)
+}
+
+# remove a previously loaded key. There's no real security implication
+# to leaving it around, we choose to do this because it makes it easier
+# to be idempotent and so as to reduce the potential for confusion.
+function remove_kdump_kernel_key()
+{
+	if [ -z "$KDUMP_KEY_ID" ]; then
+		return
+	fi
+
+	keyctl unlink $KDUMP_KEY_ID %:.ima
+}
+
 # Load the kdump kernel specified in /etc/sysconfig/kdump
 # If none is specified, try to load a kdump kernel with the same version
 # as the currently running kernel.
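Review bot: load_kdump_kernel_key never checks that the certificate exists or that `keyctl padd` succeeded, and the call added in load_kdump ignores its status. A missing `/usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer` or a rejected key therefore leaves KDUMP_KEY_ID empty, and `kexec -s` presumably fails later on signature verification with no hint that the key load was the cause. The fence below checks the file, reads it by redirection rather than `cat |`, quotes the `$KDUMP_KERNELVER` path, and logs the failure. The comment "this is only called inside is_secure_boot_enforced" would read more accurately as `# only called from load_kdump after is_secure_boot_enforced succeeded`. In remove_kdump_kernel_key the id should be quoted, `keyctl unlink "$KDUMP_KEY_ID" %:.ima`.

```shell
function load_kdump_kernel_key()
{
	local cert="/usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer"

	# … unchanged: return early unless /proc/device-tree/ibm,secure-boot is a file …

	KDUMP_KEY_ID=""
	if ! [ -r "$cert" ]; then
		derror "kernel signing certificate $cert not found"
		return 1
	fi
	if ! KDUMP_KEY_ID=$(keyctl padd asymmetric "kernelkey-$RANDOM" %:.ima < "$cert"); then
		derror "failed to add $cert to the .ima keyring"
		KDUMP_KEY_ID=""
		return 1
	fi
}
```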
@@ -662,6 +691,7 @@ load_kdump()
 	if is_secure_boot_enforced; then
 		dinfo "Secure Boot is enabled. Using kexec file based syscall."
 		KEXEC_ARGS="$KEXEC_ARGS -s"
+		load_kdump_kernel_key
 	fi
 
 	ddebug "$KEXEC $KEXEC_ARGS $standard_kexec_args --command-line=$KDUMP_COMMANDLINE --initrd=$TARGET_INITRD $KDUMP_KERNEL"
@@ -683,6 +713,8 @@ load_kdump()
 	set +x
 	exec 2>&12 12>&-
 
+	remove_kdump_kernel_key
+
 	if [ $ret == 0 ]; then
 		dinfo "kexec: loaded kdump kernel"
 		return 0
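Review bot: `remove_kdump_kernel_key` runs here on every load, but KDUMP_KEY_ID is only assigned on the LPAR path and is never initialised or cleared. When load_kdump_kernel_key returns early or is not called at all, the helper acts on whatever the variable already holds, such as a value inherited from the environment or left over from an earlier load in the same process, and unlinks that id from `.ima` as root. Setting `KDUMP_KEY_ID=""` at the start of load_kdump, and again after the unlink inside the helper, keeps the cleanup tied to the key this invocation added. The cleanup also sits only on this straight-line path, so any earlier return or interruption between the load and this point (not visible in the hunk) would leave the key linked.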
diff --git a/SPECS/kexec-tools.spec b/SPECS/kexec-tools.spec
index 219e948..8ab65a9 100644
--- a/SPECS/kexec-tools.spec
+++ b/SPECS/kexec-tools.spec
@@ -1,6 +1,6 @@
 Name: kexec-tools
 Version: 2.0.20
-Release: 56%{?dist}
+Release: 57%{?dist}
 License: GPLv2
 Group: Applications/System
 Summary: The kexec/kdump userspace component
@@ -406,6 +406,9 @@ done
 %endif
 
 %changelog
+* Fri Aug 27 2021 Pingfan Liu <piliu@redhat.com> - 2.0.20-57
+- kdumpctl: enable secure boot on ppc64le LPARs
+
 * Fri Aug  6 2021 Pingfan Liu <piliu@redhat.com> - 2.0.20-56
 - kdumpctl: fix a typo