diff --git a/dracut-early-kdump.sh b/dracut-early-kdump.sh index 2a8652e..c7cdc42 100755 --- a/dracut-early-kdump.sh +++ b/dracut-early-kdump.sh @@ -46,11 +46,6 @@ early_kdump_load() EARLY_KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}") - if is_secure_boot_enforced; then - dinfo "Secure Boot is enabled. Using kexec file based syscall." - EARLY_KEXEC_ARGS="$EARLY_KEXEC_ARGS -s" - fi - # Here, only output the messages, but do not save these messages # to a file because the target disk may not be mounted yet, the # earlykdump is too early. diff --git a/kdump-lib.sh b/kdump-lib.sh index 3f5f5fb..9a21a18 100755 --- a/kdump-lib.sh +++ b/kdump-lib.sh @@ -636,6 +636,15 @@ prepare_kexec_args() fi fi fi + + # For secureboot enabled machines, use new kexec file based syscall. + # Old syscall will always fail as it does not have capability to do + # kernel signature verification. + if is_secure_boot_enforced; then + dinfo "Secure Boot is enabled. Using kexec file based syscall." + kexec_args="$kexec_args -s" + fi + echo "$kexec_args" } diff --git a/kdumpctl b/kdumpctl index 82e7b2b..fb5b35a 100755 --- a/kdumpctl +++ b/kdumpctl @@ -650,15 +650,6 @@ load_kdump() KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}") KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}" "${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}") - # For secureboot enabled machines, use new kexec file based syscall. - # Old syscall will always fail as it does not have capability to - # to kernel signature verification. - if is_secure_boot_enforced; then - dinfo "Secure Boot is enabled. Using kexec file based syscall." - KEXEC_ARGS="$KEXEC_ARGS -s" - load_kdump_kernel_key - fi - if is_uki "$KDUMP_KERNEL"; then uki=$KDUMP_KERNEL KDUMP_KERNEL=$KDUMP_TMPDIR/vmlinuz @@ -976,6 +967,12 @@ start_fadump() start_dump() { + # On secure boot enabled Power systems, load kernel signing key on .ima for signature + # verification using kexec file based syscall. + if [[ "$(uname -m)" == ppc64le ]] && is_secure_boot_enforced; then + load_kdump_kernel_key + fi + if [[ $DEFAULT_DUMP_MODE == "fadump" ]]; then start_fadump else