diff --git a/SOURCES/kdump-lib.sh b/SOURCES/kdump-lib.sh
index 8ae8617..1c15a3d 100755
--- a/SOURCES/kdump-lib.sh
+++ b/SOURCES/kdump-lib.sh
@@ -617,11 +617,16 @@ is_secure_boot_enforced()
 local secure_boot_file setup_mode_file
 local secure_boot_byte setup_mode_byte
 
- # On powerpc, os-secureboot-enforcing DT property indicates whether secureboot
- # is enforced. Return success, if it is found.
+ # On powerpc, secure boot is enforced if:
+ # host secure boot: /ibm,secure-boot/os-secureboot-enforcing DT property exists
+ # guest secure boot: /ibm,secure-boot >= 2
 if [ -f /proc/device-tree/ibm,secureboot/os-secureboot-enforcing ]; then
 return 0
 fi
+ if [ -f /proc/device-tree/ibm,secure-boot ] && \
+ [ $(lsprop /proc/device-tree/ibm,secure-boot | tail -1) -ge 2 ]; then
+ return 0
+ fi
 
 # Detect secure boot on x86 and arm64
 secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-* 2>/dev/null)
diff --git a/SOURCES/kdumpctl b/SOURCES/kdumpctl
index ef86571..099d5fc 100755
--- a/SOURCES/kdumpctl
+++ b/SOURCES/kdumpctl
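Review bot: The added guest check leaves `$(lsprop /proc/device-tree/ibm,secure-boot | tail -1)` unquoted inside `[ ... -ge 2 ]`, so if lsprop is not installed or its last output line is not a bare integer, the test errors out and the function falls through as if secure boot were not enforced on the LPAR. Quoting the substitution at least makes the empty case a defined comparison failure rather than a syntax error: `[ "$(lsprop /proc/device-tree/ibm,secure-boot | tail -1)" -ge 2 ]`. The new comment also names the host property as `/ibm,secure-boot/os-secureboot-enforcing`, while the unchanged test right below it checks `ibm,secureboot` without the hyphen; one of the two spellings should be corrected so the node names in the comment match the paths the code reads. The body of is_secure_boot_enforced continues outside this hunk.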
@@ -643,6 +643,35 @@ check_rebuild()
 return $?
 }
 
+# On ppc64le LPARs, the keys trusted by firmware do not end up in
+# .builtin_trusted_keys. So instead, add the key to the .ima keyring
+function load_kdump_kernel_key()
+{
+ # this is only called inside is_secure_boot_enforced,
+ # no need to retest
+
+ # this is only required if DT /ibm,secure-boot is a file.
+ # if it is a dir, we are on OpenPower and don't need this.
+ if ! [ -f /proc/device-tree/ibm,secure-boot ]; then
+ return
+ fi
+
+ KDUMP_KEY_ID=$(cat /usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer |
+ keyctl padd asymmetric kernelkey-$RANDOM %:.ima)
+}
+
+# remove a previously loaded key. There's no real security implication
+# to leaving it around, we choose to do this because it makes it easier
+# to be idempotent and so as to reduce the potential for confusion.
+function remove_kdump_kernel_key()
+{
+ if [ -z "$KDUMP_KEY_ID" ]; then
+ return
+ fi
+
+ keyctl unlink $KDUMP_KEY_ID %:.ima
+}
+
 # Load the kdump kernel specified in /etc/sysconfig/kdump
 # If none is specified, try to load a kdump kernel with the same version
 # as the currently running kernel.
@@ -659,6 +688,7 @@ load_kdump()
 if is_secure_boot_enforced; then
 dinfo "Secure Boot is enabled. Using kexec file based syscall."
 KEXEC_ARGS="$KEXEC_ARGS -s"
+ load_kdump_kernel_key
 fi
 
 ddebug "$KEXEC $KEXEC_ARGS $standard_kexec_args --command-line=$KDUMP_COMMANDLINE --initrd=$TARGET_INITRD $KDUMP_KERNEL"
@@ -680,6 +710,8 @@ load_kdump()
 set +x
 exec 2>&12 12>&-
 
+ remove_kdump_kernel_key
+
 if [ $ret == 0 ]; then
 dinfo "kexec: loaded kdump kernel"
 return 0
diff --git a/SPECS/kexec-tools.spec b/SPECS/kexec-tools.spec
index 94aa05d..a01500e 100644
--- a/SPECS/kexec-tools.spec
+++ b/SPECS/kexec-tools.spec
@@ -1,6 +1,6 @@
 Name: kexec-tools
 Version: 2.0.20
-Release: 45%{?dist}
+Release: 46%{?dist}
 License: GPLv2
 Group: Applications/System
 Summary: The kexec/kdump userspace component
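Review bot: In the first kdumpctl hunk, load_kdump_kernel_key fails silently. If the certificate under `/usr/share/doc/kernel-keys/$KDUMP_KERNELVER/` is missing or `keyctl padd` rejects it, `KDUMP_KEY_ID` ends up empty and nothing is logged. The later `kexec -s` would then presumably fail signature verification with no hint that the key was never added. The path is built from an unquoted `$KDUMP_KERNELVER`, and the call site in the load_kdump hunk ignores the function's status. I would check the file, feed it to keyctl by redirection, and report failure through the logger (derror, from the same logger that provides dinfo), as sketched below.

```shell
function load_kdump_kernel_key()
{
	local cert="/usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer"

	# … unchanged: return early unless /proc/device-tree/ibm,secure-boot is a file …

	KDUMP_KEY_ID=""
	if ! [ -r "$cert" ]; then
		derror "kernel signing certificate $cert not found"
		return 1
	fi
	if ! KDUMP_KEY_ID=$(keyctl padd asymmetric "kernelkey-$RANDOM" %:.ima < "$cert"); then
		derror "failed to add $cert to the .ima keyring"
		return 1
	fi
}
```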
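Review bot: In the `@@ -680,6 +710,8 @@` hunk, `remove_kdump_kernel_key` is a single straight-line call after the kexec invocation, so cleanup is not guaranteed. Any return or exit between `load_kdump_kernel_key` and this line would leave the signing certificate linked to `.ima`; that code is outside the hunk, so this needs checking against the full load_kdump body. The helper's comment says a leftover key has no real security implication, but a key on `.ima` is presumably trusted for IMA appraisal in general, not only for the kdump image, so the removal is worth making reliable. In remove_kdump_kernel_key I would quote the id and clear it once used: `keyctl unlink "$KDUMP_KEY_ID" %:.ima` followed by `KDUMP_KEY_ID=""`, so a later call cannot unlink a stale id.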
@@ -378,6 +378,9 @@ done %endif %changelog +* Thu Feb 25 2021 Pingfan Liu - 2.0.20-46 +- kdumpctl: enable secure boot on ppc64le LPARs + * Mon Jan 25 2021 Pingfan Liu - 2.0.20-45 - origin/rhel-8.4.0) Revert "Revert "Append both nofail and x-systemd.before to kdump mount target"" - kdump.conf: add ipv6 example for nfs and ssh dump