diff --git a/SOURCES/dracut-early-kdump.sh b/SOURCES/dracut-early-kdump.sh
index 6788a6b..69a34eb 100755
--- a/SOURCES/dracut-early-kdump.sh
+++ b/SOURCES/dracut-early-kdump.sh
@@ -2,7 +2,6 @@
KEXEC=/sbin/kexec
standard_kexec_args="-p"
-KDUMP_FILE_LOAD=""
EARLY_KDUMP_INITRD=""
EARLY_KDUMP_KERNEL=""
@@ -44,8 +43,8 @@ early_kdump_load()
EARLY_KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
- if [ "$KDUMP_FILE_LOAD" == "on" ]; then
- echo "Using kexec file based syscall."
+ if is_secure_boot_enforced; then
+ echo "Secure Boot is enabled. Using kexec file based syscall."
EARLY_KEXEC_ARGS="$EARLY_KEXEC_ARGS -s"
fi
diff --git a/SOURCES/dracut-kdump.sh b/SOURCES/dracut-kdump.sh
index b71278d..6f948fc 100755
--- a/SOURCES/dracut-kdump.sh
+++ b/SOURCES/dracut-kdump.sh
@@ -41,6 +41,7 @@ do_kdump_pre()
fi
fi
+ # if any script fails, it just raises warning and continues
if [ -d /etc/kdump/pre.d ]; then
for file in /etc/kdump/pre.d/*; do
"$file"
@@ -251,6 +252,8 @@ do_kdump_pre
if [ $? -ne 0 ]; then
echo "kdump: kdump_pre script exited with non-zero status!"
do_final_action
+ # During systemd service to reboot the machine, stop this shell script running
+ exit 1
fi
make_trace_mem "kdump saving vmcore" '1:shortmem' '2+:mem' '3+:slab'
do_dump
diff --git a/SOURCES/dracut-module-setup.sh b/SOURCES/dracut-module-setup.sh
index 596ee57..32506ad 100755
--- a/SOURCES/dracut-module-setup.sh
+++ b/SOURCES/dracut-module-setup.sh
@@ -380,7 +380,7 @@ kdump_install_pre_post_conf() {
for file in /etc/kdump/pre.d/*; do
if [ -x "$file" ]; then
dracut_install $file
- else
+ elif [ $file != "/etc/kdump/pre.d/*" ]; then
echo "$file is not executable"
fi
done
@@ -390,7 +390,7 @@ kdump_install_pre_post_conf() {
for file in /etc/kdump/post.d/*; do
if [ -x "$file" ]; then
dracut_install $file
- else
+ elif [ $file != "/etc/kdump/post.d/*" ]; then
echo "$file is not executable"
fi
done
diff --git a/SOURCES/kdump-lib.sh b/SOURCES/kdump-lib.sh
index c88c3f5..313a35b 100755
--- a/SOURCES/kdump-lib.sh
+++ b/SOURCES/kdump-lib.sh
@@ -597,6 +597,41 @@ need_64bit_headers()
print (strtonum("0x" r[2]) > strtonum("0xffffffff")); }'`
}
+# Check if secure boot is being enforced.
+#
+# Per Peter Jones, we need check efivar SecureBoot-$(the UUID) and
+# SetupMode-$(the UUID), they are both 5 bytes binary data. The first four
+# bytes are the attributes associated with the variable and can safely be
+# ignored, the last bytes are one-byte true-or-false variables. If SecureBoot
+# is 1 and SetupMode is 0, then secure boot is being enforced.
+#
+# Assume efivars is mounted at /sys/firmware/efi/efivars.
+is_secure_boot_enforced()
+{
+ local secure_boot_file setup_mode_file
+ local secure_boot_byte setup_mode_byte
+
+ # On powerpc, os-secureboot-enforcing DT property indicates whether secureboot
+ # is enforced. Return success, if it is found.
+ if [ -f /proc/device-tree/ibm,secureboot/os-secureboot-enforcing ]; then
+ return 0
+ fi
+
+ secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-* 2>/dev/null)
+ setup_mode_file=$(find /sys/firmware/efi/efivars -name SetupMode-* 2>/dev/null)
+
+ if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
+ secure_boot_byte=$(hexdump -v -e '/1 "%d\ "' $secure_boot_file|cut -d' ' -f 5)
+ setup_mode_byte=$(hexdump -v -e '/1 "%d\ "' $setup_mode_file|cut -d' ' -f 5)
+
+ if [ "$secure_boot_byte" = "1" ] && [ "$setup_mode_byte" = "0" ]; then
+ return 0
+ fi
+ fi
+
+ return 1
+}
+
#
# prepare_kexec_args <kexec args>
# This function prepares kexec argument.
diff --git a/SOURCES/kdump.conf b/SOURCES/kdump.conf
index 4f3e30e..fc0aa6d 100644
--- a/SOURCES/kdump.conf
+++ b/SOURCES/kdump.conf
@@ -79,7 +79,7 @@
# or script after the vmcore dump process terminates.
# The exit status of the current dump process is fed to
# the executable binary or script as its first argument.
-# If /etc/kdump/post.d directory is exist, All files in
+# If /etc/kdump/post.d directory exists, all files in
# the directory are collectively sorted and executed in
# lexical order, before binary or script specified
# kdump_post parameter is executed.
@@ -89,7 +89,7 @@
# after the dump process, runs immediately before it.
# Exit status of this binary is interpreted as follows:
# 0 - continue with dump process as usual
-# non 0 - reboot the system
+# non 0 - run the final action (reboot/poweroff/halt)
# If /etc/kdump/pre.d directory exists, all files in
# the directory are collectively sorted and executed in
# lexical order, after binary or script specified
diff --git a/SOURCES/kdump.conf.5 b/SOURCES/kdump.conf.5
index ea3e770..658d16e 100644
--- a/SOURCES/kdump.conf.5
+++ b/SOURCES/kdump.conf.5
@@ -127,7 +127,7 @@ as follows:
.PP
0 - continue with dump process as usual
.PP
-non 0 - reboot the system
+non 0 - run the final action (reboot/poweroff/halt)
.PP
If /etc/kdump/pre.d directory exists, all files in
the directory are collectively sorted and executed in
diff --git a/SOURCES/kdump.sysconfig.x86_64 b/SOURCES/kdump.sysconfig.x86_64
index ef1da2d..ce4d30f 100644
--- a/SOURCES/kdump.sysconfig.x86_64
+++ b/SOURCES/kdump.sysconfig.x86_64
@@ -28,7 +28,7 @@ KDUMP_COMMANDLINE_APPEND="irqpoll nr_cpus=1 reset_devices cgroup_disable=memory
#
# Example:
# KEXEC_ARGS="--elf32-core-headers"
-KEXEC_ARGS=""
+KEXEC_ARGS="-s"
#Where to find the boot image
#KDUMP_BOOTDIR="/boot"
@@ -38,9 +38,3 @@ KDUMP_IMG="vmlinuz"
#What is the images extension. Relocatable kernels don't have one
KDUMP_IMG_EXT=""
-
-# Using kexec file based syscall by default
-#
-# Here, the "on" is the only valid value to enable the kexec file load and
-# anything else is equal to the "off"(disable).
-KDUMP_FILE_LOAD="off"
diff --git a/SOURCES/kdumpctl b/SOURCES/kdumpctl
index 73f45d3..3a0f01a 100755
--- a/SOURCES/kdumpctl
+++ b/SOURCES/kdumpctl
@@ -4,7 +4,6 @@ KEXEC=/sbin/kexec
KDUMP_KERNELVER=""
KDUMP_COMMANDLINE=""
KEXEC_ARGS=""
-KDUMP_FILE_LOAD=""
KDUMP_CONFIG_FILE="/etc/kdump.conf"
MKDUMPRD="/sbin/mkdumprd -f"
DRACUT_MODULES_FILE="/usr/lib/dracut/modules.txt"
@@ -336,6 +335,7 @@ check_files_modified()
EXTRA_BINS=`grep ^kdump_post $KDUMP_CONFIG_FILE | cut -d\ -f2`
CHECK_FILES=`grep ^kdump_pre $KDUMP_CONFIG_FILE | cut -d\ -f2`
+ HOOKS="/etc/kdump/post.d/ /etc/kdump/pre.d/"
if [ -d /etc/kdump/post.d ]; then
for file in /etc/kdump/post.d/*; do
if [ -x "$file" ]; then
@@ -350,9 +350,11 @@ check_files_modified()
fi
done
fi
+ HOOKS="$HOOKS $POST_FILES $PRE_FILES"
CORE_COLLECTOR=`grep ^core_collector $KDUMP_CONFIG_FILE | cut -d\ -f2`
CORE_COLLECTOR=`type -P $CORE_COLLECTOR`
- EXTRA_BINS="$EXTRA_BINS $CHECK_FILES $POST_FILES $PRE_FILES"
+ # POST_FILES and PRE_FILES are already checked against executable, need not to check again.
+ EXTRA_BINS="$EXTRA_BINS $CHECK_FILES"
CHECK_FILES=`grep ^extra_bins $KDUMP_CONFIG_FILE | cut -d\ -f2-`
EXTRA_BINS="$EXTRA_BINS $CHECK_FILES"
files="$KDUMP_CONFIG_FILE $kdump_kernel $EXTRA_BINS $CORE_COLLECTOR"
@@ -383,6 +385,8 @@ check_files_modified()
check_exist "$files" && check_executable "$EXTRA_BINS"
[ $? -ne 0 ] && return 2
+ # HOOKS only need to check the modification here
+ files="$files $HOOKS"
for file in $files; do
if [ -e "$file" ]; then
time_stamp=`stat -c "%Y" $file`
@@ -683,8 +687,11 @@ load_kdump()
KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}" "${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}")
- if [ "$KDUMP_FILE_LOAD" == "on" ]; then
- echo "Using kexec file based syscall."
+ # For secureboot enabled machines, use new kexec file based syscall.
+ # Old syscall will always fail as it does not have capability to
+ # to kernel signature verification.
+ if is_secure_boot_enforced; then
+ echo "Secure Boot is enabled. Using kexec file based syscall."
KEXEC_ARGS="$KEXEC_ARGS -s"
fi
@@ -696,9 +703,6 @@ load_kdump()
return 0
else
echo "kexec: failed to load kdump kernel" >&2
- if [ "$KDUMP_FILE_LOAD" == "on" ]; then
- echo "kexec_file_load() failed, please try kexec_load()" >&2
- fi
return 1
fi
}
@@ -1154,7 +1158,7 @@ stop_fadump()
stop_kdump()
{
- if [ "$KDUMP_FILE_LOAD" == "on" ]; then
+ if is_secure_boot_enforced; then
$KEXEC -s -p -u
else
$KEXEC -p -u
diff --git a/SOURCES/kexec-kdump-howto.txt b/SOURCES/kexec-kdump-howto.txt
index 449855e..50bd316 100644
--- a/SOURCES/kexec-kdump-howto.txt
+++ b/SOURCES/kexec-kdump-howto.txt
@@ -553,7 +553,7 @@ Kdump Pre-Capture Executable
It is possible to specify a custom script or binary you wish to run before
capturing a vmcore. Exit status of this binary is interpreted:
0 - continue with dump process as usual
-non 0 - reboot the system
+non 0 - run the final action (reboot/poweroff/halt)
If /etc/kdump/pre.d directory exists, all files in the directory are collectively
sorted and executed in lexical order, after binary or script specified
kdump_pre parameter is executed.
diff --git a/SPECS/kexec-tools.spec b/SPECS/kexec-tools.spec
index 49e1d46..58a4a00 100644
--- a/SPECS/kexec-tools.spec
+++ b/SPECS/kexec-tools.spec
@@ -1,6 +1,6 @@
Name: kexec-tools
Version: 2.0.20
-Release: 29%{?dist}
+Release: 31%{?dist}
License: GPLv2
Group: Applications/System
Summary: The kexec/kdump userspace component
@@ -182,6 +182,9 @@ make -C makedumpfile-1.6.7 LDFLAGS="$LDFLAGS -I../eppic/libeppic -L../eppic/libe
%install
mkdir -p -m755 $RPM_BUILD_ROOT/usr/sbin
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig
+mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/kdump
+mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/kdump/pre.d
+mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/kdump/post.d
mkdir -p -m755 $RPM_BUILD_ROOT%{_localstatedir}/crash
mkdir -p -m755 $RPM_BUILD_ROOT%{_mandir}/man8/
mkdir -p -m755 $RPM_BUILD_ROOT%{_mandir}/man5/
@@ -350,6 +353,9 @@ done
%endif
%{dracutlibdir}/modules.d/*
%dir %{_localstatedir}/crash
+%dir %{_sysconfdir}/kdump
+%dir %{_sysconfdir}/kdump/pre.d
+%dir %{_sysconfdir}/kdump/post.d
%{_mandir}/man8/kdumpctl.8.gz
%{_mandir}/man8/kexec.8.gz
%{_mandir}/man8/makedumpfile.8.gz
@@ -373,6 +379,19 @@ done
%endif
%changelog
+* Wed Jul 22 2020 Pingfan Liu <piliu@redhat.com> - 2.0.20-31
+- ppc64/kdump: use kexec_file_load when secureboot is enabled
+- kdump_pre: make notes more precise
+- dracut-kdump.sh: exit shell when machine reboot
+- kdump.conf: fix a grammar issue
+- kdumpctl: detect modification of scripts by its directory's timestamp
+- module-setup.sh: suppress false alarm
+- kexec-tools.spec: make the existence of pre.d and post.d mandatory
+
+* Tue Jul 14 2020 Pingfan Liu <piliu@redhat.com> - 2.0.20-30
+- x86_64: enable the kexec file load by default
+- Revert "kdump-lib: switch to the kexec_file_load() syscall on x86_64 by default"
+
* Wed Jun 24 2020 Pingfan Liu <piliu@redhat.com> - 2.0.20-29
- mkdumprd: Improve the error message for umounted dump target