diff --git a/SOURCES/dracut-early-kdump.sh b/SOURCES/dracut-early-kdump.sh
index 6788a6b..69a34eb 100755
--- a/SOURCES/dracut-early-kdump.sh
+++ b/SOURCES/dracut-early-kdump.sh
@@ -2,7 +2,6 @@ KEXEC=/sbin/kexec
 standard_kexec_args="-p"
-KDUMP_FILE_LOAD=""
 EARLY_KDUMP_INITRD=""
 EARLY_KDUMP_KERNEL=""
@@ -44,8 +43,8 @@ early_kdump_load()
 EARLY_KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
- if [ "$KDUMP_FILE_LOAD" == "on" ]; then
- echo "Using kexec file based syscall."
+ if is_secure_boot_enforced; then
+ echo "Secure Boot is enabled. Using kexec file based syscall."
 EARLY_KEXEC_ARGS="$EARLY_KEXEC_ARGS -s"
 fi
diff --git a/SOURCES/dracut-kdump.sh b/SOURCES/dracut-kdump.sh
index b71278d..6f948fc 100755
--- a/SOURCES/dracut-kdump.sh
+++ b/SOURCES/dracut-kdump.sh
@@ -41,6 +41,7 @@ do_kdump_pre()
 fi
 fi
+ # if any script fails, it just raises warning and continues
 if [ -d /etc/kdump/pre.d ]; then
 for file in /etc/kdump/pre.d/*; do
 "$file"
@@ -251,6 +252,8 @@ do_kdump_pre
 if [ $? -ne 0 ]; then
 echo "kdump: kdump_pre script exited with non-zero status!"
 do_final_action
+ # During systemd service to reboot the machine, stop this shell script running
+ exit 1
 fi
 make_trace_mem "kdump saving vmcore" '1:shortmem' '2+:mem' '3+:slab'
 do_dump
diff --git a/SOURCES/dracut-module-setup.sh b/SOURCES/dracut-module-setup.sh
index 596ee57..32506ad 100755
--- a/SOURCES/dracut-module-setup.sh
+++ b/SOURCES/dracut-module-setup.sh
@@ -380,7 +380,7 @@ kdump_install_pre_post_conf() {
 for file in /etc/kdump/pre.d/*; do
 if [ -x "$file" ]; then
 dracut_install $file
- else
+ elif [ $file != "/etc/kdump/pre.d/*" ]; then
 echo "$file is not executable"
 fi
 done
@@ -390,7 +390,7 @@ kdump_install_pre_post_conf() {
 for file in /etc/kdump/post.d/*; do
 if [ -x "$file" ]; then
 dracut_install $file
- else
+ elif [ $file != "/etc/kdump/post.d/*" ]; then
 echo "$file is not executable"
 fi
 done
diff --git a/SOURCES/kdump-lib.sh b/SOURCES/kdump-lib.sh
index c88c3f5..313a35b 100755
--- a/SOURCES/kdump-lib.sh
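Review bot: The early-kdump hook now decides between kexec_file_load and kexec_load by calling is_secure_boot_enforced, which reads /sys/firmware/efi/efivars with find, hexdump and cut; this hook runs inside the initramfs, and if efivarfs is not mounted at that point or those tools are not in the image, the function returns 1 and, on architectures whose sysconfig default does not already carry `-s`, the hook falls back to kexec_load, which the kernel refuses once signature enforcement is active, so the early crash kernel would likely fail to load with no indication of why. The hunk does not show that the early-kdump module installs those tools or sources kdump-lib.sh; worth confirming. A one-line diagnostic before the load, `echo "early-kdump: kexec args: $EARLY_KEXEC_ARGS"`, would make the chosen path visible in the boot log. early_kdump_load's body continues outside the hunk.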
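Review bot: The comment above the new `exit 1` in do_kdump_pre's caller is hard to read, and the `exit 1` only takes effect if do_final_action returns to the caller at all; suggest `# do_final_action has handed the machine over to reboot/poweroff/halt; stop here so the dump path below is never reached while that is in progress`. The first hunk's new comment, `# if any script fails, it just raises warning and continues`, describes the pre.d loop that follows it, whose body runs past the hunk; make sure the loop really reports a failing hook, otherwise `# pre.d hooks are best-effort: a failing script does not abort the remaining hooks` is the accurate wording. The enclosing function bodies continue outside both hunks.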
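Review bot: In the new `elif [ $file != "/etc/kdump/pre.d/*" ]` the variable is unquoted, so `[` receives a word-split value and a hook path containing whitespace breaks the test with a syntax error instead of being reported; the post.d hunk has the same gap. Quote it, `elif [ "$file" != "/etc/kdump/pre.d/*" ]; then`, or better open each loop with `[ -e "$file" ] || continue` so the literal-pattern case left by an empty directory is skipped before the `-x` check rather than special-cased by string comparison. The pre-existing `dracut_install $file` has the same quoting gap but is not part of this change. kdump_install_pre_post_conf continues outside both hunks.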
+++ b/SOURCES/kdump-lib.sh
@@ -597,6 +597,41 @@ need_64bit_headers()
 print (strtonum("0x" r[2]) > strtonum("0xffffffff"));
 }'`
 }
+# Check if secure boot is being enforced.
+#
+# Per Peter Jones, we need check efivar SecureBoot-$(the UUID) and
+# SetupMode-$(the UUID), they are both 5 bytes binary data. The first four
+# bytes are the attributes associated with the variable and can safely be
+# ignored, the last bytes are one-byte true-or-false variables. If SecureBoot
+# is 1 and SetupMode is 0, then secure boot is being enforced.
+#
+# Assume efivars is mounted at /sys/firmware/efi/efivars.
+is_secure_boot_enforced()
+{
+ local secure_boot_file setup_mode_file
+ local secure_boot_byte setup_mode_byte
+
+ # On powerpc, os-secureboot-enforcing DT property indicates whether secureboot
+ # is enforced. Return success, if it is found.
+ if [ -f /proc/device-tree/ibm,secureboot/os-secureboot-enforcing ]; then
+ return 0
+ fi
+
+ secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-* 2>/dev/null)
+ setup_mode_file=$(find /sys/firmware/efi/efivars -name SetupMode-* 2>/dev/null)
+
+ if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
+ secure_boot_byte=$(hexdump -v -e '/1 "%d\ "' $secure_boot_file|cut -d' ' -f 5)
+ setup_mode_byte=$(hexdump -v -e '/1 "%d\ "' $setup_mode_file|cut -d' ' -f 5)
+
+ if [ "$secure_boot_byte" = "1" ] && [ "$setup_mode_byte" = "0" ]; then
+ return 0
+ fi
+ fi
+
+ return 1
+}
+
 #
 # prepare_kexec_args
 # This function prepares kexec argument.
diff --git a/SOURCES/kdump.conf b/SOURCES/kdump.conf
index 4f3e30e..fc0aa6d 100644
--- a/SOURCES/kdump.conf
+++ b/SOURCES/kdump.conf
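Review bot: In is_secure_boot_enforced the `-name SecureBoot-*` and `-name SetupMode-*` patterns are unquoted, so the shell globs them against the caller's current directory before find runs; a matching file in the cwd of whoever invokes kdumpctl changes the pattern find receives and therefore the detection result. Quote them, `secure_boot_file=$(find /sys/firmware/efi/efivars -name 'SecureBoot-*' 2>/dev/null)` and `setup_mode_file=$(find /sys/firmware/efi/efivars -name 'SetupMode-*' 2>/dev/null)`, and quote `"$secure_boot_file"` and `"$setup_mode_file"` in the hexdump calls as well. find can also return more than one path if several matching variables exist, in which case the `-f` test on the multi-line value fails and the function reports "not enforced"; taking the first match (`| head -n 1`) or matching the exact EFI global-variable GUID would avoid that. The header comment should also state the contract for callers: returning 1 when efivarfs is unavailable means the caller falls back to kexec_load, which is a detection failure rather than a verified "Secure Boot off".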
@@ -79,7 +79,7 @@
 # or script after the vmcore dump process terminates.
 # The exit status of the current dump process is fed to
 # the executable binary or script as its first argument.
-# If /etc/kdump/post.d directory is exist, All files in
+# If /etc/kdump/post.d directory exists, all files in
 # the directory are collectively sorted and executed in
 # lexical order, before binary or script specified
 # kdump_post parameter is executed.
@@ -89,7 +89,7 @@
 # after the dump process, runs immediately before it.
 # Exit status of this binary is interpreted as follows:
 # 0 - continue with dump process as usual
-# non 0 - reboot the system
+# non 0 - run the final action (reboot/poweroff/halt)
 # If /etc/kdump/pre.d directory exists, all files in
 # the directory are collectively sorted and executed in
 # lexical order, after binary or script specified
diff --git a/SOURCES/kdump.conf.5 b/SOURCES/kdump.conf.5
index ea3e770..658d16e 100644
--- a/SOURCES/kdump.conf.5
+++ b/SOURCES/kdump.conf.5
@@ -127,7 +127,7 @@ as follows:
 .PP
 0 - continue with dump process as usual
 .PP
-non 0 - reboot the system
+non 0 - run the final action (reboot/poweroff/halt)
 .PP
 If /etc/kdump/pre.d directory exists, all files in
 the directory are collectively sorted and executed in
diff --git a/SOURCES/kdump.sysconfig.x86_64 b/SOURCES/kdump.sysconfig.x86_64
index ef1da2d..ce4d30f 100644
--- a/SOURCES/kdump.sysconfig.x86_64
+++ b/SOURCES/kdump.sysconfig.x86_64
@@ -28,7 +28,7 @@ KDUMP_COMMANDLINE_APPEND="irqpoll nr_cpus=1 reset_devices cgroup_disable=memory
 #
 # Example:
 # KEXEC_ARGS="--elf32-core-headers"
-KEXEC_ARGS=""
+KEXEC_ARGS="-s"
 #Where to find the boot image
 #KDUMP_BOOTDIR="/boot"
@@ -38,9 +38,3 @@ KDUMP_IMG="vmlinuz"
 #What is the images extension. Relocatable kernels don't have one
 KDUMP_IMG_EXT=""
-
-# Using kexec file based syscall by default
-#
-# Here, the "on" is the only valid value to enable the kexec file load and
-# anything else is equal to the "off"(disable).
-KDUMP_FILE_LOAD="off"
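Review bot: `KEXEC_ARGS="-s"` becomes the shipped x86_64 default, but the comment block above it still only shows the `--elf32-core-headers` example, so an administrator editing this file gets no hint what `-s` does or why removing it matters. Add above the assignment: `# -s selects the kexec_file_load() syscall; keep it where Secure Boot or kernel lockdown enforces kernel signature checks, as kexec_load() is rejected there`. Note that load_kdump in kdumpctl appends a second `-s` when is_secure_boot_enforced succeeds, so the flag can appear twice on the kexec command line; as far as I can tell kexec tolerates the repeat, but a one-line comment here saying the two sources overlap would save the next reader the question.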
diff --git a/SOURCES/kdumpctl b/SOURCES/kdumpctl
index 73f45d3..3a0f01a 100755
--- a/SOURCES/kdumpctl
+++ b/SOURCES/kdumpctl
@@ -4,7 +4,6 @@ KEXEC=/sbin/kexec
 KDUMP_KERNELVER=""
 KDUMP_COMMANDLINE=""
 KEXEC_ARGS=""
-KDUMP_FILE_LOAD=""
 KDUMP_CONFIG_FILE="/etc/kdump.conf"
 MKDUMPRD="/sbin/mkdumprd -f"
 DRACUT_MODULES_FILE="/usr/lib/dracut/modules.txt"
@@ -336,6 +335,7 @@ check_files_modified()
 EXTRA_BINS=`grep ^kdump_post $KDUMP_CONFIG_FILE | cut -d\ -f2`
 CHECK_FILES=`grep ^kdump_pre $KDUMP_CONFIG_FILE | cut -d\ -f2`
+ HOOKS="/etc/kdump/post.d/ /etc/kdump/pre.d/"
 if [ -d /etc/kdump/post.d ]; then
 for file in /etc/kdump/post.d/*; do
 if [ -x "$file" ]; then
@@ -350,9 +350,11 @@ check_files_modified()
 fi
 done
 fi
+ HOOKS="$HOOKS $POST_FILES $PRE_FILES"
 CORE_COLLECTOR=`grep ^core_collector $KDUMP_CONFIG_FILE | cut -d\ -f2`
 CORE_COLLECTOR=`type -P $CORE_COLLECTOR`
- EXTRA_BINS="$EXTRA_BINS $CHECK_FILES $POST_FILES $PRE_FILES"
+ # POST_FILES and PRE_FILES are already checked against executable, need not to check again.
+ EXTRA_BINS="$EXTRA_BINS $CHECK_FILES"
 CHECK_FILES=`grep ^extra_bins $KDUMP_CONFIG_FILE | cut -d\ -f2-`
 EXTRA_BINS="$EXTRA_BINS $CHECK_FILES"
 files="$KDUMP_CONFIG_FILE $kdump_kernel $EXTRA_BINS $CORE_COLLECTOR"
@@ -383,6 +385,8 @@ check_files_modified()
 check_exist "$files" && check_executable "$EXTRA_BINS"
 [ $? -ne 0 ] && return 2
+ # HOOKS only need to check the modification here
+ files="$files $HOOKS"
 for file in $files; do
 if [ -e "$file" ]; then
 time_stamp=`stat -c "%Y" $file`
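Review bot: The new HOOKS list is checked with `stat -c "%Y"` (mtime) on /etc/kdump/pre.d/, /etc/kdump/post.d/ and the executable hooks found in them, which catches added, removed and edited hooks, but not a file that was present and non-executable at build time and later made executable: `chmod +x` changes ctime, not the file's or the directory's mtime, and such a file is absent from POST_FILES/PRE_FILES because the `-x` loops skip it, so the initrd keeps running without that hook until something else triggers a rebuild. If that case should be detected, use `%Z` for the HOOKS entries or add the non-executable entries of those directories to HOOKS as well. The comment `# POST_FILES and PRE_FILES are already checked against executable, need not to check again.` would read better as `# POST_FILES/PRE_FILES were filtered with -x above; they are timestamp-checked via HOOKS and skipped by check_executable`. check_files_modified continues outside these hunks.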
@@ -683,8 +687,11 @@ load_kdump()
 KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
 KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}" "${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}")
- if [ "$KDUMP_FILE_LOAD" == "on" ]; then
- echo "Using kexec file based syscall."
+ # For secureboot enabled machines, use new kexec file based syscall.
+ # Old syscall will always fail as it does not have capability to
+ # to kernel signature verification.
+ if is_secure_boot_enforced; then
+ echo "Secure Boot is enabled. Using kexec file based syscall."
 KEXEC_ARGS="$KEXEC_ARGS -s"
 fi
@@ -696,9 +703,6 @@ load_kdump()
 return 0
 else
 echo "kexec: failed to load kdump kernel" >&2
- if [ "$KDUMP_FILE_LOAD" == "on" ]; then
- echo "kexec_file_load() failed, please try kexec_load()" >&2
- fi
 return 1
 fi
 }
@@ -1154,7 +1158,7 @@ stop_fadump()
 stop_kdump()
 {
- if [ "$KDUMP_FILE_LOAD" == "on" ]; then
+ if is_secure_boot_enforced; then
 $KEXEC -s -p -u
 else
 $KEXEC -p -u
diff --git a/SOURCES/kexec-kdump-howto.txt b/SOURCES/kexec-kdump-howto.txt
index 449855e..50bd316 100644
--- a/SOURCES/kexec-kdump-howto.txt
+++ b/SOURCES/kexec-kdump-howto.txt
@@ -553,7 +553,7 @@ Kdump Pre-Capture Executable
 It is possible to specify a custom script or binary you wish to run before capturing a vmcore. Exit status of this binary is interpreted: 0 - continue with dump process as usual
-non 0 - reboot the system
+non 0 - run the final action (reboot/poweroff/halt)
 If /etc/kdump/pre.d directory exists, all files in the directory are collectively sorted and executed in lexical order, after binary or script specified kdump_pre parameter is executed.
diff --git a/SPECS/kexec-tools.spec b/SPECS/kexec-tools.spec
index 49e1d46..58a4a00 100644
--- a/SPECS/kexec-tools.spec
+++ b/SPECS/kexec-tools.spec
@@ -1,6 +1,6 @@
 Name: kexec-tools
 Version: 2.0.20
-Release: 29%{?dist}
+Release: 31%{?dist}
 License: GPLv2
 Group: Applications/System
 Summary: The kexec/kdump userspace component
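Review bot: The new comment in load_kdump has a doubled word, `capability to to kernel signature verification`, presumably `capability to do kernel signature verification`. With the `kexec_file_load() failed, please try kexec_load()` hint removed in the second hunk, a load failure now prints only `kexec: failed to load kdump kernel` whichever syscall was chosen, which makes a wrong Secure Boot detection hard to diagnose; include the arguments on the failure path, `echo "kexec: failed to load kdump kernel (kexec args: $KEXEC_ARGS)" >&2`. In the stop_kdump hunk the unload form is chosen by re-running the detection rather than from how the kernel was actually loaded (KEXEC_ARGS may carry `-s` from the x86_64 sysconfig without Secure Boot); I believe both unload forms remove the crash kernel, but the asymmetry deserves a one-line comment. load_kdump's body continues outside both of its hunks.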
@@ -182,6 +182,9 @@ make -C makedumpfile-1.6.7 LDFLAGS="$LDFLAGS -I../eppic/libeppic -L../eppic/libe
 %install
 mkdir -p -m755 $RPM_BUILD_ROOT/usr/sbin
 mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig
+mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/kdump
+mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/kdump/pre.d
+mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/kdump/post.d
 mkdir -p -m755 $RPM_BUILD_ROOT%{_localstatedir}/crash
 mkdir -p -m755 $RPM_BUILD_ROOT%{_mandir}/man8/
 mkdir -p -m755 $RPM_BUILD_ROOT%{_mandir}/man5/
@@ -350,6 +353,9 @@ done
 %endif
 %{dracutlibdir}/modules.d/*
 %dir %{_localstatedir}/crash
+%dir %{_sysconfdir}/kdump
+%dir %{_sysconfdir}/kdump/pre.d
+%dir %{_sysconfdir}/kdump/post.d
 %{_mandir}/man8/kdumpctl.8.gz
 %{_mandir}/man8/kexec.8.gz
 %{_mandir}/man8/makedumpfile.8.gz
@@ -373,6 +379,19 @@ done
 %endif
 %changelog
+* Wed Jul 22 2020 Pingfan Liu - 2.0.20-31
+- ppc64/kdump: use kexec_file_load when secureboot is enabled
+- kdump_pre: make notes more precise
+- dracut-kdump.sh: exit shell when machine reboot
+- kdump.conf: fix a grammar issue
+- kdumpctl: detect modification of scripts by its directory's timestamp
+- module-setup.sh: suppress false alarm
+- kexec-tools.spec: make the existence of pre.d and post.d mandatory
+
+* Tue Jul 14 2020 Pingfan Liu - 2.0.20-30
+- x86_64: enable the kexec file load by default
+- Revert "kdump-lib: switch to the kexec_file_load() syscall on x86_64 by default"
+
 * Wed Jun 24 2020 Pingfan Liu - 2.0.20-29
 - mkdumprd: Improve the error message for umounted dump target
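Review bot: The new `%dir %{_sysconfdir}/kdump/pre.d` and `post.d` entries in %files rely on the package's default attributes for owner and mode, while dracut-kdump.sh executes every file found in those directories inside the capture kernel; since anyone able to write there controls code run at crash time, pin the attributes explicitly so a later %defattr change cannot loosen them, e.g. `%dir %attr(0755,root,root) %{_sysconfdir}/kdump/pre.d`, and likewise for %{_sysconfdir}/kdump and post.d. The `mkdir -p -m755` lines in %install already express that mode, so this only makes the packaged intent match the build step.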