[Bug 1840941] Re: kdump fails to start with secure boot enabled
Mathieu Trudel-Lapierre
mathieu.tl at gmail.com
Thu Oct 31 22:02:47 UTC 2019
Should be done very soon; we're waiting for the shim review board to
review, then it can be submitted to Microsoft for signing. Expect about
a week turnaround time.
https://bugs.launchpad.net/bugs/1840941
Title:
kdump fails to start with secure boot enabled
Status in shim-signed package in Ubuntu:
Confirmed
Bug description:
The shim shipped in Ubuntu suffers from a bug that does not allow propagating its
keys into the Linux keyring. Thus at kexec_file_load time, the signature
validation fails.
This is explained in these bugs/links:
https://github.com/rhboot/shim/pull/153
https://bugzilla.redhat.com/show_bug.cgi?id=1662929
This problem is in Ubuntu 16.04 as well as 18.04.
There is a workaround; essentially by loading an additional cert into the
MOK, the bug goes away.
lsb_release -rd
  Description: Ubuntu 18.04.3 LTS
  Release: 18.04

apt-cache policy shim-signed
  shim-signed:
    Installed: 1.37~18.04.3+15+1533136590.3beb971-0ubuntu1
    Candidate: 1.37~18.04.3+15+1533136590.3beb971-0ubuntu1
    Version table:
   *** 1.37~18.04.3+15+1533136590.3beb971-0ubuntu1 500
          500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       1.34.9+13-0ubuntu2 500
          500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
Expected to happen:
Canonical keys to be listed in the Linux keyring is enabled.
systemctl start kdump-tools.service is expected to succeed
What happened instead:
Canonical keys not in the Linux keyring, thus kdump fails to load/start.
systemctl start kdump-tools.service
systemctl status kdump-tools.service
Aug 21 15:43:53 vm362 systemd[1]: Starting Kernel crash dump capture service...
Aug 21 15:43:53 vm362 kdump-tools[980]: Starting kdump-tools: * Creating symlin
Aug 21 15:43:53 vm362 kdump-tools[980]: * Creating symlink /var/lib/kdump/initr
Aug 21 15:43:54 vm362 kdump-tools[980]: kexec_file_load failed: Required key not
Aug 21 15:43:54 vm362 kdump-tools[980]: * failed to load kdump kernel