ACK: [SRU][J][PATCH 0/3] kdump doesn't work with UEFI secure boot and kernel lockdown enabled on ARM64
Tim Gardner
tim.gardner at canonical.com
Fri Aug 25 14:41:30 UTC 2023
On 8/25/23 12:18 AM, Chengen Du wrote:
> BugLink: https://bugs.launchpad.net/bugs/2033007
>
> SRU Justification:
>
> [Impact]
> The kdump service operates by utilizing the kexec_file_load system call, which loads a new kernel image intended for subsequent execution.
> However, this process encounters a hindrance if the CONFIG_KEXEC_IMAGE_VERIFY_SIG option isn't enabled to facilitate signature verification.
>
> In addition, a noteworthy point is that if the kernel image is signed with a MOK,
> it will face rejection due to ARM64's reliance solely on the .builtin_trusted_keys for verification purposes.
> To enhance flexibility, it's suggested that we align the behavior on x86 platforms.
> This alignment could potentially involve expanding the scope to encompass more keyrings, such as .secondary_trusted_keys and platform keyrings,
> thereby broadening the options available for verification mechanisms.
>
> [Fix]
> Enabling the CONFIG_KEXEC_IMAGE_VERIFY_SIG option is necessary,
> along with the incorporation of two specific commits, in order to enhance the capabilities of the kexec_file_load system call on ARM64.
> The commits that need to be applied are as follows:
> c903dae8941d kexec, KEYS: make the code in bzImage64_verify_sig generic
> 0d519cadf751 arm64: kexec_file: use more system keyrings to verify kernel image signature
>
> [Test Plan]
> 1. Set up a VM with UEFI secure boot and enabled kernel lockdown on ARM64
> 2. Install 'kdump-tools'
> sudo apt install linux-crashdump
> 3. Reboot and verify kdump status with 'kdump-config show'
> root at ubuntu:~# kdump-config show
> DUMP_MODE: kdump
> USE_KDUMP: 1
> KDUMP_COREDIR: /var/crash
> crashkernel addr: 0xde000000
> /var/lib/kdump/vmlinuz: symbolic link to /boot/vmlinuz-5.15.0-78-generic
> kdump initrd:
> /var/lib/kdump/initrd.img: symbolic link to /var/lib/kdump/initrd.img-5.15.0-78-generic
> current state: Not ready to kdump
>
> kexec command:
> /sbin/kexec -p -s --command-line="BOOT_IMAGE=/boot/vmlinuz-5.15.0-79-generic root=UUID=63e4c69f-fb47-4a54-8ef1-c955ae9a9a50 ro console=tty1 console=ttyS0 reset_devices systemd.unit=kdump-tools-dump.service nr_cpus=1" --initrd=/var/lib/kdump/initrd.img /var/lib/kdump/vmlinuz
> 4. Check the log using 'systemctl status kdump-tools'
> Aug 24 06:08:39 ubuntu systemd[1]: Starting Kernel crash dump capture service...
> Aug 24 06:08:39 ubuntu kdump-tools[1750]: Starting kdump-tools:
> Aug 24 06:08:39 ubuntu kdump-tools[1755]: * Creating symlink /var/lib/kdump/vmlinuz
> Aug 24 06:08:39 ubuntu kdump-tools[1755]: * Creating symlink /var/lib/kdump/initrd.img
> Aug 24 06:08:39 ubuntu kdump-tools[1755]: * /sbin/kexec -p -s --command-line="BOOT_IMAGE=/boot/vmlinuz-5.15.0-78-generic root=UUID=63e4c69f-fb47-4a54-8ef1-c955ae9a9a50 ro console=tty1 console=ttyS0 reset_devices systemd.unit=kdump-tools-dump.service nr_cpus=1" --initrd=/var/lib/kdump/initrd.img /var/lib/kdump/vmlinuz
> Aug 24 06:08:41 ubuntu kernel: [ 403.301008] Lockdown: kexec: kexec of unsigned images is restricted; see man kernel_lockdown.7
> Aug 24 06:08:41 ubuntu kdump-tools[1755]: * failed to load kdump kernel
> Aug 24 06:08:41 ubuntu kdump-tools: failed to load kdump kernel
> Aug 24 06:08:41 ubuntu systemd[1]: Finished Kernel crash dump capture service.
>
> [Where problems could occur]
> The problem is specific to kexec image signature verification on ARM64.
> This change allows additional keyrings and impacts only the ARM64 kexec_file_load system call.
>
> Chengen Du (1):
> UBUNTU: [Config]: Enable CONFIG_KEXEC_IMAGE_VERIFY_SIG
>
> Coiby Xu (2):
> kexec, KEYS: make the code in bzImage64_verify_sig generic
> arm64: kexec_file: use more system keyrings to verify kernel image
> signature
>
> arch/arm64/kernel/kexec_image.c | 11 +----------
> arch/x86/kernel/kexec-bzimage64.c | 20 +-------------------
> debian.master/config/annotations | 2 +-
> include/linux/kexec.h | 7 +++++++
> kernel/kexec_file.c | 17 +++++++++++++++++
> 5 files changed, 27 insertions(+), 30 deletions(-)
>
Acked-by: Tim Gardner <tim.gardner at canonical.com>
--
-----------
Tim Gardner
Canonical, Inc
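The failure the test plan reproduces surfaces as one kernel log line, so a quick triage check can key on it. The POSIX shell snippet below is an added example (not part of the patch series or of kdump-tools) that classifies kdump-tools log output by that message and reports the host's live lockdown and crash-kernel state; the sample log lines are constructed from the output quoted above, and the live check assumes the standard /sys/kernel/security/lockdown and /sys/kernel/kexec_crash_loaded sysfs files.

```shell
#!/bin/sh
# Added example: triage a kdump-tools failure under kernel lockdown.
# Not part of the SRU patch series or of Ubuntu's kdump-tools.

# Reads log text (e.g. 'systemctl status kdump-tools' output) from stdin and
# prints one of:
#   lockdown-unsigned  - kexec_file_load rejected the image for lack of a
#                        valid signature (the case the SRU fixes)
#   load-failed        - kdump-tools reported a load failure for another reason
#   no-failure-logged  - no load failure found in the given lines
classify_kdump_log() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'Lockdown: kexec: kexec of unsigned images is restricted'; then
        echo lockdown-unsigned
    elif printf '%s\n' "$log" | grep -q 'failed to load kdump kernel'; then
        echo load-failed
    else
        echo no-failure-logged
    fi
}

# Live state of this host: the active lockdown mode is the bracketed word in
# /sys/kernel/security/lockdown (e.g. "none [integrity] confidentiality"), and
# /sys/kernel/kexec_crash_loaded is 1 once a crash kernel has been loaded.
# Both are standard kernel interfaces; "unknown" is printed where unavailable.
kdump_live_state() {
    lockdown=$(sed -n 's/.*\[\(.*\)\].*/\1/p' /sys/kernel/security/lockdown 2>/dev/null || echo unknown)
    loaded=$(cat /sys/kernel/kexec_crash_loaded 2>/dev/null || echo unknown)
    echo "lockdown=${lockdown:-unknown} crash_kernel_loaded=${loaded:-unknown}"
}

# Constructed sample: the two decisive lines from the SRU's journal excerpt.
SAMPLE_LOG='Aug 24 06:08:41 ubuntu kernel: [ 403.301008] Lockdown: kexec: kexec of unsigned images is restricted; see man kernel_lockdown.7
Aug 24 06:08:41 ubuntu kdump-tools[1755]: * failed to load kdump kernel'

echo "sample log: $(printf '%s\n' "$SAMPLE_LOG" | classify_kdump_log)"
echo "this host:  $(kdump_live_state)"
```

On a real host, feed it the journal directly: `journalctl -u kdump-tools -b | sh -c '. ./kdump_triage.sh; classify_kdump_log'` (path is a placeholder for wherever the script is saved).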