[SRU][N][PATCH 0/1] UBUNTU: [Config]: Enable CONFIG_KEXEC_IMAGE_VERIFY_SIG on arm64
Kevin Becker
kevin.becker at canonical.com
Tue Jul 16 20:29:12 UTC 2024
BugLink: https://bugs.launchpad.net/bugs/2033007
[Impact]
The kdump service operates by utilizing the kexec_file_load system call,
which loads a new kernel image intended for subsequent execution.
However, this process encounters a problem on ARM64 with Secure Boot
when CONFIG_KEXEC_IMAGE_VERIFY_SIG option isn't enabled to facilitate
signature verification.
[Fix]
Enabling the CONFIG_KEXEC_IMAGE_VERIFY_SIG option is necessary.
[Test Plan]
1. Set up a VM with UEFI secure boot and enabled kernel lockdown on ARM64
2. Install kdump-tools: 'apt install linux-crashdump'
3. Reboot and verify kdump status with 'kdump-config show'
4. Check the log using 'systemctl status kdump-tools'
[Where problems could occur]
The problem is specific to kexec image signature verification on ARM64.
This change impacts only the ARM64 kexec_file_load system call.
Kevin Becker (1):
UBUNTU: [Config]: Enable CONFIG_KEXEC_IMAGE_VERIFY_SIG on arm64
debian.master/config/annotations | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--
2.43.0
More information about the kernel-team
mailing list