ACK: [SRU][N][PATCH 0/1] UBUNTU: [Config]: Enable CONFIG_KEXEC_IMAGE_VERIFY_SIG on arm64
Noah Wager
noah.wager at canonical.com
Tue Jul 16 20:59:39 UTC 2024
Acked-by: Noah Wager <noah.wager at canonical.com>
On Tue, Jul 16, 2024 at 04:29:12PM -0400, Kevin Becker wrote:
> BugLink: https://bugs.launchpad.net/bugs/2033007
>
> [Impact]
> The kdump service operates by utilizing the kexec_file_load system call,
> which loads a new kernel image intended for subsequent execution.
> However, this process encounters a problem on ARM64 with Secure Boot
> when CONFIG_KEXEC_IMAGE_VERIFY_SIG option isn't enabled to facilitate
> signature verification.
>
> [Fix]
> Enabling the CONFIG_KEXEC_IMAGE_VERIFY_SIG option is necessary.
>
> [Test Plan]
> 1. Set up a VM with UEFI secure boot and enabled kernel lockdown on ARM64
> 2. Install kdump-tools: 'apt install linux-crashdump'
> 3. Reboot and verify kdump status with 'kdump-config show'
> 4. Check the log using 'systemctl status kdump-tools'
>
> [Where problems could occur]
> The problem is specific to kexec image signature verification on ARM64.
> This change impacts only the ARM64 kexec_file_load system call.
>
> Kevin Becker (1):
> UBUNTU: [Config]: Enable CONFIG_KEXEC_IMAGE_VERIFY_SIG on arm64
>
> debian.master/config/annotations | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> --
> 2.43.0
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
More information about the kernel-team
mailing list