APPLIED: [SRU][N][PATCH 0/1] UBUNTU: [Config]: Enable CONFIG_KEXEC_IMAGE_VERIFY_SIG on arm64
Stefan Bader
stefan.bader at canonical.com
Fri Jul 19 09:43:37 UTC 2024
On 16.07.24 22:29, Kevin Becker wrote:
> BugLink: https://bugs.launchpad.net/bugs/2033007
>
> [Impact]
> The kdump service operates by utilizing the kexec_file_load system call,
> which loads a new kernel image intended for subsequent execution.
> However, this process encounters a problem on ARM64 with Secure Boot
> when CONFIG_KEXEC_IMAGE_VERIFY_SIG option isn't enabled to facilitate
> signature verification.
>
> [Fix]
> Enabling the CONFIG_KEXEC_IMAGE_VERIFY_SIG option is necessary.
>
> [Test Plan]
> 1. Set up a VM with UEFI secure boot and enabled kernel lockdown on ARM64
> 2. Install kdump-tools: 'apt install linux-crashdump'
> 3. Reboot and verify kdump status with 'kdump-config show'
> 4. Check the log using 'systemctl status kdump-tools'
>
> [Where problems could occur]
> The problem is specific to kexec image signature verification on ARM64.
> This change impacts only the ARM64 kexec_file_load system call.
>
> Kevin Becker (1):
> UBUNTU: [Config]: Enable CONFIG_KEXEC_IMAGE_VERIFY_SIG on arm64
>
> debian.master/config/annotations | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
Applied to noble:linux/master-next. Thanks.
-Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 48643 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240719/e92abf43/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240719/e92abf43/attachment-0001.sig>
More information about the kernel-team
mailing list