kdump doesn't work with UEFI secure boot and kernel lockdown enabled on ARM64
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | In Progress | Undecided | Unassigned | |
| Focal | In Progress | Undecided | Chengen Du | |
| Jammy | Fix Released | Medium | Chengen Du | |
| Lunar | Fix Released | Medium | Chengen Du | |
Bug Description
[Impact]
The kdump service uses the kexec_file_load system call to load the crash kernel image that will be executed after a panic.
However, this load fails if the CONFIG_
In addition, a kernel image signed with a MOK is rejected, because ARM64 verifies kexec image signatures solely against the .builtin_
To make this more flexible, we suggest aligning the ARM64 behavior with that of x86.
This would mean accepting signatures from additional keyrings, such as .secondary_
thereby broadening the verification options available.
[Fix]
Enable the CONFIG_
and apply the two commits below, which extend signature verification in the ARM64 kexec_file_load system call to additional keyrings.
The commits that need to be applied are:
c903dae8941d kexec, KEYS: make the code in bzImage64_
0d519cadf751 arm64: kexec_file: use more system keyrings to verify kernel image signature
[Test Plan]
1. Set up a VM with UEFI secure boot and enabled kernel lockdown on ARM64
2. Install 'kdump-tools'
sudo apt install linux-crashdump
3. Reboot and verify kdump status with 'kdump-config show'
root@ubuntu:~# kdump-config show
DUMP_MODE: kdump
USE_KDUMP: 1
KDUMP_COREDIR: /var/crash
crashkernel addr: 0xde000000
/var/
kdump initrd:
/var/
current state: Not ready to kdump
kexec command:
/sbin/kexec -p -s --command-
4. Check the log using 'systemctl status kdump-tools'
Aug 24 06:08:39 ubuntu systemd[1]: Starting Kernel crash dump capture service...
Aug 24 06:08:39 ubuntu kdump-tools[1750]: Starting kdump-tools:
Aug 24 06:08:39 ubuntu kdump-tools[1755]: * Creating symlink /var/lib/
Aug 24 06:08:39 ubuntu kdump-tools[1755]: * Creating symlink /var/lib/
Aug 24 06:08:39 ubuntu kdump-tools[1755]: * /sbin/kexec -p -s --command-
Aug 24 06:08:41 ubuntu kernel: [ 403.301008] Lockdown: kexec: kexec of unsigned images is restricted; see man kernel_lockdown.7
Aug 24 06:08:41 ubuntu kdump-tools[1755]: * failed to load kdump kernel
Aug 24 06:08:41 ubuntu kdump-tools: failed to load kdump kernel
Aug 24 06:08:41 ubuntu systemd[1]: Finished Kernel crash dump capture service.
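The following helper is an added example for checking the outcome of the test plan above; it is not part of the bug report or of kdump-tools. It classifies kdump-tools journal output by the same two markers the test plan relies on (the kernel's "Lockdown: kexec" rejection and the "failed to load kdump kernel" message), extracts the "current state" line from 'kdump-config show' output, and reads the active lockdown mode from securityfs. The log lines and the 'kdump-config show' output embedded below are constructed from the messages quoted in the test plan; the function names are the example's own.

```shell
#!/bin/sh
# Added diagnostic helper (not from the bug report or kdump-tools).
# Classifies kdump-tools output so a test run can be checked non-interactively.

# Classify a block of kdump-tools journal text.
# Prints one of:
#   lockdown-rejected  - the kernel refused the kexec load under lockdown
#   load-failed        - kdump-tools reported a failure without a lockdown line
#   no-failure-seen    - neither marker is present
classify_kdump_log() {
    if printf '%s\n' "$1" | grep -qF 'Lockdown: kexec: kexec of unsigned images is restricted'; then
        echo lockdown-rejected
    elif printf '%s\n' "$1" | grep -qF 'failed to load kdump kernel'; then
        echo load-failed
    else
        echo no-failure-seen
    fi
}

# Extract the value of the "current state:" line from 'kdump-config show' output.
kdump_state() {
    printf '%s\n' "$1" | sed -n 's/^current state:[[:space:]]*//p'
}

# Report the active lockdown mode from securityfs (the active mode is the
# bracketed word in "none [integrity] confidentiality"); "unknown" when the
# file is not readable, e.g. securityfs not mounted or lockdown not built in.
lockdown_mode() {
    f=/sys/kernel/security/lockdown
    if [ -r "$f" ]; then
        sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f"
    else
        echo unknown
    fi
}

# Constructed sample: the failing case from the test plan.
SAMPLE_LOCKDOWN_LOG='Aug 24 06:08:39 ubuntu kdump-tools[1750]: Starting kdump-tools:
Aug 24 06:08:41 ubuntu kernel: [  403.301008] Lockdown: kexec: kexec of unsigned images is restricted; see man kernel_lockdown.7
Aug 24 06:08:41 ubuntu kdump-tools[1755]:  * failed to load kdump kernel'

# Constructed sample: a load failure with no lockdown message.
SAMPLE_FAIL_LOG='Aug 24 06:08:39 ubuntu kdump-tools[1750]: Starting kdump-tools:
Aug 24 06:08:41 ubuntu kdump-tools[1755]:  * failed to load kdump kernel'

# Constructed sample: abbreviated 'kdump-config show' output.
SAMPLE_SHOW='DUMP_MODE:        kdump
USE_KDUMP:        1
KDUMP_COREDIR:    /var/crash
crashkernel addr: 0xde000000
current state:    Not ready to kdump'

# Stand-alone demonstration on the constructed samples plus the live
# lockdown mode of the machine the script runs on.
echo "sample log classification: $(classify_kdump_log "$SAMPLE_LOCKDOWN_LOG")"
echo "sample kdump state:        $(kdump_state "$SAMPLE_SHOW")"
echo "lockdown mode on this host: $(lockdown_mode)"
```

On a real test VM, feed the functions live data, for example `classify_kdump_log "$(journalctl -b -u kdump-tools)"` and `kdump_state "$(kdump-config show)"`; with the fix applied and a properly signed kernel, the expected results are "no-failure-seen" and a state of "ready to kdump".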
[Where problems could occur]
The change is confined to kexec image signature verification on ARM64.
It only allows additional keyrings to be consulted by the ARM64 kexec_file_load system call, so any regression would appear in ARM64 kexec/kdump image loading.
Changed in linux (Ubuntu Focal): assignee: nobody → Chengen Du (chengendu)
Changed in linux (Ubuntu Jammy): assignee: nobody → Chengen Du (chengendu)
Changed in linux (Ubuntu Lunar): assignee: nobody → Chengen Du (chengendu)
Changed in linux (Ubuntu): status: Incomplete → In Progress
Changed in linux (Ubuntu Focal): status: Incomplete → In Progress
Changed in linux (Ubuntu Jammy): status: Incomplete → In Progress
Changed in linux (Ubuntu Lunar): status: Incomplete → In Progress
Changed in linux (Ubuntu Jammy): status: In Progress → Fix Committed
Changed in linux (Ubuntu Lunar): status: In Progress → Fix Committed
Changed in linux (Ubuntu Jammy): importance: Undecided → Medium
Changed in linux (Ubuntu Lunar): importance: Undecided → Medium
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 2033007
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.