kdump doesn't work with UEFI secure boot and kernel lockdown enabled on ARM64

Bug #2033007 reported by Chengen Du
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
In Progress
Undecided
Unassigned
Focal
In Progress
Undecided
Chengen Du
Jammy
Fix Released
Medium
Chengen Du
Lunar
Fix Released
Medium
Chengen Du

Bug Description

[Impact]
The kdump service operates by utilizing the kexec_file_load system call, which loads a new kernel image intended for subsequent execution.
However, this process encounters a hindrance if the CONFIG_KEXEC_IMAGE_VERIFY_SIG option isn't enabled to facilitate signature verification.

In addition, a noteworthy point is that if the kernel image is signed with a MOK,
it will face rejection due to ARM64's reliance solely on the .builtin_trusted_keys for verification purposes.
To enhance flexibility, it's suggested that we align the behavior on x86 platforms.
This alignment could potentially involve expanding the scope to encompass more keyrings, such as .secondary_trusted_keys and platform keyrings,
thereby broadening the options available for verification mechanisms.

[Fix]
Enabling the CONFIG_KEXEC_IMAGE_VERIFY_SIG option is necessary,
along with the incorporation of two specific commits, in order to enhance the capabilities of the kexec_file_load system call on ARM64.
The commits that need to be applied are as follows:
c903dae8941d kexec, KEYS: make the code in bzImage64_verify_sig generic
0d519cadf751 arm64: kexec_file: use more system keyrings to verify kernel image signature

[Test Plan]
1. Set up a VM with UEFI secure boot and enabled kernel lockdown on ARM64
2. Install 'kdump-tools'
sudo apt install linux-crashdump
3. Reboot and verify kdump status with 'kdump-config show'
root@ubuntu:~# kdump-config show
DUMP_MODE: kdump
USE_KDUMP: 1
KDUMP_COREDIR: /var/crash
crashkernel addr: 0xde000000
   /var/lib/kdump/vmlinuz: symbolic link to /boot/vmlinuz-5.15.0-78-generic
kdump initrd:
   /var/lib/kdump/initrd.img: symbolic link to /var/lib/kdump/initrd.img-5.15.0-78-generic
current state: Not ready to kdump

kexec command:
  /sbin/kexec -p -s --command-line="BOOT_IMAGE=/boot/vmlinuz-5.15.0-79-generic root=UUID=63e4c69f-fb47-4a54-8ef1-c955ae9a9a50 ro console=tty1 console=ttyS0 reset_devices systemd.unit=kdump-tools-dump.service nr_cpus=1" --initrd=/var/lib/kdump/initrd.img /var/lib/kdump/vmlinuz
4. Check the log using 'systemctl status kdump-tools'
Aug 24 06:08:39 ubuntu systemd[1]: Starting Kernel crash dump capture service...
Aug 24 06:08:39 ubuntu kdump-tools[1750]: Starting kdump-tools:
Aug 24 06:08:39 ubuntu kdump-tools[1755]: * Creating symlink /var/lib/kdump/vmlinuz
Aug 24 06:08:39 ubuntu kdump-tools[1755]: * Creating symlink /var/lib/kdump/initrd.img
Aug 24 06:08:39 ubuntu kdump-tools[1755]: * /sbin/kexec -p -s --command-line="BOOT_IMAGE=/boot/vmlinuz-5.15.0-78-generic root=UUID=63e4c69f-fb47-4a54-8ef1-c955ae9a9a50 ro console=tty1 console=ttyS0 reset_devices systemd.unit=kdump-tools-dump.service nr_cpus=1" --initrd=/var/lib/kdump/initrd.img /var/lib/kdump/vmlinuz
Aug 24 06:08:41 ubuntu kernel: [ 403.301008] Lockdown: kexec: kexec of unsigned images is restricted; see man kernel_lockdown.7
Aug 24 06:08:41 ubuntu kdump-tools[1755]: * failed to load kdump kernel
Aug 24 06:08:41 ubuntu kdump-tools: failed to load kdump kernel
Aug 24 06:08:41 ubuntu systemd[1]: Finished Kernel crash dump capture service.

[Where problems could occur]
The problem is specific to kexec image signature verification on ARM64.
This change allows additional keyrings and impacts only the ARM64 kexec_file_load system call.

Chengen Du (chengendu)
Changed in linux (Ubuntu Focal):
assignee: nobody → Chengen Du (chengendu)
Changed in linux (Ubuntu Jammy):
assignee: nobody → Chengen Du (chengendu)
Changed in linux (Ubuntu Lunar):
assignee: nobody → Chengen Du (chengendu)
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 2033007

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu Focal):
status: New → Incomplete
Changed in linux (Ubuntu Jammy):
status: New → Incomplete
Changed in linux (Ubuntu Lunar):
status: New → Incomplete
Chengen Du (chengendu)
Changed in linux (Ubuntu):
status: Incomplete → In Progress
Changed in linux (Ubuntu Focal):
status: Incomplete → In Progress
Changed in linux (Ubuntu Jammy):
status: Incomplete → In Progress
Changed in linux (Ubuntu Lunar):
status: Incomplete → In Progress
Changed in linux (Ubuntu Jammy):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Lunar):
status: In Progress → Fix Committed
Stefan Bader (smb)
Changed in linux (Ubuntu Jammy):
importance: Undecided → Medium
Changed in linux (Ubuntu Lunar):
importance: Undecided → Medium
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/5.15.0-85.95 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux' to 'verification-done-jammy-linux'. If the problem still exists, change the tag 'verification-needed-jammy-linux' to 'verification-failed-jammy-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-v2 verification-needed-jammy-linux
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/6.2.0-34.34 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-lunar-linux' to 'verification-done-lunar-linux'. If the problem still exists, change the tag 'verification-needed-lunar-linux' to 'verification-failed-lunar-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-lunar-linux-v2 verification-needed-lunar-linux
Revision history for this message
Chengen Du (chengendu) wrote :

The kernels (5.15.0-85.95/6.2.0-34.34) have been tested without any issues.

tags: added: verification-done-jammy-linux verification-done-lunar-linux
removed: verification-needed-jammy-linux verification-needed-lunar-linux
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (56.7 KiB)

This bug was fixed in the package linux - 5.15.0-86.96

---------------
linux (5.15.0-86.96) jammy; urgency=medium

  * jammy/linux: 5.15.0-86.96 -proposed tracker (LP: #2036575)

  * 5.15.0-85 live migration regression (LP: #2036675)
    - Revert "KVM: x86: Always enable legacy FP/SSE in allowed user XFEATURES"
    - Revert "x86/kvm/fpu: Limit guest user_xfeatures to supported bits of XCR0"

  * Regression for ubuntu_bpf test build on Jammy 5.15.0-85.95 (LP: #2035181)
    - selftests/bpf: fix static assert compilation issue for test_cls_*.c

  * `refcount_t: underflow; use-after-free.` on hidon w/ 5.15.0-85-generic
    (LP: #2034447)
    - crypto: rsa-pkcs1pad - Use helper to set reqsize

linux (5.15.0-85.95) jammy; urgency=medium

  * jammy/linux: 5.15.0-85.95 -proposed tracker (LP: #2033821)

  * Please enable Renesas RZ platform serial installer (LP: #2022361)
    - [Config] enable hihope RZ/G2M serial console
    - [Config] Mark sh-sci as built-in

  * Request backport of xen timekeeping performance improvements (LP: #2033122)
    - x86/xen/time: prefer tsc as clocksource when it is invariant

  * kdump doesn't work with UEFI secure boot and kernel lockdown enabled on
    ARM64 (LP: #2033007)
    - [Config]: Enable CONFIG_KEXEC_IMAGE_VERIFY_SIG
    - kexec, KEYS: make the code in bzImage64_verify_sig generic
    - arm64: kexec_file: use more system keyrings to verify kernel image signature

  * ubuntu_kernel_selftests:net:vrf-xfrm-tests.sh: 8 failed test cases on
    jammy/fips (LP: #2019880)
    - selftests: net: vrf-xfrm-tests: change authentication and encryption algos

  * ubuntu_kernel_selftests:net:tls: 88 failed test cases on jammy/fips
    (LP: #2019868)
    - selftests/harness: allow tests to be skipped during setup
    - selftests: net: tls: check if FIPS mode is enabled

  * A general-proteciton exception during guest migration to unsupported PKRU
    machine (LP: 2032164, reverted)
    - x86/kvm/fpu: Limit guest user_xfeatures to supported bits of XCR0
    - KVM: x86: Always enable legacy FP/SSE in allowed user XFEATURES

  * CVE-2023-4569
    - netfilter: nf_tables: deactivate catchall elements in next generation

  * CVE-2023-20569
    - x86/cpu, kvm: Add support for CPUID_80000021_EAX
    - x86/srso: Add a Speculative RAS Overflow mitigation
    - x86/srso: Add IBPB_BRTYPE support
    - x86/srso: Add SRSO_NO support
    - x86/srso: Add IBPB
    - x86/srso: Add IBPB on VMEXIT
    - x86/srso: Fix return thunks in generated code
    - x86/srso: Tie SBPB bit setting to microcode patch detection
    - x86: fix backwards merge of GDS/SRSO bit
    - x86/srso: Fix build breakage with the LLVM linker
    - x86/cpu: Fix __x86_return_thunk symbol type
    - x86/cpu: Fix up srso_safe_ret() and __x86_return_thunk()
    - x86/alternative: Make custom return thunk unconditional
    - objtool: Add frame-pointer-specific function ignore
    - x86/ibt: Add ANNOTATE_NOENDBR
    - x86/cpu: Clean up SRSO return thunk mess
    - x86/cpu: Rename original retbleed methods
    - x86/cpu: Rename srso_(.*)_alias to srso_alias_\1
    - x86/cpu: Cleanup the untrain mess
    - x86/srso: Explain the untraining sequences a bit more
    - x86/static_call:...

Changed in linux (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (32.0 KiB)

This bug was fixed in the package linux - 6.2.0-34.34

---------------
linux (6.2.0-34.34) lunar; urgency=medium

  * lunar/linux: 6.2.0-34.34 -proposed tracker (LP: #2033779)

  * CVE-2023-20569
    - x86/cpu, kvm: Add support for CPUID_80000021_EAX
    - tools headers x86 cpufeatures: Sync with the kernel sources
    - x86/alternative: Optimize returns patching
    - x86/retbleed: Add __x86_return_thunk alignment checks
    - x86/srso: Add a Speculative RAS Overflow mitigation
    - x86/srso: Add IBPB_BRTYPE support
    - x86/srso: Add SRSO_NO support
    - x86/srso: Add IBPB
    - x86/srso: Add IBPB on VMEXIT
    - x86/srso: Fix return thunks in generated code
    - x86/srso: Add a forgotten NOENDBR annotation
    - x86/srso: Tie SBPB bit setting to microcode patch detection
    - Documentation/hw-vuln: Unify filename specification in index
    - Documentation/srso: Document IBPB aspect and fix formatting
    - x86/srso: Fix build breakage with the LLVM linker
    - x86: Move gds_ucode_mitigated() declaration to header
    - x86/retpoline: Don't clobber RFLAGS during srso_safe_ret()
    - x86/srso: Disable the mitigation on unaffected configurations
    - x86/retpoline,kprobes: Fix position of thunk sections with CONFIG_LTO_CLANG
    - x86/retpoline,kprobes: Skip optprobe check for indirect jumps with
      retpolines and IBT
    - x86/cpu: Fix __x86_return_thunk symbol type
    - x86/cpu: Fix up srso_safe_ret() and __x86_return_thunk()
    - objtool/x86: Fix SRSO mess
    - x86/alternative: Make custom return thunk unconditional
    - x86/cpu: Clean up SRSO return thunk mess
    - x86/cpu: Rename original retbleed methods
    - x86/cpu: Rename srso_(.*)_alias to srso_alias_\1
    - x86/cpu: Cleanup the untrain mess
    - x86/srso: Explain the untraining sequences a bit more
    - objtool/x86: Fixup frame-pointer vs rethunk
    - x86/static_call: Fix __static_call_fixup()
    - x86/srso: Correct the mitigation status when SMT is disabled
    - Ubuntu: [Config]: enable Speculative Return Stack Overflow mitigation

  * Please enable Renesas RZ platform serial installer (LP: #2022361)
    - [Config] enable hihope RZ/G2M serial console
    - [Config] Mark sh-sci as built-in

  * dGPU cannot resume because system firmware stuck in IPCS method
    (LP: #2021572)
    - drm/i915/tc: Abort DP AUX transfer on a disconnected TC port
    - drm/i915/tc: switch to intel_de_* register accessors in display code
    - drm/i915: Enable a PIPEDMC whenever its corresponding pipe is enabled
    - drm/i915/tc: Fix TC port link ref init for DP MST during HW readout
    - drm/i915/tc: Fix system resume MST mode restore for DP-alt sinks
    - drm/i915/tc: Wait for IOM/FW PHY initialization of legacy TC ports
    - drm/i915/tc: Factor out helpers converting HPD mask to TC mode
    - drm/i915/tc: Fix target TC mode for a disconnected legacy port
    - drm/i915/tc: Fix TC mode for a legacy port if the PHY is not ready
    - drm/i915/tc: Fix initial TC mode on disabled legacy ports
    - drm/i915/tc: Make the TC mode readout consistent in all PHY states
    - drm/i915: Add encoder hook to get the PLL type used by TC ports
    - drm/i915/tc: Assume a TC port is legacy ...

Changed in linux (Ubuntu Lunar):
status: Fix Committed → Fix Released
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-azure/5.15.0-1050.57 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-azure' to 'verification-done-jammy-linux-azure'. If the problem still exists, change the tag 'verification-needed-jammy-linux-azure' to 'verification-failed-jammy-linux-azure'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-azure-v2 verification-needed-jammy-linux-azure
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-aws/5.15.0-1048.53 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-aws' to 'verification-done-jammy-linux-aws'. If the problem still exists, change the tag 'verification-needed-jammy-linux-aws' to 'verification-failed-jammy-linux-aws'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-aws-v2 verification-needed-jammy-linux-aws
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-azure/6.2.0-1015.15 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-lunar-linux-azure' to 'verification-done-lunar-linux-azure'. If the problem still exists, change the tag 'verification-needed-lunar-linux-azure' to 'verification-failed-lunar-linux-azure'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-lunar-linux-azure-v2 verification-needed-lunar-linux-azure
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-aws-6.2/6.2.0-1014.14~22.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-aws-6.2' to 'verification-done-jammy-linux-aws-6.2'. If the problem still exists, change the tag 'verification-needed-jammy-linux-aws-6.2' to 'verification-failed-jammy-linux-aws-6.2'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-aws-6.2-v2 verification-needed-jammy-linux-aws-6.2
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-nvidia-tegra/5.15.0-1018.18 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-nvidia-tegra' to 'verification-done-jammy-linux-nvidia-tegra'. If the problem still exists, change the tag 'verification-needed-jammy-linux-nvidia-tegra' to 'verification-failed-jammy-linux-nvidia-tegra'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-nvidia-tegra-v2 verification-needed-jammy-linux-nvidia-tegra
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-raspi/5.15.0-1040.43 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-raspi' to 'verification-done-jammy-linux-raspi'. If the problem still exists, change the tag 'verification-needed-jammy-linux-raspi' to 'verification-failed-jammy-linux-raspi'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-raspi-v2 verification-needed-jammy-linux-raspi
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-bluefield/5.15.0-1027.29 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-bluefield' to 'verification-done-jammy-linux-bluefield'. If the problem still exists, change the tag 'verification-needed-jammy-linux-bluefield' to 'verification-failed-jammy-linux-bluefield'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-bluefield-v2 verification-needed-jammy-linux-bluefield
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-nvidia-6.2/6.2.0-1011.11 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-nvidia-6.2' to 'verification-done-jammy-linux-nvidia-6.2'. If the problem still exists, change the tag 'verification-needed-jammy-linux-nvidia-6.2' to 'verification-failed-jammy-linux-nvidia-6.2'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-nvidia-6.2-v2 verification-needed-jammy-linux-nvidia-6.2
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-nvidia-tegra-igx/5.15.0-1005.5 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-nvidia-tegra-igx' to 'verification-done-jammy-linux-nvidia-tegra-igx'. If the problem still exists, change the tag 'verification-needed-jammy-linux-nvidia-tegra-igx' to 'verification-failed-jammy-linux-nvidia-tegra-igx'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-nvidia-tegra-igx-v2 verification-needed-jammy-linux-nvidia-tegra-igx
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.