[SRU,J,0/3] kdump doesn't work with UEFI secure boot and kernel lockdown enabled on ARM64

Message ID 20230825061839.52444-1-chengen.du@canonical.com

Message

Chengen Du Aug. 25, 2023, 6:18 a.m. UTC
BugLink: https://bugs.launchpad.net/bugs/2033007

SRU Justification:

[Impact]
The kdump service operates by utilizing the kexec_file_load system call, which loads a new kernel image intended for subsequent execution.
However, this process encounters a hindrance if the CONFIG_KEXEC_IMAGE_VERIFY_SIG option isn't enabled to facilitate signature verification.

In addition, a noteworthy point is that if the kernel image is signed with a MOK,
it will face rejection due to ARM64's reliance solely on the .builtin_trusted_keys for verification purposes.
To enhance flexibility, it's suggested that we align the behavior on x86 platforms.
This alignment could potentially involve expanding the scope to encompass more keyrings, such as .secondary_trusted_keys and platform keyrings,
thereby broadening the options available for verification mechanisms.

[Fix]
Enabling the CONFIG_KEXEC_IMAGE_VERIFY_SIG option is necessary,
along with the incorporation of two specific commits, in order to enhance the capabilities of the kexec_file_load system call on ARM64.
The commits that need to be applied are as follows:
c903dae8941d kexec, KEYS: make the code in bzImage64_verify_sig generic
0d519cadf751 arm64: kexec_file: use more system keyrings to verify kernel image signature

[Test Plan]
1. Set up a VM with UEFI secure boot and enabled kernel lockdown on ARM64
2. Install 'kdump-tools'
sudo apt install linux-crashdump
3. Reboot and verify kdump status with 'kdump-config show'
root@ubuntu:~# kdump-config show
DUMP_MODE: kdump
USE_KDUMP: 1
KDUMP_COREDIR: /var/crash
crashkernel addr: 0xde000000
   /var/lib/kdump/vmlinuz: symbolic link to /boot/vmlinuz-5.15.0-78-generic
kdump initrd:
   /var/lib/kdump/initrd.img: symbolic link to /var/lib/kdump/initrd.img-5.15.0-78-generic
current state: Not ready to kdump

kexec command:
  /sbin/kexec -p -s --command-line="BOOT_IMAGE=/boot/vmlinuz-5.15.0-79-generic root=UUID=63e4c69f-fb47-4a54-8ef1-c955ae9a9a50 ro console=tty1 console=ttyS0 reset_devices systemd.unit=kdump-tools-dump.service nr_cpus=1" --initrd=/var/lib/kdump/initrd.img /var/lib/kdump/vmlinuz
4. Check the log using 'systemctl status kdump-tools'
Aug 24 06:08:39 ubuntu systemd[1]: Starting Kernel crash dump capture service...
Aug 24 06:08:39 ubuntu kdump-tools[1750]: Starting kdump-tools:
Aug 24 06:08:39 ubuntu kdump-tools[1755]: * Creating symlink /var/lib/kdump/vmlinuz
Aug 24 06:08:39 ubuntu kdump-tools[1755]: * Creating symlink /var/lib/kdump/initrd.img
Aug 24 06:08:39 ubuntu kdump-tools[1755]: * /sbin/kexec -p -s --command-line="BOOT_IMAGE=/boot/vmlinuz-5.15.0-78-generic root=UUID=63e4c69f-fb47-4a54-8ef1-c955ae9a9a50 ro console=tty1 console=ttyS0 reset_devices systemd.unit=kdump-tools-dump.service nr_cpus=1" --initrd=/var/lib/kdump/initrd.img /var/lib/kdump/vmlinuz
Aug 24 06:08:41 ubuntu kernel: [ 403.301008] Lockdown: kexec: kexec of unsigned images is restricted; see man kernel_lockdown.7
Aug 24 06:08:41 ubuntu kdump-tools[1755]: * failed to load kdump kernel
Aug 24 06:08:41 ubuntu kdump-tools: failed to load kdump kernel
Aug 24 06:08:41 ubuntu systemd[1]: Finished Kernel crash dump capture service.

[Where problems could occur]
The problem is specific to kexec image signature verification on ARM64.
This change allows additional keyrings and impacts only the ARM64 kexec_file_load system call.

Chengen Du (1):
  UBUNTU: [Config]: Enable CONFIG_KEXEC_IMAGE_VERIFY_SIG

Coiby Xu (2):
  kexec, KEYS: make the code in bzImage64_verify_sig generic
  arm64: kexec_file: use more system keyrings to verify kernel image
    signature

 arch/arm64/kernel/kexec_image.c   | 11 +----------
 arch/x86/kernel/kexec-bzimage64.c | 20 +-------------------
 debian.master/config/annotations  |  2 +-
 include/linux/kexec.h             |  7 +++++++
 kernel/kexec_file.c               | 17 +++++++++++++++++
 5 files changed, 27 insertions(+), 30 deletions(-)
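
The check from steps 3 and 4 of the test plan, as an added shell example that is not part of the thread or of kdump-tools. The function names and result strings are made up here, and the "check signing key" branch is an assumption, since the posted log only shows the case where the option is disabled.

```shell
#!/bin/sh
# Added example (not from the thread): triage a "Not ready to kdump" state.
# Every input is a file, so captured output can be checked offline.

# Print the active mode from a copy of /sys/kernel/security/lockdown, where
# the kernel brackets the current value: "none [integrity] confidentiality".
lockdown_mode() {
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1"
}

# kdump_triage SHOW LOG CONFIG LOCKDOWN
#   SHOW      output of 'kdump-config show'
#   LOG       log lines from kdump-tools and the kernel
#   CONFIG    kernel config file, e.g. /boot/config-<release>
#   LOCKDOWN  copy of /sys/kernel/security/lockdown
kdump_triage() {
    for f in "$1" "$2" "$3" "$4"; do
        [ -r "$f" ] || { echo "error: cannot read $f"; return 2; }
    done
    if ! grep -q 'Not ready to kdump' "$1"; then
        echo "ready"; return 0
    fi
    if ! grep -q 'Lockdown: kexec: kexec of unsigned images is restricted' "$2"; then
        echo "not-ready: no lockdown rejection logged (lockdown=$(lockdown_mode "$4"))"
        return 1
    fi
    if grep -q '^CONFIG_KEXEC_IMAGE_VERIFY_SIG=y$' "$3"; then
        # Assumption: with verification built in, a rejection points at the
        # signing key not being in a keyring the kernel consults.
        echo "not-ready: image rejected, check signing key and keyrings"
    else
        echo "not-ready: CONFIG_KEXEC_IMAGE_VERIFY_SIG is not enabled"
    fi
    return 1
}

# Constructed sample input, modelled on the output quoted in the test plan.
demo() {
    d=$(mktemp -d) || return 2
    echo 'current state: Not ready to kdump' > "$d/show"
    echo 'kernel: Lockdown: kexec: kexec of unsigned images is restricted; see man kernel_lockdown.7' > "$d/log"
    echo '# CONFIG_KEXEC_IMAGE_VERIFY_SIG is not set' > "$d/config"
    echo 'none [integrity] confidentiality' > "$d/lockdown"
    kdump_triage "$d/show" "$d/log" "$d/config" "$d/lockdown" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || true
```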

Comments

Tim Gardner Aug. 25, 2023, 2:41 p.m. UTC | #1
Acked-by: Tim Gardner <tim.gardner@canonical.com>

Roxana Nicolescu Aug. 30, 2023, 9:03 a.m. UTC | #2
Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>

Roxana Nicolescu Sept. 1, 2023, 9:10 a.m. UTC | #3
Applied to jammy:master-next. Thanks!

Roxana