[SRU,N,0/1] UBUNTU: [Config]: Enable CONFIG_KEXEC_IMAGE_VERIFY_SIG on arm64

Message ID 20240716202914.1927239-1-kevin.becker@canonical.com

Message

Kevin Becker July 16, 2024, 8:29 p.m. UTC
BugLink: https://bugs.launchpad.net/bugs/2033007

[Impact]
The kdump service operates by utilizing the kexec_file_load system call,
which loads a new kernel image intended for subsequent execution.
However, this process encounters a problem on ARM64 with Secure Boot
when CONFIG_KEXEC_IMAGE_VERIFY_SIG option isn't enabled to facilitate
signature verification.

[Fix]
Enabling the CONFIG_KEXEC_IMAGE_VERIFY_SIG option is necessary.

[Test Plan]
1. Set up a VM with UEFI secure boot and enabled kernel lockdown on ARM64
2. Install kdump-tools: 'apt install linux-crashdump'
3. Reboot and verify kdump status with 'kdump-config show'
4. Check the log using 'systemctl status kdump-tools'

[Where problems could occur]
The problem is specific to kexec image signature verification on ARM64.
This change impacts only the ARM64 kexec_file_load system call.

Kevin Becker (1):
  UBUNTU: [Config]: Enable CONFIG_KEXEC_IMAGE_VERIFY_SIG on arm64

 debian.master/config/annotations | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
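As an added pre-flight check for the test plan above (example code written here, not part of this patch or of the Ubuntu kernel tree), the script below reads a kernel config file and the securityfs lockdown file and reports whether an arm64 kernel will accept a signed crash kernel through kexec_file_load, so a failing `kdump-config show` can be attributed to the missing option quickly. The file paths it defaults to, `/boot/config-$(uname -r)` and `/sys/kernel/security/lockdown`, are assumptions about the target host, and the sample inputs in the comments are constructed.

```shell
#!/bin/sh
# Added example, not code from the patch. Checks the three things the
# cover letter ties together: arm64, CONFIG_KEXEC_IMAGE_VERIFY_SIG, lockdown.

# Return 0 when the kernel config file sets CONFIG_KEXEC_IMAGE_VERIFY_SIG=y.
# Ubuntu installs the config as /boot/config-$(uname -r) (assumed path).
kexec_sig_enabled() {
    grep -qx 'CONFIG_KEXEC_IMAGE_VERIFY_SIG=y' "$1"
}

# Print the active lockdown mode from a securityfs lockdown file. The file
# reads like "none [integrity] confidentiality"; the bracketed word is active.
lockdown_mode() {
    sed -n 's/.*\[\([a-z]*\)].*/\1/p' "$1"
}

# Summarise one host. Exit codes: 0 = signed images will be accepted,
# 1 = verification unavailable and lockdown active (the bug in the cover
# letter), 3 = verification unavailable but lockdown off, 2 = not arm64.
kexec_preflight() {
    arch="$1"; config="$2"; lockdown_file="$3"
    mode=$(lockdown_mode "$lockdown_file" 2>/dev/null)
    if [ "$arch" != "aarch64" ]; then
        echo "arch=$arch: this check covers arm64 only"
        return 2
    fi
    if kexec_sig_enabled "$config"; then
        echo "CONFIG_KEXEC_IMAGE_VERIFY_SIG=y, lockdown=${mode:-unknown}: signed images accepted"
        return 0
    fi
    if [ -n "$mode" ] && [ "$mode" != "none" ]; then
        echo "CONFIG_KEXEC_IMAGE_VERIFY_SIG unset, lockdown=$mode: kexec_file_load will be refused"
        return 1
    fi
    echo "CONFIG_KEXEC_IMAGE_VERIFY_SIG unset, lockdown=${mode:-unknown}: loads, but unverified"
    return 3
}

# Run against the live system only when asked, so the functions can also be
# sourced into a test harness without touching the host.
if [ "${KEXEC_PREFLIGHT_RUN:-0}" = 1 ]; then
    kexec_preflight "$(uname -m)" "/boot/config-$(uname -r)" /sys/kernel/security/lockdown
fi
```

On the target VM from the test plan, run it as `KEXEC_PREFLIGHT_RUN=1 sh kexec-preflight.sh` before and after installing the fixed kernel.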

Comments

Noah Wager July 16, 2024, 8:59 p.m. UTC | #1
Acked-by: Noah Wager <noah.wager@canonical.com>

On Tue, Jul 16, 2024 at 04:29:12PM -0400, Kevin Becker wrote:
> BugLink: https://bugs.launchpad.net/bugs/2033007
> 
> [Impact]
> The kdump service operates by utilizing the kexec_file_load system call,
> which loads a new kernel image intended for subsequent execution.
> However, this process encounters a problem on ARM64 with Secure Boot
> when CONFIG_KEXEC_IMAGE_VERIFY_SIG option isn't enabled to facilitate
> signature verification.
> 
> [Fix]
> Enabling the CONFIG_KEXEC_IMAGE_VERIFY_SIG option is necessary.
> 
> [Test Plan]
> 1. Set up a VM with UEFI secure boot and enabled kernel lockdown on ARM64
> 2. Install kdump-tools: 'apt install linux-crashdump'
> 3. Reboot and verify kdump status with 'kdump-config show'
> 4. Check the log using 'systemctl status kdump-tools'
> 
> [Where problems could occur]
> The problem is specific to kexec image signature verification on ARM64.
> This change impacts only the ARM64 kexec_file_load system call.
> 
> Kevin Becker (1):
>   UBUNTU: [Config]: Enable CONFIG_KEXEC_IMAGE_VERIFY_SIG on arm64
> 
>  debian.master/config/annotations | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> -- 
> 2.43.0
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Paolo Pisati July 17, 2024, 6:12 a.m. UTC | #2
On Tue, Jul 16, 2024 at 04:29:12PM -0400, Kevin Becker wrote:
> BugLink: https://bugs.launchpad.net/bugs/2033007

Acked-by: Paolo Pisati <paolo.pisati@canonical.com>
Philip Cox July 17, 2024, 6:20 a.m. UTC | #3
On Tue, 2024-07-16 at 16:29 -0400, Kevin Becker wrote:
> BugLink: https://bugs.launchpad.net/bugs/2033007
> 
> [Impact]
> The kdump service operates by utilizing the kexec_file_load system
> call,
> which loads a new kernel image intended for subsequent execution.
> However, this process encounters a problem on ARM64 with Secure Boot
> when CONFIG_KEXEC_IMAGE_VERIFY_SIG option isn't enabled to facilitate
> signature verification.
> 
> [Fix]
> Enabling the CONFIG_KEXEC_IMAGE_VERIFY_SIG option is necessary.
> 
> [Test Plan]
> 1. Set up a VM with UEFI secure boot and enabled kernel lockdown on
> ARM64
> 2. Install kdump-tools: 'apt install linux-crashdump'
> 3. Reboot and verify kdump status with 'kdump-config show'
> 4. Check the log using 'systemctl status kdump-tools'
> 
> [Where problems could occur]
> The problem is specific to kexec image signature verification on
> ARM64.
> This change impacts only the ARM64 kexec_file_load system call.
> 
> Kevin Becker (1):
>   UBUNTU: [Config]: Enable CONFIG_KEXEC_IMAGE_VERIFY_SIG on arm64
> 
>  debian.master/config/annotations | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> -- 
> 2.43.0
> 
> 

Thanks Kevin for taking care of this!

I also tested this with an arm64 QEMU vm with secure boot enabled.
Stefan Bader July 17, 2024, 9:27 a.m. UTC | #4
On 17.07.24 08:12, Paolo Pisati wrote:
> On Tue, Jul 16, 2024 at 04:29:12PM -0400, Kevin Becker wrote:
>> BugLink: https://bugs.launchpad.net/bugs/2033007
> 
> Acked-by: Paolo Pisati <paolo.pisati@canonical.com>

Is this already changed in oracular/unstable as well?

-Stefan
Paolo Pisati July 17, 2024, 9:41 a.m. UTC | #5
On Wed, Jul 17, 2024 at 11:27 AM Stefan Bader
<stefan.bader@canonical.com> wrote:
>
> Is this already changed in oracular/unstable as well?
>

ATM it's off in Oracular, I will apply this patch too.
Paolo Pisati July 17, 2024, 10:18 a.m. UTC | #6
On Tue, Jul 16, 2024 at 04:29:12PM -0400, Kevin Becker wrote:
> BugLink: https://bugs.launchpad.net/bugs/2033007
Stefan Bader July 19, 2024, 9:43 a.m. UTC | #7
On 16.07.24 22:29, Kevin Becker wrote:
> BugLink: https://bugs.launchpad.net/bugs/2033007
> 
> [Impact]
> The kdump service operates by utilizing the kexec_file_load system call,
> which loads a new kernel image intended for subsequent execution.
> However, this process encounters a problem on ARM64 with Secure Boot
> when CONFIG_KEXEC_IMAGE_VERIFY_SIG option isn't enabled to facilitate
> signature verification.
> 
> [Fix]
> Enabling the CONFIG_KEXEC_IMAGE_VERIFY_SIG option is necessary.
> 
> [Test Plan]
> 1. Set up a VM with UEFI secure boot and enabled kernel lockdown on ARM64
> 2. Install kdump-tools: 'apt install linux-crashdump'
> 3. Reboot and verify kdump status with 'kdump-config show'
> 4. Check the log using 'systemctl status kdump-tools'
> 
> [Where problems could occur]
> The problem is specific to kexec image signature verification on ARM64.
> This change impacts only the ARM64 kexec_file_load system call.
> 
> Kevin Becker (1):
>    UBUNTU: [Config]: Enable CONFIG_KEXEC_IMAGE_VERIFY_SIG on arm64
> 
>   debian.master/config/annotations | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 

Applied to noble:linux/master-next. Thanks.

-Stefan