Message ID | 20240716202914.1927239-1-kevin.becker@canonical.com |
---|---|
Series | UBUNTU: [Config]: Enable CONFIG_KEXEC_IMAGE_VERIFY_SIG on arm64 |

Acked-by: Noah Wager <noah.wager@canonical.com>

On Tue, Jul 16, 2024 at 04:29:12PM -0400, Kevin Becker wrote:
> BugLink: https://bugs.launchpad.net/bugs/2033007
>
> [Impact]
> The kdump service operates by utilizing the kexec_file_load system call,
> which loads a new kernel image intended for subsequent execution.
> However, this process encounters a problem on ARM64 with Secure Boot
> when CONFIG_KEXEC_IMAGE_VERIFY_SIG option isn't enabled to facilitate
> signature verification.
>
> [Fix]
> Enabling the CONFIG_KEXEC_IMAGE_VERIFY_SIG option is necessary.
>
> [Test Plan]
> 1. Set up a VM with UEFI secure boot and enabled kernel lockdown on ARM64
> 2. Install kdump-tools: 'apt install linux-crashdump'
> 3. Reboot and verify kdump status with 'kdump-config show'
> 4. Check the log using 'systemctl status kdump-tools'
>
> [Where problems could occur]
> The problem is specific to kexec image signature verification on ARM64.
> This change impacts only the ARM64 kexec_file_load system call.
>
> Kevin Becker (1):
>   UBUNTU: [Config]: Enable CONFIG_KEXEC_IMAGE_VERIFY_SIG on arm64
>
>  debian.master/config/annotations | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> --
> 2.43.0
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

On Tue, Jul 16, 2024 at 04:29:12PM -0400, Kevin Becker wrote:
> BugLink: https://bugs.launchpad.net/bugs/2033007

Acked-by: Paolo Pisati <paolo.pisati@canonical.com>

On Tue, 2024-07-16 at 16:29 -0400, Kevin Becker wrote:
> BugLink: https://bugs.launchpad.net/bugs/2033007
>
> [Impact]
> The kdump service operates by utilizing the kexec_file_load system call,
> which loads a new kernel image intended for subsequent execution.
> However, this process encounters a problem on ARM64 with Secure Boot
> when CONFIG_KEXEC_IMAGE_VERIFY_SIG option isn't enabled to facilitate
> signature verification.
>
> [Fix]
> Enabling the CONFIG_KEXEC_IMAGE_VERIFY_SIG option is necessary.
>
> [Test Plan]
> 1. Set up a VM with UEFI secure boot and enabled kernel lockdown on ARM64
> 2. Install kdump-tools: 'apt install linux-crashdump'
> 3. Reboot and verify kdump status with 'kdump-config show'
> 4. Check the log using 'systemctl status kdump-tools'
>
> [Where problems could occur]
> The problem is specific to kexec image signature verification on ARM64.
> This change impacts only the ARM64 kexec_file_load system call.
>
> Kevin Becker (1):
>   UBUNTU: [Config]: Enable CONFIG_KEXEC_IMAGE_VERIFY_SIG on arm64
>
>  debian.master/config/annotations | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> --
> 2.43.0
>
>

Thanks Kevin for taking care of this! I also tested this with an arm64 QEMU vm with secure boot enabled.

On 17.07.24 08:12, Paolo Pisati wrote:
> On Tue, Jul 16, 2024 at 04:29:12PM -0400, Kevin Becker wrote:
>> BugLink: https://bugs.launchpad.net/bugs/2033007
>
> Acked-by: Paolo Pisati <paolo.pisati@canonical.com>

Is this already changed in oracular/unstable as well?

-Stefan

On Wed, Jul 17, 2024 at 11:27 AM Stefan Bader <stefan.bader@canonical.com> wrote:
>
> Is this already changed in oracular/unstable as well?
>

ATM it's off in Oracular, I will apply this patch too.

On 16.07.24 22:29, Kevin Becker wrote:
> BugLink: https://bugs.launchpad.net/bugs/2033007
>
> [Impact]
> The kdump service operates by utilizing the kexec_file_load system call,
> which loads a new kernel image intended for subsequent execution.
> However, this process encounters a problem on ARM64 with Secure Boot
> when CONFIG_KEXEC_IMAGE_VERIFY_SIG option isn't enabled to facilitate
> signature verification.
>
> [Fix]
> Enabling the CONFIG_KEXEC_IMAGE_VERIFY_SIG option is necessary.
>
> [Test Plan]
> 1. Set up a VM with UEFI secure boot and enabled kernel lockdown on ARM64
> 2. Install kdump-tools: 'apt install linux-crashdump'
> 3. Reboot and verify kdump status with 'kdump-config show'
> 4. Check the log using 'systemctl status kdump-tools'
>
> [Where problems could occur]
> The problem is specific to kexec image signature verification on ARM64.
> This change impacts only the ARM64 kexec_file_load system call.
>
> Kevin Becker (1):
>   UBUNTU: [Config]: Enable CONFIG_KEXEC_IMAGE_VERIFY_SIG on arm64
>
>  debian.master/config/annotations | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>

Applied to noble:linux/master-next. Thanks.

-Stefan
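
The checks behind the test plan quoted in this thread, as an added shell example that is not part of the original messages or the Ubuntu kernel tree: it reads the kernel config, the lockdown mode and the crash-kernel state and reports whether a missing CONFIG_KEXEC_IMAGE_VERIFY_SIG under lockdown explains a kdump that did not load. The function names, the default file paths and the sample state in `demo` are assumptions made for this example.

```shell
#!/bin/sh
# Added example: explain why a crash kernel did or did not load.

# Print y or m if OPTION ($2) is set in kernel config FILE ($1), else n.
kconfig_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${val:-n}"
}

# Print the active lockdown mode, i.e. the bracketed word in FILE ($1):
# "none [integrity] confidentiality" -> integrity
lockdown_mode() {
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1"
}

# kdump_preflight [CONFIG] [LOCKDOWN] [CRASH_LOADED]
# Default paths are assumptions about a typical running system.
# Returns 0: crash kernel loaded; 1: not loaded, lockdown active and
# image signature verification off; 2: not loaded for another reason.
kdump_preflight() {
    cfg=${1:-/boot/config-$(uname -r)}
    lck=${2:-/sys/kernel/security/lockdown}
    crash=${3:-/sys/kernel/kexec_crash_loaded}
    opt=$(kconfig_state "$cfg" CONFIG_KEXEC_IMAGE_VERIFY_SIG)
    mode=$(lockdown_mode "$lck")
    loaded=$(cat "$crash" 2>/dev/null || echo 0)
    echo "CONFIG_KEXEC_IMAGE_VERIFY_SIG=$opt lockdown=${mode:-unknown} crash_loaded=$loaded"
    [ "$loaded" = "1" ] && return 0
    case "$mode" in
        integrity|confidentiality)
            [ "$opt" = "y" ] || { echo "lockdown active, image signature verification off"; return 1; } ;;
    esac
    echo "not loaded: check 'systemctl status kdump-tools'"
    return 2
}

# Constructed sample state (not captured from a real machine):
# option off, lockdown active, no crash kernel loaded.
demo() {
    d=$(mktemp -d)
    echo '# CONFIG_KEXEC_IMAGE_VERIFY_SIG is not set' > "$d/config"
    echo 'none [integrity] confidentiality' > "$d/lockdown"
    echo 0 > "$d/crash"
    rc=0
    kdump_preflight "$d/config" "$d/lockdown" "$d/crash" || rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || echo "demo exit status: $?"
```

On a test VM, calling `kdump_preflight` with no arguments after step 3 of the test plan reads the live files instead of the constructed sample.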