Bug 1469450

Summary: [KEXEC] kexec_load failed: Operation not permitted on UEFI SecureBoot enabled machine
Product: Red Hat Enterprise Linux 7
Reporter: Qiao Zhao <qzhao>
Component: kexec-tools
Assignee: kdump team <kdump-team-bugs>
Status: CLOSED NOTABUG
QA Contact: Qiao Zhao <qzhao>
Severity: medium
Docs Contact: Mark Flitter <mflitter>
Priority: high
Version: 7.5
CC: bhe, bhsharma, ruyang
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Linux
Doc Type: No Doc Update
Last Closed: 2017-07-20 03:03:44 UTC
Type: Bug
Bug Blocks: 1473055

Description Qiao Zhao 2017-07-11 09:45:48 UTC
Description of problem:
kexec can't work on a UEFI Secure Boot enabled machine:
# kexec -l /boot/vmlinuz-3.10.0-691.el7.x86_64 --initrd=/boot/initramfs-3.10.0-691.el7.x86_64.img --reuse-cmdline
kexec_load failed: Operation not permitted
entry       = 0x21f5f7730 flags = 0x3e0000
nr_segments = 6
segment[0].buf   = 0xdb6c60
segment[0].bufsz = 0x70
segment[0].mem   = 0x100000
segment[0].memsz = 0x1000
segment[1].buf   = 0xdb6ac0
segment[1].bufsz = 0x190
segment[1].mem   = 0x101000
segment[1].memsz = 0x1000
segment[2].buf   = 0x7fa891baf010
segment[2].bufsz = 0x149c970
segment[2].mem   = 0x21cb63000
segment[2].memsz = 0x149d000
segment[3].buf   = 0x7fa893050410
segment[3].bufsz = 0x596650
segment[3].mem   = 0x21e000000
segment[3].memsz = 0x1411000
segment[4].buf   = 0xdb25f0
segment[4].bufsz = 0x44c6
segment[4].mem   = 0x21f5f2000
segment[4].memsz = 0x5000
segment[5].buf   = 0xdab500
segment[5].bufsz = 0x70e0
segment[5].mem   = 0x21f5f7000
segment[5].memsz = 0x9000

# cat /sys/kernel/security/securelevel 
1


Version-Release number of selected component (if applicable):
kernel-3.10.0-691.el7.x86_64
kexec-tools-2.0.14-17.el7.x86_64
dracut-033-502.el7.x86_64

Additional info:
Kdump works well on a UEFI Secure Boot enabled machine.

Comment 1 Baoquan He 2017-07-11 10:15:55 UTC
Do you use 'root' to execute the command?

Comment 2 Dave Young 2017-07-11 10:31:37 UTC
Please use kexec -l -s to load the kernel.

Comment 3 Qiao Zhao 2017-07-11 11:54:42 UTC
(In reply to Baoquan He from comment #1)
> Do you use 'root' to execute the command?

Yes, user is root.

Comment 4 Qiao Zhao 2017-07-11 11:57:53 UTC
(In reply to Dave Young from comment #2)
> Please use kexec -l -s to load the kernel..

Great! The '-s' option works.

# kexec -l -s /boot/vmlinuz-3.10.0-691.el7.x86_64 --initrd=/boot/initramfs-3.10.0-691.el7.x86_64.img --reuse-cmdline

Other: I didn't find the '-s' option in 'man kexec'. So, can we add this?

Comment 5 Qiao Zhao 2017-07-11 12:07:37 UTC
(In reply to Qiao Zhao from comment #4)
> (In reply to Dave Young from comment #2)
> > Please use kexec -l -s to load the kernel..
> 
> Great! '-s' options work.
> 
> # kexec -l -s /boot/vmlinuz-3.10.0-691.el7.x86_64
> --initrd=/boot/initramfs-3.10.0-691.el7.x86_64.img --reuse-cmdline
> 
> Other: I didn't find '-s' option from 'man kexec'. So, can we add this?

I found this in the kdumpctl code:

        # For secureboot enabled machines, use new kexec file based syscall.
        # Old syscall will always fail as it does not have capability to
        # do kernel signature verification.
        if is_secure_boot_enforced; then
                echo "Secure Boot is enabled. Using kexec file based syscall."
                KEXEC_ARGS="$KEXEC_ARGS -s"
        elif is_secure_mode_enforced; then
                echo "securelevel is set to 1 (Secure Mode). Using kexec file based syscall."
                KEXEC_ARGS="$KEXEC_ARGS -s"
        fi

I think if we add the '-s' option to the kexec manual, it will be useful for the customer.
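The selection logic quoted in comment 5, written out as an added, self-contained shell example (not kdumpctl's own code): it checks securelevel and the UEFI SecureBoot/SetupMode variables and emits -s so kexec uses kexec_file_load, the syscall that lets the kernel verify the image signature. The SYSFS_ROOT override and the efivars byte-layout check are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not kdumpctl's own code. Decide whether kexec must use the
# kexec_file_load syscall (-s): only that path lets the kernel verify the
# signature of the loaded image, so plain kexec_load is rejected with EPERM
# when Secure Boot or securelevel=1 is enforced.
# SYSFS_ROOT is an assumed override so the checks can run against a
# constructed tree instead of the live /sys.
SYSFS_ROOT="${SYSFS_ROOT:-}"

# securelevel=1 (RHEL "Secure Mode") forbids unsigned kexec_load images.
is_secure_mode_enforced() {
    f="$SYSFS_ROOT/sys/kernel/security/securelevel"
    [ -r "$f" ] && [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# efivars files carry a 4-byte attribute header followed by the variable
# data; for SecureBoot and SetupMode the data is a single byte (assumed
# layout). Print that byte as a decimal, or fail if the variable is absent.
efivar_byte() {
    v=$(find "$SYSFS_ROOT/sys/firmware/efi/efivars" -maxdepth 1 \
            -name "$1-*" 2>/dev/null | head -n 1)
    [ -n "$v" ] || return 1
    od -An -t u1 -j 4 -N 1 "$v" | tr -d ' '
}

# Secure Boot is only enforced when SecureBoot=1 and the firmware is not
# in SetupMode (SetupMode=0).
is_secure_boot_enforced() {
    [ "$(efivar_byte SecureBoot)" = "1" ] && [ "$(efivar_byte SetupMode)" = "0" ]
}

# Print the extra kexec arguments kdumpctl would append: "-s" or nothing.
kexec_extra_args() {
    if is_secure_boot_enforced || is_secure_mode_enforced; then
        echo "-s"
    else
        echo ""
    fi
}

echo "extra kexec args on this host: '$(kexec_extra_args)'"
```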