Bug 1651016
Summary: | kexec/kdump kernel fails to load with EFI secure boot enabled | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Lyude <lyude> |
Component: | shim | Assignee: | Bootloader engineering team <bootloader-eng-team> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | ||
Version: | rawhide | CC: | bhe, dkaylor, jaredz, joe, kasong, mattdm, mjg59, pbrobinson, pjones, root, ruyang, samuel-rhbugs, xiawu |
Target Milestone: | --- | Keywords: | Reopened, Tracking |
Target Release: | --- | Flags: | bcotton:
fedora_prioritized_bug-
|
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | shim-15.4-4 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2021-04-23 21:03:21 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Lyude
2018-11-18 18:57:30 UTC
Root cause is MokListRT is missing after shim-15. Rollback to shim < 15, or add Fedora Secure Boot CA key to trusted keys in EFI would fix it. Reassigning to shim. Any update on this? Hi, any update? This should have been fixed in upstream, need to be backported. Is this Fedora 30 only or also including 31 and rawhide? Also, if kdump does not work then kexec reboot will not work as well, updated the bug summary line The fix is needed for rawhide, f32, and f31. Rejected as a prioritized bug. Assigning it to an active maintainer should be enough to move this along. https://meetbot.fedoraproject.org/fedora-meeting/2020-02-26/fedora_prioritized_bugs_and_issues.2020-02-26-16.00.log.html#l-85 Setting status to POST since there's an upstream fix This package has changed maintainer in the Fedora. Reassigning to the new maintainer of this component. Hello all, Fedora 32 still affected uname -a Linux localhost.localdomain 5.6.4-300.fc32.x86_64 #1 SMP Mon Apr 13 14:31:58 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux cat /etc/fedora-release Fedora release 32 (Thirty Two) I followed manual https://fedoraproject.org/wiki/How_to_use_kdump_to_debug_kernel_crashes systemctl start kdump.service Apr 15 08:52:11 localhost.localdomain kdumpctl[10091]: Using kexec file based syscall. Apr 15 08:52:11 localhost.localdomain kdumpctl[10388]: kexec_file_load failed: Operation not permitted Apr 15 08:52:11 localhost.localdomain kdumpctl[10091]: kexec: failed to load kdump kernel Apr 15 08:52:11 localhost.localdomain kdumpctl[10091]: kexec_file_load() failed, please try kexec_load() crashkernel is reserverd cat /proc/iomem |grep -i crash b0000000-b7ffffff : Crash kernel secureboot is enabled dmesg|grep -i secure [ 0.000000] secureboot: Secure boot enabled [ 0.000000] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7 [ 0.029362] secureboot: Secure boot enabled Feel free to reach me if you need a hand to debug, but I need some input here This message is a reminder that Fedora 30 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 30 on 2020-05-26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '30'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 30 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. Hi, any update? This bug has been in POST status for some time. Fedora 30 changed to end-of-life (EOL) status on 2020-05-26. Fedora 30 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed. (In reply to kevit from comment #9) > Hello all, > Fedora 32 still affected > > uname -a > Linux localhost.localdomain 5.6.4-300.fc32.x86_64 #1 SMP Mon Apr 13 14:31:58 > UTC 2020 x86_64 x86_64 x86_64 GNU/Linux > > cat /etc/fedora-release > Fedora release 32 (Thirty Two) > > I followed manual > https://fedoraproject.org/wiki/How_to_use_kdump_to_debug_kernel_crashes > > systemctl start kdump.service > Apr 15 08:52:11 localhost.localdomain kdumpctl[10091]: Using kexec file > based syscall. > Apr 15 08:52:11 localhost.localdomain kdumpctl[10388]: kexec_file_load > failed: Operation not permitted > Apr 15 08:52:11 localhost.localdomain kdumpctl[10091]: kexec: failed to load > kdump kernel > Apr 15 08:52:11 localhost.localdomain kdumpctl[10091]: kexec_file_load() > failed, please try kexec_load() > > crashkernel is reserverd > cat /proc/iomem |grep -i crash > b0000000-b7ffffff : Crash kernel > > secureboot is enabled > dmesg|grep -i secure > [ 0.000000] secureboot: Secure boot enabled > [ 0.000000] Kernel is locked down from EFI Secure Boot mode; see man > kernel_lockdown.7 > [ 0.029362] secureboot: Secure boot enabled > > Feel free to reach me if you need a hand to debug, but I need some input here Same as my Fedora occured, I didn't know how can fix it, and seems like the bug page is EOL, should we reopen or open a new bug with this info? FEDORA-2021-cab258a413 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-cab258a413 Update pending FEDORA-2021-cab258a413 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-cab258a413` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-cab258a413 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2021-cab258a413 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report. |