Bug 1994858

Summary: Set CONFIG_KEXEC_SIG=y in the ARM RHEL9 kernel?
Product: Red Hat Enterprise Linux 9 Reporter: Coiby <coxu>
Component: kernelAssignee: Coiby <coxu>
kernel sub component: kexec - kdump QA Contact: Ruowen Qin <ruqin>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: medium CC: cye, hkrzesin, jieli, lijiang, ruqin, ruyang, skurup, xiawu
Version: 9.0Keywords: Triaged
Target Milestone: beta   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel-5.14.0-21.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1976835
: 2133262 (view as bug list) Environment:
Last Closed: 2022-05-17 15:38:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1976835    
Bug Blocks: 1951392    

Description Coiby 2021-08-18 02:44:35 UTC 
+++ This bug was initially created as a clone of Bug #1976835 +++

+++ This bug was initially created as a clone of Bug #1815369 +++

Description of problem:

Previously, with kexec_file_load() interface, kernel prevents unsigned kernel image from being loaded if secure boot is enabled.
    
Now, the implementation of kexec_file_load() is adjusted in below commit. With this change, if CONFIG_KEXEC_SIG_FORCE is not set, unsigned kernel still has a chance to be allowed to load under some conditions.
    
commit 99d5cadfde2b ("kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE")

Version-Release number of selected component (if applicable):


How reproducible:
Always.

Steps to Reproduce:
1. kexec -s -l xxx
2. 
3.

Actual results:


Expected results:


Additional info:

Test unsigned and signed kernel in Secure boot and Legacy mode.

--- Additional comment from Thomas Huth on 2021-06-28 18:44:05 HKT ---

Seems like the related Kconfig settings have not been forwarded to RHEL9 - at least on s390x, I cannot see CONFIG_KEXEC_SIG=y set yet

--- Additional comment from Emma Wu on 2021-06-29 11:33:27 HKT ---

Hi Ruowen, 


Can you check whether it's reproducible on RHEL9? We have a x86_64 bare-emtal in office which you could enable/disable secureboot.
kexec load is expected to fail on a secureboot enabled system if the kexec kernel is unsigned .

Thanks,
Emma

--- Additional comment from Ruowen Qin on 2021-07-01 13:41:58 HKT ---

(In reply to Emma Wu from comment #2)
> Hi Ruowen, 
> 
> 
> Can you check whether it's reproducible on RHEL9? We have a x86_64
> bare-emtal in office which you could enable/disable secureboot.
> kexec load is expected to fail on a secureboot enabled system if the kexec
> kernel is unsigned .
> 
> Thanks,
> Emma

Hi Emma,

This bug currently is blocked by bz1977707 and bz1977651, which makes kdump cannot run kexec_file_load syscall on UEFI machine.

Thanks,
Ruowen

--- Additional comment from Dave Young on 2021-07-13 17:19:02 HKT ---

https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1227

--- Additional comment from Ruowen Qin on 2021-08-02 13:53:45 HKT ---


Tested on RHEL-9.0.0-20210726.1 
Components:
distro=RHEL-9.0.0-20210726.1
kexec-tools-2.0.22-10.el9
kernel-5.14.0-0.rc2.23.el9



# New option doesn’t present on kernel-5.13.0-1.el9
cat /lib/modules/5.13.0-1.el9.x86_64/config
CONFIG_SCHED_HRTICK=y
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
# CONFIG_KEXEC_SIG is not set
CONFIG_CRASH_DUMP=y

# Verified kernel config has been changed on kernel-5.14.0-0.rc2.23.el9
cat /lib/modules/5.14.0-0.rc2.23.el9.x86_64/config
...
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
CONFIG_KEXEC_SIG=y
# CONFIG_KEXEC_SIG_FORCE is not set
...


# kexec_file_load() works on legacy BIOS
Verified by automation
https://beaker.engineering.redhat.com/jobs/5658891
https://beaker.engineering.redhat.com/jobs/5658475 
https://beaker.engineering.redhat.com/jobs/5658471 
https://beaker.engineering.redhat.com/jobs/5658468 

ppc64le local dump failed due to bz1987138
aarch64 case warned due to bz1930494

# kexec_file_load() works on UEFI without secure boot
Verified by automation
https://beaker.engineering.redhat.com/jobs/5648308 

kexec_file_load() on UEFI with secure boot enable blocks by bz1977651

--- Additional comment from errata-xmlrpc on 2021-08-02 14:00:48 HKT ---

This bug has been added to advisory RHSA-2021:74866 by auto/ptp-jenkins (auto/ptp-jenkins)

--- Additional comment from errata-xmlrpc on 2021-08-02 14:00:50 HKT ---

Bug report changed to ON_QA status by Errata System.
A QE request has been submitted for advisory RHSA-2021:74866-18
https://errata.devel.redhat.com/advisory/74866

--- Additional comment from errata-xmlrpc on 2021-08-02 14:01:02 HKT ---

This bug has been added to advisory RHSA-2021:74866 by auto/ptp-jenkins (auto/ptp-jenkins)

--- Additional comment from Ruowen Qin on 2021-08-03 12:33:15 HKT ---

Tested on RHEL-9.0.0-20210729.2 
Components:
distro=RHEL-9.0.0-20210729.2
kexec-tools-2.0.22-11.el9
kernel-5.14.0-0.rc3.29.el9



# New option doesn’t present on kernel-5.13.0-1.el9
cat /lib/modules/5.13.0-1.el9.x86_64/config
...
CONFIG_SCHED_HRTICK=y
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
# CONFIG_KEXEC_SIG is not set
CONFIG_CRASH_DUMP=y
...

# Verified kernel config has been changed on kernel-5.14.0-0.rc3.29.el9
cat /lib/modules/5.14.0-0.rc3.29.el9.x86_64/config
...
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
CONFIG_KEXEC_SIG=y
# CONFIG_KEXEC_SIG_FORCE is not set
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
CONFIG_CRASH_DUMP=y
...


# kexec_file_load() works on legacy BIOS
Verified by automation
https://beaker.engineering.redhat.com/jobs/5659072 s390x
https://beaker.engineering.redhat.com/jobs/5659532 x86_64
https://beaker.engineering.redhat.com/jobs/5659533 ppc64le
https://beaker.engineering.redhat.com/jobs/5659071 aarch64

ppc64le local dump failed due to bz1987138
aarch64 case warned due to bz1930494

# kexec_file_load() works on UEFI without secure boot
Verified by automation
https://beaker.engineering.redhat.com/jobs/5659074 

kexec_file_load() on UEFI with secure boot enable blocks by bz1977651
Comment 1 Coiby 2021-08-18 02:52:15 UTC 
After having discussion with Dave, the plan is to fix it in GA. The solution is to revert https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1227 and enable common/generic/CONFIG_KEXEC_SIG since all arches will be supported as suggested by pbrobinsin [1].

[1] https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1227#note_623274617
Comment 14 errata-xmlrpc 2022-05-17 15:38:55 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: kernel), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3907