Bug 2004384

Summary: [aarch64] kernel image signed by MOK key couldn't be loaded via kexec when lockdown is enabled
Product: Red Hat Enterprise Linux 9 Reporter: Coiby <coxu>
Component: kernelAssignee: Coiby <coxu>
kernel sub component: kexec - kdump QA Contact: Jie Li <jieli>
Status: CLOSED ERRATA Docs Contact:
Severity: unspecified    
Priority: medium CC: jieli, piliu, ruyang, xiawu, yiyan
Version: 9.0Keywords: Triaged
Target Milestone: beta   
Target Release: ---   
Hardware: aarch64   
OS: Unspecified   
Whiteboard:
Fixed In Version: kernel-5.14.0-178.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1986249 Environment:
Last Closed: 2023-05-09 07:55:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1986249, 2002350    
Bug Blocks:    

Description Coiby 2021-09-15 07:35:15 UTC 
+++ This bug was initially created as a clone of Bug #1986249 +++

Description of problem:

If a kernel image is signed by a MOK key which has been enrolled but is not included in the system keyring, this kernel image would be rejected with the error "Lockdown: kexec: kexec of unsigned images is restricted; see man kernel_lockdown.7". 

Version-Release number of selected component (if applicable):


How reproducible:

always

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 14 errata-xmlrpc 2023-05-09 07:55:38 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: kernel security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2458