1469450 – [KEXEC] kexec_load failed: Operation not permitted on UEFI SecureBoot enable machine

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1469450 - [KEXEC] kexec_load failed: Operation not permitted on UEFI SecureBoot enable machine

Summary: [KEXEC] kexec_load failed: Operation not permitted on UEFI SecureBoot enable ...

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	kexec-tools
Sub Component:
Version:	7.5
Hardware:	Unspecified
OS:	Linux
Priority:	high
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	kdump team
QA Contact:	Qiao Zhao
Docs Contact:	Mark Flitter
URL:
Whiteboard:
Depends On:
Blocks:	1473055
TreeView+	depends on / blocked

Reported:	2017-07-11 09:45 UTC by Qiao Zhao
Modified:	2017-11-30 13:00 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:	undefined
Clone Of:
Environment:
Last Closed:	2017-07-20 03:03:44 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Qiao Zhao 2017-07-11 09:45:48 UTC

Description of problem:
kexec can't work on UEFI secureboot enable machine,
# kexec -l /boot/vmlinuz-3.10.0-691.el7.x86_64 --initrd=/boot/initramfs-3.10.0-691.el7.x86_64.img --reuse-cmdline
kexec_load failed: Operation not permitted
entry       = 0x21f5f7730 flags = 0x3e0000
nr_segments = 6
segment[0].buf   = 0xdb6c60
segment[0].bufsz = 0x70
segment[0].mem   = 0x100000
segment[0].memsz = 0x1000
segment[1].buf   = 0xdb6ac0
segment[1].bufsz = 0x190
segment[1].mem   = 0x101000
segment[1].memsz = 0x1000
segment[2].buf   = 0x7fa891baf010
segment[2].bufsz = 0x149c970
segment[2].mem   = 0x21cb63000
segment[2].memsz = 0x149d000
segment[3].buf   = 0x7fa893050410
segment[3].bufsz = 0x596650
segment[3].mem   = 0x21e000000
segment[3].memsz = 0x1411000
segment[4].buf   = 0xdb25f0
segment[4].bufsz = 0x44c6
segment[4].mem   = 0x21f5f2000
segment[4].memsz = 0x5000
segment[5].buf   = 0xdab500
segment[5].bufsz = 0x70e0
segment[5].mem   = 0x21f5f7000
segment[5].memsz = 0x9000

# cat /sys/kernel/security/securelevel 
1


Version-Release number of selected component (if applicable):
kernel-3.10.0-691.el7.x86_64
kexec-tools-2.0.14-17.el7.x86_64
dracut-033-502.el7.x86_64

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Kddump work well on UEFI secureboot enable machine.

Comment 1 Baoquan He 2017-07-11 10:15:55 UTC

Do you use 'root' to execute the command?

Comment 2 Dave Young 2017-07-11 10:31:37 UTC

Please use kexec -l -s to load the kernel..

Comment 3 Qiao Zhao 2017-07-11 11:54:42 UTC

(In reply to Baoquan He from comment #1)
> Do you use 'root' to execute the command?

Yes, user is root.

Comment 4 Qiao Zhao 2017-07-11 11:57:53 UTC

(In reply to Dave Young from comment #2)
> Please use kexec -l -s to load the kernel..

Great! '-s' options work.

# kexec -l -s /boot/vmlinuz-3.10.0-691.el7.x86_64 --initrd=/boot/initramfs-3.10.0-691.el7.x86_64.img --reuse-cmdline

Other: I didn't find '-s' option from 'man kexec'. So, can we add this?

Comment 5 Qiao Zhao 2017-07-11 12:07:37 UTC

(In reply to Qiao Zhao from comment #4)
> (In reply to Dave Young from comment #2)
> > Please use kexec -l -s to load the kernel..
> 
> Great! '-s' options work.
> 
> # kexec -l -s /boot/vmlinuz-3.10.0-691.el7.x86_64
> --initrd=/boot/initramfs-3.10.0-691.el7.x86_64.img --reuse-cmdline
> 
> Other: I didn't find '-s' option from 'man kexec'. So, can we add this?

I find some from kdumpctl code:

        # For secureboot enabled machines, use new kexec file based syscall.
        # Old syscall will always fail as it does not have capability to
        # to kernel signature verification.
        if is_secure_boot_enforced; then
                echo "Secure Boot is enabled. Using kexec file based syscall."
                KEXEC_ARGS="$KEXEC_ARGS -s"
        elif is_secure_mode_enforced; then
                echo "securelevel is set to 1 (Secure Mode). Using kexec file based syscall."
                KEXEC_ARGS="$KEXEC_ARGS -s"
        fi

I think if we add '-s' options to kexec manual, it is useful for the customer.

Note You need to log in before you can comment on or make changes to this bug.