Bug 1469450 - [KEXEC] kexec_load failed: Operation not permitted on UEFI SecureBoot enable machine
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: kexec-tools (Show other bugs)
Version: 7.5
Hardware: Unspecified
OS: Linux
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: kdump team
QA Contact: Qiao Zhao
Docs Contact: Mark Flitter
Blocks: 1473055
Reported: 2017-07-11 05:45 EDT by Qiao Zhao
Modified: 2017-11-30 08:00 EST (History)

Doc Type: No Doc Update
Last Closed: 2017-07-19 23:03:44 EDT
Type: Bug

Attachments: None
Description Qiao Zhao 2017-07-11 05:45:48 EDT
Description of problem:
kexec does not work on a UEFI Secure Boot enabled machine:
# kexec -l /boot/vmlinuz-3.10.0-691.el7.x86_64 --initrd=/boot/initramfs-3.10.0-691.el7.x86_64.img --reuse-cmdline
kexec_load failed: Operation not permitted
entry       = 0x21f5f7730 flags = 0x3e0000
nr_segments = 6
segment[0].buf   = 0xdb6c60
segment[0].bufsz = 0x70
segment[0].mem   = 0x100000
segment[0].memsz = 0x1000
segment[1].buf   = 0xdb6ac0
segment[1].bufsz = 0x190
segment[1].mem   = 0x101000
segment[1].memsz = 0x1000
segment[2].buf   = 0x7fa891baf010
segment[2].bufsz = 0x149c970
segment[2].mem   = 0x21cb63000
segment[2].memsz = 0x149d000
segment[3].buf   = 0x7fa893050410
segment[3].bufsz = 0x596650
segment[3].mem   = 0x21e000000
segment[3].memsz = 0x1411000
segment[4].buf   = 0xdb25f0
segment[4].bufsz = 0x44c6
segment[4].mem   = 0x21f5f2000
segment[4].memsz = 0x5000
segment[5].buf   = 0xdab500
segment[5].bufsz = 0x70e0
segment[5].mem   = 0x21f5f7000
segment[5].memsz = 0x9000

# cat /sys/kernel/security/securelevel 
1


Version-Release number of selected component (if applicable):
kernel-3.10.0-691.el7.x86_64
kexec-tools-2.0.14-17.el7.x86_64
dracut-033-502.el7.x86_64

Additional info:
Kdump works well on a UEFI Secure Boot enabled machine.
Comment 1 Baoquan He 2017-07-11 06:15:55 EDT
Do you use 'root' to execute the command?
Comment 2 Dave Young 2017-07-11 06:31:37 EDT
Please use kexec -l -s to load the kernel.
Comment 3 Qiao Zhao 2017-07-11 07:54:42 EDT
(In reply to Baoquan He from comment #1)
> Do you use 'root' to execute the command?

Yes, user is root.
Comment 4 Qiao Zhao 2017-07-11 07:57:53 EDT
(In reply to Dave Young from comment #2)
> Please use kexec -l -s to load the kernel..

Great! The '-s' option works.

# kexec -l -s /boot/vmlinuz-3.10.0-691.el7.x86_64 --initrd=/boot/initramfs-3.10.0-691.el7.x86_64.img --reuse-cmdline

Other: I didn't find the '-s' option in 'man kexec'. So, can we add this?
Comment 5 Qiao Zhao 2017-07-11 08:07:37 EDT
(In reply to Qiao Zhao from comment #4)
> (In reply to Dave Young from comment #2)
> > Please use kexec -l -s to load the kernel..
> 
> Great! '-s' options work.
> 
> # kexec -l -s /boot/vmlinuz-3.10.0-691.el7.x86_64
> --initrd=/boot/initramfs-3.10.0-691.el7.x86_64.img --reuse-cmdline
> 
> Other: I didn't find '-s' option from 'man kexec'. So, can we add this?

I found this in the kdumpctl code:

        # For secureboot enabled machines, use new kexec file based syscall.
        # Old syscall will always fail as it does not have capability to
        # do kernel signature verification.
        if is_secure_boot_enforced; then
                echo "Secure Boot is enabled. Using kexec file based syscall."
                KEXEC_ARGS="$KEXEC_ARGS -s"
        elif is_secure_mode_enforced; then
                echo "securelevel is set to 1 (Secure Mode). Using kexec file based syscall."
                KEXEC_ARGS="$KEXEC_ARGS -s"
        fi

I think if we add the '-s' option to the kexec manual, it will be useful for customers.

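As an added example (not code from kexec-tools or kdumpctl), here is a self-contained POSIX shell version of the check quoted in comment 5: it reads the UEFI SecureBoot variable and securelevel and emits the -s argument so that kexec uses the kexec_file_load syscall, the one that lets the kernel verify the kernel image signature, instead of kexec_load, which is refused with EPERM on this machine. The efivars and securelevel paths are the real sysfs locations, assumed here; the functions take them as parameters so the decision logic can be exercised on constructed files, and the example does not look at the SetupMode variable.

```shell
#!/bin/sh
# Added example, not code from kexec-tools or kdumpctl: decide which kexec
# arguments a Secure Boot / securelevel=1 system needs.  The legacy
# kexec_load syscall cannot verify a kernel signature and fails with EPERM;
# kexec_file_load (kexec -s) passes the kernel file to the kernel, which
# verifies the signature itself.

# Assumed sysfs locations on RHEL 7; passed in so the functions can also be
# run against constructed files.
EFI_SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
SECURELEVEL=/sys/kernel/security/securelevel

# UEFI Secure Boot is enabled when the 5th byte of the efivars file is 1
# (the first 4 bytes are the variable attributes).
secure_boot_enforced() {
    [ -r "$1" ] || return 1
    [ "$(od -An -t u1 -j 4 -N 1 "$1" | tr -d ' ')" = 1 ]
}

# securelevel=1 also makes the kernel refuse unsigned kexec images.
secure_mode_enforced() {
    [ -r "$1" ] && [ "$(cat "$1")" = 1 ]
}

# Print "-s" when either mechanism is active, nothing otherwise.
kexec_extra_args() {
    if secure_boot_enforced "$1" || secure_mode_enforced "$2"; then
        printf '%s' '-s'
    fi
}

# Constructed fixtures: a fake efivar with Secure Boot on/off and fake
# securelevel files, so the decision logic runs on any machine.
constructed_fixtures() {
    d=$(mktemp -d)
    printf '\007\000\000\000\001' > "$d/sb_on"    # attrs=7, value=1
    printf '\007\000\000\000\000' > "$d/sb_off"   # attrs=7, value=0
    echo 1 > "$d/sl1"
    echo 0 > "$d/sl0"
    printf '%s' "$d"
}

# Stand-alone run: show the decision for the constructed cases, then for
# this machine (kexec itself is never invoked).
d=$(constructed_fixtures)
echo "secure boot on,  securelevel 0: kexec -l $(kexec_extra_args "$d/sb_on" "$d/sl0") <kernel>"
echo "secure boot off, securelevel 1: kexec -l $(kexec_extra_args "$d/sb_off" "$d/sl1") <kernel>"
echo "secure boot off, securelevel 0: kexec -l $(kexec_extra_args "$d/sb_off" "$d/sl0") <kernel>"
echo "this machine:                   kexec -l $(kexec_extra_args "$EFI_SB_VAR" "$SECURELEVEL") <kernel>"
rm -rf "$d"
```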