Description of problem:
While this seemed to work on Fedora 27, since updating to F28 and F29 I haven't been able to get kdump to work on my server with EFI secure boot enabled.

Version-Release number of selected component (if applicable):
kexec-tools-2.0.17-10.fc29
kernel-4.19.2-300.fc29

How reproducible:
Always

Steps to Reproduce:
1. Enable secure boot
2. Setup kdump
3. Try to get kdump to load kdump kernel

Actual results:
-- Logs begin at Tue 2017-10-17 12:09:10 EDT, end at Sun 2018-11-18 13:48:29 EST. --
Nov 17 02:38:41 Sapphire systemd[1]: Starting Crash recovery kernel arming...
Nov 17 02:38:41 Sapphire kdumpctl[1505]: No kdump initial ramdisk found.
Nov 17 02:38:41 Sapphire kdumpctl[1505]: Rebuilding /boot/initramfs-4.18.18-300.fc29.x86_64kdump.img
Nov 17 02:38:46 Sapphire dracut[2979]: Executing: /usr/bin/dracut --quiet --hostonly --hostonly-cmdline --hostonly-i18n --hostonly-mode strict -o "plymouth dash resume ifcfg" -a watchdog --mount "/dev/mapper/Sapphire-root /sysroot xfs defaults" --no-hostonly-default-device -f /boot/initramfs-4.18.18-300.fc29.x86_64kdump.img 4.18.18-300.fc29.x86_64
Nov 17 02:38:47 Sapphire dracut[2979]: dracut module 'busybox' will not be installed, because command 'busybox' could not be found!
Nov 17 02:38:47 Sapphire dracut[2979]: dracut module 'ifcfg' will not be installed, because it's in the list to be omitted!
Nov 17 02:38:47 Sapphire dracut[2979]: dracut module 'plymouth' will not be installed, because it's in the list to be omitted!
Nov 17 02:38:47 Sapphire dracut[2979]: dracut module 'dmraid' will not be installed, because command 'dmraid' could not be found!
Nov 17 02:38:48 Sapphire dracut[2979]: dracut module 'stratis' will not be installed, because command 'stratisd-init' could not be found!
Nov 17 02:38:48 Sapphire dracut[2979]: dracut module 'resume' will not be installed, because it's in the list to be omitted!
Nov 17 02:38:49 Sapphire dracut[2979]: dracut module 'biosdevname' will not be installed, because command 'biosdevname' could not be found!
Nov 17 02:38:49 Sapphire dracut[2979]: dracut module 'busybox' will not be installed, because command 'busybox' could not be found!
Nov 17 02:38:49 Sapphire dracut[2979]: dracut module 'dmraid' will not be installed, because command 'dmraid' could not be found!
Nov 17 02:38:50 Sapphire dracut[2979]: dracut module 'stratis' will not be installed, because command 'stratisd-init' could not be found!
Nov 17 02:38:50 Sapphire dracut[2979]: *** Including module: bash ***
Nov 17 02:38:50 Sapphire dracut[2979]: *** Including module: systemd ***
Nov 17 02:38:53 Sapphire dracut[2979]: *** Including module: systemd-initrd ***
Nov 17 02:38:53 Sapphire dracut[2979]: *** Including module: watchdog ***
Nov 17 02:38:53 Sapphire kdumpctl[1505]: /usr/lib/dracut/modules.d/04watchdog/module-setup.sh: line 44: /sys/class/watchdog/watchdog0/device/modalias: No such file or directory
Nov 17 02:38:53 Sapphire dracut[2979]: *** Including module: nss-softokn ***
Nov 17 02:38:53 Sapphire dracut[2979]: *** Including module: i18n ***
Nov 17 02:38:54 Sapphire dracut[2979]: *** Including module: drm ***
Nov 17 02:38:57 Sapphire dracut[2979]: *** Including module: dm ***
Nov 17 02:38:58 Sapphire dracut[2979]: Skipping udev rule: 64-device-mapper.rules
Nov 17 02:38:58 Sapphire dracut[2979]: Skipping udev rule: 60-persistent-storage-dm.rules
Nov 17 02:38:58 Sapphire dracut[2979]: Skipping udev rule: 55-dm.rules
Nov 17 02:38:58 Sapphire dracut[2979]: *** Including module: kernel-modules ***
Nov 17 02:39:00 Sapphire dracut[2979]: *** Including module: kernel-modules-extra ***
Nov 17 02:39:00 Sapphire dracut[2979]: kernel-modules-extra: configuration source "/run/depmod.d/" does not exist
Nov 17 02:39:00 Sapphire dracut[2979]: kernel-modules-extra: configuration source "/etc/depmod.d/" is ignored (directory or doesn't exist)
Nov 17 02:39:00 Sapphire dracut[2979]: kernel-modules-extra: configuration source "/lib/depmod.d/" does not exist
Nov 17 02:39:00 Sapphire dracut[2979]: *** Including module: lvm ***
Nov 17 02:39:01 Sapphire dracut[2979]: Skipping udev rule: 64-device-mapper.rules
Nov 17 02:39:01 Sapphire dracut[2979]: Skipping udev rule: 56-lvm.rules
Nov 17 02:39:01 Sapphire dracut[2979]: Skipping udev rule: 60-persistent-storage-lvm.rules
Nov 17 02:39:01 Sapphire dracut[2979]: *** Including module: mdraid ***
Nov 17 02:39:01 Sapphire dracut[2979]: Skipping udev rule: 64-md-raid.rules
Nov 17 02:39:02 Sapphire dracut[2979]: *** Including module: fstab-sys ***
Nov 17 02:39:02 Sapphire dracut[2979]: *** Including module: rootfs-block ***
Nov 17 02:39:02 Sapphire dracut[2979]: *** Including module: terminfo ***
Nov 17 02:39:02 Sapphire dracut[2979]: *** Including module: udev-rules ***
Nov 17 02:39:02 Sapphire dracut[2979]: Skipping udev rule: 40-redhat.rules
Nov 17 02:39:02 Sapphire dracut[2979]: Skipping udev rule: 50-firmware.rules
Nov 17 02:39:02 Sapphire dracut[2979]: Skipping udev rule: 50-udev.rules
Nov 17 02:39:03 Sapphire dracut[2979]: Skipping udev rule: 91-permissions.rules
Nov 17 02:39:03 Sapphire dracut[2979]: Skipping udev rule: 80-drivers-modprobe.rules
Nov 17 02:39:03 Sapphire dracut[2979]: *** Including module: dracut-systemd ***
Nov 17 02:39:03 Sapphire dracut[2979]: *** Including module: usrmount ***
Nov 17 02:39:03 Sapphire dracut[2979]: *** Including module: base ***
Nov 17 02:39:04 Sapphire dracut[2979]: *** Including module: fs-lib ***
Nov 17 02:39:04 Sapphire dracut[2979]: *** Including module: kdumpbase ***
Nov 17 02:39:06 Sapphire dracut[2979]: *** Including module: shutdown ***
Nov 17 02:39:07 Sapphire dracut[2979]: *** Including modules done ***
Nov 17 02:39:07 Sapphire dracut[2979]: *** Installing kernel module dependencies ***
Nov 17 02:39:07 Sapphire dracut[2979]: *** Installing kernel module dependencies done ***
Nov 17 02:39:07 Sapphire dracut[2979]: *** Resolving executable dependencies ***
Nov 17 02:39:11 Sapphire dracut[2979]: *** Resolving executable dependencies done ***
Nov 17 02:39:11 Sapphire dracut[2979]: *** Hardlinking files ***
Nov 17 02:39:11 Sapphire dracut[2979]: *** Hardlinking files done ***
Nov 17 02:39:11 Sapphire dracut[2979]: *** Stripping files ***
Nov 17 02:39:11 Sapphire dracut[2979]: *** Stripping files done ***
Nov 17 02:39:11 Sapphire dracut[2979]: *** Generating early-microcode cpio image ***
Nov 17 02:39:11 Sapphire dracut[2979]: *** Constructing AuthenticAMD.bin ****
Nov 17 02:39:11 Sapphire dracut[2979]: *** Store current command line parameters ***
Nov 17 02:39:11 Sapphire dracut[2979]: Stored kernel commandline:
Nov 17 02:39:11 Sapphire dracut[2979]: rd.lvm.lv=Sapphire/root
Nov 17 02:39:11 Sapphire dracut[2979]: rd.md.uuid=46c281b8:f0f444a7:dfebee61:2a9edd77
Nov 17 02:39:11 Sapphire dracut[2979]: *** Creating image file '/boot/initramfs-4.18.18-300.fc29.x86_64kdump.img' ***
Nov 17 02:39:14 Sapphire dracut[2979]: *** Creating initramfs image file '/boot/initramfs-4.18.18-300.fc29.x86_64kdump.img' done ***
Nov 17 02:39:16 Sapphire kdumpctl[1505]: Secure Boot is enabled. Using kexec file based syscall.
Nov 17 02:39:17 Sapphire kdumpctl[1505]: kexec_file_load failed: Required key not available
Nov 17 02:39:17 Sapphire kdumpctl[1505]: kexec: failed to load kdump kernel
Nov 17 02:39:17 Sapphire kdumpctl[1505]: Starting kdump: [FAILED]
Nov 17 02:39:17 Sapphire systemd[1]: kdump.service: Main process exited, code=exited, status=1/FAILURE
Nov 17 02:39:17 Sapphire systemd[1]: kdump.service: Failed with result 'exit-code'.
Nov 17 02:39:17 Sapphire systemd[1]: Failed to start Crash recovery kernel arming.

With the addition of:
…
[ 64.297084] PKCS#7 signature not signed with a trusted key
…
in dmesg

Expected results:
kdump kernel should load
The root cause is that MokListRT is missing after shim-15. Rolling back to shim < 15, or adding the Fedora Secure Boot CA key to the trusted keys in EFI, would fix it. Reassigning to shim.
Any update on this?
Hi, any update? This should have been fixed upstream; it needs to be backported.
Is this Fedora 30 only or also including 31 and rawhide?
Also, if kdump does not work, then kexec reboot will not work either. Updated the bug summary line.
The fix is needed for rawhide, f32, and f31.
Rejected as a prioritized bug. Assigning it to an active maintainer should be enough to move this along.
https://meetbot.fedoraproject.org/fedora-meeting/2020-02-26/fedora_prioritized_bugs_and_issues.2020-02-26-16.00.log.html#l-85

Setting status to POST since there's an upstream fix
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Hello all,
Fedora 32 still affected

uname -a
Linux localhost.localdomain 5.6.4-300.fc32.x86_64 #1 SMP Mon Apr 13 14:31:58 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

cat /etc/fedora-release
Fedora release 32 (Thirty Two)

I followed manual
https://fedoraproject.org/wiki/How_to_use_kdump_to_debug_kernel_crashes

systemctl start kdump.service
Apr 15 08:52:11 localhost.localdomain kdumpctl[10091]: Using kexec file based syscall.
Apr 15 08:52:11 localhost.localdomain kdumpctl[10388]: kexec_file_load failed: Operation not permitted
Apr 15 08:52:11 localhost.localdomain kdumpctl[10091]: kexec: failed to load kdump kernel
Apr 15 08:52:11 localhost.localdomain kdumpctl[10091]: kexec_file_load() failed, please try kexec_load()

crashkernel is reserved
cat /proc/iomem |grep -i crash
b0000000-b7ffffff : Crash kernel

secureboot is enabled
dmesg|grep -i secure
[ 0.000000] secureboot: Secure boot enabled
[ 0.000000] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
[ 0.029362] secureboot: Secure boot enabled

Feel free to reach me if you need a hand to debug, but I need some input here
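A triage sketch for the two failure messages reported in this bug, added here as an example and not taken from kexec-tools, shim or any commenter: it classifies the `kexec_file_load` error in journal text and checks whether shim exported `MokListRT`, the variable the root-cause comment names as missing. The function names, verdict strings and sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and verdict strings are hypothetical.

# Constructed sample: the failing lines from the Fedora 29 report above.
SAMPLE_LOG='kdumpctl[1505]: Secure Boot is enabled. Using kexec file based syscall.
kdumpctl[1505]: kexec_file_load failed: Required key not available
kdumpctl[1505]: kexec: failed to load kdump kernel'

# Map journal text on stdin to the errno kexec_file_load() reported.
kexec_errno() {
    log=$(cat)
    case $log in
        *"kexec_file_load failed: Required key not available"*) echo ENOKEY ;;
        *"kexec_file_load failed: Operation not permitted"*)    echo EPERM ;;
        *"kexec_file_load failed"*)                             echo OTHER ;;
        *)                                                      echo NONE ;;
    esac
}

# True when a MokListRT variable is visible; $1 overrides the efivars path.
mok_list_rt_present() {
    dir=${1:-/sys/firmware/efi/efivars}
    for f in "$dir"/MokListRT-*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Combine both checks: journal text on stdin, optional efivars dir as $1.
triage() {
    err=$(kexec_errno)
    if mok_list_rt_present "$1"; then mok=present; else mok=missing; fi
    case "$err/$mok" in
        # Matches the root cause stated in this bug (shim 15 without MokListRT).
        ENOKEY/missing) echo "signer-key-untrusted: MokListRT missing" ;;
        ENOKEY/present) echo "signer-key-untrusted: MokListRT present, inspect enrolled keys" ;;
        # The Fedora 32 comment shows this error on a kernel locked down by Secure Boot.
        EPERM/*)        echo "refused-under-lockdown: MokListRT $mok" ;;
        NONE/*)         echo "no-kexec-failure-in-log" ;;
        *)              echo "unclassified: $err, MokListRT $mok" ;;
    esac
}
```

On a live system, `journalctl -b -u kdump.service | triage` runs both checks against the real efivars directory.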
This message is a reminder that Fedora 30 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 30 on 2020-05-26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '30'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 30 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Hi, any update? This bug has been in POST status for some time.
Fedora 30 changed to end-of-life (EOL) status on 2020-05-26. Fedora 30 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
(In reply to kevit from comment #9)
> Hello all,
> Fedora 32 still affected
>
> uname -a
> Linux localhost.localdomain 5.6.4-300.fc32.x86_64 #1 SMP Mon Apr 13 14:31:58
> UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
>
> cat /etc/fedora-release
> Fedora release 32 (Thirty Two)
>
> I followed manual
> https://fedoraproject.org/wiki/How_to_use_kdump_to_debug_kernel_crashes
>
> systemctl start kdump.service
> Apr 15 08:52:11 localhost.localdomain kdumpctl[10091]: Using kexec file
> based syscall.
> Apr 15 08:52:11 localhost.localdomain kdumpctl[10388]: kexec_file_load
> failed: Operation not permitted
> Apr 15 08:52:11 localhost.localdomain kdumpctl[10091]: kexec: failed to load
> kdump kernel
> Apr 15 08:52:11 localhost.localdomain kdumpctl[10091]: kexec_file_load()
> failed, please try kexec_load()
>
> crashkernel is reserved
> cat /proc/iomem |grep -i crash
> b0000000-b7ffffff : Crash kernel
>
> secureboot is enabled
> dmesg|grep -i secure
> [ 0.000000] secureboot: Secure boot enabled
> [ 0.000000] Kernel is locked down from EFI Secure Boot mode; see man
> kernel_lockdown.7
> [ 0.029362] secureboot: Secure boot enabled
>
> Feel free to reach me if you need a hand to debug, but I need some input here

The same occurred on my Fedora. I didn't know how to fix it, and it seems like the bug page is EOL. Should we reopen, or open a new bug with this info?
FEDORA-2021-cab258a413 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-cab258a413
Update pending
FEDORA-2021-cab258a413 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-cab258a413` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-cab258a413 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-cab258a413 has been pushed to the Fedora 34 stable repository. If the problem still persists, please make note of it in this bug report.