Bug 1651016 - kexec/kdump kernel fails to load with EFI secure boot enabled
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: shim
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Bootloader engineering team
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-11-18 18:57 UTC by Lyude
Modified: 2021-04-23 21:03 UTC (History)

Fixed In Version: shim-15.4-4
Last Closed: 2021-04-23 21:03:21 UTC
Type: Bug
bcotton: fedora_prioritized_bug-



Description Lyude 2018-11-18 18:57:30 UTC
Description of problem:
While this seemed to work on Fedora 27, since updating to F28 and F29 I haven't been able to get kdump to work on my server with EFI secure boot enabled.

Version-Release number of selected component (if applicable):
kexec-tools-2.0.17-10.fc29
kernel-4.19.2-300.fc29

How reproducible:
Always

Steps to Reproduce:
1. Enable secure boot
2. Set up kdump
3. Try to get kdump to load kdump kernel

Actual results:
-- Logs begin at Tue 2017-10-17 12:09:10 EDT, end at Sun 2018-11-18 13:48:29 EST. --
Nov 17 02:38:41 Sapphire systemd[1]: Starting Crash recovery kernel arming...
Nov 17 02:38:41 Sapphire kdumpctl[1505]: No kdump initial ramdisk found.
Nov 17 02:38:41 Sapphire kdumpctl[1505]: Rebuilding /boot/initramfs-4.18.18-300.fc29.x86_64kdump.img
Nov 17 02:38:46 Sapphire dracut[2979]: Executing: /usr/bin/dracut --quiet --hostonly --hostonly-cmdline --hostonly-i18n --hostonly-mode strict -o "plymouth dash resume ifcfg" -a watchdog --mount "/dev/mapper/Sapphire-root /sysroot xfs defaults" --no-hostonly-default-device -f /boot/initramfs-4.18.18-300.fc29.x86_64kdump.img 4.18.18-300.fc29.x86_64
Nov 17 02:38:47 Sapphire dracut[2979]: dracut module 'busybox' will not be installed, because command 'busybox' could not be found!
Nov 17 02:38:47 Sapphire dracut[2979]: dracut module 'ifcfg' will not be installed, because it's in the list to be omitted!
Nov 17 02:38:47 Sapphire dracut[2979]: dracut module 'plymouth' will not be installed, because it's in the list to be omitted!
Nov 17 02:38:47 Sapphire dracut[2979]: dracut module 'dmraid' will not be installed, because command 'dmraid' could not be found!
Nov 17 02:38:48 Sapphire dracut[2979]: dracut module 'stratis' will not be installed, because command 'stratisd-init' could not be found!
Nov 17 02:38:48 Sapphire dracut[2979]: dracut module 'resume' will not be installed, because it's in the list to be omitted!
Nov 17 02:38:49 Sapphire dracut[2979]: dracut module 'biosdevname' will not be installed, because command 'biosdevname' could not be found!
Nov 17 02:38:49 Sapphire dracut[2979]: dracut module 'busybox' will not be installed, because command 'busybox' could not be found!
Nov 17 02:38:49 Sapphire dracut[2979]: dracut module 'dmraid' will not be installed, because command 'dmraid' could not be found!
Nov 17 02:38:50 Sapphire dracut[2979]: dracut module 'stratis' will not be installed, because command 'stratisd-init' could not be found!
Nov 17 02:38:50 Sapphire dracut[2979]: *** Including module: bash ***
Nov 17 02:38:50 Sapphire dracut[2979]: *** Including module: systemd ***
Nov 17 02:38:53 Sapphire dracut[2979]: *** Including module: systemd-initrd ***
Nov 17 02:38:53 Sapphire dracut[2979]: *** Including module: watchdog ***
Nov 17 02:38:53 Sapphire kdumpctl[1505]: /usr/lib/dracut/modules.d/04watchdog/module-setup.sh: line 44: /sys/class/watchdog/watchdog0/device/modalias: No such file or directory
Nov 17 02:38:53 Sapphire dracut[2979]: *** Including module: nss-softokn ***
Nov 17 02:38:53 Sapphire dracut[2979]: *** Including module: i18n ***
Nov 17 02:38:54 Sapphire dracut[2979]: *** Including module: drm ***
Nov 17 02:38:57 Sapphire dracut[2979]: *** Including module: dm ***
Nov 17 02:38:58 Sapphire dracut[2979]: Skipping udev rule: 64-device-mapper.rules
Nov 17 02:38:58 Sapphire dracut[2979]: Skipping udev rule: 60-persistent-storage-dm.rules
Nov 17 02:38:58 Sapphire dracut[2979]: Skipping udev rule: 55-dm.rules
Nov 17 02:38:58 Sapphire dracut[2979]: *** Including module: kernel-modules ***
Nov 17 02:39:00 Sapphire dracut[2979]: *** Including module: kernel-modules-extra ***
Nov 17 02:39:00 Sapphire dracut[2979]:   kernel-modules-extra: configuration source "/run/depmod.d/" does not exist
Nov 17 02:39:00 Sapphire dracut[2979]:   kernel-modules-extra: configuration source "/etc/depmod.d/" is ignored (directory or doesn't exist)
Nov 17 02:39:00 Sapphire dracut[2979]:   kernel-modules-extra: configuration source "/lib/depmod.d/" does not exist
Nov 17 02:39:00 Sapphire dracut[2979]: *** Including module: lvm ***
Nov 17 02:39:01 Sapphire dracut[2979]: Skipping udev rule: 64-device-mapper.rules
Nov 17 02:39:01 Sapphire dracut[2979]: Skipping udev rule: 56-lvm.rules
Nov 17 02:39:01 Sapphire dracut[2979]: Skipping udev rule: 60-persistent-storage-lvm.rules
Nov 17 02:39:01 Sapphire dracut[2979]: *** Including module: mdraid ***
Nov 17 02:39:01 Sapphire dracut[2979]: Skipping udev rule: 64-md-raid.rules
Nov 17 02:39:02 Sapphire dracut[2979]: *** Including module: fstab-sys ***
Nov 17 02:39:02 Sapphire dracut[2979]: *** Including module: rootfs-block ***
Nov 17 02:39:02 Sapphire dracut[2979]: *** Including module: terminfo ***
Nov 17 02:39:02 Sapphire dracut[2979]: *** Including module: udev-rules ***
Nov 17 02:39:02 Sapphire dracut[2979]: Skipping udev rule: 40-redhat.rules
Nov 17 02:39:02 Sapphire dracut[2979]: Skipping udev rule: 50-firmware.rules
Nov 17 02:39:02 Sapphire dracut[2979]: Skipping udev rule: 50-udev.rules
Nov 17 02:39:03 Sapphire dracut[2979]: Skipping udev rule: 91-permissions.rules
Nov 17 02:39:03 Sapphire dracut[2979]: Skipping udev rule: 80-drivers-modprobe.rules
Nov 17 02:39:03 Sapphire dracut[2979]: *** Including module: dracut-systemd ***
Nov 17 02:39:03 Sapphire dracut[2979]: *** Including module: usrmount ***
Nov 17 02:39:03 Sapphire dracut[2979]: *** Including module: base ***
Nov 17 02:39:04 Sapphire dracut[2979]: *** Including module: fs-lib ***
Nov 17 02:39:04 Sapphire dracut[2979]: *** Including module: kdumpbase ***
Nov 17 02:39:06 Sapphire dracut[2979]: *** Including module: shutdown ***
Nov 17 02:39:07 Sapphire dracut[2979]: *** Including modules done ***
Nov 17 02:39:07 Sapphire dracut[2979]: *** Installing kernel module dependencies ***
Nov 17 02:39:07 Sapphire dracut[2979]: *** Installing kernel module dependencies done ***
Nov 17 02:39:07 Sapphire dracut[2979]: *** Resolving executable dependencies ***
Nov 17 02:39:11 Sapphire dracut[2979]: *** Resolving executable dependencies done ***
Nov 17 02:39:11 Sapphire dracut[2979]: *** Hardlinking files ***
Nov 17 02:39:11 Sapphire dracut[2979]: *** Hardlinking files done ***
Nov 17 02:39:11 Sapphire dracut[2979]: *** Stripping files ***
Nov 17 02:39:11 Sapphire dracut[2979]: *** Stripping files done ***
Nov 17 02:39:11 Sapphire dracut[2979]: *** Generating early-microcode cpio image ***
Nov 17 02:39:11 Sapphire dracut[2979]: *** Constructing AuthenticAMD.bin ****
Nov 17 02:39:11 Sapphire dracut[2979]: *** Store current command line parameters ***
Nov 17 02:39:11 Sapphire dracut[2979]: Stored kernel commandline:
Nov 17 02:39:11 Sapphire dracut[2979]:  rd.lvm.lv=Sapphire/root
Nov 17 02:39:11 Sapphire dracut[2979]:  rd.md.uuid=46c281b8:f0f444a7:dfebee61:2a9edd77
Nov 17 02:39:11 Sapphire dracut[2979]: *** Creating image file '/boot/initramfs-4.18.18-300.fc29.x86_64kdump.img' ***
Nov 17 02:39:14 Sapphire dracut[2979]: *** Creating initramfs image file '/boot/initramfs-4.18.18-300.fc29.x86_64kdump.img' done ***
Nov 17 02:39:16 Sapphire kdumpctl[1505]: Secure Boot is enabled. Using kexec file based syscall.
Nov 17 02:39:17 Sapphire kdumpctl[1505]: kexec_file_load failed: Required key not available
Nov 17 02:39:17 Sapphire kdumpctl[1505]: kexec: failed to load kdump kernel
Nov 17 02:39:17 Sapphire kdumpctl[1505]: Starting kdump: [FAILED]
Nov 17 02:39:17 Sapphire systemd[1]: kdump.service: Main process exited, code=exited, status=1/FAILURE
Nov 17 02:39:17 Sapphire systemd[1]: kdump.service: Failed with result 'exit-code'.
Nov 17 02:39:17 Sapphire systemd[1]: Failed to start Crash recovery kernel arming.

With the addition of:

…
[   64.297084] PKCS#7 signature not signed with a trusted key
…

in dmesg

Expected results:
kdump kernel should load

Comment 1 Kairui Song 2018-11-20 08:22:14 UTC
The root cause is that MokListRT is missing after shim-15.

Rolling back to shim < 15, or adding the Fedora Secure Boot CA key to the trusted keys in EFI, would fix it.

Reassigning to shim.
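
A diagnostic sketch for the root cause named in comment 1, added here as an example and not part of the bug report or of shim or kexec-tools: it checks whether shim exported MokListRT to the running system and matches the two failure messages from the description. The function names and verdict strings are hypothetical, the GUID is the vendor GUID shim uses for its MOK variables, and the sample log is constructed from lines quoted above.

```shell
#!/bin/sh
# Added diagnostic sketch; not code from the bug report, shim or kexec-tools.
# Vendor GUID shim uses for its MOK variables (assumption: default efivarfs layout).
SHIM_GUID=605dab50-e046-4300-abb6-3dd810dd8b23

# mok_list_rt_present [EFIVARS_DIR]
# Succeeds if MokListRT is visible as a runtime EFI variable.
mok_list_rt_present() {
    dir=${1:-/sys/firmware/efi/efivars}
    [ -e "$dir/MokListRT-$SHIM_GUID" ]
}

# classify_kexec_failure LOGFILE [EFIVARS_DIR]
# LOGFILE holds saved journal and dmesg text. Prints one verdict word.
classify_kexec_failure() {
    log=$1
    dir=${2:-/sys/firmware/efi/efivars}
    if ! grep -q 'kexec_file_load failed' "$log"; then
        echo no-kexec-failure
        return 0
    fi
    if grep -q 'kexec_file_load failed: Required key not available' "$log" ||
       grep -q 'PKCS#7 signature not signed with a trusted key' "$log"; then
        if mok_list_rt_present "$dir"; then
            echo untrusted-key       # MokListRT exists, signer still not trusted
        else
            echo moklistrt-missing   # matches the root cause given in comment 1
        fi
        return 0
    fi
    echo other-failure               # e.g. "Operation not permitted" in comment 9
}

# Constructed sample: three lines copied from the description of this bug.
make_sample_log() {
    cat <<'EOF'
Nov 17 02:39:16 Sapphire kdumpctl[1505]: Secure Boot is enabled. Using kexec file based syscall.
Nov 17 02:39:17 Sapphire kdumpctl[1505]: kexec_file_load failed: Required key not available
[   64.297084] PKCS#7 signature not signed with a trusted key
EOF
}

# Stand-alone use: pass a file holding saved journal and dmesg output.
if [ $# -gt 0 ]; then
    classify_kexec_failure "$@"
fi
```

To use it on a live system, save the output of `journalctl -b -u kdump` and `dmesg` into one file and pass that file's path as the first argument.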

Comment 2 Lyude 2019-05-04 18:11:23 UTC
Any update on this?

Comment 3 Kairui Song 2020-02-11 06:02:23 UTC
Hi, any update? This should have been fixed upstream; it needs to be backported.

Comment 4 Dave Young 2020-02-25 07:45:17 UTC
Is this Fedora 30 only or also including 31 and rawhide?

Comment 5 Dave Young 2020-02-25 07:47:25 UTC
Also, if kdump does not work then kexec reboot will not work either; updated the bug summary line.

Comment 6 Kairui Song 2020-02-25 07:50:12 UTC
The fix is needed for rawhide, f32, and f31.

Comment 7 Ben Cotton 2020-02-26 18:18:15 UTC
Rejected as a prioritized bug. Assigning it to an active maintainer should be enough to move this along. https://meetbot.fedoraproject.org/fedora-meeting/2020-02-26/fedora_prioritized_bugs_and_issues.2020-02-26-16.00.log.html#l-85

Setting status to POST since there's an upstream fix

Comment 8 Fedora Admin XMLRPC Client 2020-02-27 04:29:41 UTC
This package has changed maintainer in Fedora.
Reassigning to the new maintainer of this component.

Comment 9 kevit 2020-04-15 07:19:15 UTC
Hello all, 
Fedora 32 still affected

uname -a
Linux localhost.localdomain 5.6.4-300.fc32.x86_64 #1 SMP Mon Apr 13 14:31:58 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

cat /etc/fedora-release 
Fedora release 32 (Thirty Two)

I followed the manual
https://fedoraproject.org/wiki/How_to_use_kdump_to_debug_kernel_crashes

systemctl start kdump.service
Apr 15 08:52:11 localhost.localdomain kdumpctl[10091]: Using kexec file based syscall.
Apr 15 08:52:11 localhost.localdomain kdumpctl[10388]: kexec_file_load failed: Operation not permitted
Apr 15 08:52:11 localhost.localdomain kdumpctl[10091]: kexec: failed to load kdump kernel
Apr 15 08:52:11 localhost.localdomain kdumpctl[10091]: kexec_file_load() failed, please try kexec_load()

crashkernel is reserved
cat  /proc/iomem |grep -i crash
  b0000000-b7ffffff : Crash kernel

secureboot is enabled
dmesg|grep -i secure
[    0.000000] secureboot: Secure boot enabled
[    0.000000] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
[    0.029362] secureboot: Secure boot enabled

Feel free to reach me if you need a hand to debug, but I need some input here

Comment 10 Ben Cotton 2020-04-30 20:13:02 UTC
This message is a reminder that Fedora 30 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 30 on 2020-05-26.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '30'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 30 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 11 Kairui Song 2020-05-19 18:02:46 UTC
Hi, any update? This bug has been in POST status for some time.

Comment 12 Ben Cotton 2020-05-26 14:28:56 UTC
Fedora 30 changed to end-of-life (EOL) status on 2020-05-26. Fedora 30 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 13 tzwjkl 2020-06-19 04:11:52 UTC
(In reply to kevit from comment #9)
> Hello all, 
> Fedora 32 still affected
> 
> uname -a
> Linux localhost.localdomain 5.6.4-300.fc32.x86_64 #1 SMP Mon Apr 13 14:31:58
> UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
> 
> cat /etc/fedora-release 
> Fedora release 32 (Thirty Two)
> 
> I followed manual
> https://fedoraproject.org/wiki/How_to_use_kdump_to_debug_kernel_crashes
> 
> systemctl start kdump.service
> Apr 15 08:52:11 localhost.localdomain kdumpctl[10091]: Using kexec file
> based syscall.
> Apr 15 08:52:11 localhost.localdomain kdumpctl[10388]: kexec_file_load
> failed: Operation not permitted
> Apr 15 08:52:11 localhost.localdomain kdumpctl[10091]: kexec: failed to load
> kdump kernel
> Apr 15 08:52:11 localhost.localdomain kdumpctl[10091]: kexec_file_load()
> failed, please try kexec_load()
> 
> crashkernel is reserved
> cat  /proc/iomem |grep -i crash
>   b0000000-b7ffffff : Crash kernel
> 
> secureboot is enabled
> dmesg|grep -i secure
> [    0.000000] secureboot: Secure boot enabled
> [    0.000000] Kernel is locked down from EFI Secure Boot mode; see man
> kernel_lockdown.7
> [    0.029362] secureboot: Secure boot enabled
> 
> Feel free to reach me if you need a hand to debug, but I need some input here

The same occurred on my Fedora. I didn't know how to fix it, and it seems like the bug page is EOL. Should we reopen or open a new bug with this info?

Comment 14 Fedora Update System 2021-04-21 12:09:50 UTC
FEDORA-2021-cab258a413 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-cab258a413

Comment 15 Peter Robinson 2021-04-21 12:10:43 UTC
Update pending

Comment 16 Fedora Update System 2021-04-21 15:00:46 UTC
FEDORA-2021-cab258a413 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-cab258a413`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-cab258a413

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 17 Fedora Update System 2021-04-23 21:03:21 UTC
FEDORA-2021-cab258a413 has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.

