Bug 1658508 - [RHEL 8.0] kexec-tools workaround for efi secure boot
Summary: [RHEL 8.0] kexec-tools workaround for efi secure boot
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: kexec-tools
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.0
Assignee: Kairui Song
QA Contact: Ziqian SUN (Zamir)
Depends On:
Blocks: 1640486
TreeView+ depends on / blocked
Reported: 2018-12-12 10:23 UTC by Kairui Song
Modified: 2019-06-14 00:51 UTC (History)
4 users (show)

Fixed In Version: kexec-tools-2.0.17-23
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-14 00:51:44 UTC
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)

Description Kairui Song 2018-12-12 10:23:54 UTC
Description of problem:
With secure boot enabled, kexec-tools will use kexec_file_load to load the kernel image, as kexec_file_load is capable of validating the kernel image
against trusted keys.
RHEL kernel image is signed with Red Hat secure boot key, this key is included in and trusted by shim, and shim will expose it to kernel via EFI variables. The kernel is expected to auto-detect and import the key from EFI variables. That's how it's done in RHEL-7 and Fedora.
But the problem is that required patches to get kernel loading the keys properly is neither merged in upstream nor forward ported in RHEL-8, so kexec-tools is not working with EFI secure boot in RHEL-8.
As some other EFI secure boot related patches are also not fore-ported, so a simple workaround exists, just use userspace load instead and bypass the validating.

See bz1568532 for EFI related patch forward-port status
See bz1640486 for kexec-tools failure detail

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info:

Note You need to log in before you can comment on or make changes to this bug.