Description of problem:
With secure boot enabled, kexec-tools will use kexec_file_load to load the kernel image, as kexec_file_load is capable of validating the kernel image
against trusted keys.
RHEL kernel image is signed with Red Hat secure boot key, this key is included in and trusted by shim, and shim will expose it to kernel via EFI variables. The kernel is expected to auto-detect and import the key from EFI variables. That's how it's done in RHEL-7 and Fedora.
But the problem is that required patches to get kernel loading the keys properly is neither merged in upstream nor forward ported in RHEL-8, so kexec-tools is not working with EFI secure boot in RHEL-8.
As some other EFI secure boot related patches are also not fore-ported, so a simple workaround exists, just use userspace load instead and bypass the validating.

See bz1568532 for EFI related patch forward-port status
See bz1640486 for kexec-tools failure detail

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info: