1658508 – [RHEL 8.0] kexec-tools workaround for efi secure boot

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1658508 - [RHEL 8.0] kexec-tools workaround for efi secure boot

Summary: [RHEL 8.0] kexec-tools workaround for efi secure boot

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	kexec-tools
Sub Component:
Version:	8.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	8.0
Assignee:	Kairui Song
QA Contact:	Ziqian SUN (Zamir)
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1640486
TreeView+	depends on / blocked

Reported:	2018-12-12 10:23 UTC by Kairui Song
Modified:	2019-06-14 00:51 UTC (History)
CC List:	4 users (show)
Fixed In Version:	kexec-tools-2.0.17-23
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-06-14 00:51:44 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Kairui Song 2018-12-12 10:23:54 UTC

Description of problem:
With secure boot enabled, kexec-tools will use kexec_file_load to load the kernel image, as kexec_file_load is capable of validating the kernel image
against trusted keys.
RHEL kernel image is signed with Red Hat secure boot key, this key is included in and trusted by shim, and shim will expose it to kernel via EFI variables. The kernel is expected to auto-detect and import the key from EFI variables. That's how it's done in RHEL-7 and Fedora.
But the problem is that required patches to get kernel loading the keys properly is neither merged in upstream nor forward ported in RHEL-8, so kexec-tools is not working with EFI secure boot in RHEL-8.
As some other EFI secure boot related patches are also not fore-ported, so a simple workaround exists, just use userspace load instead and bypass the validating.

See bz1568532 for EFI related patch forward-port status
See bz1640486 for kexec-tools failure detail

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Note You need to log in before you can comment on or make changes to this bug.