Bug 1994858 - Set CONFIG_KEXEC_SIG=y in the ARM RHEL9 kernel?
Summary: Set CONFIG_KEXEC_SIG=y in the ARM RHEL9 kernel?
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: kernel
Version: 9.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: beta
Target Release: ---
Assignee: Coiby
QA Contact: Ruowen Qin
URL:
Whiteboard:
Depends On: 1976835
Blocks: 1951392
Reported: 2021-08-18 02:44 UTC by Coiby
Modified: 2022-05-17 15:44 UTC
CC: 8 users

Fixed In Version: kernel-5.14.0-21.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1976835
Clones: 2133262
Environment:
Last Closed: 2022-05-17 15:38:55 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links:
Gitlab: redhat/centos-stream/src/kernel centos-stream-9 merge_requests 77 (last updated 2021-11-09 13:24:12 UTC)
Red Hat Issue Tracker: RHELPLAN-93906 (last updated 2021-08-18 02:46:12 UTC)
Red Hat Product Errata: RHBA-2022:3907 (last updated 2022-05-17 15:39:06 UTC)

Description Coiby 2021-08-18 02:44:35 UTC
+++ This bug was initially created as a clone of Bug #1976835 +++

+++ This bug was initially created as a clone of Bug #1815369 +++

Description of problem:

Previously, with the kexec_file_load() interface, the kernel prevented an unsigned kernel image from being loaded if secure boot was enabled.

Now, the implementation of kexec_file_load() has been adjusted in the commit below. With this change, if CONFIG_KEXEC_SIG_FORCE is not set, an unsigned kernel still has a chance to be loaded under some conditions.

commit 99d5cadfde2b ("kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE")

Version-Release number of selected component (if applicable):


How reproducible:
Always.

Steps to Reproduce:
1. kexec -s -l xxx

Actual results:


Expected results:


Additional info:

Test unsigned and signed kernel in Secure boot and Legacy mode.

--- Additional comment from Thomas Huth on 2021-06-28 18:44:05 HKT ---

Seems like the related Kconfig settings have not been forwarded to RHEL9 - at least on s390x, I cannot see CONFIG_KEXEC_SIG=y set yet

--- Additional comment from Emma Wu on 2021-06-29 11:33:27 HKT ---

Hi Ruowen, 


Can you check whether it's reproducible on RHEL9? We have an x86_64 bare-metal machine in the office on which you could enable/disable secure boot.
kexec load is expected to fail on a secure-boot-enabled system if the kexec kernel is unsigned.

Thanks,
Emma

--- Additional comment from Ruowen Qin on 2021-07-01 13:41:58 HKT ---

(In reply to Emma Wu from comment #2)
> Hi Ruowen, 
> 
> 
> Can you check whether it's reproducible on RHEL9? We have an x86_64
> bare-metal machine in the office on which you could enable/disable secure boot.
> kexec load is expected to fail on a secure-boot-enabled system if the kexec
> kernel is unsigned.
> 
> Thanks,
> Emma

Hi Emma,

This bug is currently blocked by bz1977707 and bz1977651, which mean kdump cannot run the kexec_file_load syscall on UEFI machines.

Thanks,
Ruowen

--- Additional comment from Dave Young on 2021-07-13 17:19:02 HKT ---

https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1227

--- Additional comment from Ruowen Qin on 2021-08-02 13:53:45 HKT ---


Tested on RHEL-9.0.0-20210726.1 
Components:
distro=RHEL-9.0.0-20210726.1
kexec-tools-2.0.22-10.el9
kernel-5.14.0-0.rc2.23.el9



# New option is not present on kernel-5.13.0-1.el9
cat /lib/modules/5.13.0-1.el9.x86_64/config
CONFIG_SCHED_HRTICK=y
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
# CONFIG_KEXEC_SIG is not set
CONFIG_CRASH_DUMP=y

# Verified kernel config has been changed on kernel-5.14.0-0.rc2.23.el9
cat /lib/modules/5.14.0-0.rc2.23.el9.x86_64/config
...
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
CONFIG_KEXEC_SIG=y
# CONFIG_KEXEC_SIG_FORCE is not set
...


# kexec_file_load() works on legacy BIOS
Verified by automation
https://beaker.engineering.redhat.com/jobs/5658891
https://beaker.engineering.redhat.com/jobs/5658475 
https://beaker.engineering.redhat.com/jobs/5658471 
https://beaker.engineering.redhat.com/jobs/5658468 

ppc64le local dump failed due to bz1987138
aarch64 case warned due to bz1930494

# kexec_file_load() works on UEFI without secure boot
Verified by automation
https://beaker.engineering.redhat.com/jobs/5648308 

kexec_file_load() on UEFI with secure boot enabled is blocked by bz1977651

--- Additional comment from errata-xmlrpc on 2021-08-02 14:00:48 HKT ---

This bug has been added to advisory RHSA-2021:74866 by auto/ptp-jenkins (auto/ptp-jenkins)

--- Additional comment from errata-xmlrpc on 2021-08-02 14:00:50 HKT ---

Bug report changed to ON_QA status by Errata System.
A QE request has been submitted for advisory RHSA-2021:74866-18
https://errata.devel.redhat.com/advisory/74866

--- Additional comment from errata-xmlrpc on 2021-08-02 14:01:02 HKT ---

This bug has been added to advisory RHSA-2021:74866 by auto/ptp-jenkins (auto/ptp-jenkins)

--- Additional comment from Ruowen Qin on 2021-08-03 12:33:15 HKT ---

Tested on RHEL-9.0.0-20210729.2 
Components:
distro=RHEL-9.0.0-20210729.2
kexec-tools-2.0.22-11.el9
kernel-5.14.0-0.rc3.29.el9



# New option is not present on kernel-5.13.0-1.el9
cat /lib/modules/5.13.0-1.el9.x86_64/config
...
CONFIG_SCHED_HRTICK=y
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
# CONFIG_KEXEC_SIG is not set
CONFIG_CRASH_DUMP=y
...

# Verified kernel config has been changed on kernel-5.14.0-0.rc3.29.el9
cat /lib/modules/5.14.0-0.rc3.29.el9.x86_64/config
...
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
CONFIG_KEXEC_SIG=y
# CONFIG_KEXEC_SIG_FORCE is not set
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
CONFIG_CRASH_DUMP=y
...


# kexec_file_load() works on legacy BIOS
Verified by automation
https://beaker.engineering.redhat.com/jobs/5659072 s390x
https://beaker.engineering.redhat.com/jobs/5659532 x86_64
https://beaker.engineering.redhat.com/jobs/5659533 ppc64le
https://beaker.engineering.redhat.com/jobs/5659071 aarch64

ppc64le local dump failed due to bz1987138
aarch64 case warned due to bz1930494

# kexec_file_load() works on UEFI without secure boot
Verified by automation
https://beaker.engineering.redhat.com/jobs/5659074 

kexec_file_load() on UEFI with secure boot enabled is blocked by bz1977651
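The verification comments above compare CONFIG_KEXEC_SIG / CONFIG_KEXEC_SIG_FORCE lines in /lib/modules/<ver>/config by hand; the description explains that with KEXEC_SIG but without SIG_FORCE an unsigned image is only rejected under some conditions. The script below is an added example, not code from the bug report or the kernel tree: it classifies a config file's kexec signature policy under those rules (assumed to follow kernel/kexec_file.c in 5.14, where the non-forced path rejects the image only when the kernel is locked down, e.g. by Secure Boot, unless an IMA appraisal policy covers it) against constructed sample configs mirroring the two kernels compared above.

```shell
#!/bin/sh
# Added example (not from the bug report): classify a kernel's kexec_file_load()
# signature policy from its Kconfig text. Rules assumed from 5.14's
# kimage_validate_signature():
#   CONFIG_KEXEC_SIG not set          -> image signature never checked
#   KEXEC_SIG=y and KEXEC_SIG_FORCE=y -> unverified image always rejected
#   KEXEC_SIG=y, FORCE not set        -> rejected only while locked down
#                                        (IMA appraisal may still permit it)
# Usage: kexec_sig_policy <config-file> <lockdown: none|integrity|confidentiality>
kexec_sig_policy() {
    cfg="$1"; lockdown="${2:-none}"
    if ! grep -qx 'CONFIG_KEXEC_FILE=y' "$cfg"; then
        echo "kexec_file_load unavailable"; return 0
    fi
    if ! grep -qx 'CONFIG_KEXEC_SIG=y' "$cfg"; then
        echo "unsigned-allowed (no signature check)"; return 0
    fi
    if grep -qx 'CONFIG_KEXEC_SIG_FORCE=y' "$cfg"; then
        echo "unsigned-rejected (enforced)"; return 0
    fi
    case "$lockdown" in
        integrity|confidentiality) echo "unsigned-rejected (lockdown gated)" ;;
        *) echo "unsigned-allowed (no lockdown)" ;;
    esac
}

# Current lockdown mode from securityfs (line like "none [integrity] confidentiality");
# reports "none" when the file cannot be read, e.g. securityfs not mounted.
current_lockdown() {
    f=/sys/kernel/security/lockdown
    if [ -r "$f" ]; then sed -n 's/.*\[\(.*\)\].*/\1/p' "$f"; else echo none; fi
}

# Constructed sample configs, trimmed to the lines the comments above compare.
OLD_CFG=$(mktemp); NEW_CFG=$(mktemp)
trap 'rm -f "$OLD_CFG" "$NEW_CFG"' EXIT
cat >"$OLD_CFG" <<'EOF'
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
# CONFIG_KEXEC_SIG is not set
EOF
cat >"$NEW_CFG" <<'EOF'
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
CONFIG_KEXEC_SIG=y
# CONFIG_KEXEC_SIG_FORCE is not set
EOF
kexec_sig_policy "$NEW_CFG" "$(current_lockdown)"
```

Point the function at a real /lib/modules/<ver>/config together with the output of current_lockdown to see which policy that kernel would apply on the running machine.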

Comment 1 Coiby 2021-08-18 02:52:15 UTC
After having a discussion with Dave, the plan is to fix it in GA. The solution is to revert https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1227 and enable common/generic/CONFIG_KEXEC_SIG since all arches will be supported as suggested by pbrobinsin [1].

[1] https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1227#note_623274617

Comment 14 errata-xmlrpc 2022-05-17 15:38:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: kernel), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3907

