+++ This bug was initially created as a clone of Bug #1976835 +++
+++ This bug was initially created as a clone of Bug #1815369 +++
Description of problem:
Previously, with the kexec_file_load() interface, the kernel prevented an unsigned kernel image from being loaded if Secure Boot was enabled.
Now, the implementation of kexec_file_load() has been adjusted in the commit below. With this change, if CONFIG_KEXEC_SIG_FORCE is not set, an unsigned kernel still has a chance to be allowed to load under some conditions.
commit 99d5cadfde2b ("kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE")
Version-Release number of selected component (if applicable):
How reproducible:
Always.
Steps to Reproduce:
1. kexec -s -l xxx
Actual results:
Expected results:
Additional info:
Test unsigned and signed kernel in Secure boot and Legacy mode.
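As an added example (not code from the bug report or from kexec-tools), the script below does what the verification comments in this bug do by hand: it reads a kernel config, classifies the kexec_file_load() signature policy it implies, and works out whether an unsigned image would be accepted given the lockdown state. The policy table it encodes is an assumption taken from upstream kernel/kexec_file.c (kimage_validate_signature), which the report does not spell out; the sample config lines and lockdown strings are constructed, and the mapping of Secure Boot to lockdown "integrity" mode is stated as an assumption about RHEL kernels.

```shell
#!/bin/sh
# Added example, not code from the bug report: classify a kernel's kexec_file_load()
# signature policy from its config (the report reads /lib/modules/<version>/config
# by hand) and decide whether an unsigned image would load, given the lockdown state.
#
# Policy table (assumption, from upstream kernel/kexec_file.c kimage_validate_signature):
#   CONFIG_KEXEC_SIG not set        -> no signature check at all
#   CONFIG_KEXEC_SIG=y, FORCE unset -> unsigned image rejected only while the kernel
#                                      is locked down (Secure Boot does this on RHEL);
#                                      upstream also lets an IMA-appraised image through
#   CONFIG_KEXEC_SIG_FORCE=y        -> unsigned image always rejected

config_is_set() {
    # $1 = config file, $2 = option name; succeeds only for a literal "OPTION=y" line
    grep -qx "$2=y" "$1"
}

kexec_sig_policy() {
    # Print one of four policy labels for the config file in $1.
    if ! config_is_set "$1" CONFIG_KEXEC_FILE; then
        echo "kexec_file_load-unavailable"
    elif config_is_set "$1" CONFIG_KEXEC_SIG_FORCE; then
        echo "signature-enforced"
    elif config_is_set "$1" CONFIG_KEXEC_SIG; then
        echo "signature-checked-lockdown-enforced"
    else
        echo "unsigned-allowed"
    fi
}

lockdown_mode() {
    # $1 = the line from /sys/kernel/security/lockdown, e.g. "none [integrity] confidentiality";
    # prints the bracketed (active) mode.
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

unsigned_kexec_allowed() {
    # $1 = config file, $2 = lockdown line. Prints "yes" or "no".
    case "$(kexec_sig_policy "$1")" in
        unsigned-allowed) echo yes ;;
        signature-checked-lockdown-enforced)
            if [ "$(lockdown_mode "$2")" = none ]; then echo yes; else echo no; fi ;;
        *) echo no ;;
    esac
}

# Constructed sample configs (not copied from a real host) mirroring the two
# kernels compared in the report's verification comments.
make_sample() {
    f=$(mktemp)
    printf '%s\n' "$@" > "$f"
    echo "$f"
}
OLD_CFG=$(make_sample 'CONFIG_KEXEC=y' 'CONFIG_KEXEC_FILE=y' \
                      '# CONFIG_KEXEC_SIG is not set' 'CONFIG_CRASH_DUMP=y')
NEW_CFG=$(make_sample 'CONFIG_KEXEC=y' 'CONFIG_KEXEC_FILE=y' 'CONFIG_KEXEC_SIG=y' \
                      '# CONFIG_KEXEC_SIG_FORCE is not set' 'CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y')

SB_OFF='[none] integrity confidentiality'   # constructed lockdown line, Secure Boot off
SB_ON='none [integrity] confidentiality'    # constructed lockdown line, Secure Boot on

printf 'old kernel: %s, unsigned loads with Secure Boot on: %s\n' \
    "$(kexec_sig_policy "$OLD_CFG")" "$(unsigned_kexec_allowed "$OLD_CFG" "$SB_ON")"
printf 'new kernel: %s, unsigned loads with Secure Boot on: %s, off: %s\n' \
    "$(kexec_sig_policy "$NEW_CFG")" "$(unsigned_kexec_allowed "$NEW_CFG" "$SB_ON")" \
    "$(unsigned_kexec_allowed "$NEW_CFG" "$SB_OFF")"
# On a live host:
#   kexec_sig_policy "/lib/modules/$(uname -r)/config"
#   unsigned_kexec_allowed "/lib/modules/$(uname -r)/config" "$(cat /sys/kernel/security/lockdown)"
```

The two constructed configs reproduce the before/after state the verification comments show: the kernel-5.13 config ("CONFIG_KEXEC_SIG is not set") classifies as unsigned-allowed regardless of Secure Boot, while the kernel-5.14 config (CONFIG_KEXEC_SIG=y, FORCE unset) rejects an unsigned image only when lockdown is active, which is exactly the "under some conditions" behaviour the description refers to.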
--- Additional comment from Thomas Huth on 2021-06-28 18:44:05 HKT ---
Seems like the related Kconfig settings have not been forwarded to RHEL9 - at least on s390x, I cannot see CONFIG_KEXEC_SIG=y set yet
--- Additional comment from Emma Wu on 2021-06-29 11:33:27 HKT ---
Hi Ruowen,
Can you check whether it's reproducible on RHEL9? We have an x86_64 bare-metal machine in the office on which you could enable/disable Secure Boot.
kexec load is expected to fail on a Secure Boot enabled system if the kexec kernel is unsigned.
Thanks,
Emma
--- Additional comment from Ruowen Qin on 2021-07-01 13:41:58 HKT ---
(In reply to Emma Wu from comment #2)
> Hi Ruowen,
>
> Can you check whether it's reproducible on RHEL9? We have an x86_64
> bare-metal machine in the office on which you could enable/disable Secure Boot.
> kexec load is expected to fail on a Secure Boot enabled system if the kexec
> kernel is unsigned.
>
> Thanks,
> Emma
Hi Emma,
This bug is currently blocked by bz1977707 and bz1977651, which prevent kdump from running the kexec_file_load syscall on UEFI machines.
Thanks,
Ruowen
--- Additional comment from Dave Young on 2021-07-13 17:19:02 HKT ---
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1227
--- Additional comment from Ruowen Qin on 2021-08-02 13:53:45 HKT ---
Tested on RHEL-9.0.0-20210726.1
Components:
distro=RHEL-9.0.0-20210726.1
kexec-tools-2.0.22-10.el9
kernel-5.14.0-0.rc2.23.el9
# New option is not present on kernel-5.13.0-1.el9
cat /lib/modules/5.13.0-1.el9.x86_64/config
CONFIG_SCHED_HRTICK=y
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
# CONFIG_KEXEC_SIG is not set
CONFIG_CRASH_DUMP=y
# Verified kernel config has been changed on kernel-5.14.0-0.rc2.23.el9
cat /lib/modules/5.14.0-0.rc2.23.el9.x86_64/config
...
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
CONFIG_KEXEC_SIG=y
# CONFIG_KEXEC_SIG_FORCE is not set
...
# kexec_file_load() works on legacy BIOS
Verified by automation
https://beaker.engineering.redhat.com/jobs/5658891
https://beaker.engineering.redhat.com/jobs/5658475
https://beaker.engineering.redhat.com/jobs/5658471
https://beaker.engineering.redhat.com/jobs/5658468
ppc64le local dump failed due to bz1987138
aarch64 case warned due to bz1930494
# kexec_file_load() works on UEFI without secure boot
Verified by automation
https://beaker.engineering.redhat.com/jobs/5648308
kexec_file_load() on UEFI with Secure Boot enabled is blocked by bz1977651
--- Additional comment from errata-xmlrpc on 2021-08-02 14:00:48 HKT ---
This bug has been added to advisory RHSA-2021:74866 by auto/ptp-jenkins (auto/ptp-jenkins)
--- Additional comment from errata-xmlrpc on 2021-08-02 14:00:50 HKT ---
Bug report changed to ON_QA status by Errata System.
A QE request has been submitted for advisory RHSA-2021:74866-18
https://errata.devel.redhat.com/advisory/74866
--- Additional comment from errata-xmlrpc on 2021-08-02 14:01:02 HKT ---
This bug has been added to advisory RHSA-2021:74866 by auto/ptp-jenkins (auto/ptp-jenkins)
--- Additional comment from Ruowen Qin on 2021-08-03 12:33:15 HKT ---
Tested on RHEL-9.0.0-20210729.2
Components:
distro=RHEL-9.0.0-20210729.2
kexec-tools-2.0.22-11.el9
kernel-5.14.0-0.rc3.29.el9
# New option is not present on kernel-5.13.0-1.el9
cat /lib/modules/5.13.0-1.el9.x86_64/config
...
CONFIG_SCHED_HRTICK=y
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
# CONFIG_KEXEC_SIG is not set
CONFIG_CRASH_DUMP=y
...
# Verified kernel config has been changed on kernel-5.14.0-0.rc3.29.el9
cat /lib/modules/5.14.0-0.rc3.29.el9.x86_64/config
...
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
CONFIG_KEXEC_SIG=y
# CONFIG_KEXEC_SIG_FORCE is not set
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
CONFIG_CRASH_DUMP=y
...
# kexec_file_load() works on legacy BIOS
Verified by automation
https://beaker.engineering.redhat.com/jobs/5659072 s390x
https://beaker.engineering.redhat.com/jobs/5659532 x86_64
https://beaker.engineering.redhat.com/jobs/5659533 ppc64le
https://beaker.engineering.redhat.com/jobs/5659071 aarch64
ppc64le local dump failed due to bz1987138
aarch64 case warned due to bz1930494
# kexec_file_load() works on UEFI without secure boot
Verified by automation
https://beaker.engineering.redhat.com/jobs/5659074
kexec_file_load() on UEFI with Secure Boot enabled is blocked by bz1977651
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (new packages: kernel), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2022:3907