[Bug 1840941] Re: kdump fails to start with secure boot enabled

João Pedro Seara 1840941 at bugs.launchpad.net
Wed Oct 9 12:40:52 UTC 2019


Hello, all.

Adding the following information regarding a workaround found by a
customer on this exact situation @ Ubuntu Bionic 18.04.3.

He found that this should be caused by not importing UEFI:MokListRT cert
'Canonical Ltd. Master Certificate Authority', and devised the following
workaround steps:

(1) Convert CA certificate in crt format to der format:
# openssl x509 -outform der -in /etc/ssl/certs/ca-certificates.crt -out new-ca.der

(2) Import the CA certificate using the mokutil tool:
# mokutil --import new-ca.der

(3) Reboot OS

(4) After reboot, enter the MOK management interface

(5) Select Enroll MOK > Yes, then input the password, then reboot

(6) After OS startup finishes, we found that kdump-tools works:
root at ubuntu:~# /etc/init.d/kdump-tools status
● kdump-tools.service - Kernel crash dump capture service
Loaded: loaded (/lib/systemd/system/kdump-tools.service; enabled; vendor preset: enabled)
Active: active (exited) since Tue 2019-10-08 16:13:16 EDT; 55min ago
Main PID: 1061 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 4915)
CGroup: /system.slice/kdump-tools.service

Oct 08 16:13:15 ubuntu systemd[1]: Starting Kernel crash dump capture service...
Oct 08 16:13:15 ubuntu kdump-tools[1061]: Starting kdump-tools: * Creating symlink /var/lib/kdump/vmlinuz
Oct 08 16:13:15 ubuntu kdump-tools[1061]: * Creating symlink /var/lib/kdump/initrd.img
Oct 08 16:13:16 ubuntu kdump-tools[1061]: * loaded kdump kernel
Oct 08 16:13:16 ubuntu kdump-tools[1318]: /sbin/kexec -p -s --command-line="BOOT_IMAGE=/boot/vmlinuz-4.15.0-55-generic root=/dev/mapper/ubuntu--vg-root ro nr_cpus=1 systemd.unit=kdump…b/kdump/vmlinuz
Oct 08 16:13:16 ubuntu kdump-tools[1321]: loaded kdump kernel
Oct 08 16:13:16 ubuntu systemd[1]: Started Kernel crash dump capture service.
Hint: Some lines were ellipsized, use -l to show in full.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1840941

Title:
  kdump fails to start with secure boot enabled

Status in shim-signed package in Ubuntu:
  Confirmed

Bug description:
  The shim shipped in Ubuntu suffers from a bug that does not allow propagating its
  keys into the Linux keyring. Thus at kexec_file_load time, the signature
  validation fails.

  This is explained in these bugs/links:
  https://github.com/rhboot/shim/pull/153
  https://bugzilla.redhat.com/show_bug.cgi?id=1662929

  This problem is in Ubuntu 16.04 as well as 18.04.

  There is a workaround; essentially by loading an additional cert into the
  MOK, the bug goes away. 

  lsb_release -rd
  Description:  Ubuntu 18.04.3 LTS
  Release:      18.04

  apt-cache policy shim-signed
  shim-signed:
    Installed: 1.37~18.04.3+15+1533136590.3beb971-0ubuntu1
    Candidate: 1.37~18.04.3+15+1533136590.3beb971-0ubuntu1
    Version table:
   *** 1.37~18.04.3+15+1533136590.3beb971-0ubuntu1 500
          500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       1.34.9+13-0ubuntu2 500
          500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages

  Expected to happen:
  Canonical keys to be listed in the Linux keyring is enabled.
  systemctl start kdump-tools.service is expected to succeed

  What happened instead:
  Canonical keys not in the Linux keyring, thus kdump fails to load/start.
  systemctl start kdump-tools.service
  systemctl status kdump-tools.service
  Aug 21 15:43:53 vm362 systemd[1]: Starting Kernel crash dump capture service...
  Aug 21 15:43:53 vm362 kdump-tools[980]: Starting kdump-tools:  * Creating symlin
  Aug 21 15:43:53 vm362 kdump-tools[980]:  * Creating symlink /var/lib/kdump/initr
  Aug 21 15:43:54 vm362 kdump-tools[980]: kexec_file_load failed: Required key not
  Aug 21 15:43:54 vm362 kdump-tools[980]:  * failed to load kdump kernel
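The workaround steps above convert a certificate to DER and enrol it with mokutil; the bug description explains that the failure shows up as "Required key not available" from kexec_file_load because the Canonical key never reaches the Linux keyring. The helpers below are an added example, not part of the bug report or the shim project, for checking both ends of that procedure on a host: picking the right certificate out of a PEM bundle (openssl x509 converts only the first certificate of a multi-certificate file such as /etc/ssl/certs/ca-certificates.crt), converting it to DER, and confirming whether the key description is visible in the kernel keyrings via /proc/keys before and after enrolment. They assume openssl on PATH, root access for /proc/keys, and a bundle path supplied by the caller; the subject pattern is generic, so the same functions work for any certificate, not only the Canonical one named above.

```shell
#!/bin/sh
# Added example (not from the bug report): helpers for checking the MOK workaround.
# Assumptions: openssl on PATH for the subject lookup and DER conversion, a readable
# /proc/keys (run as root), and a PEM bundle path given by the caller.

# Count the PEM certificates in a bundle. ca-certificates.crt holds many CAs, and
# `openssl x509 -in bundle` silently converts only the first one.
count_pem_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# Print the N-th certificate (1-based) of a bundle, delimiters included.
extract_pem_cert() {
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /^-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# Print the index of the first certificate whose subject matches a grep pattern
# (e.g. "Canonical Ltd. Master Certificate Authority"); exit 1 if none matches.
find_cert_index_by_subject() {
    bundle=$1
    pattern=$2
    total=$(count_pem_certs "$bundle")
    i=1
    while [ "$i" -le "$total" ]; do
        if extract_pem_cert "$bundle" "$i" \
            | openssl x509 -noout -subject 2>/dev/null \
            | grep -q "$pattern"; then
            echo "$i"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Convert a single extracted PEM certificate to DER for `mokutil --import`.
pem_to_der() {
    openssl x509 -outform der -in "$1" -out "$2"
}

# Check whether a key description appears in the kernel keyrings. Before the MOK
# enrolment the Canonical key is absent here, which is what kexec_file_load
# reports as "Required key not available".
keyring_has() {
    grep -qi "$1" /proc/keys
}

# Usage on a real host (paths are placeholders):
#   idx=$(find_cert_index_by_subject /path/to/bundle.crt "Canonical Ltd. Master Certificate Authority")
#   extract_pem_cert /path/to/bundle.crt "$idx" > canonical-ca.pem
#   pem_to_der canonical-ca.pem new-ca.der        # then: mokutil --import new-ca.der
#   keyring_has "Canonical Ltd. Master Certificate Authority" && echo present || echo missing
```

Run keyring_has once before enrolling and once after the reboot through MOK management; the switch from "missing" to "present" confirms the key reached the keyring, and a still-missing key after enrolment points back to the shim propagation bug rather than to the kdump-tools configuration.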
