[Bug 1840941] Re: kdump fails to start with secure boot enabled
William Tu
1840941 at bugs.launchpad.net
Thu Jun 8 02:01:50 UTC 2023
I'm testing it on Ubuntu 22.04, with shim version:
apt-cache policy shim-signed
shim-signed:
Installed: 1.51.3+15.7-0ubuntu1
Candidate: 1.51.3+15.7-0ubuntu1
Version table:
*** 1.51.3+15.7-0ubuntu1 500
500 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main arm64 Packages
100 /var/lib/dpkg/status
1.51+15.4-0ubuntu9 500
500 http://ports.ubuntu.com/ubu
However, kdump-config show still says:
# kdump-config show
DUMP_MODE: kdump
USE_KDUMP: 1
KDUMP_COREDIR: /var/crash
crashkernel addr: 0xce000000
/var/lib/kdump/vmlinuz: symbolic link to /boot/vmlinuz-5.15.0-1015-bluefield
kdump initrd:
/var/lib/kdump/initrd.img: symbolic link to /var/lib/kdump/initrd.img-5.15.0-1015-bluefield
current state: Not ready to kdump
dmesg shows:
[ 109.604563] Lockdown: kexec: kexec of unsigned images is restricted; see man kernel_lockdown.7
Should I disable kernel_lockdown, or sign the kexec binary?
Thanks!
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1840941
Title:
kdump fails to start with secure boot enabled
Status in shim-signed package in Ubuntu:
Fix Released
Bug description:
The shim shipped in Ubuntu suffers from a bug that does not allow propagating its
keys into the Linux keyring. Thus at kexec_file_load time, the signature
validation fails.
This is explained in these bugs/links:
https://github.com/rhboot/shim/pull/153
https://bugzilla.redhat.com/show_bug.cgi?id=1662929
This problem is in Ubuntu 16.04 as well as 18.04.
There is a workaround; essentially by loading an additional cert into the
MOK, the bug goes away.
lsb_release -rd
Description: Ubuntu 18.04.3 LTS
Release: 18.04
apt-cache policy shim-signed
shim-signed:
Installed: 1.37~18.04.3+15+1533136590.3beb971-0ubuntu1
Candidate: 1.37~18.04.3+15+1533136590.3beb971-0ubuntu1
Version table:
*** 1.37~18.04.3+15+1533136590.3beb971-0ubuntu1 500
500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
100 /var/lib/dpkg/status
1.34.9+13-0ubuntu2 500
500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
Expected to happen:
Canonical keys to be listed in the Linux keyring when secure boot is enabled.
systemctl start kdump-tools.service is expected to succeed.
What happened instead:
Canonical keys not in the Linux keyring, thus kdump fails to load/start.
systemctl start kdump-tools.service
systemctl status kdump-tools.service
Aug 21 15:43:53 vm362 systemd[1]: Starting Kernel crash dump capture service...
Aug 21 15:43:53 vm362 kdump-tools[980]: Starting kdump-tools: * Creating symlin
Aug 21 15:43:53 vm362 kdump-tools[980]: * Creating symlink /var/lib/kdump/initr
Aug 21 15:43:54 vm362 kdump-tools[980]: kexec_file_load failed: Required key not
Aug 21 15:43:54 vm362 kdump-tools[980]: * failed to load kdump kernel
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1840941/+subscriptions
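The two failures quoted in this thread are the same root cause seen through two kernels: on bionic, kexec_file_load returned "Required key not available" (ENOKEY) because the certificate that signed the kernel image never reached a trusted kernel keyring; on jammy, the lockdown LSM reports "kexec of unsigned images is restricted", which the kernel prints both when the legacy kexec_load syscall is used and when kexec_file_load cannot verify the image's signature against a trusted key. The script below is an added example for triaging that state on a Secure Boot machine; it is not code from the bug report, kdump-tools or shim. The sample dmesg and sysfs strings in it are constructed, the set of keyrings it lists is an assumption (the .machine keyring exists only on kernels that have it), and the MOK certificate path in the remedy text is a placeholder.

```shell
#!/bin/sh
# Added diagnostic for kdump refused under Secure Boot lockdown. Not from the
# bug thread, kdump-tools or shim; sample strings are constructed, and the
# keyring names and tool invocations are assumptions noted inline.

# Parse /sys/kernel/security/lockdown, which reads like
# "[none] integrity confidentiality"; the bracketed word is the active mode.
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Classify a kexec-related dmesg or kdump-tools line into a short code:
#   unsigned-or-untrusted  lockdown refused the load: either the legacy
#                          kexec_load syscall was used (kexec without -s), or
#                          kexec_file_load could not verify the image's
#                          signature against a trusted keyring
#   untrusted-signer       kexec_file_load returned ENOKEY: the image is
#                          signed, but the signer is in no trusted keyring
#   other                  anything else
classify_kexec_failure() {
    case "$1" in
        *"kexec of unsigned images is restricted"*) echo unsigned-or-untrusted ;;
        *"Required key not available"*)             echo untrusted-signer ;;
        *)                                          echo other ;;
    esac
}

# Remedy per code. Signing the kexec userspace binary does not help: the
# kernel verifies the kernel image being loaded, not the loader process.
explain_code() {
    case "$1" in
        unsigned-or-untrusted)
            echo "load with kexec -s (kexec_file_load) and make sure the image's signer is in a trusted keyring" ;;
        untrusted-signer)
            echo "enroll the signing certificate in MOK (mokutil --import CERT.der, then reboot) so it reaches a kernel keyring; CERT.der is a placeholder" ;;
        *)  echo "no automatic diagnosis" ;;
    esac
}

# Live checks; each tool is used only if it is installed.
diagnose() {
    kernel=${1:-/var/lib/kdump/vmlinuz}
    if [ -r /sys/kernel/security/lockdown ]; then
        echo "lockdown: $(lockdown_mode "$(cat /sys/kernel/security/lockdown)")"
    fi
    command -v mokutil >/dev/null 2>&1 && mokutil --sb-state
    # Keyrings a PE signature check can consult (assumed set; .machine is
    # absent on kernels without the MOK machine keyring).
    for kr in .builtin_trusted_keys .secondary_trusted_keys .platform .machine; do
        keyctl show "%:$kr" 2>/dev/null
    done
    # Who signed the image that kdump will hand to kexec_file_load (sbsigntool).
    command -v sbverify >/dev/null 2>&1 && sbverify --list "$kernel"
    { dmesg 2>/dev/null; journalctl -u kdump-tools --no-pager 2>/dev/null; } \
        | grep -E 'Lockdown: kexec|kexec_file_load' \
        | while IFS= read -r line; do
            code=$(classify_kexec_failure "$line")
            echo "$code: $(explain_code "$code")"
        done
}

# Usage: sh kdump_sb_check.sh --run [/path/to/kdump/kernel]
if [ "${1-}" = "--run" ]; then diagnose "$2"; fi
```

Run it as root on the affected host; if sbverify lists a signer that does not appear in any of the keyrings keyctl prints, that is the missing propagation the bug describes, and enrolling that certificate through MOK is the workaround the report mentions.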