ACK/Cmnt: [SRU][N][PATCH 0/1] UBUNTU: [Config]: Enable CONFIG_KEXEC_IMAGE_VERIFY_SIG on arm64
Philip Cox
philip.cox at canonical.com
Wed Jul 17 06:20:59 UTC 2024
On Tue, 2024-07-16 at 16:29 -0400, Kevin Becker wrote:
> BugLink: https://bugs.launchpad.net/bugs/2033007
>
> [Impact]
> The kdump service operates by utilizing the kexec_file_load system call,
> which loads a new kernel image intended for subsequent execution.
> However, this process encounters a problem on ARM64 with Secure Boot
> when the CONFIG_KEXEC_IMAGE_VERIFY_SIG option isn't enabled to facilitate
> signature verification.
>
> [Fix]
> Enabling the CONFIG_KEXEC_IMAGE_VERIFY_SIG option is necessary.
>
> [Test Plan]
> 1. Set up a VM with UEFI secure boot and enabled kernel lockdown on ARM64
> 2. Install kdump-tools: 'apt install linux-crashdump'
> 3. Reboot and verify kdump status with 'kdump-config show'
> 4. Check the log using 'systemctl status kdump-tools'
>
> [Where problems could occur]
> The problem is specific to kexec image signature verification on ARM64.
> This change impacts only the ARM64 kexec_file_load system call.
>
> Kevin Becker (1):
> UBUNTU: [Config]: Enable CONFIG_KEXEC_IMAGE_VERIFY_SIG on arm64
>
> debian.master/config/annotations | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> --
> 2.43.0
>
>
Thanks Kevin for taking care of this!
I also tested this with an arm64 QEMU vm with secure boot enabled.
--
Acked-by: Philip Cox <philip.cox at canonical.com>
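
Added example, not part of the original thread or of kdump-tools: a shell check for the state the test plan verifies, reading the kernel config, the lockdown mode and the crash-kernel flag. The function names, verdict strings and the constructed sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example. File paths are arguments so the check runs on constructed
# samples as well as on a live system, e.g.:
#   kdump_sig_check "/boot/config-$(uname -r)" \
#       /sys/kernel/security/lockdown /sys/kernel/kexec_crash_loaded

# config_enabled FILE OPTION: succeeds if OPTION=y appears in kernel config FILE.
config_enabled() {
    grep -q "^$2=y\$" "$1"
}

# lockdown_mode FILE: print the bracketed (active) mode from a file in the
# format of /sys/kernel/security/lockdown: "none [integrity] confidentiality".
lockdown_mode() {
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1" 2>/dev/null
}

# kdump_sig_check CONFIG LOCKDOWN CRASH_LOADED: print a one-word verdict.
kdump_sig_check() {
    if ! config_enabled "$1" CONFIG_KEXEC_IMAGE_VERIFY_SIG; then
        # Condition from the cover letter: option unset while locked down.
        case "$(lockdown_mode "$2")" in
            integrity|confidentiality)
                echo "verify-sig-missing-under-lockdown"; return 1 ;;
        esac
        echo "verify-sig-missing"; return 1
    fi
    # kexec_crash_loaded reads 1 once a crash kernel has been loaded.
    if [ "$(cat "$3" 2>/dev/null)" = "1" ]; then
        echo "crash-kernel-loaded"; return 0
    fi
    echo "crash-kernel-not-loaded"; return 1
}

# Constructed sample: option unset on a locked-down guest (the pre-fix state).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'CONFIG_KEXEC_FILE=y' \
        '# CONFIG_KEXEC_IMAGE_VERIFY_SIG is not set' > "$d/config"
    echo 'none [integrity] confidentiality' > "$d/lockdown"
    echo 0 > "$d/loaded"
    kdump_sig_check "$d/config" "$d/lockdown" "$d/loaded"
    rm -rf "$d"
}
demo || true
```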