Your message dated Mon, 30 May 2016 10:31:24 +0000
with message-id <[email protected]>
and subject line Bug#823003: fixed in makedumpfile 1:1.5.9-6
has caused the Debian Bug report #823003,
regarding makedumpfile: kdump support for UEFI Secure Boot
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
823003: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823003
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: makedumpfile
Version: 1:1.5.9-5
Severity: wishlist
Tags: patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
In support of UEFI Secure Boot in Debian stretch (#820036), update
kdump-tools to use kexec_file_load when in secure mode.
Specifically, kdump-config needs to query the state of UEFI Secure Boot in
order to use the kexec_file_load system call to boot the crash kernel when
Secure Boot is enabled.
I have attached a patch to kdump-config with this change.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
From 8457b1664a1fbb287dbc3eed26fa204c647acf32 Mon Sep 17 00:00:00 2001
From: Linn Crosetto <[email protected]>
Date: Fri, 29 Apr 2016 14:26:11 -0600
Subject: [PATCH] kdump-tools: add support for UEFI Secure Boot
kdump-config needs to query the state of UEFI Secure Boot in order to correctly
use kexec to boot the crash kernel. Specifically, kexec needs the "-s" option
to use the kexec_file_load system call to validate the image before loading it.
Signed-off-by: Linn Crosetto <[email protected]>
---
debian/kdump-config | 45 ++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 44 insertions(+), 1 deletion(-)
diff --git a/debian/kdump-config b/debian/kdump-config
index 0ff0e6f..9fb00ac 100755
--- a/debian/kdump-config
+++ b/debian/kdump-config
@@ -318,6 +318,40 @@ function check_relocatable()
fi
}
+function check_securelevel()
+{
+ local sl_path="/sys/kernel/security/securelevel"
+ if [ ! -f "$sl_path" ]; then
+ return 1
+ fi
+
+ if [ "$(cat "$sl_path")" = "1" ]; then
+ return 0
+ fi
+
+ return 1
+}
+
+
+function check_secure_boot()
+{
+ local sb_path sm_file sb sm
+
+ sb_path=$(find /sys/firmware/efi/efivars -name SecureBoot-* 2>/dev/null)
+ sm_path=$(find /sys/firmware/efi/efivars -name SetupMode-* 2>/dev/null)
+
+ if [ -f "$sb_path" ] && [ -f "$sm_path" ]; then
+ sb=$(hexdump -v -e '/1 "%d\ "' $sb_path|cut -d' ' -f 5)
+ sm=$(hexdump -v -e '/1 "%d\ "' $sm_path|cut -d' ' -f 5)
+
+ if [ "$sb" = "1" ] && [ "$sm" = "0" ]; then
+ return 0
+ fi
+ fi
+
+ return 1
+}
+
# Find the kexec/kdump kernel and possibly a corresponding initrd.
# A kdump kernel does not need to match the `uname -r` of the booted kernel.
#
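Review bot: In check_secure_boot the `local` line declares `sm_file`, but the function assigns and reads `sm_path`, so `sm_path` ends up as a global; the declaration should read `local sb_path sm_path sb sm`. The `find` patterns `SecureBoot-*` and `SetupMode-*` are unquoted, so the shell can expand them before find sees them if a matching name exists in the current directory; quote them (`-name 'SecureBoot-*'`) and quote `$sb_path` and `$sm_path` in the hexdump calls too. If find prints more than one match, the `[ -f "$sb_path" ]` test fails and the function reports Secure Boot as off, which deserves either handling or a comment. A one-line comment on why field 5 of the hexdump output is the byte being compared would also help the next reader.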
@@ -466,6 +500,10 @@ function kdump_load()
# assemble the kexec command used to load the kdump kernel
KEXEC_CMD="$KEXEC -p"
+ if check_secure_boot || check_securelevel; then
+ KEXEC_CMD="$KEXEC_CMD -s"
+ fi
+
# Different kernel types allow/require different options:
# The only special case here is that x86, x86_64 elf style
# binaries require the --args-linux argument.
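Review bot: The new conditional in kdump_load appends `-s` without a comment saying why. The commit message gives the reason (kexec_file_load validates the image before loading it), and a one-line comment to that effect belongs next to the test. The same `check_secure_boot || check_securelevel` expression is repeated in kdump_unload, so consider evaluating it once into a variable that both functions read, so the two call sites cannot drift apart.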
@@ -524,7 +562,12 @@ function kdump_load()
# Returns: none. prints warnings or exit
function kdump_unload()
{
- $KEXEC -p -u
+ if check_secure_boot || check_securelevel; then
+ $KEXEC -s -p -u
+ else
+ $KEXEC -p -u
+ fi
+
if [ $? == 0 ]; then
log_success_msg "unloaded kdump kernel"
logger -t $NAME "unloaded kdump kernel"
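Review bot: In kdump_unload the `if [ $? == 0 ]` check now follows an if/else block instead of the kexec call itself. It still sees kexec's exit status because each branch ends with the kexec command, but any command later added to a branch would silently change what is tested. Building the options first and running a single `$KEXEC $opts -p -u` (with `opts` a hypothetical local variable) keeps the status check adjacent to the call and avoids writing the command line twice.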
--
2.8.0.rc3
--- End Message ---
--- Begin Message ---
Source: makedumpfile
Source-Version: 1:1.5.9-6
We believe that the bug you reported is fixed in the latest version of
makedumpfile, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Louis Bouchard <[email protected]> (supplier of updated makedumpfile
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 30 May 2016 11:39:07 +0200
Source: makedumpfile
Binary: makedumpfile kdump-tools
Architecture: all amd64 source
Version: 1:1.5.9-6
Distribution: sid
Urgency: medium
Maintainer: Louis Bouchard <[email protected]>
Changed-By: Louis Bouchard <[email protected]>
Closes: 823003
Description:
kdump-tools - scripts and tools for automating kdump (Linux crash dumps)
makedumpfile - VMcore extraction tool
Changes:
makedumpfile (1:1.5.9-6) sid; urgency=medium
.
* [ Juerg Haefliger <[email protected]> ]
.
Limit the number of dumps kept on the local machine
.
Introduce a new config variable KDUMP_NUM_DUMPS that specifies how
many dumps should be kept on the machine. This can be used to prevent
running out of disk space. It is ignored if remote dumping (ssh or nfs)
is enabled. If there are too many dump files, older dumps are purged but
only after the current dump operation succeeded.
.
* [ Linn Crosetto <[email protected]> ]
.
kdump-config: add support for UEFI Secure Boot
.
kdump-config needs to query the state of UEFI Secure Boot in order to
correctly use kexec to boot the crash kernel. Specifically, kexec needs the
"-s" option to use the kexec_file_load system call to validate the image
before loading it.
(Closes: #823003)
.
* [Hari Bathini <[email protected]>]
.
Fix networked kdump failure to reach remote server. Avoids
"Network is unreachable" message when trying to do remote dumps on either
SSH or NFS. (LP: #1571590)
.
* Add support for architecture-specific crashkernel param
.
On Debian, the crashkernel boot parameter is left undefined. On Ubuntu
it was defined in the kexec-tools package, modified specifically.
.
This parameter is now defined by the kdump-tools package and uses an
architecture-specific file containing the definition. A generic symlink
called /etc/default/grub.d/kdump-tools.cfg points to the architecture
specific file.
.
The default values are :
.
- All but ppc64el : 128M
- ppc64el : 2G-4G:320M,4G-32G:512M,32G-64G:1024M,64G-128G:2048M,128G-:4096M@32M
.
(LP: #1567539)
On s390x architecture, the crashkernel parameter is added to the
/etc/zipl.conf file.
.
/etc/default/kdump-tools is also modified to use the cio_ignore parameter
when kexec loads the crash kernel (LP: #1570775)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---