This bug is awaiting verification that the linux-aws-6.2/6.2.0-1014.14~22.04.1
kernel in -proposed solves the problem.
Please test the kernel and update this bug with the results. If the
problem is solved, change the tag 'verification-needed-jammy-linux-aws-6.2'
to 'verification-done-jammy-linux-aws-6.2'. If the problem
still exists, change the tag 'verification-needed-jammy-linux-aws-6.2'
to 'verification-failed-jammy-linux-aws-6.2'.


If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.


See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: kernel-spammed-jammy-linux-aws-6.2-v2 verification-needed-jammy-linux-aws-6.2

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2033007

Title:
  kdump doesn't work with UEFI secure boot and kernel lockdown enabled
  on ARM64

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Focal:
  In Progress
Status in linux source package in Jammy:
  Fix Released
Status in linux source package in Lunar:
  Fix Released

Bug description:
  [Impact]
  The kdump service operates by utilizing the kexec_file_load system call,
  which loads a new kernel image intended for subsequent execution.
  However, this process encounters a hindrance if the
  CONFIG_KEXEC_IMAGE_VERIFY_SIG option isn't enabled to facilitate signature
  verification.

  In addition, a noteworthy point is that if the kernel image is signed with a
  MOK, it will face rejection due to ARM64's reliance solely on the
  .builtin_trusted_keys for verification purposes.
  To enhance flexibility, it's suggested that we align with the behavior on x86
  platforms.
  This alignment could potentially involve expanding the scope to encompass
  more keyrings, such as .secondary_trusted_keys and platform keyrings,
  thereby broadening the options available for verification mechanisms.

  [Fix]
  Enabling the CONFIG_KEXEC_IMAGE_VERIFY_SIG option is necessary,
  along with the incorporation of two specific commits, in order to enhance the
  capabilities of the kexec_file_load system call on ARM64.
  The commits that need to be applied are as follows:
  c903dae8941d kexec, KEYS: make the code in bzImage64_verify_sig generic
  0d519cadf751 arm64: kexec_file: use more system keyrings to verify kernel
  image signature

  [Test Plan]
  1. Set up a VM with UEFI secure boot and enabled kernel lockdown on ARM64
  2. Install 'kdump-tools'
     sudo apt install linux-crashdump
  3. Reboot and verify kdump status with 'kdump-config show'
  root@ubuntu:~# kdump-config show
  DUMP_MODE:            kdump
  USE_KDUMP:            1
  KDUMP_COREDIR:                /var/crash
  crashkernel addr: 0xde000000
     /var/lib/kdump/vmlinuz: symbolic link to /boot/vmlinuz-5.15.0-78-generic
  kdump initrd: 
     /var/lib/kdump/initrd.img: symbolic link to /var/lib/kdump/initrd.img-5.15.0-78-generic
  current state:    Not ready to kdump

  kexec command:
    /sbin/kexec -p -s --command-line="BOOT_IMAGE=/boot/vmlinuz-5.15.0-79-generic root=UUID=63e4c69f-fb47-4a54-8ef1-c955ae9a9a50 ro console=tty1 console=ttyS0 reset_devices systemd.unit=kdump-tools-dump.service nr_cpus=1" --initrd=/var/lib/kdump/initrd.img /var/lib/kdump/vmlinuz
  4. Check the log using 'systemctl status kdump-tools'
  Aug 24 06:08:39 ubuntu systemd[1]: Starting Kernel crash dump capture service...
  Aug 24 06:08:39 ubuntu kdump-tools[1750]: Starting kdump-tools:
  Aug 24 06:08:39 ubuntu kdump-tools[1755]:  * Creating symlink /var/lib/kdump/vmlinuz
  Aug 24 06:08:39 ubuntu kdump-tools[1755]:  * Creating symlink /var/lib/kdump/initrd.img
  Aug 24 06:08:39 ubuntu kdump-tools[1755]:  * /sbin/kexec -p -s --command-line="BOOT_IMAGE=/boot/vmlinuz-5.15.0-78-generic root=UUID=63e4c69f-fb47-4a54-8ef1-c955ae9a9a50 ro console=tty1 console=ttyS0 reset_devices systemd.unit=kdump-tools-dump.service nr_cpus=1" --initrd=/var/lib/kdump/initrd.img /var/lib/kdump/vmlinuz
  Aug 24 06:08:41 ubuntu kernel: [  403.301008] Lockdown: kexec: kexec of unsigned images is restricted; see man kernel_lockdown.7
  Aug 24 06:08:41 ubuntu kdump-tools[1755]:  * failed to load kdump kernel
  Aug 24 06:08:41 ubuntu kdump-tools: failed to load kdump kernel
  Aug 24 06:08:41 ubuntu systemd[1]: Finished Kernel crash dump capture service.

  [Where problems could occur]
  The problem is specific to kexec image signature verification on ARM64.
  This change allows additional keyrings and impacts only the ARM64
  kexec_file_load system call.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2033007/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
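The test plan in the bug report is checked by hand. The script below, added here as an example and not part of the bug report, kdump-tools or the kernel, automates the same pre-flight checks for kdump under lockdown: it parses the lockdown mode, tests the kernel config for CONFIG_KEXEC_IMAGE_VERIFY_SIG, reads the state from `kdump-config show`, and classifies the kdump-tools log so the "kexec of unsigned images is restricted" refusal is told apart from other load failures. The parsing lives in functions that read stdin, so they run on captured output; `--live` runs them on the current machine and additionally lists the kernel image's PE signer and the kernel keyrings. The sample config, log and show excerpts are constructed (the log lines are the ones from step 4 above), and the tools used only in live mode (kdump-config, sbverify from sbsigntool, keyctl from keyutils) are assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of the bug report or of kdump-tools: pre-flight
# checks for kdump under kernel lockdown. Parsing functions read stdin so they
# can be exercised on captured output; "--live" runs them on this machine.

# Active mode from /sys/kernel/security/lockdown, whose content looks like
# "none [integrity] confidentiality" (the bracketed word is the active one).
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Exit 0 iff the kernel .config on stdin enables signature verification for
# kexec_file_load (kexec -s); without it lockdown can never accept the image.
kexec_sig_enabled() {
    grep -qx 'CONFIG_KEXEC_IMAGE_VERIFY_SIG=y'
}

# Print ready / not-ready / unknown from `kdump-config show` output on stdin.
# "Not ready" must be tested first because it also contains "ready".
kdump_state() {
    out=$(cat)
    case "$out" in
        *"current state:"*"Not ready"*) echo not-ready ;;
        *"current state:"*"ready"*)     echo ready ;;
        *)                              echo unknown ;;
    esac
}

# Classify a kdump-tools/journal excerpt on stdin:
#   lockdown-unsigned : kernel refused kexec_file_load because the image is
#                       not signed by a key in a keyring it consults
#   load-failed       : kdump-tools reported a failure for another reason
#   no-error          : neither message present
classify_kdump_log() {
    log=$(cat)
    case "$log" in
        *"Lockdown: kexec: kexec of unsigned images is restricted"*) echo lockdown-unsigned ;;
        *"failed to load kdump kernel"*)                             echo load-failed ;;
        *)                                                           echo no-error ;;
    esac
}

# Live mode: assumes kdump-config, sbverify (sbsigntool) and keyctl (keyutils).
live_check() {
    cfg="/boot/config-$(uname -r)"
    img="/var/lib/kdump/vmlinuz"
    echo "lockdown mode          : $(lockdown_mode "$(cat /sys/kernel/security/lockdown 2>/dev/null)")"
    if kexec_sig_enabled < "$cfg"; then
        echo "KEXEC_IMAGE_VERIFY_SIG : y"
    else
        echo "KEXEC_IMAGE_VERIFY_SIG : not set in $cfg"
    fi
    echo "kdump state            : $(kdump-config show 2>/dev/null | kdump_state)"
    echo "last kdump-tools run   : $(journalctl -b -u kdump-tools --no-pager 2>/dev/null | classify_kdump_log)"
    # On arm64 the kernel Image carries an EFI stub and is a PE binary, so its
    # Authenticode signer can be listed and compared against the keyrings.
    command -v sbverify >/dev/null 2>&1 && sbverify --list "$img"
    if command -v keyctl >/dev/null 2>&1; then
        for kr in .builtin_trusted_keys .secondary_trusted_keys .platform; do
            echo "--- $kr"; keyctl show "%:$kr"
        done
    fi
}

# Constructed sample inputs: a config fragment with verification disabled, the
# log lines from the bug's step 4, and a kdump-config show excerpt.
SAMPLE_CFG='CONFIG_KEXEC_FILE=y
# CONFIG_KEXEC_IMAGE_VERIFY_SIG is not set'
SAMPLE_LOG='Aug 24 06:08:41 ubuntu kernel: [  403.301008] Lockdown: kexec: kexec of unsigned images is restricted; see man kernel_lockdown.7
Aug 24 06:08:41 ubuntu kdump-tools[1755]:  * failed to load kdump kernel'
SAMPLE_SHOW='DUMP_MODE:            kdump
current state:    Not ready to kdump'

if [ "${1:-}" = "--live" ]; then
    live_check
else
    printf '%s\n' "$SAMPLE_CFG" | kexec_sig_enabled && echo "sig verify : enabled" || echo "sig verify : disabled"
    echo "kdump state: $(printf '%s\n' "$SAMPLE_SHOW" | kdump_state)"
    echo "log verdict: $(printf '%s\n' "$SAMPLE_LOG" | classify_kdump_log)"
fi
```

Run without arguments to see the verdicts on the constructed samples (disabled / not-ready / lockdown-unsigned), or with `--live` on the test VM. A `lockdown-unsigned` verdict with `CONFIG_KEXEC_IMAGE_VERIFY_SIG=y` present points at the keyring problem this bug is about: the image's signer (as listed by sbverify) is in .platform or .secondary_trusted_keys but the ARM64 kexec_file path only consults .builtin_trusted_keys.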