[Bug 1840941] Re: kdump fails to start with secure boot enabled
This was fixed in 15+1552672080.a4a1fbe-0ubuntu2 as mentioned earlier by Steve, if there are still issues, please open a new bug. ** Changed in: shim-signed (Ubuntu) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1840941 Title: kdump fails to start with secure boot enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1840941/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1840941] Re: kdump fails to start with secure boot enabled
** Bug watch added: Red Hat Bugzilla #1662929 https://bugzilla.redhat.com/show_bug.cgi?id=1662929 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1840941 Title: kdump fails to start with secure boot enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1840941/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 1840941] Re: kdump fails to start with secure boot enabled
Steve, Well, I have attempted to replicate and I can state that this specific problem is not present in Ubuntu 20.04 LTS (I downloaded ubuntu-20.04-live-server-amd64.iso on July 1, 2020). Do note that, at least for me, while the kdump capture kernel/initrd load successfully, an attempt to capture dump (ie echo c > /proc/sysrq-trigger), results in the system hanging. I suspect the root cause is the following, which I previously reported: https://bugs.launchpad.net/ubuntu/+source/kexec-tools/+bug/1908090 Bug #1908090 “ubuntu 20.04 kdump fails” : Bugs : kexec-tools package : Ubuntu<https://bugs.launchpad.net/ubuntu/+source/kexec-tools/+bug/1908090> When linux-crashdump (5.4.0.58.61) is enabled on Ubuntu 20.04 LTS, everything appears to be in good working order, according to "systemctl status kdump-tools" and "kdump-config status". However, upon an actual crash, the system hangs, and no crash files are produced. I've investigated and have learned that the capture kernel does indeed start, but it is unable to unpack the rootfs/initrd, and thus fails and hangs. [ 1.070469] Trying to unpack rootfs image as initramfs... [ 1.333182] sw... bugs.launchpad.net Thanks, eric From: boun...@canonical.com on behalf of Benedikt <1840...@bugs.launchpad.net> Sent: Tuesday, February 23, 2021 4:57 PM To: Eric Devolder Subject: [Bug 1840941] Re: kdump fails to start with secure boot enabled This seems still to be a problem? Any news on this bug? -- You received this bug notification because you are subscribed to the bug report. https://bugs.launchpad.net/bugs/1840941 Title: kdump fails to start with secure boot enabled Status in shim-signed package in Ubuntu: Fix Committed Bug description: The shim shipped in Ubuntu suffers from a bug that does not allow propagating its keys into the Linux keyring. Thus at kexec_file_load time, the signature validation fails. This is explained in these bugs/links: https://github.com/rhboot/shim/pull/153 https://bugzilla.redhat.com/show_bug.cgi?id=1662929 This problem is in Ubuntu 16.04 as well as 18.04. There is a workaround; essentially by loading an additional cert into the MOK, the bug goes away. lsb_release -rd Description: Ubuntu 18.04.3 LTS Release: 18.04 apt-cache policy shim-signed shim-signed: Installed: 1.37~18.04.3+15+1533136590.3beb971-0ubuntu1 Candidate: 1.37~18.04.3+15+1533136590.3beb971-0ubuntu1 Version table: *** 1.37~18.04.3+15+1533136590.3beb971-0ubuntu1 500 500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages 100 /var/lib/dpkg/status 1.34.9+13-0ubuntu2 500 500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages Expected to happen: Canonical keys to be listed in the Linux keyring is enabled. systemctl start kdump-tools.service is expected to succeeed What happened instead: Canonical keys not in the Linux keyring, thus kdump fails to load/start. systemctl start kdump-tools.service systemctl status kdump-tools.service Aug 21 15:43:53 vm362 systemd[1]: Starting Kernel crash dump capture service... Aug 21 15:43:53 vm362 kdump-tools[980]: Starting kdump-tools: * Creating symlin Aug 21 15:43:53 vm362 kdump-tools[980]: * Creating symlink /var/lib/kdump/initr Aug 21 15:43:54 vm362 kdump-tools[980]: kexec_file_load failed: Required key not Aug 21 15:43:54 vm362 kdump-tools[980]: * failed to load kdump kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1840941/+subscriptions -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1840941 Title: kdump fails to start with secure boot enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1840941/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1840941] Re: kdump fails to start with secure boot enabled
This seems still to be a problem? Any news on this bug? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1840941 Title: kdump fails to start with secure boot enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1840941/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1840941] Re: kdump fails to start with secure boot enabled
** Changed in: shim-signed (Ubuntu) Assignee: Mathieu Trudel-Lapierre (cyphermox) => Julian Andres Klode (juliank) ** Changed in: shim-signed (Ubuntu) Status: Confirmed => Fix Committed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1840941 Title: kdump fails to start with secure boot enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1840941/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1840941] Re: kdump fails to start with secure boot enabled
BUT, if I manually download the versions that do work together from the PPA, then kexec works! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1840941 Title: kdump fails to start with secure boot enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1840941/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1840941] Re: kdump fails to start with secure boot enabled
And the PPA mentioned above now holds a set of packages with broken dependencies. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1840941 Title: kdump fails to start with secure boot enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1840941/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1840941] Re: kdump fails to start with secure boot enabled
Still an issue with 20.04 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1840941 Title: kdump fails to start with secure boot enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1840941/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1840941] Re: kdump fails to start with secure boot enabled
Should be done very soon; we're waiting for the shim review board to review, then it can be submitted to Microsoft for signing. Expect about a week turnaround time. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1840941 Title: kdump fails to start with secure boot enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1840941/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1840941] Re: kdump fails to start with secure boot enabled
This bug is resolved upstream in commit 4b27ae03 which is included in the 15+1552672080.a4a1fbe-0ubuntu1 version of shim at https://launchpad.net/~ubuntu-uefi-team/+archive/ubuntu/ppa. Mathieu, can you comment on the timeline for this being submitted for Microsoft signing? ** Changed in: shim-signed (Ubuntu) Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1840941 Title: kdump fails to start with secure boot enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1840941/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1840941] Re: kdump fails to start with secure boot enabled
Hello, all. Adding the following information regarding a workaround found by a customer on this exact situation @ Ubuntu Bionic 18.04.3. He found that this should be caused by not importing UEFI:MokListRT cert 'Canonical Ltd. Master Certificate Authority, and devised the following workaround steps: (1) Convert CA certificate in crt format to der format: # openssl x509 -outform der -in /etc/ssl/certs/ca-certificates.crt -out new-ca.der (2) Import the CA certificate using the mokutil tool: # mokutil --import new-ca.der (3) Reboot OS (4) After reboot into MOK management interface, enter (5) Select Enroll MOK > Yes, then input the password, then reboot (6) After OS startup finish, we found that the kdump-tools works root@ubuntu:~# /etc/init.d/kdump-tools status ● kdump-tools.service - Kernel crash dump capture service Loaded: loaded (/lib/systemd/system/kdump-tools.service; enabled; vendor preset: enabled) Active: active (exited) since Tue 2019-10-08 16:13:16 EDT; 55min ago Main PID: 1061 (code=exited, status=0/SUCCESS) Tasks: 0 (limit: 4915) CGroup: /system.slice/kdump-tools.service Oct 08 16:13:15 ubuntu systemd[1]: Starting Kernel crash dump capture service... Oct 08 16:13:15 ubuntu kdump-tools[1061]: Starting kdump-tools: * Creating symlink /var/lib/kdump/vmlinuz Oct 08 16:13:15 ubuntu kdump-tools[1061]: * Creating symlink /var/lib/kdump/initrd.img Oct 08 16:13:16 ubuntu kdump-tools[1061]: * loaded kdump kernel Oct 08 16:13:16 ubuntu kdump-tools[1318]: /sbin/kexec -p -s --command-line="BOOT_IMAGE=/boot/vmlinuz-4.15.0-55-generic root=/dev/mapper/ubuntu--vg-root ro nr_cpus=1 systemd.unit=kdump…b/kdump/vmlinuz Oct 08 16:13:16 ubuntu kdump-tools[1321]: loaded kdump kernel Oct 08 16:13:16 ubuntu systemd[1]: Started Kernel crash dump capture service. Hint: Some lines were ellipsized, use -l to show in full. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1840941 Title: kdump fails to start with secure boot enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1840941/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1840941] Re: kdump fails to start with secure boot enabled
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: shim-signed (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1840941 Title: kdump fails to start with secure boot enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1840941/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs