kdump fails to start with secure boot enabled

Status changed to 'Confirmed' because the bug affects multiple users.

Hello, all.

Adding the following information regarding a workaround found by a customer on this exact situation @ Ubuntu Bionic 18.04.3.

He found that this should be caused by not importing UEFI:MokListRT cert 'Canonical Ltd. Master Certificate Authority, and devised the following workaround steps:

(1) Convert CA certificate in crt format to der format:
# openssl x509 -outform der -in /etc/ssl/certs/ca-certificates.crt -out new-ca.der

(2) Import the CA certificate using the mokutil tool:
# mokutil --import new-ca.der

(3) Reboot OS

(4) After reboot into MOK management interface, enter

(5) Select Enroll MOK > Yes, then input the password, then reboot

(6) After OS startup finish, we found that the kdump-tools works
root@ubuntu:~# /etc/init.d/kdump-tools status
● kdump-tools.service - Kernel crash dump capture service
Loaded: loaded (/lib/systemd/system/kdump-tools.service; enabled; vendor preset: enabled)
Active: active (exited) since Tue 2019-10-08 16:13:16 EDT; 55min ago
Main PID: 1061 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 4915)
CGroup: /system.slice/kdump-tools.service

Oct 08 16:13:15 ubuntu systemd[1]: Starting Kernel crash dump capture service...
Oct 08 16:13:15 ubuntu kdump-tools[1061]: Starting kdump-tools: * Creating symlink /var/lib/kdump/vmlinuz
Oct 08 16:13:15 ubuntu kdump-tools[1061]: * Creating symlink /var/lib/kdump/initrd.img
Oct 08 16:13:16 ubuntu kdump-tools[1061]: * loaded kdump kernel
Oct 08 16:13:16 ubuntu kdump-tools[1318]: /sbin/kexec -p -s --command-line="BOOT_IMAGE=/boot/vmlinuz-4.15.0-55-generic root=/dev/mapper/ubuntu--vg-root ro nr_cpus=1 systemd.unit=kdump…b/kdump/vmlinuz
Oct 08 16:13:16 ubuntu kdump-tools[1321]: loaded kdump kernel
Oct 08 16:13:16 ubuntu systemd[1]: Started Kernel crash dump capture service.
Hint: Some lines were ellipsized, use -l to show in full.

This bug is resolved upstream in commit 4b27ae03 which is included in the 15+1552672080.a4a1fbe-0ubuntu1 version of shim at https://launchpad.net/~ubuntu-uefi-team/+archive/ubuntu/ppa. Mathieu, can you comment on the timeline for this being submitted for Microsoft signing?

Should be done very soon; we're waiting for the shim review board to review, then it can be submitted to Microsoft for signing. Expect about a week turnaround time.

Still an issue with 20.04

And the PPA mentioned above now holds a set of packages with broken dependencies.

BUT, if I manually download the versions that do work together from the PPA, then kexec works!

This seems still to be a problem? Any news on this bug?

Steve,
Well, I have attempted to replicate and I can state that this specific problem is not present in Ubuntu 20.04 LTS (I downloaded ubuntu-20.04-live-server-amd64.iso on July 1, 2020).
Do note that, at least for me, while the kdump capture kernel/initrd load successfully, an attempt to capture dump (ie echo c > /proc/sysrq-trigger), results in the system hanging. I suspect the root cause is the following, which I previously reported:
https://bugs.launchpad.net/ubuntu/+source/kexec-tools/+bug/1908090
Bug #1908090 “ubuntu 20.04 kdump fails” : Bugs : kexec-tools package : Ubuntu<https://bugs.launchpad.net/ubuntu/+source/kexec-tools/+bug/1908090>
When linux-crashdump (5.4.0.58.61) is enabled on Ubuntu 20.04 LTS, everything appears to be in good working order, according to "systemctl status kdump-tools" and "kdump-config status". However, upon an actual crash, the system hangs, and no crash files are produced. I've investigated and have learned that the capture kernel does indeed start, but it is unable to unpack the rootfs/initrd, and thus fails and hangs. [ 1.070469] Trying to unpack rootfs image as initramfs... [ 1.333182] sw...
bugs.launchpad.net
Thanks,
eric

________________________________
From: <email address hidden> <email address hidden> on behalf of Benedikt <email address hidden>
Sent: Tuesday, February 23, 2021 4:57 PM
To: Eric Devolder <email address hidden>
Subject: [Bug 1840941] Re: kdump fails to start with secure boot enabled

This seems still to be a problem? Any news on this bug?

--
You received this bug notification because you are subscribed to the bug
report.
https://bugs.launchpad.net/bugs/1840941

Title:
  kdump fails to start with secure boot enabled

Status in shim-signed package in Ubuntu:
  Fix Committed

Bug description:
  The shim shipped in Ubuntu suffers from a bug that does not allow propagating its
  keys into the Linux keyring. Thus at kexec_file_load time, the signature
  validation fails.

  This is explained in these bugs/links:
  https://github.com/rhboot/shim/pull/153
  https://bugzilla.redhat.com/show_bug.cgi?id=1662929

  This problem is in Ubuntu 16.04 as well as 18.04.

  There is a workaround; essentially by loading an additional cert into the
  MOK, the bug goes away.

  lsb_release -rd
  Description: Ubuntu 18.04.3 LTS
  Release: 18.04

  apt-cache policy shim-signed
  shim-signed:
    Installed: 1.37~18.04.3+15+1533136590.3beb971-0ubuntu1
    Candidate: 1.37~18.04.3+15+1533136590.3beb971-0ubuntu1
    Version table:
   *** 1.37~18.04.3+15+1533136590.3beb971-0ubuntu1 500
          500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       1.34.9+13-0ubuntu2 500
          500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages

  Expected to happen:
  Canonical keys to be listed in the Linux keyring is enabled.
  systemctl start kdump-tools.service is expected to succeeed

  What happened instead:
  Canonical keys not in the Linux keyring, thus kdump fails to load/start.
  systemctl start kdump-tools.service
  systemctl status kdump-tools.service
  Aug 21 15:43:53 vm362 systemd[1]: Starting Kernel crash dump capture serv...

This was fixed in 15+1552672080.a4a1fbe-0ubuntu2 as mentioned earlier by Steve, if there are still issues, please open a new bug.

I'm testing it on ubuntu 2204, with shim version
 apt-cache policy shim-signed
shim-signed:
  Installed: 1.51.3+15.7-0ubuntu1
  Candidate: 1.51.3+15.7-0ubuntu1
  Version table:
 *** 1.51.3+15.7-0ubuntu1 500
        500 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main arm64 Packages
        100 /var/lib/dpkg/status
     1.51+15.4-0ubuntu9 500
        500 http://ports.ubuntu.com/ubu

However, dump-config show still says
# kdump-config show
DUMP_MODE: kdump
USE_KDUMP: 1
KDUMP_COREDIR: /var/crash
crashkernel addr: 0xce000000
   /var/lib/kdump/vmlinuz: symbolic link to /boot/vmlinuz-5.15.0-1015-bluefield
kdump initrd:
   /var/lib/kdump/initrd.img: symbolic link to /var/lib/kdump/initrd.img-5.15.0-1015-bluefield
current state: Not ready to kdump

dmesg shows
[ 109.604563] Lockdown: kexec: kexec of unsigned images is restricted; see man kernel_lockdown.7

should I disable kernel_lockdown? or sing the kexec binary?
Thanks!