kdump fails to start with secure boot enabled
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
shim-signed (Ubuntu) | Fix Released | Undecided | Julian Andres Klode |
Bug Description
The shim shipped in Ubuntu suffers from a bug that does not allow propagating its
keys into the Linux keyring. Thus at kexec_file_load time, the signature
validation fails.
This is explained in these bugs/links:
https:/
https:/
This problem is in Ubuntu 16.04 as well as 18.04.
There is a workaround; essentially by loading an additional cert into the
MOK, the bug goes away.
lsb_release -rd
Description: Ubuntu 18.04.3 LTS
Release: 18.04
apt-cache policy shim-signed
shim-signed:
Installed: 1.37~18.
Candidate: 1.37~18.
Version table:
*** 1.37~18.
500 http://
100 /var/lib/
1.
500 http://
Expected to happen:
Canonical keys to be listed in the Linux keyring is enabled.
systemctl start kdump-tools.service is expected to succeed
What happened instead:
Canonical keys not in the Linux keyring, thus kdump fails to load/start.
systemctl start kdump-tools.service
systemctl status kdump-tools.service
Aug 21 15:43:53 vm362 systemd[1]: Starting Kernel crash dump capture service...
Aug 21 15:43:53 vm362 kdump-tools[980]: Starting kdump-tools: * Creating symlin
Aug 21 15:43:53 vm362 kdump-tools[980]: * Creating symlink /var/lib/
Aug 21 15:43:54 vm362 kdump-tools[980]: kexec_file_load failed: Required key not
Aug 21 15:43:54 vm362 kdump-tools[980]: * failed to load kdump kernel
Changed in shim-signed (Ubuntu):
assignee: Mathieu Trudel-Lapierre (cyphermox) → Julian Andres Klode (juliank)
status: Confirmed → Fix Committed
Status changed to 'Confirmed' because the bug affects multiple users.
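
A triage check for the failure in the bug description, as an added example that is not part of the original report or of kdump-tools: it correlates the kexec_file_load error with whether a Canonical key appears in a /proc/keys-format listing. The function names, verdict strings and sample key lines are constructed, and it assumes the listing was taken as root so the system keyrings are visible.

```shell
#!/bin/sh
# Added triage example; not code from the bug report or from kdump-tools.

# True if the log holds the kexec_file_load signature error quoted in the report.
has_kexec_key_error() {
    grep -q 'kexec_file_load failed: Required key not' "$1"
}

# True if a /proc/keys-format listing holds an asymmetric key whose
# description mentions Canonical (column 8 is the type, shown as "asymmetri").
has_canonical_key() {
    awk '$8 ~ /^asymmetri/ && /Canonical/ { found = 1 }
         END { exit (found ? 0 : 1) }' "$1"
}

# Usage: triage LOGFILE KEYSFILE ; prints one verdict string (hypothetical names).
triage() {
    if ! has_kexec_key_error "$1"; then
        echo "no-kexec-signature-error"
    elif has_canonical_key "$2"; then
        echo "canonical-key-present-check-kernel-signature"
    else
        echo "canonical-key-missing-from-keyring"
    fi
}

# Constructed sample inputs so the example runs offline.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/journal.txt" <<'EOF'
Aug 21 15:43:53 vm362 systemd[1]: Starting Kernel crash dump capture service...
Aug 21 15:43:54 vm362 kdump-tools[980]: kexec_file_load failed: Required key not
Aug 21 15:43:54 vm362 kdump-tools[980]: * failed to load kdump kernel
EOF
cat > "$SAMPLES/keys_before.txt" <<'EOF'
1a2b3c4d I------     1 perm 1f030000     0     0 asymmetri Example Build Key (constructed): 00112233: X509.rsa 00112233 []
2b3c4d5e I------     1 perm 1f0b0000     0     0 keyring   .builtin_trusted_keys: 1
EOF
cat > "$SAMPLES/keys_after.txt" <<'EOF'
1a2b3c4d I------     1 perm 1f030000     0     0 asymmetri Example Build Key (constructed): 00112233: X509.rsa 00112233 []
3c4d5e6f I------     1 perm 1f030000     0     0 asymmetri Canonical Ltd. sample key (constructed): 44556677: X509.rsa 44556677 []
EOF

triage "$SAMPLES/journal.txt" "$SAMPLES/keys_before.txt"
triage "$SAMPLES/journal.txt" "$SAMPLES/keys_after.txt"
```

On a live system, save `journalctl -u kdump-tools.service -b` to a file and pass it with `/proc/keys` as the second argument.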