Ubuntu
shim-signed package

  1. Bug #1840941
  2. Comment #9

Comment 9 for bug 1840941

Revision history for this message
Eric DeVolder (edevolde) wrote : Re: [Bug 1840941] Re: kdump fails to start with secure boot enabled

Steve,
Well, I have attempted to replicate and I can state that this specific problem is not present in Ubuntu 20.04 LTS (I downloaded ubuntu-20.04-live-server-amd64.iso on July 1, 2020).
Do note that, at least for me, while the kdump capture kernel/initrd load successfully, an attempt to capture dump (ie echo c > /proc/sysrq-trigger), results in the system hanging. I suspect the root cause is the following, which I previously reported:
https://bugs.launchpad.net/ubuntu/+source/kexec-tools/+bug/1908090
Bug #1908090 “ubuntu 20.04 kdump fails” : Bugs : kexec-tools package : Ubuntu<https://bugs.launchpad.net/ubuntu/+source/kexec-tools/+bug/1908090>
When linux-crashdump (5.4.0.58.61) is enabled on Ubuntu 20.04 LTS, everything appears to be in good working order, according to "systemctl status kdump-tools" and "kdump-config status". However, upon an actual crash, the system hangs, and no crash files are produced. I've investigated and have learned that the capture kernel does indeed start, but it is unable to unpack the rootfs/initrd, and thus fails and hangs. [ 1.070469] Trying to unpack rootfs image as initramfs... [ 1.333182] sw...
bugs.launchpad.net
Thanks,
eric

________________________________
From: <email address hidden> <email address hidden> on behalf of Benedikt <email address hidden>
Sent: Tuesday, February 23, 2021 4:57 PM
To: Eric Devolder <email address hidden>
Subject: [Bug 1840941] Re: kdump fails to start with secure boot enabled

This seems still to be a problem? Any news on this bug?

--
You received this bug notification because you are subscribed to the bug
report.
https://bugs.launchpad.net/bugs/1840941

Title:
  kdump fails to start with secure boot enabled

Status in shim-signed package in Ubuntu:
  Fix Committed

Bug description:
  The shim shipped in Ubuntu suffers from a bug that does not allow propagating its
  keys into the Linux keyring. Thus at kexec_file_load time, the signature
  validation fails.

  This is explained in these bugs/links:
  https://github.com/rhboot/shim/pull/153
  https://bugzilla.redhat.com/show_bug.cgi?id=1662929

  This problem is in Ubuntu 16.04 as well as 18.04.

  There is a workaround; essentially by loading an additional cert into the
  MOK, the bug goes away.

  lsb_release -rd
  Description: Ubuntu 18.04.3 LTS
  Release: 18.04

  apt-cache policy shim-signed
  shim-signed:
    Installed: 1.37~18.04.3+15+1533136590.3beb971-0ubuntu1
    Candidate: 1.37~18.04.3+15+1533136590.3beb971-0ubuntu1
    Version table:
   *** 1.37~18.04.3+15+1533136590.3beb971-0ubuntu1 500
          500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       1.34.9+13-0ubuntu2 500
          500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages

  Expected to happen:
  Canonical keys to be listed in the Linux keyring is enabled.
  systemctl start kdump-tools.service is expected to succeeed

  What happened instead:
  Canonical keys not in the Linux keyring, thus kdump fails to load/start.
  systemctl start kdump-tools.service
  systemctl status kdump-tools.service
  Aug 21 15:43:53 vm362 systemd[1]: Starting Kernel crash dump capture service...
  Aug 21 15:43:53 vm362 kdump-tools[980]: Starting kdump-tools: * Creating symlin
  Aug 21 15:43:53 vm362 kdump-tools[980]: * Creating symlink /var/lib/kdump/initr
  Aug 21 15:43:54 vm362 kdump-tools[980]: kexec_file_load failed: Required key not
  Aug 21 15:43:54 vm362 kdump-tools[980]: * failed to load kdump kernel

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1840941/+subscriptions