Takashi Iwai changed bug 947816
What Removed Added
Flags needinfo?(ptesarik@suse.com)  

Comment # 6 on bug 947816 from
(In reply to Joey Lee from comment #5)
> (In reply to Takashi Iwai from comment #4)
> > (In reply to Joey Lee from comment #3)
> > > (In reply to Takashi Iwai from comment #0)
> > > > Loading kdump on openSUSE Leap beta1 failed.
> > > > 
> > > > journal shows:
> > > > 
> > > > kdump[7917]: Loaded kdump kernel: /sbin/kexec -p
> > > > /boot/vmlinuz-4.1.6-10-desktop --append="quiet elevator=deadline sysrq=yes
> > > > reset_devices acpi_no_memhotplug cgroup_disable=memory irqpoll nr_cpus=1
> > > > root=kdump disable_cpu_apicid=0   panic=1"
> > > > --initrd=/boot/initrd-4.1.6-10-desktop-kdump  -s, Result: kexec_file_load
> > > > failed: Key was rejected by service
> > > > load.sh[7861]: kexec_file_load failed: Key was rejected by service
> > > 
> > > openSUSE doesn't support kernel module verification, so the kernel didn't
> > > embed a key. I think that's why the crash kernel binary doesn't pass the
> > > verification.
> > 
> > Thanks, this is what I expected from the journal message.
> >  
> 
> I just changed CONFIG_KEXEC_VERIFY_SIG in the config files of x86_64.
> Waiting for the merge into the openSUSE-42.1 kernel.

Now pulled, thanks.  I guess we need to fix the same for stable and master,
too?

> > > I will set CONFIG_KEXEC_VERIFY_SIG=n then check the status of loading crash
> > > kernel by kexec.
> > 
> > OK, that should work.  But this made me wonder whether SLE12 kdump package
> > would ever work with other kernels than SLE's standard one?
> 
> hm... Currently the logic in the kdump package checks for the x86_64
> architecture and then directly calls the kexec_file_load() syscall.
> 
> From the viewpoint of security, the kernel should block non-secure interfaces
> or enable the verification mechanism. I think the kdump package should try 2
> interfaces, kexec_load and kexec_file_load, even though the kernel may block
> them because of security.
> 
> I will send a patch to modify the kdump logic.

It sounds good.
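
The two-interface fallback proposed in the quoted reply above, sketched as an added example; it is not the kdump package's load.sh and not part of this mail. `KEXEC`, `try_kexec` and `load_crash_kernel` are hypothetical names, and the sketch assumes that kexec called without `-s` uses the kexec_load syscall.

```shell
#!/bin/sh
# Added illustration, not code from the kdump package.
# KEXEC is overridable so the logic can be exercised with a stub (assumption).
KEXEC="${KEXEC:-/sbin/kexec}"

# try_kexec FLAG KERNEL INITRD CMDLINE
# One load attempt; FLAG is "-s" (kexec_file_load) or "" (assumed kexec_load).
# kexec's combined output is kept in LAST_OUTPUT for the caller to report.
try_kexec() {
    flag=$1
    shift
    LAST_OUTPUT=$("$KEXEC" -p "$1" --append="$3" --initrd="$2" ${flag:+"$flag"} 2>&1)
}

# load_crash_kernel KERNEL INITRD CMDLINE
# Sets USED_INTERFACE to kexec_file_load, kexec_load or none.
load_crash_kernel() {
    USED_INTERFACE=none

    # First choice: kexec_file_load, where the kernel can verify the image
    # signature (CONFIG_KEXEC_VERIFY_SIG).
    if try_kexec -s "$@"; then
        USED_INTERFACE=kexec_file_load
        return 0
    fi
    FIRST_ERROR=$LAST_OUTPUT

    # Second choice: kexec_load. The kernel stays the enforcement point: if its
    # policy blocks this interface, the attempt fails and nothing is loaded.
    if try_kexec "" "$@"; then
        USED_INTERFACE=kexec_load
        # Record the downgrade so it is visible in the journal.
        echo "kexec_file_load failed ($FIRST_ERROR); loaded via kexec_load" >&2
        return 0
    fi

    echo "kdump kernel not loaded: [$FIRST_ERROR] [$LAST_OUTPUT]" >&2
    return 1
}
```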
