Comment # 5 on bug 947816 from
(In reply to Takashi Iwai from comment #4)
> (In reply to Joey Lee from comment #3)
> > (In reply to Takashi Iwai from comment #0)
> > > Loading kdump on openSUSE Leap beta1 failed.
> > > 
> > > journal shows:
> > > 
> > > kdump[7917]: Loaded kdump kernel: /sbin/kexec -p
> > > /boot/vmlinuz-4.1.6-10-desktop --append="quiet elevator=deadline sysrq=yes
> > > reset_devices acpi_no_memhotplug cgroup_disable=memory irqpoll nr_cpus=1
> > > root=kdump disable_cpu_apicid=0   panic=1"
> > > --initrd=/boot/initrd-4.1.6-10-desktop-kdump  -s, Result: kexec_file_load
> > > failed: Key was rejected by service
> > > load.sh[7861]: kexec_file_load failed: Key was rejected by service
> > 
> > openSUSE doesn't support kernel module verification, so the kernel didn't
> > embed a key. I think that's why the crash kernel binary doesn't pass the
> > verification.
> 
> Thanks, this is what I expected from the journal message.
>  

I just changed CONFIG_KEXEC_VERIFY_SIG in the config files of x86_64. Waiting
for the merge to the openSUSE-42.1 kernel.

> > I will set CONFIG_KEXEC_VERIFY_SIG=n then check the status of loading crash
> > kernel by kexec.
> 
> OK, that should work.  But this made me wonder whether SLE12 kdump package
> would ever work with other kernels than SLE's standard one?

Hm... Currently the logic in the kdump package checks for the x86_64
architecture and then directly calls the kexec_file_load() syscall.

From the viewpoint of security, the kernel should block non-secure interfaces
or enable the verification mechanism. I think the kdump package should try 2
interfaces, kexec_load and kexec_file_load, even if the kernel may have blocked
them because of security.

I will send a patch to modify the kdump logic.
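
The two-interface approach discussed in this comment, sketched as an added example that is not part of the comment or of the kdump package: try kexec_file_load first (the `-s` seen in the journal line) and fall back to kexec_load, logging the downgrade. `KEXEC`, `load_crash_kernel` and `LOADED_VIA` are hypothetical names.

```shell
#!/bin/sh
# Added example, not the kdump package's code.
# KEXEC, load_crash_kernel and LOADED_VIA are hypothetical names.
KEXEC=${KEXEC:-/sbin/kexec}

load_crash_kernel() {
    lck_kernel=$1; lck_initrd=$2; lck_cmdline=$3
    LOADED_VIA=""

    # First choice: -s selects kexec_file_load(), the interface on which the
    # kernel can verify the image signature (CONFIG_KEXEC_VERIFY_SIG).
    if lck_err=$("$KEXEC" -p "$lck_kernel" --initrd="$lck_initrd" \
                 --append="$lck_cmdline" -s 2>&1); then
        LOADED_VIA=kexec_file_load
        return 0
    fi
    # Log why the verified path failed so the downgrade shows up in the journal.
    echo "kexec_file_load failed ($lck_err); trying kexec_load" >&2

    # Fallback: without -s, kexec uses the older kexec_load() syscall.
    # The kernel may still refuse it for security reasons; that refusal is
    # reported rather than worked around.
    if lck_err=$("$KEXEC" -p "$lck_kernel" --initrd="$lck_initrd" \
                 --append="$lck_cmdline" 2>&1); then
        LOADED_VIA=kexec_load
        return 0
    fi
    echo "kexec_load failed too ($lck_err); crash kernel not loaded" >&2
    return 1
}
```

After a call, `LOADED_VIA` records which syscall loaded the crash kernel, so a service script can log whether the signature-checking path was used.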

