http://bugzilla.opensuse.org/show_bug.cgi?id=947816
http://bugzilla.opensuse.org/show_bug.cgi?id=947816#c7

--- Comment #7 from Joey Lee <jlee@suse.com> ---
(In reply to Takashi Iwai from comment #6)
(In reply to Joey Lee from comment #5)
(In reply to Takashi Iwai from comment #4)
(In reply to Joey Lee from comment #3)
(In reply to Takashi Iwai from comment #0)
Loading kdump on openSUSE Leap beta1 failed.
journal shows:
kdump[7917]: Loaded kdump kernel: /sbin/kexec -p /boot/vmlinuz-4.1.6-10-desktop --append="quiet elevator=deadline sysrq=yes reset_devices acpi_no_memhotplug cgroup_disable=memory irqpoll nr_cpus=1 root=kdump disable_cpu_apicid=0 panic=1" --initrd=/boot/initrd-4.1.6-10-desktop-kdump -s, Result: kexec_file_load failed: Key was rejected by service
load.sh[7861]: kexec_file_load failed: Key was rejected by service
openSUSE doesn't support kernel module verification, so the kernel didn't embed a key. I think that's why the crash kernel binary doesn't pass the verification.
Thanks, this is what I expected from the journal message.
I just changed CONFIG_KEXEC_VERIFY_SIG in the config files of x86_64. Waiting for the merge to the openSUSE-42.1 kernel.
Now pulled, thanks. I guess we need to fix the same for stable and master, too?
Thanks for the reminder, I just pushed the changes to stable and master in my home branch.
I will set CONFIG_KEXEC_VERIFY_SIG=n, then check the status of loading the crash kernel by kexec.
OK, that should work. But this made me wonder whether SLE12 kdump package would ever work with other kernels than SLE's standard one?
Hm... Currently the logic in the kdump package checks for the x86_64 architecture and then directly calls the kexec_file_load() syscall.
From the viewpoint of security, the kernel should block non-secure interfaces or enable the verification mechanism. I think the kdump package should try 2 interfaces, kexec_load and kexec_file_load, even if the kernel may block them because of security.
I will send a patch to modify the kdump logic.
It sounds good.
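The two-interface approach discussed in this thread, sketched as an added example; it is not the kdump package's load.sh and not the patch mentioned above. The names `load_crash_kernel`, `KEXEC` and `LOAD_METHOD` are hypothetical, and the only kexec options used are the ones visible in the journal line (`-p`, `--append`, `--initrd`, `-s`).

```shell
#!/bin/sh
# Added example (hypothetical wrapper, not the kdump package's code).
# KEXEC can be overridden so the logic can be exercised without
# actually loading a kernel.
KEXEC="${KEXEC:-/sbin/kexec}"

# load_crash_kernel KERNEL INITRD CMDLINE
# Tries kexec_file_load first, then kexec_load.
# Sets LOAD_METHOD to kexec_file_load, kexec_load or none.
# Returns 0 if either interface accepted the crash kernel.
load_crash_kernel() {
    kernel=$1
    initrd=$2
    cmdline=$3
    LOAD_METHOD=none

    # First choice: -s selects the kexec_file_load syscall, as in the
    # journal line. With CONFIG_KEXEC_VERIFY_SIG=y the kernel checks the
    # image signature here and may answer "Key was rejected by service".
    if err=$("$KEXEC" -p "$kernel" --append="$cmdline" \
                      --initrd="$initrd" -s 2>&1); then
        LOAD_METHOD=kexec_file_load
        return 0
    fi
    echo "kexec_file_load failed: $err" >&2

    # Fallback: same command without -s, i.e. the kexec_load syscall.
    # Userspace only asks; as the thread notes, it is the kernel's job
    # to block this interface when its security policy requires it.
    if err=$("$KEXEC" -p "$kernel" --append="$cmdline" \
                      --initrd="$initrd" 2>&1); then
        LOAD_METHOD=kexec_load
        return 0
    fi
    echo "kexec_load failed: $err" >&2

    # Both interfaces refused: report failure so the service unit
    # shows that no crash kernel is loaded.
    return 1
}
```

Logging which interface succeeded (here via `LOAD_METHOD`) lets an administrator see from the journal whether the crash kernel went through the verifying path or the fallback.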