Comment # 7 on bug 947816 from 
(In reply to Takashi Iwai from comment #6)
> (In reply to Joey Lee from comment #5)
> > (In reply to Takashi Iwai from comment #4)
> > > (In reply to Joey Lee from comment #3)
> > > > (In reply to Takashi Iwai from comment #0)
> > > > > Loading kdump on openSUSE Leap beta1 failed.
> > > > > 
> > > > > journal shows:
> > > > > 
> > > > > kdump[7917]: Loaded kdump kernel: /sbin/kexec -p
> > > > > /boot/vmlinuz-4.1.6-10-desktop --append="quiet elevator=deadline sysrq=yes
> > > > > reset_devices acpi_no_memhotplug cgroup_disable=memory irqpoll nr_cpus=1
> > > > > root=kdump disable_cpu_apicid=0   panic=1"
> > > > > --initrd=/boot/initrd-4.1.6-10-desktop-kdump  -s, Result: kexec_file_load
> > > > > failed: Key was rejected by service
> > > > > load.sh[7861]: kexec_file_load failed: Key was rejected by service
> > > > 
> > > > openSUSE doesn't support kernel module verification, so kernel didn't
> > > > embedded key. I think that's why the crash kernel binary doesn't pass the
> > > > verification.
> > > 
> > > Thanks, this is what I expected from the journal message.
> > >  
> > 
> > I just changed the CONFIG_KEXEC_VERIFY_SIG in config files of x86_64.
> > Waiting merge to openSUSE-42.1 kernel.
> 
> Now pulled, thanks.  I guess we need to fix the same for stable and master,
> too?
> 

Thanks for your reminding, I just push changes to stable and master in my home
branch.

> > > > I will set CONFIG_KEXEC_VERIFY_SIG=n then check the status of loading crash
> > > > kernel by kexec.
> > > 
> > > OK, that should work.  But this made me wonder whether SLE12 kdump package
> > > would ever work with other kernels than SLE's standard one?
> > 
> > hm... Currently the logic in kdump package is checking x86_64 architecture
> > then direct call kexec_file_load() syscall.
> > 
> > From the viewpoint of security, kernel should blocks non-secure interfaces
> > or enable the verification mechanism. I think kdump package should try 2
> > interfaces, kexec_load and kexec_file_load, even kernel may blocked them
> > because security.
> > 
> > I will send patch to modify kdump logic.
> 
> It sounds good.

You are receiving this mail because: