IBM Support

On secure boot-enabled systems with static keys, running the kexec command with the kexec_file_load (-s) option fails when fadump is enabled.

Flashes (Alerts)


Abstract

When the kexec command is run with the kexec_file_load (-s) option on secure boot-enabled systems with static keys, the command fails with the error message Permission Denied. The failure occurs when FAdump is enabled.

Content

Linux Releases Affected
Red Hat Enterprise Linux (RHEL) 8.5 and later
RHEL 9.0 and later

IBM Systems Affected
Power10 systems

Symptoms
When you run the kexec command with the kexec_file_load (-s) option on a secure boot-enabled system with FAdump enabled (fadump=on), the kexec command fails with the error message Permission Denied.
[root@ltcrain108-lp13 ~]# kexec -s -l /boot/vmlinuz-$(uname -r) --append="$(cat /proc/cmdline)" --initrd /boot/initramfs-$(uname -r).img
kexec_file_load failed: Permission denied
[root@ltcrain108-lp13 ~]# echo $?
255
[root@ltcrain108-lp13 ~]#

Workaround
Before you run the kexec command, you must load the kernel signing key manually by using the following command:
cat /usr/share/doc/kernel-keys/`uname -r`/kernel-signing-ppc.cer | keyctl padd asymmetric "" %:.ima
Note: An update made at runtime by using tools such as keyctl does not persist after a system reboot. You must load the kernel signing key manually after every reboot.
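
Because the key must be reloaded after every reboot, the workaround can be wrapped in a small script. The following is an added example, not code from IBM or Red Hat; the function names and the --apply argument are hypothetical, and the only keyctl invocation is the one shown in the workaround.

```shell
#!/bin/sh
# Added example: re-apply the kernel signing key workaround after a reboot.
# Function names and the --apply argument are assumptions of this example.

# Return 0 when the given kernel command line contains fadump=on
# (the only FAdump setting named in this flash).
fadump_enabled() {
    case " $1 " in
        *" fadump=on "*) return 0 ;;
    esac
    return 1
}

# Print the certificate path used by the workaround for a kernel release.
signing_cert_path() {
    printf '/usr/share/doc/kernel-keys/%s/kernel-signing-ppc.cer\n' "$1"
}

# Load the certificate into the .ima keyring with the workaround's command.
# Returns 2 without calling keyctl when the certificate is not readable.
load_ima_key() {
    if [ ! -r "$1" ]; then
        echo "kernel signing certificate not readable: $1" >&2
        return 2
    fi
    keyctl padd asymmetric "" %:.ima < "$1"
}

# Apply the workaround only when the running kernel was booted with fadump=on.
apply_workaround() {
    if ! fadump_enabled "$(cat /proc/cmdline)"; then
        echo "fadump=on not present on the kernel command line; nothing to do"
        return 0
    fi
    load_ima_key "$(signing_cert_path "$(uname -r)")"
}

# Nothing is changed unless the script is invoked with --apply.
if [ "${1:-}" = "--apply" ]; then
    apply_workaround
fi
```

Run the script as root with --apply from a boot-time job so that the key is present before any kexec -s call.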

Fix Outlook
You can track the fix outlook by viewing:
RHEL bug numbers: 14002, 14003

Document Information

Modified date:
16 November 2023

UID

ibm17051172