[Bug 1869672] Re: Kdump broken since 4.15.0-65 on secureboot - purgatory cannot load

[Guilherme G. Piccoli]

** Description changed:

- Thank you for reading this report.
- This may caused by bugs in kernel, not in kdump. If so, I will report this to 
kernel team.
- I need your comment to solve this.
+ [Impact]
+ * Kdump kernel can't be loaded using Linux kernel 4.15.0-65 and newer on 
Bionic; kexec fails to load using the "new" kexec_file_load() syscall, showing 
the following messages in dmesg:
  
- [Impact]
- * Kdump kernel can't be loaded using linux kernel 4.15.0-76.
+ kexec: Undefined symbol: __stack_chk_fail
+ kexec-bzImage64: Loading purgatory failed
  
- [Environment]
- Description:    Ubuntu 18.04.4 LTS
- Release:        18.04
+ * Reason for this was that backport from upstream commit b059f801a937
+ ("x86/purgatory: Use CFLAGS_REMOVE rather than reset KBUILD_CFLAGS")
+ makes use of a config option guard that wasn't backported to Ubuntu
+ 4.15.x series.
  
- uname:
- Linux ubuntu 4.15.0-76-generic #86-Ubuntu SMP Fri Jan 17 17:24:28 UTC 2020 
x86_64 x86_64 x86_64 GNU/Linux
- 
- Secure boot is enabled.
- 
- Versions:
- * kexec-tools/bionic-updates,now 1:2.0.16-1ubuntu1.1
- * kdump-tools/bionic-updates,now 1:1.6.5-1ubuntu1~18.04.4
+ * Also, we found another related issue, an undefined memcpy() symbol,
+ that was related to the above patch too. We propose here a specific fix
+ for Bionic, in the form of the patch attached in comment #18.
  
  [Test case]
- 1)After OS booted, run systemctl status kdump-tools shows these messages 
below:
  
- ....
- ● kdump-tools.service - Kernel crash dump capture service
-    Loaded: loaded (/lib/systemd/system/kdump-tools.service; enabled; vendor 
preset: enabled)
-    Active: active (exited) since Fri 2020-03-27 16:40:31 JST; 5min ago
-   Process: 895 ExecStart=/etc/init.d/kdump-tools start (code=exited, 
status=0/SUCCESS)
-  Main PID: 895 (code=exited, status=0/SUCCESS)
+ * Basically the test consists in booting a signed kernel in a secure
+ boot environment (this is required given Ubuntu kernel is built with
+ CONFIG_KEXEC_VERIFY_SIG so to use kexec_file_load() we must be in a
+ proper signed/secure booted system). It works until 4.15.0-64, and
+ starts to fail after this release, until the current proposed version
+ 4.15.0-97. We can also check kdump-tools service in the failing case,
+ which shows:
  
- Mar 27 16:40:31 ubuntu systemd[1]: Starting Kernel crash dump capture 
service...
- Mar 27 16:40:31 ubuntu kdump-tools[895]: Starting kdump-tools:  * Creating 
symlink /var/lib/kdump/vmlinuz
- Mar 27 16:40:31 ubuntu kdump-tools[895]:  * Creating symlink 
/var/lib/kdump/initrd.img
- Mar 27 16:40:31 ubuntu kdump-tools[895]: kexec_file_load failed: Exec format 
error
- Mar 27 16:40:31 ubuntu kdump-tools[895]:  * failed to load kdump kernel
- Mar 27 16:40:31 ubuntu systemd[1]: Started Kernel crash dump capture service.
- ....
+ systemctl status kdump-tools
+ [...]
+ kdump-tools[895]: Starting kdump-tools: * Creating symlink 
/var/lib/kdump/vmlinuz
+ kdump-tools[895]: * Creating symlink /var/lib/kdump/initrd.img
+ kdump-tools[895]: kexec_file_load failed: Exec format error
+ kdump-tools[895]: * failed to load kdump kernel
+ [...]
  
- 2)Run kexec directly:
- $ sudo /sbin/kexec -p --command-line="/boot/vmlinuz-4.15.0-76-generic 
root=UUID=29a89ad8-8923-435e-a88c-aaf5cb379568 ro mce=ignore_ce reset_devices 
systemd.unit=kdump-tools-dump.service nr_cpus=1 irqpoll nousb 
ata_piix.prefer_ms_hyperv=0" --initrd=/boot/initrd.img-4.15.0-76-generic 
/boot/vmlinuz-4.15.0-64-generic
+ * With the patch attached in the LP, it works normally again and I was
+ able to collect a kdump.
  
- Then,these messages are shown:
- Cannot open /proc/kcore: Operation not permitted
- Cannot read /proc/kcore: Operation not permitted
- Cannot load /boot/vmlinuz-4.15.0-76-generic
+ [Regression potential]
  
- On dmesg, these messages are shown:
- ....
- [  538.524718] Lockdown: /proc/kcore is restricted; see man kernel_lockdown.7
- ....
- 
- 3) Changing OS kernel to older one(I used 4.15.0-64), kdump kernel can
- be loaded.
- 
- $ sudo systemctl status kdump-tools
- ● kdump-tools.service - Kernel crash dump capture service
-    Loaded: loaded (/lib/systemd/system/kdump-tools.service; enabled; vendor 
preset: enabled)
-    Active: active (exited) since Wed 2020-03-25 13:39:03 JST; 5 days ago
-  Main PID: 832 (code=exited, status=0/SUCCESS)
-     Tasks: 0 (limit: 4915)
-    CGroup: /system.slice/kdump-tools.service
- 
- Mar 25 13:39:02 ubuntu systemd[1]: Starting Kernel crash dump capture 
service...
- Mar 25 13:39:02 ubuntu kdump-tools[832]: Starting kdump-tools:  * Creating 
symlink /var/lib/kdump/vmlinuz
- Mar 25 13:39:02 ubuntu kdump-tools[832]:  * Creating symlink 
/var/lib/kdump/initrd.img
- Mar 25 13:39:03 ubuntu kdump-tools[832]:  * loaded kdump kernel
- Mar 25 13:39:03 ubuntu kdump-tools[938]: loaded kdump kernel
- Mar 25 13:39:03 ubuntu systemd[1]: Started Kernel crash dump capture service.
+ * Given the patch is quite simple and fixes the build of purgatory, I
+ think the regression potential is low. One potential regression in
+ future would be on backports to purgatory Makefile, making them more
+ difficult/prone to errors; given purgatory is a pretty untouchable code,
+ I consider the regression potential here to be really low.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1869672

Title:
  Kdump broken since 4.15.0-65 on secureboot - purgatory cannot load

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1869672/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs