diff --git a/force-use-secure-load-func.patch b/force-use-secure-load-func.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3dc940af2f1f6d2bc88e4d5c54bd799d0eab81e5
--- /dev/null
+++ b/force-use-secure-load-func.patch
@@ -0,0 +1,160 @@
+From ea8dd9630fb496af5ea32e1b68608f232b1db1d1 Mon Sep 17 00:00:00 2001
+From: zhangjian
+Date: Sat, 5 Jul 2025 07:20:57 +0800
+Subject: [PATCH] test
+
+---
+ dracut-early-kdump.sh | 5 ++---
+ kdump-lib.sh | 29 +++++++++++++++++++++++++++++
+ kdump.sysconfig.x86_64 | 5 -----
+ kdumpctl | 13 ++++++-------
+ kexec-tools.spec | 5 ++++-
+ 5 files changed, 41 insertions(+), 16 deletions(-)
+
+diff --git a/dracut-early-kdump.sh b/dracut-early-kdump.sh
+index 6788a6b..5f8efcd 100755
+--- a/dracut-early-kdump.sh
++++ b/dracut-early-kdump.sh
+@@ -2,7 +2,6 @@
+
+ KEXEC=/sbin/kexec
+standard_kexec_args="-p"
+-KDUMP_FILE_LOAD=""
+
+ EARLY_KDUMP_INITRD=""
+ EARLY_KDUMP_KERNEL=""
+@@ -44,8 +43,8 @@ early_kdump_load()
+
+ EARLY_KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
+
+- if [ "$KDUMP_FILE_LOAD" == "on" ]; then
+- echo "Using kexec file based syscall."
++ if is_secure_boot_enforced; then
++ echo "Secure Boot is enabled. Using kexec file based syscall."
+ EARLY_KEXEC_ARGS="$EARLY_KEXEC_ARGS -s"
+ fi
+
+diff --git a/kdump-lib.sh b/kdump-lib.sh
+index b079f27..d89f55a 100755
+--- a/kdump-lib.sh
++++ b/kdump-lib.sh
+@@ -558,6 +558,35 @@ need_64bit_headers()
+ print (strtonum("0x" r[2]) > strtonum("0xffffffff")); }'`
+ }
+
++# Check if secure boot is being enforced.
++#
++# Per Peter Jones, we need check efivar SecureBoot-$(the UUID) and
++# SetupMode-$(the UUID), they are both 5 bytes binary data. The first four
++# bytes are the attributes associated with the variable and can safely be
++# ignored, the last bytes are one-byte true-or-false variables. If SecureBoot
++# is 1 and SetupMode is 0, then secure boot is being enforced.
++#
++# Assume efivars is mounted at /sys/firmware/efi/efivars.
++is_secure_boot_enforced()
++{
++ local secure_boot_file setup_mode_file
++ local secure_boot_byte setup_mode_byte
++
++ secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-* 2>/dev/null)
++ setup_mode_file=$(find /sys/firmware/efi/efivars -name SetupMode-* 2>/dev/null)
++
++ if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
++ secure_boot_byte=$(hexdump -v -e '/1 "%d\ "' $secure_boot_file|cut -d' ' -f 5)
++ setup_mode_byte=$(hexdump -v -e '/1 "%d\ "' $setup_mode_file|cut -d' ' -f 5)
++
++ if [ "$secure_boot_byte" = "1" ] && [ "$setup_mode_byte" = "0" ]; then
++ return 0
++ fi
++ fi
++
++ return 1
++}
++
+ #
+ # prepare_kexec_args
+ # This function prepares kexec argument.
+diff --git a/kdump.sysconfig.x86_64 b/kdump.sysconfig.x86_64
+index 8217204..b010488 100644
+--- a/kdump.sysconfig.x86_64
++++ b/kdump.sysconfig.x86_64
+@@ -39,8 +39,3 @@ KDUMP_IMG="vmlinuz"
+ #What is the images extension. Relocatable kernels don't have one
+ KDUMP_IMG_EXT=""
+
+-# Using kexec file based syscall by default
+-#
+-# Here, the "on" is the only valid value to enable the kexec file load and
+-# anything else is equal to the "off"(disable).
+-KDUMP_FILE_LOAD="off"
+diff --git a/kdumpctl b/kdumpctl
+index 00c0064..e791b0b 100755
+--- a/kdumpctl
++++ b/kdumpctl
+@@ -4,7 +4,6 @@ KEXEC=/sbin/kexec
+ KDUMP_KERNELVER=""
+ KDUMP_COMMANDLINE=""
+ KEXEC_ARGS=""
+-KDUMP_FILE_LOAD=""
+ KDUMP_CONFIG_FILE="/etc/kdump.conf"
+ MKDUMPRD="/sbin/mkdumprd -f"
+ DRACUT_MODULES_FILE="/usr/lib/dracut/modules.txt"
+@@ -680,8 +679,11 @@ load_kdump()
+ KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
+ KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}" "${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}")
+
+- if [ "$KDUMP_FILE_LOAD" == "on" ]; then
+- echo "Using kexec file based syscall."
++ # For secureboot enabled machines, use new kexec file based syscall.
++ # Old syscall will always fail as it does not have capability to
++ # to kernel signature verification.
++ if is_secure_boot_enforced; then
++ echo "Secure Boot is enabled. Using kexec file based syscall."
+ KEXEC_ARGS="$KEXEC_ARGS -s"
+ fi
+
+@@ -693,9 +695,6 @@ load_kdump()
+ return 0
+ else
+ echo "kexec: failed to load kdump kernel" >&2
+- if [ "$KDUMP_FILE_LOAD" == "on" ]; then
+- echo "kexec_file_load() failed, please try kexec_load()" >&2
+- fi
+ return 1
+ fi
+ }
+@@ -1156,7 +1155,7 @@ stop_fadump()
+
+ stop_kdump()
+ {
+- if [ "$KDUMP_FILE_LOAD" == "on" ]; then
++ if is_secure_boot_enforced; then
+ $KEXEC -s -p -u
+ else
+ $KEXEC -p -u
+diff --git a/kexec-tools.spec b/kexec-tools.spec
+index 55330d2..f681b3a 100644
+--- a/kexec-tools.spec
++++ b/kexec-tools.spec
+@@ -4,7 +4,7 @@
+
+ Name: kexec-tools
+ Version: 2.0.23
+-Release: 11
++Release: 13
+ License: GPLv2
+ Summary: The kexec/kdump userspace component
+ URL: https://www.kernel.org/
+@@ -312,6 +312,9 @@ done
+ %endif
+
+ %changelog
++* Fri Jul 5 2025 zhangjian - 2.0.23-13
++- kdump: use kexec_file_load() when secure boot is enabled
++
+ * Fri Dec 30 2022 chenhaixiang - 2.0.23-11
+ - fix shellcheck error in dracut module setup
+
+--
+2.33.0
+
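Review bot: In the new is_secure_boot_enforced() added to kdump-lib.sh the find patterns and the result paths are unquoted, so `-name SecureBoot-*` is expanded by the calling shell against the current directory before find sees it, and `$secure_boot_file` is word-split in the hexdump command; quote them as `-name 'SecureBoot-*'` / `-name 'SetupMode-*'` and `"$secure_boot_file"` / `"$setup_mode_file"`. A false negative from this lookup is worse than before because the commit removes both the KDUMP_FILE_LOAD override and the "please try kexec_load()" hint in load_kdump: on a Secure Boot machine where the efivars probe fails, kdumpctl falls back to kexec_load, which the new comment itself says will always fail, and no crash kernel ends up loaded; consider keeping an explicit override or at least logging which syscall path was selected in the failure branch. The same probe is re-run in stop_kdump, so the unload form depends on the efivars state at stop time rather than on how the kernel was actually loaded, which deserves a comment there. Minor: the new comment reads "capability to" / "to kernel signature verification" (presumably "capability to do kernel signature verification"), and the %changelog entry `* Fri Jul 5 2025` disagrees with the patch header's `Sat, 5 Jul 2025`, which rpmbuild reports as a bogus changelog date — use `* Sat Jul 05 2025`.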