From 031cf1f84f76cb93b799c493b61cb8173c29270c Mon Sep 17 00:00:00 2001
From: zhangjian
Date: Sat, 5 Jul 2025 07:20:57 +0800
Subject: [PATCH] force secure boot and use kexec file based syscall

Signed-off-by: zhangjian
---
 dracut-early-kdump.sh | 5 ++---
 kdump-lib.sh | 29 +++++++++++++++++++++++++++++
 kdump.sysconfig.x86_64 | 5 -----
 kdumpctl | 13 ++++++-------
 kexec-tools.spec | 5 ++++-
 5 files changed, 41 insertions(+), 16 deletions(-)

diff --git a/dracut-early-kdump.sh b/dracut-early-kdump.sh
index 6788a6b..5f8efcd 100755
--- a/dracut-early-kdump.sh
+++ b/dracut-early-kdump.sh
@@ -2,7 +2,6 @@
 KEXEC=/sbin/kexec
 standard_kexec_args="-p"
-KDUMP_FILE_LOAD=""
 EARLY_KDUMP_INITRD=""
 EARLY_KDUMP_KERNEL=""
@@ -44,8 +43,8 @@ early_kdump_load()
 EARLY_KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
-if [ "$KDUMP_FILE_LOAD" == "on" ]; then
-echo "Using kexec file based syscall."
+if is_secure_boot_enforced; then
+echo "Secure Boot is enabled. Using kexec file based syscall."
 EARLY_KEXEC_ARGS="$EARLY_KEXEC_ARGS -s"
 fi
diff --git a/kdump-lib.sh b/kdump-lib.sh
index b079f27..d89f55a 100755
--- a/kdump-lib.sh
+++ b/kdump-lib.sh
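Review bot: In the early_kdump_load hunk the choice of `-s` now rests on `is_secure_boot_enforced` working inside the initramfs, and that function (added to kdump-lib.sh in this same patch) returns 1 on every failure path — efivarfs not yet mounted at /sys/firmware/efi/efivars, or `find`/`hexdump`/`cut` absent from the image — so a Secure Boot system whose early-kdump environment lacks any of these silently falls back to kexec_load, which a locked-down kernel refuses. It is worth confirming that the dracut module's setup script installs those tools (for example with `inst_multiple find hexdump cut`) and that efivarfs is mounted before early_kdump_load runs, or else emitting a diagnostic when the state cannot be determined, e.g. `[ -d /sys/firmware/efi ] && [ ! -d /sys/firmware/efi/efivars ] && echo "early-kdump: efivarfs not mounted, Secure Boot state unknown" >&2` just before the `if`. Since the patch also drops the `KDUMP_FILE_LOAD` setting, there is no longer a configuration knob to force `-s` when detection is unavailable. early_kdump_load starts and ends outside the hunk.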
@@ -558,6 +558,35 @@ need_64bit_headers()
 print (strtonum("0x" r[2]) > strtonum("0xffffffff")); }'`
 }
+# Check if secure boot is being enforced.
+#
+# Per Peter Jones, we need check efivar SecureBoot-$(the UUID) and
+# SetupMode-$(the UUID), they are both 5 bytes binary data. The first four
+# bytes are the attributes associated with the variable and can safely be
+# ignored, the last bytes are one-byte true-or-false variables. If SecureBoot
+# is 1 and SetupMode is 0, then secure boot is being enforced.
+#
+# Assume efivars is mounted at /sys/firmware/efi/efivars.
+is_secure_boot_enforced()
+{
+local secure_boot_file setup_mode_file
+local secure_boot_byte setup_mode_byte
+
+secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-* 2>/dev/null)
+setup_mode_file=$(find /sys/firmware/efi/efivars -name SetupMode-* 2>/dev/null)
+
+if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
+secure_boot_byte=$(hexdump -v -e '/1 "%d\ "' $secure_boot_file|cut -d' ' -f 5)
+setup_mode_byte=$(hexdump -v -e '/1 "%d\ "' $setup_mode_file|cut -d' ' -f 5)
+
+if [ "$secure_boot_byte" = "1" ] && [ "$setup_mode_byte" = "0" ]; then
+return 0
+fi
+fi
+
+return 1
+}
+
 #
 # prepare_kexec_args
 # This function prepares kexec argument.
diff --git a/kdump.sysconfig.x86_64 b/kdump.sysconfig.x86_64
index 8217204..b010488 100644
--- a/kdump.sysconfig.x86_64
+++ b/kdump.sysconfig.x86_64
@@ -39,8 +39,3 @@ KDUMP_IMG="vmlinuz"
 #What is the images extension. Relocatable kernels don't have one
 KDUMP_IMG_EXT=""
-# Using kexec file based syscall by default
-#
-# Here, the "on" is the only valid value to enable the kexec file load and
-# anything else is equal to the "off"(disable).
-KDUMP_FILE_LOAD="off"
diff --git a/kdumpctl b/kdumpctl
index 00c0064..e791b0b 100755
--- a/kdumpctl
+++ b/kdumpctl
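Review bot: The two `find` calls in `is_secure_boot_enforced` leave `SecureBoot-*` and `SetupMode-*` unquoted, so a matching name in the caller's working directory is glob-expanded by the shell before `find` sees the pattern (and `find` then errors on the extra operand), and the `$secure_boot_file`/`$setup_mode_file` expansions handed to `hexdump` are unquoted as well. Quote them: `secure_boot_file=$(find /sys/firmware/efi/efivars -name 'SecureBoot-*' 2>/dev/null)` and `secure_boot_byte=$(hexdump -v -e '/1 "%d\ "' "$secure_boot_file" | cut -d' ' -f 5)`, and the same for the SetupMode pair. Note also that every failure path — efivarfs not mounted, `hexdump` missing, more than one match joined by newlines so `-f` fails — returns 1, i.e. "not enforced", so a detection problem quietly selects kexec_load; a sentence in the header comment saying `# Returns 1 (not enforced) whenever the state cannot be read` would at least make that contract explicit to callers. On kernels that build the lockdown LSM, kexec_load is also refused when `/sys/kernel/security/lockdown` reports `[integrity]` or `[confidentiality]` regardless of the firmware variables, so checking that file as a second signal is worth considering now that the `KDUMP_FILE_LOAD` override is gone.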
@@ -4,7 +4,6 @@ KEXEC=/sbin/kexec
 KDUMP_KERNELVER=""
 KDUMP_COMMANDLINE=""
 KEXEC_ARGS=""
-KDUMP_FILE_LOAD=""
 KDUMP_CONFIG_FILE="/etc/kdump.conf"
 MKDUMPRD="/sbin/mkdumprd -f"
 DRACUT_MODULES_FILE="/usr/lib/dracut/modules.txt"
@@ -680,8 +679,11 @@ load_kdump()
 KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
 KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}" "${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}")
-if [ "$KDUMP_FILE_LOAD" == "on" ]; then
-echo "Using kexec file based syscall."
+# For secureboot enabled machines, use new kexec file based syscall.
+# Old syscall will always fail as it does not have capability to
+# to kernel signature verification.
+if is_secure_boot_enforced; then
+echo "Secure Boot is enabled. Using kexec file based syscall."
 KEXEC_ARGS="$KEXEC_ARGS -s"
 fi
@@ -693,9 +695,6 @@ load_kdump()
 return 0
 else
 echo "kexec: failed to load kdump kernel" >&2
-if [ "$KDUMP_FILE_LOAD" == "on" ]; then
-echo "kexec_file_load() failed, please try kexec_load()" >&2
-fi
 return 1
 fi
 }
@@ -1156,7 +1155,7 @@ stop_fadump()
 stop_kdump()
 {
-if [ "$KDUMP_FILE_LOAD" == "on" ]; then
+if is_secure_boot_enforced; then
 $KEXEC -s -p -u
 else
 $KEXEC -p -u
diff --git a/kexec-tools.spec b/kexec-tools.spec
index 55330d2..d386e77 100644
--- a/kexec-tools.spec
+++ b/kexec-tools.spec
@@ -4,7 +4,7 @@
 Name: kexec-tools
 Version: 2.0.23
-Release: 11
+Release: 13
 License: GPLv2
 Summary: The kexec/kdump userspace component
 URL: https://www.kernel.org/
@@ -312,6 +312,9 @@ done
 %endif
 %changelog
+* Fri Jul 4 2025 zhangjian - 2.0.23-13
+- kdump: use kexec_file_load() when secure boot is enabled
+
 * Fri Dec 30 2022 chenhaixiang - 2.0.23-11
 - fix shellcheck error in dracut module setup
-- 
Gitee
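Review bot: The comment added above the `is_secure_boot_enforced` check in load_kdump reads "does not have capability to to kernel signature verification"; the duplicated "to" drops the verb, so it should be `# Old syscall will always fail as it does not have capability to` / `# do kernel signature verification.`. The same comment is the natural place to record why stop_kdump in the -1156 hunk repeats the check before `-u`: the unload must go through whichever syscall the kernel permits, so the two call sites have to stay in agreement, and a one-line `# Must match the syscall selection in load_kdump` above the `if` in stop_kdump would make that coupling visible. After this patch a failed detection (efivarfs unmounted, `hexdump` missing) makes both load and unload quietly use kexec_load, and the removed "please try kexec_load()" hint leaves the failure branch of the -693 hunk with no record of which syscall was attempted; printing the arguments there, e.g. `echo "kexec: failed to load kdump kernel (args: $KEXEC_ARGS)" >&2`, would help when triaging a dump that never loaded. load_kdump and stop_kdump both extend beyond their hunks.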