Bugzilla – Bug 1168196
kexec-tools should use -s to load the kernel
Last modified: 2020-04-01 10:01:02 UTC
kexec_load leads to: ima: impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.
talking about the kexec call from /usr/sbin/kexec-bootloader
Summing up my comments from the discussion: stable enables CONFIG_KEXEC_SIG=y and IMA rejects the loading of a crash kernel via the old kexec_load syscall (which is the default invoked via kexec-tools/kexec upstream). As a workaround, pass the -s parameter to kexec, which loads the crash kernel via the newer kexec_load_file instead of the legacy kexec_load syscall. That will effectively bypass IMA as long as the lockdown LSM doesn't enforce any policy (this is the default in stable, via CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y). kexec-bootloader probably needs to be updated to pass the -s option to kexec (or alternatively pass the -a option that tries with kexec_load_file first and falls back to kexec_load in case the former is not supported), so that the systemd service doesn't fail to load the unit.
the same bug applies to /lib/kdump/load.sh
in the continued IRC discussion it was brought up that "-a" might be an even better option, as it does a fallthrough of both syscalls.
related: https://bugzilla.opensuse.org/show_bug.cgi?id=1076839