FORCE_INTEGRITY=y requires kexec_file_load support in petitboot
- Petitboot v1.11
- Linux v5.4.13
- kexec-lite 5905b3bac86c964e2b7fd1f98582bbf37c22e663
[10:20:13] boot status: [0] Performing kexec load
[10:20:13] device_handler_status: Performing kexec load
[10:20:13] Running command:
exe: /usr/sbin/kexec
argv: '/usr/sbin/kexec' '-l' '--debug' '--initrd=/var/petitboot/mnt/dev/sda2/boot/initrd.img-4.15.0-54-generic' '--dtb=/tmp/tmp.civqjv' '--append=root=UUID=c5a560f9-8c01-4209-86ce-3abe4298b7cc ro' '/var/petitboot/mnt/dev/sda2/boot/vmlinux-4.15.0-54-generic'
[10:20:14] kexec_load: failed: (256)
[10:20:14] boot status: [1] free memory map:
0x01dd0000-0x30000000
0x3bd04000-0x80000000
kernel offset 0x10000 paddr 0x0 filesz 24526272 memsz 27687736
add_kexec_segment kernel buf 0x7fffb1d70010 bufsize 0x01763dc0, dest 0x1dd0000, memsize 0x01a70000
add_kexec_segment initrd buf 0x7fffaf5f0010 bufsize 0x0277f64d, dest 0x3840000, memsize 0x02780000
add_kexec_segment device tree buf 0x7fffb34e0010 bufsize 0x0004e71b, dest 0x7ffb0000, memsize 0x00050000
add_kexec_segment trampoline buf 0x19270680 bufsize 0x00000210, dest 0x7ffa0000, memsize 0x00010000
kexec syscall failed: Operation not permitted
[10:20:14] device_handler_status: free memory map:
0x01dd0000-0x30000000
0x3bd04000-0x80000000
kernel offset 0x10000 paddr 0x0 filesz 24526272 memsz 27687736
add_kexec_segment kernel buf 0x7fffb1d70010 bufsize 0x01763dc0, dest 0x1dd0000, memsize 0x01a70000
add_kexec_segment initrd buf 0x7fffaf5f0010 bufsize 0x0277f64d, dest 0x3840000, memsize 0x02780000
add_kexec_segment device tree buf 0x7fffb34e0010 bufsize 0x0004e71b, dest 0x7ffb0000, memsize 0x00050000
add_kexec_segment trampoline buf 0x19270680 bufsize 0x00000210, dest 0x7ffa0000, memsize 0x00010000
kexec syscall failed: Operation not permitted
[10:20:14] boot_process: kexec_load returned 256
[10:20:14] Failed to load all boot resources
The kernel has CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y which means we must use kexec_file_load instead. This is supported by using -s in place of -l. Doing this manually we can load and boot a kernel:
# kexec -s --debug --initrd=/var/petitboot/mnt/dev/sda2/boot/initrd.img-4.15.0-54-generic --dtb=/tmp/tmp.civqjv --append="root=UUID=c5a560f9-8c01-4209-86ce-3abe4298b7cc ro" /var/petitboot/mnt/dev/sda2/boot/vmlinux-4.15.0-54-generic
kernel_fd=3 initrd_fd=4 cmdline_len=50 flags=0
cmdline="root=UUID=c5a560f9-8c01-4209-86ce-3abe4298b7cc ro"
This work depends on:
- Enable CONFIG_KEXEC_FILE and CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY
- Bump kexec-lite to latest, for kexec_file_load support
- Add support to petitboot for the -s option (https://patchwork.ozlabs.org/patch/1185931/)
https://github.com/open-power/op-build/pull/3408 will be updated to include the KEXEC_FILE option, however this must be done after petitboot and kexec-lite are updated.
I have a kexec-lite change to fix the install path (https://github.com/antonblanchard/kexec-lite/pull/14). If that doesn't get merged in time we can fix this in op-build's petitboot configuration.
The petitboot patch will be released in an upcoming v1.12 release.
The kexec-lite change has been merged, and the version used by op-build bumped.
I amended the kernel config PR to not set FORCE_INTEGRITY, and to set KEXEC_FILE. This means we can merge and test the rest of the changes, and some time after the petitboot release is merged we can turn on FORCE_INTEGRITY.
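The ordering constraint discussed in this issue, as an added example that is not part of the original thread and is not petitboot or kexec-lite code: given kernel config text and whether the loader understands `-s`, it reports which load path works or which dependency is still missing, and computes the `cmdline_len` that kexec_file_load(2) expects. The function names, the enum and the `loader_has_s` parameter are hypothetical, and keeping `-l` when integrity is not forced is an assumption.

```c
#include <stdio.h>
#include <string.h>

enum plan { USE_KEXEC_LOAD, USE_KEXEC_FILE_LOAD, NEED_KEXEC_FILE, NEED_LOADER_S };

/* True only for an exact "<name>=y" line, so "# <name> is not set"
 * and longer option names sharing the prefix do not match. */
static int config_enabled(const char *cfg, const char *name)
{
    size_t n = strlen(name);
    for (const char *p = cfg; p && *p; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len == n + 2 && !strncmp(p, name, n) && !strncmp(p + n, "=y", 2))
            return 1;
        p = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Decide which load path works for this kernel config (hypothetical helper). */
enum plan plan_kexec(const char *cfg, int loader_has_s)
{
    int forced = config_enabled(cfg, "CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY");
    int file   = config_enabled(cfg, "CONFIG_KEXEC_FILE");

    if (!forced)
        return USE_KEXEC_LOAD;      /* assumption: -l is still permitted, keep it */
    if (!file)
        return NEED_KEXEC_FILE;     /* kexec_load is refused and no file-based path exists */
    return loader_has_s ? USE_KEXEC_FILE_LOAD : NEED_LOADER_S;
}

/* kexec_file_load(2) takes the command-line buffer size, trailing NUL included. */
size_t kexec_file_cmdline_len(const char *cmdline)
{
    return strlen(cmdline) + 1;
}

int main(void)
{
    /* Constructed config text: the state that produced the failure in the log above. */
    const char *cfg = "CONFIG_KEXEC_FILE=y\nCONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y\n";
    printf("loader without -s: plan=%d\n", plan_kexec(cfg, 0));
    printf("loader with -s:    plan=%d\n", plan_kexec(cfg, 1));
    printf("cmdline_len=%zu\n",
           kexec_file_cmdline_len("root=UUID=c5a560f9-8c01-4209-86ce-3abe4298b7cc ro"));
    return 0;
}
```

For the command line in the manual `kexec -s` run above, the length helper returns 50, matching the `cmdline_len=50` in the debug output.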