Rocky Linux 8.5 Secure Boot Error

Hi,

I have a fresh install of Rocky Linux 8.5 with UEFI and Secure Boot. My hypervisor is ESXi 7.0U2 and I have configured the VM profile as CentOS 8 (64-bit).

With Secure Boot deactivated, kdump is running. But if I activate Secure Boot, kdump fails.

systemctl status kdump
● kdump.service - Crash recovery kernel arming
   Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2021-12-01 17:49:43 CET; 28s ago
  Process: 1276 ExecStart=/usr/bin/kdumpctl start (code=exited, status=1/FAILURE)
 Main PID: 1276 (code=exited, status=1/FAILURE)

déc. 01 17:49:42 srv-proxy-era.codradmz.local systemd[1]: Starting Crash recovery kernel arming...
déc. 01 17:49:43 srv-proxy-era.codradmz.local kdumpctl[1276]: kdump: Secure Boot is enabled. Using kexec file based syscall.
déc. 01 17:49:43 srv-proxy-era.codradmz.local kdumpctl[1276]: kdump: kexec: failed to load kdump kernel
déc. 01 17:49:43 srv-proxy-era.codradmz.local kdumpctl[1276]: kdump: Starting kdump: [FAILED]
déc. 01 17:49:43 srv-proxy-era.codradmz.local systemd[1]: kdump.service: Main process exited, code=exited, status=1/FAILURE
déc. 01 17:49:43 srv-proxy-era.codradmz.local systemd[1]: kdump.service: Failed with result 'exit-code'.
déc. 01 17:49:43 srv-proxy-era.codradmz.local systemd[1]: Failed to start Crash recovery kernel arming.

kdump.log

+ 2021-12-01 15:24:52 /usr/bin/kdumpctl@708: /sbin/kexec -s -s -d -p '--command-line=BOOT_IMAGE=(hd0,gpt2)/vmlinuz-4.18.0-348.2.1.el8_5.x86_64 ro resume=/dev/mapper/rl-swap irqpoll nr_cpus=1 reset_devices cgroup_disable=memory mce=off numa=off udev.children-max=2 panic=10 rootflags=nofail acpi_no_memhotplug transparent_hugepage=never nokaslr novmcoredd hest_disable disable_cpu_apicid=0' --initrd=/boot/initramfs-4.18.0-348.2.1.el8_5.x86_64kdump.img /boot/vmlinuz-4.18.0-348.2.1.el8_5.x86_64
Try gzip decompression.
Try LZMA decompression.
lzma_decompress_file: read on /boot/vmlinuz-4.18.0-348.2.1.el8_5.x86_64 of 65536 bytes failed
kexec_file_load failed: Operation not permitted
+ 2021-12-01 15:24:52 /usr/bin/kdumpctl@712: ret=255
+ 2021-12-01 15:24:52 /usr/bin/kdumpctl@713: set +x

Thanks for your help

This is a known issue. https://bugs.rockylinux.org/show_bug.cgi?id=174

Oh, thanks.

I am testing some versions to replace CentOS on my production server. I can't choose a distribution with no UEFI or no Secure Boot. I hope this problem will be solved quickly, otherwise I would have to turn to AlmaLinux.

Thanks

From the bug report:

Looks like it is a shim bug: "mok: delete the existing RT variables only when only_first=TRUE" (rhboot/shim pull request #387 by lcp, on GitHub) and hopefully will be fixed when shim 15.5 is released.
Also someone else did test some versions of ESXi 7.0.2 and kdump was working fine with SB enabled, so not all ESXi versions are affected by this.

When shim 15.5 is released, it will be fixed. I don't have an ETA on that though (that's more of an upstream thing). According to Sherif, though, there are some versions of ESXi that are working just fine with kdump. @Sherif, are you able to give a bit more info here?

Secure Boot is working fine on Rocky Linux 8.5: you will be able to boot the machine with Secure Boot and verify that everything is signed with the correct certs. We are using shim 15.4 plus a few critical patches that haven't made it to the upstream distro yet; more info about our review and the patches we included based on the shim-review committee is here: "Shim 15.4 for Rocky Linux 8" (rhboot/shim-review issue #194, on GitHub).

However, there was a bug that seems to be solved with 15.5, which is still in RC and hasn't made it upstream either. We did some tests as far as we can, since we can't load certs into the ESXi UEFI firmware, and we have an internal ticket open with VMware; they recommended that we include the patch @nazunalika mentioned, which will be included in shim 15.5 once it is released by the upstream distro. The bug only affects kexec, which is needed to load kdump; it doesn't affect the Secure Boot verification and booting process. We still have no ETA regarding when 15.5 will be released by the upstream vendor.

Some members managed to get Rocky with Secure Boot running without kdump on ESXi 7.0.3, and some other members managed to get Secure Boot running with kdump on ESXi 7.0.2.

I can confirm Rocky 8.5 with Secure Boot and kdump working with ESXi 6.7.

shim 15.4-2.el8_5.2.rocky
kexec-tools 2.0.20.el8


Thank you so much for the update @joebeasley3

Thanks.

I have to update every ESXi and vCenter, but I need time for this. If I have some news, I will answer in this topic. For the moment, with ESXi 7.0.2 build 17867351, shim 15.4-2.el8_5.2.rocky and kexec-tools 2.0.20.el8, this is not good.

Many thanks

I just stumbled across this thread and can confirm the same issue with Rocky 8.5 on ESXi 7.0.1, 17168206.

Secure Boot appears to be working, but kdump is not working with Secure Boot, in Rocky 8.5 with ESXi 6.7U3 (18828794), kexec-tools-2.0.20-57.el8_5.1.x86_64 and shim-x64-15.4-2.el8_5.2.rocky.x86_64.

I have the same problem with the latest version of Rocky (see the image); any idea how to fix it? The machine is under VMware ESXi version 6.7 P05... I have also changed the line in /etc/default/grub from auto to 256M, but that doesn't solve it:
GRUB_CMDLINE_LINUX="crashkernel=256M resume=/dev/mapper/rl-swap rd.lvm.lv=rl/root rd.lvm.lv=rl/swap"

Are you saying that Rocky 8.5 works perfectly on VMware ESXi version 6.7 P05, and it's just the kdump service that doesn't work?

Yes, if you disable "secure boot" in the VMware settings, all works without any problem.
Kdump doesn't seem to work when the "secure boot" option is enabled in the VMware settings.

Any news about this issue with Secure Boot enabled in VMware ESXi?

Hi everybody,

All my servers are upgraded to 8.6 Green Obsidian and kdump is OK.

Thanks everybody

@Badou_Dream interesting. Are you using VMware ESX (vCenter)? Secure Boot enabled in VM options?
I'm using 8.6 too, and kdump there did not start (Secure Boot enabled in VM options).

Sorry, somebody has deactivated Secure Boot.

No solution for this problem?

@Opa114 and @Badou_Dream, as I understand it, there's a bug in the Secure Boot process that most vendors ignore, which means Secure Boot works for most people. VMware doesn't ignore it, and so Secure Boot is broken.

shim 15.5 fixes this. It was released in the upstream 8.6 edition, but is not yet in the Rocky one. That’s because MS needs to sign the shim to help secure the entire secure boot chain. Rocky put in a request to sign that shim in March.

They responded to a few questions and up until yesterday, all of the recent posts have been Rocky asking if there are any updates or any more information needed.

That request was closed yesterday without signing the shim because of new CVEs, and Rocky needs to open a new request.

So, there is a fix for this. The ability to implement it is out of the Rocky Linux team's hands. I wouldn't expect any solution soon, because of both the time this request languished and the need to stay bug-for-bug compatible with upstream, which already has a signed 15.5 shim.

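As an added triage helper (not code from the thread, from Rocky Linux or from the rhboot projects), the following POSIX shell script classifies the kdump log pattern quoted at the top of the thread and checks whether an rpm-style shim version predates the 15.5 release that the thread says carries the fix. The sample log text is constructed from the lines posted above; the exit codes and the function names are this example's own conventions.

```shell
#!/bin/sh
# Added triage helper: classify the kdump failure seen in this thread and check the
# installed shim version against 15.5. Sample input is constructed from the posted logs.

KDUMP_LOG_SAMPLE='kdump: Secure Boot is enabled. Using kexec file based syscall.
kdump: kexec: failed to load kdump kernel
kexec_file_load failed: Operation not permitted'

# classify_kdump_log: read kdump.log / journal text on stdin and print one token:
#   sb-kexec-denied  Secure Boot is on and kexec_file_load rejected the kernel
#   kexec-other      kexec failed for some other reason
#   ok               no kexec failure present
classify_kdump_log() {
    log=$(cat)
    case "$log" in
        *"Secure Boot is enabled"*"kexec_file_load failed: Operation not permitted"*)
            echo sb-kexec-denied ;;
        *"failed to load kdump kernel"*|*"kexec_file_load failed"*)
            echo kexec-other ;;
        *)
            echo ok ;;
    esac
}

# shim_has_fix VERSION: succeed when an rpm-style shim version
# (e.g. 15.4-2.el8_5.2.rocky) is 15.5 or newer.
shim_has_fix() {
    ver=${1%%-*}                 # drop the rpm release: 15.4-2.el8_5.2.rocky -> 15.4
    major=${ver%%.*}
    case "$ver" in
        *.*) minor=${ver#*.}; minor=${minor%%.*} ;;
        *)   minor=0 ;;
    esac
    [ "$major" -gt 15 ] || { [ "$major" -eq 15 ] && [ "$minor" -ge 5 ]; }
}

# triage SHIM_VERSION: read log text on stdin. Exit 2 for the known pattern
# (Secure Boot denial with a pre-15.5 shim), 1 for any other kexec failure, 0 if fine.
triage() {
    case "$(classify_kdump_log)" in
        sb-kexec-denied) shim_has_fix "$1" && return 1 || return 2 ;;
        kexec-other)     return 1 ;;
        *)               return 0 ;;
    esac
}

# Stand-alone demo with the shim version reported in the thread.
status=0
printf '%s\n' "$KDUMP_LOG_SAMPLE" | triage 15.4-2.el8_5.2.rocky || status=$?
echo "triage exit status for the thread's configuration: $status"
```

On a live host the same functions can be fed with `kdumpctl showmem`-style debugging output from /var/log/kdump.log and the version string from `rpm -q --qf '%{VERSION}-%{RELEASE}' shim-x64`.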