4.6.3 Kdump service fails to start on systems with Secure Boot enabled

In Oracle Linux 8, the Kdump service fails to start on systems that have Secure Boot enabled. This issue has been observed on both bare metal systems and KVM guests. The following errors are reported by syslog:

Jun 24 03:12:18 vmx209-ps kdumpctl[930]: kexec_file_load failed: Required key not available
Jun 24 03:12:18 vmx209-ps kdumpctl[930]: kexec: failed to load kdump kernel
Jun 24 03:12:18 vmx209-ps kdumpctl[930]: Starting kdump: [FAILED]
Jun 24 03:12:18 vmx209-ps systemd[1]: kdump.service: Failed with result 'exit-code'.
Jun 24 03:12:18 vmx209-ps systemd[1]: Failed to start Crash recovery kernel arming.

If you want to use Kdump, the easiest workaround for this issue is to disable Secure Boot.

If you require Secure Boot and wish to continue to use Kdump, you can consider updating the UEFI key database for your system. The key database stores the certificates issued by a vendor, so that signed EFI binaries can be validated when the system is operating in secure mode. To perform this update you may require physical access to the system, because the key must be enrolled at the UEFI console. You can use the Machine Owner Key (MOK) facility to update the UEFI Secure Boot key database and import the keys manually. The certificates that are used to sign each kernel are contained in the shim source package; shim uses these certificates to verify the kernels that it loads.

Important

Using the MOK utility with your system may depend on server firmware implementation and configuration. Check that your server supports this before attempting to manually update signature keys used for UEFI Secure Boot. If you are unsure, do not follow the instructions provided here.

Adding certificates to the UEFI Secure Boot key database by using the MOK utility requires that you have physical access to the system so that you can complete the enrollment request at the UEFI console. If you do not have physical access to the system, do not follow the instructions that are provided here.

  1. The certificates used to sign each Oracle-built kernel are contained in the shim source package. You can download this package using the yumdownloader command available in the dnf-utils package:

    # dnf install -y dnf-utils
    # mkdir /tmp/shim
    # cd /tmp/shim
    # yumdownloader --source shim
  2. Extract the source package to access the Extended Validation certificate that is included as a secureboot.cer file. Use the rpm2cpio command to extract the package:

    # rpm2cpio ./shim*.rpm | cpio -idmv
  3. Use the mokutil command to request that the certificate that you extracted from the shim package be included in the MOK list:

    # mokutil --import ./secureboot.cer

    The command prompts you to enter and confirm a password for the MOK enrollment request. You can use any password for this purpose, but you should note the password that you use, as you are prompted for it again when the system reboots.

  4. Reboot the system.

  5. The pending MOK key enrollment request is detected, and you must complete the enrollment from the UEFI console. You are prompted for the password that you set when you imported the certificate. When you have entered the correct password, the certificate is added to the MOK list and is automatically propagated to the system key ring on this and all subsequent boots.
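
The following helper script is an added example, not part of this release note or of Oracle's tooling. It recognises the kexec_file_load key failure in syslog text and wraps the mokutil import from step 3 with pre-flight checks (Secure Boot state, certificate already enrolled, request already pending). The mokutil options --sb-state, --test-key and --list-new are assumed to be available in the installed mokutil; the log text is a constructed sample.

```shell
#!/bin/sh
# Added example (not Oracle's code): checks around the kdump/Secure Boot MOK workaround.

# Constructed sample of the syslog lines quoted in the release note.
SAMPLE_LOG='Jun 24 03:12:18 host kdumpctl[930]: kexec_file_load failed: Required key not available
Jun 24 03:12:18 host kdumpctl[930]: kexec: failed to load kdump kernel
Jun 24 03:12:18 host kdumpctl[930]: Starting kdump: [FAILED]'

# Return 0 if the log text shows the Secure Boot signing-key failure: the kernel
# rejected the kdump kernel image because its signing key is not in the system
# keyring. Other kdump failures (bad crashkernel size, missing initrd) do not match.
kdump_key_failure() {
    printf '%s\n' "$1" | grep -q 'kexec_file_load failed: Required key not available' &&
    printf '%s\n' "$1" | grep -q 'kexec: failed to load kdump kernel'
}

# Return 0 if the DER certificate at $1 is already in the MOK list.
mok_cert_enrolled() {
    mokutil --test-key "$1" 2>/dev/null | grep -q 'is already enrolled'
}

# Enroll the shim certificate only when it is actually needed: Secure Boot on,
# certificate not yet enrolled, and no enrollment request already pending.
enroll_shim_cert() {
    cert="$1"
    [ -r "$cert" ] || { echo "certificate $cert is not readable" >&2; return 1; }
    mokutil --sb-state 2>/dev/null | grep -q 'SecureBoot enabled' ||
        { echo "Secure Boot is not enabled; kdump needs no MOK change here" >&2; return 2; }
    if mok_cert_enrolled "$cert"; then
        echo "certificate already enrolled; check journalctl -u kdump for another cause" >&2
        return 0
    fi
    if mokutil --list-new 2>/dev/null | grep -q '^\[key'; then
        echo "an enrollment request is already pending; reboot to complete it" >&2
        return 3
    fi
    # Prompts for the one-time password that is asked for again at the UEFI console.
    mokutil --import "$cert"
}

# Usage after steps 1 and 2 above (requires root):
#   sh kdump-mok-check.sh enroll /tmp/shim/secureboot.cer
case "${1:-}" in
    enroll) enroll_shim_cert "${2:-/tmp/shim/secureboot.cer}" ;;
esac
```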

(Bug ID 29954639)