FORCE_INTEGRITY=y requires kexec_file_load support in petitboot #3418

Open
shenki opened this issue Jan 23, 2020 · 3 comments

shenki commented Jan 23, 2020

Petitboot v1.11
Linux v5.4.13
kexec-lite 5905b3bac86c964e2b7fd1f98582bbf37c22e663

[10:20:13] boot status: [0] Performing kexec load
[10:20:13] device_handler_status: Performing kexec load
[10:20:13] Running command:
 exe:  /usr/sbin/kexec
 argv: '/usr/sbin/kexec' '-l' '--debug' '--initrd=/var/petitboot/mnt/dev/sda2/boot/initrd.img-4.15.0-54-generic' '--dtb=/tmp/tmp.civqjv' '--append=root=UUID=c5a560f9-8c01-4209-86ce-3abe4298b7cc ro' '/var/petitboot/mnt/dev/sda2/boot/vmlinux-4.15.0-54-generic'
[10:20:14] kexec_load: failed: (256)
[10:20:14] boot status: [1] free memory map:
0x01dd0000-0x30000000
0x3bd04000-0x80000000
kernel offset 0x10000 paddr 0x0 filesz 24526272 memsz 27687736
add_kexec_segment kernel      buf 0x7fffb1d70010 bufsize 0x01763dc0, dest 0x1dd0000, memsize 0x01a70000
add_kexec_segment initrd      buf 0x7fffaf5f0010 bufsize 0x0277f64d, dest 0x3840000, memsize 0x02780000
add_kexec_segment device tree buf 0x7fffb34e0010 bufsize 0x0004e71b, dest 0x7ffb0000, memsize 0x00050000
add_kexec_segment trampoline  buf 0x19270680 bufsize 0x00000210, dest 0x7ffa0000, memsize 0x00010000
kexec syscall failed: Operation not permitted

[10:20:14] device_handler_status: free memory map:
0x01dd0000-0x30000000
0x3bd04000-0x80000000
kernel offset 0x10000 paddr 0x0 filesz 24526272 memsz 27687736
add_kexec_segment kernel      buf 0x7fffb1d70010 bufsize 0x01763dc0, dest 0x1dd0000, memsize 0x01a70000
add_kexec_segment initrd      buf 0x7fffaf5f0010 bufsize 0x0277f64d, dest 0x3840000, memsize 0x02780000
add_kexec_segment device tree buf 0x7fffb34e0010 bufsize 0x0004e71b, dest 0x7ffb0000, memsize 0x00050000
add_kexec_segment trampoline  buf 0x19270680 bufsize 0x00000210, dest 0x7ffa0000, memsize 0x00010000
kexec syscall failed: Operation not permitted

[10:20:14] boot_process: kexec_load returned 256
[10:20:14] Failed to load all boot resources

The kernel has CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y which means we must use kexec_file_load instead. This is supported by using -s in place of -l. Doing this manually we can load and boot a kernel:

# kexec -s --debug --initrd=/var/petitboot/mnt/dev/sda2/boot/initrd.img-4.15.0-54-generic --dtb=/tmp/tmp.civqjv --append="root=UUID=c5a560f9-8c01-4209-86ce-3abe4298b7cc ro" /var/petitboot/mnt/dev/sda2/boot/vmlinux-4.15.0-54-generic
kernel_fd=3 initrd_fd=4 cmdline_len=50 flags=0
cmdline="root=UUID=c5a560f9-8c01-4209-86ce-3abe4298b7cc ro"
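A pre-flight check for the situation above, added here as an example rather than petitboot or kexec-lite code: it reads the lockdown state the kernel exports at /sys/kernel/security/lockdown (assumed to be in the lockdown LSM's "none [integrity] confidentiality" form), picks `-s` (kexec_file_load) or `-l` (kexec_load) accordingly, and recognises the "Operation not permitted" signature from the log so a failed boot can be attributed to lockdown rather than a generic exit code.

```shell
#!/bin/sh
# Added example, not petitboot/kexec-lite code. Decides whether a boot must
# use kexec_file_load (kexec -s) or may use kexec_load (kexec -l) from the
# lockdown mode the kernel reports. The sysfs path is a parameter so the
# check can also run against a constructed file.

# Print the active lockdown mode: the bracketed word in
# "none [integrity] confidentiality", or "none" when the file is absent
# (a kernel built without the lockdown LSM).
lockdown_mode() {
    path="${1:-/sys/kernel/security/lockdown}"
    if [ ! -r "$path" ]; then
        echo none
        return 0
    fi
    mode=$(sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$path")
    echo "${mode:-none}"
}

# integrity and confidentiality both refuse kexec_load of unsigned images
# (the EPERM seen above), so only kexec_file_load is usable there. Note
# that -s needs CONFIG_KEXEC_FILE=y in the running kernel, otherwise the
# syscall itself fails with ENOSYS.
kexec_load_flag() {
    case "$(lockdown_mode "$1")" in
        integrity|confidentiality) echo "-s" ;;
        *) echo "-l" ;;
    esac
}

# True when a petitboot log carries the lockdown failure signature.
is_lockdown_kexec_failure() {
    grep -q 'kexec syscall failed: Operation not permitted' "$1"
}

# Assemble the kexec invocation with the chosen flag. With -s the kernel
# can verify the image (IMA or KEXEC_SIG, depending on its config), so an
# unsigned vmlinux may still be rejected at load time; that is expected.
build_kexec_cmd() {
    flag=$(kexec_load_flag "$1"); kernel=$2; initrd=$3; dtb=$4; append=$5
    printf "/usr/sbin/kexec %s --initrd=%s --dtb=%s --append='%s' %s\n" \
        "$flag" "$initrd" "$dtb" "$append" "$kernel"
}
```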
shenki commented Jan 23, 2020

This work depends on

shenki commented Jan 23, 2020

#3408 will be updated to include the KEXEC_FILE option, however this must be done after petitboot and kexec-lite are updated.

I have a kexec-lite change to fix the install path (antonblanchard/kexec-lite#14). If that doesn't get merged in time we can fix this in op-build's petitboot configuration.

The petitboot patch will be released in an upcoming v1.12 release.

shenki commented Jan 24, 2020

The kexec-lite change has been merged, and the version used by op-build bumped.

I amended the kernel config PR to not set FORCE_INTEGRITY, and to set KEXEC_FILE. This means we can merge and test the rest of the changes, and some time after the petitboot release is merged we can turn on FORCE_INTEGRITY.
