powerpc: drivers/char: Enable DLPAR operations with systems that have Guest Secure Boot and lockdown enabled
BUGZILLA
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2046472
UPSTREAM STATUS
Upstream Status: RHEL only
CONFLICTS
None
BUILD INFORMATION
Build Info: http://brewweb.engineering.redhat.com/brew/taskinfo?taskID=43052092
TESTING
With the use of a patched kernel, DLPAR operations succeed even when the kernel is under lockdown, as follows:
[root@ltcrain108-lp2 ~]# cat /proc/cmdline
BOOT_IMAGE=(ieee1275//vdevice/v-scsi@30000066/disk@8200000000000000,msdos2)/vmlinuz-5.14.0-39.reopen_rtas.el9.ppc64le lockdown=integrity root=/dev/mapper/rhel_ltcrain108--lp200-root ro crashkernel=2G-4G:384M,4G-16G:512M,16G-64G:1G,64G-128G:2G,128G-:4G rd.lvm.lv=rhel_ltcrain108-lp200/root rd.lvm.lv=rhel_ltcrain108-lp200/swap biosdevname=0
[root@ltcrain108-lp2 ~]# dmesg | grep -i "secure boot\|lockdown"
[ 0.000000] Kernel is locked down from command line; see man kernel_lockdown.7
[ 0.000000] Kernel command line: BOOT_IMAGE=(ieee1275//vdevice/v-scsi@30000066/disk@8200000000000000,msdos2)/vmlinuz-5.14.0-39.reopen_rtas.el9.ppc64le lockdown=integrity root=/dev/mapper/rhel_ltcrain108--lp200-root ro crashkernel=2G-4G:384M,4G-16G:512M,16G-64G:1G,64G-128G:2G,128G-:4G rd.lvm.lv=rhel_ltcrain108-lp200/root rd.lvm.lv=rhel_ltcrain108-lp200/swap biosdevname=0
[ 1.309550] Loaded X.509 cert 'Red Hat Secure Boot CA 4 (beta): 5291cb6dc598c655d2a5faeb0583dac377b08724'
[ 1.313768] Secure boot mode disabled
[ 1.325256] Secure boot mode disabled
[root@ltcrain108-lp2 ~]# lssrc -a
Subsystem Group PID Status
ctrmc rsct 1705 active
IBM.DRM rsct_rm 2704 active
IBM.ServiceRM rsct_rm 2886 active
IBM.MgmtDomainRM rsct_rm 2990 active
IBM.HostRM rsct_rm 3026 active
ctcas rsct inoperative
IBM.ERRM rsct_rm inoperative
IBM.AuditRM rsct_rm inoperative
IBM.SensorRM rsct_rm inoperative
IBM.ConfigRM rsct_rm inoperative
[root@ltcrain108-lp2 ~]# lscpu | grep CPU
CPU(s): 32
On-line CPU(s) list: 0-31
NUMA node2 CPU(s): 0-31
[root@ltcrain108-lp2 ~]# [ 75.597567] Lockdown: kexec: kexec of unsigned images is restricted; see man kernel_lockdown.7
[ 76.918570] Lockdown: kexec: kexec of unsigned images is restricted; see man kernel_lockdown.7
Added CPU:
lscpu | grep CPU
CPU(s): 40
On-line CPU(s) list: 0-39
NUMA node2 CPU(s): 0-39
[root@ltcrain108-lp2 ~]# [ 103.377214] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #20!!!
[ 103.377591] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #20!!!
[ 103.507061] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #20!!!
[ 103.746969] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #20!!!
[ 104.386957] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #20!!!
[ 104.576938] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #20!!!
[ 104.766936] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #20!!!
Removed CPU
lscpu | grep CPU
CPU(s): 32
On-line CPU(s) list: 0-31
NUMA node2 CPU(s): 0-31
[root@ltcrain108-lp2 ~]# lsmcode
Version of System Firmware is FW1020.00 (NL1020_010) (t) FW1020.00 (NL1020_010) (p) FW1020.00 (NL1020_010) (b)
Version of PFW is 16112021121081CF0681
[root@ltcrain108-lp2 ~]# uname -a
Linux ltcrain108-lp2.aus.stglabs.ibm.com 5.14.0-39.reopen_rtas.el9.ppc64le #1 SMP Thu Jan 20 23:28:02 EST 2022 ppc64le ppc64le ppc64le GNU/Linux
[root@ltcrain108-lp2 ~]#
DESCRIPTION
When Guest Secure Boot is enabled and lockdown is running in 'integrity or confidentiality' mode, any Dynamic LPAR operations can't be executed from the HMC. The following error will be observed:
HSCL2957 Either there is currently no RMC connection between the management console and the partition <LPAR name> or the partition does not support dynamic partitioning operations. Verify the network setup on the management console and the partition and ensure that any firewall authentication between the management console and the partition has occurred. Run the management console diagrmc command to identify problems that might be causing no RMC connection.
A new RTAS interface will be written in the future upstream. In the meantime, this proposed RHEL-only patch solves the above error by performing special handling of /dev/mem access, when the kernel is under lockdown through the RTAS interface.
Signed-off-by: Desnes A. Nunes do Rosario <drosario@redhat.com>
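
Added example, not part of this patch or of the author's test run: a way to confirm which lockdown mode a partition is actually in before attributing a DLPAR failure to the condition described above. It reads the standard /sys/kernel/security/lockdown file, falling back to the lockdown= boot parameter shown in the test log; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# Print the active mode from a /sys/kernel/security/lockdown style string,
# where the kernel brackets the current mode: "none [integrity] confidentiality".
active_lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Print the value of lockdown= from a kernel command line (empty if absent).
# Runs in a subshell with globbing off so tokens are split but never expanded.
cmdline_lockdown_mode() (
    set -f
    for tok in $1; do
        case "$tok" in
            lockdown=*) printf '%s\n' "${tok#lockdown=}"; break ;;
        esac
    done
)

# Succeed only for the two modes the description names.
lockdown_restricts() {
    case "$1" in
        integrity|confidentiality) return 0 ;;
        *) return 1 ;;
    esac
}

# Report for the running host. securityfs is preferred because it shows the
# current mode; /proc/cmdline only shows what was requested at boot.
check_host() {
    mode=""
    if [ -r /sys/kernel/security/lockdown ]; then
        mode=$(active_lockdown_mode "$(cat /sys/kernel/security/lockdown)")
    elif [ -r /proc/cmdline ]; then
        mode=$(cmdline_lockdown_mode "$(cat /proc/cmdline)")
    fi
    mode=${mode:-none}
    if lockdown_restricts "$mode"; then
        echo "lockdown=$mode: the lockdown condition in the description is met"
    else
        echo "lockdown=$mode: the lockdown condition in the description is not met"
    fi
}

check_host
```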