
powerpc: drivers/char: Enable DLPAR operations with systems that have Guest Secure Boot and lockdown enabled

Desnes Nunes requested to merge desnesn/centos-stream-9:rh2046472 into main

BUGZILLA

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2046472

UPSTREAM STATUS

Upstream Status: RHEL only

CONFLICTS

None

BUILD INFORMATION

Build Info: http://brewweb.engineering.redhat.com/brew/taskinfo?taskID=43052092

TESTING

With the use of a patched kernel, DLPAR operations succeed even when the kernel is under lockdown, as follows:

[root@ltcrain108-lp2 ~]# cat /proc/cmdline
BOOT_IMAGE=(ieee1275//vdevice/v-scsi@30000066/disk@8200000000000000,msdos2)/vmlinuz-5.14.0-39.reopen_rtas.el9.ppc64le lockdown=integrity root=/dev/mapper/rhel_ltcrain108--lp200-root ro crashkernel=2G-4G:384M,4G-16G:512M,16G-64G:1G,64G-128G:2G,128G-:4G rd.lvm.lv=rhel_ltcrain108-lp200/root rd.lvm.lv=rhel_ltcrain108-lp200/swap biosdevname=0

[root@ltcrain108-lp2 ~]# dmesg | grep -i "secure boot\|lockdown"
[    0.000000] Kernel is locked down from command line; see man kernel_lockdown.7
[    0.000000] Kernel command line: BOOT_IMAGE=(ieee1275//vdevice/v-scsi@30000066/disk@8200000000000000,msdos2)/vmlinuz-5.14.0-39.reopen_rtas.el9.ppc64le lockdown=integrity root=/dev/mapper/rhel_ltcrain108--lp200-root ro crashkernel=2G-4G:384M,4G-16G:512M,16G-64G:1G,64G-128G:2G,128G-:4G rd.lvm.lv=rhel_ltcrain108-lp200/root rd.lvm.lv=rhel_ltcrain108-lp200/swap biosdevname=0
[    1.309550] Loaded X.509 cert 'Red Hat Secure Boot CA 4 (beta): 5291cb6dc598c655d2a5faeb0583dac377b08724'
[    1.313768] Secure boot mode disabled
[    1.325256] Secure boot mode disabled

[root@ltcrain108-lp2 ~]# lssrc -a
Subsystem         Group            PID     Status
 ctrmc            rsct             1705    active
 IBM.DRM          rsct_rm          2704    active
 IBM.ServiceRM    rsct_rm          2886    active
 IBM.MgmtDomainRM rsct_rm          2990    active
 IBM.HostRM       rsct_rm          3026    active
 ctcas            rsct                     inoperative
 IBM.ERRM         rsct_rm                  inoperative
 IBM.AuditRM      rsct_rm                  inoperative
 IBM.SensorRM     rsct_rm                  inoperative
 IBM.ConfigRM     rsct_rm                  inoperative

[root@ltcrain108-lp2 ~]# lscpu | grep CPU
CPU(s):                          32
On-line CPU(s) list:             0-31
NUMA node2 CPU(s):               0-31
[root@ltcrain108-lp2 ~]# [   75.597567] Lockdown: kexec: kexec of unsigned images is restricted; see man kernel_lockdown.7
[   76.918570] Lockdown: kexec: kexec of unsigned images is restricted; see man kernel_lockdown.7

Added CPU:

lscpu | grep CPU
CPU(s):                          40
On-line CPU(s) list:             0-39
NUMA node2 CPU(s):               0-39

[root@ltcrain108-lp2 ~]# [  103.377214] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #20!!!
[  103.377591] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #20!!!
[  103.507061] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #20!!!
[  103.746969] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #20!!!
[  104.386957] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #20!!!
[  104.576938] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #20!!!
[  104.766936] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #20!!!

Removed CPU:

lscpu | grep CPU
CPU(s):                          32
On-line CPU(s) list:             0-31
NUMA node2 CPU(s):               0-31

[root@ltcrain108-lp2 ~]# lsmcode
Version of System Firmware is FW1020.00 (NL1020_010) (t) FW1020.00 (NL1020_010) (p) FW1020.00 (NL1020_010) (b)
Version of PFW is 16112021121081CF0681

[root@ltcrain108-lp2 ~]# uname -a
Linux ltcrain108-lp2.aus.stglabs.ibm.com 5.14.0-39.reopen_rtas.el9.ppc64le #1 SMP Thu Jan 20 23:28:02 EST 2022 ppc64le ppc64le ppc64le GNU/Linux
[root@ltcrain108-lp2 ~]#

DESCRIPTION

When Guest Secure Boot is enabled and lockdown is running in 'integrity or confidentiality' mode, any Dynamic LPAR operations can't be executed from the HMC. The following error will be observed:

HSCL2957 Either there is currently no RMC connection between the management console and the partition <LPAR name> or the partition does not support dynamic partitioning operations. Verify the network setup on the management console and the partition and ensure that any firewall authentication between the management console and the partition has occurred. Run the management console diagrmc command to identify problems that might be causing no RMC connection.

A new RTAS interface will be written in the future upstream. In the meantime, this proposed RHEL-only patch solves the above error by performing special handling of /dev/mem access, when the kernel is under lockdown through the RTAS interface.

Signed-off-by: Desnes A. Nunes do Rosario <drosario@redhat.com>
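The lockdown preconditions visible in the TESTING log above (the `lockdown=` parameter, the "locked down from" line and the "Secure boot mode" line) can be checked with a small script. This is an added example, not part of the merge request or its patch; the function names are hypothetical, and the `/sys/kernel/security/lockdown` sample is constructed in that file's bracketed-active-mode format.

```shell
#!/bin/sh
# Added example (not from the merge request): report the lockdown state a
# DLPAR test ran under. Functions take text arguments so they run offline.

# Strictest lockdown= value on a kernel command line; the kernel only ever
# raises the lockdown level, so repeated parameters cannot lower it.
cmdline_lockdown() (
    set -f    # no glob expansion while word-splitting the command line
    mode=none
    for arg in $1; do
        case "$arg" in
            lockdown=confidentiality) mode=confidentiality ;;
            lockdown=integrity) if [ "$mode" = none ]; then mode=integrity; fi ;;
        esac
    done
    printf '%s\n' "$mode"
)

# Active mode from securityfs text such as "none [integrity] confidentiality".
active_lockdown() { printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'; }

# What dmesg says triggered lockdown ("command line" in the log above).
lockdown_source() {
    printf '%s\n' "$1" | sed -n 's/.*Kernel is locked down from \(.*\); see man.*/\1/p' | head -n 1
}

# Last "Secure boot mode <state>" line in dmesg.
secure_boot_state() {
    printf '%s\n' "$1" | sed -n 's/.*Secure boot mode \([a-z]*\).*/\1/p' | tail -n 1
}

# $1 = /proc/cmdline, $2 = securityfs lockdown file, $3 = dmesg output
dlpar_test_precheck() {
    mode=$(active_lockdown "$2")
    [ -n "$mode" ] || mode=$(cmdline_lockdown "$1")
    case "$mode" in
        integrity|confidentiality) verdict=locked ;;
        *) verdict=unlocked ;;
    esac
    src=$(lockdown_source "$3"); sb=$(secure_boot_state "$3")
    printf '%s mode=%s source=%s secure_boot=%s\n' "$verdict" "$mode" "${src:-unknown}" "${sb:-unknown}"
}

# Constructed sample input, shortened from the log lines on this page.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz lockdown=integrity root=/dev/mapper/root ro'
SAMPLE_SECURITYFS='none [integrity] confidentiality'
SAMPLE_DMESG='[    0.000000] Kernel is locked down from command line; see man kernel_lockdown.7
[    1.313768] Secure boot mode disabled'
dlpar_test_precheck "$SAMPLE_CMDLINE" "$SAMPLE_SECURITYFS" "$SAMPLE_DMESG"
```

On a live system, pass `"$(cat /proc/cmdline)"`, `"$(cat /sys/kernel/security/lockdown)"` and `"$(dmesg)"` as the three arguments.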
