FORCE_INTEGRITY=y requires kexec_file_load support in petitboot #3418
Description
Petitboot v1.11
Linux v5.4.13
kexec-lite 5905b3bac86c964e2b7fd1f98582bbf37c22e663
[10:20:13] boot status: [0] Performing kexec load
[10:20:13] device_handler_status: Performing kexec load
[10:20:13] Running command:
exe: /usr/sbin/kexec
argv: '/usr/sbin/kexec' '-l' '--debug' '--initrd=/var/petitboot/mnt/dev/sda2/boot/initrd.img-4.15.0-54-generic' '--dtb=/tmp/tmp.civqjv' '--append=root=UUID=c5a560f9-8c01-4209-86ce-3abe4298b7cc ro' '/var/petitboot/mnt/dev/sda2/boot/vmlinux-4.15.0-54-generic'
[10:20:14] kexec_load: failed: (256)
[10:20:14] boot status: [1] free memory map:
0x01dd0000-0x30000000
0x3bd04000-0x80000000
kernel offset 0x10000 paddr 0x0 filesz 24526272 memsz 27687736
add_kexec_segment kernel buf 0x7fffb1d70010 bufsize 0x01763dc0, dest 0x1dd0000, memsize 0x01a70000
add_kexec_segment initrd buf 0x7fffaf5f0010 bufsize 0x0277f64d, dest 0x3840000, memsize 0x02780000
add_kexec_segment device tree buf 0x7fffb34e0010 bufsize 0x0004e71b, dest 0x7ffb0000, memsize 0x00050000
add_kexec_segment trampoline buf 0x19270680 bufsize 0x00000210, dest 0x7ffa0000, memsize 0x00010000
kexec syscall failed: Operation not permitted
[10:20:14] device_handler_status: free memory map:
0x01dd0000-0x30000000
0x3bd04000-0x80000000
kernel offset 0x10000 paddr 0x0 filesz 24526272 memsz 27687736
add_kexec_segment kernel buf 0x7fffb1d70010 bufsize 0x01763dc0, dest 0x1dd0000, memsize 0x01a70000
add_kexec_segment initrd buf 0x7fffaf5f0010 bufsize 0x0277f64d, dest 0x3840000, memsize 0x02780000
add_kexec_segment device tree buf 0x7fffb34e0010 bufsize 0x0004e71b, dest 0x7ffb0000, memsize 0x00050000
add_kexec_segment trampoline buf 0x19270680 bufsize 0x00000210, dest 0x7ffa0000, memsize 0x00010000
kexec syscall failed: Operation not permitted
[10:20:14] boot_process: kexec_load returned 256
[10:20:14] Failed to load all boot resources
The kernel has CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y which means we must use kexec_file_load instead. This is supported by using -s in place of -l. Doing this manually we can load and boot a kernel:
# kexec -s --debug --initrd=/var/petitboot/mnt/dev/sda2/boot/initrd.img-4.15.0-5
4-generic --dtb=/tmp/tmp.civqjv --append="root=UUID=c5a560f9-8c01-4209-86ce-3abe
4298b7cc ro" /var/petitboot/mnt/dev/sda2/boot/vmlinux-4.15.0-54-generic
kernel_fd=3 initrd_fd=4 cmdline_len=50 flags=0
cmdline="root=UUID=c5a560f9-8c01-4209-86ce-3abe4298b7cc ro"