1 # SPDX-License-Identifier: GPL-2.0-only 1 # SPDX-License-Identifier: GPL-2.0-only
2 2
3 menu "Kexec and crash features" 3 menu "Kexec and crash features"
4 4
5 config CRASH_RESERVE 5 config CRASH_RESERVE
6 bool 6 bool
7 7
8 config VMCORE_INFO 8 config VMCORE_INFO
9 bool 9 bool
10 10
11 config KEXEC_CORE 11 config KEXEC_CORE
12 bool 12 bool
13 13
14 config KEXEC_ELF 14 config KEXEC_ELF
15 bool 15 bool
16 16
17 config HAVE_IMA_KEXEC 17 config HAVE_IMA_KEXEC
18 bool 18 bool
19 19
20 config KEXEC 20 config KEXEC
21 bool "Enable kexec system call" 21 bool "Enable kexec system call"
22 depends on ARCH_SUPPORTS_KEXEC 22 depends on ARCH_SUPPORTS_KEXEC
23 select KEXEC_CORE 23 select KEXEC_CORE
24 help 24 help
25 kexec is a system call that implemen 25 kexec is a system call that implements the ability to shutdown your
26 current kernel, and to start another 26 current kernel, and to start another kernel. It is like a reboot
27 but it is independent of the system 27 but it is independent of the system firmware. And like a reboot
28 you can start any kernel with it, no 28 you can start any kernel with it, not just Linux.
29 29
30 The name comes from the similarity t 30 The name comes from the similarity to the exec system call.
31 31
32 It is an ongoing process to be certa 32 It is an ongoing process to be certain the hardware in a machine
33 is properly shutdown, so do not be s 33 is properly shutdown, so do not be surprised if this code does not
34 initially work for you. As of this w 34 initially work for you. As of this writing the exact hardware
35 interface is strongly in flux, so no 35 interface is strongly in flux, so no good recommendation can be
36 made. 36 made.
37 37
38 config KEXEC_FILE 38 config KEXEC_FILE
39 bool "Enable kexec file based system c 39 bool "Enable kexec file based system call"
40 depends on ARCH_SUPPORTS_KEXEC_FILE 40 depends on ARCH_SUPPORTS_KEXEC_FILE
41 select CRYPTO 41 select CRYPTO
42 select CRYPTO_SHA256 42 select CRYPTO_SHA256
43 select KEXEC_CORE 43 select KEXEC_CORE
44 help 44 help
45 This is new version of kexec system 45 This is new version of kexec system call. This system call is
46 file based and takes file descriptor 46 file based and takes file descriptors as system call argument
47 for kernel and initramfs as opposed 47 for kernel and initramfs as opposed to list of segments as
48 accepted by kexec system call. 48 accepted by kexec system call.
49 49
50 config KEXEC_SIG 50 config KEXEC_SIG
51 bool "Verify kernel signature during k 51 bool "Verify kernel signature during kexec_file_load() syscall"
52 depends on ARCH_SUPPORTS_KEXEC_SIG 52 depends on ARCH_SUPPORTS_KEXEC_SIG
53 depends on KEXEC_FILE 53 depends on KEXEC_FILE
54 help 54 help
55 This option makes the kexec_file_loa 55 This option makes the kexec_file_load() syscall check for a valid
56 signature of the kernel image. The i 56 signature of the kernel image. The image can still be loaded without
57 a valid signature unless you also en 57 a valid signature unless you also enable KEXEC_SIG_FORCE, though if
58 there's a signature that we can chec 58 there's a signature that we can check, then it must be valid.
59 59
60 In addition to this option, you need 60 In addition to this option, you need to enable signature
61 verification for the corresponding k 61 verification for the corresponding kernel image type being
62 loaded in order for this to work. 62 loaded in order for this to work.
63 63
64 config KEXEC_SIG_FORCE 64 config KEXEC_SIG_FORCE
65 bool "Require a valid signature in kex 65 bool "Require a valid signature in kexec_file_load() syscall"
66 depends on ARCH_SUPPORTS_KEXEC_SIG_FOR 66 depends on ARCH_SUPPORTS_KEXEC_SIG_FORCE
67 depends on KEXEC_SIG 67 depends on KEXEC_SIG
68 help 68 help
69 This option makes kernel signature v 69 This option makes kernel signature verification mandatory for
70 the kexec_file_load() syscall. 70 the kexec_file_load() syscall.
71 71
72 config KEXEC_IMAGE_VERIFY_SIG 72 config KEXEC_IMAGE_VERIFY_SIG
73 bool "Enable Image signature verificat 73 bool "Enable Image signature verification support (ARM)"
74 default ARCH_DEFAULT_KEXEC_IMAGE_VERIF 74 default ARCH_DEFAULT_KEXEC_IMAGE_VERIFY_SIG
75 depends on ARCH_SUPPORTS_KEXEC_IMAGE_V 75 depends on ARCH_SUPPORTS_KEXEC_IMAGE_VERIFY_SIG
76 depends on KEXEC_SIG 76 depends on KEXEC_SIG
77 depends on EFI && SIGNED_PE_FILE_VERIF 77 depends on EFI && SIGNED_PE_FILE_VERIFICATION
78 help 78 help
79 Enable Image signature verification 79 Enable Image signature verification support.
80 80
81 config KEXEC_BZIMAGE_VERIFY_SIG 81 config KEXEC_BZIMAGE_VERIFY_SIG
82 bool "Enable bzImage signature verific 82 bool "Enable bzImage signature verification support"
83 depends on ARCH_SUPPORTS_KEXEC_BZIMAGE 83 depends on ARCH_SUPPORTS_KEXEC_BZIMAGE_VERIFY_SIG
84 depends on KEXEC_SIG 84 depends on KEXEC_SIG
85 depends on SIGNED_PE_FILE_VERIFICATION 85 depends on SIGNED_PE_FILE_VERIFICATION
86 select SYSTEM_TRUSTED_KEYRING 86 select SYSTEM_TRUSTED_KEYRING
87 help 87 help
88 Enable bzImage signature verificatio 88 Enable bzImage signature verification support.
89 89
90 config KEXEC_JUMP 90 config KEXEC_JUMP
91 bool "kexec jump" 91 bool "kexec jump"
92 depends on ARCH_SUPPORTS_KEXEC_JUMP 92 depends on ARCH_SUPPORTS_KEXEC_JUMP
93 depends on KEXEC && HIBERNATION 93 depends on KEXEC && HIBERNATION
94 help 94 help
95 Jump between original kernel and kex 95 Jump between original kernel and kexeced kernel and invoke
96 code in physical address mode via KE 96 code in physical address mode via KEXEC
97 97
98 config CRASH_DUMP 98 config CRASH_DUMP
99 bool "kernel crash dumps" 99 bool "kernel crash dumps"
100 default y 100 default y
101 depends on ARCH_SUPPORTS_CRASH_DUMP 101 depends on ARCH_SUPPORTS_CRASH_DUMP
102 depends on KEXEC_CORE 102 depends on KEXEC_CORE
103 select VMCORE_INFO 103 select VMCORE_INFO
104 select CRASH_RESERVE 104 select CRASH_RESERVE
105 help 105 help
106 Generate crash dump after being star 106 Generate crash dump after being started by kexec.
107 This should be normally only set in 107 This should be normally only set in special crash dump kernels
108 which are loaded in the main kernel 108 which are loaded in the main kernel with kexec-tools into
109 a specially reserved region and then 109 a specially reserved region and then later executed after
110 a crash by kdump/kexec. The crash du 110 a crash by kdump/kexec. The crash dump kernel must be compiled
111 to a memory address not used by the 111 to a memory address not used by the main kernel or BIOS using
112 PHYSICAL_START, or it must be built 112 PHYSICAL_START, or it must be built as a relocatable image
113 (CONFIG_RELOCATABLE=y). 113 (CONFIG_RELOCATABLE=y).
114 For more details see Documentation/a 114 For more details see Documentation/admin-guide/kdump/kdump.rst
115 115
116 For s390, this option also enables z 116 For s390, this option also enables zfcpdump.
117 See also <file:Documentation/arch/s3 117 See also <file:Documentation/arch/s390/zfcpdump.rst>
118 118
119 config CRASH_HOTPLUG 119 config CRASH_HOTPLUG
120 bool "Update the crash elfcorehdr on s 120 bool "Update the crash elfcorehdr on system configuration changes"
121 default y 121 default y
122 depends on CRASH_DUMP && (HOTPLUG_CPU 122 depends on CRASH_DUMP && (HOTPLUG_CPU || MEMORY_HOTPLUG)
123 depends on ARCH_SUPPORTS_CRASH_HOTPLUG 123 depends on ARCH_SUPPORTS_CRASH_HOTPLUG
124 help 124 help
125 Enable direct update to the crash el 125 Enable direct update to the crash elfcorehdr (which contains
126 the list of CPUs and memory regions 126 the list of CPUs and memory regions to be dumped upon a crash)
127 in response to hot plug/unplug or on 127 in response to hot plug/unplug or online/offline of CPUs or
128 memory. This is a much more advanced 128 memory. This is a much more advanced approach than userspace
129 attempting that. 129 attempting that.
130 130
131 If unsure, say Y. 131 If unsure, say Y.
132 132
133 config CRASH_MAX_MEMORY_RANGES 133 config CRASH_MAX_MEMORY_RANGES
134 int "Specify the maximum number of mem 134 int "Specify the maximum number of memory regions for the elfcorehdr"
135 default 8192 135 default 8192
136 depends on CRASH_HOTPLUG 136 depends on CRASH_HOTPLUG
137 help 137 help
138 For the kexec_file_load() syscall pa 138 For the kexec_file_load() syscall path, specify the maximum number of
139 memory regions that the elfcorehdr b 139 memory regions that the elfcorehdr buffer/segment can accommodate.
140 These regions are obtained via walk_ 140 These regions are obtained via walk_system_ram_res(); eg. the
141 'System RAM' entries in /proc/iomem. 141 'System RAM' entries in /proc/iomem.
142 This value is combined with NR_CPUS_ 142 This value is combined with NR_CPUS_DEFAULT and multiplied by
143 sizeof(Elf64_Phdr) to determine the 143 sizeof(Elf64_Phdr) to determine the final elfcorehdr memory buffer/
144 segment size. 144 segment size.
145 The value 8192, for example, covers 145 The value 8192, for example, covers a (sparsely populated) 1TiB system
146 consisting of 128MiB memblocks, whil 146 consisting of 128MiB memblocks, while resulting in an elfcorehdr
147 memory buffer/segment size under 1Mi 147 memory buffer/segment size under 1MiB. This represents a sane choice
148 to accommodate both baremetal and vi 148 to accommodate both baremetal and virtual machine configurations.
149 149
150 For the kexec_load() syscall path, C 150 For the kexec_load() syscall path, CRASH_MAX_MEMORY_RANGES is part of
151 the computation behind the value pro 151 the computation behind the value provided through the
152 /sys/kernel/crash_elfcorehdr_size at 152 /sys/kernel/crash_elfcorehdr_size attribute.
153 153
154 endmenu 154 endmenu
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.