Re: [PATCH v4 2/7] crash_dump: make dm crypt keys persist for the kdump kernel

From: Coiby Xu
Date: Fri Jun 07 2024 - 08:30:25 EST


On Thu, Jun 06, 2024 at 11:11:30AM +0800, Baoquan He wrote:
On 05/23/24 at 01:04pm, Coiby Xu wrote:
A sysfs /sys/kernel/crash_dm_crypt_keys is provided for user space to make
the dm crypt keys persist for the kdump kernel. User space can send the
following commands,
- "init KEY_NUM"
Initialize needed structures
- "record KEY_DESC"
Record a key description. The key must be a logon key.

This patch highly lack document to describe what it's doing. For
example, how you will manipulate the /sys/kernel/crash_dm_crypt_keys to
initialize, record the keys, can you give examples how you opeate on
them?

Thanks for the suggestion! v5 now includes
Documentation/ABI/testing/crash_dm_crypt_keys.



User space can also read this API to learn about current state.

Signed-off-by: Coiby Xu <coxu@xxxxxxxxxx>
---
include/linux/crash_core.h | 5 +-
kernel/Kconfig.kexec | 8 +++
kernel/Makefile | 1 +
kernel/crash_dump_dm_crypt.c | 113 +++++++++++++++++++++++++++++++++++
kernel/ksysfs.c | 22 +++++++
5 files changed, 148 insertions(+), 1 deletion(-)
create mode 100644 kernel/crash_dump_dm_crypt.c

diff --git a/include/linux/crash_core.h b/include/linux/crash_core.h
index 44305336314e..6bff1c24efa3 100644
--- a/include/linux/crash_core.h
+++ b/include/linux/crash_core.h
@@ -34,7 +34,10 @@ static inline void arch_kexec_protect_crashkres(void) { }
static inline void arch_kexec_unprotect_crashkres(void) { }
#endif

-
+#ifdef CONFIG_CRASH_DM_CRYPT
+int crash_sysfs_dm_crypt_keys_read(char *buf);
+int crash_sysfs_dm_crypt_keys_write(const char *buf, size_t count);
+#endif

#ifndef arch_crash_handle_hotplug_event
static inline void arch_crash_handle_hotplug_event(struct kimage *image, void *arg) { }
diff --git a/kernel/Kconfig.kexec b/kernel/Kconfig.kexec
index 6c34e63c88ff..88525ad1c80a 100644
--- a/kernel/Kconfig.kexec
+++ b/kernel/Kconfig.kexec
@@ -116,6 +116,14 @@ config CRASH_DUMP
For s390, this option also enables zfcpdump.
See also <file:Documentation/arch/s390/zfcpdump.rst>

+config CRASH_DM_CRYPT
+ bool "Support saving crash dump to dm-crypt encrypted volume"
+ depends on CRASH_DUMP

Do we need add dependency on some security features, e.g KEYS?
The current code will enable the CRASH_DM_CRYPT regardless of the
existence of LUKS disk at all.

Good suggestion! I make CRASH_DM_CRYPT depend on DM_CRYPT in v5.

[...]
+static int init(const char *buf)
+{
+ unsigned int total_keys;
+ char dummy[5];
+
+ if (sscanf(buf, "%4s %u", dummy, &total_keys) != 2)
+ return -EINVAL;

This is what I wondered and tried to find a document to get why. Can we
search in the current system and deduce how many keys we can could use
for kdump kernel? Or we have to retrieve and pass it from user space?

I don't think we can get this info from the kernel space directly
because the kernel don't know the kdump target. So we have to pass this
info from user space.


+
+ if (key_count > KEY_NUM_MAX) {
+ pr_err("Exceed the maximum number of keys (KEY_NUM_MAX=%u)\n",
+ KEY_NUM_MAX);
+ return -EINVAL;
+ }

Why chekcing key_count in init()? Don't you need to check
total_keys instead? Clearly you don't do a boundary test for total_keys,
otherwise it will trigger issue.

Good catch! Yes, I should check total_keys instead.


+
+ keys_header_size = get_keys_header_size(keys_header, total_keys);
+ key_count = 0;
+
+ keys_header = kzalloc(keys_header_size, GFP_KERNEL);
+ if (!keys_header)
+ return -ENOMEM;
+
+ keys_header->key_count = total_keys;
+ state = INITIALIZED;
+ return 0;
+}

Please add more code comments, kernel-doc for your code, we can't assume
people reading these codes know the entire matter.

Thanks for the suggestion! I've added some comments and documentation in
v5. Please let me know if there is anything more to improve.

--
Best regards,
Coiby