1994-05-26 06:35:07 +00:00
|
|
|
/*-
|
2017-11-20 19:49:47 +00:00
|
|
|
* SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
|
*
|
2002-03-31 22:26:56 +00:00
|
|
|
* Copyright (c) 2002 Poul-Henning Kamp
|
|
|
|
|
* Copyright (c) 2002 Networks Associates Technology, Inc.
|
|
|
|
|
* All rights reserved.
|
|
|
|
|
*
|
|
|
|
|
* This software was developed for the FreeBSD Project by Poul-Henning Kamp
|
|
|
|
|
* and NAI Labs, the Security Research Division of Network Associates, Inc.
|
|
|
|
|
* under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
|
|
|
|
|
* DARPA CHATS research program.
|
1994-05-26 06:35:07 +00:00
|
|
|
*
|
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
|
* are met:
|
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
2002-03-31 22:26:56 +00:00
|
|
|
* 3. The names of the authors may not be used to endorse or promote
|
|
|
|
|
* products derived from this software without specific prior written
|
|
|
|
|
* permission.
|
1994-05-26 06:35:07 +00:00
|
|
|
*
|
2002-03-31 22:26:56 +00:00
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
1994-05-26 06:35:07 +00:00
|
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
2002-03-31 22:26:56 +00:00
|
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
1994-05-26 06:35:07 +00:00
|
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
|
* SUCH DAMAGE.
|
2002-05-05 01:04:00 +00:00
|
|
|
*
|
|
|
|
|
* Copyright (c) 1986, 1992, 1993
|
|
|
|
|
* The Regents of the University of California. All rights reserved.
|
|
|
|
|
*
|
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
|
* are met:
|
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
2017-02-28 23:42:47 +00:00
|
|
|
* 3. Neither the name of the University nor the names of its contributors
|
2002-05-05 01:04:00 +00:00
|
|
|
* may be used to endorse or promote products derived from this software
|
|
|
|
|
* without specific prior written permission.
|
|
|
|
|
*
|
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
|
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
|
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
|
* SUCH DAMAGE.
|
1994-05-26 06:35:07 +00:00
|
|
|
*/
|
|
|
|
|
|
2002-04-21 07:18:16 +00:00
|
|
|
#include <sys/cdefs.h>
|
|
|
|
|
__FBSDID("$FreeBSD$");
|
|
|
|
|
|
2002-05-05 01:04:00 +00:00
|
|
|
#include <sys/param.h>
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
#include <sys/disk.h>
|
|
|
|
|
#include <sys/kerneldump.h>
|
2002-05-04 10:36:35 +00:00
|
|
|
#include <sys/mount.h>
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
#include <sys/stat.h>
|
2019-01-02 17:09:35 +00:00
|
|
|
|
|
|
|
|
#include <capsicum_helpers.h>
|
2017-04-14 19:41:48 +00:00
|
|
|
#include <ctype.h>
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
#include <errno.h>
|
2002-03-31 22:26:56 +00:00
|
|
|
#include <fcntl.h>
|
|
|
|
|
#include <fstab.h>
|
2002-05-04 10:36:35 +00:00
|
|
|
#include <paths.h>
|
2012-04-09 20:55:23 +00:00
|
|
|
#include <signal.h>
|
2002-05-05 01:04:00 +00:00
|
|
|
#include <stdarg.h>
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
#include <stdbool.h>
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <string.h>
|
2002-05-05 01:04:00 +00:00
|
|
|
#include <syslog.h>
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
#include <time.h>
|
2002-03-31 22:26:56 +00:00
|
|
|
#include <unistd.h>
|
2019-01-02 17:09:35 +00:00
|
|
|
|
|
|
|
|
#include <libcasper.h>
|
|
|
|
|
#include <casper/cap_fileargs.h>
|
|
|
|
|
#include <casper/cap_syslog.h>
|
|
|
|
|
|
2015-03-22 17:29:14 +00:00
|
|
|
#include <libxo/xo.h>
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
|
2002-06-02 19:20:37 +00:00
|
|
|
/* The size of the buffer used for I/O. */
|
|
|
|
|
#define BUFFERSIZE (1024*1024)
|
|
|
|
|
|
2005-02-26 01:19:21 +00:00
|
|
|
#define STATUS_BAD 0
|
|
|
|
|
#define STATUS_GOOD 1
|
|
|
|
|
#define STATUS_UNKNOWN 2
|
2005-02-24 02:45:10 +00:00
|
|
|
|
2019-01-02 17:09:35 +00:00
|
|
|
static cap_channel_t *capsyslog;
|
|
|
|
|
static fileargs_t *capfa;
|
2004-08-16 07:02:14 +00:00
|
|
|
static int checkfor, compress, clear, force, keep, verbose; /* flags */
|
|
|
|
|
static int nfound, nsaved, nerr; /* statistics */
|
2012-12-16 23:06:12 +00:00
|
|
|
static int maxdumps;
|
2002-05-05 01:04:00 +00:00
|
|
|
|
2019-01-02 17:09:35 +00:00
|
|
|
extern FILE *zdopen(int, const char *);
|
2002-03-31 22:26:56 +00:00
|
|
|
|
2009-08-25 06:21:45 +00:00
|
|
|
static sig_atomic_t got_siginfo;
|
|
|
|
|
static void infohandler(int);
|
|
|
|
|
|
2019-01-02 17:09:35 +00:00
|
|
|
static void
|
|
|
|
|
logmsg(int pri, const char *fmt, ...)
|
|
|
|
|
{
|
|
|
|
|
va_list ap;
|
|
|
|
|
|
|
|
|
|
va_start(ap, fmt);
|
|
|
|
|
if (capsyslog != NULL)
|
|
|
|
|
cap_vsyslog(capsyslog, pri, fmt, ap);
|
|
|
|
|
else
|
|
|
|
|
vsyslog(pri, fmt, ap);
|
|
|
|
|
va_end(ap);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static FILE *
|
|
|
|
|
xfopenat(int dirfd, const char *path, int flags, const char *modestr, ...)
|
|
|
|
|
{
|
|
|
|
|
va_list ap;
|
|
|
|
|
FILE *fp;
|
|
|
|
|
mode_t mode;
|
|
|
|
|
int error, fd;
|
|
|
|
|
|
|
|
|
|
if ((flags & O_CREAT) == O_CREAT) {
|
|
|
|
|
va_start(ap, modestr);
|
|
|
|
|
mode = (mode_t)va_arg(ap, int);
|
|
|
|
|
va_end(ap);
|
|
|
|
|
} else
|
|
|
|
|
mode = 0;
|
|
|
|
|
|
|
|
|
|
fd = openat(dirfd, path, flags, mode);
|
|
|
|
|
if (fd < 0)
|
|
|
|
|
return (NULL);
|
|
|
|
|
fp = fdopen(fd, modestr);
|
|
|
|
|
if (fp == NULL) {
|
|
|
|
|
error = errno;
|
|
|
|
|
(void)close(fd);
|
|
|
|
|
errno = error;
|
|
|
|
|
}
|
|
|
|
|
return (fp);
|
|
|
|
|
}
|
|
|
|
|
|
2002-03-31 22:26:56 +00:00
|
|
|
static void
|
2017-07-24 21:51:41 +00:00
|
|
|
printheader(xo_handle_t *xo, const struct kerneldumpheader *h,
|
|
|
|
|
const char *device, int bounds, const int status)
|
2002-03-31 22:26:56 +00:00
|
|
|
{
|
2002-04-03 07:24:12 +00:00
|
|
|
uint64_t dumplen;
|
2002-03-31 22:26:56 +00:00
|
|
|
time_t t;
|
2020-01-13 22:01:37 +00:00
|
|
|
struct tm tm;
|
|
|
|
|
char time_str[64];
|
2005-02-24 02:45:10 +00:00
|
|
|
const char *stat_str;
|
2018-02-13 19:28:02 +00:00
|
|
|
const char *comp_str;
|
2002-03-31 22:26:56 +00:00
|
|
|
|
2015-03-22 17:29:14 +00:00
|
|
|
xo_flush_h(xo);
|
2017-07-24 21:51:41 +00:00
|
|
|
xo_emit_h(xo, "{Lwc:Dump header from device}{:dump_device/%s}\n",
|
|
|
|
|
device);
|
|
|
|
|
xo_emit_h(xo, "{P: }{Lwc:Architecture}{:architecture/%s}\n",
|
|
|
|
|
h->architecture);
|
|
|
|
|
xo_emit_h(xo,
|
|
|
|
|
"{P: }{Lwc:Architecture Version}{:architecture_version/%u}\n",
|
|
|
|
|
dtoh32(h->architectureversion));
|
2002-04-03 07:24:12 +00:00
|
|
|
dumplen = dtoh64(h->dumplength);
|
2017-07-24 21:51:41 +00:00
|
|
|
xo_emit_h(xo, "{P: }{Lwc:Dump Length}{:dump_length_bytes/%lld}\n",
|
|
|
|
|
(long long)dumplen);
|
|
|
|
|
xo_emit_h(xo, "{P: }{Lwc:Blocksize}{:blocksize/%d}\n",
|
|
|
|
|
dtoh32(h->blocksize));
|
2018-02-13 19:28:02 +00:00
|
|
|
switch (h->compression) {
|
|
|
|
|
case KERNELDUMP_COMP_NONE:
|
|
|
|
|
comp_str = "none";
|
|
|
|
|
break;
|
|
|
|
|
case KERNELDUMP_COMP_GZIP:
|
|
|
|
|
comp_str = "gzip";
|
|
|
|
|
break;
|
|
|
|
|
case KERNELDUMP_COMP_ZSTD:
|
|
|
|
|
comp_str = "zstd";
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
comp_str = "???";
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
xo_emit_h(xo, "{P: }{Lwc:Compression}{:compression/%s}\n", comp_str);
|
2002-04-03 07:24:12 +00:00
|
|
|
t = dtoh64(h->dumptime);
|
2020-01-13 22:01:37 +00:00
|
|
|
localtime_r(&t, &tm);
|
|
|
|
|
if (strftime(time_str, sizeof(time_str), "%F %T %z", &tm) == 0)
|
|
|
|
|
time_str[0] = '\0';
|
|
|
|
|
xo_emit_h(xo, "{P: }{Lwc:Dumptime}{:dumptime/%s}\n", time_str);
|
2015-03-22 17:29:14 +00:00
|
|
|
xo_emit_h(xo, "{P: }{Lwc:Hostname}{:hostname/%s}\n", h->hostname);
|
|
|
|
|
xo_emit_h(xo, "{P: }{Lwc:Magic}{:magic/%s}\n", h->magic);
|
2017-07-24 21:51:41 +00:00
|
|
|
xo_emit_h(xo, "{P: }{Lwc:Version String}{:version_string/%s}",
|
|
|
|
|
h->versionstring);
|
|
|
|
|
xo_emit_h(xo, "{P: }{Lwc:Panic String}{:panic_string/%s}\n",
|
|
|
|
|
h->panicstring);
|
2015-03-22 17:29:14 +00:00
|
|
|
xo_emit_h(xo, "{P: }{Lwc:Dump Parity}{:dump_parity/%u}\n", h->parity);
|
|
|
|
|
xo_emit_h(xo, "{P: }{Lwc:Bounds}{:bounds/%d}\n", bounds);
|
2005-02-24 02:45:10 +00:00
|
|
|
|
2017-07-24 21:51:41 +00:00
|
|
|
switch (status) {
|
2005-02-24 02:45:10 +00:00
|
|
|
case STATUS_BAD:
|
2005-02-26 01:19:21 +00:00
|
|
|
stat_str = "bad";
|
|
|
|
|
break;
|
2005-02-24 02:45:10 +00:00
|
|
|
case STATUS_GOOD:
|
2005-02-26 01:19:21 +00:00
|
|
|
stat_str = "good";
|
|
|
|
|
break;
|
2005-02-24 02:45:10 +00:00
|
|
|
default:
|
2005-02-26 01:19:21 +00:00
|
|
|
stat_str = "unknown";
|
2017-07-24 21:51:41 +00:00
|
|
|
break;
|
2005-02-24 02:45:10 +00:00
|
|
|
}
|
2015-03-22 17:29:14 +00:00
|
|
|
xo_emit_h(xo, "{P: }{Lwc:Dump Status}{:dump_status/%s}\n", stat_str);
|
|
|
|
|
xo_flush_h(xo);
|
2002-03-31 22:26:56 +00:00
|
|
|
}
|
2002-04-03 07:24:12 +00:00
|
|
|
|
2002-05-05 01:04:00 +00:00
|
|
|
static int
|
2019-01-02 17:09:35 +00:00
|
|
|
getbounds(int savedirfd)
|
2017-07-24 21:51:41 +00:00
|
|
|
{
|
2002-05-05 01:04:00 +00:00
|
|
|
FILE *fp;
|
|
|
|
|
char buf[6];
|
|
|
|
|
int ret;
|
|
|
|
|
|
2018-02-16 06:51:39 +00:00
|
|
|
/*
|
|
|
|
|
* If we are just checking, then we haven't done a chdir to the dump
|
|
|
|
|
* directory and we should not try to read a bounds file.
|
|
|
|
|
*/
|
|
|
|
|
if (checkfor)
|
|
|
|
|
return (0);
|
|
|
|
|
|
2002-05-05 01:04:00 +00:00
|
|
|
ret = 0;
|
|
|
|
|
|
2019-01-02 17:09:35 +00:00
|
|
|
if ((fp = xfopenat(savedirfd, "bounds", O_RDONLY, "r")) == NULL) {
|
2005-09-13 19:15:28 +00:00
|
|
|
if (verbose)
|
|
|
|
|
printf("unable to open bounds file, using 0\n");
|
2005-06-20 20:01:29 +00:00
|
|
|
return (ret);
|
2002-05-05 01:04:00 +00:00
|
|
|
}
|
2019-01-02 17:09:35 +00:00
|
|
|
if (fgets(buf, sizeof(buf), fp) == NULL) {
|
2014-09-17 19:09:58 +00:00
|
|
|
if (feof(fp))
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_WARNING, "bounds file is empty, using 0");
|
2014-09-17 19:09:58 +00:00
|
|
|
else
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_WARNING, "bounds file: %s", strerror(errno));
|
2002-05-05 01:04:00 +00:00
|
|
|
fclose(fp);
|
2005-06-20 20:01:29 +00:00
|
|
|
return (ret);
|
2002-05-05 01:04:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
errno = 0;
|
|
|
|
|
ret = (int)strtol(buf, NULL, 10);
|
|
|
|
|
if (ret == 0 && (errno == EINVAL || errno == ERANGE))
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_WARNING, "invalid value found in bounds, using 0");
|
2014-09-17 19:09:58 +00:00
|
|
|
fclose(fp);
|
2005-06-20 20:01:29 +00:00
|
|
|
return (ret);
|
|
|
|
|
}
|
2002-05-05 01:04:00 +00:00
|
|
|
|
2005-06-20 20:01:29 +00:00
|
|
|
static void
|
2019-01-02 17:09:35 +00:00
|
|
|
writebounds(int savedirfd, int bounds)
|
2017-07-24 21:51:41 +00:00
|
|
|
{
|
2005-06-20 20:01:29 +00:00
|
|
|
FILE *fp;
|
2002-05-05 01:04:00 +00:00
|
|
|
|
2019-01-02 17:09:35 +00:00
|
|
|
if ((fp = xfopenat(savedirfd, "bounds", O_WRONLY | O_CREAT | O_TRUNC,
|
2019-01-02 17:34:25 +00:00
|
|
|
"w", 0644)) == NULL) {
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_WARNING, "unable to write to bounds file: %m");
|
2005-06-20 20:01:29 +00:00
|
|
|
return;
|
2002-05-05 01:04:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (verbose)
|
2005-06-20 20:01:29 +00:00
|
|
|
printf("bounds number: %d\n", bounds);
|
2002-05-05 01:04:00 +00:00
|
|
|
|
2005-06-20 20:01:29 +00:00
|
|
|
fprintf(fp, "%d\n", bounds);
|
2002-05-05 01:04:00 +00:00
|
|
|
fclose(fp);
|
|
|
|
|
}
|
|
|
|
|
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
static bool
|
2019-01-02 17:09:35 +00:00
|
|
|
writekey(int savedirfd, const char *keyname, uint8_t *dumpkey,
|
|
|
|
|
uint32_t dumpkeysize)
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
{
|
|
|
|
|
int fd;
|
|
|
|
|
|
2019-01-02 17:09:35 +00:00
|
|
|
fd = openat(savedirfd, keyname, O_WRONLY | O_CREAT | O_TRUNC, 0600);
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
if (fd == -1) {
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_ERR, "Unable to open %s to write the key: %m.",
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
keyname);
|
|
|
|
|
return (false);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (write(fd, dumpkey, dumpkeysize) != (ssize_t)dumpkeysize) {
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_ERR, "Unable to write the key to %s: %m.", keyname);
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
close(fd);
|
|
|
|
|
return (false);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
close(fd);
|
|
|
|
|
return (true);
|
|
|
|
|
}
|
|
|
|
|
|
2012-12-16 23:06:12 +00:00
|
|
|
static off_t
|
2019-01-02 17:09:35 +00:00
|
|
|
file_size(int savedirfd, const char *path)
|
2012-12-16 23:06:12 +00:00
|
|
|
{
|
|
|
|
|
struct stat sb;
|
|
|
|
|
|
2019-01-02 17:09:35 +00:00
|
|
|
/* Ignore all errors, this file may not exist. */
|
|
|
|
|
if (fstatat(savedirfd, path, &sb, 0) == -1)
|
2012-12-16 23:06:12 +00:00
|
|
|
return (0);
|
|
|
|
|
return (sb.st_size);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static off_t
|
2019-01-02 17:09:35 +00:00
|
|
|
saved_dump_size(int savedirfd, int bounds)
|
2012-12-16 23:06:12 +00:00
|
|
|
{
|
|
|
|
|
static char path[PATH_MAX];
|
|
|
|
|
off_t dumpsize;
|
|
|
|
|
|
|
|
|
|
dumpsize = 0;
|
|
|
|
|
|
|
|
|
|
(void)snprintf(path, sizeof(path), "info.%d", bounds);
|
2019-01-02 17:09:35 +00:00
|
|
|
dumpsize += file_size(savedirfd, path);
|
2012-12-16 23:06:12 +00:00
|
|
|
(void)snprintf(path, sizeof(path), "vmcore.%d", bounds);
|
2019-01-02 17:09:35 +00:00
|
|
|
dumpsize += file_size(savedirfd, path);
|
2012-12-16 23:06:12 +00:00
|
|
|
(void)snprintf(path, sizeof(path), "vmcore.%d.gz", bounds);
|
2019-01-02 17:09:35 +00:00
|
|
|
dumpsize += file_size(savedirfd, path);
|
2018-02-13 19:28:02 +00:00
|
|
|
(void)snprintf(path, sizeof(path), "vmcore.%d.zst", bounds);
|
2019-01-02 17:09:35 +00:00
|
|
|
dumpsize += file_size(savedirfd, path);
|
2012-12-16 23:06:12 +00:00
|
|
|
(void)snprintf(path, sizeof(path), "textdump.tar.%d", bounds);
|
2019-01-02 17:09:35 +00:00
|
|
|
dumpsize += file_size(savedirfd, path);
|
2012-12-16 23:06:12 +00:00
|
|
|
(void)snprintf(path, sizeof(path), "textdump.tar.%d.gz", bounds);
|
2019-01-02 17:09:35 +00:00
|
|
|
dumpsize += file_size(savedirfd, path);
|
2012-12-16 23:06:12 +00:00
|
|
|
|
|
|
|
|
return (dumpsize);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void
|
2019-01-02 17:09:35 +00:00
|
|
|
saved_dump_remove(int savedirfd, int bounds)
|
2012-12-16 23:06:12 +00:00
|
|
|
{
|
|
|
|
|
static char path[PATH_MAX];
|
|
|
|
|
|
|
|
|
|
(void)snprintf(path, sizeof(path), "info.%d", bounds);
|
2019-01-02 17:09:35 +00:00
|
|
|
(void)unlinkat(savedirfd, path, 0);
|
2012-12-16 23:06:12 +00:00
|
|
|
(void)snprintf(path, sizeof(path), "vmcore.%d", bounds);
|
2019-01-02 17:09:35 +00:00
|
|
|
(void)unlinkat(savedirfd, path, 0);
|
2012-12-16 23:06:12 +00:00
|
|
|
(void)snprintf(path, sizeof(path), "vmcore.%d.gz", bounds);
|
2019-01-02 17:09:35 +00:00
|
|
|
(void)unlinkat(savedirfd, path, 0);
|
2018-02-13 19:28:02 +00:00
|
|
|
(void)snprintf(path, sizeof(path), "vmcore.%d.zst", bounds);
|
2019-01-02 17:09:35 +00:00
|
|
|
(void)unlinkat(savedirfd, path, 0);
|
2012-12-16 23:06:12 +00:00
|
|
|
(void)snprintf(path, sizeof(path), "textdump.tar.%d", bounds);
|
2019-01-02 17:09:35 +00:00
|
|
|
(void)unlinkat(savedirfd, path, 0);
|
2012-12-16 23:06:12 +00:00
|
|
|
(void)snprintf(path, sizeof(path), "textdump.tar.%d.gz", bounds);
|
2019-01-02 17:09:35 +00:00
|
|
|
(void)unlinkat(savedirfd, path, 0);
|
2012-12-16 23:06:12 +00:00
|
|
|
}
|
|
|
|
|
|
2012-12-16 23:09:27 +00:00
|
|
|
static void
|
2019-01-02 17:09:35 +00:00
|
|
|
symlinks_remove(int savedirfd)
|
2012-12-16 23:09:27 +00:00
|
|
|
{
|
|
|
|
|
|
2019-01-02 17:09:35 +00:00
|
|
|
(void)unlinkat(savedirfd, "info.last", 0);
|
|
|
|
|
(void)unlinkat(savedirfd, "key.last", 0);
|
|
|
|
|
(void)unlinkat(savedirfd, "vmcore.last", 0);
|
|
|
|
|
(void)unlinkat(savedirfd, "vmcore.last.gz", 0);
|
|
|
|
|
(void)unlinkat(savedirfd, "vmcore.last.zst", 0);
|
|
|
|
|
(void)unlinkat(savedirfd, "vmcore_encrypted.last", 0);
|
|
|
|
|
(void)unlinkat(savedirfd, "vmcore_encrypted.last.gz", 0);
|
|
|
|
|
(void)unlinkat(savedirfd, "textdump.tar.last", 0);
|
|
|
|
|
(void)unlinkat(savedirfd, "textdump.tar.last.gz", 0);
|
2012-12-16 23:09:27 +00:00
|
|
|
}
|
|
|
|
|
|
2002-05-04 10:36:35 +00:00
|
|
|
/*
|
|
|
|
|
* Check that sufficient space is available on the disk that holds the
|
|
|
|
|
* save directory.
|
|
|
|
|
*/
|
|
|
|
|
static int
|
2019-01-02 17:09:35 +00:00
|
|
|
check_space(const char *savedir, int savedirfd, off_t dumpsize, int bounds)
|
2002-05-04 10:36:35 +00:00
|
|
|
{
|
2019-01-02 17:09:35 +00:00
|
|
|
char buf[100];
|
|
|
|
|
struct statfs fsbuf;
|
2002-05-04 10:36:35 +00:00
|
|
|
FILE *fp;
|
2017-04-14 19:41:48 +00:00
|
|
|
off_t available, minfree, spacefree, totfree, needed;
|
2002-05-04 10:36:35 +00:00
|
|
|
|
2019-01-02 17:09:35 +00:00
|
|
|
if (fstatfs(savedirfd, &fsbuf) < 0) {
|
|
|
|
|
logmsg(LOG_ERR, "%s: %m", savedir);
|
2002-05-05 01:04:00 +00:00
|
|
|
exit(1);
|
|
|
|
|
}
|
2012-12-14 15:01:23 +00:00
|
|
|
spacefree = ((off_t) fsbuf.f_bavail * fsbuf.f_bsize) / 1024;
|
2002-05-04 10:36:35 +00:00
|
|
|
totfree = ((off_t) fsbuf.f_bfree * fsbuf.f_bsize) / 1024;
|
|
|
|
|
|
2019-01-02 17:09:35 +00:00
|
|
|
if ((fp = xfopenat(savedirfd, "minfree", O_RDONLY, "r")) == NULL)
|
2002-05-04 10:36:35 +00:00
|
|
|
minfree = 0;
|
|
|
|
|
else {
|
|
|
|
|
if (fgets(buf, sizeof(buf), fp) == NULL)
|
|
|
|
|
minfree = 0;
|
2017-04-14 19:41:48 +00:00
|
|
|
else {
|
|
|
|
|
char *endp;
|
|
|
|
|
|
|
|
|
|
errno = 0;
|
|
|
|
|
minfree = strtoll(buf, &endp, 10);
|
|
|
|
|
if (minfree == 0 && errno != 0)
|
|
|
|
|
minfree = -1;
|
|
|
|
|
else {
|
|
|
|
|
while (*endp != '\0' && isspace(*endp))
|
|
|
|
|
endp++;
|
|
|
|
|
if (*endp != '\0' || minfree < 0)
|
|
|
|
|
minfree = -1;
|
|
|
|
|
}
|
|
|
|
|
if (minfree < 0)
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_WARNING,
|
2017-04-14 19:41:48 +00:00
|
|
|
"`minfree` didn't contain a valid size "
|
|
|
|
|
"(`%s`). Defaulting to 0", buf);
|
|
|
|
|
}
|
2002-05-04 10:36:35 +00:00
|
|
|
(void)fclose(fp);
|
|
|
|
|
}
|
|
|
|
|
|
2017-04-14 19:41:48 +00:00
|
|
|
available = minfree > 0 ? spacefree - minfree : totfree;
|
2002-05-05 01:04:00 +00:00
|
|
|
needed = dumpsize / 1024 + 2; /* 2 for info file */
|
2019-01-02 17:09:35 +00:00
|
|
|
needed -= saved_dump_size(savedirfd, bounds);
|
2017-04-14 19:41:48 +00:00
|
|
|
if (available < needed) {
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_WARNING,
|
2017-04-14 19:41:48 +00:00
|
|
|
"no dump: not enough free space on device (need at least "
|
2017-04-15 06:53:07 +00:00
|
|
|
"%jdkB for dump; %jdkB available; %jdkB reserved)",
|
2017-04-14 19:41:48 +00:00
|
|
|
(intmax_t)needed,
|
|
|
|
|
(intmax_t)available + minfree,
|
|
|
|
|
(intmax_t)minfree);
|
2002-05-04 10:36:35 +00:00
|
|
|
return (0);
|
|
|
|
|
}
|
|
|
|
|
if (spacefree - needed < 0)
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_WARNING,
|
2002-05-05 01:04:00 +00:00
|
|
|
"dump performed, but free space threshold crossed");
|
2002-05-04 10:36:35 +00:00
|
|
|
return (1);
|
|
|
|
|
}
|
|
|
|
|
|
2017-07-11 18:24:05 +00:00
|
|
|
static bool
|
|
|
|
|
compare_magic(const struct kerneldumpheader *kdh, const char *magic)
|
|
|
|
|
{
|
|
|
|
|
|
|
|
|
|
return (strncmp(kdh->magic, magic, sizeof(kdh->magic)) == 0);
|
|
|
|
|
}
|
|
|
|
|
|
2002-05-05 01:04:00 +00:00
|
|
|
#define BLOCKSIZE (1<<12)
|
|
|
|
|
#define BLOCKMASK (~(BLOCKSIZE-1))
|
2002-03-31 22:26:56 +00:00
|
|
|
|
2007-12-26 11:42:10 +00:00
|
|
|
static int
|
2017-10-25 00:51:00 +00:00
|
|
|
DoRegularFile(int fd, off_t dumpsize, u_int sectorsize, bool sparse, char *buf,
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
const char *device, const char *filename, FILE *fp)
|
2007-12-26 11:42:10 +00:00
|
|
|
{
|
|
|
|
|
int he, hs, nr, nw, wl;
|
2009-08-25 06:21:45 +00:00
|
|
|
off_t dmpcnt, origsize;
|
2007-12-26 11:42:10 +00:00
|
|
|
|
|
|
|
|
dmpcnt = 0;
|
2009-08-25 06:21:45 +00:00
|
|
|
origsize = dumpsize;
|
2007-12-26 11:42:10 +00:00
|
|
|
he = 0;
|
|
|
|
|
while (dumpsize > 0) {
|
|
|
|
|
wl = BUFFERSIZE;
|
|
|
|
|
if (wl > dumpsize)
|
|
|
|
|
wl = dumpsize;
|
2017-10-25 00:51:00 +00:00
|
|
|
nr = read(fd, buf, roundup(wl, sectorsize));
|
|
|
|
|
if (nr != (int)roundup(wl, sectorsize)) {
|
2007-12-26 11:42:10 +00:00
|
|
|
if (nr == 0)
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_WARNING,
|
2007-12-26 11:42:10 +00:00
|
|
|
"WARNING: EOF on dump device");
|
|
|
|
|
else
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_ERR, "read error on %s: %m", device);
|
2007-12-26 11:42:10 +00:00
|
|
|
nerr++;
|
|
|
|
|
return (-1);
|
|
|
|
|
}
|
2017-10-25 00:51:00 +00:00
|
|
|
if (!sparse) {
|
2007-12-26 11:42:10 +00:00
|
|
|
nw = fwrite(buf, 1, wl, fp);
|
|
|
|
|
} else {
|
|
|
|
|
for (nw = 0; nw < nr; nw = he) {
|
|
|
|
|
/* find a contiguous block of zeroes */
|
|
|
|
|
for (hs = nw; hs < nr; hs += BLOCKSIZE) {
|
|
|
|
|
for (he = hs; he < nr && buf[he] == 0;
|
|
|
|
|
++he)
|
|
|
|
|
/* nothing */ ;
|
|
|
|
|
/* is the hole long enough to matter? */
|
|
|
|
|
if (he >= hs + BLOCKSIZE)
|
|
|
|
|
break;
|
|
|
|
|
}
|
2012-12-14 15:01:23 +00:00
|
|
|
|
2007-12-26 11:42:10 +00:00
|
|
|
/* back down to a block boundary */
|
|
|
|
|
he &= BLOCKMASK;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* 1) Don't go beyond the end of the buffer.
|
|
|
|
|
* 2) If the end of the buffer is less than
|
|
|
|
|
* BLOCKSIZE bytes away, we're at the end
|
|
|
|
|
* of the file, so just grab what's left.
|
|
|
|
|
*/
|
|
|
|
|
if (hs + BLOCKSIZE > nr)
|
|
|
|
|
hs = he = nr;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* At this point, we have a partial ordering:
|
|
|
|
|
* nw <= hs <= he <= nr
|
2017-07-24 21:51:41 +00:00
|
|
|
* If hs > nw, buf[nw..hs] contains non-zero
|
|
|
|
|
* data. If he > hs, buf[hs..he] is all zeroes.
|
2007-12-26 11:42:10 +00:00
|
|
|
*/
|
|
|
|
|
if (hs > nw)
|
|
|
|
|
if (fwrite(buf + nw, hs - nw, 1, fp)
|
|
|
|
|
!= 1)
|
|
|
|
|
break;
|
|
|
|
|
if (he > hs)
|
|
|
|
|
if (fseeko(fp, he - hs, SEEK_CUR) == -1)
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (nw != wl) {
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_ERR,
|
2007-12-26 11:42:10 +00:00
|
|
|
"write error on %s file: %m", filename);
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_WARNING,
|
2007-12-26 11:42:10 +00:00
|
|
|
"WARNING: vmcore may be incomplete");
|
|
|
|
|
nerr++;
|
|
|
|
|
return (-1);
|
|
|
|
|
}
|
|
|
|
|
if (verbose) {
|
|
|
|
|
dmpcnt += wl;
|
|
|
|
|
printf("%llu\r", (unsigned long long)dmpcnt);
|
|
|
|
|
fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
dumpsize -= wl;
|
2009-08-25 06:21:45 +00:00
|
|
|
if (got_siginfo) {
|
|
|
|
|
printf("%s %.1lf%%\n", filename, (100.0 - (100.0 *
|
|
|
|
|
(double)dumpsize / (double)origsize)));
|
|
|
|
|
got_siginfo = 0;
|
|
|
|
|
}
|
2007-12-26 11:42:10 +00:00
|
|
|
}
|
|
|
|
|
return (0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Specialized version of dump-reading logic for use with textdumps, which
|
|
|
|
|
* are written backwards from the end of the partition, and must be reversed
|
|
|
|
|
* before being written to the file. Textdumps are small, so do a bit less
|
|
|
|
|
* work to optimize/sparsify.
|
|
|
|
|
*/
|
|
|
|
|
static int
|
|
|
|
|
DoTextdumpFile(int fd, off_t dumpsize, off_t lasthd, char *buf,
|
|
|
|
|
const char *device, const char *filename, FILE *fp)
|
|
|
|
|
{
|
|
|
|
|
int nr, nw, wl;
|
|
|
|
|
off_t dmpcnt, totsize;
|
|
|
|
|
|
|
|
|
|
totsize = dumpsize;
|
|
|
|
|
dmpcnt = 0;
|
|
|
|
|
wl = 512;
|
|
|
|
|
if ((dumpsize % wl) != 0) {
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_ERR, "textdump uneven multiple of 512 on %s",
|
2007-12-26 11:42:10 +00:00
|
|
|
device);
|
|
|
|
|
nerr++;
|
|
|
|
|
return (-1);
|
|
|
|
|
}
|
|
|
|
|
while (dumpsize > 0) {
|
|
|
|
|
nr = pread(fd, buf, wl, lasthd - (totsize - dumpsize) - wl);
|
|
|
|
|
if (nr != wl) {
|
|
|
|
|
if (nr == 0)
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_WARNING,
|
2007-12-26 11:42:10 +00:00
|
|
|
"WARNING: EOF on dump device");
|
|
|
|
|
else
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_ERR, "read error on %s: %m", device);
|
2007-12-26 11:42:10 +00:00
|
|
|
nerr++;
|
|
|
|
|
return (-1);
|
|
|
|
|
}
|
|
|
|
|
nw = fwrite(buf, 1, wl, fp);
|
|
|
|
|
if (nw != wl) {
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_ERR,
|
2007-12-26 11:42:10 +00:00
|
|
|
"write error on %s file: %m", filename);
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_WARNING,
|
2007-12-26 11:42:10 +00:00
|
|
|
"WARNING: textdump may be incomplete");
|
|
|
|
|
nerr++;
|
|
|
|
|
return (-1);
|
|
|
|
|
}
|
|
|
|
|
if (verbose) {
|
|
|
|
|
dmpcnt += wl;
|
|
|
|
|
printf("%llu\r", (unsigned long long)dmpcnt);
|
|
|
|
|
fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
dumpsize -= wl;
|
|
|
|
|
}
|
|
|
|
|
return (0);
|
|
|
|
|
}
|
|
|
|
|
|
2002-03-31 22:26:56 +00:00
|
|
|
static void
|
2019-01-02 17:09:35 +00:00
|
|
|
DoFile(const char *savedir, int savedirfd, const char *device)
|
2002-03-31 22:26:56 +00:00
|
|
|
{
|
2015-03-22 17:29:14 +00:00
|
|
|
xo_handle_t *xostdout, *xoinfo;
|
2012-12-16 23:09:27 +00:00
|
|
|
static char infoname[PATH_MAX], corename[PATH_MAX], linkname[PATH_MAX];
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
static char keyname[PATH_MAX];
|
2016-10-06 05:16:44 +00:00
|
|
|
static char *buf = NULL;
|
|
|
|
|
char *temp = NULL;
|
2002-03-31 22:26:56 +00:00
|
|
|
struct kerneldumpheader kdhf, kdhl;
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
uint8_t *dumpkey;
|
2017-10-25 00:51:00 +00:00
|
|
|
off_t mediasize, dumpextent, dumplength, firsthd, lasthd;
|
2019-01-02 17:09:35 +00:00
|
|
|
FILE *core, *info;
|
|
|
|
|
int fdcore, fddev, error;
|
2005-02-24 02:45:10 +00:00
|
|
|
int bounds, status;
|
2015-03-22 17:29:14 +00:00
|
|
|
u_int sectorsize, xostyle;
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
uint32_t dumpkeysize;
|
2017-10-25 00:51:00 +00:00
|
|
|
bool iscompressed, isencrypted, istextdump, ret;
|
2002-05-05 01:04:00 +00:00
|
|
|
|
2019-01-02 17:09:35 +00:00
|
|
|
bounds = getbounds(savedirfd);
|
2017-02-04 14:10:16 +00:00
|
|
|
dumpkey = NULL;
|
2002-05-05 01:04:00 +00:00
|
|
|
mediasize = 0;
|
2005-02-24 02:45:10 +00:00
|
|
|
status = STATUS_UNKNOWN;
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
|
2015-03-22 17:29:14 +00:00
|
|
|
xostdout = xo_create_to_file(stdout, XO_STYLE_TEXT, 0);
|
|
|
|
|
if (xostdout == NULL) {
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_ERR, "%s: %m", infoname);
|
2015-03-22 17:29:14 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2012-12-16 23:06:12 +00:00
|
|
|
if (maxdumps > 0 && bounds == maxdumps)
|
|
|
|
|
bounds = 0;
|
|
|
|
|
|
2002-05-27 07:54:43 +00:00
|
|
|
if (buf == NULL) {
|
2002-06-02 19:20:37 +00:00
|
|
|
buf = malloc(BUFFERSIZE);
|
2002-05-27 07:54:43 +00:00
|
|
|
if (buf == NULL) {
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_ERR, "%m");
|
2002-05-27 07:54:43 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
if (verbose)
|
2002-05-05 01:04:00 +00:00
|
|
|
printf("checking for kernel dump on device %s\n", device);
|
2002-03-31 22:26:56 +00:00
|
|
|
|
2019-01-02 17:09:35 +00:00
|
|
|
fddev = fileargs_open(capfa, device);
|
|
|
|
|
if (fddev < 0) {
|
|
|
|
|
logmsg(LOG_ERR, "%s: %m", device);
|
2002-03-31 22:26:56 +00:00
|
|
|
return;
|
1994-05-26 06:35:07 +00:00
|
|
|
}
|
2002-05-27 07:54:43 +00:00
|
|
|
|
2019-01-02 17:09:35 +00:00
|
|
|
error = ioctl(fddev, DIOCGMEDIASIZE, &mediasize);
|
2002-03-31 22:26:56 +00:00
|
|
|
if (!error)
|
2019-01-02 17:09:35 +00:00
|
|
|
error = ioctl(fddev, DIOCGSECTORSIZE, §orsize);
|
2002-03-31 22:26:56 +00:00
|
|
|
if (error) {
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_ERR,
|
2002-05-05 01:04:00 +00:00
|
|
|
"couldn't find media and/or sector size of %s: %m", device);
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
goto closefd;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (verbose) {
|
2017-04-12 20:20:04 +00:00
|
|
|
printf("mediasize = %lld bytes\n", (long long)mediasize);
|
|
|
|
|
printf("sectorsize = %u bytes\n", sectorsize);
|
1999-05-13 04:29:09 +00:00
|
|
|
}
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
|
2016-04-15 17:45:12 +00:00
|
|
|
if (sectorsize < sizeof(kdhl)) {
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_ERR,
|
2016-04-15 17:45:12 +00:00
|
|
|
"Sector size is less the kernel dump header %zu",
|
|
|
|
|
sizeof(kdhl));
|
|
|
|
|
goto closefd;
|
|
|
|
|
}
|
|
|
|
|
|
2002-03-31 22:26:56 +00:00
|
|
|
lasthd = mediasize - sectorsize;
|
2016-10-06 05:16:44 +00:00
|
|
|
temp = malloc(sectorsize);
|
2016-04-15 17:45:12 +00:00
|
|
|
if (temp == NULL) {
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_ERR, "%m");
|
2016-10-06 05:16:44 +00:00
|
|
|
goto closefd;
|
2016-04-15 17:45:12 +00:00
|
|
|
}
|
2019-01-02 17:09:35 +00:00
|
|
|
if (lseek(fddev, lasthd, SEEK_SET) != lasthd ||
|
|
|
|
|
read(fddev, temp, sectorsize) != (ssize_t)sectorsize) {
|
|
|
|
|
logmsg(LOG_ERR,
|
2002-05-05 01:04:00 +00:00
|
|
|
"error reading last dump header at offset %lld in %s: %m",
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
(long long)lasthd, device);
|
|
|
|
|
goto closefd;
|
1994-05-26 06:35:07 +00:00
|
|
|
}
|
2016-04-15 17:45:12 +00:00
|
|
|
memcpy(&kdhl, temp, sizeof(kdhl));
|
2017-10-25 00:51:00 +00:00
|
|
|
iscompressed = istextdump = false;
|
2017-07-11 18:24:05 +00:00
|
|
|
if (compare_magic(&kdhl, TEXTDUMPMAGIC)) {
|
2007-12-26 11:42:10 +00:00
|
|
|
if (verbose)
|
|
|
|
|
printf("textdump magic on last dump header on %s\n",
|
|
|
|
|
device);
|
2017-10-25 00:51:00 +00:00
|
|
|
istextdump = true;
|
2007-12-27 21:28:48 +00:00
|
|
|
if (dtoh32(kdhl.version) != KERNELDUMP_TEXT_VERSION) {
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_ERR,
|
2007-12-27 21:28:48 +00:00
|
|
|
"unknown version (%d) in last dump header on %s",
|
|
|
|
|
dtoh32(kdhl.version), device);
|
2012-12-14 15:01:23 +00:00
|
|
|
|
2007-12-27 21:28:48 +00:00
|
|
|
status = STATUS_BAD;
|
|
|
|
|
if (force == 0)
|
|
|
|
|
goto closefd;
|
|
|
|
|
}
|
2017-07-11 18:24:05 +00:00
|
|
|
} else if (compare_magic(&kdhl, KERNELDUMPMAGIC)) {
|
2007-12-27 21:28:48 +00:00
|
|
|
if (dtoh32(kdhl.version) != KERNELDUMPVERSION) {
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_ERR,
|
2007-12-27 21:28:48 +00:00
|
|
|
"unknown version (%d) in last dump header on %s",
|
|
|
|
|
dtoh32(kdhl.version), device);
|
2012-12-14 15:01:23 +00:00
|
|
|
|
2007-12-27 21:28:48 +00:00
|
|
|
status = STATUS_BAD;
|
|
|
|
|
if (force == 0)
|
|
|
|
|
goto closefd;
|
|
|
|
|
}
|
2017-10-25 00:51:00 +00:00
|
|
|
switch (kdhl.compression) {
|
|
|
|
|
case KERNELDUMP_COMP_NONE:
|
|
|
|
|
break;
|
|
|
|
|
case KERNELDUMP_COMP_GZIP:
|
2018-02-13 19:28:02 +00:00
|
|
|
case KERNELDUMP_COMP_ZSTD:
|
2017-10-25 00:51:00 +00:00
|
|
|
if (compress && verbose)
|
|
|
|
|
printf("dump is already compressed\n");
|
|
|
|
|
compress = false;
|
|
|
|
|
iscompressed = true;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_ERR, "unknown compression type %d on %s",
|
2017-10-25 00:51:00 +00:00
|
|
|
kdhl.compression, device);
|
|
|
|
|
break;
|
|
|
|
|
}
|
2007-12-27 21:28:48 +00:00
|
|
|
} else {
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
if (verbose)
|
2002-05-05 01:04:00 +00:00
|
|
|
printf("magic mismatch on last dump header on %s\n",
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
device);
|
2002-05-05 01:04:00 +00:00
|
|
|
|
2005-02-24 02:45:10 +00:00
|
|
|
status = STATUS_BAD;
|
2002-05-05 01:04:00 +00:00
|
|
|
if (force == 0)
|
|
|
|
|
goto closefd;
|
|
|
|
|
|
2017-07-11 18:24:05 +00:00
|
|
|
if (compare_magic(&kdhl, KERNELDUMPMAGIC_CLEARED)) {
|
2002-05-05 01:04:00 +00:00
|
|
|
if (verbose)
|
|
|
|
|
printf("forcing magic on %s\n", device);
|
2017-10-25 00:51:00 +00:00
|
|
|
memcpy(kdhl.magic, KERNELDUMPMAGIC, sizeof(kdhl.magic));
|
2002-05-05 01:04:00 +00:00
|
|
|
} else {
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_ERR, "unable to force dump - bad magic");
|
2002-05-05 01:04:00 +00:00
|
|
|
goto closefd;
|
|
|
|
|
}
|
2007-12-27 21:28:48 +00:00
|
|
|
if (dtoh32(kdhl.version) != KERNELDUMPVERSION) {
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_ERR,
|
2007-12-27 21:28:48 +00:00
|
|
|
"unknown version (%d) in last dump header on %s",
|
|
|
|
|
dtoh32(kdhl.version), device);
|
2012-12-14 15:01:23 +00:00
|
|
|
|
2007-12-27 21:28:48 +00:00
|
|
|
status = STATUS_BAD;
|
|
|
|
|
if (force == 0)
|
|
|
|
|
goto closefd;
|
|
|
|
|
}
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
nfound++;
|
|
|
|
|
if (clear)
|
|
|
|
|
goto nuke;
|
|
|
|
|
|
|
|
|
|
if (kerneldump_parity(&kdhl)) {
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_ERR,
|
2002-05-05 01:04:00 +00:00
|
|
|
"parity error on last dump header on %s", device);
|
2002-05-04 10:36:35 +00:00
|
|
|
nerr++;
|
2005-02-24 02:45:10 +00:00
|
|
|
status = STATUS_BAD;
|
|
|
|
|
if (force == 0)
|
|
|
|
|
goto closefd;
|
1994-05-26 06:35:07 +00:00
|
|
|
}
|
2017-10-25 00:51:00 +00:00
|
|
|
dumpextent = dtoh64(kdhl.dumpextent);
|
|
|
|
|
dumplength = dtoh64(kdhl.dumplength);
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
dumpkeysize = dtoh32(kdhl.dumpkeysize);
|
2017-10-25 00:51:00 +00:00
|
|
|
firsthd = lasthd - dumpextent - sectorsize - dumpkeysize;
|
2019-01-02 17:09:35 +00:00
|
|
|
if (lseek(fddev, firsthd, SEEK_SET) != firsthd ||
|
|
|
|
|
read(fddev, temp, sectorsize) != (ssize_t)sectorsize) {
|
|
|
|
|
logmsg(LOG_ERR,
|
2002-05-05 01:04:00 +00:00
|
|
|
"error reading first dump header at offset %lld in %s: %m",
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
(long long)firsthd, device);
|
2002-05-04 10:36:35 +00:00
|
|
|
nerr++;
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
goto closefd;
|
2000-09-28 20:09:36 +00:00
|
|
|
}
|
2016-04-15 17:45:12 +00:00
|
|
|
memcpy(&kdhf, temp, sizeof(kdhf));
|
2005-02-24 02:45:10 +00:00
|
|
|
|
|
|
|
|
if (verbose >= 2) {
|
|
|
|
|
printf("First dump headers:\n");
|
2015-03-22 17:29:14 +00:00
|
|
|
printheader(xostdout, &kdhf, device, bounds, -1);
|
2005-02-24 02:45:10 +00:00
|
|
|
|
|
|
|
|
printf("\nLast dump headers:\n");
|
2015-03-22 17:29:14 +00:00
|
|
|
printheader(xostdout, &kdhl, device, bounds, -1);
|
2005-02-24 02:45:10 +00:00
|
|
|
printf("\n");
|
|
|
|
|
}
|
|
|
|
|
|
2016-04-15 17:45:12 +00:00
|
|
|
if (memcmp(&kdhl, &kdhf, sizeof(kdhl))) {
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_ERR,
|
2002-05-05 01:04:00 +00:00
|
|
|
"first and last dump headers disagree on %s", device);
|
2002-05-04 10:36:35 +00:00
|
|
|
nerr++;
|
2005-02-24 02:45:10 +00:00
|
|
|
status = STATUS_BAD;
|
|
|
|
|
if (force == 0)
|
|
|
|
|
goto closefd;
|
|
|
|
|
} else {
|
|
|
|
|
status = STATUS_GOOD;
|
1994-05-26 06:35:07 +00:00
|
|
|
}
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
|
2003-09-04 10:07:01 +00:00
|
|
|
if (checkfor) {
|
|
|
|
|
printf("A dump exists on %s\n", device);
|
2019-01-02 17:09:35 +00:00
|
|
|
close(fddev);
|
2003-09-04 10:07:01 +00:00
|
|
|
exit(0);
|
|
|
|
|
}
|
|
|
|
|
|
2016-04-15 17:45:12 +00:00
|
|
|
if (kdhl.panicstring[0] != '\0')
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_ALERT, "reboot after panic: %.*s",
|
2015-10-23 19:28:24 +00:00
|
|
|
(int)sizeof(kdhl.panicstring), kdhl.panicstring);
|
2002-05-05 01:04:00 +00:00
|
|
|
else
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_ALERT, "reboot");
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
|
2002-05-05 01:04:00 +00:00
|
|
|
if (verbose)
|
|
|
|
|
printf("Checking for available free space\n");
|
2012-12-16 23:06:12 +00:00
|
|
|
|
2019-01-02 17:09:35 +00:00
|
|
|
if (!check_space(savedir, savedirfd, dumplength, bounds)) {
|
2002-05-04 10:36:35 +00:00
|
|
|
nerr++;
|
|
|
|
|
goto closefd;
|
|
|
|
|
}
|
2002-05-05 01:04:00 +00:00
|
|
|
|
2019-01-02 17:09:35 +00:00
|
|
|
writebounds(savedirfd, bounds + 1);
|
2005-06-20 20:01:29 +00:00
|
|
|
|
2019-01-02 17:09:35 +00:00
|
|
|
saved_dump_remove(savedirfd, bounds);
|
2012-12-16 23:06:12 +00:00
|
|
|
|
|
|
|
|
snprintf(infoname, sizeof(infoname), "info.%d", bounds);
|
2002-05-05 01:04:00 +00:00
|
|
|
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
/*
|
2005-02-24 02:45:10 +00:00
|
|
|
* Create or overwrite any existing dump header files.
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
*/
|
2019-01-02 17:09:35 +00:00
|
|
|
if ((info = xfopenat(savedirfd, infoname,
|
|
|
|
|
O_WRONLY | O_CREAT | O_TRUNC, "w", 0600)) == NULL) {
|
|
|
|
|
logmsg(LOG_ERR, "open(%s): %m", infoname);
|
2002-05-04 10:36:35 +00:00
|
|
|
nerr++;
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
goto closefd;
|
1994-05-26 06:35:07 +00:00
|
|
|
}
|
2015-03-22 17:29:14 +00:00
|
|
|
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
isencrypted = (dumpkeysize > 0);
|
2019-01-02 17:09:35 +00:00
|
|
|
if (compress)
|
2012-12-16 23:06:12 +00:00
|
|
|
snprintf(corename, sizeof(corename), "%s.%d.gz",
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
istextdump ? "textdump.tar" :
|
|
|
|
|
(isencrypted ? "vmcore_encrypted" : "vmcore"), bounds);
|
2019-01-02 17:09:35 +00:00
|
|
|
else if (iscompressed && !isencrypted)
|
2018-02-13 19:28:02 +00:00
|
|
|
snprintf(corename, sizeof(corename), "vmcore.%d.%s", bounds,
|
|
|
|
|
(kdhl.compression == KERNELDUMP_COMP_GZIP) ? "gz" : "zst");
|
2019-01-02 17:09:35 +00:00
|
|
|
else
|
2012-12-16 23:06:12 +00:00
|
|
|
snprintf(corename, sizeof(corename), "%s.%d",
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
istextdump ? "textdump.tar" :
|
|
|
|
|
(isencrypted ? "vmcore_encrypted" : "vmcore"), bounds);
|
2019-01-02 17:09:35 +00:00
|
|
|
fdcore = openat(savedirfd, corename, O_WRONLY | O_CREAT | O_TRUNC,
|
|
|
|
|
0600);
|
|
|
|
|
if (fdcore < 0) {
|
|
|
|
|
logmsg(LOG_ERR, "open(%s): %m", corename);
|
|
|
|
|
fclose(info);
|
2002-05-04 10:36:35 +00:00
|
|
|
nerr++;
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
goto closefd;
|
1994-05-26 06:35:07 +00:00
|
|
|
}
|
2002-05-05 01:04:00 +00:00
|
|
|
|
2019-01-02 17:09:35 +00:00
|
|
|
if (compress)
|
|
|
|
|
core = zdopen(fdcore, "w");
|
|
|
|
|
else
|
|
|
|
|
core = fdopen(fdcore, "w");
|
|
|
|
|
if (core == NULL) {
|
|
|
|
|
logmsg(LOG_ERR, "%s: %m", corename);
|
|
|
|
|
(void)close(fdcore);
|
|
|
|
|
(void)fclose(info);
|
2007-05-28 09:48:25 +00:00
|
|
|
nerr++;
|
2019-01-02 17:09:35 +00:00
|
|
|
goto closefd;
|
2007-05-28 09:48:25 +00:00
|
|
|
}
|
2019-01-02 17:09:35 +00:00
|
|
|
fdcore = -1;
|
2007-05-28 09:48:25 +00:00
|
|
|
|
2015-03-22 17:29:14 +00:00
|
|
|
xostyle = xo_get_style(NULL);
|
|
|
|
|
xoinfo = xo_create_to_file(info, xostyle, 0);
|
|
|
|
|
if (xoinfo == NULL) {
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_ERR, "%s: %m", infoname);
|
|
|
|
|
fclose(info);
|
2015-03-22 17:29:14 +00:00
|
|
|
nerr++;
|
2015-10-23 19:28:24 +00:00
|
|
|
goto closeall;
|
2015-03-22 17:29:14 +00:00
|
|
|
}
|
|
|
|
|
xo_open_container_h(xoinfo, "crashdump");
|
|
|
|
|
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
if (verbose)
|
2015-03-22 17:29:14 +00:00
|
|
|
printheader(xostdout, &kdhl, device, bounds, status);
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
|
2015-03-22 17:29:14 +00:00
|
|
|
printheader(xoinfo, &kdhl, device, bounds, status);
|
|
|
|
|
xo_close_container_h(xoinfo, "crashdump");
|
|
|
|
|
xo_flush_h(xoinfo);
|
|
|
|
|
xo_finish_h(xoinfo);
|
2002-05-05 01:04:00 +00:00
|
|
|
fclose(info);
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
if (isencrypted) {
|
|
|
|
|
dumpkey = calloc(1, dumpkeysize);
|
|
|
|
|
if (dumpkey == NULL) {
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_ERR, "Unable to allocate kernel dump key.");
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
nerr++;
|
|
|
|
|
goto closeall;
|
|
|
|
|
}
|
|
|
|
|
|
2019-01-02 17:09:35 +00:00
|
|
|
if (read(fddev, dumpkey, dumpkeysize) != (ssize_t)dumpkeysize) {
|
|
|
|
|
logmsg(LOG_ERR, "Unable to read kernel dump key: %m.");
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
nerr++;
|
|
|
|
|
goto closeall;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
snprintf(keyname, sizeof(keyname), "key.%d", bounds);
|
2019-01-02 17:09:35 +00:00
|
|
|
ret = writekey(savedirfd, keyname, dumpkey, dumpkeysize);
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
explicit_bzero(dumpkey, dumpkeysize);
|
|
|
|
|
if (!ret) {
|
|
|
|
|
nerr++;
|
|
|
|
|
goto closeall;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_NOTICE, "writing %s%score to %s/%s",
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
isencrypted ? "encrypted " : "", compress ? "compressed " : "",
|
|
|
|
|
savedir, corename);
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
|
2007-12-26 11:42:10 +00:00
|
|
|
if (istextdump) {
|
2019-01-02 17:09:35 +00:00
|
|
|
if (DoTextdumpFile(fddev, dumplength, lasthd, buf, device,
|
|
|
|
|
corename, core) < 0)
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
goto closeall;
|
2007-12-26 11:42:10 +00:00
|
|
|
} else {
|
2019-01-02 17:09:35 +00:00
|
|
|
if (DoRegularFile(fddev, dumplength, sectorsize,
|
2017-10-25 00:51:00 +00:00
|
|
|
!(compress || iscompressed || isencrypted), buf, device,
|
2019-01-02 17:09:35 +00:00
|
|
|
corename, core) < 0) {
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
goto closeall;
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
}
|
1994-05-26 06:35:07 +00:00
|
|
|
}
|
2002-05-05 01:04:00 +00:00
|
|
|
if (verbose)
|
|
|
|
|
printf("\n");
|
|
|
|
|
|
2019-01-02 17:09:35 +00:00
|
|
|
if (fclose(core) < 0) {
|
|
|
|
|
logmsg(LOG_ERR, "error on %s: %m", corename);
|
2002-05-05 01:04:00 +00:00
|
|
|
nerr++;
|
2014-04-14 21:44:34 +00:00
|
|
|
goto closefd;
|
2002-05-05 01:04:00 +00:00
|
|
|
}
|
2012-12-16 23:06:12 +00:00
|
|
|
|
2019-01-02 17:09:35 +00:00
|
|
|
symlinks_remove(savedirfd);
|
|
|
|
|
if (symlinkat(infoname, savedirfd, "info.last") == -1) {
|
|
|
|
|
logmsg(LOG_WARNING, "unable to create symlink %s/%s: %m",
|
2012-12-16 23:09:27 +00:00
|
|
|
savedir, "info.last");
|
|
|
|
|
}
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
if (isencrypted) {
|
2019-01-02 17:09:35 +00:00
|
|
|
if (symlinkat(keyname, savedirfd, "key.last") == -1) {
|
|
|
|
|
logmsg(LOG_WARNING,
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
"unable to create symlink %s/%s: %m", savedir,
|
|
|
|
|
"key.last");
|
|
|
|
|
}
|
|
|
|
|
}
|
2017-10-25 00:51:00 +00:00
|
|
|
if (compress || iscompressed) {
|
2018-02-13 19:28:02 +00:00
|
|
|
snprintf(linkname, sizeof(linkname), "%s.last.%s",
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
istextdump ? "textdump.tar" :
|
2018-02-13 19:28:02 +00:00
|
|
|
(isencrypted ? "vmcore_encrypted" : "vmcore"),
|
|
|
|
|
(kdhl.compression == KERNELDUMP_COMP_ZSTD) ? "zst" : "gz");
|
2012-12-16 23:09:27 +00:00
|
|
|
} else {
|
|
|
|
|
snprintf(linkname, sizeof(linkname), "%s.last",
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
istextdump ? "textdump.tar" :
|
|
|
|
|
(isencrypted ? "vmcore_encrypted" : "vmcore"));
|
2012-12-16 23:09:27 +00:00
|
|
|
}
|
2019-01-02 17:09:35 +00:00
|
|
|
if (symlinkat(corename, savedirfd, linkname) == -1) {
|
|
|
|
|
logmsg(LOG_WARNING, "unable to create symlink %s/%s: %m",
|
2012-12-16 23:09:27 +00:00
|
|
|
savedir, linkname);
|
|
|
|
|
}
|
|
|
|
|
|
2002-05-04 10:36:35 +00:00
|
|
|
nsaved++;
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
|
|
|
|
|
if (verbose)
|
2002-05-05 01:04:00 +00:00
|
|
|
printf("dump saved\n");
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
|
2002-05-05 01:04:00 +00:00
|
|
|
nuke:
|
2012-12-14 15:03:12 +00:00
|
|
|
if (!keep) {
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
if (verbose)
|
2002-05-05 01:04:00 +00:00
|
|
|
printf("clearing dump header\n");
|
2016-04-15 17:45:12 +00:00
|
|
|
memcpy(kdhl.magic, KERNELDUMPMAGIC_CLEARED, sizeof(kdhl.magic));
|
|
|
|
|
memcpy(temp, &kdhl, sizeof(kdhl));
|
2019-01-02 17:09:35 +00:00
|
|
|
if (lseek(fddev, lasthd, SEEK_SET) != lasthd ||
|
|
|
|
|
write(fddev, temp, sectorsize) != (ssize_t)sectorsize)
|
|
|
|
|
logmsg(LOG_ERR,
|
2002-05-05 01:04:00 +00:00
|
|
|
"error while clearing the dump header: %m");
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
}
|
2015-03-22 17:29:14 +00:00
|
|
|
xo_close_container_h(xostdout, "crashdump");
|
|
|
|
|
xo_finish_h(xostdout);
|
2017-02-04 14:10:16 +00:00
|
|
|
free(dumpkey);
|
2016-10-06 05:16:44 +00:00
|
|
|
free(temp);
|
2019-01-02 17:09:35 +00:00
|
|
|
close(fddev);
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
return;
|
|
|
|
|
|
2002-05-05 01:04:00 +00:00
|
|
|
closeall:
|
2019-01-02 17:09:35 +00:00
|
|
|
fclose(core);
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
|
2002-05-05 01:04:00 +00:00
|
|
|
closefd:
|
2017-02-04 14:10:16 +00:00
|
|
|
free(dumpkey);
|
2016-10-06 05:16:44 +00:00
|
|
|
free(temp);
|
2019-01-02 17:09:35 +00:00
|
|
|
close(fddev);
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-29 22:12:23 +00:00
|
|
|
/* Prepend "/dev/" to any arguments that don't already have it */
|
|
|
|
|
static char **
|
|
|
|
|
devify(int argc, char **argv)
|
|
|
|
|
{
|
|
|
|
|
char **devs;
|
|
|
|
|
int i, l;
|
|
|
|
|
|
|
|
|
|
devs = malloc(argc * sizeof(*argv));
|
|
|
|
|
if (devs == NULL) {
|
|
|
|
|
logmsg(LOG_ERR, "malloc(): %m");
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
for (i = 0; i < argc; i++) {
|
|
|
|
|
if (strncmp(argv[i], _PATH_DEV, sizeof(_PATH_DEV) - 1) == 0)
|
|
|
|
|
devs[i] = strdup(argv[i]);
|
|
|
|
|
else {
|
|
|
|
|
char *fullpath;
|
|
|
|
|
|
|
|
|
|
fullpath = malloc(PATH_MAX);
|
|
|
|
|
if (fullpath == NULL) {
|
|
|
|
|
logmsg(LOG_ERR, "malloc(): %m");
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
l = snprintf(fullpath, PATH_MAX, "%s%s", _PATH_DEV,
|
|
|
|
|
argv[i]);
|
|
|
|
|
if (l < 0) {
|
|
|
|
|
logmsg(LOG_ERR, "snprintf(): %m");
|
|
|
|
|
exit(1);
|
|
|
|
|
} else if (l >= PATH_MAX) {
|
|
|
|
|
logmsg(LOG_ERR, "device name too long");
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
devs[i] = fullpath;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return (devs);
|
|
|
|
|
}
|
|
|
|
|
|
2019-01-02 17:09:35 +00:00
|
|
|
static char **
|
|
|
|
|
enum_dumpdevs(int *argcp)
|
|
|
|
|
{
|
|
|
|
|
struct fstab *fsp;
|
|
|
|
|
char **argv;
|
|
|
|
|
int argc, n;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We cannot use getfsent(3) in capability mode, so we must
|
|
|
|
|
* scan /etc/fstab and build up a list of candidate devices
|
|
|
|
|
* before proceeding.
|
|
|
|
|
*/
|
|
|
|
|
argc = 0;
|
|
|
|
|
n = 8;
|
|
|
|
|
argv = malloc(n * sizeof(*argv));
|
|
|
|
|
if (argv == NULL) {
|
|
|
|
|
logmsg(LOG_ERR, "malloc(): %m");
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
for (;;) {
|
|
|
|
|
fsp = getfsent();
|
|
|
|
|
if (fsp == NULL)
|
|
|
|
|
break;
|
|
|
|
|
if (strcmp(fsp->fs_vfstype, "swap") != 0 &&
|
|
|
|
|
strcmp(fsp->fs_vfstype, "dump") != 0)
|
|
|
|
|
continue;
|
|
|
|
|
if (argc >= n) {
|
|
|
|
|
n *= 2;
|
|
|
|
|
argv = realloc(argv, n * sizeof(*argv));
|
|
|
|
|
if (argv == NULL) {
|
|
|
|
|
logmsg(LOG_ERR, "realloc(): %m");
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
argv[argc] = strdup(fsp->fs_spec);
|
|
|
|
|
if (argv[argc] == NULL) {
|
|
|
|
|
logmsg(LOG_ERR, "strdup(): %m");
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
argc++;
|
|
|
|
|
}
|
|
|
|
|
*argcp = argc;
|
|
|
|
|
return (argv);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
init_caps(int argc, char **argv)
|
|
|
|
|
{
|
|
|
|
|
cap_rights_t rights;
|
|
|
|
|
cap_channel_t *capcas;
|
|
|
|
|
|
|
|
|
|
capcas = cap_init();
|
|
|
|
|
if (capcas == NULL) {
|
|
|
|
|
logmsg(LOG_ERR, "cap_init(): %m");
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
/*
|
|
|
|
|
* The fileargs capability does not currently provide a way to limit
|
|
|
|
|
* ioctls.
|
|
|
|
|
*/
|
|
|
|
|
(void)cap_rights_init(&rights, CAP_PREAD, CAP_WRITE, CAP_IOCTL);
|
|
|
|
|
capfa = fileargs_init(argc, argv, checkfor || keep ? O_RDONLY : O_RDWR,
|
2019-04-17 16:18:14 +00:00
|
|
|
0, &rights, FA_OPEN);
|
2019-01-02 17:09:35 +00:00
|
|
|
if (capfa == NULL) {
|
|
|
|
|
logmsg(LOG_ERR, "fileargs_init(): %m");
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
caph_cache_catpages();
|
|
|
|
|
caph_cache_tzdata();
|
|
|
|
|
if (caph_enter_casper() != 0) {
|
|
|
|
|
logmsg(LOG_ERR, "caph_enter_casper(): %m");
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
capsyslog = cap_service_open(capcas, "system.syslog");
|
|
|
|
|
if (capsyslog == NULL) {
|
|
|
|
|
logmsg(LOG_ERR, "cap_service_open(system.syslog): %m");
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
cap_close(capcas);
|
1994-05-26 06:35:07 +00:00
|
|
|
}
|
|
|
|
|
|
2002-03-31 22:26:56 +00:00
|
|
|
static void
|
|
|
|
|
usage(void)
|
1994-05-26 06:35:07 +00:00
|
|
|
{
|
2015-03-22 17:29:14 +00:00
|
|
|
xo_error("%s\n%s\n%s\n",
|
2012-12-14 15:12:08 +00:00
|
|
|
"usage: savecore -c [-v] [device ...]",
|
|
|
|
|
" savecore -C [-v] [device ...]",
|
2012-12-16 23:06:12 +00:00
|
|
|
" savecore [-fkvz] [-m maxdumps] [directory [device ...]]");
|
|
|
|
|
exit(1);
|
1994-05-26 06:35:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int
|
2002-03-31 22:26:56 +00:00
|
|
|
main(int argc, char **argv)
|
1999-08-31 18:12:44 +00:00
|
|
|
{
|
2019-01-02 17:09:35 +00:00
|
|
|
cap_rights_t rights;
|
|
|
|
|
const char *savedir;
|
2020-06-29 22:12:23 +00:00
|
|
|
char **devs;
|
2019-01-02 17:09:35 +00:00
|
|
|
int i, ch, error, savedirfd;
|
1999-08-31 18:12:44 +00:00
|
|
|
|
2005-02-24 02:45:10 +00:00
|
|
|
checkfor = compress = clear = force = keep = verbose = 0;
|
|
|
|
|
nfound = nsaved = nerr = 0;
|
2019-01-02 17:09:35 +00:00
|
|
|
savedir = ".";
|
2005-02-24 02:45:10 +00:00
|
|
|
|
2002-05-05 01:04:00 +00:00
|
|
|
openlog("savecore", LOG_PERROR, LOG_DAEMON);
|
2009-08-25 06:21:45 +00:00
|
|
|
signal(SIGINFO, infohandler);
|
2002-05-05 01:04:00 +00:00
|
|
|
|
2015-03-22 17:29:14 +00:00
|
|
|
argc = xo_parse_args(argc, argv);
|
|
|
|
|
if (argc < 0)
|
|
|
|
|
exit(1);
|
|
|
|
|
|
2012-12-16 23:06:12 +00:00
|
|
|
while ((ch = getopt(argc, argv, "Ccfkm:vz")) != -1)
|
2002-03-31 22:26:56 +00:00
|
|
|
switch(ch) {
|
2003-09-04 10:07:01 +00:00
|
|
|
case 'C':
|
|
|
|
|
checkfor = 1;
|
|
|
|
|
break;
|
2002-03-31 22:26:56 +00:00
|
|
|
case 'c':
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
clear = 1;
|
|
|
|
|
break;
|
2012-12-16 22:59:58 +00:00
|
|
|
case 'f':
|
|
|
|
|
force = 1;
|
|
|
|
|
break;
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
case 'k':
|
|
|
|
|
keep = 1;
|
|
|
|
|
break;
|
2012-12-16 23:06:12 +00:00
|
|
|
case 'm':
|
|
|
|
|
maxdumps = atoi(optarg);
|
|
|
|
|
if (maxdumps <= 0) {
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_ERR, "Invalid maxdump value");
|
2012-12-16 23:06:12 +00:00
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
break;
|
2002-03-31 22:26:56 +00:00
|
|
|
case 'v':
|
2005-02-24 02:45:10 +00:00
|
|
|
verbose++;
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
break;
|
2002-05-05 01:04:00 +00:00
|
|
|
case 'z':
|
|
|
|
|
compress = 1;
|
|
|
|
|
break;
|
2002-03-31 22:26:56 +00:00
|
|
|
case '?':
|
|
|
|
|
default:
|
|
|
|
|
usage();
|
|
|
|
|
}
|
2003-09-04 10:07:01 +00:00
|
|
|
if (checkfor && (clear || force || keep))
|
|
|
|
|
usage();
|
2012-12-14 15:04:39 +00:00
|
|
|
if (clear && (compress || keep))
|
|
|
|
|
usage();
|
2012-12-16 23:06:12 +00:00
|
|
|
if (maxdumps > 0 && (checkfor || clear))
|
|
|
|
|
usage();
|
2002-03-31 22:26:56 +00:00
|
|
|
argc -= optind;
|
|
|
|
|
argv += optind;
|
2012-12-14 15:12:08 +00:00
|
|
|
if (argc >= 1 && !checkfor && !clear) {
|
2002-03-31 22:26:56 +00:00
|
|
|
error = chdir(argv[0]);
|
2002-05-05 01:04:00 +00:00
|
|
|
if (error) {
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_ERR, "chdir(%s): %m", argv[0]);
|
2002-05-05 01:04:00 +00:00
|
|
|
exit(1);
|
|
|
|
|
}
|
2002-05-04 10:36:35 +00:00
|
|
|
savedir = argv[0];
|
2002-03-31 22:26:56 +00:00
|
|
|
argc--;
|
|
|
|
|
argv++;
|
|
|
|
|
}
|
2019-01-02 17:09:35 +00:00
|
|
|
if (argc == 0)
|
2020-06-29 22:12:23 +00:00
|
|
|
devs = enum_dumpdevs(&argc);
|
|
|
|
|
else
|
|
|
|
|
devs = devify(argc, argv);
|
2019-01-02 17:09:35 +00:00
|
|
|
|
|
|
|
|
savedirfd = open(savedir, O_RDONLY | O_DIRECTORY);
|
|
|
|
|
if (savedirfd < 0) {
|
|
|
|
|
logmsg(LOG_ERR, "open(%s): %m", savedir);
|
|
|
|
|
exit(1);
|
1994-05-26 06:35:07 +00:00
|
|
|
}
|
2019-01-02 17:09:35 +00:00
|
|
|
(void)cap_rights_init(&rights, CAP_CREATE, CAP_FCNTL, CAP_FSTATAT,
|
|
|
|
|
CAP_FSTATFS, CAP_PREAD, CAP_SYMLINKAT, CAP_FTRUNCATE, CAP_UNLINKAT,
|
|
|
|
|
CAP_WRITE);
|
|
|
|
|
if (caph_rights_limit(savedirfd, &rights) < 0) {
|
|
|
|
|
logmsg(LOG_ERR, "cap_rights_limit(): %m");
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Enter capability mode. */
|
2020-06-29 22:12:23 +00:00
|
|
|
init_caps(argc, devs);
|
2019-01-02 17:09:35 +00:00
|
|
|
|
|
|
|
|
for (i = 0; i < argc; i++)
|
2020-06-29 22:12:23 +00:00
|
|
|
DoFile(savedir, savedirfd, devs[i]);
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
|
|
|
|
|
/* Emit minimal output. */
|
2003-09-04 10:07:01 +00:00
|
|
|
if (nfound == 0) {
|
|
|
|
|
if (checkfor) {
|
2015-11-07 23:27:03 +00:00
|
|
|
if (verbose)
|
|
|
|
|
printf("No dump exists\n");
|
2003-09-04 10:07:01 +00:00
|
|
|
exit(1);
|
|
|
|
|
}
|
2015-11-07 23:27:03 +00:00
|
|
|
if (verbose)
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_WARNING, "no dumps found");
|
2015-11-07 23:27:03 +00:00
|
|
|
} else if (nsaved == 0) {
|
|
|
|
|
if (nerr != 0) {
|
|
|
|
|
if (verbose)
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_WARNING,
|
2017-07-24 21:51:41 +00:00
|
|
|
"unsaved dumps found but not saved");
|
2015-11-07 23:27:03 +00:00
|
|
|
exit(1);
|
|
|
|
|
} else if (verbose)
|
2019-01-02 17:09:35 +00:00
|
|
|
logmsg(LOG_WARNING, "no unsaved dumps found");
|
2002-05-04 10:36:35 +00:00
|
|
|
}
|
High-level changes (user visible):
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
2002-04-13 08:20:15 +00:00
|
|
|
|
2002-03-31 22:26:56 +00:00
|
|
|
return (0);
|
1994-05-26 06:35:07 +00:00
|
|
|
}
|
2009-08-25 06:21:45 +00:00
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
infohandler(int sig __unused)
|
|
|
|
|
{
|
|
|
|
|
got_siginfo = 1;
|
|
|
|
|
}
|
