Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates a one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should also be noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
A description of how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
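As an added illustration of the on-device layout described in the commit message above (this is constructed model code, not FreeBSD's own; the field order inside the header and the dump key, the 32-byte IV state, the numeric algorithm identifier and the length prefix on the encrypted symmetric key are assumptions of this model), the following shows how savecore(8) can locate the kernel dump key from the header and how the IV evolves between successive dumps:

```python
import hashlib
import struct

BLOCK_SIZE = 512          # header size and dump device block size (from the text)
IV_SIZE = 32              # assumption: the kernel keeps a 32-byte IV state
ALG_AES_256_CBC = 1       # assumption: numeric value of the algorithm identifier
PANIC_STR_LEN = BLOCK_SIZE - 4  # model: panic string 4 bytes shorter to fit the key size field


def next_iv(iv: bytes) -> bytes:
    """Before each dump the kernel replaces the IV with SHA-256 of the previous one."""
    return hashlib.sha256(iv).digest()


def build_dump_key(alg: int, iv: bytes, enc_symkey: bytes) -> bytes:
    """Kernel dump key: algorithm id, IV and the RSA-encrypted symmetric key
    (a length prefix is added for this model), padded to whole device blocks."""
    blob = struct.pack("<I", alg) + iv + struct.pack("<I", len(enc_symkey)) + enc_symkey
    return blob + b"\0" * ((-len(blob)) % BLOCK_SIZE)


def build_header(panic: bytes, dumpkey_size: int) -> bytes:
    """Model of the 512-byte header: panic string, then the 32-bit dump key size."""
    assert dumpkey_size % BLOCK_SIZE == 0, "key size must be block aligned"
    return panic[:PANIC_STR_LEN].ljust(PANIC_STR_LEN, b"\0") + struct.pack("<I", dumpkey_size)


def write_dump(iv: bytes, enc_symkey: bytes, panic: bytes, body: bytes) -> bytes:
    """Device image for one dump: unencrypted header and dump key, then the body
    (the AES-256-CBC encryption of the body is not modelled here)."""
    key = build_dump_key(ALG_AES_256_CBC, iv, enc_symkey)
    return build_header(panic, len(key)) + key + body


def parse_dump(device: bytes):
    """savecore's view: a nonzero key size in the header means the dump key
    follows the first header and the core is encrypted; otherwise return None."""
    (dumpkey_size,) = struct.unpack_from("<I", device, PANIC_STR_LEN)
    if dumpkey_size == 0:
        return None
    key = device[BLOCK_SIZE:BLOCK_SIZE + dumpkey_size]
    (alg,) = struct.unpack_from("<I", key, 0)
    iv = key[4:4 + IV_SIZE]
    (enc_len,) = struct.unpack_from("<I", key, 4 + IV_SIZE)
    enc_symkey = key[8 + IV_SIZE:8 + IV_SIZE + enc_len]
    return alg, iv, enc_symkey, device[BLOCK_SIZE + dumpkey_size:]
```

Because each dump's key blob carries the IV that was current when it was written, decryptcore(8) never needs to replay the SHA-256 chain; the chain only matters to the kernel writing successive dumps.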
Currently, '/etc/rc.d/swaplate stop' removes all swap devices. This can be
very slow and may not even be possible if there is a lot of swap space in
use. However, removing swap devices is only needed for late swap devices
that may depend on daemons that subsequent shutdown steps stop. Normal swap
devices such as hard disk partitions will remain available throughout the
shutdown process and need not be removed.
In swapoff, interpret -aL to remove late swap devices only, and use this in
etc/rc.d/swaplate. The meaning of -aL in swapon remains unchanged (add all
swap devices, both normal and late).
PR: 187081
Reviewed by: wblock (man page only), ngie
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D8126
Currently zfsbe ensures that subordinate filesystems are mounted at the
right mount points.
The script assumes that the subordinate filesystems of a boot environment
have their canmount property set to noauto, so that they are not
automatically mounted on boot. Whereas the root filesystem is mounted
by the kernel, there was nothing to mount its subordinates.
rc.d/zfsbe fills that gap.
Discussed with: allanjude, will
MFC after: 3 weeks
Differential Revision: https://reviews.freebsd.org/D7797
because they can use sysrc in conjunction with ssh and xargs to perform
en-masse changes in a large distribution with lots of jails spread over
many hosts on a LAN/WAN.
Provide a mechanism for disabling the warning eschewed by /etc/rc.d/jail
in said situation. If jail_confwarn="NO" is in rc.conf(5) (default "YES")
skip the warning that per-jail configurations are obsolete and that the
user should migrate to jail.conf(5).
Reviewed by: jelischer
MFC after: 3 days
Sponsored by: FIS Global, Inc.
Differential Revision: https://reviews.freebsd.org/D7465
1. Use the leap-seconds version number (update time) to determine
whether to update the file or not.
2. If the version numbers of the files are the same, use the later
expiry date to determine which file to use.
Suggested by: ian@
MFC after: 1 day
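The two-step selection above, as an added example that is not the rc script's own code. It assumes the NTP leap-seconds.list conventions, where a "#$" line carries the update time (the file's version) and a "#@" line carries the expiry, both in NTP seconds:

```python
def leap_file_meta(text: str):
    """Return (update_time, expiry) from a leap-seconds file, or None if either
    line is missing. Assumes leap-seconds.list conventions: '#$' holds the
    update time (the version) and '#@' the expiry, both in NTP seconds."""
    update = expiry = None
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        if fields[0] == "#$":
            update = int(fields[1])
        elif fields[0] == "#@":
            expiry = int(fields[1])
    return None if update is None or expiry is None else (update, expiry)


def pick_leap_file(installed: str, candidate: str) -> str:
    """Step 1: the higher update time (version) wins. Step 2: on equal versions
    the later expiry wins. Ties and unparsable candidates keep the installed copy."""
    inst, cand = leap_file_meta(installed), leap_file_meta(candidate)
    if cand is None:
        return "installed"
    if inst is None:
        return "candidate"
    if cand[0] != inst[0]:
        return "candidate" if cand[0] > inst[0] else "installed"
    return "candidate" if cand[1] > inst[1] else "installed"
```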
ldconfig is already required by mountcritremote indirectly, as noted by rcorder:
> rcorder: Circular dependency on provision `mountcritremote' in file `ldconfig'.
Having mountcritremote REQUIRE ldconfig breaks dependency ordering.
Making the ldconfig hints be conditionally regenerated from mountcritremote when
remote filesystems are mounted is done after this change, similar to cleanvar
being conditionally called after the change.
Differential Revision: https://reviews.freebsd.org/D6621
PR: 202726
Reviewed by: jilles
Sponsored by: EMC / Isilon Storage Division
As noted in the PR, if etc/rc.d/zvol is removed, netif will be run before
hostid, and the MAC address generated for any bridge devices will be
non-deterministic. Make the MAC address generated be deterministic for
bridge devices by explicitly REQUIRE'ing hostid.
This fixes up the rest of the PR, inadvertently committed in r299844.
MFC after: 1 week
PR: 195188
Sponsored by: EMC / Isilon Storage Division
Add zfsd, which deals with hard drive faults in ZFS pools. It manages
hotspares and replacements in drive slots that publish physical paths.
cddl/usr.sbin/zfsd
Add zfsd(8) and its unit tests
cddl/usr.sbin/Makefile
Add zfsd to the build
lib/libdevdctl
A C++ library that helps devd clients process events
lib/Makefile
share/mk/bsd.libnames.mk
share/mk/src.libnames.mk
Add libdevdctl to the build. It's a private library, unusable by
out-of-tree software.
etc/defaults/rc.conf
By default, set zfsd_enable to NO
etc/mtree/BSD.include.dist
Add a directory for libdevdctl's include files
etc/mtree/BSD.tests.dist
Add a directory for zfsd's unit tests
etc/mtree/BSD.var.dist
Add /var/db/zfsd/cases, where zfsd stores case files while it's shut
down.
etc/rc.d/Makefile
etc/rc.d/zfsd
Add zfsd's rc script
sys/cddl/contrib/opensolaris/uts/common/fs/zfs/vdev.c
Fix the resource.fs.zfs.statechange message. It had a number of
problems:
- It was only being emitted on a transition to the HEALTHY state.
  That made it impossible for zfsd to take actions based on drives
  getting sicker.
- It compared the new state to vdev_prevstate, which is the state that
  the vdev had the last time it was opened. That doesn't make sense,
  because a vdev can change state multiple times without being
  reopened.
- vdev_set_state contains logic that will change the device's new
  state based on various conditions. However, the statechange event
  was being posted _before_ that logic took effect. Now it's being
  posted after.
Submitted by: gibbs, asomers, mav, allanjude
Reviewed by: mav, delphij
Relnotes: yes
Sponsored by: Spectra Logic Corp, iX Systems
Differential Revision: https://reviews.freebsd.org/D6564
Always create loopback routes on every fib, for both IPv4 and IPv6
etc/rc.d/routing
Create loopback IPv4 and IPv6 routes on every fib at boot. Revert
278302; now that all FIBs have IPv6 loopback routes, the
"route add -reject" commands won't fail.
tests/etc/rc.d/routing_test.sh
Greatly simplify static_ipv6_loopback_route_for_each_fib. It was
written under the assumption that loopback routes would be added to
a given fib by the kernel as soon as an interface is configured on
that fib. However, the logic can be much simpler now that we simply
add loopback routes to all fibs at boot. This also removes the need
to run the test as root, removes the restriction that
net.add_addr_allfibs=0, and removes the need to configure fibs in
kyua.conf.
Also, add a test case for IPv4 loopback routes
Sponsored by: Spectra Logic Corp
Differential Revision: https://reviews.freebsd.org/D6582
Remove routed as a requirement in NETWORKING, and put it in routed as a BEFORE
requirement instead.
MFC after: 2 weeks
Sponsored by: EMC / Isilon Storage Division
`BEFORE: netif` was already in etc/rc.d/atm1, so no additional changes
are needed in that script.
MFC after: 2 weeks
Sponsored by: EMC / Isilon Storage Division
- Use BINDIR instead of FILESDIR
- Default all <FILESGROUPS>MODEs to BINMODE with a single for-loop at the
bottom of the Makefile
- Move all of the conditionals under the relevant MK_* != no build conditional
blocks
Sponsored by: EMC / Isilon Storage Division
This fixes mounting (non-root) USB drives on boot with fsck enabled
(with non-zero 'Pass#' field in fstab(5)).
Reported by: Graham Menhennitt <graham at menhennitt.com.au>
Reviewed by: jilles@
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D6221
Make kdc run BEFORE SERVERS instead of being REQUIREd by SERVERS,
so systems that pedantically check REQUIREs function after r270782.
MFC after: 1 week
X-MFC with: r270782
Sponsored by: EMC / Isilon Storage Division
By default set to 'YES' so it does not change the current behaviour for users,
this variable allows one to decide not to extract crash dumps from the dump
device at boot time by setting it to "NO" in rc.conf.
Sponsored by: Gandi.net
Check if pf.ko is loaded (i.e. /dev/pf exists) before trying to use it. This
means that '/etc/rc.d/pf status' will no longer return 'pfctl: /dev/pf: No such
file or directory' but 'pf.ko is not loaded'.
PR: 205671
Submitted by: Johannes Jost Meixner <xmj@FreeBSD.org>