d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
480f31c214
freebsd-dev/sys/kern
History
Konrad Witaszczyk 480f31c214 Add support for encrypted kernel crash dumps. 
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.

A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.

dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable.  Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.

When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore

A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.

Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.

savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.

decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.

Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.

EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.

Designed by:	def, pjd
Reviewed by:	cem, oshogbo, pjd
Partial review:	delphij, emaste, jhb, kib
Approved by:	pjd (mentor)
Differential Revision:	https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
..
bus_if.m INTRNG: Rework handling with resources. Partially revert r301453. 2016-08-19 10:52:39 +00:00
capabilities.conf Update capabilities.conf comment 2016-09-08 14:04:04 +00:00
clock_if.m
cpufreq_if.m
device_if.m Import the 'iflib' API library for network drivers. From the author: 2016-05-18 04:35:58 +00:00
genassym.sh genassym.sh: call nm(1) with NMFLAGS. 2015-08-14 22:57:13 +00:00
imgact_aout.c Implement vsyscall hack. Prior to 2.13 glibc uses vsyscall 2016-01-09 20:18:53 +00:00
imgact_binmisc.c sys/kern: spelling fixes in comments. 2016-04-29 22:15:33 +00:00
imgact_elf32.c
imgact_elf64.c
imgact_elf.c Style. 2016-10-04 15:23:03 +00:00
imgact_gzip.c
imgact_shell.c
inflate.c ANSIfy inflate.c 2016-10-04 17:57:30 +00:00
init_main.c Fix improper use of "its". 2016-11-08 23:59:41 +00:00
init_sysent.c Regnerate system-call definitions following r309677 correcting a whitespace 2016-12-07 16:12:27 +00:00
kern_acct.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
kern_alq.c Use SI_SUB_LAST instead of SI_SUB_SMP as the "catch-all" subsystem. 2016-03-11 23:18:06 +00:00
kern_clock.c Initialize 'ticks' earlier in boot after 'hz' is set. 2016-11-22 01:02:59 +00:00
kern_clocksource.c Add an EARLY_AP_STARTUP option to start APs earlier during boot. 2016-05-14 18:22:52 +00:00
kern_condvar.c cv: do a lockless check for no waiters in cv_signal and cv_broadcastpri 2016-09-06 17:16:59 +00:00
kern_conf.c Provide yet another KPI for cdev creation, make_dev_s(9). 2016-01-07 20:08:02 +00:00
kern_cons.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
kern_context.c
kern_cpu.c Add an EARLY_AP_STARTUP option to start APs earlier during boot. 2016-05-14 18:22:52 +00:00
kern_cpuset.c Add more fine-grained kernel options for NUMA support. 2016-04-09 13:58:04 +00:00
kern_ctf.c Fix improper use of "its". 2016-11-08 23:59:41 +00:00
kern_descrip.c Audit 'fd' and 'cmd' arguments to fcntl(2), and when generating BSM, 2016-11-22 00:41:24 +00:00
kern_dtrace.c
kern_dump.c Add support for encrypted kernel crash dumps. 2016-12-10 16:20:39 +00:00
kern_environment.c Create wrappers for uint64_t and int64_t for the tunables. While not 2016-04-15 03:09:55 +00:00
kern_et.c
kern_event.c Another issue reported on http://seclists.org/oss-sec/2016/q3/68 is 2016-07-16 13:24:58 +00:00
kern_exec.c Remove most of the code for implementing PG_CACHED pages. (This change does 2016-11-15 18:22:50 +00:00
kern_exit.c Restructure the code to handle reporting of non-exited processes from 2016-12-04 20:44:58 +00:00
kern_fail.c Fix some cosmetic issues in kern_fail.c omitted from r296927. 2016-06-09 13:17:08 +00:00
kern_ffclock.c kernel: use our nitems() macro when it is available through param.h. 2016-04-19 23:48:27 +00:00
kern_fork.c Add PROC_TRAPCAP procctl(2) controls and global sysctl kern.trap_enocap. 2016-09-21 08:23:33 +00:00
kern_gzio.c
kern_hhook.c Get closer to a VIMAGE network stack teardown from top to bottom rather 2016-06-21 13:48:49 +00:00
kern_idle.c
kern_intr.c The part of r285680 which removed release semantic for two stores to 2015-07-21 14:39:34 +00:00
kern_jail.c Move IPv4-specific jail functions to new file netinet/in_jail.c 2016-08-09 02:16:21 +00:00
kern_khelp.c
kern_kthread.c Re-schedule signals after kthread exits, since apparently there are 2016-08-10 13:47:12 +00:00
kern_ktr.c Fix the logic in the ddb command 'show ktr /a'. Prior to r118269 it would 2016-01-31 17:32:20 +00:00
kern_ktrace.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
kern_linker.c kern_linker: Handle module-loading failures in preloaded .ko files 2016-10-13 02:06:23 +00:00
kern_lock.c Microoptimize locking primitives by avoiding unnecessary atomic ops. 2016-06-01 18:32:20 +00:00
kern_lockf.c Fix LINT building. 2016-09-18 07:37:00 +00:00
kern_lockstat.c Consistently use a reader/writer flag for lockstat probes in rwlock(9) and 2015-07-19 22:24:33 +00:00
kern_loginclass.c Speed up rctl operation with large rulesets, by holding the lock 2015-11-15 12:10:51 +00:00
kern_malloc.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
kern_mbuf.c Import the 'iflib' API library for network drivers. From the author: 2016-05-18 04:35:58 +00:00
kern_mib.c Mark a bunch of mpsafe sysctls as such. 2016-10-19 19:42:01 +00:00
kern_module.c Provide better debug message on kernel module name clash. 2015-10-10 09:21:55 +00:00
kern_mtxpool.c sys/kern: spelling fixes in comments. 2016-04-29 22:15:33 +00:00
kern_mutex.c Use a consistent snapshot of the lock state in owner_mtx(). 2016-12-10 02:59:34 +00:00
kern_ntptime.c Fix a bug in r302252. 2016-07-27 11:40:06 +00:00
kern_numa.c Add an initial NUMA affinity/policy configuration for threads and processes. 2015-07-11 15:21:37 +00:00
kern_osd.c osd(9): Change array pointer to array pointer type from void* 2016-04-26 19:57:35 +00:00
kern_physio.c Add four new RCTL resources - readbps, readiops, writebps and writeiops, 2016-04-07 04:23:25 +00:00
kern_pmc.c
kern_poll.c
kern_priv.c
kern_proc.c Export the whole thread name in kinfo_proc 2016-12-07 15:04:22 +00:00
kern_procctl.c Add the foundation copyrights to procctl kernel sources. 2016-09-23 12:32:20 +00:00
kern_prot.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
kern_racct.c Get rid of rctl_lock; use racct_lock where appropriate. The fast paths 2016-04-21 16:22:52 +00:00
kern_rangelock.c
kern_rctl.c sys/kern: spelling fixes in comments. 2016-04-29 22:15:33 +00:00
kern_resource.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
kern_rmlock.c sys/kern: spelling fixes in comments. 2016-04-29 22:15:33 +00:00
kern_rwlock.c locks: fix compilation for KDTRACE_HOOKS && !ADAPTIVE_* case 2016-08-02 03:05:59 +00:00
kern_sdt.c
kern_sema.c
kern_sendfile.c Add flag SF_USER_READAHEAD to sendfile(2). When specified, the syscall won't 2016-11-17 21:36:18 +00:00
kern_sharedpage.c Split kerne timekeep ABI structure vdso_sv_tk out of the struct 2015-11-23 07:09:35 +00:00
kern_shutdown.c Add support for encrypted kernel crash dumps. 2016-12-10 16:20:39 +00:00
kern_sig.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
kern_switch.c
kern_sx.c Return a non-NULL owner only if the lock is exclusively held in owner_sx(). 2016-12-10 02:56:44 +00:00
kern_synch.c Remove remnants of the recursive sleep support. Instead assert that 2016-11-02 20:57:20 +00:00
kern_syscalls.c
kern_sysctl.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
kern_tc.c Implement userspace gettimeofday(2) with HPET timecounter. 2016-08-17 09:52:09 +00:00
kern_thr.c thr_set_name(): silently truncate the given name as needed 2016-12-03 01:14:21 +00:00
kern_thread.c Rewrite subr_sleepqueue.c use of callouts to not depend on the 2016-07-28 09:09:55 +00:00
kern_time.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
kern_timeout.c Permit timed sleeps for threads other than thread0 before timers are working. 2016-11-25 18:02:43 +00:00
kern_umtx.c [mips] make UMTX_CHAINS configurable at compile time. 2016-11-15 01:34:38 +00:00
kern_uuid.c
kern_xxx.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
ksched.c Use P1B_PRIO_MAX to designate max posix priority for the RR/FIFO 2015-08-30 18:02:57 +00:00
link_elf_obj.c sys/kern: spelling fixes in comments. 2016-04-29 22:15:33 +00:00
link_elf.c kern: for pointers replace 0 with NULL. 2016-04-15 16:10:11 +00:00
linker_if.m sys/kern: spelling fixes in comments. 2016-04-29 22:15:33 +00:00
Make.tags.inc Bring the tags and links entries for amd64 up to date. 2015-10-27 22:59:24 +00:00
Makefile Don't create pointless backups of generated files in "make sysent". 2016-07-28 21:29:04 +00:00
makesyscalls.sh makesyscalls.sh: remove trailing space on the "created from" line 2016-10-17 13:52:24 +00:00
md4c.c crypto routines: Hint minimum buffer sizes to the compiler 2016-05-26 19:29:29 +00:00
md5c.c crypto routines: Hint minimum buffer sizes to the compiler 2016-05-26 19:29:29 +00:00
msi_if.m Introduce MSI and MSI-X support to intrng. This adds a new msi device 2016-05-16 09:11:40 +00:00
p1003_1b.c
pic_if.m INTRNG: Rework handling with resources. Partially revert r301453. 2016-08-19 10:52:39 +00:00
posix4_mib.c posix4_mib: Don't overrun facility_initialized array 2016-04-27 00:10:32 +00:00
sched_4bsd.c Allow scheduling during early boot. 2016-11-12 00:23:09 +00:00
sched_ule.c Get rid of struct proc p_sched and struct thread td_sched pointers. 2016-06-05 17:04:03 +00:00
serdev_if.m
stack_protector.c
subr_acl_nfs4.c Expose an interface to determine if an ACE is inherited. 2015-09-04 00:14:20 +00:00
subr_acl_posix1e.c
subr_autoconf.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
subr_blist.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
subr_bufring.c
subr_bus_dma.c Fix a bug introduced in r291716: 2016-01-11 20:38:39 +00:00
subr_bus.c Add two new ddb commands: show device/show all devices 2016-11-13 00:46:11 +00:00
subr_busdma_bufalloc.c Fix printf format to allow for bus_size_t not being u_long on all platforms. 2015-10-20 03:25:17 +00:00
subr_capability.c capsicum: plug spurious memset in __cap_rights_init 2015-12-01 02:48:42 +00:00
subr_clock.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
subr_counter.c Use acquire write to cr_lock to complement with release write at end 2016-12-09 19:07:31 +00:00
subr_devmap.c Include machine/acle-compat.h in cdefs.h on arm if the compiler doesn't 2016-05-25 19:44:26 +00:00
subr_devstat.c Add support for managing Shingled Magnetic Recording (SMR) drives. 2016-05-19 14:08:36 +00:00
subr_disk.c
subr_dummy_vdso_tc.c
subr_eventhandler.c
subr_fattime.c
subr_firmware.c Fix improper use of "its". 2016-11-08 23:59:41 +00:00
subr_gtaskqueue.c Resolve whitespace diff to NextBSD. 2016-10-19 21:01:24 +00:00
subr_hash.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
subr_hints.c
subr_intr.c INTRNG - fix MSI/MSIX release path 2016-10-11 17:00:29 +00:00
subr_kdb.c
subr_kobj.c
subr_lock.c Implement trivial backoff for locking primitives. 2016-08-01 21:48:37 +00:00
subr_log.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
subr_mbpool.c sys/kern: spelling fixes in comments. 2016-04-29 22:15:33 +00:00
subr_mchain.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
subr_module.c preload_search_info: make sure mod is set 2015-08-21 15:57:57 +00:00
subr_msgbuf.c sys/kern: spelling fixes in comments. 2016-04-29 22:15:33 +00:00
subr_param.c Initialize 'ticks' earlier in boot after 'hz' is set. 2016-11-22 01:02:59 +00:00
subr_pcpu.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
subr_pctrie.c sys: extend use of the howmany() macro when available. 2016-04-26 15:38:17 +00:00
subr_power.c
subr_prf.c Include <stdarg.h> instead of <machine/stdarg.h> when compiled as 2016-10-24 18:03:04 +00:00
subr_prof.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
subr_rman.c Add new bus methods for mapping resources. 2016-05-20 17:57:47 +00:00
subr_rtc.c Make resettodr_lock accessible outside subr_rtc.c. Protect 2016-09-21 10:15:08 +00:00
subr_sbuf.c Fail the sbuf if vsnprintf(3) fails. 2015-10-02 09:23:14 +00:00
subr_scanf.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
subr_sfbuf.c
subr_sglist.c Add sglist functions for working with arrays of VM pages. 2016-05-20 23:28:43 +00:00
subr_sleepqueue.c Permit timed sleeps for threads other than thread0 before timers are working. 2016-11-25 18:02:43 +00:00
subr_smp.c Handle broadcast NMIs. 2016-10-24 16:40:27 +00:00
subr_stack.c Add support for a configurable output channel to witness(4). 2015-11-19 05:56:59 +00:00
subr_syscall.c Add PROC_TRAPCAP procctl(2) controls and global sysctl kern.trap_enocap. 2016-09-21 08:23:33 +00:00
subr_taskqueue.c While draining a timeout task prevent the taskqueue_enqueue_timeout() 2016-09-29 10:38:20 +00:00
subr_terminal.c
subr_trap.c The assertion re-added in r302614 was triggered when stopping signal 2016-07-18 10:53:47 +00:00
subr_turnstile.c ddb(4): Add sleepchains to "show allchains" 2016-10-22 18:02:20 +00:00
subr_uio.c In the fueword64(9) wrapper for architectures which do not implemented 2016-10-23 11:23:17 +00:00
subr_unit.c Fix build of kern/subr_unit.c, broken by r300539 2016-05-24 00:14:58 +00:00
subr_vmem.c subr_vmem: Fix double-free in error case of vmem_create 2016-05-11 23:16:11 +00:00
subr_witness.c Fix WITNESS hints for pagequeue locks. 2016-10-29 20:01:48 +00:00
sys_capability.c capsicum: perform copyout without the fildesc lock held in sys_cap_ioctls_get 2016-10-21 16:12:23 +00:00
sys_generic.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
sys_pipe.c Generate syscall tables and update pipe() implementation after r302094. 2016-06-22 21:18:19 +00:00
sys_procdesc.c Hide the boottime and bootimebin globals, provide the getboottime(9) 2016-07-27 11:08:59 +00:00
sys_process.c Don't set P2_PTRACE_FSTP in a process that invokes ptrace(PT_TRACE_ME). 2016-08-19 17:57:14 +00:00
sys_socket.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
syscalls.c Regnerate system-call definitions following r309677 correcting a whitespace 2016-12-07 16:12:27 +00:00
syscalls.master Replace spaces with tabs in definition of SCTP system calls, for consistency 2016-12-07 16:11:55 +00:00
systrace_args.c Regenerate syscall provider argument strings. 2016-09-22 04:50:03 +00:00
sysv_ipc.c
sysv_msg.c Remove a comment that was part of copied code, and is misleading in 2016-06-09 15:34:33 +00:00
sysv_sem.c sys/kern: spelling fixes in comments. 2016-04-29 22:15:33 +00:00
sysv_shm.c Add shmatt_t. 2016-07-26 17:23:49 +00:00
tty_compat.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
tty_info.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
tty_inq.c
tty_outq.c
tty_pts.c sys/kern: spelling fixes in comments. 2016-04-29 22:15:33 +00:00
tty_tty.c tty: replace several curthread->td_proc with stored curproc 2015-07-06 18:53:56 +00:00
tty_ttydisc.c Don't clear the software flow control flag before draining for last 2016-01-26 14:46:39 +00:00
tty.c sys/kern: spelling fixes in comments. 2016-04-29 22:15:33 +00:00
uipc_accf.c Use correct size type in do_setopt_accept_filter 2016-10-12 00:56:49 +00:00
uipc_debug.c Refactor the AIO subsystem to permit file-type-specific handling and 2016-03-01 18:12:14 +00:00
uipc_domain.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
uipc_mbuf2.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
uipc_mbuf.c Fix improper use of "its". 2016-11-08 23:59:41 +00:00
uipc_mbufhash.c
uipc_mqueue.c Initialize reserved bytes in struct mq_attr and its 32compat 2016-11-14 13:20:10 +00:00
uipc_sem.c Clean up some style(9) violations. 2016-04-14 17:07:26 +00:00
uipc_shm.c Remove most of the code for implementing PG_CACHED pages. (This change does 2016-11-15 18:22:50 +00:00
uipc_sockbuf.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
uipc_socket.c Revert r306186 ("Adjust the sopt_val pointer on bigendian systems"). 2016-11-22 18:31:43 +00:00
uipc_syscalls.c Rework r306337. 2016-10-21 18:27:30 +00:00
uipc_usrreq.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
vfs_acl.c
vfs_aio.c Remove duplicated code. 2016-08-17 10:14:22 +00:00
vfs_bio.c Release laundered vnode pages to the head of the inactive queue. 2016-11-23 17:53:07 +00:00
vfs_cache.c cache: ensure that the number of bucket locks does not exceed hash size 2016-11-23 19:50:12 +00:00
vfs_cluster.c Add BUF_TRACKING and FULL_BUF_TRACKING buffer debugging 2016-10-31 23:09:52 +00:00
vfs_default.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
vfs_export.c Fix build when no INET and INET6 in kernel config. 2016-11-17 16:13:30 +00:00
vfs_extattr.c
vfs_hash.c Add vfs_hash_ref(9) function, which finds a vnode by the hash value 2016-05-11 06:32:22 +00:00
vfs_init.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
vfs_lookup.c vfs: provide fake locking primitives for the crossmp vnode 2016-12-02 18:03:15 +00:00
vfs_mount.c Provide simple mutual exclusion between mount point update and unmount. 2016-11-13 21:49:51 +00:00
vfs_mountroot.c Limit scope of the optimization in r306608 to dounmount() caller only. 2016-10-07 11:38:28 +00:00
vfs_subr.c Launder VPO_NOSYNC pages upon vnode deactivation. 2016-11-26 21:00:27 +00:00
vfs_syscalls.c Allow some dotdot lookups in capability mode. 2016-11-02 12:43:15 +00:00
vfs_vnops.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
vnode_if.src Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00