2015-01-07 01:01:39 +00:00
|
|
|
/*-
|
|
|
|
|
* Copyright (c) 2002 Marcel Moolenaar
|
|
|
|
|
* All rights reserved.
|
|
|
|
|
*
|
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
|
* are met:
|
|
|
|
|
*
|
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
|
*
|
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
|
|
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
|
|
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
|
|
|
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
|
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
|
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
|
|
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
|
|
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
|
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
|
|
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <sys/cdefs.h>
|
|
|
|
|
__FBSDID("$FreeBSD$");
|
|
|
|
|
|
|
|
|
|
#include <sys/param.h>
|
|
|
|
|
#include <sys/systm.h>
|
|
|
|
|
#include <sys/conf.h>
|
|
|
|
|
#include <sys/cons.h>
|
Allow minidumps to be performed on the live system
Add a boolean parameter to minidumpsys(), to indicate a live dump. When
requested, take a snapshot of important global state, and pass this to
the machine-dependent minidump function. For now this includes the
kernel message buffer, and the bitset of pages to be dumped. Beyond
this, we don't take much action to protect the integrity of the dump
from changes in the running system.
A new function msgbuf_duplicate() is added for snapshotting the message
buffer. msgbuf_copy() is insufficient for this purpose since it marks
any new characters it finds as read.
For now, nothing can actually trigger a live minidump. A future patch
will add the mechanism for this. For simplicity and safety, live dumps
are disallowed for mips.
Reviewed by: markj, jhb
MFC after: 2 weeks
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D31993
2021-11-17 15:35:59 +00:00
|
|
|
#include <sys/kdb.h>
|
2015-01-07 01:01:39 +00:00
|
|
|
#include <sys/kernel.h>
|
|
|
|
|
#include <sys/kerneldump.h>
|
Allow minidumps to be performed on the live system
Add a boolean parameter to minidumpsys(), to indicate a live dump. When
requested, take a snapshot of important global state, and pass this to
the machine-dependent minidump function. For now this includes the
kernel message buffer, and the bitset of pages to be dumped. Beyond
this, we don't take much action to protect the integrity of the dump
from changes in the running system.
A new function msgbuf_duplicate() is added for snapshotting the message
buffer. msgbuf_copy() is insufficient for this purpose since it marks
any new characters it finds as read.
For now, nothing can actually trigger a live minidump. A future patch
will add the mechanism for this. For simplicity and safety, live dumps
are disallowed for mips.
Reviewed by: markj, jhb
MFC after: 2 weeks
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D31993
2021-11-17 15:35:59 +00:00
|
|
|
#include <sys/malloc.h>
|
minidump: Parameterize minidumpsys()
The minidump code is written assuming that certain global state will not
change, and rightly so, since it executes from a kernel debugger
context. In order to support taking minidumps of a live system, we
should allow copies of relevant global state that is likely to change to
be passed as parameters to the minidumpsys() function.
This patch does the work of parameterizing this function, by adding a
struct minidumpstate argument. For now, this struct allows for copies of
the kernel message buffer, and the bitset that tracks which pages should
be dumped (vm_page_dump). Follow-up changes will actually make use of
these arguments.
Notably, dump_avail[] does not need a snapshot, since it is not expected
to change after system initialization.
The existing minidumpsys() definitions are renamed, and a thin MI
wrapper is added to kern_dump.c, which handles the construction of
the state struct. Thus, calling minidumpsys() remains as simple as
before.
Reviewed by: kib, markj, jhb
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D31989
2021-11-17 15:26:59 +00:00
|
|
|
#include <sys/msgbuf.h>
|
|
|
|
|
#include <sys/proc.h>
|
2015-01-07 01:01:39 +00:00
|
|
|
#include <sys/watchdog.h>
|
minidump: Parameterize minidumpsys()
The minidump code is written assuming that certain global state will not
change, and rightly so, since it executes from a kernel debugger
context. In order to support taking minidumps of a live system, we
should allow copies of relevant global state that is likely to change to
be passed as parameters to the minidumpsys() function.
This patch does the work of parameterizing this function, by adding a
struct minidumpstate argument. For now, this struct allows for copies of
the kernel message buffer, and the bitset that tracks which pages should
be dumped (vm_page_dump). Follow-up changes will actually make use of
these arguments.
Notably, dump_avail[] does not need a snapshot, since it is not expected
to change after system initialization.
The existing minidumpsys() definitions are renamed, and a thin MI
wrapper is added to kern_dump.c, which handles the construction of
the state struct. Thus, calling minidumpsys() remains as simple as
before.
Reviewed by: kib, markj, jhb
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D31989
2021-11-17 15:26:59 +00:00
|
|
|
|
2015-01-07 01:01:39 +00:00
|
|
|
#include <vm/vm.h>
|
|
|
|
|
#include <vm/vm_param.h>
|
2019-08-16 00:45:14 +00:00
|
|
|
#include <vm/vm_page.h>
|
|
|
|
|
#include <vm/vm_phys.h>
|
2020-10-14 22:51:40 +00:00
|
|
|
#include <vm/vm_dumpset.h>
|
2015-01-07 01:01:39 +00:00
|
|
|
#include <vm/pmap.h>
|
minidump: Parameterize minidumpsys()
The minidump code is written assuming that certain global state will not
change, and rightly so, since it executes from a kernel debugger
context. In order to support taking minidumps of a live system, we
should allow copies of relevant global state that is likely to change to
be passed as parameters to the minidumpsys() function.
This patch does the work of parameterizing this function, by adding a
struct minidumpstate argument. For now, this struct allows for copies of
the kernel message buffer, and the bitset that tracks which pages should
be dumped (vm_page_dump). Follow-up changes will actually make use of
these arguments.
Notably, dump_avail[] does not need a snapshot, since it is not expected
to change after system initialization.
The existing minidumpsys() definitions are renamed, and a thin MI
wrapper is added to kern_dump.c, which handles the construction of
the state struct. Thus, calling minidumpsys() remains as simple as
before.
Reviewed by: kib, markj, jhb
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D31989
2021-11-17 15:26:59 +00:00
|
|
|
|
2015-01-07 01:01:39 +00:00
|
|
|
#include <machine/dump.h>
|
|
|
|
|
#include <machine/elf.h>
|
|
|
|
|
#include <machine/md_var.h>
|
|
|
|
|
#include <machine/pcb.h>
|
|
|
|
|
|
|
|
|
|
CTASSERT(sizeof(struct kerneldumpheader) == 512);
|
|
|
|
|
|
2016-04-15 17:45:12 +00:00
|
|
|
#define MD_ALIGN(x) roundup2((off_t)(x), PAGE_SIZE)
|
2015-01-07 01:01:39 +00:00
|
|
|
|
|
|
|
|
/* Handle buffered writes. */
|
|
|
|
|
static size_t fragsz;
|
|
|
|
|
|
|
|
|
|
struct dump_pa dump_map[DUMPSYS_MD_PA_NPAIRS];
|
|
|
|
|
|
2020-07-28 10:58:37 +00:00
|
|
|
#if !defined(__powerpc__)
|
2015-01-07 01:01:39 +00:00
|
|
|
void
|
|
|
|
|
dumpsys_gen_pa_init(void)
|
|
|
|
|
{
|
|
|
|
|
int n, idx;
|
|
|
|
|
|
|
|
|
|
bzero(dump_map, sizeof(dump_map));
|
2016-04-19 23:48:27 +00:00
|
|
|
for (n = 0; n < nitems(dump_map); n++) {
|
2015-01-07 01:01:39 +00:00
|
|
|
idx = n * 2;
|
|
|
|
|
if (dump_avail[idx] == 0 && dump_avail[idx + 1] == 0)
|
|
|
|
|
break;
|
|
|
|
|
dump_map[n].pa_start = dump_avail[idx];
|
|
|
|
|
dump_map[n].pa_size = dump_avail[idx + 1] - dump_avail[idx];
|
|
|
|
|
}
|
|
|
|
|
}
|
2015-11-16 23:02:33 +00:00
|
|
|
#endif
|
2015-01-07 01:01:39 +00:00
|
|
|
|
|
|
|
|
struct dump_pa *
|
|
|
|
|
dumpsys_gen_pa_next(struct dump_pa *mdp)
|
|
|
|
|
{
|
|
|
|
|
|
|
|
|
|
if (mdp == NULL)
|
|
|
|
|
return (&dump_map[0]);
|
|
|
|
|
|
|
|
|
|
mdp++;
|
|
|
|
|
if (mdp->pa_size == 0)
|
|
|
|
|
mdp = NULL;
|
|
|
|
|
return (mdp);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
dumpsys_gen_wbinv_all(void)
|
|
|
|
|
{
|
2015-11-16 23:02:33 +00:00
|
|
|
|
2015-01-07 01:01:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
dumpsys_gen_unmap_chunk(vm_paddr_t pa __unused, size_t chunk __unused,
|
|
|
|
|
void *va __unused)
|
|
|
|
|
{
|
2015-11-16 23:02:33 +00:00
|
|
|
|
2015-01-07 01:01:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int
|
|
|
|
|
dumpsys_gen_write_aux_headers(struct dumperinfo *di)
|
|
|
|
|
{
|
|
|
|
|
|
|
|
|
|
return (0);
|
|
|
|
|
}
|
|
|
|
|
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
int
|
|
|
|
|
dumpsys_buf_seek(struct dumperinfo *di, size_t sz)
|
|
|
|
|
{
|
|
|
|
|
static uint8_t buf[DEV_BSIZE];
|
|
|
|
|
size_t nbytes;
|
|
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
bzero(buf, sizeof(buf));
|
|
|
|
|
|
|
|
|
|
while (sz > 0) {
|
|
|
|
|
nbytes = MIN(sz, sizeof(buf));
|
|
|
|
|
|
2022-05-13 13:40:05 +00:00
|
|
|
error = dump_append(di, buf, nbytes);
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
if (error)
|
|
|
|
|
return (error);
|
|
|
|
|
sz -= nbytes;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return (0);
|
|
|
|
|
}
|
|
|
|
|
|
2015-01-07 01:01:39 +00:00
|
|
|
int
|
|
|
|
|
dumpsys_buf_write(struct dumperinfo *di, char *ptr, size_t sz)
|
|
|
|
|
{
|
|
|
|
|
size_t len;
|
|
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
while (sz) {
|
2016-04-15 17:45:12 +00:00
|
|
|
len = di->blocksize - fragsz;
|
2015-01-07 01:01:39 +00:00
|
|
|
if (len > sz)
|
|
|
|
|
len = sz;
|
2016-04-15 17:45:12 +00:00
|
|
|
memcpy((char *)di->blockbuf + fragsz, ptr, len);
|
2015-01-07 01:01:39 +00:00
|
|
|
fragsz += len;
|
|
|
|
|
ptr += len;
|
|
|
|
|
sz -= len;
|
2016-04-15 17:45:12 +00:00
|
|
|
if (fragsz == di->blocksize) {
|
2022-05-13 13:40:05 +00:00
|
|
|
error = dump_append(di, di->blockbuf, di->blocksize);
|
2015-01-07 01:01:39 +00:00
|
|
|
if (error)
|
|
|
|
|
return (error);
|
|
|
|
|
fragsz = 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return (0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int
|
|
|
|
|
dumpsys_buf_flush(struct dumperinfo *di)
|
|
|
|
|
{
|
|
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
if (fragsz == 0)
|
|
|
|
|
return (0);
|
|
|
|
|
|
2022-05-13 13:40:05 +00:00
|
|
|
error = dump_append(di, di->blockbuf, di->blocksize);
|
2015-01-07 01:01:39 +00:00
|
|
|
fragsz = 0;
|
|
|
|
|
return (error);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
CTASSERT(PAGE_SHIFT < 20);
|
|
|
|
|
#define PG2MB(pgs) ((pgs + (1 << (20 - PAGE_SHIFT)) - 1) >> (20 - PAGE_SHIFT))
|
|
|
|
|
|
|
|
|
|
int
|
|
|
|
|
dumpsys_cb_dumpdata(struct dump_pa *mdp, int seqnr, void *arg)
|
|
|
|
|
{
|
|
|
|
|
struct dumperinfo *di = (struct dumperinfo*)arg;
|
|
|
|
|
vm_paddr_t pa;
|
|
|
|
|
void *va;
|
|
|
|
|
uint64_t pgs;
|
|
|
|
|
size_t counter, sz, chunk;
|
|
|
|
|
int c, error;
|
|
|
|
|
u_int maxdumppgs;
|
|
|
|
|
|
|
|
|
|
error = 0; /* catch case in which chunk size is 0 */
|
|
|
|
|
counter = 0; /* Update twiddle every 16MB */
|
2016-04-15 16:10:11 +00:00
|
|
|
va = NULL;
|
2015-01-07 01:01:39 +00:00
|
|
|
pgs = mdp->pa_size / PAGE_SIZE;
|
|
|
|
|
pa = mdp->pa_start;
|
|
|
|
|
maxdumppgs = min(di->maxiosize / PAGE_SIZE, MAXDUMPPGS);
|
|
|
|
|
if (maxdumppgs == 0) /* seatbelt */
|
|
|
|
|
maxdumppgs = 1;
|
|
|
|
|
|
|
|
|
|
printf(" chunk %d: %juMB (%ju pages)", seqnr, (uintmax_t)PG2MB(pgs),
|
|
|
|
|
(uintmax_t)pgs);
|
|
|
|
|
|
|
|
|
|
dumpsys_wbinv_all();
|
|
|
|
|
while (pgs) {
|
|
|
|
|
chunk = pgs;
|
|
|
|
|
if (chunk > maxdumppgs)
|
|
|
|
|
chunk = maxdumppgs;
|
|
|
|
|
sz = chunk << PAGE_SHIFT;
|
|
|
|
|
counter += sz;
|
|
|
|
|
if (counter >> 24) {
|
|
|
|
|
printf(" %ju", (uintmax_t)PG2MB(pgs));
|
|
|
|
|
counter &= (1 << 24) - 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dumpsys_map_chunk(pa, chunk, &va);
|
|
|
|
|
wdog_kern_pat(WD_LASTVAL);
|
|
|
|
|
|
2022-05-13 13:40:05 +00:00
|
|
|
error = dump_append(di, va, sz);
|
2015-01-07 01:01:39 +00:00
|
|
|
dumpsys_unmap_chunk(pa, chunk, va);
|
|
|
|
|
if (error)
|
|
|
|
|
break;
|
|
|
|
|
pgs -= chunk;
|
|
|
|
|
pa += sz;
|
|
|
|
|
|
|
|
|
|
/* Check for user abort. */
|
|
|
|
|
c = cncheckc();
|
|
|
|
|
if (c == 0x03)
|
|
|
|
|
return (ECANCELED);
|
|
|
|
|
if (c != -1)
|
|
|
|
|
printf(" (CTRL-C to abort) ");
|
|
|
|
|
}
|
|
|
|
|
printf(" ... %s\n", (error) ? "fail" : "ok");
|
|
|
|
|
return (error);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int
|
|
|
|
|
dumpsys_foreach_chunk(dumpsys_callback_t cb, void *arg)
|
|
|
|
|
{
|
|
|
|
|
struct dump_pa *mdp;
|
|
|
|
|
int error, seqnr;
|
|
|
|
|
|
|
|
|
|
seqnr = 0;
|
|
|
|
|
mdp = dumpsys_pa_next(NULL);
|
|
|
|
|
while (mdp != NULL) {
|
|
|
|
|
error = (*cb)(mdp, seqnr++, arg);
|
|
|
|
|
if (error)
|
|
|
|
|
return (-error);
|
|
|
|
|
mdp = dumpsys_pa_next(mdp);
|
|
|
|
|
}
|
|
|
|
|
return (seqnr);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static off_t fileofs;
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
cb_dumphdr(struct dump_pa *mdp, int seqnr, void *arg)
|
|
|
|
|
{
|
|
|
|
|
struct dumperinfo *di = (struct dumperinfo*)arg;
|
|
|
|
|
Elf_Phdr phdr;
|
|
|
|
|
uint64_t size;
|
|
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
size = mdp->pa_size;
|
|
|
|
|
bzero(&phdr, sizeof(phdr));
|
|
|
|
|
phdr.p_type = PT_LOAD;
|
|
|
|
|
phdr.p_flags = PF_R; /* XXX */
|
|
|
|
|
phdr.p_offset = fileofs;
|
|
|
|
|
#ifdef __powerpc__
|
|
|
|
|
phdr.p_vaddr = (do_minidump? mdp->pa_start : ~0L);
|
|
|
|
|
phdr.p_paddr = (do_minidump? ~0L : mdp->pa_start);
|
|
|
|
|
#else
|
|
|
|
|
phdr.p_vaddr = mdp->pa_start;
|
|
|
|
|
phdr.p_paddr = mdp->pa_start;
|
|
|
|
|
#endif
|
|
|
|
|
phdr.p_filesz = size;
|
|
|
|
|
phdr.p_memsz = size;
|
|
|
|
|
phdr.p_align = PAGE_SIZE;
|
|
|
|
|
|
|
|
|
|
error = dumpsys_buf_write(di, (char*)&phdr, sizeof(phdr));
|
|
|
|
|
fileofs += phdr.p_filesz;
|
|
|
|
|
return (error);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
cb_size(struct dump_pa *mdp, int seqnr, void *arg)
|
|
|
|
|
{
|
|
|
|
|
uint64_t *sz;
|
|
|
|
|
|
|
|
|
|
sz = (uint64_t *)arg;
|
|
|
|
|
*sz += (uint64_t)mdp->pa_size;
|
|
|
|
|
return (0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int
|
|
|
|
|
dumpsys_generic(struct dumperinfo *di)
|
|
|
|
|
{
|
|
|
|
|
static struct kerneldumpheader kdh;
|
|
|
|
|
Elf_Ehdr ehdr;
|
|
|
|
|
uint64_t dumpsize;
|
|
|
|
|
off_t hdrgap;
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
size_t hdrsz;
|
2015-01-07 01:01:39 +00:00
|
|
|
int error;
|
|
|
|
|
|
2020-12-03 17:12:31 +00:00
|
|
|
#if MINIDUMP_PAGE_TRACKING == 1
|
2015-01-07 01:01:39 +00:00
|
|
|
if (do_minidump)
|
Allow minidumps to be performed on the live system
Add a boolean parameter to minidumpsys(), to indicate a live dump. When
requested, take a snapshot of important global state, and pass this to
the machine-dependent minidump function. For now this includes the
kernel message buffer, and the bitset of pages to be dumped. Beyond
this, we don't take much action to protect the integrity of the dump
from changes in the running system.
A new function msgbuf_duplicate() is added for snapshotting the message
buffer. msgbuf_copy() is insufficient for this purpose since it marks
any new characters it finds as read.
For now, nothing can actually trigger a live minidump. A future patch
will add the mechanism for this. For simplicity and safety, live dumps
are disallowed for mips.
Reviewed by: markj, jhb
MFC after: 2 weeks
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D31993
2021-11-17 15:35:59 +00:00
|
|
|
return (minidumpsys(di, false));
|
2015-01-07 01:01:39 +00:00
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
bzero(&ehdr, sizeof(ehdr));
|
|
|
|
|
ehdr.e_ident[EI_MAG0] = ELFMAG0;
|
|
|
|
|
ehdr.e_ident[EI_MAG1] = ELFMAG1;
|
|
|
|
|
ehdr.e_ident[EI_MAG2] = ELFMAG2;
|
|
|
|
|
ehdr.e_ident[EI_MAG3] = ELFMAG3;
|
|
|
|
|
ehdr.e_ident[EI_CLASS] = ELF_CLASS;
|
|
|
|
|
#if BYTE_ORDER == LITTLE_ENDIAN
|
|
|
|
|
ehdr.e_ident[EI_DATA] = ELFDATA2LSB;
|
|
|
|
|
#else
|
|
|
|
|
ehdr.e_ident[EI_DATA] = ELFDATA2MSB;
|
|
|
|
|
#endif
|
|
|
|
|
ehdr.e_ident[EI_VERSION] = EV_CURRENT;
|
|
|
|
|
ehdr.e_ident[EI_OSABI] = ELFOSABI_STANDALONE; /* XXX big picture? */
|
|
|
|
|
ehdr.e_type = ET_CORE;
|
|
|
|
|
ehdr.e_machine = EM_VALUE;
|
|
|
|
|
ehdr.e_phoff = sizeof(ehdr);
|
|
|
|
|
ehdr.e_flags = 0;
|
|
|
|
|
ehdr.e_ehsize = sizeof(ehdr);
|
|
|
|
|
ehdr.e_phentsize = sizeof(Elf_Phdr);
|
|
|
|
|
ehdr.e_shentsize = sizeof(Elf_Shdr);
|
|
|
|
|
|
|
|
|
|
dumpsys_pa_init();
|
|
|
|
|
|
|
|
|
|
/* Calculate dump size. */
|
|
|
|
|
dumpsize = 0L;
|
|
|
|
|
ehdr.e_phnum = dumpsys_foreach_chunk(cb_size, &dumpsize) +
|
|
|
|
|
DUMPSYS_NUM_AUX_HDRS;
|
|
|
|
|
hdrsz = ehdr.e_phoff + ehdr.e_phnum * ehdr.e_phentsize;
|
|
|
|
|
fileofs = MD_ALIGN(hdrsz);
|
|
|
|
|
dumpsize += fileofs;
|
2016-04-15 17:45:12 +00:00
|
|
|
hdrgap = fileofs - roundup2((off_t)hdrsz, di->blocksize);
|
2015-01-07 01:01:39 +00:00
|
|
|
|
2017-08-18 04:04:09 +00:00
|
|
|
dump_init_header(di, &kdh, KERNELDUMPMAGIC, KERNELDUMP_ARCH_VERSION,
|
|
|
|
|
dumpsize);
|
2015-01-07 01:01:39 +00:00
|
|
|
|
2017-10-18 15:38:05 +00:00
|
|
|
error = dump_start(di, &kdh);
|
2017-08-18 03:52:35 +00:00
|
|
|
if (error != 0)
|
2015-01-07 01:01:39 +00:00
|
|
|
goto fail;
|
|
|
|
|
|
2018-05-01 17:32:43 +00:00
|
|
|
printf("Dumping %ju MB (%d chunks)\n", (uintmax_t)dumpsize >> 20,
|
|
|
|
|
ehdr.e_phnum - DUMPSYS_NUM_AUX_HDRS);
|
|
|
|
|
|
2015-01-07 01:01:39 +00:00
|
|
|
/* Dump ELF header */
|
|
|
|
|
error = dumpsys_buf_write(di, (char*)&ehdr, sizeof(ehdr));
|
|
|
|
|
if (error)
|
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
|
|
/* Dump program headers */
|
|
|
|
|
error = dumpsys_foreach_chunk(cb_dumphdr, di);
|
|
|
|
|
if (error < 0)
|
|
|
|
|
goto fail;
|
|
|
|
|
error = dumpsys_write_aux_headers(di);
|
|
|
|
|
if (error < 0)
|
|
|
|
|
goto fail;
|
|
|
|
|
dumpsys_buf_flush(di);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* All headers are written using blocked I/O, so we know the
|
|
|
|
|
* current offset is (still) block aligned. Skip the alignement
|
|
|
|
|
* in the file to have the segment contents aligned at page
|
2017-10-18 15:38:05 +00:00
|
|
|
* boundary.
|
2015-01-07 01:01:39 +00:00
|
|
|
*/
|
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.
A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.
dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable. Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.
When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore
A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.
Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.
savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.
decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.
Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.
EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.
Designed by: def, pjd
Reviewed by: cem, oshogbo, pjd
Partial review: delphij, emaste, jhb, kib
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
|
|
|
error = dumpsys_buf_seek(di, (size_t)hdrgap);
|
|
|
|
|
if (error)
|
|
|
|
|
goto fail;
|
2015-01-07 01:01:39 +00:00
|
|
|
|
2017-10-18 15:38:05 +00:00
|
|
|
/* Dump memory chunks. */
|
2015-01-07 01:01:39 +00:00
|
|
|
error = dumpsys_foreach_chunk(dumpsys_cb_dumpdata, di);
|
|
|
|
|
if (error < 0)
|
|
|
|
|
goto fail;
|
|
|
|
|
|
2017-10-18 15:38:05 +00:00
|
|
|
error = dump_finish(di, &kdh);
|
2017-08-18 03:52:35 +00:00
|
|
|
if (error != 0)
|
2015-01-07 01:01:39 +00:00
|
|
|
goto fail;
|
|
|
|
|
|
|
|
|
|
printf("\nDump complete\n");
|
|
|
|
|
return (0);
|
|
|
|
|
|
|
|
|
|
fail:
|
|
|
|
|
if (error < 0)
|
|
|
|
|
error = -error;
|
|
|
|
|
|
|
|
|
|
if (error == ECANCELED)
|
|
|
|
|
printf("\nDump aborted\n");
|
2017-08-18 03:52:35 +00:00
|
|
|
else if (error == E2BIG || error == ENOSPC)
|
2015-01-07 01:01:39 +00:00
|
|
|
printf("\nDump failed. Partition too small.\n");
|
|
|
|
|
else
|
|
|
|
|
printf("\n** DUMP FAILED (ERROR %d) **\n", error);
|
|
|
|
|
return (error);
|
|
|
|
|
}
|
2021-09-29 17:44:27 +00:00
|
|
|
|
minidump: Parameterize minidumpsys()
The minidump code is written assuming that certain global state will not
change, and rightly so, since it executes from a kernel debugger
context. In order to support taking minidumps of a live system, we
should allow copies of relevant global state that is likely to change to
be passed as parameters to the minidumpsys() function.
This patch does the work of parameterizing this function, by adding a
struct minidumpstate argument. For now, this struct allows for copies of
the kernel message buffer, and the bitset that tracks which pages should
be dumped (vm_page_dump). Follow-up changes will actually make use of
these arguments.
Notably, dump_avail[] does not need a snapshot, since it is not expected
to change after system initialization.
The existing minidumpsys() definitions are renamed, and a thin MI
wrapper is added to kern_dump.c, which handles the construction of
the state struct. Thus, calling minidumpsys() remains as simple as
before.
Reviewed by: kib, markj, jhb
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D31989
2021-11-17 15:26:59 +00:00
|
|
|
#if MINIDUMP_PAGE_TRACKING == 1
|
|
|
|
|
|
2021-09-29 17:44:27 +00:00
|
|
|
/* Minidump progress bar */
|
|
|
|
|
static struct {
|
|
|
|
|
const int min_per;
|
|
|
|
|
const int max_per;
|
|
|
|
|
bool visited;
|
|
|
|
|
} progress_track[10] = {
|
|
|
|
|
{ 0, 10, false},
|
|
|
|
|
{ 10, 20, false},
|
|
|
|
|
{ 20, 30, false},
|
|
|
|
|
{ 30, 40, false},
|
|
|
|
|
{ 40, 50, false},
|
|
|
|
|
{ 50, 60, false},
|
|
|
|
|
{ 60, 70, false},
|
|
|
|
|
{ 70, 80, false},
|
|
|
|
|
{ 80, 90, false},
|
|
|
|
|
{ 90, 100, false}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static uint64_t dumpsys_pb_size;
|
|
|
|
|
static uint64_t dumpsys_pb_remaining;
|
|
|
|
|
static uint64_t dumpsys_pb_check;
|
|
|
|
|
|
|
|
|
|
/* Reset the progress bar for a dump of dumpsize. */
|
|
|
|
|
void
|
|
|
|
|
dumpsys_pb_init(uint64_t dumpsize)
|
|
|
|
|
{
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
dumpsys_pb_size = dumpsys_pb_remaining = dumpsize;
|
|
|
|
|
dumpsys_pb_check = 0;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < nitems(progress_track); i++)
|
|
|
|
|
progress_track[i].visited = false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Update the progress according to the delta bytes that were written out.
|
|
|
|
|
* Check and print the progress percentage.
|
|
|
|
|
*/
|
|
|
|
|
void
|
|
|
|
|
dumpsys_pb_progress(size_t delta)
|
|
|
|
|
{
|
|
|
|
|
int sofar, i;
|
|
|
|
|
|
|
|
|
|
dumpsys_pb_remaining -= delta;
|
|
|
|
|
dumpsys_pb_check += delta;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* To save time while dumping, only loop through progress_track
|
|
|
|
|
* occasionally.
|
|
|
|
|
*/
|
|
|
|
|
if ((dumpsys_pb_check >> DUMPSYS_PB_CHECK_BITS) == 0)
|
|
|
|
|
return;
|
|
|
|
|
else
|
|
|
|
|
dumpsys_pb_check &= (1 << DUMPSYS_PB_CHECK_BITS) - 1;
|
|
|
|
|
|
|
|
|
|
sofar = 100 - ((dumpsys_pb_remaining * 100) / dumpsys_pb_size);
|
|
|
|
|
for (i = 0; i < nitems(progress_track); i++) {
|
|
|
|
|
if (sofar < progress_track[i].min_per ||
|
|
|
|
|
sofar > progress_track[i].max_per)
|
|
|
|
|
continue;
|
|
|
|
|
if (!progress_track[i].visited) {
|
|
|
|
|
progress_track[i].visited = true;
|
|
|
|
|
printf("..%d%%", sofar);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
minidump: Parameterize minidumpsys()
The minidump code is written assuming that certain global state will not
change, and rightly so, since it executes from a kernel debugger
context. In order to support taking minidumps of a live system, we
should allow copies of relevant global state that is likely to change to
be passed as parameters to the minidumpsys() function.
This patch does the work of parameterizing this function, by adding a
struct minidumpstate argument. For now, this struct allows for copies of
the kernel message buffer, and the bitset that tracks which pages should
be dumped (vm_page_dump). Follow-up changes will actually make use of
these arguments.
Notably, dump_avail[] does not need a snapshot, since it is not expected
to change after system initialization.
The existing minidumpsys() definitions are renamed, and a thin MI
wrapper is added to kern_dump.c, which handles the construction of
the state struct. Thus, calling minidumpsys() remains as simple as
before.
Reviewed by: kib, markj, jhb
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D31989
2021-11-17 15:26:59 +00:00
|
|
|
|
|
|
|
|
int
|
Allow minidumps to be performed on the live system
Add a boolean parameter to minidumpsys(), to indicate a live dump. When
requested, take a snapshot of important global state, and pass this to
the machine-dependent minidump function. For now this includes the
kernel message buffer, and the bitset of pages to be dumped. Beyond
this, we don't take much action to protect the integrity of the dump
from changes in the running system.
A new function msgbuf_duplicate() is added for snapshotting the message
buffer. msgbuf_copy() is insufficient for this purpose since it marks
any new characters it finds as read.
For now, nothing can actually trigger a live minidump. A future patch
will add the mechanism for this. For simplicity and safety, live dumps
are disallowed for mips.
Reviewed by: markj, jhb
MFC after: 2 weeks
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D31993
2021-11-17 15:35:59 +00:00
|
|
|
minidumpsys(struct dumperinfo *di, bool livedump)
|
minidump: Parameterize minidumpsys()
The minidump code is written assuming that certain global state will not
change, and rightly so, since it executes from a kernel debugger
context. In order to support taking minidumps of a live system, we
should allow copies of relevant global state that is likely to change to
be passed as parameters to the minidumpsys() function.
This patch does the work of parameterizing this function, by adding a
struct minidumpstate argument. For now, this struct allows for copies of
the kernel message buffer, and the bitset that tracks which pages should
be dumped (vm_page_dump). Follow-up changes will actually make use of
these arguments.
Notably, dump_avail[] does not need a snapshot, since it is not expected
to change after system initialization.
The existing minidumpsys() definitions are renamed, and a thin MI
wrapper is added to kern_dump.c, which handles the construction of
the state struct. Thus, calling minidumpsys() remains as simple as
before.
Reviewed by: kib, markj, jhb
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D31989
2021-11-17 15:26:59 +00:00
|
|
|
{
|
|
|
|
|
struct minidumpstate state;
|
Allow minidumps to be performed on the live system
Add a boolean parameter to minidumpsys(), to indicate a live dump. When
requested, take a snapshot of important global state, and pass this to
the machine-dependent minidump function. For now this includes the
kernel message buffer, and the bitset of pages to be dumped. Beyond
this, we don't take much action to protect the integrity of the dump
from changes in the running system.
A new function msgbuf_duplicate() is added for snapshotting the message
buffer. msgbuf_copy() is insufficient for this purpose since it marks
any new characters it finds as read.
For now, nothing can actually trigger a live minidump. A future patch
will add the mechanism for this. For simplicity and safety, live dumps
are disallowed for mips.
Reviewed by: markj, jhb
MFC after: 2 weeks
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D31993
2021-11-17 15:35:59 +00:00
|
|
|
struct msgbuf mb_copy;
|
|
|
|
|
char *msg_ptr;
|
|
|
|
|
size_t sz;
|
minidump: Parameterize minidumpsys()
The minidump code is written assuming that certain global state will not
change, and rightly so, since it executes from a kernel debugger
context. In order to support taking minidumps of a live system, we
should allow copies of relevant global state that is likely to change to
be passed as parameters to the minidumpsys() function.
This patch does the work of parameterizing this function, by adding a
struct minidumpstate argument. For now, this struct allows for copies of
the kernel message buffer, and the bitset that tracks which pages should
be dumped (vm_page_dump). Follow-up changes will actually make use of
these arguments.
Notably, dump_avail[] does not need a snapshot, since it is not expected
to change after system initialization.
The existing minidumpsys() definitions are renamed, and a thin MI
wrapper is added to kern_dump.c, which handles the construction of
the state struct. Thus, calling minidumpsys() remains as simple as
before.
Reviewed by: kib, markj, jhb
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D31989
2021-11-17 15:26:59 +00:00
|
|
|
int error;
|
|
|
|
|
|
Allow minidumps to be performed on the live system
Add a boolean parameter to minidumpsys(), to indicate a live dump. When
requested, take a snapshot of important global state, and pass this to
the machine-dependent minidump function. For now this includes the
kernel message buffer, and the bitset of pages to be dumped. Beyond
this, we don't take much action to protect the integrity of the dump
from changes in the running system.
A new function msgbuf_duplicate() is added for snapshotting the message
buffer. msgbuf_copy() is insufficient for this purpose since it marks
any new characters it finds as read.
For now, nothing can actually trigger a live minidump. A future patch
will add the mechanism for this. For simplicity and safety, live dumps
are disallowed for mips.
Reviewed by: markj, jhb
MFC after: 2 weeks
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D31993
2021-11-17 15:35:59 +00:00
|
|
|
if (livedump) {
|
|
|
|
|
KASSERT(!dumping, ("live dump invoked from incorrect context"));
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Before invoking cpu_minidumpsys() on the live system, we
|
|
|
|
|
* must snapshot some required global state: the message
|
|
|
|
|
* buffer, and the page dump bitset. They may be modified at
|
|
|
|
|
* any moment, so for the sake of the live dump it is best to
|
|
|
|
|
* have an unchanging snapshot to work with. Both are included
|
|
|
|
|
* as part of the dump and consumed by userspace tools.
|
|
|
|
|
*
|
|
|
|
|
* Other global state important to the minidump code is the
|
|
|
|
|
* dump_avail array and the kernel's page tables, but snapshots
|
|
|
|
|
* are not taken of these. For one, dump_avail[] is expected
|
|
|
|
|
* not to change after boot. Snapshotting the kernel page
|
|
|
|
|
* tables would involve an additional walk, so this is avoided
|
|
|
|
|
* too.
|
|
|
|
|
*
|
|
|
|
|
* This means live dumps are best effort, and the result may or
|
|
|
|
|
* may not be usable; there are no guarantees about the
|
|
|
|
|
* consistency of the dump's contents. Any of the following
|
|
|
|
|
* (and likely more) may affect the live dump:
|
|
|
|
|
*
|
|
|
|
|
* - Data may be modified, freed, or remapped during the
|
|
|
|
|
* course of the dump, such that the contents written out
|
|
|
|
|
* are partially or entirely unrecognizable. This means
|
|
|
|
|
* valid references may point to destroyed/mangled objects,
|
|
|
|
|
* and vice versa.
|
|
|
|
|
*
|
|
|
|
|
* - The dumped context of any threads that ran during the
|
|
|
|
|
* dump process may be unreliable.
|
|
|
|
|
*
|
|
|
|
|
* - The set of kernel page tables included in the dump likely
|
|
|
|
|
* won't correspond exactly to the copy of the dump bitset.
|
|
|
|
|
* This means some pages will be dumped without any way to
|
|
|
|
|
* locate them, and some pages may not have been dumped
|
|
|
|
|
* despite appearing as if they should.
|
|
|
|
|
*/
|
|
|
|
|
msg_ptr = malloc(msgbufsize, M_TEMP, M_WAITOK);
|
|
|
|
|
msgbuf_duplicate(msgbufp, &mb_copy, msg_ptr);
|
|
|
|
|
state.msgbufp = &mb_copy;
|
|
|
|
|
|
|
|
|
|
sz = BITSET_SIZE(vm_page_dump_pages);
|
|
|
|
|
state.dump_bitset = malloc(sz, M_TEMP, M_WAITOK);
|
|
|
|
|
BIT_COPY_STORE_REL(sz, vm_page_dump, state.dump_bitset);
|
|
|
|
|
} else {
|
|
|
|
|
KASSERT(dumping, ("minidump invoked outside of doadump()"));
|
|
|
|
|
|
|
|
|
|
/* Use the globals. */
|
|
|
|
|
state.msgbufp = msgbufp;
|
|
|
|
|
state.dump_bitset = vm_page_dump;
|
|
|
|
|
}
|
minidump: Parameterize minidumpsys()
The minidump code is written assuming that certain global state will not
change, and rightly so, since it executes from a kernel debugger
context. In order to support taking minidumps of a live system, we
should allow copies of relevant global state that is likely to change to
be passed as parameters to the minidumpsys() function.
This patch does the work of parameterizing this function, by adding a
struct minidumpstate argument. For now, this struct allows for copies of
the kernel message buffer, and the bitset that tracks which pages should
be dumped (vm_page_dump). Follow-up changes will actually make use of
these arguments.
Notably, dump_avail[] does not need a snapshot, since it is not expected
to change after system initialization.
The existing minidumpsys() definitions are renamed, and a thin MI
wrapper is added to kern_dump.c, which handles the construction of
the state struct. Thus, calling minidumpsys() remains as simple as
before.
Reviewed by: kib, markj, jhb
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D31989
2021-11-17 15:26:59 +00:00
|
|
|
|
|
|
|
|
error = cpu_minidumpsys(di, &state);
|
Allow minidumps to be performed on the live system
Add a boolean parameter to minidumpsys(), to indicate a live dump. When
requested, take a snapshot of important global state, and pass this to
the machine-dependent minidump function. For now this includes the
kernel message buffer, and the bitset of pages to be dumped. Beyond
this, we don't take much action to protect the integrity of the dump
from changes in the running system.
A new function msgbuf_duplicate() is added for snapshotting the message
buffer. msgbuf_copy() is insufficient for this purpose since it marks
any new characters it finds as read.
For now, nothing can actually trigger a live minidump. A future patch
will add the mechanism for this. For simplicity and safety, live dumps
are disallowed for mips.
Reviewed by: markj, jhb
MFC after: 2 weeks
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D31993
2021-11-17 15:35:59 +00:00
|
|
|
if (livedump) {
|
|
|
|
|
free(msg_ptr, M_TEMP);
|
|
|
|
|
free(state.dump_bitset, M_TEMP);
|
|
|
|
|
}
|
minidump: Parameterize minidumpsys()
The minidump code is written assuming that certain global state will not
change, and rightly so, since it executes from a kernel debugger
context. In order to support taking minidumps of a live system, we
should allow copies of relevant global state that is likely to change to
be passed as parameters to the minidumpsys() function.
This patch does the work of parameterizing this function, by adding a
struct minidumpstate argument. For now, this struct allows for copies of
the kernel message buffer, and the bitset that tracks which pages should
be dumped (vm_page_dump). Follow-up changes will actually make use of
these arguments.
Notably, dump_avail[] does not need a snapshot, since it is not expected
to change after system initialization.
The existing minidumpsys() definitions are renamed, and a thin MI
wrapper is added to kern_dump.c, which handles the construction of
the state struct. Thus, calling minidumpsys() remains as simple as
before.
Reviewed by: kib, markj, jhb
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D31989
2021-11-17 15:26:59 +00:00
|
|
|
|
|
|
|
|
return (error);
|
|
|
|
|
}
|
|
|
|
|
#endif /* MINIDUMP_PAGE_TRACKING == 1 */
|
