[CFT] Encrypted kernel crash dumps.

From: Konrad Witaszczyk <def_at_FreeBSD.org>
Date: Thu, 25 Aug 2016 02:15:03 +0200
Dear FreeBSD Community,

I would like to ask you for help with testing encrypted kernel crash dumps.
The current patch can be downloaded from Phabricator [1].

You can read more about the feature in the review [2] and in the previous
message posted to freebsd-security [3]. Below you can find a description of four
tests. Please note that the tests will cause a panic and you may lose your data
so do not perform them on a production machine. EKCD should work with minidumps
and full dumps on all architectures supporting them. Encrypted textdumps are not
supported. I managed to successfully test EKCD on my laptop running amd64, and on
arm64 (minidump only) and i386 using QEMU.

The first two tests require a kernel compiled with the EKCD kernel option and RSA
keys which will be used to encrypt and decrypt core dump keys. The RSA keys can
be generated in the following way:
# openssl genrsa -out /etc/private.pem 4096
# openssl rsa -in /etc/private.pem -out /etc/public.pem -pubout

1. Encrypted minidump:
# dumpon -k /etc/public.pem /dev/dumpdevice
# sysctl debug.minidump=1
# sysctl debug.kdb.panic=1
db> call doadump(0)
db> reset
# savecore /var/crash /dev/dumpdevice
# decryptcore -p /etc/private.pem -n NR
# kgdb -n NR /path/to/kernel

2. Encrypted full dump:
# dumpon -k /etc/public.pem /dev/dumpdevice
# sysctl debug.minidump=0
# sysctl debug.kdb.panic=1
db> call doadump(0)
db> reset
# savecore /var/crash /dev/dumpdevice
# decryptcore -p /etc/private.pem -n NR
# kgdb -n NR /path/to/kernel

The next two tests should be performed using a kernel compiled with the EKCD
kernel option and also using a kernel compiled without the EKCD option:

3. Minidump:
# dumpon /dev/dumpdevice
# sysctl debug.minidump=1
# sysctl debug.kdb.panic=1
db> call doadump(0)
db> reset
# savecore /var/crash /dev/dumpdevice
# kgdb -n NR /path/to/kernel

4. Full dump:
# dumpon /dev/dumpdevice
# sysctl debug.minidump=0
# sysctl debug.kdb.panic=1
db> call doadump(0)
db> reset
# savecore /var/crash /dev/dumpdevice
# kgdb -n NR /path/to/kernel

NR is the number of the core dump saved by savecore(8). The test is successful
if kgdb can read the core dump. You can read more about the above steps in
dumpon(8), savecore(8) and decryptcore(8).
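As an added illustration (not code from the EKCD patch or the FreeBSD project), the following POSIX shell script models the key handling the steps above rely on: a fresh per-dump symmetric key encrypts the dump body, that key is wrapped with the public key handed to dumpon -k, and only the private key handed to decryptcore -p can unwrap it. The symmetric cipher (AES-256-CBC), the RSA padding (OAEP), the 2048-bit key size and the ekcd_* function names are assumptions of this model, not details taken from the patch.

```shell
#!/bin/sh
# Model of EKCD-style key wrapping with the openssl(1) CLI. Assumptions:
# AES-256-CBC for the dump body, RSA-OAEP for wrapping the dump key.
set -e

# Key pair generated as in the test instructions (2048 bits to keep the
# demo quick; the CFT uses 4096).
ekcd_gen_keys() {            # $1 = work dir
    openssl genrsa -out "$1/private.pem" 2048 2>/dev/null
    openssl rsa -in "$1/private.pem" -out "$1/public.pem" -pubout 2>/dev/null
}

# "dumpon -k" side: only public.pem is needed on the machine that dumps.
ekcd_encrypt_dump() {        # $1 = work dir, $2 = plaintext core, $3 = public key
    openssl rand -hex 32 > "$1/dumpkey.hex"   # 256-bit per-dump key
    openssl rand -hex 16 > "$1/iv.hex"
    openssl enc -aes-256-cbc -K "$(cat "$1/dumpkey.hex")" -iv "$(cat "$1/iv.hex")" \
        -in "$2" -out "$1/core.enc"
    openssl pkeyutl -encrypt -pubin -inkey "$3" -pkeyopt rsa_padding_mode:oaep \
        -in "$1/dumpkey.hex" -out "$1/dumpkey.wrapped"
    rm -f "$1/dumpkey.hex"    # the plaintext key never persists beside the dump
}

# "decryptcore -p" side: unwrap the dump key, then decrypt the body.
ekcd_decrypt_dump() {        # $1 = work dir, $2 = private key, $3 = output file
    openssl pkeyutl -decrypt -inkey "$2" -pkeyopt rsa_padding_mode:oaep \
        -in "$1/dumpkey.wrapped" -out "$1/dumpkey.dec" 2>/dev/null || return 1
    openssl enc -d -aes-256-cbc -K "$(cat "$1/dumpkey.dec")" -iv "$(cat "$1/iv.hex")" \
        -in "$1/core.enc" -out "$3" 2>/dev/null
}

# Round trip with the matching private key; prints "ok" on success.
ekcd_model_roundtrip() {     # $1 = work dir
    ekcd_gen_keys "$1"
    printf 'constructed fake vmcore contents\n' > "$1/core"   # constructed sample
    ekcd_encrypt_dump "$1" "$1/core" "$1/public.pem"
    ekcd_decrypt_dump "$1" "$1/private.pem" "$1/core.dec"
    [ "$(cat "$1/core")" = "$(cat "$1/core.dec")" ] && echo ok
}

# The same dump against an unrelated private key must fail to unwrap.
ekcd_model_wrong_key() {     # $1 = work dir (after ekcd_model_roundtrip)
    openssl genrsa -out "$1/other.pem" 2048 2>/dev/null
    if ekcd_decrypt_dump "$1" "$1/other.pem" "$1/core.wrong"; then
        echo leaked
    else
        echo fail
    fi
}
```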

Thanks!

[1] https://reviews.freebsd.org/D4712?download=true
[2] https://reviews.freebsd.org/D4712
[3] https://lists.freebsd.org/pipermail/freebsd-security/2015-December/008780.html


Best regards,
Konrad Witaszczyk
Received on Wed Aug 24 2016 - 22:15:10 UTC