Page MenuHomeFreeBSD
Differential D34474

dumpon: use underlying device if encrypted swap is in use
ClosedPublic
Actions

Authored by emaste on Mar 7 2022, 7:26 PM.
Tags
None
Referenced Files
F102950900: D34474.diff
Tue, Nov 19, 3:04 AM
Unknown Object (File)
Oct 1 2024, 11:33 AM
Unknown Object (File)
Sep 25 2024, 3:10 PM
Unknown Object (File)
Sep 25 2024, 3:10 PM
Unknown Object (File)
Sep 25 2024, 3:10 PM
Unknown Object (File)
Sep 25 2024, 3:10 PM
Unknown Object (File)
Sep 25 2024, 3:10 PM
Unknown Object (File)
Sep 25 2024, 3:10 PM
View All Files
Subscribers
jamie_catflap.org
jhb
jilles
jrtc27

Details

Reviewers
kevans
imp
jhb
jilles
Commits
rG2a719333189d: dumpon: use underlying device if encrypted swap is in use
rG67e751f167c9: dumpon: use underlying device if encrypted swap is in use
Summary
/etc/rc.d/dumpon runs before /etc/rc.d/swap.  When encrypted swap is in
use the .eli device will not exist at the time dumpon runs.  Even if
this is addressed it does not make sense to dump core to encrypted swap,
as the encryption key will not be available after reboot.  Thus, for the
case that dumpdev=AUTO and encrypted swap is in use, strip .eli and use
the underlying device.  Emit a warning in this case so that the user is
aware that the dump will not be encrypted.

PR:             238301
Reported by:    Ivan Rozhuk
MFC after:      1 week
Sponsored by:   The FreeBSD Foundation

Diff Detail

Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

emaste requested review of this revision.Mar 7 2022, 7:26 PM
emaste created this revision.
jrtc27 added a subscriber: jrtc27.Mar 7 2022, 7:38 PM
jrtc27 added inline comments.
libexec/rc/rc.d/dumpon
67

Is there a reason not to do this?

emaste added inline comments.Mar 7 2022, 7:42 PM
libexec/rc/rc.d/dumpon
67

No, I guess I just forgot about warn() (and the echo just below here didn't remind me).

75

So perhaps also this

jhb added a subscriber: jhb.Mar 7 2022, 7:43 PM
jhb added inline comments.
libexec/rc/rc.d/dumpon
67

I think this is non-optional as otherwise you can never read the dump. IIRC, encrypted swap uses a randomly-generated key on each boot. There's no persistent key that would let you recover the dump. I'm not sure this is worth warning about as there's nothing the user can really do to mitigate the warning? Possibly you could only warn if EKCD isn't enabled, but those are only tangentially related. (EKCD uses a persistent key I think?)

emaste updated this revision to Diff 103602.Mar 7 2022, 7:47 PM

use warn for warning (also for one existing case)

jrtc27 added inline comments.Mar 7 2022, 7:49 PM
libexec/rc/rc.d/dumpon
67

My question was whether there was a reason not to use warn instead of echo, not about whether to strip the .eli or not.

emaste added a comment.Mar 7 2022, 7:51 PM

@jhb I added the warning to ensure the user is aware - they chose to encrypt their swap, and (with dumpdev=AUTO) by default we will write unencrypted data to that swap partition. The user could specify the parent device explicitly to avoid the warning.

kevans added a comment.Mar 7 2022, 8:10 PM
In D34474#781097, @emaste wrote:

@jhb I added the warning to ensure the user is aware - they chose to encrypt their swap, and (with dumpdev=AUTO) by default we will write unencrypted data to that swap partition. The user could specify the parent device explicitly to avoid the warning.

This is the default, too, isn't it? IMO being noisy about it is good, it may be the signal someone needs to reconfigure the system for netdump or avoiding dump.

emaste updated this revision to Diff 103604.Mar 7 2022, 8:28 PM

Omit warning if the user provided an encryption key

emaste added a comment.Mar 7 2022, 8:29 PM

This is the default, too, isn't it?

Swap is not encrypted by default in the installer at present.

emaste updated this revision to Diff 103605.Mar 7 2022, 8:40 PM

drop change to existing message, it may not warrant warn()

kevans added a comment.Mar 7 2022, 8:47 PM
In D34474#781105, @emaste wrote:

This is the default, too, isn't it?

Swap is not encrypted by default in the installer at present.

I meant dumpdev=auto

emaste added a comment.Mar 7 2022, 8:48 PM

I meant dumpdev=auto

Ah, yes it is indeed.

emaste edited reviewers, added: jhb; removed: markj.Mar 8 2022, 2:28 PM
emaste updated this revision to Diff 103632.Mar 8 2022, 2:38 PM

Update expr quoting

jamie_catflap.org added a subscriber: jamie_catflap.org.Mar 8 2022, 7:40 PM
jamie_catflap.org added inline comments.Mar 8 2022, 8:03 PM
libexec/rc/rc.d/dumpon
67

@jhb The point is to warn someone who may be using encrypted swap that if they have dumps

67

I think Ed added that in response to my comment on the bug:

"As for dumping to swap, doesn't that negate the purpose of using encrypted swap in the first place? All someone would need to do is force a panic, and the memory contents would be dumped in the clear." ( https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238301 )

I could quite easily see someone not realising that if dump was enabled, their swap may not be completely secure.. Though I can see your point that some people may get annoyed seeing that message all the time even when they know what they are doing!

Cheers, Jamie

jamie_catflap.org added inline comments.Mar 8 2022, 8:06 PM
libexec/rc/rc.d/dumpon
68

The manual page for fstab also mentions the GBDE swap option, with prefix .bde

jamie_catflap.org added a comment.Mar 8 2022, 8:27 PM
In D34474#781108, @kevans wrote:

I meant dumpdev=auto

But before this patch, dumping failed when encrypted swap was enabled (I assumed this was intentional, as you normally wouldn't want unecrypted swap data written to disk under any circumstances)

For anyone in a similar situation, this patch would enabled swapping with no warning.

The warning message could be suppressed by specifically setting the dumpdev (In my earlier comment, I missed the fact that Ed had pointed this out)

jilles added a subscriber: jilles.Mar 8 2022, 8:48 PM
jilles added inline comments.
libexec/rc/rc.d/dumpon
66

This can be checked using shell builtins: case $dev in *.eli) ...

This avoids that it does not work for certain values for $dev like - which are admittedly unlikely, and therefore sets a better example for other code.

emaste added inline comments.Mar 8 2022, 9:28 PM
libexec/rc/rc.d/dumpon
66

It does work for $dev starting with -:

expr -- -foo.eli : '.*\.eli$' >/dev/null && echo true
true

but as Jamie points out we should handle .bde also, so perhaps something like

case $dev in
*.eli)
        dumpon_warn_unencrypted
        dev=${dev%.eli}
       ;;
*.bde)
        dumpon_warn_unencrypted
        dev=${dev%.bde}
        ;;
esac
emaste added inline comments.Mar 8 2022, 9:29 PM
libexec/rc/rc.d/dumpon
66

Ah, but indeed not exactly -.

jrtc27 added inline comments.Mar 8 2022, 9:30 PM
libexec/rc/rc.d/dumpon
66

Or less repetitively:

case $dev in
*.bde|*.eli)
        warn "..."
        dev=${dev%.*}
        ;;
esac

(single % is the right one to leave foo.bar.eli as foo.bar not foo)

emaste updated this revision to Diff 103643.Mar 8 2022, 9:32 PM

Use case as suggested by @jilles and handle .bde as well

emaste updated this revision to Diff 103644.Mar 8 2022, 9:33 PM

Incorporate @jrtc27 suggestion

emaste added a comment.Mar 9 2022, 8:49 PM

Any other feedback?

jilles accepted this revision.Mar 9 2022, 10:35 PM
This revision is now accepted and ready to land.Mar 9 2022, 10:35 PM
jamie_catflap.org added a comment.Mar 9 2022, 10:42 PM
In D34474#781829, @emaste wrote:

Any other feedback?

Looks perfect!

Closed by commit rG67e751f167c9: dumpon: use underlying device if encrypted swap is in use (authored by emaste). · Explain WhyMar 10 2022, 12:47 AM
This revision was automatically updated to reflect the committed changes.
emaste added a commit: rG67e751f167c9: dumpon: use underlying device if encrypted swap is in use.
emaste added a commit: rG2a719333189d: dumpon: use underlying device if encrypted swap is in use.Mar 17 2022, 1:10 AM

Revision Contents
Changeset List

PathSize
libexec/
rc/
rc.d/
19 lines

Diff 103644

View Options

libexec/rc/rc.d/dumpon

Loading...