[PATCH v2 0/8] makedumpfile: makedumpfile enhancement to filter out kernel data from vmcore
vgoyal at redhat.com
Wed May 25 15:53:21 EDT 2011
On Wed, May 25, 2011 at 10:41:55AM +0200, Reinhard Buendgen wrote:
> to answer Vivek questions first: Eventually we want to be able to erase
> all data that a customer may consider sensitive to her privacy. In
> addition to encryption key that may be the contents (i.e. payload within)
> of all kinds of I/O buffers. Consider you are running a kvm based
> hypervisor and want its dump to be analyized while promising your
> customers whose guests you run on that hypervisor that none of their data
> will be externalized. Or consider your system reads a spreadsheat with
> bank account or health information. You might not want to send fractions
> of that information sitting in some buffers to a service organization.
So for direct IO, buffer is still in user space and should be filtered
out when we filter out user space pages using mkdumpfile. For kvm, I am
assuming that all the pages belong to qemu process and once we are
filtering out user space pages, any data belonging to guest will go away.
So atleast for above examples it does not sound as if we need symbol
> to answer Daves concern: there is no intention that crash should ever look
> into the erased structures. In theroy it should not be needed because the
> contents of structures to be deleted should be irrelevant to kernel
So what are those kernel structures which we are planning to delete and
are irrelevant to kernel debugging by crash?
I think we are missing something here. If there are only few known
structures we want to get rid of, lets hardcode it in makedumpfile
instead of giving user a generic infrastructure. That way we know
that we are not leaking information at the same time making sure
that analysis tools are working.
More information about the kexec