[PATCH v2 0/8] makedumpfile: makedumpfile enhancement to filter out kernel data from vmcore

Thu May 26 07:15:14 EDT 2011

Vivek,

I/O is not restricted to disk I/O (it may be network I/O, data sent to 
crtypto cards etc.) and it is not always direct, Device drivers may have 
buffers to which such data is copied. 

So it is more than just keys, and it may change over time.
I do not think hardwiring a filter in makedumpfile is a good idea because 
you would need a new makedumpfile release for every Distribution 
(release).

Allowing to configure makedumpfile allows each distribution and each 
platform to provide appropriate filters.

Mit freundlichen Grüßen/Best Regards/Cordialement 

Reinhard

Dr. Reinhard Bündgen 
RAS & Crypto Architect for Linux on System z 
Virtualization and Systems Management 

Mail:buendgen at de.ibm.com
Phone: ++49-(0)7031-16-1130
Fax: ++49-(0)7031-16-3456 

IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Martin Jetter
Geschäftsführung: Dirk Wittkopp 
Sitz der Gesellschaft: Böblingen
Registergericht: Amtsgericht Stuttgart, HRB 243294

From:   Vivek Goyal <vgoyal at redhat.com>
To:     Reinhard Buendgen/Germany/IBM at IBMDE
Cc:     Dave Anderson <anderson at redhat.com>, Ananth N Mavinakayanahalli 
<ananth at in.ibm.com>, kexec at lists.infradead.org, Mahesh J Salgaonkar 
<mahesh at linux.vnet.ibm.com>, "Ken'ichi Ohmichi" 
<oomichi at mxs.nes.nec.co.jp>, V Srivatsa <vsrivatsa at in.ibm.com>
Date:   25.05.2011 21:53
Subject:        Re: [PATCH v2 0/8] makedumpfile: makedumpfile enhancement 
to filter out kernel data from vmcore

On Wed, May 25, 2011 at 10:41:55AM +0200, Reinhard Buendgen wrote:
> Hi,
> 
> to answer Vivek questions first: Eventually we want to be able to erase 
> all data that a customer may consider sensitive to her privacy. In 
> addition to encryption key that may be the contents (i.e. payload 
within) 
> of all kinds of I/O buffers. Consider you are running a kvm based 
> hypervisor and want its dump to be analyized while promising your 
> customers whose guests you run on that hypervisor that none of their 
data 
> will be externalized. Or consider your system reads a spreadsheat with 
> bank account or health information. You might not want to send fractions 

> of that information sitting in some buffers to a service organization.

So for direct IO, buffer is still in user space and should be filtered
out when we filter out user space pages using mkdumpfile. For kvm, I am
assuming that all the pages belong to qemu process and once we are
filtering out user space pages, any data belonging to guest will go away.

So atleast for above examples it does not sound as if we need symbol
erase infrastructure.

> 
> to answer Daves concern: there is no intention that crash should ever 
look 
> into the erased structures. In theroy it should not be needed because 
the 
> contents of structures to be deleted should be irrelevant to kernel 
> debugging.

So what are those kernel structures which we are planning to delete and
are irrelevant to kernel debugging by crash?

I think we are missing something here. If there are only few known
structures we want to get rid of, lets hardcode it in makedumpfile
instead of giving user a generic infrastructure. That way we know
that we are not leaking information at the same time making sure
that analysis tools are working.

Thanks
Vivek

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.infradead.org/pipermail/kexec/attachments/20110526/f8451157/attachment-0001.html>