[PATCH v2 0/7] makedumpfile security key filtering with eppic
Vivek Goyal
vgoyal at redhat.com
Mon Dec 3 08:20:59 EST 2012
On Mon, Dec 03, 2012 at 11:32:27AM +0530, Aravinda Prasad wrote:
>
>
> On 2012-11-26 19:34, Vivek Goyal wrote:
>
> > On Thu, Nov 22, 2012 at 10:44:49PM +0530, Aravinda Prasad wrote:
> >
> > [..]
> >> Customers who want to filter their dump would certainly prefer a single
> >> tool and a single shot to throw away pages, scrub data and then
> >> compress, split or send the resulting dump to some target using ssh.
> >> This important functionality is lost if scrubbing is not part of
> >> makedumpfile and a separate tool is developed which just does scrubbing.
> >
> > Customers do filtering from initramfs context. It is not practical to
> > save TB of memory and filter it later. And we just concluded that is
> > it not practical to do scrubbing from initramfs due to need of vmlinux.
> >
> > So doing filtering and doing scrubbing will not happen at the same
> > time practically. So bloating size of makedumpfile does not make
> > sense to me.
> >
>
>
> Another approach is to dynamically load libeppic library - similar way
> how crash does it. No major changes will be done to makedumpfile code,
> except the addition of --eppic flag. Upon specifying --eppic flag
> makedumpfile will dlopen libeppic.so, which will have functionality to
> scrub the specified data. This will prevent makedumpfile bloat and will
> not affect the size of initramfs as --eppic is only specified during
> post processing. The distribution should build and ship libeppic.so and
> the procedure for building .so will be similar to what we have in crash.
It will still show up in dynamic library dependencing using ldd. We will
have to put some hack to exclude the leppic despite the fact that
makedumpfile is dependent on it.
In F18, now we use dracut to build kdump initramfs. On command line we
specify any extra binaries to be included and makedumpfile is one of
those. Dracut will determine all the dependencies and automatically pull
these in. So even if we don't use --eppic flag, dracult will pull in
eppic shared library anyway.
Thanks
Vivek
More information about the kexec
mailing list