[PATCH v2 0/7] makedumpfile security key filtering with eppic

Aravinda Prasad aravinda at linux.vnet.ibm.com
Mon Dec 3 09:35:54 EST 2012 


On 2012-12-03 18:50, Vivek Goyal wrote:

> On Mon, Dec 03, 2012 at 11:32:27AM +0530, Aravinda Prasad wrote:
>>
>>
>> On 2012-11-26 19:34, Vivek Goyal wrote:
>>
>>> On Thu, Nov 22, 2012 at 10:44:49PM +0530, Aravinda Prasad wrote:
>>>
>>> [..]
>>>> Customers who want to filter their dump would certainly prefer a single
>>>> tool and a single shot to throw away pages, scrub data and then
>>>> compress, split or send the resulting dump to some target using ssh.
>>>> This important functionality is lost if scrubbing is not part of
>>>> makedumpfile and a separate tool is developed which just does scrubbing.
>>>
>>> Customers do filtering from initramfs context. It is not practical to
>>> save TB of memory and filter it later. And we just concluded that is
>>> it not practical to do scrubbing from initramfs due to need of vmlinux.
>>>
>>> So doing filtering and doing scrubbing will not happen at the same
>>> time practically. So bloating size of makedumpfile does not make
>>> sense to me.
>>>
>>
>>
>> Another approach is to dynamically load libeppic library - similar way
>> how crash does it. No major changes will be done to makedumpfile code,
>> except the addition of --eppic flag. Upon specifying --eppic flag
>> makedumpfile will dlopen libeppic.so, which will have functionality to
>> scrub the specified data. This will prevent makedumpfile bloat and will
>> not affect the size of initramfs as --eppic is only specified during
>> post processing. The distribution should build and ship libeppic.so and
>> the procedure for building .so will be similar to what we have in crash.
> 
> It will still show up in dynamic library dependencing using ldd. We will
> have to put some hack to exclude the leppic despite the fact that
> makedumpfile is dependent on it. 
> 
> In F18, now we use dracut to build kdump initramfs. On command line we
> specify any extra binaries to be included and makedumpfile is one of
> those. Dracut will determine all the dependencies and automatically pull
> these in. So even if we don't use --eppic flag, dracult will pull in
> eppic shared library anyway.


I think ldd or dracut will not be able to make out that we are dependent
on libeppic.so as we will be using the dlopen("libeppic.so, ...) call to
dynamically load. No extra flags will be added to Makefile to specify
-leppic while building makedumpfile. Hence, from my understanding, while
building kdump initramfs, dracut cannot determine that we are dependent
on eppic

> 
> Thanks
> Vivek
> 


-- 
Regards,
Aravinda

More information about the kexec mailing list