[PATCH v2 0/7] makedumpfile security key filtering with eppic
Vivek Goyal
vgoyal at redhat.com
Mon Dec 3 13:40:01 EST 2012
On Mon, Dec 03, 2012 at 08:05:54PM +0530, Aravinda Prasad wrote:
[..]
> >> Another approach is to dynamically load libeppic library - similar way
> >> how crash does it. No major changes will be done to makedumpfile code,
> >> except the addition of --eppic flag. Upon specifying --eppic flag
> >> makedumpfile will dlopen libeppic.so, which will have functionality to
> >> scrub the specified data. This will prevent makedumpfile bloat and will
> >> not affect the size of initramfs as --eppic is only specified during
> >> post processing. The distribution should build and ship libeppic.so and
> >> the procedure for building .so will be similar to what we have in crash.
> >
> > It will still show up in dynamic library dependencing using ldd. We will
> > have to put some hack to exclude the leppic despite the fact that
> > makedumpfile is dependent on it.
> >
> > In F18, now we use dracut to build kdump initramfs. On command line we
> > specify any extra binaries to be included and makedumpfile is one of
> > those. Dracut will determine all the dependencies and automatically pull
> > these in. So even if we don't use --eppic flag, dracult will pull in
> > eppic shared library anyway.
>
>
> I think ldd or dracut will not be able to make out that we are dependent
> on libeppic.so as we will be using the dlopen("libeppic.so, ...) call to
> dynamically load. No extra flags will be added to Makefile to specify
> -leppic while building makedumpfile. Hence, from my understanding, while
> building kdump initramfs, dracut cannot determine that we are dependent
> on eppic
Ok, if dracut does not pull in libeppic and does not bloat size of
initramfs, I am fine.
Thanks
Vivek
More information about the kexec
mailing list