[PATCH v2 0/7] makedumpfile security key filtering with eppic

Atsushi Kumagai kumagai-atsushi at mxc.nes.nec.co.jp
Tue Dec 4 03:36:25 EST 2012 

Hello Aravinda,

On Mon, 3 Dec 2012 13:40:01 -0500
Vivek Goyal <vgoyal at redhat.com> wrote:

> On Mon, Dec 03, 2012 at 08:05:54PM +0530, Aravinda Prasad wrote:
> 
> [..]
> > >> Another approach is to dynamically load libeppic library - similar way
> > >> how crash does it. No major changes will be done to makedumpfile code,
> > >> except the addition of --eppic flag. Upon specifying --eppic flag
> > >> makedumpfile will dlopen libeppic.so, which will have functionality to
> > >> scrub the specified data. This will prevent makedumpfile bloat and will
> > >> not affect the size of initramfs as --eppic is only specified during
> > >> post processing. The distribution should build and ship libeppic.so and
> > >> the procedure for building .so will be similar to what we have in crash.
> > > 
> > > It will still show up in dynamic library dependencing using ldd. We will
> > > have to put some hack to exclude the leppic despite the fact that
> > > makedumpfile is dependent on it. 
> > > 
> > > In F18, now we use dracut to build kdump initramfs. On command line we
> > > specify any extra binaries to be included and makedumpfile is one of
> > > those. Dracut will determine all the dependencies and automatically pull
> > > these in. So even if we don't use --eppic flag, dracult will pull in
> > > eppic shared library anyway.
> > 
> > 
> > I think ldd or dracut will not be able to make out that we are dependent
> > on libeppic.so as we will be using the dlopen("libeppic.so, ...) call to
> > dynamically load. No extra flags will be added to Makefile to specify
> > -leppic while building makedumpfile. Hence, from my understanding, while
> > building kdump initramfs, dracut cannot determine that we are dependent
> > on eppic
> 
> Ok, if dracut does not pull in libeppic and does not bloat size of
> initramfs, I am fine.

I agree with this idea too.

However, the release date is closing in, so would you re-send the patch set
based on v1.5.1 ? I will accept it as official feature in v1.5.2.


Thanks
Atsushi Kumagai

More information about the kexec mailing list