[PATCH v2 0/7] makedumpfile security key filtering with eppic

Aravinda Prasad aravinda at linux.vnet.ibm.com
Tue Dec 4 03:56:11 EST 2012 


On 2012-12-04 14:06, Atsushi Kumagai wrote:

> Hello Aravinda,
> 
> On Mon, 3 Dec 2012 13:40:01 -0500
> Vivek Goyal <vgoyal at redhat.com> wrote:
> 
>> On Mon, Dec 03, 2012 at 08:05:54PM +0530, Aravinda Prasad wrote:
>>
>> [..]
>>>>> Another approach is to dynamically load libeppic library - similar way
>>>>> how crash does it. No major changes will be done to makedumpfile code,
>>>>> except the addition of --eppic flag. Upon specifying --eppic flag
>>>>> makedumpfile will dlopen libeppic.so, which will have functionality to
>>>>> scrub the specified data. This will prevent makedumpfile bloat and will
>>>>> not affect the size of initramfs as --eppic is only specified during
>>>>> post processing. The distribution should build and ship libeppic.so and
>>>>> the procedure for building .so will be similar to what we have in crash.
>>>>
>>>> It will still show up in dynamic library dependencing using ldd. We will
>>>> have to put some hack to exclude the leppic despite the fact that
>>>> makedumpfile is dependent on it. 
>>>>
>>>> In F18, now we use dracut to build kdump initramfs. On command line we
>>>> specify any extra binaries to be included and makedumpfile is one of
>>>> those. Dracut will determine all the dependencies and automatically pull
>>>> these in. So even if we don't use --eppic flag, dracult will pull in
>>>> eppic shared library anyway.
>>>
>>>
>>> I think ldd or dracut will not be able to make out that we are dependent
>>> on libeppic.so as we will be using the dlopen("libeppic.so, ...) call to
>>> dynamically load. No extra flags will be added to Makefile to specify
>>> -leppic while building makedumpfile. Hence, from my understanding, while
>>> building kdump initramfs, dracut cannot determine that we are dependent
>>> on eppic
>>
>> Ok, if dracut does not pull in libeppic and does not bloat size of
>> initramfs, I am fine.
> 
> I agree with this idea too.
> 
> However, the release date is closing in, so would you re-send the patch set
> based on v1.5.1 ? I will accept it as official feature in v1.5.2.
> 


sure. Thanks Atsushi

> 
> Thanks
> Atsushi Kumagai
> 


-- 
Regards,
Aravinda

More information about the kexec mailing list