Crash kernel will retrieve the dm crypt keys based on the dmcryptkeys command line parameter. When user space writes the key description to /sys/kernel/crash_dm_crypt_key, the crash kernel will save the encryption keys to the user keyring. Then user space e.g. cryptsetup's --volume-key-keyring API can use it to unlock the encrypted device.
Signed-off-by: Coiby Xu <[email protected]> --- Documentation/ABI/testing/crash_dm_crypt_keys | 3 + include/linux/crash_core.h | 1 + kernel/crash_dump_dm_crypt.c | 101 +++++++++++++++++- 3 files changed, 103 insertions(+), 2 deletions(-) diff --git a/Documentation/ABI/testing/crash_dm_crypt_keys b/Documentation/ABI/testing/crash_dm_crypt_keys index 7426c9d8de97..56a4b878a4dd 100644 --- a/Documentation/ABI/testing/crash_dm_crypt_keys +++ b/Documentation/ABI/testing/crash_dm_crypt_keys @@ -29,4 +29,7 @@ Description: read/write the kdump kernel has been loaded with the dm crypt keys stored to kdump reserved memory + After the kdump kernel gets booted, user space can write anything to this API + so the dm crypt keys can be restored to the keyring. + User: Kdump service diff --git a/include/linux/crash_core.h b/include/linux/crash_core.h index ab20829d0bc9..d7308b6e83f4 100644 --- a/include/linux/crash_core.h +++ b/include/linux/crash_core.h @@ -38,6 +38,7 @@ static inline void arch_kexec_unprotect_crashkres(void) { } int crash_sysfs_dm_crypt_keys_read(char *buf); int crash_sysfs_dm_crypt_keys_write(const char *buf, size_t count); int crash_load_dm_crypt_keys(struct kimage *image); +ssize_t dm_crypt_keys_read(char *buf, size_t count, u64 *ppos); #else static inline int crash_load_dm_crypt_keys(struct kimage *image) {return 0; } #endif diff --git a/kernel/crash_dump_dm_crypt.c b/kernel/crash_dump_dm_crypt.c index 9a6bd39adf76..00223343473b 100644 --- a/kernel/crash_dump_dm_crypt.c +++ b/kernel/crash_dump_dm_crypt.c @@ -40,12 +40,67 @@ static struct keys_header { struct dm_crypt_key keys[] __counted_by(total_keys); } *keys_header; +unsigned long long dm_crypt_keys_addr; +EXPORT_SYMBOL_GPL(dm_crypt_keys_addr); + +static int __init setup_dmcryptkeys(char *arg) +{ + char *end; + + if (!arg) + return -EINVAL; + dm_crypt_keys_addr = memparse(arg, &end); + if (end > arg) + return 0; + + dm_crypt_keys_addr = 0; + return -EINVAL; +} + +early_param("dmcryptkeys", setup_dmcryptkeys); + static size_t get_keys_header_size(struct keys_header *keys_header, size_t total_keys) { return struct_size(keys_header, keys, total_keys); } +/* + * Architectures may override this function to read dm crypt keys + */ +ssize_t __weak dm_crypt_keys_read(char *buf, size_t count, u64 *ppos) +{ + struct kvec kvec = { .iov_base = buf, .iov_len = count }; + struct iov_iter iter; + + iov_iter_kvec(&iter, READ, &kvec, 1, count); + return read_from_oldmem(&iter, count, ppos, false); +} + +static int add_key_to_keyring(struct dm_crypt_key *dm_key, + key_ref_t keyring_ref) +{ + key_ref_t key_ref; + int r; + + /* create or update the requested key and add it to the target keyring */ + key_ref = key_create_or_update(keyring_ref, "user", dm_key->key_desc, + dm_key->data, dm_key->key_size, + KEY_USR_ALL, KEY_ALLOC_IN_QUOTA); + + if (!IS_ERR(key_ref)) { + r = key_ref_to_ptr(key_ref)->serial; + key_ref_put(key_ref); + kexec_dprintk("Success adding key %s", dm_key->key_desc); + } else { + r = PTR_ERR(key_ref); + kexec_dprintk("Error when adding key"); + } + + key_ref_put(keyring_ref); + return r; +} + /* * Let the kernel know the number of dm crypt keys and allocate memory to * initialize related structures. @@ -139,11 +194,53 @@ static int process_cmd(const char *buf, size_t count) return -EINVAL; } +static int restore_dm_crypt_keys_to_thread_keyring(const char *key_desc) +{ + struct dm_crypt_key *key; + key_ref_t keyring_ref; + u64 addr; + + /* find the target keyring (which must be writable) */ + keyring_ref = + lookup_user_key(KEY_SPEC_USER_KEYRING, 0x01, KEY_NEED_WRITE); + if (IS_ERR(keyring_ref)) { + kexec_dprintk("Failed to get keyring %s\n", key_desc); + return PTR_ERR(keyring_ref); + } + + addr = dm_crypt_keys_addr; + dm_crypt_keys_read((char *)&key_count, sizeof(key_count), &addr); + if (key_count < 0 || key_count > KEY_NUM_MAX) { + pr_info("Failed to read the number of dm_crypt keys\n"); + return -1; + } + + kexec_dprintk("There are %u keys\n", key_count); + addr = dm_crypt_keys_addr; + + keys_header_size = get_keys_header_size(keys_header, key_count); + + keys_header = kzalloc(keys_header_size, GFP_KERNEL); + if (!keys_header) + return -ENOMEM; + + dm_crypt_keys_read((char *)keys_header, keys_header_size, &addr); + + for (int i = 0; i < keys_header->total_keys; i++) { + key = &keys_header->keys[i]; + kexec_dprintk("Get key (size=%u)\n", key->key_size); + add_key_to_keyring(key, keyring_ref); + } + + return 0; +} + int crash_sysfs_dm_crypt_keys_write(const char *buf, size_t count) { if (!is_kdump_kernel()) return process_cmd(buf, count); - return -EINVAL; + else + return restore_dm_crypt_keys_to_thread_keyring(buf); } EXPORT_SYMBOL_GPL(crash_sysfs_dm_crypt_keys_write); @@ -184,7 +281,7 @@ static int build_keys_header(void) for (i = 0; i < key_count; i++) { r = read_key_from_user_keying(&keys_header->keys[i]); if (r != 0) { - pr_err("Failed to read key %s\n", keys_header->keys[i].key_desc); + kexec_dprintk("Failed to read key %s\n", keys_header->keys[i].key_desc); return r; } } -- 2.45.1 _______________________________________________ kexec mailing list [email protected] http://lists.infradead.org/mailman/listinfo/kexec
