1:48 a.m.
This series make kdump support LUKS targets with a lower memory usage
and allow second kernel to decrypt the target automatically without
password or keyfile.
Current the problem with LUKS is master key decryption from key slot
consume massive memory and require keyfile or password prompt, make it
not very usable for kdump. This series improve it by passing master key
directly.
When there is a LUKS crypt target, and key is stored in dm-crypt,
kdump will try to retrive the key automatically. If it success, second
kernel will just work without any manual input.
Output of kdumpctl restart in such case:
# kdumpctl restart
kdump: kexec: unloaded kdump kernel
kdump: Stopping kdump: [OK]
kdump: kexec: loaded kdump kernel
kdump: Starting kdump: [OK]
<second kernel works with normal crashkernel and no password prompt>
If LUKS key is stored in kernel keyring, then kdump can't retrive
the key. kdump will still work but kdumpctl will print a warning
message, warn the user second kernel have some extra requirement:
Output of kdumpctl restart in such case:
# kdumpctl restart
kdump: kexec: unloaded kdump kernel
kdump: Stopping kdump: [OK]
kdump: Can't get key of LUKS device /dev/vda3
kdump: Can't retrive LUKS key, crashkernel value should be large enough for LUKS key
decryption, and kdump kernel will prompt for password.
kdump: kexec: loaded kdump kernel
kdump: Starting kdump: [OK]
<second kernel need a large crashkernel and need password prompt>
If LUKS key is stored in kernel keyring, and a --askpass param is passed
to kdumpctl, kdumpctl will prompt for password for the LUKS device.
This way it can also get the LUKS key and pass it to second kernel,
bypass key decryption in second kernel, and avoids the extra memory
requirement and password promption.
Output of kdumpctl restart in such case:
# kdumpctl restart --askpass
kdump: kexec: unloaded kdump kernel
kdump: Stopping kdump: [OK]
Enter passphrase for /dev/vda3: <user input password here>
kdump: kexec: loaded kdump kernel
kdump: Starting kdump: [OK]
<second kernel works with normal crashkernel and no password prompt>
There is no need to rebuild initramfs for key location or LUKS config
change, just need a kdumpctl restart or reload.
And this only works for kdump, not for fadump as fadump reuse the
initramfs and we can't append the key to the default initramfs which is
too dangerous.
Useful commands for testing the patch:
To check LUKS key status:
# cryptsetup status luks-a0d62a54-6b2f-4667-ae33-65751343e212
Output of a LUKS config with key in keyring:
type: LUKS2
cipher: aes-xts-plain64
keysize: 512 bits
key location: keyring
device: /dev/vda3
sector size: 512
offset: 32768 sectors
size: 38580224 sectors
mode: read/write
flags: discards
Output of a LUKS config with key in dm-crypt:
type: LUKS1
cipher: aes-xts-plain64
keysize: 512 bits
key location: dm-crypt
device: /dev/nvme0n1p2
sector size: 512
offset: 4096 sectors
size: 1997780992 sectors
mode: read/write
flags: discards
To change the key location at runtime for LUKS2 (LUKS1 is always stored
in dm-crypt):
Change the key location to keyring:
# cryptsetup refresh luks-a0d62a54-6b2f-4667-ae33-65751343e212
Change the key location to dm-crypt:
# cryptsetup refresh luks-a0d62a54-6b2f-4667-ae33-65751343e212 --disable-keyring
Kairui Song (8):
kdump-lib: add support to get dev name from dev ID
kdump-lib: add a helper to append files into existing initramfs
kdump-lib.sh: introduce a helper to get underlying crypt device
mkdumprd: make use of the new get_luks_crypt_dev helper
Add helper to get LUKS key of a crypted target
Add master key based crypt target support
kdumpctl: accept a --askpass param for loading kdump resource
mkdumprd: remove LUKS target warning for non-fadump case
dracut-module-setup.sh | 13 +++++
kdump-lib.sh | 126 +++++++++++++++++++++++++++++++++++++++++
kdumpctl | 124 +++++++++++++++++++++++++++++++++++-----
kexec-crypt-init.sh | 18 ++++++
kexec-crypt-setup.sh | 18 ++++++
kexec-tools.spec | 4 ++
mkdumprd | 34 +++--------
7 files changed, 296 insertions(+), 41 deletions(-)
create mode 100644 kexec-crypt-init.sh
create mode 100644 kexec-crypt-setup.sh
--
2.30.2