Crash kernel will retrieve the dm crypt keys based on the dmcryptkeys command line parameter. When user space writes the key description to /sys/kernel/crash_dm_crypt_key, the crash kernel will save the encryption keys to the user keyring. Then user space e.g. cryptsetup's --volume-key-keyring API can use it to unlock the encrypted device. Signed-off-by: Coiby Xu <coxu@xxxxxxxxxx> --- include/linux/crash_core.h | 1 + kernel/crash_dump_dm_crypt.c | 99 +++++++++++++++++++++++++++++++++++- 2 files changed, 99 insertions(+), 1 deletion(-) diff --git a/include/linux/crash_core.h b/include/linux/crash_core.h index ab20829d0bc9..d7308b6e83f4 100644 --- a/include/linux/crash_core.h +++ b/include/linux/crash_core.h @@ -38,6 +38,7 @@ static inline void arch_kexec_unprotect_crashkres(void) { } int crash_sysfs_dm_crypt_keys_read(char *buf); int crash_sysfs_dm_crypt_keys_write(const char *buf, size_t count); int crash_load_dm_crypt_keys(struct kimage *image); +ssize_t dm_crypt_keys_read(char *buf, size_t count, u64 *ppos); #else static inline int crash_load_dm_crypt_keys(struct kimage *image) {return 0; } #endif diff --git a/kernel/crash_dump_dm_crypt.c b/kernel/crash_dump_dm_crypt.c index b4dc881cc867..dd818581858b 100644 --- a/kernel/crash_dump_dm_crypt.c +++ b/kernel/crash_dump_dm_crypt.c @@ -33,12 +33,67 @@ static struct keys_header { struct dm_crypt_key keys[] __counted_by(key_count); } *keys_header; +unsigned long long dm_crypt_keys_addr; +EXPORT_SYMBOL_GPL(dm_crypt_keys_addr); + +static int __init setup_dmcryptkeys(char *arg) +{ + char *end; + + if (!arg) + return -EINVAL; + dm_crypt_keys_addr = memparse(arg, &end); + if (end > arg) + return 0; + + dm_crypt_keys_addr = 0; + return -EINVAL; +} + +early_param("dmcryptkeys", setup_dmcryptkeys); + static size_t get_keys_header_size(struct keys_header *keys_header, size_t key_count) { return struct_size(keys_header, keys, key_count); } +/* + * Architectures may override this function to read dm crypt key + */ +ssize_t __weak dm_crypt_keys_read(char *buf, size_t count, u64 *ppos) +{ + struct kvec kvec = { .iov_base = buf, .iov_len = count }; + struct iov_iter iter; + + iov_iter_kvec(&iter, READ, &kvec, 1, count); + return read_from_oldmem(&iter, count, ppos, false); +} + +static int add_key_to_keyring(struct dm_crypt_key *dm_key, + key_ref_t keyring_ref) +{ + key_ref_t key_ref; + int r; + + /* create or update the requested key and add it to the target keyring */ + key_ref = key_create_or_update(keyring_ref, "user", dm_key->key_desc, + dm_key->data, dm_key->key_size, + KEY_USR_ALL, KEY_ALLOC_IN_QUOTA); + + if (!IS_ERR(key_ref)) { + r = key_ref_to_ptr(key_ref)->serial; + key_ref_put(key_ref); + pr_alert("Success adding key %s", dm_key->key_desc); + } else { + r = PTR_ERR(key_ref); + pr_alert("Error when adding key"); + } + + key_ref_put(keyring_ref); + return r; +} + static int init(const char *buf) { unsigned int total_keys; @@ -120,11 +175,53 @@ static int process_cmd(const char *buf, size_t count) return -EINVAL; } +static int restore_dm_crypt_keys_to_thread_keyring(const char *key_desc) +{ + struct dm_crypt_key *key; + key_ref_t keyring_ref; + u64 addr; + + /* find the target keyring (which must be writable) */ + keyring_ref = + lookup_user_key(KEY_SPEC_USER_KEYRING, 0x01, KEY_NEED_WRITE); + if (IS_ERR(keyring_ref)) { + pr_alert("Failed to get keyring"); + return PTR_ERR(keyring_ref); + } + + addr = dm_crypt_keys_addr; + dm_crypt_keys_read((char *)&key_count, sizeof(key_count), &addr); + if (key_count < 0 || key_count > KEY_NUM_MAX) { + pr_info("Failed to the number of dm_crypt keys\n"); + return -1; + } + + pr_debug("There are %u keys\n", key_count); + addr = dm_crypt_keys_addr; + + keys_header_size = get_keys_header_size(keys_header, key_count); + + keys_header = kzalloc(keys_header_size, GFP_KERNEL); + if (!keys_header) + return -ENOMEM; + + dm_crypt_keys_read((char *)keys_header, keys_header_size, &addr); + + for (int i = 0; i < keys_header->key_count; i++) { + key = &keys_header->keys[i]; + pr_alert("Get key (size=%u): %8ph...\n", key->key_size, key->data); + add_key_to_keyring(key, keyring_ref); + } + + return 0; +} + int crash_sysfs_dm_crypt_keys_write(const char *buf, size_t count) { if (!is_kdump_kernel()) return process_cmd(buf, count); - return -EINVAL; + else + return restore_dm_crypt_keys_to_thread_keyring(buf); } EXPORT_SYMBOL(crash_sysfs_dm_crypt_keys_write); -- 2.45.0 _______________________________________________ kexec mailing list kexec@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/kexec