authorBryan Cantrill <bryan@joyent.com>2019-06-29 18:17:08 +0000
committerJoshua M. Clulow <jmc@joyent.com>2019-06-29 21:53:45 +0000
commitd2cb459496a9ba43c051f163b6233046ccb5bcdf (patch)
tree5551d1e4587b4b047866d5b0f925f00decfa01ac /usr/src/cmd/dumpadm
parente9686f2048541f02e63b97976f385b6efa0f4831 (diff)
OS-7828 add support for kernel crash dump encryption
Reviewed by: Robert Mustacchi <robert.mustacchi@joyent.com> Approved by: Joshua M. Clulow <jmc@joyent.com>
Diffstat (limited to 'usr/src/cmd/dumpadm')
-rw-r--r--usr/src/cmd/dumpadm/dconf.c40
-rw-r--r--usr/src/cmd/dumpadm/dconf.h2
-rw-r--r--usr/src/cmd/dumpadm/main.c14
3 files changed, 53 insertions, 3 deletions
diff --git a/usr/src/cmd/dumpadm/dconf.c b/usr/src/cmd/dumpadm/dconf.c
index 440004eac5..5a1da87148 100644
--- a/usr/src/cmd/dumpadm/dconf.c
+++ b/usr/src/cmd/dumpadm/dconf.c
@@ -21,12 +21,14 @@
/*
* Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright 2015 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Joyent, Inc.
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/swap.h>
#include <sys/dumpadm.h>
+#include <sys/dumphdr.h>
#include <sys/utsname.h>
#include <unistd.h>
@@ -537,6 +539,42 @@ dconf_get_dumpsize(dumpconf_t *dcp)
return (0);
}
+int
+dconf_set_crypt(dumpconf_t *dcp, const char *keyfile)
+{
+ int fd;
+ uint8_t key[DUMP_CRYPT_KEYLEN];
+
+ if ((fd = open(keyfile, O_RDONLY)) == -1) {
+ warn(gettext("failed to open %s"), keyfile);
+ return (-1);
+ }
+
+ if (read(fd, key, sizeof (key)) != sizeof (key)) {
+ warn(gettext("failed to read %d byte key from %s"),
+ DUMP_CRYPT_KEYLEN, keyfile);
+ (void) close(fd);
+ return (-1);
+ }
+
+ (void) close(fd);
+
+ if (ioctl(dcp->dc_dump_fd, DIOCSCRYPTKEY, key) == -1) {
+ warn(gettext("failed to set encryption key"));
+ return (-1);
+ }
+
+ /*
+ * Reload our config flags as they may have changed.
+ */
+ if ((dcp->dc_cflags = ioctl(dcp->dc_dump_fd, DIOCGETCONF, 0)) == -1) {
+ warn(gettext("failed to get kernel dump settings"));
+ return (-1);
+ }
+
+ return (0);
+}
+
void
dconf_print(dumpconf_t *dcp, FILE *fp)
{
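Review bot: The raw key stays in the stack buffer `key` after dconf_set_crypt returns, on the success path and on every failure path after the read; save the DIOCSCRYPTKEY result, call `explicit_bzero(key, sizeof (key));` immediately afterwards, and do the same before the return in the short-read branch. A plain memset before a return can be elided by the compiler, which is why the explicit variant is the right call here. The short-read branch reports through warn() even when read() returned a short count rather than -1, so if warn() appends strerror(errno) (its definition is not in this hunk) the message will cite a stale error; a distinct message for the short-count case avoids that. It would also be worth an fstat() on the opened descriptor to warn when the key file is not a regular file or is readable by group or other, since it holds the dump encryption key.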
@@ -578,6 +616,8 @@ dconf_print(dumpconf_t *dcp, FILE *fp)
(void) fprintf(fp, gettext(" Save compressed: %s\n"),
(dcp->dc_csave == DC_UNCOMPRESSED) ? gettext("off") :
gettext("on"));
+ (void) fprintf(fp, gettext(" Dump encrypted: %s\n"),
+ (dcp->dc_cflags & DUMP_ENCRYPT) ? gettext("yes") : gettext("no"));
}
int
diff --git a/usr/src/cmd/dumpadm/dconf.h b/usr/src/cmd/dumpadm/dconf.h
index 74920f0def..e2f609cee7 100644
--- a/usr/src/cmd/dumpadm/dconf.h
+++ b/usr/src/cmd/dumpadm/dconf.h
@@ -21,6 +21,7 @@
/*
* Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright 2015 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Joyent, Inc.
*/
#ifndef _DCONF_H
@@ -73,6 +74,7 @@ extern int dconf_update(dumpconf_t *, int);
extern void dconf_print(dumpconf_t *, FILE *);
extern int dconf_write_uuid(dumpconf_t *);
extern int dconf_get_dumpsize(dumpconf_t *);
+extern int dconf_set_crypt(dumpconf_t *, const char *);
extern int dconf_str2device(dumpconf_t *, char *);
extern int dconf_str2savdir(dumpconf_t *, char *);
diff --git a/usr/src/cmd/dumpadm/main.c b/usr/src/cmd/dumpadm/main.c
index 07a7dd5207..dccafbba33 100644
--- a/usr/src/cmd/dumpadm/main.c
+++ b/usr/src/cmd/dumpadm/main.c
@@ -21,6 +21,7 @@
/*
* Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright 2015 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Joyent, Inc.
*/
#include <sys/stat.h>
@@ -36,10 +37,10 @@
static const char USAGE[] = "\
Usage: %s [-enuy] [-c kernel | curproc | all ]\n\
- [-d dump-device | swap | none ] [-m min {k|m|%%} ] [-s savecore-dir]\n\
- [-r root-dir] [-z on|off]\n";
+ [-d dump-device | swap | none ] [-k key-file] [-m min {k|m|%%} ]\n\
+ [-s savecore-dir] [-r root-dir] [-z on|off]\n";
-static const char OPTS[] = "einuyc:d:m:s:r:z:";
+static const char OPTS[] = "einuyc:d:m:s:r:z:k:";
static const char PATH_DEVICE[] = "/dev/dump";
static const char PATH_CONFIG[] = "/etc/dumpadm.conf";
@@ -57,6 +58,7 @@ main(int argc, char *argv[])
int dcmode = DC_CURRENT; /* kernel settings override unless -u */
int modified = 0; /* have we modified the dump config? */
char *minfstr = NULL; /* string value of -m argument */
+ char *keyfile = NULL; /* key file for -k argument */
dumpconf_t dc; /* current configuration */
int chrooted = 0;
int douuid = 0;
@@ -136,6 +138,9 @@ main(int argc, char *argv[])
}
douuid++;
break;
+ case 'k':
+ keyfile = optarg;
+ break;
case 'm':
minfstr = optarg;
@@ -191,6 +196,9 @@ main(int argc, char *argv[])
return (E_ERROR);
}
+ if (keyfile != NULL && dconf_set_crypt(&dc, keyfile) == -1)
+ return (E_ERROR);
+
if (dcmode == DC_OVERRIDE) {
/*
* In override mode, we try to force an update. If this
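Review bot: The `-k` key is pushed into the kernel before the override/update logic that follows, so a failure in those later steps (they lie outside this hunk, so this is inferred) would leave the new key installed while dumpadm exits with E_ERROR. If that ordering is intended, say so next to the call, for example `/* The key is installed first; a later failure does not roll it back. */`, so operators and maintainers do not assume the command is all-or-nothing. main()'s body starts and ends outside this hunk.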