Re: [PATCH v8 0/7] Support kdump with LUKS encryption by reusing LUKS volume keys

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Baoquan He <bhe@redhat.com>
To: akpm@linux-foundation.org
Cc: kexec@lists.infradead.org, "Ondrej Kozina" <okozina@redhat.com>,
	"Milan Broz" <gmazyland@gmail.com>,
	"Thomas Staudt" <tstaudt@de.ibm.com>,
	"Daniel P . Berrangé" <berrange@redhat.com>,
	"Kairui Song" <ryncsn@gmail.com>,
	"Pingfan Liu" <kernelfans@gmail.com>,
	"Dave Young" <dyoung@redhat.com>,
	linux-kernel@vger.kernel.org, x86@kernel.org,
	"Dave Hansen" <dave.hansen@intel.com>,
	"Vitaly Kuznetsov" <vkuznets@redhat.com>,
	"Coiby Xu" <coxu@redhat.com>
Subject: Re: [PATCH v8 0/7] Support kdump with LUKS encryption by reusing LUKS volume keys
Date: Mon, 24 Feb 2025 09:36:48 +0800	[thread overview]
Message-ID: <Z7vNMJPQPr4N6Dih@MiWiFi-R3L-srv> (raw)
In-Reply-To: <Z6sljm1lurDKPCvj@MiWiFi-R3L-srv>

Hi Andrew,

On 02/11/25 at 06:25pm, Baoquan He wrote:
> On 02/07/25 at 04:08pm, Coiby Xu wrote:
> > LUKS is the standard for Linux disk encryption, widely adopted by users,
> > and in some cases, such as Confidential VMs, it is a requirement. With 
> > kdump enabled, when the first kernel crashes, the system can boot into
> > the kdump/crash kernel to dump the memory image (i.e., /proc/vmcore) 
> > to a specified target. However, there are two challenges when dumping
> > vmcore to a LUKS-encrypted device:
> > 
> >  - Kdump kernel may not be able to decrypt the LUKS partition. For some
> >    machines, a system administrator may not have a chance to enter the
> >    password to decrypt the device in kdump initramfs after the 1st kernel
> >    crashes; For cloud confidential VMs, depending on the policy the
> >    kdump kernel may not be able to unseal the keys with TPM and the
> >    console virtual keyboard is untrusted.
> > 
> >  - LUKS2 by default use the memory-hard Argon2 key derivation function
> >    which is quite memory-consuming compared to the limited memory reserved
> >    for kdump. Take Fedora example, by default, only 256M is reserved for
> >    systems having memory between 4G-64G. With LUKS enabled, ~1300M needs
> >    to be reserved for kdump. Note if the memory reserved for kdump can't
> >    be used by 1st kernel i.e. an user sees ~1300M memory missing in the
> >    1st kernel.
> > 
> > Besides users (at least for Fedora) usually expect kdump to work out of
> > the box i.e. no manual password input or custom crashkernel value is
> > needed. And it doesn't make sense to derivate the keys again in kdump
> > kernel which seems to be redundant work.
> > 
> > This patch set addresses the above issues by making the LUKS volume keys
> > persistent for kdump kernel with the help of cryptsetup's new APIs
> > (--link-vk-to-keyring/--volume-key-keyring). Here is the life cycle of
> > the kdump copies of LUKS volume keys,
> > 
> >  1. After the 1st kernel loads the initramfs during boot, systemd
> >     use an user-input passphrase to de-crypt the LUKS volume keys
> >     or TPM-sealed key and then save the volume keys to specified keyring
> >     (using the --link-vk-to-keyring API) and the key will expire within
> >     specified time.
> > 
> >  2. A user space tool (kdump initramfs loader like kdump-utils) create
> >     key items inside /sys/kernel/config/crash_dm_crypt_keys to inform
> >     the 1st kernel which keys are needed.
> > 
> >  3. When the kdump initramfs is loaded by the kexec_file_load
> >     syscall, the 1st kernel will iterate created key items, save the
> >     keys to kdump reserved memory.
> > 
> >  4. When the 1st kernel crashes and the kdump initramfs is booted, the
> >     kdump initramfs asks the kdump kernel to create a user key using the
> >     key stored in kdump reserved memory by writing yes to
> >     /sys/kernel/crash_dm_crypt_keys/restore. Then the LUKS encrypted
> >     device is unlocked with libcryptsetup's --volume-key-keyring API.
> > 
> >  5. The system gets rebooted to the 1st kernel after dumping vmcore to
> >     the LUKS encrypted device is finished
> > 
> > After libcryptsetup saving the LUKS volume keys to specified keyring,
> > whoever takes this should be responsible for the safety of these copies
> > of keys. The keys will be saved in the memory area exclusively reserved
> > for kdump where even the 1st kernel has no direct access. And further
> > more, two additional protections are added,
> >  - save the copy randomly in kdump reserved memory as suggested by Jan
> >  - clear the _PAGE_PRESENT flag of the page that stores the copy as
> >    suggested by Pingfan
> > 
> > This patch set only supports x86. There will be patches to support other
> > architectures once this patch set gets merged.

Could you pick this patchset into your tree since no conern from other
reviewers?

Thanks
Baoquan

> 
> This v8 looks good to me, thanks for the great effort, Coiby.
> 
> Acked-by: Baoquan He <bhe@redhat.com>
>

next prev parent reply	other threads:[~2025-02-24  1:37 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-02-07  8:08 [PATCH v8 0/7] Support kdump with LUKS encryption by reusing LUKS volume keys Coiby Xu
2025-02-07  8:08 ` [PATCH v8 1/7] kexec_file: allow to place kexec_buf randomly Coiby Xu
2025-02-07  8:08 ` [PATCH v8 2/7] crash_dump: make dm crypt keys persist for the kdump kernel Coiby Xu
2025-04-23 20:44   ` Arnaud Lefebvre
2025-04-29  9:34     ` Coiby Xu
2025-02-07  8:08 ` [PATCH v8 3/7] crash_dump: store dm crypt keys in kdump reserved memory Coiby Xu
2025-02-07  8:08 ` [PATCH v8 4/7] crash_dump: reuse saved dm crypt keys for CPU/memory hot-plugging Coiby Xu
2025-02-07  8:08 ` [PATCH v8 5/7] crash_dump: retrieve dm crypt keys in kdump kernel Coiby Xu
2025-02-07  8:08 ` [PATCH v8 6/7] x86/crash: pass dm crypt keys to " Coiby Xu
2025-04-23 20:59   ` Arnaud Lefebvre
2025-04-29  9:40     ` Coiby Xu
2025-04-30 14:48       ` Arnaud Lefebvre
2025-05-02  0:13         ` Coiby Xu
2025-02-07  8:13 ` [PATCH v8 7/7] x86/crash: make the page that stores the dm crypt keys inaccessible Coiby Xu
2025-02-11 10:25 ` [PATCH v8 0/7] Support kdump with LUKS encryption by reusing LUKS volume keys Baoquan He
2025-02-12  0:43   ` Coiby Xu
2025-02-24  1:36   ` Baoquan He [this message]
2025-03-21  6:54     ` Coiby Xu
2025-03-10  3:30 ` Baoquan He
2025-04-14  5:44 ` Baoquan He
2025-04-24  0:08 ` Arnaud Lefebvre
2025-04-28  9:02   ` Coiby Xu
2025-04-28 18:40     ` Arnaud Lefebvre
2025-04-28 23:56       ` Coiby Xu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Z7vNMJPQPr4N6Dih@MiWiFi-R3L-srv \
    --to=bhe@redhat.com \
    --cc=akpm@linux-foundation.org \
    --cc=berrange@redhat.com \
    --cc=coxu@redhat.com \
    --cc=dave.hansen@intel.com \
    --cc=dyoung@redhat.com \
    --cc=gmazyland@gmail.com \
    --cc=kernelfans@gmail.com \
    --cc=kexec@lists.infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=okozina@redhat.com \
    --cc=ryncsn@gmail.com \
    --cc=tstaudt@de.ibm.com \
    --cc=vkuznets@redhat.com \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox