git: 67e751f167c9 - main - dumpon: use underlying device if encrypted swap is in use

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Ed Maste <emaste_at_FreeBSD.org>
Date: Thu, 10 Mar 2022 00:46:55 UTC
The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=67e751f167c98d02f85eb38401e3e6388db09ac1

commit 67e751f167c98d02f85eb38401e3e6388db09ac1
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2022-03-07 19:17:01 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-03-10 00:43:14 +0000

    dumpon: use underlying device if encrypted swap is in use
    
    /etc/rc.d/dumpon runs before /etc/rc.d/swap.  When encrypted swap is in
    use the .eli or .bde device will not exist at the time dumpon runs.
    
    Even if this is addressed it does not make sense to dump core to
    encrypted swap, as the encryption key will not be available after
    reboot rendering the dump useless.  Thus, for the case that dumpdev=AUTO
    and encrypted swap is in use, strip the extension and use the underlying
    device.
    
    Emit a warning if we are using the underlying device and the user has not
    configured dump encryption, so that the user knows that the will not be
    encrypted.
    
    PR:             238301
    Reported by:    Ivan Rozhuk
    Reviewed by:    jilles
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D34474
---
 libexec/rc/rc.d/dumpon | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/libexec/rc/rc.d/dumpon b/libexec/rc/rc.d/dumpon
index 752f52315f49..6ca335b73842 100755
--- a/libexec/rc/rc.d/dumpon
+++ b/libexec/rc/rc.d/dumpon
@@ -33,6 +33,19 @@ dumpon_try()
 	return 1
 }
 
+dumpon_warn_unencrypted()
+{
+	if [ -n "${dumppubkey}" ]; then
+		return
+	fi
+	for flag in ${dumpon_flags}; do
+		if [ $flag = -k ]; then
+			return
+		fi
+	done
+	warn "Kernel dumps will be written to the swap partition without encryption."
+}
+
 dumpon_start()
 {
 	# Enable dumpdev so that savecore can see it. Enable it
@@ -50,6 +63,12 @@ dumpon_start()
 		fi
 		while read dev mp type more ; do
 			[ "${type}" = "swap" ] || continue
+			case ${dev} in
+			*.bde|*.eli)
+				dumpon_warn_unencrypted
+				dev=${dev%.*}
+				;;
+			esac
 			[ -c "${dev}" ] || continue
 			dumpon_try "${dev}" 2>/dev/null && return 0
 		done </etc/fstab