socsvn commit: r289827 - in soc2013/def/crashdump-head: sbin/cryptcore sys/kern sys/sys

def at FreeBSD.org def at FreeBSD.org
Mon Aug 17 15:27:29 UTC 2015 

Author: def
Date: Mon Aug 17 15:27:26 2015
New Revision: 289827
URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=289827

Log:
  Use only one sysctl to setup EKCD.

Modified:
  soc2013/def/crashdump-head/sbin/cryptcore/cryptcore.c
  soc2013/def/crashdump-head/sys/kern/kern_shutdown.c
  soc2013/def/crashdump-head/sys/sys/kerneldump.h

Modified: soc2013/def/crashdump-head/sbin/cryptcore/cryptcore.c
==============================================================================
--- soc2013/def/crashdump-head/sbin/cryptcore/cryptcore.c	Mon Aug 17 13:07:12 2015	(r289826)
+++ soc2013/def/crashdump-head/sbin/cryptcore/cryptcore.c	Mon Aug 17 15:27:26 2015	(r289827)
@@ -30,10 +30,10 @@
 static void
 cryptcore_genkey(const char *pubkeyfile)
 {
-	uint8_t key[KERNELDUMP_KEY_SIZE];
-	uint8_t *encryptedkey;
 	FILE *fp;
+	struct kerneldumpsetup *kds;
 	RSA *pubkey;
+	size_t kdssize;
 	int pubkeysize;
 
 	PJDLOG_ASSERT(pubkeyfile != NULL);
@@ -51,13 +51,14 @@
 		pjdlog_exitx(1, "Unable to read data from %s.", pubkeyfile);
 
 	pubkeysize = RSA_size(pubkey);
-	encryptedkey = calloc(1, pubkeysize);
-	if (encryptedkey == NULL)
-		pjdlog_exit(1, "Unable to allocate encrypted key");
-
-	arc4random_buf(key, sizeof(key));
-	if (RSA_public_encrypt(sizeof(key), key, encryptedkey, pubkey,
-	    RSA_PKCS1_PADDING) != pubkeysize) {
+	kdssize = sizeof(*kds) + pubkeysize;
+	kds = calloc(1, kdssize);
+	if (kds == NULL)
+		pjdlog_exit(1, "Unable to allocate kernel dump setup");
+
+	arc4random_buf(kds->kds_key, sizeof(kds->kds_key));
+	if (RSA_public_encrypt(sizeof(kds->kds_key), kds->kds_key,
+	    kds->kds_encryptedkey, pubkey, RSA_PKCS1_PADDING) != pubkeysize) {
 		pjdlog_errno(LOG_ERR, "Unable to encrypt the one-time key");
 		goto failed;
 	}
@@ -65,25 +66,20 @@
 	/*
 	 * From this moment on keys have to be erased before exit.
 	 */
-	if (sysctlbyname("security.ekcd.key", NULL, NULL, key,
-	    KERNELDUMP_KEY_SIZE) != 0) {
+	if (sysctlbyname("security.ekcd.setup", NULL, NULL,
+	    kds, kdssize) != 0) {
 		pjdlog_errno(LOG_ERR, "Unable to set key");
 		goto failed;
 	}
-	if (sysctlbyname("security.ekcd.encryptedkey", NULL, NULL,
-	    encryptedkey, pubkeysize) != 0) {
-		pjdlog_errno(LOG_ERR, "Unable to set encrypted key");
-		goto failed;
-	}
 
-	bzero(key, sizeof(key));
-	free(encryptedkey);
+	bzero(kds, kdssize);
+	free(kds);
 	RSA_free(pubkey);
 
 	return;
 failed:
-	bzero(key, sizeof(key));
-	free(encryptedkey);
+	bzero(kds, kdssize);
+	free(kds);
 	RSA_free(pubkey);
 	exit(1);
 }

Modified: soc2013/def/crashdump-head/sys/kern/kern_shutdown.c
==============================================================================
--- soc2013/def/crashdump-head/sys/kern/kern_shutdown.c	Mon Aug 17 13:07:12 2015	(r289826)
+++ soc2013/def/crashdump-head/sys/kern/kern_shutdown.c	Mon Aug 17 15:27:26 2015	(r289827)
@@ -159,8 +159,7 @@
 static struct kerneldumpkey *dumpkey;
 
 static int kerneldump_sysctl_enable(SYSCTL_HANDLER_ARGS);
-static int kerneldump_sysctl_key(SYSCTL_HANDLER_ARGS);
-static int kerneldump_sysctl_encryptedkey(SYSCTL_HANDLER_ARGS);
+static int kerneldump_sysctl_setup(SYSCTL_HANDLER_ARGS);
 
 SYSCTL_NODE(_security, OID_AUTO, ekcd, CTLFLAG_RW, 0,
     "Encrypted kernel crash dumps");
@@ -168,11 +167,8 @@
 SYSCTL_PROC(_security_ekcd, OID_AUTO, enable, CTLTYPE_INT | CTLFLAG_RW, NULL, 0,
     kerneldump_sysctl_enable, "I", "Enable encrypted kernel crash dumps");
 
-SYSCTL_PROC(_security_ekcd, OID_AUTO, key, CTLTYPE_OPAQUE | CTLFLAG_WR, NULL, 0,
-    kerneldump_sysctl_key, "", "Key");
-
-SYSCTL_PROC(_security_ekcd, OID_AUTO, encryptedkey, CTLTYPE_OPAQUE | CTLFLAG_WR,
-    NULL, 0, kerneldump_sysctl_encryptedkey, "", "Encrypted key");
+SYSCTL_PROC(_security_ekcd, OID_AUTO, setup, CTLTYPE_OPAQUE | CTLFLAG_WR, NULL,
+    0, kerneldump_sysctl_setup, "", "Setup");
 #endif /* EKCD */
 
 /*
@@ -884,6 +880,9 @@
 	kdc->kdc_lastoffset = 0;
 	kdc->kdc_lastlength = 0;
 
+	di->kdc = kdc;
+	di->kdk = kdk;
+
 	return (0);
 }
 
@@ -901,47 +900,36 @@
 	if (error != 0)
 		return (error);
 
-	if (enable == 1)
-		dumper.kdk = dumpkey;
-	else
+	if (enable == 0) {
+		free(dumpkey, M_KDK);
+		dumpkey = NULL;
 		dumper.kdk = NULL;
+	}
 
 	return (0);
 }
 
 static int
-kerneldump_sysctl_key(SYSCTL_HANDLER_ARGS)
+kerneldump_sysctl_setup(SYSCTL_HANDLER_ARGS)
 {
+	struct kerneldumpsetup kds;
+	struct kerneldumpkey *kdk;
+	size_t kdksize;
 	int error;
 
 	if (req->newptr == NULL)
 		return (EPERM);
 
-	error = sysctl_handle_opaque(oidp, dumpcrypto.kdc_key,
-	    sizeof(dumpcrypto.kdc_key), req);
+	error = sysctl_handle_opaque(oidp, &kds, sizeof(kds), req);
 	if (error != 0)
 		return (error);
 
+	bcopy(kds.kds_key, dumpcrypto.kdc_key, sizeof(dumpcrypto.kdc_key));
 	arc4rand(dumpcrypto.kdc_iv, sizeof(dumpcrypto.kdc_iv), 0);
 
-	return (kerneldump_crypto_init(&dumper, &dumpcrypto, dumpkey));
-}
-
-static int
-kerneldump_sysctl_encryptedkey(SYSCTL_HANDLER_ARGS)
-{
-	struct kerneldumpkey *kdk;
-	size_t encryptedkeylen, kdksize;
-	int error;
-
-	if (req->newptr == NULL)
-		return (EPERM);
-
-	encryptedkeylen = req->newlen;
-	kdksize = ((sizeof(*kdk) + encryptedkeylen +
+	kdksize = ((sizeof(*kdk) + kds.kds_encryptedkeylen +
 	    KERNELDUMP_BLOCK_SIZE - 1) / KERNELDUMP_BLOCK_SIZE) *
 	    KERNELDUMP_BLOCK_SIZE;
-
 	kdk = (struct kerneldumpkey *)malloc(kdksize, M_KDK, M_WAITOK);
 	if (kdk == NULL)
 		return (ENOMEM);
@@ -950,7 +938,7 @@
 	kdk->kdk_algorithm = CRYPTO_AES_CBC;
 	kdk->kdk_keysize = KERNELDUMP_KEY_SIZE;
 	bcopy(dumpcrypto.kdc_iv, kdk->kdk_iv, sizeof(kdk->kdk_iv));
-	kdk->kdk_encryptedkeylen = encryptedkeylen;
+	kdk->kdk_encryptedkeylen = kds.kds_encryptedkeylen;
 
 	error = sysctl_handle_opaque(oidp, kdk->kdk_encryptedkey,
 	    kdk->kdk_encryptedkeylen, req);
@@ -963,7 +951,7 @@
 	dumpkey = kdk;
 	dumper.kdk = dumpkey;
 
-	return (0);
+	return (kerneldump_crypto_init(&dumper, &dumpcrypto, dumpkey));
 }
 #endif /* EKCD */
 

Modified: soc2013/def/crashdump-head/sys/sys/kerneldump.h
==============================================================================
--- soc2013/def/crashdump-head/sys/sys/kerneldump.h	Mon Aug 17 13:07:12 2015	(r289826)
+++ soc2013/def/crashdump-head/sys/sys/kerneldump.h	Mon Aug 17 15:27:26 2015	(r289827)
@@ -91,6 +91,12 @@
 	uint32_t	parity;
 };
 
+struct kerneldumpsetup {
+	uint8_t		kds_key[KERNELDUMP_KEY_SIZE];
+	uint32_t	kds_encryptedkeylen;
+	uint8_t		kds_encryptedkey[];
+};
+
 struct kerneldumpkey {
 	uint32_t	kdk_size;
 	uint8_t		kdk_algorithm;

More information about the svn-soc-all mailing list