[vox-tech] Secure kernel panic

Bill Broadley bill at broadley.org
Fri Dec 17 11:28:04 PST 2010


On 12/17/2010 09:39 AM, Nicole Carlson wrote:
> Hello, beautiful people!  How I have missed you.
>
> A question for your enormous brains.  Suppose that the kernel panics.
> Further suppose that I do NOT want it to dump core.

I don't believe it's the default.  Are you worried about it dumping core 
without you asking?  Or are you worried that someone with physical access to 
the machine could force it to dump core?

> Can I set up the
> system to do this?  Can I set up the system to perform any arbitrary
> commands when the kernel panics?  If so, how?

I believe it's a compile-time option for the kernel side, plus user-space 
tools.  The trick is that in a panic you need to trust as little of the kernel 
as possible to avoid trashing a filesystem.  So you'll need diskdump (write to 
disk), netdump (dump to net), and/or kdump.  Source for these tools will give 
you an idea of what is necessary to handle a kernel dump.  Because it's unsafe 
to trust the filesystem code, typically if you are writing to disk you either 
give it a device, a partition, or a swap partition.

If you don't have dmesg on boot mentioning the dump utility you are using 
(kdump, netdump, or diskdump) or a /proc/diskdump (or related) then you likely 
don't have it enabled, which might be what you want.

> The motivation behind all this: I'm trying to figure out how to get
> Linux on satellites.

Cool.

> One of the barriers is paperwork: the gub'mint
> says "You must do X, Y, and Z".  One of those requirements is that all
> system startups, shutdowns, and aborts keep the system in a secure
> state.  Secure aborts is the one I'm having trouble proving--I think
> that dumping core is a problem, because it preserves possibly
> sensitive information (internal state at the time of panic) in a place
> that isn't supposed to hold it (namely, wherever the core is dumped,
> which appears to be in the swap space.)

Swap is one of the choices, but the dumps are optional.

> If I'm wildly off-base, please advise.

I'm a bit fuzzy on the threat.  Not like a normal user can read blocks from 
the swap device.  Not like Linux doesn't zero-fill pages you ask the OS for. 
You are trying to protect against the root user?  From someone injecting errors 
into the kernel and then stealing the disk drive?  Or just satisfying some 
arbitrary piece of bureaucratic security policy?  Disabling kernel dumps seems 
rather straightforward and depending on your OS/distro might even be disabled 
by default.

Swap has similar problems BTW.  You could encrypt a filesystem or device if 
you want to protect from someone stealing your machine and then reading the 
filesystem/block device.
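The reply above suggests checking dmesg and the kernel's dump interfaces to confirm that crash dumps are off before claiming a "secure abort". The following script is an added example, not code from the thread or from any of the dump tools it names. It reads two interfaces that mainline kernels with kexec/kdump support expose, /sys/kernel/kexec_crash_loaded and the crashkernel= parameter in /proc/cmdline, and greps a saved copy of the kernel log for the tool names mentioned in the reply. Each check takes a root prefix so the same functions can run against a constructed fixture tree; the dmesg text in the test below is constructed sample input.

```shell
#!/bin/sh
# Added example (not from the original post): audit whether a Linux system is
# set up to write a kernel crash dump at panic time.
#   /sys/kernel/kexec_crash_loaded  - "1" when a kexec crash (capture) kernel is loaded
#   /proc/cmdline                   - crashkernel= reserves memory for that kernel
# The first argument of each check is a root prefix (empty for the live system)
# so the functions can be run against a fixture tree instead of the real /proc
# and /sys.

# Returns 0 when a kexec crash kernel is loaded, 1 otherwise.
crash_kernel_loaded() {
    f="${1:-}/sys/kernel/kexec_crash_loaded"
    if [ -r "$f" ] && [ "$(cat "$f")" = "1" ]; then
        return 0
    fi
    return 1
}

# Returns 0 when the boot command line reserves crashkernel memory, 1 otherwise.
crashkernel_reserved() {
    f="${1:-}/proc/cmdline"
    if [ -r "$f" ] && grep -q 'crashkernel=' "$f"; then
        return 0
    fi
    return 1
}

# Prints how many lines of a saved kernel log (dmesg output) mention one of the
# dump tools named in the thread. Prints 0 when none match or the file is absent.
dump_tool_mentions() {
    n=$(grep -c -i -E 'kdump|netdump|diskdump' "$1" 2>/dev/null) || n=0
    echo "${n:-0}"
}

# Prints "armed" when any crash-dump path is live (kernel memory could land on
# disk, swap or the network at panic time), otherwise "disarmed".
crashdump_audit() {
    root="${1:-}"
    log="${2:-/dev/null}"
    if crash_kernel_loaded "$root" || crashkernel_reserved "$root" \
       || [ "$(dump_tool_mentions "$log")" -gt 0 ]; then
        echo "armed"
    else
        echo "disarmed"
    fi
}

# Live run: ./crashdump_audit.sh --live  (reads the kernel ring buffer if allowed)
if [ "${1:-}" = "--live" ]; then
    tmp=$(mktemp)
    dmesg > "$tmp" 2>/dev/null || true
    echo "crash dump: $(crashdump_audit "" "$tmp")"
    rm -f "$tmp"
fi
```

An "armed" result means kernel memory, including whatever keys or buffers were live at the panic, can be written out by the capture kernel; "disarmed" is the state the reply calls the likely default. Turning it off on a distribution that ships kdump means not loading the crash kernel (the service name varies by distro) and dropping crashkernel= from the boot line; if the dump or swap target has to stay, encrypting that block device addresses the stolen-disk case the reply describes.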
