aboutsummaryrefslogtreecommitdiffstats
path: root/sbin/decryptcore
diff options
context:
space:
mode:
authorKonrad Witaszczyk <def@FreeBSD.org>2016-12-10 16:20:39 +0000
committerKonrad Witaszczyk <def@FreeBSD.org>2016-12-10 16:20:39 +0000
commit480f31c214725f732a6d0e8ef4cd7c56ff98e155 (patch)
tree3333be885c7a29334059f5a66c38dc0a367f3a7f /sbin/decryptcore
parentaced69428c850b869d28355e41a0c4e7495fceaf (diff)
downloadsrc-480f31c214725f732a6d0e8ef4cd7c56ff98e155.tar.gz
src-480f31c214725f732a6d0e8ef4cd7c56ff98e155.zip
Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and savecore(8). A new tool called decryptcore(8) was added. A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump configuration in the diocskerneldump_arg structure to the kernel. The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for backward ABI compatibility. dumpon(8) generates an one-time random symmetric key and encrypts it using an RSA public key in capability mode. Currently only AES-256-CBC is supported but EKCD was designed to implement support for other algorithms in the future. The public key is chosen using the -k flag. The dumpon rc(8) script can do this automatically during startup using the dumppubkey rc.conf(5) variable. Once the keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O control. When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random IV and sets up the key schedule for the specified algorithm. Each time the kernel tries to write a crash dump to the dump device, the IV is replaced by a SHA-256 hash of the previous value. This is intended to make a possible differential cryptanalysis harder since it is possible to write multiple crash dumps without reboot by repeating the following commands: # sysctl debug.kdb.enter=1 db> call doadump(0) db> continue # savecore A kernel dump key consists of an algorithm identifier, an IV and an encrypted symmetric key. The kernel dump key size is included in a kernel dump header. The size is an unsigned 32-bit integer and it is aligned to a block size. The header structure has 512 bytes to match the block size so it was required to make a panic string 4 bytes shorter to add a new field to the header structure. If the kernel dump key size in the header is nonzero it is assumed that the kernel dump key is placed after the first header on the dump device and the core dump is encrypted. Separate functions were implemented to write the kernel dump header and the kernel dump key as they need to be unencrypted. The dump_write function encrypts data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps are not supported due to the way they are constructed which makes it impossible to use the CBC mode for encryption. It should be also noted that textdumps don't contain sensitive data by design as a user decides what information should be dumped. savecore(8) writes the kernel dump key to a key.# file if its size in the header is nonzero. # is the number of the current core dump. decryptcore(8) decrypts the core dump using a private RSA key and the kernel dump key. This is performed by a child process in capability mode. If the decryption was not successful the parent process removes a partially decrypted core dump. Description on how to encrypt crash dumps was added to the decryptcore(8), dumpon(8), rc.conf(5) and savecore(8) manual pages. EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU. The feature still has to be tested on arm and arm64 as it wasn't possible to run FreeBSD due to the problems with QEMU emulation and lack of hardware. Designed by: def, pjd Reviewed by: cem, oshogbo, pjd Partial review: delphij, emaste, jhb, kib Approved by: pjd (mentor) Differential Revision: https://reviews.freebsd.org/D4712
Notes
Notes: svn path=/head/; revision=309818
Diffstat (limited to 'sbin/decryptcore')
-rw-r--r--sbin/decryptcore/Makefile13
-rw-r--r--sbin/decryptcore/decryptcore.8114
-rw-r--r--sbin/decryptcore/decryptcore.c373
3 files changed, 500 insertions, 0 deletions
diff --git a/sbin/decryptcore/Makefile b/sbin/decryptcore/Makefile
new file mode 100644
index 000000000000..be8b6d1c5934
--- /dev/null
+++ b/sbin/decryptcore/Makefile
@@ -0,0 +1,13 @@
+# $FreeBSD$
+
+PROG= decryptcore
+
+LIBADD= crypto pjdlog
+
+MAN= decryptcore.8
+
+CFLAGS+=-I${.CURDIR}/../../lib/libpjdlog
+
+WARNS?= 6
+
+.include <bsd.prog.mk>
diff --git a/sbin/decryptcore/decryptcore.8 b/sbin/decryptcore/decryptcore.8
new file mode 100644
index 000000000000..d21667c0784f
--- /dev/null
+++ b/sbin/decryptcore/decryptcore.8
@@ -0,0 +1,114 @@
+.\" Copyright (c) 2016 Konrad Witaszczyk <def@FreeBSD.org>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd December 10, 2016
+.Dt DECRYPTCORE 8
+.Os
+.Sh NAME
+.Nm decryptcore
+.Nd "decrypt a core dump of the operating system"
+.Sh SYNOPSIS
+.Nm
+.Op Fl Lv
+.Fl p Ar privatekeyfile
+.Fl k Ar keyfile
+.Fl e Ar encryptedcore
+.Fl c Ar core
+.Nm
+.Op Fl Lv
+.Op Fl d Ar crashdir
+.Fl p Ar privatekeyfile
+.Fl n Ar dumpnr
+.Sh DESCRIPTION
+The
+.Nm
+first decrypts
+.Ar keyfile
+using
+.Ar privatekeyfile
+and then uses the resulting key to decrypt
+.Ar encryptedcore
+saved by
+.Xr savecore 8 .
+Result is saved in
+.Ar core .
+.Pp
+Alternatively a user can decrypt a core dump numbered
+.Ar dumpnr
+from the
+.Ar crashdir
+directory.
+In this case a dump key from the
+.Pa key.#
+file is used and the result is saved in the
+.Pa vmcore.#
+file where
+.Dq #
+corresponds to
+.Ar dumpnr .
+.Pp
+The
+.Nm
+utility can be started with the following command line arguments:
+.Bl -tag -width ".Fl e Ar encryptedcore"
+.It Fl L
+Write log messages to
+.Xr syslogd 8 .
+.It Fl v
+Print or log verbose/debugging information.
+This option can be specified multiple times to raise the verbosity
+level.
+.It Fl p Ar privatekeyfile
+Specify location of a private key file which will be used to decrypt a dump key
+file.
+.It Fl k Ar keyfile
+Specify location of a dump key file.
+.It Fl e Ar encrytpedcore
+Specify location of an encrypted core.
+.It Fl c Ar core
+Specify location of a resulting decrypted core dump.
+.It Fl d Ar crashdir
+Specify an alternative crash dump directory. The default crash dump directory is
+.Pa /var/crash .
+.It Fl n Ar dumpnr
+Specify a number of a crash dump to be decrypted.
+.El
+.Sh EXIT STATUS
+The
+.Nm
+utility exits 0 on success, and >0 if an error occurs.
+.Sh SEE ALSO
+.Xr capsicum 4 ,
+.Xr dumpon 8 ,
+.Xr kgdb 1 ,
+.Xr savecore 8 ,
+.Xr syslogd 8
+.Sh AUTHORS
+The
+.Nm
+was implemented by
+.An -nosplit
+.An Konrad Witaszczyk Aq Mt def@FreeBSD.org .
diff --git a/sbin/decryptcore/decryptcore.c b/sbin/decryptcore/decryptcore.c
new file mode 100644
index 000000000000..758e4c8c0fea
--- /dev/null
+++ b/sbin/decryptcore/decryptcore.c
@@ -0,0 +1,373 @@
+/*-
+ * Copyright (c) 2016 Konrad Witaszczyk <def@FreeBSD.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/types.h>
+#include <sys/capsicum.h>
+#include <sys/endian.h>
+#include <sys/kerneldump.h>
+#include <sys/stat.h>
+#include <sys/sysctl.h>
+#include <sys/wait.h>
+
+#include <ctype.h>
+#include <fcntl.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <openssl/evp.h>
+#include <openssl/pem.h>
+#include <openssl/rsa.h>
+#include <openssl/engine.h>
+
+#include "pjdlog.h"
+
+#define DECRYPTCORE_CRASHDIR "/var/crash"
+
+static void
+usage(void)
+{
+
+ pjdlog_exitx(1,
+ "usage: decryptcore [-Lv] -p privatekeyfile -k keyfile -e encryptedcore -c core\n"
+ " decryptcore [-Lv] [-d crashdir] -p privatekeyfile -n dumpnr");
+}
+
+static int
+wait_for_process(pid_t pid)
+{
+ int status;
+
+ if (waitpid(pid, &status, WUNTRACED | WEXITED) == -1) {
+ pjdlog_errno(LOG_ERR, "Unable to wait for a child process");
+ return (1);
+ }
+
+ if (WIFEXITED(status))
+ return (WEXITSTATUS(status));
+
+ return (1);
+}
+
+static struct kerneldumpkey *
+read_key(int kfd)
+{
+ struct kerneldumpkey *kdk;
+ ssize_t size;
+ size_t kdksize;
+
+ PJDLOG_ASSERT(kfd >= 0);
+
+ kdksize = sizeof(*kdk);
+ kdk = calloc(1, kdksize);
+ if (kdk == NULL) {
+ pjdlog_errno(LOG_ERR, "Unable to allocate kernel dump key");
+ goto failed;
+ }
+
+ size = read(kfd, kdk, kdksize);
+ if (size == (ssize_t)kdksize) {
+ kdk->kdk_encryptedkeysize = dtoh32(kdk->kdk_encryptedkeysize);
+ kdksize += (size_t)kdk->kdk_encryptedkeysize;
+ kdk = realloc(kdk, kdksize);
+ if (kdk == NULL) {
+ pjdlog_errno(LOG_ERR, "Unable to reallocate kernel dump key");
+ goto failed;
+ }
+ size += read(kfd, &kdk->kdk_encryptedkey,
+ kdk->kdk_encryptedkeysize);
+ }
+ if (size != (ssize_t)kdksize) {
+ pjdlog_errno(LOG_ERR, "Unable to read key");
+ goto failed;
+ }
+
+ return (kdk);
+failed:
+ free(kdk);
+ return (NULL);
+}
+
+static bool
+decrypt(const char *privkeyfile, const char *keyfile, const char *input,
+ const char *output)
+{
+ uint8_t buf[KERNELDUMP_BUFFER_SIZE], key[KERNELDUMP_KEY_MAX_SIZE];
+ EVP_CIPHER_CTX ctx;
+ const EVP_CIPHER *cipher;
+ FILE *fp;
+ struct kerneldumpkey *kdk;
+ RSA *privkey;
+ int ifd, kfd, ofd, olen, privkeysize;
+ ssize_t bytes;
+ pid_t pid;
+
+ PJDLOG_ASSERT(privkeyfile != NULL);
+ PJDLOG_ASSERT(keyfile != NULL);
+ PJDLOG_ASSERT(input != NULL);
+ PJDLOG_ASSERT(output != NULL);
+
+ privkey = NULL;
+
+ /*
+ * Decrypt a core dump in a child process so we can unlink a partially
+ * decrypted core if the child process fails.
+ */
+ pid = fork();
+ if (pid == -1) {
+ pjdlog_errno(LOG_ERR, "Unable to create child process");
+ return (false);
+ }
+
+ if (pid > 0)
+ return (wait_for_process(pid) == 0);
+
+ kfd = open(keyfile, O_RDONLY);
+ if (kfd == -1) {
+ pjdlog_errno(LOG_ERR, "Unable to open %s", keyfile);
+ goto failed;
+ }
+ ifd = open(input, O_RDONLY);
+ if (ifd == -1) {
+ pjdlog_errno(LOG_ERR, "Unable to open %s", input);
+ goto failed;
+ }
+ ofd = open(output, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+ if (ofd == -1) {
+ pjdlog_errno(LOG_ERR, "Unable to open %s", output);
+ goto failed;
+ }
+ fp = fopen(privkeyfile, "r");
+ if (fp == NULL) {
+ pjdlog_errno(LOG_ERR, "Unable to open %s", privkeyfile);
+ goto failed;
+ }
+
+ if (cap_enter() < 0 && errno != ENOSYS) {
+ pjdlog_errno(LOG_ERR, "Unable to enter capability mode");
+ goto failed;
+ }
+
+ privkey = RSA_new();
+ if (privkey == NULL) {
+ pjdlog_error("Unable to allocate an RSA structure: %s",
+ ERR_error_string(ERR_get_error(), NULL));
+ goto failed;
+ }
+ EVP_CIPHER_CTX_init(&ctx);
+
+ kdk = read_key(kfd);
+ close(kfd);
+ if (kdk == NULL)
+ goto failed;
+
+ privkey = PEM_read_RSAPrivateKey(fp, &privkey, NULL, NULL);
+ fclose(fp);
+ if (privkey == NULL) {
+ pjdlog_error("Unable to read data from %s.", privkeyfile);
+ goto failed;
+ }
+
+ privkeysize = RSA_size(privkey);
+ if (privkeysize != (int)kdk->kdk_encryptedkeysize) {
+ pjdlog_error("RSA modulus size mismatch: equals %db and should be %ub.",
+ 8 * privkeysize, 8 * kdk->kdk_encryptedkeysize);
+ goto failed;
+ }
+
+ switch (kdk->kdk_encryption) {
+ case KERNELDUMP_ENC_AES_256_CBC:
+ cipher = EVP_aes_256_cbc();
+ break;
+ default:
+ pjdlog_error("Invalid encryption algorithm.");
+ goto failed;
+ }
+
+ if (RSA_private_decrypt(kdk->kdk_encryptedkeysize,
+ kdk->kdk_encryptedkey, key, privkey,
+ RSA_PKCS1_PADDING) != sizeof(key)) {
+ pjdlog_error("Unable to decrypt key: %s",
+ ERR_error_string(ERR_get_error(), NULL));
+ goto failed;
+ }
+ RSA_free(privkey);
+ privkey = NULL;
+
+ EVP_DecryptInit_ex(&ctx, cipher, NULL, key, kdk->kdk_iv);
+ EVP_CIPHER_CTX_set_padding(&ctx, 0);
+
+ explicit_bzero(key, sizeof(key));
+
+ do {
+ bytes = read(ifd, buf, sizeof(buf));
+ if (bytes < 0) {
+ pjdlog_errno(LOG_ERR, "Unable to read data from %s",
+ input);
+ goto failed;
+ } else if (bytes == 0) {
+ break;
+ }
+
+ if (bytes > 0) {
+ if (EVP_DecryptUpdate(&ctx, buf, &olen, buf,
+ bytes) == 0) {
+ pjdlog_error("Unable to decrypt core.");
+ goto failed;
+ }
+ } else {
+ if (EVP_DecryptFinal_ex(&ctx, buf, &olen) == 0) {
+ pjdlog_error("Unable to decrypt core.");
+ goto failed;
+ }
+ }
+
+ if (olen == 0)
+ continue;
+
+ if (write(ofd, buf, olen) != olen) {
+ pjdlog_errno(LOG_ERR, "Unable to write data to %s",
+ output);
+ goto failed;
+ }
+ } while (bytes > 0);
+
+ explicit_bzero(buf, sizeof(buf));
+ EVP_CIPHER_CTX_cleanup(&ctx);
+ exit(0);
+failed:
+ explicit_bzero(key, sizeof(key));
+ explicit_bzero(buf, sizeof(buf));
+ RSA_free(privkey);
+ EVP_CIPHER_CTX_cleanup(&ctx);
+ exit(1);
+}
+
+int
+main(int argc, char **argv)
+{
+ char core[PATH_MAX], encryptedcore[PATH_MAX], keyfile[PATH_MAX];
+ struct stat sb;
+ const char *crashdir, *dumpnr, *privatekey;
+ int ch, debug;
+ size_t ii;
+ bool usesyslog;
+
+ pjdlog_init(PJDLOG_MODE_STD);
+ pjdlog_prefix_set("(decryptcore) ");
+
+ debug = 0;
+ *core = '\0';
+ crashdir = NULL;
+ dumpnr = NULL;
+ *encryptedcore = '\0';
+ *keyfile = '\0';
+ privatekey = NULL;
+ usesyslog = false;
+ while ((ch = getopt(argc, argv, "Lc:d:e:k:n:p:v")) != -1) {
+ switch (ch) {
+ case 'L':
+ usesyslog = true;
+ break;
+ case 'c':
+ strncpy(core, optarg, sizeof(core));
+ break;
+ case 'd':
+ crashdir = optarg;
+ break;
+ case 'e':
+ strncpy(encryptedcore, optarg, sizeof(encryptedcore));
+ break;
+ case 'k':
+ strncpy(keyfile, optarg, sizeof(keyfile));
+ break;
+ case 'n':
+ dumpnr = optarg;
+ break;
+ case 'p':
+ privatekey = optarg;
+ break;
+ case 'v':
+ debug++;
+ break;
+ default:
+ usage();
+ }
+ }
+ argc -= optind;
+ argv += optind;
+
+ if (argc != 0)
+ usage();
+
+ /* Verify mutually exclusive options. */
+ if ((crashdir != NULL || dumpnr != NULL) &&
+ (*keyfile != '\0' || *encryptedcore != '\0' || *core != '\0')) {
+ usage();
+ }
+
+ /*
+ * Set key, encryptedcore and core file names using crashdir and dumpnr.
+ */
+ if (dumpnr != NULL) {
+ for (ii = 0; ii < strnlen(dumpnr, PATH_MAX); ii++) {
+ if (isdigit((int)dumpnr[ii]) == 0)
+ usage();
+ }
+
+ if (crashdir == NULL)
+ crashdir = DECRYPTCORE_CRASHDIR;
+ PJDLOG_VERIFY(snprintf(keyfile, sizeof(keyfile),
+ "%s/key.%s", crashdir, dumpnr) > 0);
+ PJDLOG_VERIFY(snprintf(core, sizeof(core),
+ "%s/vmcore.%s", crashdir, dumpnr) > 0);
+ PJDLOG_VERIFY(snprintf(encryptedcore, sizeof(encryptedcore),
+ "%s/vmcore_encrypted.%s", crashdir, dumpnr) > 0);
+ }
+
+ if (privatekey == NULL || *keyfile == '\0' || *encryptedcore == '\0' ||
+ *core == '\0') {
+ usage();
+ }
+
+ if (usesyslog)
+ pjdlog_mode_set(PJDLOG_MODE_SYSLOG);
+ pjdlog_debug_set(debug);
+
+ if (!decrypt(privatekey, keyfile, encryptedcore, core)) {
+ if (stat(core, &sb) == 0 && unlink(core) != 0)
+ pjdlog_exit(1, "Unable to remove core");
+ exit(1);
+ }
+
+ pjdlog_fini();
+
+ exit(0);
+}