Support dumping to a LUKS-encrypted target

Based on the new kernel feature that dm-crypt keys can persist for the
kdump kernel [1][2], this patch which is adapted from [3]
1) ask the 1st kernel to save a copy of the LUKS volume keys
2) ask the kdump kernel to add the copy of the LUKS volume keys to
   specified keyring and then use --volume-key-keyring the unlock the
   LUKS device.

Users need to set up the link-volume-key option in /etc/crypttab (man
crypttab) so kdumpctl can read the key from @U::%logon:cryptsetup:UUID
and instruct the kernel to save it to kdump-reserved memory.

[1] https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/kdump/kdump.rst#write-the-dump-file-to-encrypted-disk-volume
[2] torvalds/linux@180cf31
[3] https://lists.fedorahosted.org/archives/list/[email protected]/message/Y3KUSJQPN3JHUUC2FPIK7H4HTSX2TUCX/

Signed-off-by: Coiby Xu <[email protected]>

Author: coiby

dracut/99kdumpbase/kexec-crypt-setup.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+#
+echo true > /sys/kernel/config/crash_dm_crypt_keys/restore

dracut/99kdumpbase/module-setup.sh

@@ -1094,6 +1094,50 @@ ForwardToConsole=yes
 EOF
 }
 
+kdump_check_crypt_targets() {
+    local _luks_dev _devuuid _key_desc
+    declare -a _luks_devs
+
+    mapfile -t _luks_devs < <(get_all_kdump_crypt_dev)
+
+    if [[ ${#_luks_devs[@]} -lt 1 ]]; then
+        return
+    fi
+
+    if [[ ! -d $LUKS_CONFIGFS ]]; then
+        dwarn "$LUKS_CONFIGFS not available"
+        return 1
+    fi
+
+    # This overrides behaviour of 90crypt
+    inst cryptsetup
+    instmods dm_crypt
+
+    echo > "$initdir/etc/cmdline.d/90crypt.conf"
+    echo > "$initdir/etc/crypttab"
+    echo > "${initdir}/sbin/crypt-run-generator"
+
+    # configfs is mounted after dracut pre-udev hook
+    # shellcheck disable=SC2154
+    inst_hook initqueue 20 "$moddir/kexec-crypt-setup.sh"
+
+    # shellcheck disable=SC2154
+    mkdir -p "$hookdir/initqueue/finished"
+    CRYPTSETUP_PATH=$(command -v cryptsetup)
+    for _luks_dev in "${_luks_devs[@]}"; do
+        _devuuid=$(maj_min_to_uuid "$_luks_dev")
+        _key_desc=$LUKS_KEY_PRFIX$_devuuid
+        cat << EOF >> "${initdir}/etc/udev/rules.d/70-luks-kdump.rules"
+ENV{ID_FS_UUID}=="$_devuuid", \
+RUN+="/sbin/initqueue  --settled --unique --onetime --name kdump-crypt-target-%k \
+$CRYPTSETUP_PATH luksOpen --volume-key-keyring \
+%%user:$_key_desc \$env{DEVNAME} luks-$_devuuid"
+EOF
+    done
+
+    dracut_need_initqueue
+}
+
 install() {
     declare -A unique_netifs ovs_unique_netifs ipv4_usage ipv6_usage
     local is_nvmf
@@ -1146,6 +1190,8 @@ install() {
 
     kdump_check_nvmf_target
 
+    kdump_check_crypt_targets
+
     kdump_install_systemd_conf
 
     # nfs/ssh dump will need to get host ip in second kernel and need to call 'ip' tool, see get_host_ip for more detail

kdump-lib-initramfs.sh

@@ -11,6 +11,10 @@ KDUMP_CONFIG_FILE="/etc/kdump.conf"
 FENCE_KDUMP_SEND="/usr/libexec/fence_kdump_send"
 # shellcheck disable=SC2034
 LVM_CONF="/etc/lvm/lvm.conf"
+# shellcheck disable=SC2034
+LUKS_CONFIGFS=/sys/kernel/config/crash_dm_crypt_keys
+# shellcheck disable=SC2034
+LUKS_KEY_PRFIX="systemd-cryptsetup:vk-"
 
 # Read kdump config in well formated style
 kdump_read_conf()

kdumpctl

@@ -52,6 +52,7 @@ trap '
     ret=$?;
     is_mounted $TMPMNT && umount -f $TMPMNT;
     rm -rf "$KDUMP_TMPDIR"
+    [[ -d $LUKS_CONFIGFS ]] && find $LUKS_CONFIGFS/ -mindepth 1 -type d -delete
     exit $ret;
     ' EXIT
 
@@ -731,6 +732,11 @@ load_kdump()
 	args+=("--initrd=$TARGET_INITRD")
 	args+=("$KDUMP_KERNEL")
 
+	if ! prepare_luks; then
+		derror "kexec: failed to prepare for a LUKS target"
+		return 1
+	fi
+
 	ddebug "$KEXEC ${args[*]}"
 	if $KEXEC "${args[@]}"; then
 		dinfo "kexec: loaded kdump kernel"
@@ -1050,6 +1056,36 @@ check_final_action_config()
 	esac
 }
 
+prepare_luks()
+{
+	local _luks_dev _key_id _key_des
+	declare -a _luks_devs
+
+	mapfile -t _luks_devs < <(get_all_kdump_crypt_dev)
+
+	if [[ ${#_luks_devs[@]} -lt 1 ]]; then
+		return
+	fi
+
+	if [[ ! -d $LUKS_CONFIGFS ]]; then
+		dwarn "$LUKS_CONFIGFS not available, please use a newer kernel."
+		return 1
+	fi
+
+	for _luks_dev in "${_luks_devs[@]}"; do
+		_devuuid=$(maj_min_to_uuid "$_luks_dev")
+		_key_dir=$LUKS_CONFIGFS/$_devuuid
+		_key_des=$LUKS_KEY_PRFIX$_devuuid
+		if _key_id=$(keyctl request logon "$_key_des" 2> /dev/null); then
+			mkdir "$_key_dir"
+			printf "%s" "$_key_des" > "$_key_dir"/description
+		else
+			derror "Failed to get logon key $_key_des. Ensure the link-volume-key option is correctly set up in /etc/crypttab (see man crypttab) and that the key is available."
+			return 1
+		fi
+	done
+}
+
 start()
 {
 	check_dump_feasibility || return

mkdumprd

@@ -318,21 +318,6 @@ handle_default_dump_target()
 	check_size fs "$_target"
 }
 
-check_crypt()
-{
-	local _dev
-
-	for _dev in $(get_kdump_targets); do
-		if [[ -n $(get_luks_crypt_dev "$(get_maj_min "$_dev")") ]]; then
-			derror "Device $_dev is encrypted." && return 1
-		fi
-	done
-}
-
-if ! check_crypt; then
-	dwarn "Warning: Encrypted device is in dump path, which is not recommended, see kexec-kdump-howto.txt for more details."
-fi
-
 # firstly get right SSH_KEY_LOCATION
 keyfile=$(kdump_get_conf_val sshkey)
 if [[ -f $keyfile ]]; then

supported-kdump-targets.txt

@@ -49,6 +49,7 @@ storage:
         NVMe-FC (qla2xxx, lpfc)
         NVMe/TCP configured by NVMe Boot Firmware Table (users may need to
             increase the crashkernel value)
+        LUKS-encrypted volume
 
 network:
         Hardware using kernel modules: (igb, ixgbe, ice, i40e, e1000e, igc,