Re: how to (really) cleanly shutdown the system when root is on multiple stacked block devices

view
thread

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Christoph Anton Mitterer

Subject: Re: how to (really) cleanly shutdown the system when root is on multiple stacked block devices

Date: Saturday, June 26, 2010 - 9:44 am

On Sat, 2010-06-26 at 18:17 +0200, Milan Broz wrote:
quoted text> For the device-mapper device (and this applies to other type devices too),
> you cannot remove device (unload mapping table) when device is still open.
You just mean I cannot remove/close it, until something above (e.g.
filesystem) is still open/mounted? Yeah that was clear (and that's good,
isn't it?!)


quoted text> This applies even for active stacked mapping of devices (LVM over LUKS)
> - you cannot remove LUKS device while LVs are active on top of it.
> (even unmounted)
clear clear ... :)


quoted text> remount RO will not help here - it still keeps the device open.
of course :)


quoted text> With recent kernel and flush (issuing barrier internally) device-mapper
> properly propagates barrier request.
a) What is recent? ;)
b) The barrier thingy,... does it have to be supported by the thing
(e.g. filesystem, LV, etc.) on top? Or is this something generically
implemented for flushing?


quoted text> But note that you are running shutdown scripts from device itself
> if it is root-fs script itself produces reads to the device.
> ...
Uhm what exactly do you mean?


quoted text> btw block device flush is implemented using barrier too.
So I understand,.. this means it is something "separate"... and
regardless of whether the filesystem on top supports barriers itself,...
I'll have everything flushed out to disk when doing the remount,ro...
even if the block layer devices below are not yet closed.


quoted text> From the data integrity point of view, remounting to RO should probably
> be enough (correct me please if I am wrong:-).
Great :) And I guess you can speak for both lvm and dm-crypt ?! :)
And it should probably also flush through md,... as it's also dm?


quoted text> But from the security point of view dm-crypt encryption key remains in memory
> because you cannot properly remove LUKS device thus wipe the key.
> 
> Anyone with proper boot image can recover such key from RAM memory using
> so called cold-boot attack.
How long is this about staying in the RAM (after poweroff)?
And after reboot.... isn't everything set to 0x0? Otherwise,... booting
e.g. another OS or a compromised Linux could leak the key...


quoted text> You have several options how to solve this, but I am afraid all require
> some kind of ramdisk, where are the basic tools are copied before unmounting
> root-fs and unmapping devices and reboot.
I've already feared that... so we need de-initramfs? ;)


quoted text> (For non-root devices it is easy, you can even call luksSuspend to wipe
> key on still active device as workaround before reboot.
I guess non-root devices should be cleanly closed, with luksClose, or
not?


quoted text> After luksSuspend
> device is frozen - until the key is provided back using luksResume.
> So only some e.g. page cache leaks of plaintext data are possible -
> but not encryption key itself.)
Isn't it possible to patch the kernel,.. that always when halting or
rebooting,.. it "simply" wipes _ALL_ dm-cryptkeys available,...
And why/how are plaintext leaks possible?


quoted text> I mean something like this on shutdown:
> 
> - create ramdisk containing basic utilities
>    (mount, sync, lvm, cryptsetup, halt, etc)
> - remount device read-only, iow sync and flush write IO
> - switch to ramdisk, all command now must run from there
> - try to cleanly unmout root-fs, deactivate underlying LV, deactivate LUKS
>    - if deactivation fails, fallback to wipe LUKS device key in memory
>      using luksSuspend
>    (more options here, like trying to dmsetup remove -f do remap to error target,
>     which disconnects underlying devices and allows deactivate them,
>     but it is quite dangerous)
> - reboot
> 
> (sounds like we need shutdownramfs but initramfs can be probably reused here:-)
Already thought about that before,... but it seems impossible to me,...
to convice distros to do that...
And it's quite complex I guess,... given the fact that there are
basically arbitrary ways to stack your block devices...


Right now when I shutdown,... I get errors for lvm/dm-crypt/md,... as
they all can't close there devices,... as the root-fs is just ro-mounted
(ok the Debian cryptsetup package seems to not display that error,.. but
it's probably there).
Nevertheless,... what should "we" do now?
- Always seeing a "failed" is rather ugly
- One could simply not call the appropriate initscripts for stopping in
rc0 and rc6.
This would however affect all such devices,... not only those where the
root-fs is on top.
But I guess it's rather complex to find out the correct ones and skip
the error-message only for them...
And it does not solve the crypto-leak issue :(



Cheers,
Chris.

--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

how to (really) cleanly shutdown the system when root is o ..., Christoph Anton Mitterer, (Sat Jun 26, 4:44 am)

Re: how to (really) cleanly shutdown the system when root ..., Milan Broz, (Sat Jun 26, 9:17 am)

Re: how to (really) cleanly shutdown the system when root ..., Christoph Anton Mitterer, (Sat Jun 26, 9:44 am)

Re: how to (really) cleanly shutdown the system when root ..., Milan Broz, (Sat Jun 26, 12:17 pm)

Re: how to (really) cleanly shutdown the system when root ..., Christoph Anton Mitterer, (Sat Jun 26, 4:10 pm)

Re: how to (really) cleanly shutdown the system when root ..., Christoph Anton Mitterer, (Sat Jun 26, 7:34 pm)

Re: how to (really) cleanly shutdown the system when root ..., Christoph Anton Mitterer, (Sat Jun 26, 7:38 pm)

Navigation

Popular discussions


linux-kernel:
Christoph Lameter	[PATCH 1/2] Make page->private usable in compound pages V1
Luben Tuikov	Re: Integration of SCST in the mainstream Linux kernel
Alexey Dobriyan	Re: [2.6.22.2 review 09/84] Fix rfkill IRQ flags.
Michal Nazarewicz	Re: [PATCH] USB: Gadget: g_multi: added INF file for gadget with multiple configur...
Jesse Barnes	Re: PCI probing changes
git:
Jakub Narebski	Re: GSoC 2008 - Mentors Wanted!
Jan Harkes	Re: git-svn and huge data and modifying the git-svn-HEAD branch directly
Andy Parkins	git-fetch fails with error code 128
Marcus Griep	Re: [PATCH 1/3] Git.pm: Add faculties to allow temp files to be cached
Junio C Hamano	Re: [JGIT PATCH 2/2] Decrease the fetch pack client buffer to the lower minimum
git-commits-head:
Linux Kernel Mailing List	ARM: 5970/1: nomadik-gpio: fix spinlock usage
Linux Kernel Mailing List	sh-sci: update receive error handling for muxed irqs
Linux Kernel Mailing List	No need to do lock_super() for exclusion in generic_shutdown_super()
Linux Kernel Mailing List	x86, msr: Export the register-setting MSR functions via /dev/*/msr
Linux Kernel Mailing List	Input: gpio-keys - add support for disabling gpios through sysfs
linux-netdev:
Eric Dumazet	[PATCH] net: ALIGN/PTR_ALIGN cleanup in alloc_netdev_mq()/netdev_priv()
Patrick McHardy	[NET_SCHED]: sch_ingress: remove netfilter support
Rose, Gregory V	RE: __bad_udelay in network driver breaks build
Patrick McHardy	Re: no reassembly for outgoing packets on RAW socket
Frans Pop	svc: failed to register lockdv1 RPC service (errno 97).
openbsd-misc:
ropers	Re: Real men don't attack straw men
elitdostlar	Seks partneri arayan bayanlar bu adreste - 8878xs706x6438
Marcus Andree	Re: This is what Linus Torvalds calls openBSD crowd
Lars D. Noodén	Re: sshd.config and AllowUsers
Henning Brauer	Re: Sun Blade 1000?

Colocation donated by:

Syndicate