lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 7 Jun 2024 20:26:22 +0800
From: Coiby Xu <coxu@...hat.com>
To: Baoquan He <bhe@...hat.com>
Cc: kexec@...ts.infradead.org, Ondrej Kozina <okozina@...hat.com>, 
	Milan Broz <gmazyland@...il.com>, Thomas Staudt <tstaudt@...ibm.com>, 
	Daniel P . Berrangé <berrange@...hat.com>, Kairui Song <ryncsn@...il.com>, 
	Jan Pazdziora <jpazdziora@...hat.com>, Pingfan Liu <kernelfans@...il.com>, 
	Dave Young <dyoung@...hat.com>, linux-kernel@...r.kernel.org, x86@...nel.org, 
	Dave Hansen <dave.hansen@...el.com>, Vitaly Kuznetsov <vkuznets@...hat.com>
Subject: Re: [PATCH v4 0/7] Support kdump with LUKS encryption by reusing
 LUKS volume keys

Hi Baoquan,

On Fri, Jun 07, 2024 at 06:06:18PM +0800, Baoquan He wrote:
>Hi Coiby,
>
>On 05/23/24 at 01:04pm, Coiby Xu wrote:
>> LUKS is the standard for Linux disk encryption. Many users choose LUKS
>> and in some use cases like Confidential VM it's mandated. With kdump
>> enabled, when the 1st kernel crashes, the system could boot into the
>> kdump/crash kernel and dump the memory image i.e. /proc/vmcore to a
>> specified target. Currently, when dumping vmcore to a LUKS
>> encrypted device, there are two problems,
>
>I am done with this round of reviewing. The overall approach looks good
>to me, while there are places to improve or fix. I have added comment on
>all things I am concerned about, please check. Thanks for the effort.

Thanks for taking time on thoroughly reviewing the patches and
suggesting various improvements! I believe all comments have been
addressed now except for testing sme/tdx:)

>
>By the way, do you get confirmation on the solution from encryption/keys
>developer of redhat internally or upstream? With my understanding, it
>looks good. It may need their confirmation or approval in some ways.

Yes, actually cryptsetup's maintainer Milan pointed me to
libcryptsetup's new API and suggested me to reach out to Ondrej for
help. And Ondrej has already finished the major work in upstream
cryptsetup and systemd. But it will be good for them to have further
confirmation and I'll ask for their help. Thanks for the reminder!

>
>Thanks
>Baoquan
>

-- 
Best regards,
Coiby

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ