1 .\" Copyright (c) 1980, 1991, 1993
2 .\" The Regents of the University of California. All rights reserved.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that the following conditions
7 .\" 1. Redistributions of source code must retain the above copyright
8 .\" notice, this list of conditions and the following disclaimer.
9 .\" 2. Redistributions in binary form must reproduce the above copyright
10 .\" notice, this list of conditions and the following disclaimer in the
11 .\" documentation and/or other materials provided with the distribution.
12 .\" 3. Neither the name of the University nor the names of its contributors
13 .\" may be used to endorse or promote products derived from this software
14 .\" without specific prior written permission.
16 .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
17 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
20 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 .\" From: @(#)swapon.8 8.1 (Berkeley) 6/5/93
35 .Nd "specify a device for crash dumps"
67 utility is used to configure where the kernel can save a crash dump in the case
70 System administrators should typically configure
72 in a persistent fashion using the
78 For more information on this usage, see
84 can configure a series of fallback dump devices.
85 For example, an administrator may prefer
87 by default, but if the
89 service cannot be reached or some other failure occurs, they might choose a
90 local disk dump as a second choice option.
92 .Bl -tag -width _k_pubkey
94 Insert the specified dump configuration into the prioritized fallback dump
95 device list at the specified index, starting at zero.
99 is not specified, the configured dump device is appended to the prioritized
102 Remove the specified dump device configuration or configurations from the
103 fallback dump device list rather than inserting or appending it.
109 removes all configured devices.
113 Configure encrypted kernel dumps.
115 A random, one-time symmetric key is automatically generated for bulk kernel
116 dump encryption every time
121 is used to encrypt a copy of the symmetric key.
122 The encrypted dump contents consist of a standard dump header, the
123 pubkey-encrypted symmetric key contents, and the symmetric key encrypted core
126 As a result, only someone with the corresponding private key can decrypt the symmetric key.
127 The symmetric key is necessary to decrypt the kernel core.
128 The goal of the mechanism is to provide confidentiality.
132 file should be a PEM-formatted RSA key of at least 2048 bits.
134 Select the symmetric algorithm used for encrypted kernel crash dump.
140 (AES256-CBC mode does not work in conjunction with compression.)
142 List the currently configured dump device(s), or /dev/null if no devices are
147 Enable compression (Zstandard).
149 Enable compression (gzip).
150 Only one compression method may be enabled at a time, so
155 Zstandard provides superior compression ratio and performance.
159 may also configure the kernel to dump to a remote
164 server is available in ports.)
166 eliminates the need to reserve space for crash dumps.
167 It is especially useful in diskless environments.
170 is used to configure netdump, the
174 parameter should specify a network interface (e.g.,
176 The specified NIC must be up (online) to configure netdump.
179 specific options include:
180 .Bl -tag -width _g_gateway
182 The local IP address of the
186 The first-hop router between
192 option is not specified and the system has a default route, the default
193 router is used as the
198 option is not specified and the system does not have a default route,
200 is assumed to be on the same link as
203 The IP address of the
208 All of these options can be specified in the
213 The default type of kernel crash dump is the mini crash dump.
214 Mini crash dumps hold only memory pages in use by the kernel.
215 Alternatively, full memory dumps can be enabled by setting the
220 For systems using full memory dumps, the size of the specified dump
221 device must be at least the size of physical memory.
222 Even though an additional 64 kB header is added to the dump, the BIOS for a
223 platform typically holds back some memory, so it is not usually
224 necessary to size the dump device larger than the actual amount of RAM
225 available in the machine.
226 Also, when using full memory dumps, the
228 utility will refuse to enable a dump device which is smaller than the
229 total amount of physical memory as reported by the
233 .Sh IMPLEMENTATION NOTES
234 Because the file system layer is already dead by the time a crash dump
235 is taken, it is not possible to send crash dumps directly to a file.
241 may be used to enable early kernel core dumps for system panics which occur
242 before userspace starts.
244 In order to generate an RSA private key, a user can use the
248 .Dl # openssl genrsa -out private.pem 4096
250 A public key can be extracted from the private key using the
254 .Dl # openssl rsa -in private.pem -out public.pem -pubout
256 Once the RSA keys are created in a safe place, the public key may be moved to
257 the untrusted netdump client machine.
262 to configure encrypted kernel crash dumps:
264 .Dl # dumpon -k public.pem /dev/ada0s1b
266 It is recommended to test if the kernel saves encrypted crash dumps using the
267 current configuration.
268 The easiest way to do that is to cause a kernel panic using the
272 .Dl # sysctl debug.kdb.panic=1
274 In the debugger the following commands should be typed to write a core dump and
282 should be able to save the core dump in the
288 .Dl # savecore /dev/ada0s1b
290 Three files should be created in the core directory:
294 .Pa vmcore_encrypted.#
297 is the number of the last core dump saved by
300 .Pa vmcore_encrypted.#
301 can be decrypted using the
305 .Dl # decryptcore -p private.pem -k key.# -e vmcore_encrypted.# -c vmcore.#
309 .Dl # decryptcore -p private.pem -n #
313 can be now examined using
314 .Xr kgdb 1 Pq Pa ports/devel/gdb :
316 .Dl # kgdb /boot/kernel/kernel vmcore.#
322 The core was decrypted properly if
323 .Xr kgdb 1 Pq Pa ports/devel/gdb
324 does not print any errors.
325 Note that the live kernel might be at a different path
326 which can be examined by looking at the
333 script runs early during boot, typically before networking is configured.
334 This makes it unsuitable for configuring
336 when the client address is dynamic.
342 .Xr dhclient-script 8
345 For example, to automatically configure
347 on the vtnet0 interface, add the following to
348 .Pa /etc/dhclient-exit-hooks .
351 BOUND|REBIND|REBOOT|RENEW)
352 if [ "$interface" != vtnet0 ] || [ -n "$old_ip_address" -a \\
353 "$old_ip_address" = "$new_ip_address" ]; then
356 if [ -n "$new_routers" ]; then
357 # Take the first router in the list.
358 gateway_flag="-g ${new_routers%% *}"
360 # Configure as the highest-priority dump device.
361 dumpon -i 0 -c $new_ip_address -s $server $gateway_flag vtnet0
366 Be sure to fill in the server IP address and change the interface name if
370 .Xr kgdb 1 Pq Pa ports/devel/gdb ,
390 Support for encrypted kernel core dumps and netdump was added in
395 manual page was written by
396 .An Mark Johnston Aq Mt markj@FreeBSD.org ,
397 .An Conrad Meyer Aq Mt cem@FreeBSD.org ,
398 .An Konrad Witaszczyk Aq Mt def@FreeBSD.org ,
399 and countless others.
401 To configure encrypted kernel core dumps, the running kernel must have been
406 Netdump does not automatically update the configured
408 if routing topology changes.
410 The size of a compressed dump or a minidump is not a fixed function of RAM
412 Therefore, when at least one of these options is enabled, the
414 utility cannot verify that the
416 has sufficient space for a dump.
418 is also unable to verify that a configured
420 server has sufficient space for a dump.
423 requires a kernel compiled with the
432 Netdump only supports IPv4 at this time.
433 .Sh SECURITY CONSIDERATIONS
434 The current encrypted kernel core dump scheme does not provide integrity nor
436 That is, the recipient of an encrypted kernel core dump cannot know if they
437 received an intact core dump, nor can they verify the provenance of the dump.
439 RSA keys smaller than 1024 bits are practical to factor and therefore weak.
440 Even 1024 bit keys may not be large enough to ensure privacy for many
441 years, so NIST recommends a minimum of 2048 bit RSA keys.
444 prevents users from configuring encrypted kernel dumps with extremely weak RSA
446 If you do not care for cryptographic privacy guarantees, just use
452 This process is sandboxed using