Use kexec to display kernel panic messages
Originally created by @cypherpunks on #14856 (Redmine)
When a kernel panic occurs, it is displayed using printk(), which is only visible in the Linux console. If a user is in an X session, a panic simply causes the system to appear to lock up. Given that the kernel will panic in many situations where an unreliable exploit is used, it’s vital that that information be available to be communicated, otherwise even unreliable exploits can be used against Tails systems with next to no fear that they will burn their 0day. This is especially important now that Zerodium has put a bug bounty on Tails in order to provide various governments with live exploits.
The solution to the panic issue is to have the system kexec into a fresh kernel upon panic, and display, either via a framebuffer or Xorg, a message telling the user that the computer has crashed. It can either simply display the panic, or a friendly message saying Tails has crashed, and giving the option to reboot, view technical information (the panic log itself), or open a debugging shell (kgdb, for the more experienced users). It could additionally recommend that the panic information be written down and sent to the Tails team, or sent interactively, as the new kernel will be capable of connecting to the network.
The motivation for this change is threefold. Firstly, it raises the bar for attackers, as unstable 0days and other exploits can no longer be guaranteed to leave no trace. Secondly, it makes fatal errors more user-friendly. It’s not very encouraging when a security-focused operating system just stops responding, but if a message is displayed saying that it crashed, users tend to be more forgiving. Lastly, the new kernel can initiate a memory wipe immediately or before shutting down, allowing users with older DDR2 RAM to reduce the life of volatile secrets.
Implementation is simple. Kexec supports running upon panic, and the new kernel will be given a file, /proc/vmcore, which contains debugging information (simple to parse with tools) from the crashed kernel. Like any kernel, it will first start an init script, which can contain anything from a simple, ncurses-based dialog to a more complex environment with Xorg, or even a complete and working Tails system, allowing the user experience to simply be “something bad happened and you have been logged out”, followed by the early administration dialog with a possible new option involving reading and sending the panic report.
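The two halves of the setup described above, as an added example that is not part of the original issue and is not Tails code: arming the crash kernel from the running system with `kexec -p`, and an init-side helper for the crash kernel that turns `/proc/vmcore` into the text a "Tails has crashed" dialog would show. The kernel and initrd paths, the `crash_init` flow and the sample log are assumptions or constructed; the only real tools it relies on are `kexec` (kexec-tools) and `makedumpfile`.

```shell
#!/bin/sh
# Added example, not code from the Tails issue or project. Paths are
# hypothetical and the log written by write_sample_log is constructed.

# Half 1: arm the crash kernel from the running system. Needs root,
# kexec-tools, and a running kernel booted with crashkernel=<size> so that
# memory is reserved for the second kernel. Once loaded, a panic jumps into
# the crash kernel instead of leaving the machine apparently frozen.
arm_crash_kernel() {
    # /boot/vmlinuz-crash and /boot/initrd-crash.img are assumed names.
    kexec -p /boot/vmlinuz-crash \
        --initrd=/boot/initrd-crash.img \
        --append="root=/dev/ram0 nr_cpus=1 irqpoll reset_devices"
}

# Half 2: inside the crash kernel, /proc/vmcore is an ELF core image of the
# crashed kernel's memory. makedumpfile --dump-dmesg pulls the old kernel's
# log ring buffer out of it as plain text, which is what a dialog needs.
dump_old_dmesg() {
    # $1: output text file
    makedumpfile --dump-dmesg /proc/vmcore "$1"
}

# From a dmesg text file, print everything from the panic line onward:
# the "Kernel panic - not syncing" line plus the trace that follows it.
extract_panic() {
    awk '/Kernel panic - not syncing/ { found = 1 } found' "$1"
}

# One-line summary for the dialog: the panic reason without the
# [timestamp] prefix.
panic_summary() {
    extract_panic "$1" | head -n 1 | sed 's/^\[[^]]*\] *//'
}

# Constructed sample of what dump_old_dmesg would produce (not a real dump).
write_sample_log() {
    cat > "$1" <<'EOF'
[    0.000000] Linux version 6.1.0-sample (constructed log)
[   12.345678] BUG: kernel NULL pointer dereference, address: 0000000000000000
[   12.345690] Kernel panic - not syncing: Fatal exception
[   12.345700] Call Trace:
[   12.345710]  <TASK>
[   12.345720]  sample_fn+0x1a/0x40 [sample_mod]
EOF
}

# What the crash kernel's init would run (hypothetical flow). Outside a
# crash kernel there is no /proc/vmcore, so it falls back to the sample log
# and the whole flow can be exercised offline.
crash_init() {
    log="${TMPDIR:-/tmp}/old-dmesg.$$"
    if [ -r /proc/vmcore ]; then
        dump_old_dmesg "$log"
    else
        write_sample_log "$log"
    fi
    echo "Tails has crashed: $(panic_summary "$log")"
    echo
    echo "Technical information (from the crashed kernel's log):"
    extract_panic "$log"
    rm -f "$log"
}
```

On the running system, `arm_crash_kernel` is run once after boot; in the crash kernel's init, `crash_init` is what would sit behind the "view technical information" option. Both can be tried from an interactive shell with `. ./panic-init.sh; crash_init`, which prints the constructed sample when no `/proc/vmcore` is present.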