Use kexec to display kernel panic messages

When a kernel panic occurs, it is displayed using printk(), which is only visible in the Linux console. If a user is in an X session, a panic simply causes the system to appear to lock up. Given that the kernel will panic in many situations where an unreliable exploit is used, it’s vital that that information be available to be communicated, otherwise even unreliable exploits can be used against Tails systems with next to no fear that they will burn their 0day. This is especially important now that Zerodium has put a bug bounty on Tails in order to provide various governments with live exploits.

The solution to the panic issue is to have the system kexec into a fresh kernel upon panic, and display, either via a framebuffer or Xorg, a message telling the user that the computer has crashed. It can either simply display the panic, or a friendly message saying Tails has crashed, and giving the option to reboot, view technical information (the panic log itself), or open a debugging shell (kgdb, for the more experienced users). It could additionally recommend that the panic information be written down and sent to the Tails team, or sent interactively, as the new kernel will be capable of connecting to the network.

The motivation for this change is threefold. Firstly, it raises the bar for attackers, as unstable 0days and other exploits can no longer be guaranteed to leave no trace. Secondly, it makes fatal errors more user-friendly. It’s not very encouraging when a security-focused operating system just stops responding, but if a message is displayed saying that it crashed, users tend to be more forgiving. Lastly, the new kernel can initiate a memory wipe immediately or before shutting down, allowing users with older DDR2 RAM to reduce the life of volatile secrets.

Implementation is simple. Kexec supports running upon panic, and the new kernel will be given a file, /proc/vmcore, which contains debugging information (simple to parse with tools) from the crashed kernel. Like any kernel, it will first start an init script, which can contain anything from a simple, ncurses-based dialog to a more complex environment with Xorg, or even a complete and working Tails system, allowing the user experience to simply be “something bad happened and you have been logged out”, followed by the early administration dialog with a possible new option involving reading and sending the panic report.

Original created by @cypherpunks on 14856 (Redmine)
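
The checks behind the implementation described above, as an added example that is not part of the original issue or of Tails: whether the running system will kexec into a crash kernel on panic, and how the crash kernel's init script could save the panic log from /proc/vmcore. The function names, the root-prefix argument, and the presence of `vmcore-dmesg` (from kexec-tools) in the crash initramfs are assumptions.

```shell
#!/bin/sh
# Added example, not Tails code. Each function takes an optional root prefix
# (an assumption of this sketch) so it can be run against a constructed tree;
# pass nothing on a live system.

# First kernel: succeed only if a panic would actually kexec into a crash kernel.
crash_kernel_ready() {
    root="${1:-}"
    # crashkernel= on the command line reserves memory for the second kernel
    grep -qE '(^| )crashkernel=' "$root/proc/cmdline" 2>/dev/null || {
        echo "no crashkernel= reservation on the kernel command line"; return 1; }
    # kexec_crash_size is the size of the reserved region in bytes
    size=$(cat "$root/sys/kernel/kexec_crash_size" 2>/dev/null || echo 0)
    [ "${size:-0}" -gt 0 ] || { echo "crash kernel reservation is empty"; return 1; }
    # kexec_crash_loaded reads 1 once a panic kernel was loaded with `kexec -p`
    loaded=$(cat "$root/sys/kernel/kexec_crash_loaded" 2>/dev/null || echo 0)
    [ "$loaded" = "1" ] || { echo "no panic kernel loaded (kexec -p)"; return 1; }
    echo "ready: $size bytes reserved, panic kernel loaded"
}

# Second kernel: /proc/vmcore only exists after booting from a crashed kernel.
in_crash_kernel() {
    [ -e "${1:-}/proc/vmcore" ]
}

# Second kernel: save the crashed kernel's log so the init script can show it.
# VMCORE_DMESG can be overridden; the default is the kexec-tools extractor.
save_panic_log() {
    root="${1:-}"
    out="$2"
    in_crash_kernel "$root" || { echo "not running in a crash kernel"; return 1; }
    "${VMCORE_DMESG:-vmcore-dmesg}" "$root/proc/vmcore" > "$out"
}
```

An init script in the crash kernel would call `save_panic_log "" /run/panic.log` before starting whatever dialog presents the crash to the user.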