
System Recovery using SysRq Key

From Whonix

Use Cases

The SysRq or "Security Keys" (SAK key) function in Linux is equivalent to the well-known Control-Alt-Delete (Ctrl+Alt+Del) function in Windows, otherwise referred to as the "three-finger salute". Debian documentation notes that SysRq combinations are useful for bypassing bad situations and regaining usable keyboard access without stopping the system. [1] Because support is compiled into the Linux kernel, this provides insurance against system malfunctions: pressing SysRq followed by the key for a specific command "rescues" the system.

System Recovery

Wikipedia notes:

The magic SysRq key is a key combination understood by the Linux kernel, which allows the user to perform various low-level commands regardless of the system's state. It is often used to recover from freezes, or to reboot a computer without corrupting the filesystem. Its effect is similar to the computer's hardware reset button (or power switch) but with many more options and much more control.

This key combination provides access to powerful features for software development and disaster recovery. In this sense, it can be considered a form of escape sequence. Principal among the offered commands are means to forcibly unmount file systems, kill processes, recover keyboard state, and write unwritten data to disk. With respect to these tasks, this feature serves as a tool of last resort.

The magic SysRq key cannot work under certain conditions, such as a kernel panic or a hardware failure preventing the kernel from running properly.

In the Whonix ™ case, magic SysRq keys are useful when the guest is unresponsive, especially in cases where VMs are running headless and a GUI console is not available for forcing them to shut off on the host.

Malware

This supposes an advanced threat model; for instance a system where a limited user ("user") is utilizing a graphical X Window System session that is different from the user with root/sudo permissions. The limited user account may be compromised by malware. Under many threat models this is already considered catastrophic, since running malware:

  • has full access to all user-accessible files
  • can view all keyboard inputs and take over login sessions
  • may present false information on the screen
  • can perform other malicious actions - see: The Importance of a Malware Free System

However, when using multiple (virtual) machines for compartmentalization, the harmful impact of malware might not be catastrophic. In that case another goal is to prevent root compromise, which helps to protect the virtualizer and avoid host compromise, and similarly to avoid hardware compromise. See also: Prevent Malware from Sniffing the Root Password.

A broken X Window System can block switching to a virtual console. It logically follows that malware which has compromised the X Window System could do the same. In this case the SysRq + r combination takes keyboard control away from the X Window System. This is the safer procedure: otherwise a compromised X Window System could simply simulate a virtual console login prompt in order to sniff the root password (login spoofing).

SysRq + r (unraw) can be used in this case to make sure the keyboard is disconnected from the X Window System.

Enable SysRq

SysRq can be enabled temporarily or permanently.

For temporary functionality (until the next reboot), run:

echo "1" | sudo tee /proc/sys/kernel/sysrq

To permanently enable SysRq, run:

echo "kernel.sysrq = 1" | sudo tee -a /etc/sysctl.d/50_sysrq.conf

After completing the temporary or permanent change, check that SysRq has been properly set:

cat /proc/sys/kernel/sysrq

The output should show:

1
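The value in /proc/sys/kernel/sysrq is not only 0 or 1: values above 1 are a bitmask of permitted function classes, as documented in the kernel's admin-guide/sysrq. The following script is an added example (not from the Whonix wiki) that decodes a kernel.sysrq value and checks whether the keyboard class, which the sak(k) and unraw(r) commands used in the Malware section belong to, is permitted; the class names are this example's own labels for the kernel's documented bits.

```shell
#!/bin/sh
# Added example: decode the kernel.sysrq bitmask (0 = off, 1 = everything,
# >1 = bitmask of allowed classes) and verify the keyboard class is enabled.

# Print the function classes enabled by a kernel.sysrq value, one per line.
sysrq_decode() {
    v="$1"
    case "$v" in
        0) echo "disabled"; return 0 ;;
        1) echo "all"; return 0 ;;
    esac
    # bit:label pairs follow Documentation/admin-guide/sysrq.rst;
    # the labels are this example's own short names.
    for pair in 2:loglevel 4:keyboard 8:debug-dumps 16:sync \
                32:remount-ro 64:signal-processes 128:reboot-poweroff \
                256:nice-rt-tasks; do
        bit="${pair%%:*}"
        name="${pair#*:}"
        if [ $(( v & bit )) -ne 0 ]; then
            echo "$name"
        fi
    done
}

# Exit 0 when the given kernel.sysrq value permits the named class.
sysrq_allows() {
    sysrq_decode "$1" | grep -qx -e all -e "$2"
}

# Read the live value; fall back to the argument when /proc is not
# readable (e.g. inside a container) so the script still runs offline.
sysrq_current() {
    if [ -r /proc/sys/kernel/sysrq ]; then
        cat /proc/sys/kernel/sysrq
    else
        echo "${1:-0}"
    fi
}

# The Malware section relies on SysRq + r and SysRq + k (keyboard class).
cur="$(sysrq_current 0)"
echo "kernel.sysrq = $cur"
sysrq_decode "$cur"
if sysrq_allows "$cur" keyboard; then
    echo "unraw(r) and sak(k) are permitted"
else
    echo "keyboard class not enabled: set kernel.sysrq to 1 or include bit 4"
fi
```

Note that a file written to /etc/sysctl.d/ only takes effect after `sudo sysctl --system` or a reboot, so reading /proc/sys/kernel/sysrq immediately after creating it still reports the old value.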

Overview of Commands

SysRq : HELP : loglevel(0-9) reboot(b) crash(c) terminate-all-tasks(e) memory-full-oom-kill(f) kill-all-tasks(i) thaw-filesystems(j) sak(k) show-backtrace-all-active-cpus(l) show-memory-usage(m) nice-all-RT-tasks(n) poweroff(o) show-registers(p) show-all-timers(q) unraw(r) sync(s) show-task-states(t) unmount(u) force-fb(V) show-blocked-tasks(w) dump-ftrace-buffer(z)

  • loglevel(0-9)
  • reboot(b)
  • crash(c)
  • terminate-all-tasks(e)
  • memory-full-oom-kill(f)
  • kill-all-tasks(i)
  • thaw-filesystems(j)
  • sak(k)
  • show-backtrace-all-active-cpus(l)
  • show-memory-usage(m)
  • nice-all-RT-tasks(n)
  • poweroff(o)
  • show-registers(p)
  • show-all-timers(q)
  • unraw(r)
  • sync(s)
  • show-task-states(t)
  • unmount(u)
  • force-fb(V)
  • show-blocked-tasks(w)
  • dump-ftrace-buffer(z)

Usage

SysRq commands can also be triggered without the keyboard by writing the command letter to /proc/sysrq-trigger as root; for example, h outputs the help text listed above to the kernel log.

sudo -u root bash

echo h > /proc/sysrq-trigger

Development Discussion

https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079

See Also

Footnotes

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.