Received: by 2002:a05:7412:419a:b0:f3:1519:9f41 with SMTP id i26csp3752594rdh; Tue, 28 Nov 2023 03:01:03 -0800 (PST) X-Google-Smtp-Source: AGHT+IFerG2rMxdmJ8a4hFZGlAI4b5PMLGAb1lpIG2Ox2+K1LS/Xet6s661OFUN0ddOJko7KupSx X-Received: by 2002:a05:6871:e803:b0:1fa:2cee:bb1f with SMTP id qd3-20020a056871e80300b001fa2ceebb1fmr5097944oac.20.1701169263006; Tue, 28 Nov 2023 03:01:03 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1701169262; cv=none; d=google.com; s=arc-20160816; b=GkghylHIsBXTWNmd6J/zilGAqXo6v6CRGhqFrFnedVG1mgTMAEaMSJ5RuCydpO+O3J BFB6CGX8KxmFgEaK5AM4PDwhQiZQB4MMYYccG5shYFW/gzy4S7Zc2WABNyCBdDllTDL+ H4+RG5Qgo0kzUvIvrx1ChW75aMO7D8060rUtbLimAMm6g5H2r2Iw0U7NBzYUfSJGPHLg O0AGHDVEoEDSp6n+dMj054FIvkX6qUuc7niJH2zCk3OabW8sgmxPqCc3rrAE/uIxKmnE vNnbbmTCfr8wAO5gVKsP/2tZ8VsFYX6yr/Who+os6M/CDri0VlKIvsdh9+5c+1dxOvop 3VVQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:mime-version:date :dkim-signature:message-id; bh=yvcyg4szTb7G/K461C+40gz8EkgFmlMmQb3ja5PYzBA=; fh=TEBirrMs2sFcLwYJXcQ8h3UMBDzWxIGRSD/xYMyv8Xo=; b=z5QpBeehPwx9UOSvjzFRzSfI77io2qdSRBm94JddkM80BdWGz76uGD4+c6zPppmgiB vsDUowAEoMnaSxtA2arNC7orgQ+CKgaS+v5ogbBBLCE8oXN9WXWUj7xHq8aVS/46d+gq MDJVnkVFnB7OfCCH3gVEarOrhT2KmL6AZrL0eS3hbrNkBDllxGZVpZBjxzWGXzu4ImzB fCBc4A+612VIUZXoX/UPmR4fCOMUYnu/A1rZpwBHuwGq+sMHFYLPEyiRsALY2edYEQ2i XdO9kGzvK2dTeiWSBMKg2Xn11mftxs1Ial62d7QjCzp6Z4EyV3HI9/9X1rYBdeuw7hg3 CAww== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux.dev header.s=key1 header.b=XDONWV8N; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev Return-Path: Received: from morse.vger.email (morse.vger.email. [2620:137:e000::3:1]) by mx.google.com with ESMTPS id a33-20020a056870a1a100b001efb8f282c1si1672550oaf.278.2023.11.28.03.00.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Nov 2023 03:01:01 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) client-ip=2620:137:e000::3:1; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.dev header.s=key1 header.b=XDONWV8N; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by morse.vger.email (Postfix) with ESMTP id 3E37B8079B26; Tue, 28 Nov 2023 03:00:47 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at morse.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344504AbjK1LAY (ORCPT + 99 others); Tue, 28 Nov 2023 06:00:24 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45904 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344464AbjK1LAV (ORCPT ); Tue, 28 Nov 2023 06:00:21 -0500 Received: from out-188.mta0.migadu.com (out-188.mta0.migadu.com [IPv6:2001:41d0:1004:224b::bc]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 454EBD4B for ; Tue, 28 Nov 2023 03:00:22 -0800 (PST) Message-ID: <6cabaa42-c366-4928-8294-ad261dae0043@linux.dev> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1701169221; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=yvcyg4szTb7G/K461C+40gz8EkgFmlMmQb3ja5PYzBA=; b=XDONWV8NJC+c5v7IbeGMStXtx1LoYSM5QxxpY48OJsae5eo2InuIzp1RXvU0yd/DZgtNyU /VzjNlWo4AUClHh0KCXt6HcVI1dqQr+3/kR42NmS/Yg3qI4nUE9chbSfCzU8Gyzn9wy2ik 1PDd1dt5thYDxIQXcnKc4EtCZ/Fupt4= Date: Tue, 28 Nov 2023 12:00:17 +0100 MIME-Version: 1.0 Subject: Re: [PATCH v6 11/11] blksnap: prevents using devices with data integrity or inline encryption Content-Language: en-US To: Eric Biggers Cc: axboe@kernel.dk, hch@infradead.org, corbet@lwn.net, snitzer@kernel.org, mingo@redhat.com, peterz@infradead.org, juri.lelli@redhat.com, viro@zeniv.linux.org.uk, brauner@kernel.org, linux-block@vger.kernel.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Sergei Shtepa References: <20231124165933.27580-1-sergei.shtepa@linux.dev> <20231124165933.27580-12-sergei.shtepa@linux.dev> <20231127224719.GD1463@sol.localdomain> X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: Sergei Shtepa In-Reply-To: <20231127224719.GD1463@sol.localdomain> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Migadu-Flow: FLOW_OUT X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on morse.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (morse.vger.email [0.0.0.0]); Tue, 28 Nov 2023 03:00:47 -0800 (PST) On 11/27/23 23:47, Eric Biggers wrote: > On Fri, Nov 24, 2023 at 05:59:33PM +0100, Sergei Shtepa wrote: >> There is an opinion that the use of the blksnap module may violate the >> security of encrypted data. The difference storage file may be located >> on an unreliable disk or even network storage. > I think this misses the point slightly. The main problem is that blksnap writes > data in plaintext that is supposed to be encrypted, as indicated by the bio > having an encryption context. That's just what it does, at least based on the > last patchset; it's not just "an opinion". See > https://lore.kernel.org/linux-block/20a5802d-424d-588a-c497-1d1236c52880@veeam.com/ Thanks Eric. Perhaps I formulated the thought inaccurately. The point is that blksnap should not be compatible with blk-crypto. Changes in version 6 do not allow to take a snapshot with a device on which the encryption context is detected. Additionally, protection is implemented in the bio handling code. For bio with bi_crypt_context, the COW algorithm is not executed. > >> +#ifdef CONFIG_BLK_INLINE_ENCRYPTION >> + if (bio->bi_crypt_context) { >> + pr_err_once("Hardware inline encryption is not supported\n"); >> + diff_area_set_corrupted(tracker->diff_area, -EPERM); >> + return false; >> + } >> +#endif > The error message for ->bi_crypt_context being set should say > "Inline encryption", not "Hardware inline encryption". The submitter of the bio > may have intended to use blk-crypto-fallback. I was looking at the blk-crypto-fallback code. I tested the work in this case. Encryption is performed before the bio gets to the block layer. So, the filter receives cloned bios with already encrypted data. Therefore, the text of the message is correct. But I haven't tested the code on a device where hardware inline encryption is available. I would be glad if anyone could help with this. > > Anyway, this patch is better than ignoring the problem. It's worth noting, > though, that this patch does not prevent blksnap from being set up on a block > device on which blk-crypto-fallback is already being used (or will be used). > When that happens, I/O will suddenly start failing. For usability reasons, > ideally that would be prevented somehow. I didn't observe any failures during testing. It's just that the snapshot image shows files with encrypted names and data. Backup in this case is useless. Unfortunately, there is no way to detect a blk-crypto-fallback on the block device filter level. Maybe my tests aren't enough. The next step I think would be great to add new tests to xfstests.