Received: by 2002:a05:7412:419a:b0:f3:1519:9f41 with SMTP id i26csp4660359rdh; Wed, 29 Nov 2023 07:22:55 -0800 (PST) X-Google-Smtp-Source: AGHT+IG5w6BE4XttKqAUg+YZXosNp30WDNoAGCO03uW1z9aF5Xabezf2clTev6H1F3rXybQgsvKl X-Received: by 2002:a17:90b:224a:b0:285:e32d:d2eb with SMTP id hk10-20020a17090b224a00b00285e32dd2ebmr10438679pjb.16.1701271374863; Wed, 29 Nov 2023 07:22:54 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1701271374; cv=none; d=google.com; s=arc-20160816; b=qfg6olrRD67dCB13ToTQrTsmFfKb1217ZGNtyT7qvK6VhcNZGGax5+340Q2RzsX7Rj 82rWHUFOJVuwnD9ldyC2Dgk5s4BPL9uRE1HU54E6ViaX41Z4jMdPgrf0frSFeJSMZMjv lqtCMoMomk8FcBuN+bBsGthXWbtFNF7czF+EpCAarXj5ZWl0g+D8mt5QEQWjjB9TyNpT 3RuzPNH6XK+fZscVQpbrEw28aqjqmIWZwzWPNgzm3ld35bWeGYoHEjCbiBb7G9RepAQ2 sLw+Xj057y2AknnKToLLe6s15IiZzsYlXX7X0bjaIqOeAvyV1lZwDrqbwFesKveNmKfr Gm3A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :content-language:references:cc:to:subject:mime-version:date :dkim-signature:message-id; bh=qlMx2Flg5DmeD4yt+MqEfHfVk9utOQgr1QwsR6mQL1c=; fh=TEBirrMs2sFcLwYJXcQ8h3UMBDzWxIGRSD/xYMyv8Xo=; b=B1fmQf+p7y48PEmYcnHNowA9fNHJBsnDt3+TSSBuWQlhKiAHur8GrN6P2EylItbpJ6 RifsnUsoD8WSFFoWogNrDlf2lrNXdjVJUourVQkyKlrrRulFgL4M3yLOk47gnL53/K0f 4jTmKxcSD2tJarJ1PUthumvyGxYpyDvsRXzTKh27gblRyTH5fGBYk9+yymBTSPbEmQZY 6Mo4s+Poge94aTLE6BSGcABYiRKkVzuPp4BrcZZzAcPGEK21lfBVpKczz2/VhlrLo+6D hoCiD2Kd/ZJSFQw0uPYz9UnfAF1R6XGILklUS983JEnSaFQ1USCwaCbKDdnAP8PM51rH 06Ug== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux.dev header.s=key1 header.b=F6RfF2Iv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.38 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev Return-Path: Received: from fry.vger.email (fry.vger.email. [23.128.96.38]) by mx.google.com with ESMTPS id kb8-20020a17090ae7c800b00280072b397csi1580508pjb.30.2023.11.29.07.22.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 29 Nov 2023 07:22:54 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.38 as permitted sender) client-ip=23.128.96.38; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.dev header.s=key1 header.b=F6RfF2Iv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.38 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by fry.vger.email (Postfix) with ESMTP id EAC1D8057E79; Wed, 29 Nov 2023 07:22:46 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at fry.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234850AbjK2PW1 (ORCPT + 99 others); Wed, 29 Nov 2023 10:22:27 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50434 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234629AbjK2PW0 (ORCPT ); Wed, 29 Nov 2023 10:22:26 -0500 X-Greylist: delayed 412 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Wed, 29 Nov 2023 07:22:31 PST Received: from out-175.mta1.migadu.com (out-175.mta1.migadu.com [IPv6:2001:41d0:203:375::af]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 65DE0D66 for ; Wed, 29 Nov 2023 07:22:31 -0800 (PST) Message-ID: <41cf7793-0816-461f-b8c6-82b3eb1cfeba@linux.dev> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1701270936; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=qlMx2Flg5DmeD4yt+MqEfHfVk9utOQgr1QwsR6mQL1c=; b=F6RfF2IvG3WN3WPVfDoTbREVTJz7pTYKfDT6EEtzddlxGE+y+cGvbqILYhDXcyknmTHpkA eZT4FwRKGajVqXpoJgLpcCy/G2njcfe4vLIWyWZlvtM1A5rn25+bNhmxs10SStbPEC14Ge 4xKO38UwjVArPYCNz01YmQjTgJradMc= Date: Wed, 29 Nov 2023 16:15:33 +0100 MIME-Version: 1.0 Subject: Re: [PATCH v6 11/11] blksnap: prevents using devices with data integrity or inline encryption To: Eric Biggers Cc: axboe@kernel.dk, hch@infradead.org, corbet@lwn.net, snitzer@kernel.org, mingo@redhat.com, peterz@infradead.org, juri.lelli@redhat.com, viro@zeniv.linux.org.uk, brauner@kernel.org, linux-block@vger.kernel.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Sergei Shtepa References: <20231124165933.27580-1-sergei.shtepa@linux.dev> <20231124165933.27580-12-sergei.shtepa@linux.dev> <20231127224719.GD1463@sol.localdomain> <6cabaa42-c366-4928-8294-ad261dae0043@linux.dev> <20231128171823.GA1148@sol.localdomain> Content-Language: en-US X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: Sergei Shtepa In-Reply-To: <20231128171823.GA1148@sol.localdomain> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Migadu-Flow: FLOW_OUT X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on fry.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (fry.vger.email [0.0.0.0]); Wed, 29 Nov 2023 07:22:47 -0800 (PST) On 11/28/23 18:18, Eric Biggers wrote: > On Tue, Nov 28, 2023 at 12:00:17PM +0100, Sergei Shtepa wrote: >> But I haven't tested the code on a device where hardware inline encryption is >> available. I would be glad if anyone could help with this. >>> Anyway, this patch is better than ignoring the problem. It's worth noting, >>> though, that this patch does not prevent blksnap from being set up on a block >>> device on which blk-crypto-fallback is already being used (or will be used). >>> When that happens, I/O will suddenly start failing. For usability reasons, >>> ideally that would be prevented somehow. >> I didn't observe any failures during testing. It's just that the snapshot >> image shows files with encrypted names and data. Backup in this case is >> useless. Unfortunately, there is no way to detect a blk-crypto-fallback on >> the block device filter level. > Huh, I thought that this patch is supposed to exclude blk-crypto-fallback too. > __submit_bio() calls bio->bi_bdev->bd_filter->ops->submit_bio(bio) before > blk_crypto_bio_prep(), so doesn't your check of ->bi_crypt_context exclude > blk-crypto-fallback? Thank you, Eric. You're right. The filter handle unencrypted data when using blk-crypto-fallback. Indeed, the I/O unit has an encryption context. And yes, the word "Hardware" is not necessary. - pr_err_once("Hardware inline encryption is not supported\n"); + pr_err_once("Inline encryption is not supported\n"); > > I think you're right that it might actually be fine to use blksnap with > blk-crypto-fallback, provided that the encryption is done first. I would like > to see a proper explanation of that, though. And we still have this patch which > claims that it doesn't work, which is confusing. I found a bug in my test. I was let down by the cache. I redid the test and posted it. Link: https://github.com/veeam/blksnap/blob/stable-v2.0/tests/8000-inline-encryption.sh When the bi_crypt_context is detected in the write I/O unit, the snapshot image is marked as corrupted. The COW algorithm is not executed. The blksnap code does not allow data leakage. For a disk with hardware encryption, a block device cannot be added to the snapshot since the encryption context for the disk will be detected for it. Unfortunately, it is impossible to detect the presence of a blk-crypto-fallback when adding a block device to the snapshot. So, I think that the patch fully ensures the confidentiality of data when using inline encryption. However, it does not allow to perform a backup for this case. If we make a filter handling point in the __submit_bio() function after calling blk_crypto_bio_prep(), then this will not change the situation for the case of hardware encryption. But the filter will never know what the blk-crypto-fallback is being used. I have no opinion whether it will be better.