From patchwork Tue Dec 29 08:55:19 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Satya Tangirala X-Patchwork-Id: 11997427 X-Patchwork-Delegate: snitzer@redhat.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.8 required=3.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5BB87C433E0 for ; Mon, 4 Jan 2021 19:03:57 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [63.128.21.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id DAF0F2068D for ; Mon, 4 Jan 2021 19:03:56 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org DAF0F2068D Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=tempfail smtp.mailfrom=dm-devel-bounces@redhat.com Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-532-RG09a7FnOeWZfxp_uvaXAQ-1; Mon, 04 Jan 2021 14:03:47 -0500 X-MC-Unique: RG09a7FnOeWZfxp_uvaXAQ-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id B4C51801AB1; Mon, 4 Jan 2021 19:03:38 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 7F86E60C04; Mon, 4 Jan 2021 19:03:38 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 4ABF450033; Mon, 4 Jan 2021 19:03:38 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 0BT8tdi9010768 for ; Tue, 29 Dec 2020 03:55:39 -0500 Received: by smtp.corp.redhat.com (Postfix) id 805BA111286F; Tue, 29 Dec 2020 08:55:39 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast06.extmail.prod.ext.rdu2.redhat.com [10.11.55.22]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 7C4A9111286D for ; Tue, 29 Dec 2020 08:55:37 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-2.mimecast.com [205.139.110.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 09E33185A794 for ; Tue, 29 Dec 2020 08:55:37 +0000 (UTC) Received: from mail-yb1-f201.google.com (mail-yb1-f201.google.com [209.85.219.201]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-214-GzOw4xE9OESttYZghba71g-1; Tue, 29 Dec 2020 03:55:31 -0500 X-MC-Unique: GzOw4xE9OESttYZghba71g-1 Received: by mail-yb1-f201.google.com with SMTP id j1so22783281ybj.11 for ; Tue, 29 Dec 2020 00:55:31 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=nINvkj7xQmHV3l4zgYQQKWCc+dYml9+Tq+RFchIuJGw=; b=Eeq6d5Cp4X3WRxJ8bXcRkHrLWx0CPu+GkZnhIxVlw6EeKLwcu3cnzVXUXSvxjXwetF 82zb4IV9MSV15/rHnCpTt+I0x4XPPl7U0nlQIfzQ438+yGIoDPZwYt0XL/mJYRLIm7ce +YT/uV7mR7JPu9iNjyPnhsxH0XdFdQ7/FJWISxAx4KpfhxX13IpMjrYQy9Yh93r+boiJ PJ2eAfj2LVZAKS1srbEehTXQE6qwYvMQmG809pQcw5n9OtBg3Wl+e9cMT+TGrM1kjoZO aobDXy9HdniIhnbwgwuY9qdteUalXYhzTVFZAQZAyvh3XipcI1XJW5Ex84cZSS/2zOR7 SSjw== X-Gm-Message-State: AOAM53108ryv6rkvkfpkOSeXCeUFU5dL/wPJqoMEGenL7qh+QOFJAcWL 2Z3gazPgIcMvt+gIuymhfW0x8cOGyNM= X-Google-Smtp-Source: ABdhPJxwsYdpKcT2mmdMyHo0vo/Kn+HW8jaFKNkt+9WZdufx64WkCtTrB6gg4x2l8R4HU19Dt8AAXIh9Ugs= X-Received: from satyaprateek.c.googlers.com ([fda3:e722:ac3:10:24:72f4:c0a8:1092]) (user=satyat job=sendgmr) by 2002:a25:bccc:: with SMTP id l12mr69868142ybm.295.1609232131046; Tue, 29 Dec 2020 00:55:31 -0800 (PST) Date: Tue, 29 Dec 2020 08:55:19 +0000 In-Reply-To: <20201229085524.2795331-1-satyat@google.com> Message-Id: <20201229085524.2795331-2-satyat@google.com> Mime-Version: 1.0 References: <20201229085524.2795331-1-satyat@google.com> From: Satya Tangirala To: linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, dm-devel@redhat.com X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Mimecast-Bulk-Signature: yes X-Mimecast-Spam-Signature: bulk X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3 X-loop: dm-devel@redhat.com X-Mailman-Approved-At: Mon, 04 Jan 2021 14:03:12 -0500 Cc: Jens Axboe , Satya Tangirala , Mike Snitzer , Alasdair Kergon , Eric Biggers Subject: [dm-devel] [PATCH v3 1/6] block: keyslot-manager: Introduce passthrough keyslot manager X-BeenThere: dm-devel@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: device-mapper development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: dm-devel-bounces@redhat.com Errors-To: dm-devel-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=dm-devel-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com The device mapper may map over devices that have inline encryption capabilities, and to make use of those capabilities, the DM device must itself advertise those inline encryption capabilities. One way to do this would be to have the DM device set up a keyslot manager with a "sufficiently large" number of keyslots, but that would use a lot of memory. Also, the DM device itself has no "keyslots", and it doesn't make much sense to talk about "programming a key into a DM device's keyslot manager", so all that extra memory used to represent those keyslots is just wasted. All a DM device really needs to be able to do is advertise the crypto capabilities of the underlying devices in a coherent manner and expose a way to evict keys from the underlying devices. There are also devices with inline encryption hardware that do not have a limited number of keyslots. One can send a raw encryption key along with a bio to these devices (as opposed to typical inline encryption hardware that require users to first program a raw encryption key into a keyslot, and send the index of that keyslot along with the bio). These devices also only need the same things from the keyslot manager that DM devices need - a way to advertise crypto capabilities and potentially a way to expose a function to evict keys from hardware. So we introduce a "passthrough" keyslot manager that provides a way to represent a keyslot manager that doesn't have just a limited number of keyslots, and for which do not require keys to be programmed into keyslots. DM devices can set up a passthrough keyslot manager in their request queues, and advertise appropriate crypto capabilities based on those of the underlying devices. Blk-crypto does not attempt to program keys into any keyslots in the passthrough keyslot manager. Instead, if/when the bio is resubmitted to the underlying device, blk-crypto will try to program the key into the underlying device's keyslot manager. Signed-off-by: Satya Tangirala Reviewed-by: Eric Biggers --- block/keyslot-manager.c | 39 +++++++++++++++++++++++++++++++++ include/linux/keyslot-manager.h | 2 ++ 2 files changed, 41 insertions(+) diff --git a/block/keyslot-manager.c b/block/keyslot-manager.c index 86f8195d8039..ac7ce83a76e8 100644 --- a/block/keyslot-manager.c +++ b/block/keyslot-manager.c @@ -62,6 +62,11 @@ static inline void blk_ksm_hw_exit(struct blk_keyslot_manager *ksm) pm_runtime_put_sync(ksm->dev); } +static inline bool blk_ksm_is_passthrough(struct blk_keyslot_manager *ksm) +{ + return ksm->num_slots == 0; +} + /** * blk_ksm_init() - Initialize a keyslot manager * @ksm: The keyslot_manager to initialize. @@ -205,6 +210,10 @@ blk_status_t blk_ksm_get_slot_for_key(struct blk_keyslot_manager *ksm, int err; *slot_ptr = NULL; + + if (blk_ksm_is_passthrough(ksm)) + return BLK_STS_OK; + down_read(&ksm->lock); slot = blk_ksm_find_and_grab_keyslot(ksm, key); up_read(&ksm->lock); @@ -325,6 +334,16 @@ int blk_ksm_evict_key(struct blk_keyslot_manager *ksm, struct blk_ksm_keyslot *slot; int err = 0; + if (blk_ksm_is_passthrough(ksm)) { + if (ksm->ksm_ll_ops.keyslot_evict) { + blk_ksm_hw_enter(ksm); + err = ksm->ksm_ll_ops.keyslot_evict(ksm, key, -1); + blk_ksm_hw_exit(ksm); + return err; + } + return 0; + } + blk_ksm_hw_enter(ksm); slot = blk_ksm_find_keyslot(ksm, key); if (!slot) @@ -360,6 +379,9 @@ void blk_ksm_reprogram_all_keys(struct blk_keyslot_manager *ksm) { unsigned int slot; + if (blk_ksm_is_passthrough(ksm)) + return; + /* This is for device initialization, so don't resume the device */ down_write(&ksm->lock); for (slot = 0; slot < ksm->num_slots; slot++) { @@ -401,3 +423,20 @@ void blk_ksm_unregister(struct request_queue *q) { q->ksm = NULL; } + +/** + * blk_ksm_init_passthrough() - Init a passthrough keyslot manager + * @ksm: The keyslot manager to init + * + * Initialize a passthrough keyslot manager. + * Called by e.g. storage drivers to set up a keyslot manager in their + * request_queue, when the storage driver wants to manage its keys by itself. + * This is useful for inline encryption hardware that doesn't have the concept + * of keyslots, and for layered devices. + */ +void blk_ksm_init_passthrough(struct blk_keyslot_manager *ksm) +{ + memset(ksm, 0, sizeof(*ksm)); + init_rwsem(&ksm->lock); +} +EXPORT_SYMBOL_GPL(blk_ksm_init_passthrough); diff --git a/include/linux/keyslot-manager.h b/include/linux/keyslot-manager.h index 18f3f5346843..323e15dd6fa7 100644 --- a/include/linux/keyslot-manager.h +++ b/include/linux/keyslot-manager.h @@ -103,4 +103,6 @@ void blk_ksm_reprogram_all_keys(struct blk_keyslot_manager *ksm); void blk_ksm_destroy(struct blk_keyslot_manager *ksm); +void blk_ksm_init_passthrough(struct blk_keyslot_manager *ksm); + #endif /* __LINUX_KEYSLOT_MANAGER_H */ From patchwork Tue Dec 29 08:55:20 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Satya Tangirala X-Patchwork-Id: 11997467 X-Patchwork-Delegate: snitzer@redhat.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.8 required=3.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id B92FEC433E0 for ; Mon, 4 Jan 2021 19:04:30 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 3AAFF22225 for ; Mon, 4 Jan 2021 19:04:23 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 3AAFF22225 Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=tempfail smtp.mailfrom=dm-devel-bounces@redhat.com Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-489-gZV1lm2oP5Gqlk1TXMwsBA-1; Mon, 04 Jan 2021 14:04:19 -0500 X-MC-Unique: gZV1lm2oP5Gqlk1TXMwsBA-1 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id C1299800469; Mon, 4 Jan 2021 19:04:11 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id A0E5B1001281; Mon, 4 Jan 2021 19:04:11 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 74CE71809CA1; Mon, 4 Jan 2021 19:04:11 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 0BT8tdQt010767 for ; Tue, 29 Dec 2020 03:55:39 -0500 Received: by smtp.corp.redhat.com (Postfix) id 3207E2166B2B; Tue, 29 Dec 2020 08:55:39 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast04.extmail.prod.ext.rdu2.redhat.com [10.11.55.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 2CCE22166B29 for ; Tue, 29 Dec 2020 08:55:36 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-1.mimecast.com [205.139.110.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id A60A0101A560 for ; Tue, 29 Dec 2020 08:55:36 +0000 (UTC) Received: from mail-pf1-f201.google.com (mail-pf1-f201.google.com [209.85.210.201]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-260-U6_PX6irNweRu4IxttuQgA-1; Tue, 29 Dec 2020 03:55:34 -0500 X-MC-Unique: U6_PX6irNweRu4IxttuQgA-1 Received: by mail-pf1-f201.google.com with SMTP id e126so4257477pfh.15 for ; Tue, 29 Dec 2020 00:55:34 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=oQsgXW2m3Lmb+1g8leuyI0Rqgmihl04oDOtjZgFILuI=; b=hyceUEN3YxAZlcM1OG791owSZnVipwR8gBagCnuvYfDz7BtT5DUAEc5z/iuJkjQPEp lVX1oLEzYQ+oPuWgYtHGKeTr7iCjtHzq8okW7jZEJxJy4Y6W8zU0ooNhfsKMkMHlI887 obpv6LZzakCeU42ZHRIvUDJWXUvsmamNVcl50IQ//siVq4KBvTQuhJXVEbZ+aws6e66p FSAHpUmHF0Th1UKc1JqqDW33Fb/+H3p5oe3ADsoWXlQdgQy8NPAUKlRe50IiLwzZNxHp c1ojZQvulV59PZxslwDlX4Rvk3DYq7eEH5o6/aqhz4xngouvhbVS8IIQCB1D7Hnrhxa3 ENkw== X-Gm-Message-State: AOAM531hDjnbrrUrLvBFLwOsLMfMNLsuTY70W6FTEuJ7kphsfGHpHfTB NtML9c89TB4d7Dt1bapT9VphXmkuQmE= X-Google-Smtp-Source: ABdhPJzmLLIYwSw6PZyRw+ISTt9Qf+Y58eAw1eYKXw/8D8joWkNR7O6foCuOQAFTP3qWqk2KVWjbSGcUX0A= X-Received: from satyaprateek.c.googlers.com ([fda3:e722:ac3:10:24:72f4:c0a8:1092]) (user=satyat job=sendgmr) by 2002:a17:902:5997:b029:da:a1cd:3cc2 with SMTP id p23-20020a1709025997b02900daa1cd3cc2mr25543598pli.80.1609232133020; Tue, 29 Dec 2020 00:55:33 -0800 (PST) Date: Tue, 29 Dec 2020 08:55:20 +0000 In-Reply-To: <20201229085524.2795331-1-satyat@google.com> Message-Id: <20201229085524.2795331-3-satyat@google.com> Mime-Version: 1.0 References: <20201229085524.2795331-1-satyat@google.com> From: Satya Tangirala To: linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, dm-devel@redhat.com X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Mimecast-Bulk-Signature: yes X-Mimecast-Spam-Signature: bulk X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6 X-loop: dm-devel@redhat.com X-Mailman-Approved-At: Mon, 04 Jan 2021 14:03:12 -0500 Cc: Jens Axboe , Satya Tangirala , Mike Snitzer , Alasdair Kergon , Eric Biggers Subject: [dm-devel] [PATCH v3 2/6] block: keyslot-manager: Introduce functions for device mapper support X-BeenThere: dm-devel@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: device-mapper development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: dm-devel-bounces@redhat.com Errors-To: dm-devel-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=dm-devel-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Introduce blk_ksm_update_capabilities() to update the capabilities of a keyslot manager (ksm) in-place. The pointer to a ksm in a device's request queue may not be easily replaced, because upper layers like the filesystem might access it (e.g. for programming keys/checking capabilities) at the same time the device wants to replace that request queue's ksm (and free the old ksm's memory). This function allows the device to update the capabilities of the ksm in its request queue directly. Also introduce blk_ksm_is_superset() which checks whether one ksm's capabilities are a (not necessarily strict) superset of another ksm's. The blk-crypto framework requires that crypto capabilities that were advertised when a bio was created continue to be supported by the device until that bio is ended - in practice this probably means that a device's advertised crypto capabilities can *never* "shrink" (since there's no synchronization between bio creation and when a device may want to change its advertised capabilities) - so a previously advertised crypto capability must always continue to be supported. This function can be used to check that a new ksm is a valid replacement for an old ksm. Signed-off-by: Satya Tangirala --- block/keyslot-manager.c | 91 +++++++++++++++++++++++++++++++++ include/linux/keyslot-manager.h | 9 ++++ 2 files changed, 100 insertions(+) diff --git a/block/keyslot-manager.c b/block/keyslot-manager.c index ac7ce83a76e8..f13ab7410eca 100644 --- a/block/keyslot-manager.c +++ b/block/keyslot-manager.c @@ -424,6 +424,97 @@ void blk_ksm_unregister(struct request_queue *q) q->ksm = NULL; } +/** + * blk_ksm_intersect_modes() - restrict supported modes by child device + * @parent: The keyslot manager for parent device + * @child: The keyslot manager for child device, or NULL + * + * Clear any crypto mode support bits in @parent that aren't set in @child. + * If @child is NULL, then all parent bits are cleared. + * + * Only use this when setting up the keyslot manager for a layered device, + * before it's been exposed yet. + */ +void blk_ksm_intersect_modes(struct blk_keyslot_manager *parent, + const struct blk_keyslot_manager *child) +{ + if (child) { + unsigned int i; + + parent->max_dun_bytes_supported = + min(parent->max_dun_bytes_supported, + child->max_dun_bytes_supported); + for (i = 0; i < ARRAY_SIZE(child->crypto_modes_supported); + i++) { + parent->crypto_modes_supported[i] &= + child->crypto_modes_supported[i]; + } + } else { + parent->max_dun_bytes_supported = 0; + memset(parent->crypto_modes_supported, 0, + sizeof(parent->crypto_modes_supported)); + } +} +EXPORT_SYMBOL_GPL(blk_ksm_intersect_modes); + +/** + * blk_ksm_is_superset() - Check if a KSM supports a superset of crypto modes + * and DUN bytes that another KSM supports. Here, + * "superset" refers to the mathematical meaning of the + * word - i.e. if two KSMs have the *same* capabilities, + * they *are* considered supersets of each other. + * @ksm_superset: The KSM that we want to verify is a superset + * @ksm_subset: The KSM that we want to verify is a subset + * + * Return: True if @ksm_superset supports a superset of the crypto modes and DUN + * bytes that @ksm_subset supports. + */ +bool blk_ksm_is_superset(struct blk_keyslot_manager *ksm_superset, + struct blk_keyslot_manager *ksm_subset) +{ + int i; + + if (!ksm_subset) + return true; + + if (!ksm_superset) + return false; + + for (i = 0; i < ARRAY_SIZE(ksm_superset->crypto_modes_supported); i++) { + if (ksm_subset->crypto_modes_supported[i] & + (~ksm_superset->crypto_modes_supported[i])) { + return false; + } + } + + if (ksm_subset->max_dun_bytes_supported > + ksm_superset->max_dun_bytes_supported) { + return false; + } + + return true; +} +EXPORT_SYMBOL_GPL(blk_ksm_is_superset); + +/** + * blk_ksm_update_capabilities() - Update the restrictions of a KSM to those of + * another KSM + * @target_ksm: The KSM whose restrictions to update. + * @reference_ksm: The KSM to whose restrictions this function will update + * @target_ksm's restrictions to, + */ +void blk_ksm_update_capabilities(struct blk_keyslot_manager *target_ksm, + struct blk_keyslot_manager *reference_ksm) +{ + memcpy(target_ksm->crypto_modes_supported, + reference_ksm->crypto_modes_supported, + sizeof(target_ksm->crypto_modes_supported)); + + target_ksm->max_dun_bytes_supported = + reference_ksm->max_dun_bytes_supported; +} +EXPORT_SYMBOL_GPL(blk_ksm_update_capabilities); + /** * blk_ksm_init_passthrough() - Init a passthrough keyslot manager * @ksm: The keyslot manager to init diff --git a/include/linux/keyslot-manager.h b/include/linux/keyslot-manager.h index 323e15dd6fa7..164568f52be7 100644 --- a/include/linux/keyslot-manager.h +++ b/include/linux/keyslot-manager.h @@ -103,6 +103,15 @@ void blk_ksm_reprogram_all_keys(struct blk_keyslot_manager *ksm); void blk_ksm_destroy(struct blk_keyslot_manager *ksm); +void blk_ksm_intersect_modes(struct blk_keyslot_manager *parent, + const struct blk_keyslot_manager *child); + void blk_ksm_init_passthrough(struct blk_keyslot_manager *ksm); +bool blk_ksm_is_superset(struct blk_keyslot_manager *ksm_superset, + struct blk_keyslot_manager *ksm_subset); + +void blk_ksm_update_capabilities(struct blk_keyslot_manager *target_ksm, + struct blk_keyslot_manager *reference_ksm); + #endif /* __LINUX_KEYSLOT_MANAGER_H */ From patchwork Tue Dec 29 08:55:21 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Satya Tangirala X-Patchwork-Id: 11997465 X-Patchwork-Delegate: snitzer@redhat.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.8 required=3.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D024BC433E0 for ; Mon, 4 Jan 2021 19:04:26 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 4DB782226A for ; Mon, 4 Jan 2021 19:04:26 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 4DB782226A Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=tempfail smtp.mailfrom=dm-devel-bounces@redhat.com Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-303-7d__e3hoMUuRt6b1w3iv8w-1; Mon, 04 Jan 2021 14:04:22 -0500 X-MC-Unique: 7d__e3hoMUuRt6b1w3iv8w-1 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id ADBED802E7E; Mon, 4 Jan 2021 19:04:13 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 8F61F5D9DD; Mon, 4 Jan 2021 19:04:13 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 64AF25002F; Mon, 4 Jan 2021 19:04:13 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 0BT8tdDr010777 for ; Tue, 29 Dec 2020 03:55:40 -0500 Received: by smtp.corp.redhat.com (Postfix) id CEFFC2166B28; Tue, 29 Dec 2020 08:55:39 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast04.extmail.prod.ext.rdu2.redhat.com [10.11.55.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id C8C292166B2A for ; Tue, 29 Dec 2020 08:55:38 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-2.mimecast.com [205.139.110.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 2095C101A562 for ; Tue, 29 Dec 2020 08:55:38 +0000 (UTC) Received: from mail-yb1-f202.google.com (mail-yb1-f202.google.com [209.85.219.202]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-182-KOa6zGrPM5CxmZ5Qkp9UHQ-1; Tue, 29 Dec 2020 03:55:35 -0500 X-MC-Unique: KOa6zGrPM5CxmZ5Qkp9UHQ-1 Received: by mail-yb1-f202.google.com with SMTP id x17so22466978ybs.12 for ; Tue, 29 Dec 2020 00:55:35 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=AHsPHV5g9RiEHoBH6SgrbuZwM40nn1MQir4HViM7xto=; b=FR+a1AQrVLT/2EyHtD7EHZNyRXjh4MRd3R2moWc3lzLN5FoN2T0v4sw+sEGsfl9EK4 zHLSkHUxrW3TTY/3gU0Sis11M1RUfIoJkgi1lXHCH63veaoR0Dw70MiwB3kleXcWbraJ U18D/81vJHJAMt6U2Kmuo1IFtW9j+nnA4q6EzoRDxF+AWWTbDtUMt51b06Z9hAzQXqM1 0P9Ehsmp+WK6XD7cUniWTqY2iVPBDYouio8MR5+AWIi8WTGqCGDKQAP3AfPPTbGw2bv4 2/x00+cd4uXpUZNkMAAJ1cIq5Qy7geVpT5/4jEBb2oQ9vQopJ54qS30FYeCjNJ0Bs4Rw nJbw== X-Gm-Message-State: AOAM532aGj/RzvXZ9uzNhePcZgMoGiRNGMauPJjURVlLjwQI/sW6XFyC DdhDDv9gOY6SA5aN3AwxHv+61d5sr7M= X-Google-Smtp-Source: ABdhPJwIU2/+76JfZ0atQI7PL99ZSXBC19tXBqc2dV0+l4PnayNyqylFZ8JBldRK5exI+pBQZrNvkQdIREA= X-Received: from satyaprateek.c.googlers.com ([fda3:e722:ac3:10:24:72f4:c0a8:1092]) (user=satyat job=sendgmr) by 2002:a25:aea8:: with SMTP id b40mr71477368ybj.347.1609232134987; Tue, 29 Dec 2020 00:55:34 -0800 (PST) Date: Tue, 29 Dec 2020 08:55:21 +0000 In-Reply-To: <20201229085524.2795331-1-satyat@google.com> Message-Id: <20201229085524.2795331-4-satyat@google.com> Mime-Version: 1.0 References: <20201229085524.2795331-1-satyat@google.com> From: Satya Tangirala To: linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, dm-devel@redhat.com X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6 X-loop: dm-devel@redhat.com X-Mailman-Approved-At: Mon, 04 Jan 2021 14:03:12 -0500 Cc: Jens Axboe , Satya Tangirala , Mike Snitzer , Alasdair Kergon , Eric Biggers Subject: [dm-devel] [PATCH v3 3/6] dm: add support for passing through inline crypto support X-BeenThere: dm-devel@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: device-mapper development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: dm-devel-bounces@redhat.com Errors-To: dm-devel-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=dm-devel-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Update the device-mapper core to support exposing the inline crypto support of the underlying device(s) through the device-mapper device. This works by creating a "passthrough keyslot manager" for the dm device, which declares support for encryption settings which all underlying devices support. When a supported setting is used, the bio cloning code handles cloning the crypto context to the bios for all the underlying devices. When an unsupported setting is used, the blk-crypto fallback is used as usual. Crypto support on each underlying device is ignored unless the corresponding dm target opts into exposing it. This is needed because for inline crypto to semantically operate on the original bio, the data must not be transformed by the dm target. Thus, targets like dm-linear can expose crypto support of the underlying device, but targets like dm-crypt can't. (dm-crypt could use inline crypto itself, though.) A DM device's table can only be changed if the "new" inline encryption capabilities are a (*not* necessarily strict) superset of the "old" inline encryption capabilities. Attempts to make changes to the table that result in some inline encryption capability becoming no longer supported will be rejected. For the sake of clarity, key eviction from underlying devices will be handled in a future patch. Co-developed-by: Eric Biggers Signed-off-by: Eric Biggers Signed-off-by: Satya Tangirala --- drivers/md/dm.c | 164 +++++++++++++++++++++++++++++++- include/linux/device-mapper.h | 6 ++ include/linux/keyslot-manager.h | 8 ++ 3 files changed, 177 insertions(+), 1 deletion(-) diff --git a/drivers/md/dm.c b/drivers/md/dm.c index b3c3c8b4cb42..13b9c8e2e21b 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -28,6 +28,7 @@ #include #include #include +#include #define DM_MSG_PREFIX "core" @@ -1718,6 +1719,8 @@ static const struct dax_operations dm_dax_ops; static void dm_wq_work(struct work_struct *work); +static void dm_destroy_inline_encryption(struct request_queue *q); + static void cleanup_mapped_device(struct mapped_device *md) { if (md->wq) @@ -1739,8 +1742,10 @@ static void cleanup_mapped_device(struct mapped_device *md) put_disk(md->disk); } - if (md->queue) + if (md->queue) { + dm_destroy_inline_encryption(md->queue); blk_cleanup_queue(md->queue); + } cleanup_srcu_struct(&md->io_barrier); @@ -1937,6 +1942,150 @@ static void event_callback(void *context) dm_issue_global_event(); } +#ifdef CONFIG_BLK_INLINE_ENCRYPTION + +struct dm_keyslot_manager { + struct blk_keyslot_manager ksm; + struct mapped_device *md; +}; + +static int device_intersect_crypto_modes(struct dm_target *ti, + struct dm_dev *dev, sector_t start, + sector_t len, void *data) +{ + struct blk_keyslot_manager *parent = data; + struct blk_keyslot_manager *child = bdev_get_queue(dev->bdev)->ksm; + + blk_ksm_intersect_modes(parent, child); + return 0; +} + +static void dm_destroy_keyslot_manager(struct blk_keyslot_manager *ksm) +{ + struct dm_keyslot_manager *dksm = container_of(ksm, + struct dm_keyslot_manager, + ksm); + + if (!ksm) + return; + + blk_ksm_destroy(ksm); + kfree(dksm); +} + +/* + * Constructs and returns a keyslot manager that represents the crypto + * capabilities of the devices described by the dm_table. However, if the + * constructed keyslot manager does not support a superset of the crypto + * capabilities supported by the current keyslot manager of the mapped_device, + * it returns an error instead, since we don't support restricting crypto + * capabilities on table changes. Finally, if the constructed keyslot manager + * doesn't actually support any crypto modes at all, it just returns NULL. + */ +static struct blk_keyslot_manager * +dm_construct_keyslot_manager(struct mapped_device *md, struct dm_table *t) +{ + struct dm_keyslot_manager *dksm; + struct blk_keyslot_manager *ksm; + struct dm_target *ti; + unsigned int i; + bool ksm_is_empty = true; + + dksm = kmalloc(sizeof(*dksm), GFP_KERNEL); + if (!dksm) + return ERR_PTR(-ENOMEM); + dksm->md = md; + + ksm = &dksm->ksm; + blk_ksm_init_passthrough(ksm); + ksm->max_dun_bytes_supported = UINT_MAX; + memset(ksm->crypto_modes_supported, 0xFF, + sizeof(ksm->crypto_modes_supported)); + + for (i = 0; i < dm_table_get_num_targets(t); i++) { + ti = dm_table_get_target(t, i); + + if (!dm_target_passes_crypto(ti->type)) { + blk_ksm_intersect_modes(ksm, NULL); + break; + } + if (!ti->type->iterate_devices) + continue; + ti->type->iterate_devices(ti, device_intersect_crypto_modes, + ksm); + } + + if (!blk_ksm_is_superset(ksm, md->queue->ksm)) { + DMWARN("Inline encryption capabilities of new DM table were more restrictive than the old table's. This is not supported!"); + dm_destroy_keyslot_manager(ksm); + return ERR_PTR(-EINVAL); + } + + /* + * If the new KSM doesn't actually support any crypto modes, we may as + * well represent it with a NULL ksm. + */ + ksm_is_empty = true; + for (i = 0; i < ARRAY_SIZE(ksm->crypto_modes_supported); i++) { + if (ksm->crypto_modes_supported[i]) { + ksm_is_empty = false; + break; + } + } + + if (ksm_is_empty) { + dm_destroy_keyslot_manager(ksm); + ksm = NULL; + } + + return ksm; +} + +static void dm_update_keyslot_manager(struct request_queue *q, + struct blk_keyslot_manager *ksm) +{ + if (!ksm) + return; + + /* Make the ksm less restrictive */ + if (!q->ksm) { + blk_ksm_register(ksm, q); + } else { + blk_ksm_update_capabilities(q->ksm, ksm); + dm_destroy_keyslot_manager(ksm); + } +} + +static void dm_destroy_inline_encryption(struct request_queue *q) +{ + if (!q->ksm) + return; + dm_destroy_keyslot_manager(q->ksm); +} + +#else /* CONFIG_BLK_INLINE_ENCRYPTION */ + +static inline struct blk_keyslot_manager * +dm_construct_keyslot_manager(struct mapped_device *md, struct dm_table *t) +{ + return NULL; +} + +static void dm_update_keyslot_manager(struct request_queue *q, + struct blk_keyslot_manager *ksm) +{ +} + +static void dm_destroy_keyslot_manager(struct blk_keyslot_manager *ksm) +{ +} + +static inline void dm_destroy_inline_encryption(struct request_queue *q) +{ +} + +#endif /* !CONFIG_BLK_INLINE_ENCRYPTION */ + /* * Returns old map, which caller must destroy. */ @@ -2332,6 +2481,7 @@ struct dm_table *dm_swap_table(struct mapped_device *md, struct dm_table *table) { struct dm_table *live_map = NULL, *map = ERR_PTR(-EINVAL); struct queue_limits limits; + struct blk_keyslot_manager *ksm; int r; mutex_lock(&md->suspend_lock); @@ -2361,7 +2511,19 @@ struct dm_table *dm_swap_table(struct mapped_device *md, struct dm_table *table) } } + ksm = dm_construct_keyslot_manager(md, table); + if (IS_ERR(ksm)) { + map = ERR_CAST(ksm); + goto out; + } + map = __bind(md, table, &limits); + + if (IS_ERR(map)) + dm_destroy_keyslot_manager(ksm); + else + dm_update_keyslot_manager(md->queue, ksm); + dm_issue_global_event(); out: diff --git a/include/linux/device-mapper.h b/include/linux/device-mapper.h index 61a66fb8ebb3..0d5794a0a89a 100644 --- a/include/linux/device-mapper.h +++ b/include/linux/device-mapper.h @@ -257,6 +257,12 @@ struct target_type { #define DM_TARGET_NOWAIT 0x00000080 #define dm_target_supports_nowait(type) ((type)->features & DM_TARGET_NOWAIT) +/* + * + */ +#define DM_TARGET_PASSES_CRYPTO 0x00000100 +#define dm_target_passes_crypto(type) ((type)->features & DM_TARGET_PASSES_CRYPTO) + struct dm_target { struct dm_table *table; struct target_type *type; diff --git a/include/linux/keyslot-manager.h b/include/linux/keyslot-manager.h index 164568f52be7..9164c1c72288 100644 --- a/include/linux/keyslot-manager.h +++ b/include/linux/keyslot-manager.h @@ -11,6 +11,8 @@ struct blk_keyslot_manager; +#ifdef CONFIG_BLK_INLINE_ENCRYPTION + /** * struct blk_ksm_ll_ops - functions to manage keyslots in hardware * @keyslot_program: Program the specified key into the specified slot in the @@ -114,4 +116,10 @@ bool blk_ksm_is_superset(struct blk_keyslot_manager *ksm_superset, void blk_ksm_update_capabilities(struct blk_keyslot_manager *target_ksm, struct blk_keyslot_manager *reference_ksm); +#else /* CONFIG_BLK_INLINE_ENCRYPTION */ + +static inline void blk_ksm_destroy(struct blk_keyslot_manager *ksm) { } + +#endif /* CONFIG_BLK_INLINE_ENCRYPTION */ + #endif /* __LINUX_KEYSLOT_MANAGER_H */ From patchwork Tue Dec 29 08:55:22 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Satya Tangirala X-Patchwork-Id: 11997457 X-Patchwork-Delegate: snitzer@redhat.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.8 required=3.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CA800C433E0 for ; Mon, 4 Jan 2021 19:04:18 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 48AAD2068D for ; Mon, 4 Jan 2021 19:04:18 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 48AAD2068D Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=tempfail smtp.mailfrom=dm-devel-bounces@redhat.com Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-125-CVIFHEKZOMOnrMLOaArxBQ-1; Mon, 04 Jan 2021 14:04:05 -0500 X-MC-Unique: CVIFHEKZOMOnrMLOaArxBQ-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 4D11E801ADF; Mon, 4 Jan 2021 19:03:50 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 2EA816F92F; Mon, 4 Jan 2021 19:03:50 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 02D6F1809CB1; Mon, 4 Jan 2021 19:03:50 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 0BT8tg4A010786 for ; Tue, 29 Dec 2020 03:55:42 -0500 Received: by smtp.corp.redhat.com (Postfix) id 08AD31112870; Tue, 29 Dec 2020 08:55:42 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast03.extmail.prod.ext.rdu2.redhat.com [10.11.55.19]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 050DE111286E for ; Tue, 29 Dec 2020 08:55:40 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [205.139.110.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 54B0E811E78 for ; Tue, 29 Dec 2020 08:55:40 +0000 (UTC) Received: from mail-yb1-f201.google.com (mail-yb1-f201.google.com [209.85.219.201]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-158-Lae0XeHDNCy97ZyToeRp1A-1; Tue, 29 Dec 2020 03:55:38 -0500 X-MC-Unique: Lae0XeHDNCy97ZyToeRp1A-1 Received: by mail-yb1-f201.google.com with SMTP id a206so22802955ybg.0 for ; Tue, 29 Dec 2020 00:55:37 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=r1uNbK6vumQ2S39nZ29dwK/wuBEGW5LyLS9BAyhIDUk=; b=p3B3ZCqvV3oRmY1TZnwRcKwrWO3p7MaYNgiWbCqbqUGbLHBDq983V9yasevLq5I/gJ Suh6FDSVDe/eIR/eqzXZ+DGPDmvi+lgKX+1UxC2rO1sDEDpHsWdOrMj3kgruGq6KZBej mEzwfG+Nhcku0ywgBKM8lA11JIJmOx8m6RNcfQ+hBxiDhkIF9WmQfK/Y6kVVe3K2esbL 7YwuSTEjXne39PRu4Z58i8Y3ntY0vIOhOMuJkg9cPbzNctGOrzqgh9l8Y2RVO8Xts1pK Ojrplft0rl0y6MaqswY8rIXH+GZEmhaj7jCLBOLpwlTmokqAGwY+pswW4mD2Rc7EvtG4 nHKA== X-Gm-Message-State: AOAM533LWcwHyylcE7j4dOqE/l9MF6n9inVI9ELPZUbMlTHcU7nyhy1Q VpdWhA5Z+dyk081bpqL6q9QtFXyhmo0= X-Google-Smtp-Source: ABdhPJwAOebr5YmlpPKNLl4A1ee+wOmB1Pjbxc5UpF9vjNQ+t39UJhcZfwlSIs9MpPG+YVcV9uIsQgPy5Q0= X-Received: from satyaprateek.c.googlers.com ([fda3:e722:ac3:10:24:72f4:c0a8:1092]) (user=satyat job=sendgmr) by 2002:a25:aa91:: with SMTP id t17mr63938387ybi.394.1609232137422; Tue, 29 Dec 2020 00:55:37 -0800 (PST) Date: Tue, 29 Dec 2020 08:55:22 +0000 In-Reply-To: <20201229085524.2795331-1-satyat@google.com> Message-Id: <20201229085524.2795331-5-satyat@google.com> Mime-Version: 1.0 References: <20201229085524.2795331-1-satyat@google.com> From: Satya Tangirala To: linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, dm-devel@redhat.com X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3 X-loop: dm-devel@redhat.com X-Mailman-Approved-At: Mon, 04 Jan 2021 14:03:12 -0500 Cc: Jens Axboe , Satya Tangirala , Mike Snitzer , Alasdair Kergon , Eric Biggers Subject: [dm-devel] [PATCH v3 4/6] dm: Support key eviction from keyslot managers of underlying devices X-BeenThere: dm-devel@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: device-mapper development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: dm-devel-bounces@redhat.com Errors-To: dm-devel-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=dm-devel-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Now that device mapper supports inline encryption, add the ability to evict keys from all underlying devices. When an upper layer requests a key eviction, we simply iterate through all underlying devices and evict that key from each device. Co-developed-by: Eric Biggers Signed-off-by: Eric Biggers Signed-off-by: Satya Tangirala --- block/blk-crypto.c | 1 + drivers/md/dm.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 54 insertions(+) diff --git a/block/blk-crypto.c b/block/blk-crypto.c index 5da43f0973b4..c2be8f15006c 100644 --- a/block/blk-crypto.c +++ b/block/blk-crypto.c @@ -409,3 +409,4 @@ int blk_crypto_evict_key(struct request_queue *q, */ return blk_crypto_fallback_evict_key(key); } +EXPORT_SYMBOL_GPL(blk_crypto_evict_key); diff --git a/drivers/md/dm.c b/drivers/md/dm.c index 13b9c8e2e21b..b8844171d8e4 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -1949,6 +1949,58 @@ struct dm_keyslot_manager { struct mapped_device *md; }; +struct dm_keyslot_evict_args { + const struct blk_crypto_key *key; + int err; +}; + +static int dm_keyslot_evict_callback(struct dm_target *ti, struct dm_dev *dev, + sector_t start, sector_t len, void *data) +{ + struct dm_keyslot_evict_args *args = data; + int err; + + err = blk_crypto_evict_key(bdev_get_queue(dev->bdev), args->key); + if (!args->err) + args->err = err; + /* Always try to evict the key from all devices. */ + return 0; +} + +/* + * When an inline encryption key is evicted from a device-mapper device, evict + * it from all the underlying devices. + */ +static int dm_keyslot_evict(struct blk_keyslot_manager *ksm, + const struct blk_crypto_key *key, unsigned int slot) +{ + struct dm_keyslot_manager *dksm = container_of(ksm, + struct dm_keyslot_manager, + ksm); + struct mapped_device *md = dksm->md; + struct dm_keyslot_evict_args args = { key }; + struct dm_table *t; + int srcu_idx; + int i; + struct dm_target *ti; + + t = dm_get_live_table(md, &srcu_idx); + if (!t) + return 0; + for (i = 0; i < dm_table_get_num_targets(t); i++) { + ti = dm_table_get_target(t, i); + if (!ti->type->iterate_devices) + continue; + ti->type->iterate_devices(ti, dm_keyslot_evict_callback, &args); + } + dm_put_live_table(md, srcu_idx); + return args.err; +} + +static struct blk_ksm_ll_ops dm_ksm_ll_ops = { + .keyslot_evict = dm_keyslot_evict, +}; + static int device_intersect_crypto_modes(struct dm_target *ti, struct dm_dev *dev, sector_t start, sector_t len, void *data) @@ -1998,6 +2050,7 @@ dm_construct_keyslot_manager(struct mapped_device *md, struct dm_table *t) ksm = &dksm->ksm; blk_ksm_init_passthrough(ksm); + ksm->ksm_ll_ops = dm_ksm_ll_ops; ksm->max_dun_bytes_supported = UINT_MAX; memset(ksm->crypto_modes_supported, 0xFF, sizeof(ksm->crypto_modes_supported)); From patchwork Tue Dec 29 08:55:23 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Satya Tangirala X-Patchwork-Id: 11997439 X-Patchwork-Delegate: snitzer@redhat.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.8 required=3.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C2E8AC433DB for ; Mon, 4 Jan 2021 19:04:05 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [63.128.21.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 4812A206A4 for ; Mon, 4 Jan 2021 19:04:05 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 4812A206A4 Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=tempfail smtp.mailfrom=dm-devel-bounces@redhat.com Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-44-V3KA48jUO9i9XIoCwwvBZA-1; Mon, 04 Jan 2021 14:04:02 -0500 X-MC-Unique: V3KA48jUO9i9XIoCwwvBZA-1 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 395C5107ACFE; Mon, 4 Jan 2021 19:03:52 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 1A3621001E73; Mon, 4 Jan 2021 19:03:52 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id E44265003B; Mon, 4 Jan 2021 19:03:51 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 0BT8tiDH010797 for ; Tue, 29 Dec 2020 03:55:44 -0500 Received: by smtp.corp.redhat.com (Postfix) id 5F23C2026D49; Tue, 29 Dec 2020 08:55:44 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast04.extmail.prod.ext.rdu2.redhat.com [10.11.55.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 5A77D2026D47 for ; Tue, 29 Dec 2020 08:55:44 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-1.mimecast.com [205.139.110.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 465DB101A560 for ; Tue, 29 Dec 2020 08:55:44 +0000 (UTC) Received: from mail-pf1-f201.google.com (mail-pf1-f201.google.com [209.85.210.201]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-456-NAkjc2XmPT2-DtPeFu8ULg-1; Tue, 29 Dec 2020 03:55:40 -0500 X-MC-Unique: NAkjc2XmPT2-DtPeFu8ULg-1 Received: by mail-pf1-f201.google.com with SMTP id 22so4274155pfv.22 for ; Tue, 29 Dec 2020 00:55:39 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=2LL28w8HYDB56TY4Xorb2dz9gBz+2+A0z3a585XX/NA=; b=bKf/3JEHItykqAvRN8stWPXZ11jUxJSgrrP3lP9KPsI5G9X/+U3JDRBPIOfuX1zUPb 2B8FeTRrbv+gTDvMYjSVS1aUlru10v9CLsE7RJfqTUKjuiuAmZLlpccb2q4NTsK0Gu5r /Lka6Yb6hlD09vlZRMtJPFjLYGEWNl+BNOdN40hr3R++ZVzLMi96ngw+944X+Ic4UiiK rFj5F6ZFBUmiq+rbfK9wus/Uo5kTy3ethvDuh9/SV3cfkHVi3ftsE7z3wKW6ya0xAyp2 bOH0+5ZDfzeAabQoofWhm7VhbKVug+mSdGQADYst06nUP2Re+yvX5mJ7DySxap0B4L88 3IAw== X-Gm-Message-State: AOAM533EwWti0kCrFguf+40VWS7boO3qAw1pGfouE2QgtgLk8lUkF1JD pfXIXcNCmNaI+JdJAYNWt2CRP00A3iw= X-Google-Smtp-Source: ABdhPJy6RhyhTBX3auLabsBxWya+RNuNUROjMBZdQZOWghOMiLaEGenNF5fpXuLFLtCdUUfLnFSYw+uPxJE= X-Received: from satyaprateek.c.googlers.com ([fda3:e722:ac3:10:24:72f4:c0a8:1092]) (user=satyat job=sendgmr) by 2002:a17:902:a585:b029:db:feae:425c with SMTP id az5-20020a170902a585b02900dbfeae425cmr48031963plb.25.1609232138954; Tue, 29 Dec 2020 00:55:38 -0800 (PST) Date: Tue, 29 Dec 2020 08:55:23 +0000 In-Reply-To: <20201229085524.2795331-1-satyat@google.com> Message-Id: <20201229085524.2795331-6-satyat@google.com> Mime-Version: 1.0 References: <20201229085524.2795331-1-satyat@google.com> From: Satya Tangirala To: linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, dm-devel@redhat.com X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-loop: dm-devel@redhat.com X-Mailman-Approved-At: Mon, 04 Jan 2021 14:03:12 -0500 Cc: Jens Axboe , Satya Tangirala , Mike Snitzer , Alasdair Kergon , Eric Biggers Subject: [dm-devel] [PATCH v3 5/6] dm: Verify inline encryption capabilities of new table when it is loaded X-BeenThere: dm-devel@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: device-mapper development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: dm-devel-bounces@redhat.com Errors-To: dm-devel-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=dm-devel-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com DM only allows the table to be swapped if the new table's inline encryption capabilities are a superset of the old table's. We only check that this constraint is true when the table is actually swapped in (in dm_swap_table()). But this allows a user to load an unacceptable table without any complaint from DM, only for DM to throw an error when the device is resumed, and the table is swapped in. This patch makes DM verify the inline encryption capabilities of the new table when the table is loaded. DM continues to verify and use the capabilities at the time of table swap, since the capabilities of underlying child devices can expand during the time between the table load and table swap (which in turn can cause the capabilities of this parent device to expand as well). Signed-off-by: Satya Tangirala --- drivers/md/dm-ioctl.c | 8 ++++++++ drivers/md/dm.c | 25 +++++++++++++++++++++++++ drivers/md/dm.h | 19 +++++++++++++++++++ 3 files changed, 52 insertions(+) diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 5e306bba4375..055a3c745243 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1358,6 +1358,10 @@ static int table_load(struct file *filp, struct dm_ioctl *param, size_t param_si goto err_unlock_md_type; } + r = dm_verify_inline_encryption(md, t); + if (r) + goto err_unlock_md_type; + if (dm_get_md_type(md) == DM_TYPE_NONE) { /* Initial table load: acquire type of table. */ dm_set_md_type(md, dm_table_get_type(t)); @@ -2115,6 +2119,10 @@ int __init dm_early_create(struct dm_ioctl *dmi, if (r) goto err_destroy_table; + r = dm_verify_inline_encryption(md, t); + if (r) + goto err_destroy_table; + md->type = dm_table_get_type(t); /* setup md->queue to reflect md's type (may block) */ r = dm_setup_md_queue(md, t); diff --git a/drivers/md/dm.c b/drivers/md/dm.c index b8844171d8e4..04322de34d29 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -2094,6 +2094,31 @@ dm_construct_keyslot_manager(struct mapped_device *md, struct dm_table *t) return ksm; } +/** + * dm_verify_inline_encryption() - Verifies that the current keyslot manager of + * the mapped_device can be replaced by the + * keyslot manager of a given dm_table. + * @md: The mapped_device + * @t: The dm_table + * + * In particular, this function checks that the keyslot manager that will be + * constructed for the dm_table will support a superset of the capabilities that + * the current keyslot manager of the mapped_device supports. + * + * Return: 0 if the table's keyslot_manager can replace the current keyslot + * manager of the mapped_device. Negative value otherwise. + */ +int dm_verify_inline_encryption(struct mapped_device *md, struct dm_table *t) +{ + struct blk_keyslot_manager *ksm = dm_construct_keyslot_manager(md, t); + + if (IS_ERR(ksm)) + return PTR_ERR(ksm); + dm_destroy_keyslot_manager(ksm); + + return 0; +} + static void dm_update_keyslot_manager(struct request_queue *q, struct blk_keyslot_manager *ksm) { diff --git a/drivers/md/dm.h b/drivers/md/dm.h index fffe1e289c53..eaf92e4cbe70 100644 --- a/drivers/md/dm.h +++ b/drivers/md/dm.h @@ -208,4 +208,23 @@ void dm_free_md_mempools(struct dm_md_mempools *pools); */ unsigned dm_get_reserved_bio_based_ios(void); +/* + * Inline Encryption + */ +struct blk_keyslot_manager; + +#ifdef CONFIG_BLK_INLINE_ENCRYPTION + +int dm_verify_inline_encryption(struct mapped_device *md, struct dm_table *t); + +#else /* !CONFIG_BLK_INLINE_ENCRYPTION */ + +static inline int dm_verify_inline_encryption(struct mapped_device *md, + struct dm_table *t) +{ + return 0; +} + +#endif /* !CONFIG_BLK_INLINE_ENCRYPTION */ + #endif From patchwork Tue Dec 29 08:55:24 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Satya Tangirala X-Patchwork-Id: 11997453 X-Patchwork-Delegate: snitzer@redhat.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.8 required=3.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 56AE1C433E9 for ; Mon, 4 Jan 2021 19:04:16 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [63.128.21.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id D7C042068D for ; Mon, 4 Jan 2021 19:04:15 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org D7C042068D Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=tempfail smtp.mailfrom=dm-devel-bounces@redhat.com Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-304-1-5hct6iO_mw8uCK3Rfx6g-1; Mon, 04 Jan 2021 14:04:10 -0500 X-MC-Unique: 1-5hct6iO_mw8uCK3Rfx6g-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 6C91A9CC24; Mon, 4 Jan 2021 19:04:03 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 48E5C71C88; Mon, 4 Jan 2021 19:04:03 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 1EB1B1809CB9; Mon, 4 Jan 2021 19:04:03 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 0BT8txSJ010842 for ; Tue, 29 Dec 2020 03:55:59 -0500 Received: by smtp.corp.redhat.com (Postfix) id AB6332166B2C; Tue, 29 Dec 2020 08:55:59 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast02.extmail.prod.ext.rdu2.redhat.com [10.11.55.18]) by smtp.corp.redhat.com (Postfix) with ESMTPS id A552E2166B2A for ; Tue, 29 Dec 2020 08:55:57 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [205.139.110.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 3C366800198 for ; Tue, 29 Dec 2020 08:55:57 +0000 (UTC) Received: from mail-qt1-f202.google.com (mail-qt1-f202.google.com [209.85.160.202]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-472-kRuP1EyKOO-2rH53JtCRAw-1; Tue, 29 Dec 2020 03:55:54 -0500 X-MC-Unique: kRuP1EyKOO-2rH53JtCRAw-1 Received: by mail-qt1-f202.google.com with SMTP id c14so7275525qtn.5 for ; Tue, 29 Dec 2020 00:55:54 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=3bO6YItz9vvTQJgokX465W6GGn8iDP/PMw/J2QDO/So=; b=LvzdZjB+UnSzsnGQIXtk95goH2Haa98it42nbKlYzUsWgUmygizF7xtGi/lN4B30vv 6iGnLrxEoDVGt9x9ZoqCf1ZLmb+m/lMdhXYllXyWSBmZ4tJmBLEOfU6Wwey4nlEeLrTH 7Wkjf0p/xr21f9jg467mn6IumMrPv+3o43NwdegoLXW2foWQLBBzSTjaOST2gRf/Cb7x UdR8sN2SA6AaMWxMAh63bcc4ognq97ZpNPFV7ebgAut7Vy1jkG48EDnxsSKodSYPhrkY WtBErfagWQX0HlwxIg1yyWIM7hv53mf086Houum4fw1ZjqUDQdFFEoe4gyXKMkDTjK/J Mb0Q== X-Gm-Message-State: AOAM530CPYN94KiGUrEvvw/l/0HMEVUEr33KWmpa3UdaVTBKd96OHHN8 TRay3Ym9zkrKnj0AZe9eFFflQpma+ks= X-Google-Smtp-Source: ABdhPJxhU4q7GN5C1Z1AyzKVyRUGN5znZ+v3G/MJUPuiA4RVAhWGOcFupFszWQEI8exuXS9BJFU+l6WmdIw= X-Received: from satyaprateek.c.googlers.com ([fda3:e722:ac3:10:24:72f4:c0a8:1092]) (user=satyat job=sendgmr) by 2002:a0c:99c8:: with SMTP id y8mr50020306qve.35.1609232154123; Tue, 29 Dec 2020 00:55:54 -0800 (PST) Date: Tue, 29 Dec 2020 08:55:24 +0000 In-Reply-To: <20201229085524.2795331-1-satyat@google.com> Message-Id: <20201229085524.2795331-7-satyat@google.com> Mime-Version: 1.0 References: <20201229085524.2795331-1-satyat@google.com> From: Satya Tangirala To: linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, dm-devel@redhat.com X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6 X-loop: dm-devel@redhat.com X-Mailman-Approved-At: Mon, 04 Jan 2021 14:03:12 -0500 Cc: Jens Axboe , Satya Tangirala , Mike Snitzer , Alasdair Kergon , Eric Biggers Subject: [dm-devel] [PATCH v3 6/6] dm: set DM_TARGET_PASSES_CRYPTO feature for some targets X-BeenThere: dm-devel@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: device-mapper development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: dm-devel-bounces@redhat.com Errors-To: dm-devel-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=dm-devel-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com dm-linear and dm-flakey obviously can pass through inline crypto support. Co-developed-by: Eric Biggers Signed-off-by: Eric Biggers Signed-off-by: Satya Tangirala --- drivers/md/dm-flakey.c | 4 +++- drivers/md/dm-linear.c | 5 +++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/md/dm-flakey.c b/drivers/md/dm-flakey.c index a2cc9e45cbba..30c6bc151213 100644 --- a/drivers/md/dm-flakey.c +++ b/drivers/md/dm-flakey.c @@ -482,8 +482,10 @@ static struct target_type flakey_target = { .name = "flakey", .version = {1, 5, 0}, #ifdef CONFIG_BLK_DEV_ZONED - .features = DM_TARGET_ZONED_HM, + .features = DM_TARGET_ZONED_HM | DM_TARGET_PASSES_CRYPTO, .report_zones = flakey_report_zones, +#else + .features = DM_TARGET_PASSES_CRYPTO, #endif .module = THIS_MODULE, .ctr = flakey_ctr, diff --git a/drivers/md/dm-linear.c b/drivers/md/dm-linear.c index 00774b5d7668..fc9c4272c10d 100644 --- a/drivers/md/dm-linear.c +++ b/drivers/md/dm-linear.c @@ -229,10 +229,11 @@ static struct target_type linear_target = { .version = {1, 4, 0}, #ifdef CONFIG_BLK_DEV_ZONED .features = DM_TARGET_PASSES_INTEGRITY | DM_TARGET_NOWAIT | - DM_TARGET_ZONED_HM, + DM_TARGET_ZONED_HM | DM_TARGET_PASSES_CRYPTO, .report_zones = linear_report_zones, #else - .features = DM_TARGET_PASSES_INTEGRITY | DM_TARGET_NOWAIT, + .features = DM_TARGET_PASSES_INTEGRITY | DM_TARGET_NOWAIT | + DM_TARGET_PASSES_CRYPTO, #endif .module = THIS_MODULE, .ctr = linear_ctr,