Re: dm-integrity

1. This implementation ( https://kernel.googlesource.com/pub/scm/linux/kernel/git/kasatkin/linux-digsig/+/2dfa67a1a4c049fd33fcc6abcb1c8ca57b17a268/Documentation/device-mapper/dm-integrity.txt ) gives the option to use an external device for metadata and journal. It really affects performance, I think. Do you plan to do analogous functions?

2. Another question: in your implementation, are tags written right after data (e.g. data[512b], tag[32b], data[512b], tag[32b]), or is data stored in one "half" of the disk and tags in another (at the end of the disk, for example)? The second variant gives a VERY HUGE penalty on HDDs.

3. As I see, there are many options (such as journal, buffers and others). Can you give me an example of a parameter configuration that works fully correctly in production (KVMs - VMs -> raw -> EXT4 -> LVM -> MD -> multiple dm-integrity on multiple physical disks)?

04.07.2017 02:57, Renesanso wrote:
Big thanks for the reply and the updated example! Now everything works as I expected, except the internal key.

/integritysetup open /dev/loop7 integra --integrity sha256:276348274682
device-mapper: reload ioctl on  failed: Function not implemented

dmesg: [176470.496481] device-mapper: table: 251:14: integrity: Error setting internal hash key
[176470.496487] device-mapper: ioctl: error adding target to table

uname -a
Linux localhost 4.12.0-rc6 #1 SMP PREEMPT Sun Jun 25 21:30:55 MSK 2017 x86_64 x86_64 x86_64 GNU/Linux

Did I do something wrong?

As I see, there are many options (such as journal, buffers and others). Can you give me an example of a parameter configuration that works fully correctly in production (KVMs - VMs -> raw -> EXT4 -> LVM -> MD -> multiple dm-integrity on multiple physical disks)?

Big big thanks. :)

03.07.2017 18:05, Milan Broz wrote:
On 07/03/2017 06:44 AM, Renesanso wrote:
Hi for all.

Dmitry Kasatkin's fork of linux.git write dm-integrity patch for linux
...

yes, unfortunately we named the target the same (and I realized it too late).

It is doing something similar but definitely it is not the same.

I try to use dmsetup to set up dm-integrity in ecc mode (but if I change a
block on the backend device, dm-integrity gives no reaction and gives another
md5sum to the upper level, but no error); for dm-crypt I cannot understand
how to use AEAD mode.

You probably configured it in a mode where it only provides tag space,
but does not calculate and verify an internal hash.

(ECC means error correction; this target does not provide error correction, only detection of errors. Such a tool could be written on top of dm-integrity though.)

Please give full instructions to use dm-integrity in ecc mode and with
dm-crypt (with kernel keychain creation).

dm-integrity can work in standalone mode or together with dm-crypt.

For the standalone mode, it is best to use the integritysetup tool
(for now in the master branch of the cryptsetup project).
https://gitlab.com/cryptsetup/cryptsetup

There is some simple documentation in the man page and on this page
https://gitlab.com/cryptsetup/cryptsetup/wikis/DMIntegrity

(You can setup HMAC integrity protection in standalone mode as well.)
I will update it soon with some more info and prepare some better examples
(the whole userspace is still not finished though but should work.)

For the combination with dm-crypt and AEAD - this is part of the LUKS2 branch
in the same repository but it is really only for experiments.
Once we have some testing build, I'll write more here, sorry, it takes
longer than I expected.

Milan



--
dm-devel mailing list
dm-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/dm-devel