On Fri, Jan 17, 2020 at 12:32:21AM -0800, Christoph Hellwig wrote:
>
> File systems don't move data around all that often (saying that with my
> fs developer hat on). In traditional file systems only defragmentation
> will move data around, with extent refcounting it can also happen for
> dedup, and for file systems that write out of place data gets moved
> when parts of a block are rewritten, but in that case a read modify
> write cycle is perfomed in the Linux code anyway, so it will go through
> the inline encryption engined on the way and the way out.
>
> So in other words - specifying an IV would be useful for some use cases,
> but I don't think it is a deal blocker. Even without that is is useful
> for block device level encryption, and could have some usefulness for
> file system encryption usage.
>
> I think that adding an IV would eventually be useful, but fitting that
> into NVMe won't be easy, as you'd need to find a way to specify the IV
> for each submission queue entry, which requires growing it, or finding
> some way to extend it out of band.
Sure, people have even done inline crypto on ext4 before (downstream), using the
LBA for the IV. But log-structured filesystems like f2fs move data blocks
around *without the encryption key*; and at least for fscrypt, f2fs support is
essential. In any case it's also awkward having the physical on-disk location
determine the ciphertext on-disk, as then the result isn't fully controlled by
the encryption settings you set, but also based on where your filesystem is
located on-disk (with extra fun occurring if there's any sort of remapping layer
in between). But sure, it's not *useless* to not be able to specify the IV,
it's just annoying and less useful.
[I was also a bit surprised to see that NVMe won't actually allow specify the
IV, as I thought you had objected to the naming of the INLINE_CRYPT_OPTIMIZED
fscrypt policy flag partly on the grounds that NVMe would support IVs longer
than the 64 bits that UFS is limited to. Perhaps I misunderstood though.]
> > So let's not over-engineer this kernel patchset to support some broken
> > vaporware, please.
>
> Not sharing bio fields for integrity and encryption actually keeps
> the patchset simpler (although uses more memory if both options are
> enabled). So my main point here is to not over engineer it for broken
> premise that won't be true soon.
Well there are 3 options:
(a) Separate fields for bi_crypt_context and bi_integrity
(b) bi_crypt_context and bi_integrity in union
(c) One pointer that can support both features,
e.g. linked list of tagged structs.
It sounds like you're advocating for (a), but I had misunderstood and thought
you're advocating for (c). We'd of course be fine with (a) as it's the
simplest, but other people are saying they prefer (b).
Satya, to resolve this I think you should check how hard (b) is to implement --
i.e. is it easy, or is it really tricky to ensure the features are never used
together? (Considering that it's probably not just a matter of whether any
hardware supports both features, as dm-integrity supports blk-integrity in
software and blk-crypto-fallback supports blk-crypto in software.)
- Eric
