On 17/04/2021 04:33, Damien Le Moal wrote: > Zone append BIOs (REQ_OP_ZONE_APPEND) always specify the start sector of > the zone to be written instead of the actual location sector to write. > The write location is determined by the device and returned to the host > upon completion of the operation. This interface, while simple and > efficient for writing into sequential zones of a zoned block device, is > incompatible with the use of sector values to calculate a cypher block > IV. All data written in a zone end up using the same IV values > corresponding to the first sectors of the zone, but read operation will > specify any sector within the zone, resulting in an IV mismatch between > encryption and decryption. > > Using a single sector value (e.g. the zone start sector) for all read > and writes into a zone can solve this problem, but at the cost of > weakening the cypher chosen by the user. Reusing IV breaks the basic principle in disk encryption that block (sector) must not be decrypted to correct plaintext if it is relocated. (IOW, you must not use the same IV with the same key for another sector location.) Please note that dm-crypt allows being configured to use such insecure ciphers/IV to provide compatibility with older/foreign encryption systems only. That said, IV is not the only place in dm-crypt that depends on position (sector offset). Dm-crypt allows using AEAD (authenticated encryption). For now, it requires stacking over dm-integrity, but the idea was to use devices that can store per-sector metadata natively. In AEAD, offset (sector) is part of authenticated data (so decryption of relocated sector fails). For AEAD, we use random IV. So your patch is not complete. I think the proper solution would be to disable zone append for the dm-crypt target completely, just set a flag for the whole target. (Or somehow emulate that global sector offset). Please do not introduce such complexity as you tried in this patchset. I am sure this will backfire on us later. If you want to use encryption with zoned devices properly, it must be designed for it. FDE is not. In this case, probably btrfs fs encryption layer is the proper place that allows configuring different keys or tweak zones IV to allow block-based encryption. Allowing to stack over dm-crypt in the meantime is OK, but disable these incompatible zoning features completely, please. We often use online reencryption - which can switch arbitrary encryption parameters for active devices expecting sector offset is invariant. I am not sure if this can even work with zone append and provide expected security. Also, this brings the question if dm-integrity has the same issue... Thanks, Milan Instead, to solve this > problem, explicitly disable support for zone append operations using > the zone_append_not_supported field of struct dm_target if the IV mode > used is sector-based, that is for all IVs modes except null and random. > > The cypher flag CRYPT_IV_NO_SECTORS iis introduced to indicate that the > cypher does not use sector values. This flag is set in > crypt_ctr_ivmode() for the null and random IV modes and checked in > crypt_ctr() to set to true zone_append_not_supported if > CRYPT_IV_NO_SECTORS is not set for the chosen cypher. > > Reported-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@xxxxxxx> > Fixes: 8e225f04d2dd ("dm crypt: Enable zoned block device support") > Cc: stable@xxxxxxxxxxxxxxx > Signed-off-by: Damien Le Moal <damien.lemoal@xxxxxxx> > --- > drivers/md/dm-crypt.c | 49 +++++++++++++++++++++++++++++++++++-------- > 1 file changed, 40 insertions(+), 9 deletions(-) > > diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c > index b0ab080f2567..6ef35bb29ce5 100644 > --- a/drivers/md/dm-crypt.c > +++ b/drivers/md/dm-crypt.c > @@ -137,6 +137,7 @@ enum cipher_flags { > CRYPT_MODE_INTEGRITY_AEAD, /* Use authenticated mode for cipher */ > CRYPT_IV_LARGE_SECTORS, /* Calculate IV from sector_size, not 512B sectors */ > CRYPT_ENCRYPT_PREPROCESS, /* Must preprocess data for encryption (elephant) */ > + CRYPT_IV_ZONE_APPEND, /* IV mode supports zone append operations */ > }; > > /* > @@ -2750,9 +2751,10 @@ static int crypt_ctr_ivmode(struct dm_target *ti, const char *ivmode) > } > > /* Choose ivmode, see comments at iv code. */ > - if (ivmode == NULL) > + if (ivmode == NULL) { > cc->iv_gen_ops = NULL; > - else if (strcmp(ivmode, "plain") == 0) > + set_bit(CRYPT_IV_ZONE_APPEND, &cc->cipher_flags); > + } else if (strcmp(ivmode, "plain") == 0) > cc->iv_gen_ops = &crypt_iv_plain_ops; > else if (strcmp(ivmode, "plain64") == 0) > cc->iv_gen_ops = &crypt_iv_plain64_ops; > @@ -2762,9 +2764,10 @@ static int crypt_ctr_ivmode(struct dm_target *ti, const char *ivmode) > cc->iv_gen_ops = &crypt_iv_essiv_ops; > else if (strcmp(ivmode, "benbi") == 0) > cc->iv_gen_ops = &crypt_iv_benbi_ops; > - else if (strcmp(ivmode, "null") == 0) > + else if (strcmp(ivmode, "null") == 0) { > cc->iv_gen_ops = &crypt_iv_null_ops; > - else if (strcmp(ivmode, "eboiv") == 0) > + set_bit(CRYPT_IV_ZONE_APPEND, &cc->cipher_flags); > + } else if (strcmp(ivmode, "eboiv") == 0) > cc->iv_gen_ops = &crypt_iv_eboiv_ops; > else if (strcmp(ivmode, "elephant") == 0) { > cc->iv_gen_ops = &crypt_iv_elephant_ops; > @@ -2791,6 +2794,7 @@ static int crypt_ctr_ivmode(struct dm_target *ti, const char *ivmode) > cc->key_extra_size = cc->iv_size + TCW_WHITENING_SIZE; > } else if (strcmp(ivmode, "random") == 0) { > cc->iv_gen_ops = &crypt_iv_random_ops; > + set_bit(CRYPT_IV_ZONE_APPEND, &cc->cipher_flags); > /* Need storage space in integrity fields. */ > cc->integrity_iv_size = cc->iv_size; > } else { > @@ -3281,14 +3285,32 @@ static int crypt_ctr(struct dm_target *ti, unsigned int argc, char **argv) > } > cc->start = tmpll; > > - /* > - * For zoned block devices, we need to preserve the issuer write > - * ordering. To do so, disable write workqueues and force inline > - * encryption completion. > - */ > if (bdev_is_zoned(cc->dev->bdev)) { > + /* > + * For zoned block devices, we need to preserve the issuer write > + * ordering. To do so, disable write workqueues and force inline > + * encryption completion. > + */ > set_bit(DM_CRYPT_NO_WRITE_WORKQUEUE, &cc->flags); > set_bit(DM_CRYPT_WRITE_INLINE, &cc->flags); > + > + /* > + * All zone append writes to a zone of a zoned block device will > + * have the same BIO sector (the start of the zone). When the > + * cypher IV mode uses sector values, all data targeting a > + * zone will be encrypted using the first sector numbers of the > + * zone. This will not result in write errors but will > + * cause most reads to fail as reads will use the sector values > + * for the actual data locations, resulting in IV mismatch. > + * To avoid this problem, allow zone append operations only when > + * the selected IV mode indicated that zone append operations > + * are supported, that is, IV modes that do not use sector > + * values (null and random IVs). > + */ > + if (!test_bit(CRYPT_IV_ZONE_APPEND, &cc->cipher_flags)) { > + DMWARN("Zone append is not supported with the selected IV mode"); > + ti->zone_append_not_supported = true; > + } > } > > if (crypt_integrity_aead(cc) || cc->integrity_iv_size) { > @@ -3356,6 +3378,15 @@ static int crypt_map(struct dm_target *ti, struct bio *bio) > struct dm_crypt_io *io; > struct crypt_config *cc = ti->private; > > + /* > + * For zoned targets, we should not see any zone append operation if > + * the cypher IV mode selected does not support them. In the unlikely > + * case we do see one such operation, warn and fail the request. > + */ > + if (WARN_ON_ONCE(bio_op(bio) == REQ_OP_ZONE_APPEND && > + !test_bit(CRYPT_IV_ZONE_APPEND, &cc->cipher_flags))) > + return DM_MAPIO_KILL; > + > /* > * If bio is REQ_PREFLUSH or REQ_OP_DISCARD, just bypass crypt queues. > * - for REQ_PREFLUSH device-mapper core ensures that no IO is in-flight >