From: James Simmons <jsimmons@infradead.org>
To: lustre-devel@lists.lustre.org
Subject: [lustre-devel] [PATCH 08/23] lustre: sec: encryption support for DoM files
Date: Tue, 11 Aug 2020 08:20:04 -0400
Message-ID: <1597148419-20629-9-git-send-email-jsimmons@infradead.org>
In-Reply-To: <1597148419-20629-1-git-send-email-jsimmons@infradead.org>

From: Sebastien Buisson <sbuisson@ddn.com>

On client side, data read from DoM files do not go through the OSC
layer. So implement file decryption in ll_dom_finish_open() right
after file data has been put in cache pages.
On server side, DoM file size needs to be properly set on MDT when
content is encrypted. Pages are full of encrypted data, but inode size
must be apparent, clear text object size.
For reads of DoM encrypted files to work properly, we also need to
make sure we send whole encryption units to client side.
Also add sanity-sec test_50 to exercise encryption of DoM files.

WC-bug-id: https://jira.whamcloud.com/browse/LU-12275
Lustre-commit: a71586d4ee8d6 ("LU-12275 sec: encryption support for DoM files")
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Reviewed-on: https://review.whamcloud.com/38702
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Mike Pershin <mpershin@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
Signed-off-by: James Simmons <jsimmons@infradead.org>
---
 fs/lustre/llite/crypto.c | 10 +++-------
 fs/lustre/llite/file.c   | 20 +++++++++++++++++--
 fs/lustre/llite/namei.c  | 52 ++++++++++++++++++++++++++++--------------------
 3 files changed, 51 insertions(+), 31 deletions(-)

diff --git a/fs/lustre/llite/crypto.c b/fs/lustre/llite/crypto.c
index 83ed316..d37f0a9 100644
--- a/fs/lustre/llite/crypto.c
+++ b/fs/lustre/llite/crypto.c
@@ -31,17 +31,13 @@
 
 static int ll_get_context(struct inode *inode, void *ctx, size_t len)
 {
-	struct dentry *dentry;
+	struct dentry *dentry = d_find_any_alias(inode);
 	int rc;
 
-	if (hlist_empty(&inode->i_dentry))
-		return -ENODATA;
-
-	hlist_for_each_entry(dentry, &inode->i_dentry, d_u.d_alias)
-		break;
-
 	rc = __vfs_getxattr(dentry, inode, LL_XATTR_NAME_ENCRYPTION_CONTEXT,
 			    ctx, len);
+	if (dentry)
+		dput(dentry);
 
 	/* used as encryption unit size */
 	if (S_ISREG(inode->i_mode))
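Review bot: the result of d_find_any_alias() is passed to __vfs_getxattr() without a NULL check at the top of ll_get_context(), while the removed lines returned -ENODATA when the inode had no alias. The `if (dentry)` guard before dput() shows that NULL is an expected outcome, so either keep an early `return -ENODATA` for the no-alias case or add a comment stating that the xattr path used here tolerates a NULL dentry.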
diff --git a/fs/lustre/llite/file.c b/fs/lustre/llite/file.c
index 757950f..7d00728 100644
--- a/fs/lustre/llite/file.c
+++ b/fs/lustre/llite/file.c
@@ -429,8 +429,10 @@ int ll_file_release(struct inode *inode, struct file *file)
 
 static inline int ll_dom_readpage(void *data, struct page *page)
 {
+	struct inode *inode = page2inode(page);
 	struct niobuf_local *lnb = data;
 	void *kaddr;
+	int rc = 0;
 
 	kaddr = kmap_atomic(page);
 	memcpy(kaddr, lnb->lnb_data, lnb->lnb_len);
@@ -440,9 +442,22 @@ static inline int ll_dom_readpage(void *data, struct page *page)
 	flush_dcache_page(page);
 	SetPageUptodate(page);
 	kunmap_atomic(kaddr);
+
+	if (inode && IS_ENCRYPTED(inode) && S_ISREG(inode->i_mode)) {
+		if (!llcrypt_has_encryption_key(inode))
+			CDEBUG(D_SEC, "no enc key for " DFID "\n",
+			       PFID(ll_inode2fid(inode)));
+		/* decrypt only if page is not empty */
+		else if (memcmp(page_address(page),
+				page_address(ZERO_PAGE(0)),
+				PAGE_SIZE) != 0)
+			rc = llcrypt_decrypt_pagecache_blocks(page,
+							      PAGE_SIZE,
+							      0);
+	}
 	unlock_page(page);
 
-	return 0;
+	return rc;
 }
 
 void ll_dom_finish_open(struct inode *inode, struct ptlrpc_request *req,
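Review bot: in ll_dom_readpage(), SetPageUptodate(page) runs before the new decryption block, so when llcrypt_decrypt_pagecache_blocks() fails the function returns rc but leaves an unlocked, Uptodate page that still holds ciphertext. Consider setting Uptodate only after decryption succeeds, or calling ClearPageUptodate(page) on the error path. The emptiness check also reads page_address(page) after kunmap_atomic(kaddr); doing the memcmp() through kaddr while the mapping is still held would avoid depending on the page having a permanent kernel address.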
@@ -481,7 +496,8 @@ void ll_dom_finish_open(struct inode *inode, struct ptlrpc_request *req,
 	 * buffer, in both cases total size should be equal to the file size.
 	 */
 	body = req_capsule_server_get(&req->rq_pill, &RMF_MDT_BODY);
-	if (rnb->rnb_offset + rnb->rnb_len != body->mbo_dom_size) {
+	if (rnb->rnb_offset + rnb->rnb_len != body->mbo_dom_size &&
+	    !(inode && IS_ENCRYPTED(inode))) {
 		CERROR("%s: server returns off/len %llu/%u but size %llu\n",
 		       ll_i2sbi(inode)->ll_fsname, rnb->rnb_offset,
 		       rnb->rnb_len, body->mbo_dom_size);
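Review bot: the added `!(inode && IS_ENCRYPTED(inode))` term turns off the offset/length versus mbo_dom_size consistency check completely for encrypted files, so a short or oversized server reply is no longer reported for them. Since the commit message says whole encryption units are sent, comparing against mbo_dom_size rounded up to the encryption unit size would keep the validation in place. The `inode &&` test is also inconsistent with the CERROR() that follows, which dereferences inode through ll_i2sbi(inode) unconditionally.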
diff --git a/fs/lustre/llite/namei.c b/fs/lustre/llite/namei.c
index 3fbcbbd..a268c93 100644
--- a/fs/lustre/llite/namei.c
+++ b/fs/lustre/llite/namei.c
@@ -629,6 +629,36 @@ static int ll_lookup_it_finish(struct ptlrpc_request *request,
 		if (rc)
 			return rc;
 
+		/* If encryption context was returned by MDT, put it in
+		 * inode now to save an extra getxattr and avoid deadlock.
+		 */
+		if (body->mbo_valid & OBD_MD_ENCCTX) {
+			encctx = req_capsule_server_get(pill, &RMF_FILE_ENCCTX);
+			encctxlen = req_capsule_get_size(pill,
+							 &RMF_FILE_ENCCTX,
+							 RCL_SERVER);
+
+			if (encctxlen) {
+				CDEBUG(D_SEC,
+				       "server returned encryption ctx for " DFID "\n",
+				       PFID(ll_inode2fid(inode)));
+				rc = ll_xattr_cache_insert(inode,
+							   LL_XATTR_NAME_ENCRYPTION_CONTEXT,
+							   encctx, encctxlen);
+				if (rc) {
+					CWARN("%s: cannot set enc ctx for " DFID ": rc = %d\n",
+					      ll_i2sbi(inode)->ll_fsname,
+					      PFID(ll_inode2fid(inode)), rc);
+				} else if (encrypt) {
+					rc = llcrypt_get_encryption_info(inode);
+					if (rc)
+						CDEBUG(D_SEC,
+						       "cannot get enc info for " DFID ": rc = %d\n",
+						       PFID(ll_inode2fid(inode)), rc);
+				}
+			}
+		}
+
 		if (it->it_op & IT_OPEN)
 			ll_dom_finish_open(inode, request, it);
 
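Review bot: in the block moved ahead of ll_dom_finish_open(), a failure of ll_xattr_cache_insert() or llcrypt_get_encryption_info() is only logged, yet rc keeps the error value when control continues into ll_dom_finish_open() and beyond. Make the intent explicit: either return rc at that point, or reset it to 0 after logging if the lookup is meant to proceed without the encryption context.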
@@ -674,28 +704,6 @@ static int ll_lookup_it_finish(struct ptlrpc_request *request,
 				      rc);
 		}
 
-		/* If encryption context was returned by MDT, put it in
-		 * inode now to save an extra getxattr and avoid deadlock.
-		 */
-		if (body->mbo_valid & OBD_MD_ENCCTX) {
-			encctx = req_capsule_server_get(pill, &RMF_FILE_ENCCTX);
-			encctxlen = req_capsule_get_size(pill,
-							 &RMF_FILE_ENCCTX,
-							 RCL_SERVER);
-
-			if (encctxlen) {
-				CDEBUG(D_SEC,
-				       "server returned encryption ctx for " DFID "\n",
-				       PFID(ll_inode2fid(inode)));
-				rc = ll_xattr_cache_insert(inode,
-							   LL_XATTR_NAME_ENCRYPTION_CONTEXT,
-							   encctx, encctxlen);
-				if (rc)
-					CWARN("%s: cannot set enc ctx for " DFID ": rc = %d\n",
-					      ll_i2sbi(inode)->ll_fsname,
-					      PFID(ll_inode2fid(inode)), rc);
-			}
-		}
 	}
 
 	alias = ll_splice_alias(inode, *de);
-- 
1.8.3.1
