From: Eric Biggers <ebiggers@kernel.org>
To: Satya Tangirala <satyat@google.com>
Cc: linux-block@vger.kernel.org, linux-scsi@vger.kernel.org,
linux-fscrypt@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
Parshuram Raju Thombare <pthombar@cadence.com>,
Ladvine D Almeida <ladvine.dalmeida@synopsys.com>,
Barani Muthukumaran <bmuthuku@qti.qualcomm.com>,
Kuohong Wang <kuohong.wang@mediatek.com>
Subject: Re: [RFC PATCH v2 2/8] block: Add encryption context to struct bio
Date: Wed, 12 Jun 2019 11:10:46 -0700 [thread overview]
Message-ID: <20190612181044.GA18795@gmail.com> (raw)
In-Reply-To: <20190605232837.31545-3-satyat@google.com>
Hi Satya,
On Wed, Jun 05, 2019 at 04:28:31PM -0700, Satya Tangirala wrote:
> We must have some way of letting a storage device driver know what
> encryption context it should use for en/decrypting a request. However,
> it's the filesystem/fscrypt that knows about and manages encryption
> contexts. As such, when the filesystem layer submits a bio to the block
> layer, and this bio eventually reaches a device driver with support for
> inline encryption, the device driver will need to have been told the
> encryption context for that bio.
>
> We want to communicate the encryption context from the filesystem layer
> to the storage device along with the bio, when the bio is submitted to the
> block layer. To do this, we add a struct bio_crypt_ctx to struct bio, which
> can represent an encryption context (note that we can't use the bi_private
> field in struct bio to do this because that field does not function to pass
> information across layers in the storage stack). We also introduce various
> functions to manipulate the bio_crypt_ctx and make the bio/request merging
> logic aware of the bio_crypt_ctx.
>
> Signed-off-by: Satya Tangirala <satyat@google.com>
> ---
> block/bio.c | 12 ++-
> block/blk-crypt-ctx.c | 90 +++++++++++++++++++
> block/blk-merge.c | 34 ++++++-
> block/bounce.c | 9 +-
> drivers/md/dm.c | 15 ++--
> include/linux/bio.h | 180 ++++++++++++++++++++++++++++++++++++++
> include/linux/blk_types.h | 28 ++++++
> 7 files changed, 355 insertions(+), 13 deletions(-)
> create mode 100644 block/blk-crypt-ctx.c
>
> diff --git a/block/bio.c b/block/bio.c
> index 683cbb40f051..87aa87288b39 100644
> --- a/block/bio.c
> +++ b/block/bio.c
> @@ -16,6 +16,7 @@
> #include <linux/workqueue.h>
> #include <linux/cgroup.h>
> #include <linux/blk-cgroup.h>
> +#include <linux/keyslot-manager.h>
No need to include keyslot-manager.h here.
> @@ -1019,6 +1026,7 @@ void bio_advance(struct bio *bio, unsigned bytes)
> bio_integrity_advance(bio, bytes);
>
> bio_advance_iter(bio, &bio->bi_iter, bytes);
> + bio_crypt_advance(bio, bytes);
> }
> EXPORT_SYMBOL(bio_advance);
It would be more logical to do bio_crypt_advance() before bio_advance_iter(), so
that the special features (encryption and integrity) are grouped together.
>
> diff --git a/block/blk-crypt-ctx.c b/block/blk-crypt-ctx.c
> new file mode 100644
> index 000000000000..174c058ab0c6
> --- /dev/null
> +++ b/block/blk-crypt-ctx.c
It would be more logical for this file to be named "bio-crypt-ctx.c", as that
would match 'struct bio_crypt_ctx' and help distinguish it from "blk-crypto".
> @@ -0,0 +1,90 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Copyright 2019 Google LLC
> + */
> +
> +#include <linux/bio.h>
> +#include <linux/blkdev.h>
> +#include <linux/slab.h>
> +#include <linux/keyslot-manager.h>
> +
> +struct bio_crypt_ctx *bio_crypt_alloc_ctx(gfp_t gfp_mask)
> +{
> + return kzalloc(sizeof(struct bio_crypt_ctx), gfp_mask);
> +}
This needs EXPORT_SYMBOL(), since it's called by bio_crypt_set_ctx() which is an
inline function that will be called by places that submit bios.
> +
> +void bio_crypt_free_ctx(struct bio *bio)
> +{
> + kzfree(bio->bi_crypt_context);
> + bio->bi_crypt_context = NULL;
> +}
> +
> +int bio_clone_crypt_context(struct bio *dst, struct bio *src, gfp_t gfp_mask)
> +{
How about naming this function bio_crypt_clone(), for consistency with
bio_integrity_clone()?
> + if (!bio_is_encrypted(src) || bio_crypt_swhandled(src))
> + return 0;
Why isn't cloning needed when bio_crypt_swhandled(src)?
> +
> + dst->bi_crypt_context = bio_crypt_alloc_ctx(gfp_mask);
> + if (!dst->bi_crypt_context)
> + return -ENOMEM;
> +
> + *dst->bi_crypt_context = *src->bi_crypt_context;
> +
> + if (!bio_crypt_has_keyslot(src))
> + return 0;
> +
> + keyslot_manager_get_slot(src->bi_crypt_context->processing_ksm,
> + src->bi_crypt_context->keyslot);
> +
> + return 0;
> +}
Nit: a conditional get would be cleaner than an early return here.
if (bio_crypt_has_keyslot(src))
keyslot_manager_get_slot(src->bi_crypt_context->processing_ksm,
src->bi_crypt_context->keyslot);
Also, this function needs EXPORT_SYMBOL(), since it's called by drivers/md/dm.c,
which can be a loadable module.
> +/*
> + * Checks that two bio crypt contexts are compatible - i.e. that
> + * they are mergeable except for data_unit_num continuity.
> + */
> +bool bio_crypt_ctx_compatible(struct bio *b_1, struct bio *b_2)
> +{
> + struct bio_crypt_ctx *bc1 = b_1->bi_crypt_context;
> + struct bio_crypt_ctx *bc2 = b_2->bi_crypt_context;
> +
> + if (bio_is_encrypted(b_1) != bio_is_encrypted(b_2))
> + return false;
> +
> + if (!bio_is_encrypted(b_1))
> + return true;
> +
> + return bc1->keyslot != bc2->keyslot &&
> + bc1->data_unit_size_bits == bc2->data_unit_size_bits;
> +}
It needs to be 'bc1->keyslot == bc2->keyslot'.
> +
> +/*
> + * Checks that two bio crypt contexts are compatible, and also
> + * that their data_unit_nums are continuous (and can hence be merged)
> + */
> +bool bio_crypt_ctx_back_mergeable(struct bio *b_1,
> + unsigned int b1_sectors,
> + struct bio *b_2)
> +{
> + struct bio_crypt_ctx *bc1 = b_1->bi_crypt_context;
> + struct bio_crypt_ctx *bc2 = b_2->bi_crypt_context;
> +
> + if (!bio_crypt_ctx_compatible(b_1, b_2))
> + return false;
> +
> + return !bio_is_encrypted(b_1) ||
> + (bc1->data_unit_num +
> + (b1_sectors >> (bc1->data_unit_size_bits - 9)) ==
> + bc2->data_unit_num);
> +}
> +
Unnecessary blank line at end of file.
> diff --git a/include/linux/bio.h b/include/linux/bio.h
> index 0f23b5682640..ba9552932571 100644
> --- a/include/linux/bio.h
> +++ b/include/linux/bio.h
> @@ -561,6 +561,186 @@ static inline void bvec_kunmap_irq(char *buffer, unsigned long *flags)
> }
> #endif
>
> +#ifdef CONFIG_BLK_INLINE_ENCRYPTION
> +extern int bio_clone_crypt_context(struct bio *dst, struct bio *src,
> + gfp_t gfp_mask);
> +
> +static inline bool bio_is_encrypted(struct bio *bio)
> +{
> + return bio && bio->bi_crypt_context;
> +}
Is the 'bio != NULL' check actually needed? Most bio helper functions don't
check for NULL, as it's not a meaningful case.
> +
> +static inline bool bio_crypt_has_keyslot(struct bio *bio)
> +{
> + return bio_is_encrypted(bio) &&
> + bio->bi_crypt_context->keyslot >= 0;
> +}
> +
I think the bio_is_encrypted() check here should be dropped, since all callers
check it beforehand anyway. It doesn't really make sense for someone to call
functions that are meant to access fields of the bio_crypt_ctx, before verifying
that there actually is a bio_crypt_ctx. Other bio_crypt_* functions don't check
for NULL, so it seems inconsistent that this one does.
> +
> +static inline int bio_crypt_get_slot(struct bio *bio)
> +{
> + return bio->bi_crypt_context->keyslot;
> +}
For consistency this should be named *_get_keyslot(), not *_get_slot().
> +
> +static inline void bio_crypt_set_keyslot(struct bio *bio,
> + unsigned int keyslot,
> + struct keyslot_manager *ksm)
> +{
> + bio->bi_crypt_context->keyslot = keyslot;
> + bio->bi_crypt_context->processing_ksm = ksm;
> +
> + bio->bi_crypt_context->crypt_iter = bio->bi_iter;
> + bio->bi_crypt_context->sw_data_unit_num =
> + bio->bi_crypt_context->data_unit_num;
> +}
> +
> +static inline void bio_crypt_unset_keyslot(struct bio *bio)
> +{
> + bio->bi_crypt_context->processing_ksm = NULL;
> + bio->bi_crypt_context->keyslot = -1;
> +}
> +
> +static inline u8 *bio_crypt_raw_key(struct bio *bio)
> +{
> + return bio->bi_crypt_context->raw_key;
> +}
> +
> +static inline enum blk_crypt_mode_num bio_crypt_mode(struct bio *bio)
> +{
> + return bio->bi_crypt_context->crypt_mode;
> +}
bio_crypt_unset_keyslot(), bio_crypt_raw_key(), and bio_crypt_mode() are only
used in blk-crypto.c. Is there any reason for block users or drivers to need to
call them? If not, these fields should really just be accessed directly in
blk-crypto.c. It's not needed to provide these functions in bio.h where they
are available to everyone.
> diff --git a/include/linux/blk_types.h b/include/linux/blk_types.h
> index aafa96839f95..c111b1ce8d24 100644
> --- a/include/linux/blk_types.h
> +++ b/include/linux/blk_types.h
> @@ -148,6 +148,29 @@ enum blk_crypt_mode_num {
> */
> };
>
> +struct bio_crypt_ctx {
> + int keyslot;
> + u8 *raw_key;
> + enum blk_crypt_mode_num crypt_mode;
> + u64 data_unit_num;
> + unsigned int data_unit_size_bits;
> +
> + /*
> + * The keyslot manager where the key has been programmed
> + * with keyslot.
> + */
> + struct keyslot_manager *processing_ksm;
> +
> + /*
> + * Copy of the bvec_iter when this bio was submitted.
> + * We only want to en/decrypt the part of the bio
> + * as described by the bvec_iter upon submission because
> + * bio might be split before being resubmitted
> + */
> + struct bvec_iter crypt_iter;
> + u64 sw_data_unit_num;
> +};
> +
How about making this struct definition conditional on
CONFIG_BLK_INLINE_ENCRYPTION? When !CONFIG_BLK_INLINE_ENCRYPTION, no code is
compiled that dereferences any pointer to this struct.
For consistency with bio_integrity_payload and to avoid an extra #ifdef, I think
this should also be moved to bio.h.
blk_crypt_mode_num can be moved to bio.h too, but it will need to be
unconditional since it's used as a parameter to bio_crypt_set_ctx().
> /*
> * main unit of I/O for the block layer and lower layers (ie drivers and
> * stacking drivers)
> @@ -186,6 +209,11 @@ struct bio {
> struct blkcg_gq *bi_blkg;
> struct bio_issue bi_issue;
> #endif
> +
> +#ifdef CONFIG_BLK_INLINE_ENCRYPTION
> + struct bio_crypt_ctx *bi_crypt_context;
> +#endif
> +
> union {
> #if defined(CONFIG_BLK_DEV_INTEGRITY)
> struct bio_integrity_payload *bi_integrity; /* data integrity */
> --
> 2.22.0.rc1.311.g5d7573a151-goog
>
Is it actually meaningful to use the blk_integrity feature in combination with
inline encryption? How might this be tested? If the features actually conflict
anyway, bi_crypt_context and bi_integrity could share the same union.
- Eric
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org>
To: Satya Tangirala <satyat@google.com>
Cc: Ladvine D Almeida <ladvine.dalmeida@synopsys.com>,
linux-scsi@vger.kernel.org,
Parshuram Raju Thombare <pthombar@cadence.com>,
Kuohong Wang <kuohong.wang@mediatek.com>,
Barani Muthukumaran <bmuthuku@qti.qualcomm.com>,
linux-f2fs-devel@lists.sourceforge.net,
linux-block@vger.kernel.org, linux-fscrypt@vger.kernel.org,
linux-fsdevel@vger.kernel.org
Subject: Re: [RFC PATCH v2 2/8] block: Add encryption context to struct bio
Date: Wed, 12 Jun 2019 11:10:46 -0700 [thread overview]
Message-ID: <20190612181044.GA18795@gmail.com> (raw)
In-Reply-To: <20190605232837.31545-3-satyat@google.com>
Hi Satya,
On Wed, Jun 05, 2019 at 04:28:31PM -0700, Satya Tangirala wrote:
> We must have some way of letting a storage device driver know what
> encryption context it should use for en/decrypting a request. However,
> it's the filesystem/fscrypt that knows about and manages encryption
> contexts. As such, when the filesystem layer submits a bio to the block
> layer, and this bio eventually reaches a device driver with support for
> inline encryption, the device driver will need to have been told the
> encryption context for that bio.
>
> We want to communicate the encryption context from the filesystem layer
> to the storage device along with the bio, when the bio is submitted to the
> block layer. To do this, we add a struct bio_crypt_ctx to struct bio, which
> can represent an encryption context (note that we can't use the bi_private
> field in struct bio to do this because that field does not function to pass
> information across layers in the storage stack). We also introduce various
> functions to manipulate the bio_crypt_ctx and make the bio/request merging
> logic aware of the bio_crypt_ctx.
>
> Signed-off-by: Satya Tangirala <satyat@google.com>
> ---
> block/bio.c | 12 ++-
> block/blk-crypt-ctx.c | 90 +++++++++++++++++++
> block/blk-merge.c | 34 ++++++-
> block/bounce.c | 9 +-
> drivers/md/dm.c | 15 ++--
> include/linux/bio.h | 180 ++++++++++++++++++++++++++++++++++++++
> include/linux/blk_types.h | 28 ++++++
> 7 files changed, 355 insertions(+), 13 deletions(-)
> create mode 100644 block/blk-crypt-ctx.c
>
> diff --git a/block/bio.c b/block/bio.c
> index 683cbb40f051..87aa87288b39 100644
> --- a/block/bio.c
> +++ b/block/bio.c
> @@ -16,6 +16,7 @@
> #include <linux/workqueue.h>
> #include <linux/cgroup.h>
> #include <linux/blk-cgroup.h>
> +#include <linux/keyslot-manager.h>
No need to include keyslot-manager.h here.
> @@ -1019,6 +1026,7 @@ void bio_advance(struct bio *bio, unsigned bytes)
> bio_integrity_advance(bio, bytes);
>
> bio_advance_iter(bio, &bio->bi_iter, bytes);
> + bio_crypt_advance(bio, bytes);
> }
> EXPORT_SYMBOL(bio_advance);
It would be more logical to do bio_crypt_advance() before bio_advance_iter(), so
that the special features (encryption and integrity) are grouped together.
>
> diff --git a/block/blk-crypt-ctx.c b/block/blk-crypt-ctx.c
> new file mode 100644
> index 000000000000..174c058ab0c6
> --- /dev/null
> +++ b/block/blk-crypt-ctx.c
It would be more logical for this file to be named "bio-crypt-ctx.c", as that
would match 'struct bio_crypt_ctx' and help distinguish it from "blk-crypto".
> @@ -0,0 +1,90 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Copyright 2019 Google LLC
> + */
> +
> +#include <linux/bio.h>
> +#include <linux/blkdev.h>
> +#include <linux/slab.h>
> +#include <linux/keyslot-manager.h>
> +
> +struct bio_crypt_ctx *bio_crypt_alloc_ctx(gfp_t gfp_mask)
> +{
> + return kzalloc(sizeof(struct bio_crypt_ctx), gfp_mask);
> +}
This needs EXPORT_SYMBOL(), since it's called by bio_crypt_set_ctx() which is an
inline function that will be called by places that submit bios.
> +
> +void bio_crypt_free_ctx(struct bio *bio)
> +{
> + kzfree(bio->bi_crypt_context);
> + bio->bi_crypt_context = NULL;
> +}
> +
> +int bio_clone_crypt_context(struct bio *dst, struct bio *src, gfp_t gfp_mask)
> +{
How about naming this function bio_crypt_clone(), for consistency with
bio_integrity_clone()?
> + if (!bio_is_encrypted(src) || bio_crypt_swhandled(src))
> + return 0;
Why isn't cloning needed when bio_crypt_swhandled(src)?
> +
> + dst->bi_crypt_context = bio_crypt_alloc_ctx(gfp_mask);
> + if (!dst->bi_crypt_context)
> + return -ENOMEM;
> +
> + *dst->bi_crypt_context = *src->bi_crypt_context;
> +
> + if (!bio_crypt_has_keyslot(src))
> + return 0;
> +
> + keyslot_manager_get_slot(src->bi_crypt_context->processing_ksm,
> + src->bi_crypt_context->keyslot);
> +
> + return 0;
> +}
Nit: a conditional get would be cleaner than an early return here.
if (bio_crypt_has_keyslot(src))
keyslot_manager_get_slot(src->bi_crypt_context->processing_ksm,
src->bi_crypt_context->keyslot);
Also, this function needs EXPORT_SYMBOL(), since it's called by drivers/md/dm.c,
which can be a loadable module.
> +/*
> + * Checks that two bio crypt contexts are compatible - i.e. that
> + * they are mergeable except for data_unit_num continuity.
> + */
> +bool bio_crypt_ctx_compatible(struct bio *b_1, struct bio *b_2)
> +{
> + struct bio_crypt_ctx *bc1 = b_1->bi_crypt_context;
> + struct bio_crypt_ctx *bc2 = b_2->bi_crypt_context;
> +
> + if (bio_is_encrypted(b_1) != bio_is_encrypted(b_2))
> + return false;
> +
> + if (!bio_is_encrypted(b_1))
> + return true;
> +
> + return bc1->keyslot != bc2->keyslot &&
> + bc1->data_unit_size_bits == bc2->data_unit_size_bits;
> +}
It needs to be 'bc1->keyslot == bc2->keyslot'.
> +
> +/*
> + * Checks that two bio crypt contexts are compatible, and also
> + * that their data_unit_nums are continuous (and can hence be merged)
> + */
> +bool bio_crypt_ctx_back_mergeable(struct bio *b_1,
> + unsigned int b1_sectors,
> + struct bio *b_2)
> +{
> + struct bio_crypt_ctx *bc1 = b_1->bi_crypt_context;
> + struct bio_crypt_ctx *bc2 = b_2->bi_crypt_context;
> +
> + if (!bio_crypt_ctx_compatible(b_1, b_2))
> + return false;
> +
> + return !bio_is_encrypted(b_1) ||
> + (bc1->data_unit_num +
> + (b1_sectors >> (bc1->data_unit_size_bits - 9)) ==
> + bc2->data_unit_num);
> +}
> +
Unnecessary blank line at end of file.
> diff --git a/include/linux/bio.h b/include/linux/bio.h
> index 0f23b5682640..ba9552932571 100644
> --- a/include/linux/bio.h
> +++ b/include/linux/bio.h
> @@ -561,6 +561,186 @@ static inline void bvec_kunmap_irq(char *buffer, unsigned long *flags)
> }
> #endif
>
> +#ifdef CONFIG_BLK_INLINE_ENCRYPTION
> +extern int bio_clone_crypt_context(struct bio *dst, struct bio *src,
> + gfp_t gfp_mask);
> +
> +static inline bool bio_is_encrypted(struct bio *bio)
> +{
> + return bio && bio->bi_crypt_context;
> +}
Is the 'bio != NULL' check actually needed? Most bio helper functions don't
check for NULL, as it's not a meaningful case.
> +
> +static inline bool bio_crypt_has_keyslot(struct bio *bio)
> +{
> + return bio_is_encrypted(bio) &&
> + bio->bi_crypt_context->keyslot >= 0;
> +}
> +
I think the bio_is_encrypted() check here should be dropped, since all callers
check it beforehand anyway. It doesn't really make sense for someone to call
functions that are meant to access fields of the bio_crypt_ctx, before verifying
that there actually is a bio_crypt_ctx. Other bio_crypt_* functions don't check
for NULL, so it seems inconsistent that this one does.
> +
> +static inline int bio_crypt_get_slot(struct bio *bio)
> +{
> + return bio->bi_crypt_context->keyslot;
> +}
For consistency this should be named *_get_keyslot(), not *_get_slot().
> +
> +static inline void bio_crypt_set_keyslot(struct bio *bio,
> + unsigned int keyslot,
> + struct keyslot_manager *ksm)
> +{
> + bio->bi_crypt_context->keyslot = keyslot;
> + bio->bi_crypt_context->processing_ksm = ksm;
> +
> + bio->bi_crypt_context->crypt_iter = bio->bi_iter;
> + bio->bi_crypt_context->sw_data_unit_num =
> + bio->bi_crypt_context->data_unit_num;
> +}
> +
> +static inline void bio_crypt_unset_keyslot(struct bio *bio)
> +{
> + bio->bi_crypt_context->processing_ksm = NULL;
> + bio->bi_crypt_context->keyslot = -1;
> +}
> +
> +static inline u8 *bio_crypt_raw_key(struct bio *bio)
> +{
> + return bio->bi_crypt_context->raw_key;
> +}
> +
> +static inline enum blk_crypt_mode_num bio_crypt_mode(struct bio *bio)
> +{
> + return bio->bi_crypt_context->crypt_mode;
> +}
bio_crypt_unset_keyslot(), bio_crypt_raw_key(), and bio_crypt_mode() are only
used in blk-crypto.c. Is there any reason for block users or drivers to need to
call them? If not, these fields should really just be accessed directly in
blk-crypto.c. It's not needed to provide these functions in bio.h where they
are available to everyone.
> diff --git a/include/linux/blk_types.h b/include/linux/blk_types.h
> index aafa96839f95..c111b1ce8d24 100644
> --- a/include/linux/blk_types.h
> +++ b/include/linux/blk_types.h
> @@ -148,6 +148,29 @@ enum blk_crypt_mode_num {
> */
> };
>
> +struct bio_crypt_ctx {
> + int keyslot;
> + u8 *raw_key;
> + enum blk_crypt_mode_num crypt_mode;
> + u64 data_unit_num;
> + unsigned int data_unit_size_bits;
> +
> + /*
> + * The keyslot manager where the key has been programmed
> + * with keyslot.
> + */
> + struct keyslot_manager *processing_ksm;
> +
> + /*
> + * Copy of the bvec_iter when this bio was submitted.
> + * We only want to en/decrypt the part of the bio
> + * as described by the bvec_iter upon submission because
> + * bio might be split before being resubmitted
> + */
> + struct bvec_iter crypt_iter;
> + u64 sw_data_unit_num;
> +};
> +
How about making this struct definition conditional on
CONFIG_BLK_INLINE_ENCRYPTION? When !CONFIG_BLK_INLINE_ENCRYPTION, no code is
compiled that dereferences any pointer to this struct.
For consistency with bio_integrity_payload and to avoid an extra #ifdef, I think
this should also be moved to bio.h.
blk_crypt_mode_num can be moved to bio.h too, but it will need to be
unconditional since it's used as a parameter to bio_crypt_set_ctx().
> /*
> * main unit of I/O for the block layer and lower layers (ie drivers and
> * stacking drivers)
> @@ -186,6 +209,11 @@ struct bio {
> struct blkcg_gq *bi_blkg;
> struct bio_issue bi_issue;
> #endif
> +
> +#ifdef CONFIG_BLK_INLINE_ENCRYPTION
> + struct bio_crypt_ctx *bi_crypt_context;
> +#endif
> +
> union {
> #if defined(CONFIG_BLK_DEV_INTEGRITY)
> struct bio_integrity_payload *bi_integrity; /* data integrity */
> --
> 2.22.0.rc1.311.g5d7573a151-goog
>
Is it actually meaningful to use the blk_integrity feature in combination with
inline encryption? How might this be tested? If the features actually conflict
anyway, bi_crypt_context and bi_integrity could share the same union.
- Eric
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org>
To: Satya Tangirala <satyat@google.com>
Cc: Ladvine D Almeida <ladvine.dalmeida@synopsys.com>,
linux-scsi@vger.kernel.org,
Parshuram Raju Thombare <pthombar@cadence.com>,
Kuohong Wang <kuohong.wang@mediatek.com>,
Barani Muthukumaran <bmuthuku@qti.qualcomm.com>,
linux-f2fs-devel@lists.sourceforge.net,
linux-block@vger.kernel.org, linux-fscrypt@vger.kernel.org,
linux-fsdevel@vger.kernel.org
Subject: Re: [f2fs-dev] [RFC PATCH v2 2/8] block: Add encryption context to struct bio
Date: Wed, 12 Jun 2019 11:10:46 -0700 [thread overview]
Message-ID: <20190612181044.GA18795@gmail.com> (raw)
Message-ID: <20190612181046.EUeYczZxIae9IzXVT8Odp7Pes7l9gsRo86i3iL4XUZA@z> (raw)
In-Reply-To: <20190605232837.31545-3-satyat@google.com>
Hi Satya,
On Wed, Jun 05, 2019 at 04:28:31PM -0700, Satya Tangirala wrote:
> We must have some way of letting a storage device driver know what
> encryption context it should use for en/decrypting a request. However,
> it's the filesystem/fscrypt that knows about and manages encryption
> contexts. As such, when the filesystem layer submits a bio to the block
> layer, and this bio eventually reaches a device driver with support for
> inline encryption, the device driver will need to have been told the
> encryption context for that bio.
>
> We want to communicate the encryption context from the filesystem layer
> to the storage device along with the bio, when the bio is submitted to the
> block layer. To do this, we add a struct bio_crypt_ctx to struct bio, which
> can represent an encryption context (note that we can't use the bi_private
> field in struct bio to do this because that field does not function to pass
> information across layers in the storage stack). We also introduce various
> functions to manipulate the bio_crypt_ctx and make the bio/request merging
> logic aware of the bio_crypt_ctx.
>
> Signed-off-by: Satya Tangirala <satyat@google.com>
> ---
> block/bio.c | 12 ++-
> block/blk-crypt-ctx.c | 90 +++++++++++++++++++
> block/blk-merge.c | 34 ++++++-
> block/bounce.c | 9 +-
> drivers/md/dm.c | 15 ++--
> include/linux/bio.h | 180 ++++++++++++++++++++++++++++++++++++++
> include/linux/blk_types.h | 28 ++++++
> 7 files changed, 355 insertions(+), 13 deletions(-)
> create mode 100644 block/blk-crypt-ctx.c
>
> diff --git a/block/bio.c b/block/bio.c
> index 683cbb40f051..87aa87288b39 100644
> --- a/block/bio.c
> +++ b/block/bio.c
> @@ -16,6 +16,7 @@
> #include <linux/workqueue.h>
> #include <linux/cgroup.h>
> #include <linux/blk-cgroup.h>
> +#include <linux/keyslot-manager.h>
No need to include keyslot-manager.h here.
> @@ -1019,6 +1026,7 @@ void bio_advance(struct bio *bio, unsigned bytes)
> bio_integrity_advance(bio, bytes);
>
> bio_advance_iter(bio, &bio->bi_iter, bytes);
> + bio_crypt_advance(bio, bytes);
> }
> EXPORT_SYMBOL(bio_advance);
It would be more logical to do bio_crypt_advance() before bio_advance_iter(), so
that the special features (encryption and integrity) are grouped together.
>
> diff --git a/block/blk-crypt-ctx.c b/block/blk-crypt-ctx.c
> new file mode 100644
> index 000000000000..174c058ab0c6
> --- /dev/null
> +++ b/block/blk-crypt-ctx.c
It would be more logical for this file to be named "bio-crypt-ctx.c", as that
would match 'struct bio_crypt_ctx' and help distinguish it from "blk-crypto".
> @@ -0,0 +1,90 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Copyright 2019 Google LLC
> + */
> +
> +#include <linux/bio.h>
> +#include <linux/blkdev.h>
> +#include <linux/slab.h>
> +#include <linux/keyslot-manager.h>
> +
> +struct bio_crypt_ctx *bio_crypt_alloc_ctx(gfp_t gfp_mask)
> +{
> + return kzalloc(sizeof(struct bio_crypt_ctx), gfp_mask);
> +}
This needs EXPORT_SYMBOL(), since it's called by bio_crypt_set_ctx() which is an
inline function that will be called by places that submit bios.
> +
> +void bio_crypt_free_ctx(struct bio *bio)
> +{
> + kzfree(bio->bi_crypt_context);
> + bio->bi_crypt_context = NULL;
> +}
> +
> +int bio_clone_crypt_context(struct bio *dst, struct bio *src, gfp_t gfp_mask)
> +{
How about naming this function bio_crypt_clone(), for consistency with
bio_integrity_clone()?
> + if (!bio_is_encrypted(src) || bio_crypt_swhandled(src))
> + return 0;
Why isn't cloning needed when bio_crypt_swhandled(src)?
> +
> + dst->bi_crypt_context = bio_crypt_alloc_ctx(gfp_mask);
> + if (!dst->bi_crypt_context)
> + return -ENOMEM;
> +
> + *dst->bi_crypt_context = *src->bi_crypt_context;
> +
> + if (!bio_crypt_has_keyslot(src))
> + return 0;
> +
> + keyslot_manager_get_slot(src->bi_crypt_context->processing_ksm,
> + src->bi_crypt_context->keyslot);
> +
> + return 0;
> +}
Nit: a conditional get would be cleaner than an early return here.
if (bio_crypt_has_keyslot(src))
keyslot_manager_get_slot(src->bi_crypt_context->processing_ksm,
src->bi_crypt_context->keyslot);
Also, this function needs EXPORT_SYMBOL(), since it's called by drivers/md/dm.c,
which can be a loadable module.
> +/*
> + * Checks that two bio crypt contexts are compatible - i.e. that
> + * they are mergeable except for data_unit_num continuity.
> + */
> +bool bio_crypt_ctx_compatible(struct bio *b_1, struct bio *b_2)
> +{
> + struct bio_crypt_ctx *bc1 = b_1->bi_crypt_context;
> + struct bio_crypt_ctx *bc2 = b_2->bi_crypt_context;
> +
> + if (bio_is_encrypted(b_1) != bio_is_encrypted(b_2))
> + return false;
> +
> + if (!bio_is_encrypted(b_1))
> + return true;
> +
> + return bc1->keyslot != bc2->keyslot &&
> + bc1->data_unit_size_bits == bc2->data_unit_size_bits;
> +}
It needs to be 'bc1->keyslot == bc2->keyslot'.
> +
> +/*
> + * Checks that two bio crypt contexts are compatible, and also
> + * that their data_unit_nums are continuous (and can hence be merged)
> + */
> +bool bio_crypt_ctx_back_mergeable(struct bio *b_1,
> + unsigned int b1_sectors,
> + struct bio *b_2)
> +{
> + struct bio_crypt_ctx *bc1 = b_1->bi_crypt_context;
> + struct bio_crypt_ctx *bc2 = b_2->bi_crypt_context;
> +
> + if (!bio_crypt_ctx_compatible(b_1, b_2))
> + return false;
> +
> + return !bio_is_encrypted(b_1) ||
> + (bc1->data_unit_num +
> + (b1_sectors >> (bc1->data_unit_size_bits - 9)) ==
> + bc2->data_unit_num);
> +}
> +
Unnecessary blank line at end of file.
> diff --git a/include/linux/bio.h b/include/linux/bio.h
> index 0f23b5682640..ba9552932571 100644
> --- a/include/linux/bio.h
> +++ b/include/linux/bio.h
> @@ -561,6 +561,186 @@ static inline void bvec_kunmap_irq(char *buffer, unsigned long *flags)
> }
> #endif
>
> +#ifdef CONFIG_BLK_INLINE_ENCRYPTION
> +extern int bio_clone_crypt_context(struct bio *dst, struct bio *src,
> + gfp_t gfp_mask);
> +
> +static inline bool bio_is_encrypted(struct bio *bio)
> +{
> + return bio && bio->bi_crypt_context;
> +}
Is the 'bio != NULL' check actually needed? Most bio helper functions don't
check for NULL, as it's not a meaningful case.
> +
> +static inline bool bio_crypt_has_keyslot(struct bio *bio)
> +{
> + return bio_is_encrypted(bio) &&
> + bio->bi_crypt_context->keyslot >= 0;
> +}
> +
I think the bio_is_encrypted() check here should be dropped, since all callers
check it beforehand anyway. It doesn't really make sense for someone to call
functions that are meant to access fields of the bio_crypt_ctx, before verifying
that there actually is a bio_crypt_ctx. Other bio_crypt_* functions don't check
for NULL, so it seems inconsistent that this one does.
> +
> +static inline int bio_crypt_get_slot(struct bio *bio)
> +{
> + return bio->bi_crypt_context->keyslot;
> +}
For consistency this should be named *_get_keyslot(), not *_get_slot().
> +
> +static inline void bio_crypt_set_keyslot(struct bio *bio,
> + unsigned int keyslot,
> + struct keyslot_manager *ksm)
> +{
> + bio->bi_crypt_context->keyslot = keyslot;
> + bio->bi_crypt_context->processing_ksm = ksm;
> +
> + bio->bi_crypt_context->crypt_iter = bio->bi_iter;
> + bio->bi_crypt_context->sw_data_unit_num =
> + bio->bi_crypt_context->data_unit_num;
> +}
> +
> +static inline void bio_crypt_unset_keyslot(struct bio *bio)
> +{
> + bio->bi_crypt_context->processing_ksm = NULL;
> + bio->bi_crypt_context->keyslot = -1;
> +}
> +
> +static inline u8 *bio_crypt_raw_key(struct bio *bio)
> +{
> + return bio->bi_crypt_context->raw_key;
> +}
> +
> +static inline enum blk_crypt_mode_num bio_crypt_mode(struct bio *bio)
> +{
> + return bio->bi_crypt_context->crypt_mode;
> +}
bio_crypt_unset_keyslot(), bio_crypt_raw_key(), and bio_crypt_mode() are only
used in blk-crypto.c. Is there any reason for block users or drivers to need to
call them? If not, these fields should really just be accessed directly in
blk-crypto.c. It's not needed to provide these functions in bio.h where they
are available to everyone.
> diff --git a/include/linux/blk_types.h b/include/linux/blk_types.h
> index aafa96839f95..c111b1ce8d24 100644
> --- a/include/linux/blk_types.h
> +++ b/include/linux/blk_types.h
> @@ -148,6 +148,29 @@ enum blk_crypt_mode_num {
> */
> };
>
> +struct bio_crypt_ctx {
> + int keyslot;
> + u8 *raw_key;
> + enum blk_crypt_mode_num crypt_mode;
> + u64 data_unit_num;
> + unsigned int data_unit_size_bits;
> +
> + /*
> + * The keyslot manager where the key has been programmed
> + * with keyslot.
> + */
> + struct keyslot_manager *processing_ksm;
> +
> + /*
> + * Copy of the bvec_iter when this bio was submitted.
> + * We only want to en/decrypt the part of the bio
> + * as described by the bvec_iter upon submission because
> + * bio might be split before being resubmitted
> + */
> + struct bvec_iter crypt_iter;
> + u64 sw_data_unit_num;
> +};
> +
How about making this struct definition conditional on
CONFIG_BLK_INLINE_ENCRYPTION? When !CONFIG_BLK_INLINE_ENCRYPTION, no code is
compiled that dereferences any pointer to this struct.
For consistency with bio_integrity_payload and to avoid an extra #ifdef, I think
this should also be moved to bio.h.
blk_crypt_mode_num can be moved to bio.h too, but it will need to be
unconditional since it's used as a parameter to bio_crypt_set_ctx().
> /*
> * main unit of I/O for the block layer and lower layers (ie drivers and
> * stacking drivers)
> @@ -186,6 +209,11 @@ struct bio {
> struct blkcg_gq *bi_blkg;
> struct bio_issue bi_issue;
> #endif
> +
> +#ifdef CONFIG_BLK_INLINE_ENCRYPTION
> + struct bio_crypt_ctx *bi_crypt_context;
> +#endif
> +
> union {
> #if defined(CONFIG_BLK_DEV_INTEGRITY)
> struct bio_integrity_payload *bi_integrity; /* data integrity */
> --
> 2.22.0.rc1.311.g5d7573a151-goog
>
Is it actually meaningful to use the blk_integrity feature in combination with
inline encryption? How might this be tested? If the features actually conflict
anyway, bi_crypt_context and bi_integrity could share the same union.
- Eric
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
next prev parent reply other threads:[~2019-06-12 18:10 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-05 23:28 [RFC PATCH v2 0/8] Inline Encryption Support Satya Tangirala
2019-06-05 23:28 ` Satya Tangirala via Linux-f2fs-devel
2019-06-05 23:28 ` [RFC PATCH v2 1/8] block: Keyslot Manager for Inline Encryption Satya Tangirala
2019-06-05 23:28 ` Satya Tangirala via Linux-f2fs-devel
2019-06-07 22:28 ` [f2fs-dev] " Eric Biggers
2019-06-07 22:28 ` Eric Biggers
2019-06-07 22:28 ` Eric Biggers
2019-06-12 18:26 ` Eric Biggers
2019-06-12 18:26 ` [f2fs-dev] " Eric Biggers
2019-06-12 18:26 ` Eric Biggers
2019-06-05 23:28 ` [RFC PATCH v2 2/8] block: Add encryption context to struct bio Satya Tangirala
2019-06-05 23:28 ` Satya Tangirala via Linux-f2fs-devel
2019-06-12 18:10 ` Eric Biggers [this message]
2019-06-12 18:10 ` [f2fs-dev] " Eric Biggers
2019-06-12 18:10 ` Eric Biggers
2019-06-05 23:28 ` [RFC PATCH v2 3/8] block: blk-crypto for Inline Encryption Satya Tangirala
2019-06-05 23:28 ` Satya Tangirala via Linux-f2fs-devel
2019-06-12 23:34 ` [f2fs-dev] " Eric Biggers
2019-06-12 23:34 ` Eric Biggers
2019-06-12 23:34 ` Eric Biggers
2019-06-05 23:28 ` [RFC PATCH v2 4/8] scsi: ufs: UFS driver v2.1 spec crypto additions Satya Tangirala
2019-06-05 23:28 ` Satya Tangirala via Linux-f2fs-devel
2019-06-05 23:28 ` [RFC PATCH v2 5/8] scsi: ufs: UFS crypto API Satya Tangirala
2019-06-05 23:28 ` Satya Tangirala via Linux-f2fs-devel
2019-06-13 17:11 ` Eric Biggers
2019-06-13 17:11 ` [f2fs-dev] " Eric Biggers
2019-06-13 17:11 ` Eric Biggers
2019-06-05 23:28 ` [RFC PATCH v2 6/8] scsi: ufs: Add inline encryption support to UFS Satya Tangirala
2019-06-05 23:28 ` Satya Tangirala via Linux-f2fs-devel
2019-06-13 17:22 ` [f2fs-dev] " Eric Biggers
2019-06-13 17:22 ` Eric Biggers
2019-06-13 17:22 ` Eric Biggers
2019-06-05 23:28 ` [RFC PATCH v2 7/8] fscrypt: wire up fscrypt to use blk-crypto Satya Tangirala
2019-06-05 23:28 ` Satya Tangirala via Linux-f2fs-devel
2019-06-13 18:55 ` Eric Biggers
2019-06-13 18:55 ` [f2fs-dev] " Eric Biggers
2019-06-13 18:55 ` Eric Biggers
2019-06-13 21:30 ` Andreas Dilger
2019-06-13 21:48 ` Eric Biggers
2019-06-05 23:28 ` [RFC PATCH v2 8/8] f2fs: Wire up f2fs to use inline encryption via fscrypt Satya Tangirala
2019-06-05 23:28 ` Satya Tangirala via Linux-f2fs-devel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190612181044.GA18795@gmail.com \
--to=ebiggers@kernel.org \
--cc=bmuthuku@qti.qualcomm.com \
--cc=kuohong.wang@mediatek.com \
--cc=ladvine.dalmeida@synopsys.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=pthombar@cadence.com \
--cc=satyat@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.