linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Eric Biggers <ebiggers@kernel.org>
To: Satya Tangirala <satyat@google.com>
Cc: linux-block@vger.kernel.org, linux-scsi@vger.kernel.org,
	linux-fscrypt@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	linux-f2fs-devel@lists.sourceforge.net,
	Barani Muthukumaran <bmuthuku@qti.qualcomm.com>,
	Kuohong Wang <kuohong.wang@mediatek.com>,
	Kim Boojin <boojin.kim@samsung.com>
Subject: Re: [PATCH v6 3/9] block: blk-crypto for Inline Encryption
Date: Thu, 19 Dec 2019 21:10:36 -0800	[thread overview]
Message-ID: <20191220051036.GE718@sol.localdomain> (raw)
In-Reply-To: <20191218145136.172774-4-satyat@google.com>

On Wed, Dec 18, 2019 at 06:51:30AM -0800, Satya Tangirala wrote:
> diff --git a/Documentation/block/inline-encryption.rst b/Documentation/block/inline-encryption.rst
> new file mode 100644
> index 000000000000..330106b23c09
> --- /dev/null
> +++ b/Documentation/block/inline-encryption.rst
> @@ -0,0 +1,183 @@
> +.. SPDX-License-Identifier: GPL-2.0
> +
> +=================
> +Inline Encryption
> +=================
> +
> +Objective
> +=========
> +
> +We want to support inline encryption (IE) in the kernel.
> +To allow for testing, we also want a crypto API fallback when actual
> +IE hardware is absent. We also want IE to work with layered devices
> +like dm and loopback (i.e. we want to be able to use the IE hardware
> +of the underlying devices if present, or else fall back to crypto API
> +en/decryption).
> +
> +
> +Constraints and notes
> +=====================
> +
> +- IE hardware have a limited number of "keyslots" that can be programmed
> +  with an encryption context (key, algorithm, data unit size, etc.) at any time.
> +  One can specify a keyslot in a data request made to the device, and the
> +  device will en/decrypt the data using the encryption context programmed into
> +  that specified keyslot. When possible, we want to make multiple requests with
> +  the same encryption context share the same keyslot.
> +
> +- We need a way for filesystems to specify an encryption context to use for
> +  en/decrypting a struct bio, and a device driver (like UFS) needs to be able
> +  to use that encryption context when it processes the bio.
> +
> +- We need a way for device drivers to expose their capabilities in a unified
> +  way to the upper layers.
> +

Can you add an explicit explanation about how inline encryption is different
from "self-encrypting drives", like ones based on the TCG Opal or ATA Security
standards?  That seems to be a common point of confusion.

Also, this documentation file really ought to start by briefly explaining what
inline encryption is and why it's important.  Then only after that get into the
implementation.  Don't assume the reader has already read a bunch of commit
messages, cover letters, articles, code, etc.

- Eric

  parent reply	other threads:[~2019-12-20  5:10 UTC|newest]

Thread overview: 56+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-12-18 14:51 [PATCH v6 0/9] Inline Encryption Support Satya Tangirala
2019-12-18 14:51 ` [PATCH v6 1/9] block: Keyslot Manager for Inline Encryption Satya Tangirala
2019-12-18 20:13   ` Eric Biggers
2020-01-17  9:10   ` Christoph Hellwig
2019-12-18 14:51 ` [PATCH v6 2/9] block: Add encryption context to struct bio Satya Tangirala
2019-12-18 21:10   ` Eric Biggers
2019-12-18 21:21   ` Darrick J. Wong
2019-12-18 21:25     ` Martin K. Petersen
2019-12-18 22:27       ` Eric Biggers
2019-12-19  0:47         ` Martin K. Petersen
2019-12-20  3:52           ` Eric Biggers
2020-01-07  4:35             ` Martin K. Petersen
2020-01-08 14:07           ` Christoph Hellwig
2020-01-08 17:26             ` Eric Biggers
2020-01-17  8:32               ` Christoph Hellwig
2020-01-18  5:11                 ` Eric Biggers
2020-01-21 22:05                   ` Satya Tangirala
2020-01-09  3:40             ` Martin K. Petersen
2020-01-14 21:24   ` Eric Biggers
2019-12-18 14:51 ` [PATCH v6 3/9] block: blk-crypto for Inline Encryption Satya Tangirala
2019-12-20  3:14   ` Eric Biggers
2019-12-20  5:10   ` Eric Biggers [this message]
2020-01-14 21:22   ` Eric Biggers
2019-12-18 14:51 ` [PATCH v6 4/9] scsi: ufs: UFS driver v2.1 spec crypto additions Satya Tangirala
2020-01-17 12:31   ` Christoph Hellwig
2019-12-18 14:51 ` [PATCH v6 5/9] scsi: ufs: UFS crypto API Satya Tangirala
2019-12-20  4:48   ` Eric Biggers
2020-01-14 21:16     ` Eric Biggers
2020-01-17 13:51   ` Christoph Hellwig
2019-12-18 14:51 ` [PATCH v6 6/9] scsi: ufs: Add inline encryption support to UFS Satya Tangirala
2019-12-20  5:44   ` Eric Biggers
2020-01-17 13:58   ` Christoph Hellwig
2020-01-18  5:27     ` Eric Biggers
2020-02-05 18:07       ` Christoph Hellwig
2020-01-18  3:58   ` Eric Biggers
2020-02-05 20:47   ` Eric Biggers
2019-12-18 14:51 ` [PATCH v6 7/9] fscrypt: add inline encryption support Satya Tangirala
2020-01-14 21:12   ` Eric Biggers
2019-12-18 14:51 ` [PATCH v6 8/9] f2fs: " Satya Tangirala
2019-12-20  4:23   ` Eric Biggers
2019-12-18 14:51 ` [PATCH v6 9/9] ext4: " Satya Tangirala
2019-12-19  0:12   ` Eric Biggers
2019-12-19  0:31     ` Satya Tangirala
2019-12-22  0:16   ` Eric Biggers
2020-01-08 14:05 ` [PATCH v6 0/9] Inline Encryption Support Christoph Hellwig
2020-01-08 18:43   ` Satya Tangirala
2020-01-17  8:52     ` Christoph Hellwig
2020-02-01  0:53       ` Satya Tangirala
2020-02-03  9:15         ` Christoph Hellwig
2020-02-04  3:39           ` Satya Tangirala
2020-02-04 14:58             ` Christoph Hellwig
2020-02-04 21:21               ` Eric Biggers
2020-02-05  7:36                 ` Eric Biggers
2020-02-05 18:05                   ` Christoph Hellwig
2020-02-21 12:30                     ` Satya Tangirala
2020-02-21 14:20                       ` Christoph Hellwig

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191220051036.GE718@sol.localdomain \
    --to=ebiggers@kernel.org \
    --cc=bmuthuku@qti.qualcomm.com \
    --cc=boojin.kim@samsung.com \
    --cc=kuohong.wang@mediatek.com \
    --cc=linux-block@vger.kernel.org \
    --cc=linux-f2fs-devel@lists.sourceforge.net \
    --cc=linux-fscrypt@vger.kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-scsi@vger.kernel.org \
    --cc=satyat@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).