[dm-devel] dm-integrity

Renesanso renesanso at yandex.ru
Wed Jul 5 16:45:54 UTC 2017


1. And in this ( 
https://kernel.googlesource.com/pub/scm/linux/kernel/git/kasatkin/linux-digsig/+/2dfa67a1a4c049fd33fcc6abcb1c8ca57b17a268/Documentation/device-mapper/dm-integrity.txt 
) implementation gives variant to use external device for metadata and 
journal. It really affects performance, I think. Do you plan to do analogous 
functions?

2. And other question: in your implementation tags write rarery after 
data (eg. data[512b], tag[32b], data [512b], tag[32b]) or data stores in 
one "half" of disk and tags in another (in end of disk, example)? Second 
variant gives VERY HUGE penalty on hdd's.

3. And can, as I see there many options (as journal, buffers and other). 
Can you give me example of parameters configuration, that fully 
correctly work in production (KVMs- VMs -> raw -> EXT4 -> LVM -> MD -> 
multiple dm-integrity on multiple physical disks )?

04.07.2017 02:57, Renesanso wrote:
> Big thanks for reply and update example! Now all works, that I 
> expected, but not internal key.
>
> /integritysetup open /dev/loop7 integra --integrity sha256:276348274682
> device-mapper: reload ioctl on  failed: Function not implemented
>
> dmesg: [176470.496481] device-mapper: table: 251:14: integrity: Error 
> setting internal hash key
> [176470.496487] device-mapper: ioctl: error adding target to table
>
> uname -a
> Linux localhost 4.12.0-rc6 #1 SMP PREEMPT Sun Jun 25 21:30:55 MSK 2017 
> x86_64 x86_64 x86_64 GNU/Linux
>
> Did I do something wrong?
>
> And can, as I see there many options (as journal, buffers and other). 
> Can you give me example of parameters configuration, that fully 
> correctly work in production (KVMs- VMs -> raw -> EXT4 -> LVM -> MD -> 
> multiple dm-integrity on multiple physical disks )?
>
> Big big thanks. :)
>
> 03.07.2017 18:05, Milan Broz wrote:
>> On 07/03/2017 06:44 AM, Renesanso wrote:
>>> Hi for all.
>>>
>>> Dmitry Kasatkin's fork of linux.git write dm-integrity patch for linux
>> ...
>>
>> yes, unfortunately we named the target the same (and I realized it too late).
>>
>> It is doing something similar but definitely it is not the same.
>>
>>> I try to use dmsetup to setup dm-integrity in ecc mode (but if change
>>> block on backend device dm-integrity gives not reaction and give another
>>> md5sum to upper level. but non error), for dm-crypt I cannot understand
>>> how to use AEAD mode.
>> You probably configured it in mode when it only provide tag space,
>> but does not calculate and verify internal hash.
>>
>> (ECC means error correction, this target does not provide error correction,
>> only detection of error (such a tool could be written on top of
>> dm-integrity though).)
>>
>>> Please, give full instruction to use dm-integrity in ecc mode and with
>>> dm-crypt (with kernel keychain creation).
>> dm-integrity can work in standalone mode or together with dm-crypt.
>>
>> For the standalone mode, it is the best to use integritysetup tool
>> (for now in master branch of cryptsetup project).
>> https://gitlab.com/cryptsetup/cryptsetup
>>
>> There is some simple documentation in man page and on this page
>> https://gitlab.com/cryptsetup/cryptsetup/wikis/DMIntegrity
>>
>> (You can setup HMAC integrity protection in standalone mode as well.)
>> I will update it soon with some more info and prepare some better examples
>> (the whole userspace is still not finished though but should work.)
>>
>> For the combination with dm-crypt and AEAD - this is part of LUKS2 branch
>> in the same repository but it is really only for experiments.
>> Once we will have some testing build, I'll write more here, sorry, it takes
>> longer than I expected.
>>
>> Milan
>
>
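
The three standalone configurations that come up in this thread (tag space only, a keyless internal hash such as sha256, and HMAC), as an added Python model that is not dm-integrity code and not part of the original messages. It shows which of them report an error when a sector is changed on the backing device; `ModelDevice`, `tag`, `outcome` and the key are hypothetical or constructed, and hashing the sector number together with the data is an assumption of this model.

```python
import hashlib
import hmac
import struct

SECTOR_SIZE = 512
SAMPLE_KEY = b"constructed-sample-key"  # constructed value, not from the thread


def tag(mode, sector_no, data, key=b""):
    """Per-sector tag for the three modes (hypothetical model)."""
    if mode == "none":  # tag space only: nothing is calculated or verified
        return b""
    msg = struct.pack("<Q", sector_no) + data  # assumption: bind tag to sector number
    if mode == "sha256":  # keyless internal hash, 32-byte tag
        return hashlib.sha256(msg).digest()
    if mode == "hmac-sha256":  # keyed internal hash
        return hmac.new(key, msg, hashlib.sha256).digest()
    raise ValueError(mode)


class ModelDevice:
    """Data sectors plus stored tags; read() verifies like an integrity target."""

    def __init__(self, mode, key=b""):
        self.mode, self.key = mode, key
        self.data, self.tags = {}, {}

    def write(self, n, buf):
        self.data[n] = buf
        self.tags[n] = tag(self.mode, n, buf, self.key)

    def read(self, n):
        expected = tag(self.mode, n, self.data[n], self.key)
        if not hmac.compare_digest(expected, self.tags[n]):
            raise OSError(f"sector {n}: tag mismatch")
        return self.data[n]


def outcome(mode, tag_recomputed_without_key):
    """Change sector 7 on the backing store, then read it through the model."""
    dev = ModelDevice(mode, SAMPLE_KEY)
    dev.write(7, b"A" * SECTOR_SIZE)
    dev.data[7] = b"B" * SECTOR_SIZE  # change made below the target
    if tag_recomputed_without_key and mode != "none":
        dev.tags[7] = tag("sha256", 7, dev.data[7])  # the writer has no key
    try:
        dev.read(7)
        return "undetected"
    except OSError:
        return "detected"
```

In this model the tag-space-only mode returns the changed data without an error, the keyless hash catches corruption but not a change whose tag was recomputed, and only the keyed mode catches both.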



