[dm-devel] dm-integrity
Renesanso
renesanso at yandex.ru
Wed Jul 5 16:45:54 UTC 2017
1. And in this (
https://kernel.googlesource.com/pub/scm/linux/kernel/git/kasatkin/linux-digsig/+/2dfa67a1a4c049fd33fcc6abcb1c8ca57b17a268/Documentation/device-mapper/dm-integrity.txt
) implementation gives a variant to use an external device for metadata and
journal. It really affects performance, I think. Do you plan to do analogous
functions?
2. And other question: in your implementation tags write rarery after
data (eg. data[512b], tag[32b], data [512b], tag[32b]) or data stores in
one "half" of the disk and tags in another (at the end of the disk, for example)? The second
variant gives a VERY HUGE penalty on HDDs.
3. Also, as I see, there are many options (such as journal, buffers and others).
Can you give me an example of a parameter configuration that works fully
correctly in production (KVMs- VMs -> raw -> EXT4 -> LVM -> MD ->
multiple dm-integrity on multiple physical disks)?
04.07.2017 02:57, Renesanso wrote:
> Big thanks for the reply and the updated example! Now everything works as I
> expected, except the internal key.
>
> /integritysetup open /dev/loop7 integra --integrity sha256:276348274682
> device-mapper: reload ioctl on failed: Function not implemented
>
> dmesg: [176470.496481] device-mapper: table: 251:14: integrity: Error
> setting internal hash key
> [176470.496487] device-mapper: ioctl: error adding target to table
>
> uname -a
> Linux localhost 4.12.0-rc6 #1 SMP PREEMPT Sun Jun 25 21:30:55 MSK 2017
> x86_64 x86_64 x86_64 GNU/Linux
>
> Did I do something wrong?
>
> Also, as I see, there are many options (such as journal, buffers and others).
> Can you give me an example of a parameter configuration that works fully
> correctly in production (KVMs- VMs -> raw -> EXT4 -> LVM -> MD ->
> multiple dm-integrity on multiple physical disks)?
>
> Big big thanks. :)
>
> 03.07.2017 18:05, Milan Broz wrote:
>> On 07/03/2017 06:44 AM, Renesanso wrote:
>>> Hi for all.
>>>
>>> Dmitry Kasatkin's fork of linux.git write dm-integrity patch for linux
>> ...
>>
>> yes, unfortunately we named the target the same (and I realized it
>> too late).
>>
>> It is doing something similar but definitely it is not the same.
>>
>>> I try to use dmsetup to set up dm-integrity in ECC mode (but if I change
>>> a block on the backend device, dm-integrity gives no reaction and gives
>>> another md5sum to the upper level, but no error); for dm-crypt I cannot
>>> understand how to use AEAD mode.
>> You probably configured it in a mode where it only provides tag space,
>> but does not calculate and verify an internal hash.
>>
>> (ECC means error correction; this target does not provide error
>> correction, only detection of errors (such a tool could be written on
>> top of dm-integrity though).)
>>
>>> Please give full instructions to use dm-integrity in ECC mode and with
>>> dm-crypt (with kernel keychain creation).
>> dm-integrity can work in standalone mode or together with dm-crypt.
>>
>> For the standalone mode, it is best to use the integritysetup tool
>> (for now in the master branch of the cryptsetup project).
>> https://gitlab.com/cryptsetup/cryptsetup
>>
>> There is some simple documentation in the man page and on this page
>> https://gitlab.com/cryptsetup/cryptsetup/wikis/DMIntegrity
>>
>> (You can set up HMAC integrity protection in standalone mode as well.)
>> I will update it soon with some more info and prepare some better
>> examples (the whole userspace is still not finished though but should work.)
>>
>> For the combination with dm-crypt and AEAD - this is part of the LUKS2
>> branch in the same repository but it is really only for experiments.
>> Once we have a testing build, I'll write more here; sorry, it takes
>> longer than I expected.
>>
>> Milan
>
>