[dm-devel] [dm-crypt] dm-integrity standalone - lack of metadata
Harald Braumann
harry at unheit.net
Tue Jun 26 12:30:09 UTC 2018
On 24 June 2018 13:01:06 CEST, Milan Broz <gmazyland at gmail.com> wrote:
>(added cc to dm-devel annd Mikulas)
>On 06/24/2018 11:53 AM, Harald Braumann wrote:
>> However, the superblock lacks some crucial information:
>yes, I agree. The reason is that dm-integrity was in the first
>place designed for authenticated encryption (to store auth tags).
>Then additional metadata ia stored in LUKS2 header.
I understand.
>For the rest I just I have not enough energy (and real-world use cases)
>to convince Mikulas that we need attributes below in superblock (as the
>dm-integrity
>code is written mostly by him).
>At least for the algorithm I mention this idea several times ;-)
OK, good. I was just afraid that there might be some technical reason and this was out of the question.
>> integritysetup format /dev/sdb2 -v --integrity crc32c --sector-size
>> 4096
>> => 39.6 MiB/s
>>
>> Format with --no-wipe, open the target and use dd:
>> dd if=/dev/zero of=/dev/mapper/int bs=1M
>> => 63 MiB/s
>>
>> Same as above, but opening without journal (which really isn't
>> required for that step, even if the final target should be journaled):
>> => 135 MiB/s
>Internal wipe also uses activation without journal, it is slow probably
>because we use direct-io (can you add oflag=direct to your dd command?
>Is it the same speed as integritysetup wipe?)
Sorry, I haven't gotten around to it, yet.
>> /etc/udev/rules.d/70-dm-integrity.rules:
>>
>> ACTION!="add", GOTO="dm_integrity_end"
>> SUBSYSTEM!="block", GOTO="dm_integrity_end"
>> ENV{ID_FS_TYPE}!="DM_integrity", GOTO="dm_integrity_end"
>>
>> RUN+="/sbin/integritysetup open $devnode $kernel-integrity
>--integrity crc32c --integrity-no-journal"
>>
>> LABEL="dm_integrity_end"
>This is not the best way - integritysetup itself need udev
>synchronization, so it will
>race here with udev.
Could you elaborate on that? How does it need udev and could I add anything to the rules to ensure proper synchronization?
>I think we need similar system like /etc/crypttab (or extend crypttab
>of integrity targets).
Thats what I wanted to avoid. I would like it to work like LVM where volumes can be set up automatically with just metadata stored on the device itself.
Best regards
harry
More information about the dm-devel
mailing list