| Message ID | 20210114154723.2495814-1-satyat@google.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | ensure bios aren't split in middle of crypto data unit | expand |
On Thu, Jan 14, 2021 at 03:47:16PM +0000, Satya Tangirala wrote: > When a bio has an encryption context, its size must be aligned to its > crypto data unit size. A bio must not be split in the middle of a data > unit. Currently, bios are split at logical block boundaries, but a crypto > data unit size might be larger than the logical block size - e.g. a machine > could be using fscrypt (which uses 4K crypto data units) with an eMMC block > device with inline encryption hardware that has a logical block size of > 512 bytes. So we need to support cases where the data unit size is larger > than the logical block size. I think this model is rather broken. Instead of creating an -EIO path we can't handle anywhere make sure that the size limits exposed by the driver that wants to split always align to the crypto data units to avoid this issue to start with.
On Thu, Jan 21, 2021 at 05:11:29PM +0000, Christoph Hellwig wrote: > On Thu, Jan 14, 2021 at 03:47:16PM +0000, Satya Tangirala wrote: > > When a bio has an encryption context, its size must be aligned to its > > crypto data unit size. A bio must not be split in the middle of a data > > unit. Currently, bios are split at logical block boundaries, but a crypto > > data unit size might be larger than the logical block size - e.g. a machine > > could be using fscrypt (which uses 4K crypto data units) with an eMMC block > > device with inline encryption hardware that has a logical block size of > > 512 bytes. So we need to support cases where the data unit size is larger > > than the logical block size. > > I think this model is rather broken. Instead of creating an -EIO path > we can't handle anywhere make sure that the size limits exposed by the > driver that wants to split always align to the crypto data units to > avoid this issue to start with. Hey Christoph, Thanks for the suggestion. I finally sent out v2 for this patch at https://lore.kernel.org/linux-block/20210325212609.492188-1-satyat@google.com/ I tried doing something similar to what you suggested to avoid creating an -EIO path, but instead of changing the size limits exposed by the driver, I changed the allowed data unit sizes based on the exposed size limits. I did it that way because the limits that interfere with inline encryption happen to be "hard limits" a driver can't lie about, like having support for SG gaps or not requiring chunk sectors. Another reason for doing it this way is so that we don't interfere with regular unencrypted I/O by changing driver exposed limits unconditionally (and I didn't think it was straightforward to expose two different sets of limits of encrypted and unencrypted I/O respectively). Please take a look at the new patch series if you're able to. Thanks!
When a bio has an encryption context, its size must be aligned to its crypto data unit size. A bio must not be split in the middle of a data unit. Currently, bios are split at logical block boundaries, but a crypto data unit size might be larger than the logical block size - e.g. a machine could be using fscrypt (which uses 4K crypto data units) with an eMMC block device with inline encryption hardware that has a logical block size of 512 bytes. So we need to support cases where the data unit size is larger than the logical block size. Patch 1 allows blk_bio_segment_split() in blk-merge.c to fail and return an error code. This functionality is used by later patches in this series. Patch 1 also updates all callers to handle/propagate any returned error. Patch 2 introduces blk_crypto_bio_sectors_alignment() which returns the required alignment for the number of sectors in any bio. Patches 3, 4 and 5 update bounce.c, blk-crypto-fallback.c and blk-merge.c respectively to respect blk_crypto_bio_sectors_alignment() when calling bio_split(), so that any split bio's size has the required alignment. Patch 5 (the patch updating blk-merge.c) updates blk_bio_segment_split() by rounding down the number of sectors to the required alignment (aligned sectors) just before the call to bio_split(). It may be the case that due to the other restrictions on aligned sectors by blk_bio_segment_split(), aligned sectors ends up being rounded down to 0. An error is returned in that case, using the functionality introduced in Patch 1. Since all callers to bio_split() should have been updated by the previous patches, Patch 6 adds a WARN_ON() to bio_split() when sectors isn't aligned to blk_crypto_bio_sectors_alignment(). As a result of the simplistic rounding down in Patch 5, it might also be the case that nsegs in blk_bio_segment_split() is overestimated. Patch 7 calculates nsegs accurately, while being a lot more complicated than Patch 5. If the accuracy isn't really necessary, Patch 7 can be dropped completely. This patch series was tested by running android xfstests on the SDM630 chipset (which has eMMC inline encryption hardware with logical block size 512 bytes) with test_dummy_encryption with and without the 'inlinecrypt' mount option. Satya Tangirala (7): block: make blk_bio_segment_split() able to fail and return error block: blk-crypto: Introduce blk_crypto_bio_sectors_alignment() block: respect blk_crypto_bio_sectors_alignment() in bounce.c block: respect blk_crypto_bio_sectors_alignment() in blk-crypto-fallback block: respect blk_crypto_bio_sectors_alignment() in blk-merge block: add WARN() in bio_split() for sector alignment block: compute nsegs more accurately in blk_bio_segment_split() block/bio.c | 1 + block/blk-crypto-fallback.c | 2 + block/blk-crypto-internal.h | 18 +++++ block/blk-merge.c | 132 +++++++++++++++++++++++++++------- block/blk-mq.c | 5 +- block/blk.h | 2 +- block/bounce.c | 3 + drivers/block/drbd/drbd_req.c | 5 +- drivers/block/pktcdvd.c | 3 +- drivers/block/ps3vram.c | 5 +- drivers/block/rsxx/dev.c | 3 +- drivers/block/umem.c | 5 +- drivers/lightnvm/pblk-init.c | 13 +++- drivers/md/dm.c | 8 ++- drivers/md/md.c | 5 +- drivers/nvme/host/multipath.c | 5 +- drivers/s390/block/dcssblk.c | 3 +- drivers/s390/block/xpram.c | 3 +- include/linux/blkdev.h | 2 +- 19 files changed, 182 insertions(+), 41 deletions(-)