diff mbox series

[v2,7/7] block: implement async secure erase

Message ID 5ee52b6cc60fb3d4ecc3d689a3b30eabf4359dba.1724297388.git.asml.silence@gmail.com (mailing list archive)
State New, archived
Headers show
Series implement async block discards/etc. via io_uring | expand

Commit Message

Pavel Begunkov Aug. 22, 2024, 3:35 a.m. UTC
Add yet another io_uring cmd implementing async secure erases.
It has same page cache races as async discards and write zeroes and
reuses the common paths in general.

Suggested-by: Conrad Meyer <conradmeyer@meta.com>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
---
 block/ioctl.c           | 15 +++++++++++++++
 include/uapi/linux/fs.h |  1 +
 2 files changed, 16 insertions(+)

Comments

Christoph Hellwig Aug. 22, 2024, 6:36 a.m. UTC | #1
On Thu, Aug 22, 2024 at 04:35:57AM +0100, Pavel Begunkov wrote:
> Add yet another io_uring cmd implementing async secure erases.
> It has same page cache races as async discards and write zeroes and
> reuses the common paths in general.

How did you test this?  Asking because my interruption fix for secure
discard is still pending because I could not find a test environment
for it.  And also because for a "secure" [1] erase proper invalidation
of the page cache actually matters, as otherwise you can still leak
data to the device.

[2] LBA based "secure" erase can't actually be secure on any storage
device that can write out of place.  Which is all of flash, but also
modern HDDs when encountering error.  It's a really bad interface
we should never have have started to support.
Pavel Begunkov Aug. 22, 2024, 12:36 p.m. UTC | #2
On 8/22/24 07:36, Christoph Hellwig wrote:
> On Thu, Aug 22, 2024 at 04:35:57AM +0100, Pavel Begunkov wrote:
>> Add yet another io_uring cmd implementing async secure erases.
>> It has same page cache races as async discards and write zeroes and
>> reuses the common paths in general.
> 
> How did you test this?  Asking because my interruption fix for secure

In short I didn't, exactly because it's a challenge finding
anything that supports it. At least the change here is minimal,
but ...

> discard is still pending because I could not find a test environment
> for it.  And also because for a "secure" [1] erase proper invalidation
> of the page cache actually matters, as otherwise you can still leak
> data to the device.
> 
> [2] LBA based "secure" erase can't actually be secure on any storage
> device that can write out of place.  Which is all of flash, but also
> modern HDDs when encountering error.  It's a really bad interface
> we should never have have started to support.

... I should just drop it, not like async support makes much
sense.
diff mbox series

Patch

diff --git a/block/ioctl.c b/block/ioctl.c
index 6f0676f21e7b..ab8bab6ee806 100644
--- a/block/ioctl.c
+++ b/block/ioctl.c
@@ -841,6 +841,18 @@  static int blkdev_cmd_write_zeroes(struct io_uring_cmd *cmd,
 				bdev_write_zeroes_sectors(bdev), opf);
 }
 
+static int blkdev_cmd_secure_erase(struct io_uring_cmd *cmd,
+				   struct block_device *bdev,
+				   uint64_t start, uint64_t len, bool nowait)
+{
+	blk_opf_t opf = REQ_OP_SECURE_ERASE;
+
+	if (nowait)
+		opf |= REQ_NOWAIT;
+	return blkdev_queue_cmd(cmd, bdev, start, len,
+				bdev_max_secure_erase_sectors(bdev), opf);
+}
+
 static int blkdev_cmd_discard(struct io_uring_cmd *cmd,
 			      struct block_device *bdev,
 			      uint64_t start, uint64_t len, bool nowait)
@@ -911,6 +923,9 @@  int blkdev_uring_cmd(struct io_uring_cmd *cmd, unsigned int issue_flags)
 	case BLOCK_URING_CMD_WRITE_ZEROES:
 		return blkdev_cmd_write_zeroes(cmd, bdev, start, len,
 					       bc->nowait);
+	case BLOCK_URING_CMD_SECURE_ERASE:
+		return blkdev_cmd_secure_erase(cmd, bdev, start, len,
+					       bc->nowait);
 	}
 	return -EINVAL;
 }
diff --git a/include/uapi/linux/fs.h b/include/uapi/linux/fs.h
index b9e20ce57a28..425957589bdf 100644
--- a/include/uapi/linux/fs.h
+++ b/include/uapi/linux/fs.h
@@ -210,6 +210,7 @@  struct fsxattr {
 
 #define BLOCK_URING_CMD_DISCARD			0
 #define BLOCK_URING_CMD_WRITE_ZEROES		1
+#define BLOCK_URING_CMD_SECURE_ERASE		2
 
 #define BMAP_IOCTL 1		/* obsolete - kept for compatibility */
 #define FIBMAP	   _IO(0x00,1)	/* bmap access */