[v6,11/11] blksnap: prevents using devices with data integrity or inline encryption
| Message ID | 20231124165933.27580-12-sergei.shtepa@linux.dev |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:ce62:0:b0:403:3b70:6f57 with SMTP id o2csp1371231vqx;
Fri, 24 Nov 2023 09:02:33 -0800 (PST)
X-Google-Smtp-Source:
AGHT+IHvpQZikikJkAE+0cCiNiXTDuUr28gRpb0NtOU7Di3gxIR3PaquPUeTo06rfBVklu2JN0yc
X-Received: by 2002:a05:6e02:20c7:b0:358:141:8584 with SMTP id
7-20020a056e0220c700b0035801418584mr4934764ilq.17.1700845353450;
Fri, 24 Nov 2023 09:02:33 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1700845353; cv=none;
d=google.com; s=arc-20160816;
b=uj2lu8J7gV2/Dn2cj5HR+p2FTVHKhjPp1GAfNL3tecenxnI40ERA/hi+XpsH7iZd4V
Pt2sPXeKeri1432nMjB8T4UTqceB6FHOFSdnlP17iKAb7i8Z6/qCNMvoQPA9nwpqqXGv
rfNx5/zfK0bgfq71TXw7149IoBfRUP0DoZbh2UV8VIPLwKKeYrof1EjtfmoTZZOkhCYa
fFYVvADI0Q2YDsXEMFqOliqDLoKepIAJgQLfzp1SJHlihDSbEfxgfRQtYkKY5pKZDCso
YWDYJFPk9Vm84T0mPIktpoCz8YoKf0Dduydstq74N51fNLwzIRqR7mjssiqqilrmuYJo
jO+Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:references:in-reply-to:message-id:date:subject:cc:to:from
:dkim-signature;
bh=QWk7YTMvB3DTfZc9sNUwNxdg+CAbRo1hOQbqO2wSQ6A=;
fh=lPjKKhlWGDRjdXlpc1pR+zlTQWWXClUGj0ay55zHgiQ=;
b=k2JZU7rNWQAxXSEHVay8bNWc/R4M96r5yhfzsJW+Af5X/zRHJSZtYKbgmThjv7nkUO
7pzk4Pfj/xZBKEe4TwB0WqPIbnOomJFFz3nX9H7joxdI3Z+w5fXQGcHpImVuG4sn2hsA
BTOIgE3r4+1/7dMJNYt+gskQknqAcBJWqQWxxiLHy7qN3Hb5GwRasFxME6HTxQiFiVI7
75dX4gOKywYITc+n/mrGaJpxwdMHo08Xjo++4AVu4jR/oOnArDcBYmFWGtCEFGPUJ6VA
KDYZlR+feDk+8Ye1/9DYZL20t1sLxgvr3P262ytwIBKyoNhuCAwZmaH7lByGNFV9DPAa
KrEA==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@linux.dev header.s=key1 header.b="YS/3MDkQ";
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:5 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev
Received: from groat.vger.email (groat.vger.email. [2620:137:e000::3:5])
by mx.google.com with ESMTPS id
a19-20020a056638165300b004667a7ba3f6si2286266jat.126.2023.11.24.09.02.29
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Fri, 24 Nov 2023 09:02:33 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:5 as permitted sender)
client-ip=2620:137:e000::3:5;
Authentication-Results: mx.google.com;
dkim=pass header.i=@linux.dev header.s=key1 header.b="YS/3MDkQ";
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:5 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
by groat.vger.email (Postfix) with ESMTP id 34A1A83D1554;
Fri, 24 Nov 2023 09:01:52 -0800 (PST)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.11 at groat.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S235084AbjKXRBP (ORCPT <rfc822;ouuuleilei@gmail.com> + 99 others);
Fri, 24 Nov 2023 12:01:15 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49362 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S1345801AbjKXRA3 (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Fri, 24 Nov 2023 12:00:29 -0500
Received: from out-185.mta0.migadu.com (out-185.mta0.migadu.com
[91.218.175.185])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A4D161BC8
for <linux-kernel@vger.kernel.org>;
Fri, 24 Nov 2023 09:00:30 -0800 (PST)
X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and
include these headers.
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1;
t=1700845228;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:cc:mime-version:mime-version:
content-transfer-encoding:content-transfer-encoding:
in-reply-to:in-reply-to:references:references;
bh=QWk7YTMvB3DTfZc9sNUwNxdg+CAbRo1hOQbqO2wSQ6A=;
b=YS/3MDkQDJLZ1KOe1iNDAZDteB/JflqObZ/sxnSGYirEVXMmWDGjQitpPoxMWbwITRRGcK
lCaiEJ8jACRUkhE5INGw8DLQ17uYGYUcBA+kCBAPjM3CKQX83iJY0AdVDX5aUYv45OjLes
yYiDU6Zy3ApLCGmeU0KMq1smX6MXIK4=
From: Sergei Shtepa <sergei.shtepa@linux.dev>
To: axboe@kernel.dk, hch@infradead.org, corbet@lwn.net,
snitzer@kernel.org
Cc: mingo@redhat.com, peterz@infradead.org, juri.lelli@redhat.com,
viro@zeniv.linux.org.uk, brauner@kernel.org,
linux-block@vger.kernel.org, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
Sergei Shtepa <sergei.shtepa@veeam.com>,
Eric Biggers <ebiggers@kernel.org>
Subject: [PATCH v6 11/11] blksnap: prevents using devices with data integrity
or inline encryption
Date: Fri, 24 Nov 2023 17:59:33 +0100
Message-Id: <20231124165933.27580-12-sergei.shtepa@linux.dev>
In-Reply-To: <20231124165933.27580-1-sergei.shtepa@linux.dev>
References: <20231124165933.27580-1-sergei.shtepa@linux.dev>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Migadu-Flow: FLOW_OUT
X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable
autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]);
Fri, 24 Nov 2023 09:01:53 -0800 (PST)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1783465617276094491
X-GMAIL-MSGID: 1783465617276094491
|
| Series |
blksnap - block devices snapshots module
|
|
Commit Message
Sergei Shtepa
Nov. 24, 2023, 4:59 p.m. UTC
From: Sergei Shtepa <sergei.shtepa@veeam.com> There is an opinion that the use of the blksnap module may violate the security of encrypted data. The difference storage file may be located on an unreliable disk or even network storage. To implement secure compatibility with hardware inline encrypted devices will require discussion of algorithms and restrictions. For example, a restriction on the location of the difference storage only in virtual memory might help. Currently, there is no need for compatibility of the blksnap module and hardware inline encryption. I see no obstacles to ensuring the compatibility of the blksnap module and block devices with data integrity. However, this functionality was not planned or tested. Perhaps in the future this compatibility can be implemented. Theoretically possible that the block device was added to the snapshot before crypto_profile and integrity.profile were initialized. Checking the values of bi_crypt_context and bi_integrity ensures that the blksnap will not perform any actions with I/O units with which it is not compatible. Reported-by: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Sergei Shtepa <sergei.shtepa@veeam.com> --- drivers/block/blksnap/snapshot.c | 17 +++++++++++++++++ drivers/block/blksnap/tracker.c | 14 ++++++++++++++ 2 files changed, 31 insertions(+)
Comments
On Fri, Nov 24, 2023 at 05:59:33PM +0100, Sergei Shtepa wrote: > There is an opinion that the use of the blksnap module may violate the > security of encrypted data. The difference storage file may be located > on an unreliable disk or even network storage. I think this misses the point slightly. The main problem is that blksnap writes data in plaintext that is supposed to be encrypted, as indicated by the bio having an encryption context. That's just what it does, at least based on the last patchset; it's not just "an opinion". See https://lore.kernel.org/linux-block/20a5802d-424d-588a-c497-1d1236c52880@veeam.com/ > +#ifdef CONFIG_BLK_INLINE_ENCRYPTION > + if (bio->bi_crypt_context) { > + pr_err_once("Hardware inline encryption is not supported\n"); > + diff_area_set_corrupted(tracker->diff_area, -EPERM); > + return false; > + } > +#endif The error message for ->bi_crypt_context being set should say "Inline encryption", not "Hardware inline encryption". The submitter of the bio may have intended to use blk-crypto-fallback. Anyway, this patch is better than ignoring the problem. It's worth noting, though, that this patch does not prevent blksnap from being set up on a block device on which blk-crypto-fallback is already being used (or will be used). When that happens, I/O will suddenly start failing. For usability reasons, ideally that would be prevented somehow. - Eric
On 11/27/23 23:47, Eric Biggers wrote: > On Fri, Nov 24, 2023 at 05:59:33PM +0100, Sergei Shtepa wrote: >> There is an opinion that the use of the blksnap module may violate the >> security of encrypted data. The difference storage file may be located >> on an unreliable disk or even network storage. > I think this misses the point slightly. The main problem is that blksnap writes > data in plaintext that is supposed to be encrypted, as indicated by the bio > having an encryption context. That's just what it does, at least based on the > last patchset; it's not just "an opinion". See > https://lore.kernel.org/linux-block/20a5802d-424d-588a-c497-1d1236c52880@veeam.com/ Thanks Eric. Perhaps I formulated the thought inaccurately. The point is that blksnap should not be compatible with blk-crypto. Changes in version 6 do not allow to take a snapshot with a device on which the encryption context is detected. Additionally, protection is implemented in the bio handling code. For bio with bi_crypt_context, the COW algorithm is not executed. > >> +#ifdef CONFIG_BLK_INLINE_ENCRYPTION >> + if (bio->bi_crypt_context) { >> + pr_err_once("Hardware inline encryption is not supported\n"); >> + diff_area_set_corrupted(tracker->diff_area, -EPERM); >> + return false; >> + } >> +#endif > The error message for ->bi_crypt_context being set should say > "Inline encryption", not "Hardware inline encryption". The submitter of the bio > may have intended to use blk-crypto-fallback. I was looking at the blk-crypto-fallback code. I tested the work in this case. Encryption is performed before the bio gets to the block layer. So, the filter receives cloned bios with already encrypted data. Therefore, the text of the message is correct. But I haven't tested the code on a device where hardware inline encryption is available. I would be glad if anyone could help with this. > > Anyway, this patch is better than ignoring the problem. It's worth noting, > though, that this patch does not prevent blksnap from being set up on a block > device on which blk-crypto-fallback is already being used (or will be used). > When that happens, I/O will suddenly start failing. For usability reasons, > ideally that would be prevented somehow. I didn't observe any failures during testing. It's just that the snapshot image shows files with encrypted names and data. Backup in this case is useless. Unfortunately, there is no way to detect a blk-crypto-fallback on the block device filter level. Maybe my tests aren't enough. The next step I think would be great to add new tests to xfstests.
On Tue, Nov 28, 2023 at 12:00:17PM +0100, Sergei Shtepa wrote: > But I haven't tested the code on a device where hardware inline encryption is > available. I would be glad if anyone could help with this. > > > > Anyway, this patch is better than ignoring the problem. It's worth noting, > > though, that this patch does not prevent blksnap from being set up on a block > > device on which blk-crypto-fallback is already being used (or will be used). > > When that happens, I/O will suddenly start failing. For usability reasons, > > ideally that would be prevented somehow. > > I didn't observe any failures during testing. It's just that the snapshot > image shows files with encrypted names and data. Backup in this case is > useless. Unfortunately, there is no way to detect a blk-crypto-fallback on > the block device filter level. Huh, I thought that this patch is supposed to exclude blk-crypto-fallback too. __submit_bio() calls bio->bi_bdev->bd_filter->ops->submit_bio(bio) before blk_crypto_bio_prep(), so doesn't your check of ->bi_crypt_context exclude blk-crypto-fallback? I think you're right that it might actually be fine to use blksnap with blk-crypto-fallback, provided that the encryption is done first. I would like to see a proper explanation of that, though. And we still have this patch which claims that it doesn't work, which is confusing. - Eric
On 11/28/23 18:18, Eric Biggers wrote: > On Tue, Nov 28, 2023 at 12:00:17PM +0100, Sergei Shtepa wrote: >> But I haven't tested the code on a device where hardware inline encryption is >> available. I would be glad if anyone could help with this. >>> Anyway, this patch is better than ignoring the problem. It's worth noting, >>> though, that this patch does not prevent blksnap from being set up on a block >>> device on which blk-crypto-fallback is already being used (or will be used). >>> When that happens, I/O will suddenly start failing. For usability reasons, >>> ideally that would be prevented somehow. >> I didn't observe any failures during testing. It's just that the snapshot >> image shows files with encrypted names and data. Backup in this case is >> useless. Unfortunately, there is no way to detect a blk-crypto-fallback on >> the block device filter level. > Huh, I thought that this patch is supposed to exclude blk-crypto-fallback too. > __submit_bio() calls bio->bi_bdev->bd_filter->ops->submit_bio(bio) before > blk_crypto_bio_prep(), so doesn't your check of ->bi_crypt_context exclude > blk-crypto-fallback? Thank you, Eric. You're right. The filter handle unencrypted data when using blk-crypto-fallback. Indeed, the I/O unit has an encryption context. And yes, the word "Hardware" is not necessary. - pr_err_once("Hardware inline encryption is not supported\n"); + pr_err_once("Inline encryption is not supported\n"); > > I think you're right that it might actually be fine to use blksnap with > blk-crypto-fallback, provided that the encryption is done first. I would like > to see a proper explanation of that, though. And we still have this patch which > claims that it doesn't work, which is confusing. I found a bug in my test. I was let down by the cache. I redid the test and posted it. Link: https://github.com/veeam/blksnap/blob/stable-v2.0/tests/8000-inline-encryption.sh When the bi_crypt_context is detected in the write I/O unit, the snapshot image is marked as corrupted. The COW algorithm is not executed. The blksnap code does not allow data leakage. For a disk with hardware encryption, a block device cannot be added to the snapshot since the encryption context for the disk will be detected for it. Unfortunately, it is impossible to detect the presence of a blk-crypto-fallback when adding a block device to the snapshot. So, I think that the patch fully ensures the confidentiality of data when using inline encryption. However, it does not allow to perform a backup for this case. If we make a filter handling point in the __submit_bio() function after calling blk_crypto_bio_prep(), then this will not change the situation for the case of hardware encryption. But the filter will never know what the blk-crypto-fallback is being used. I have no opinion whether it will be better.
diff --git a/drivers/block/blksnap/snapshot.c b/drivers/block/blksnap/snapshot.c index 21d94f12b5fc..a7675fdcf359 100644 --- a/drivers/block/blksnap/snapshot.c +++ b/drivers/block/blksnap/snapshot.c @@ -149,6 +149,23 @@ int snapshot_add_device(const uuid_t *id, struct tracker *tracker) int ret = 0; struct snapshot *snapshot = NULL; +#ifdef CONFIG_BLK_DEV_INTEGRITY + if (tracker->orig_bdev->bd_disk->queue->integrity.profile) { + pr_err("Blksnap is not compatible with data integrity\n"); + ret = -EPERM; + goto out_up; + } else + pr_debug("Data integrity not found\n"); +#endif + +#ifdef CONFIG_BLK_INLINE_ENCRYPTION + if (tracker->orig_bdev->bd_disk->queue->crypto_profile) { + pr_err("Blksnap is not compatible with hardware inline encryption\n"); + ret = -EPERM; + goto out_up; + } else + pr_debug("Inline encryption not found\n"); +#endif snapshot = snapshot_get_by_id(id); if (!snapshot) return -ESRCH; diff --git a/drivers/block/blksnap/tracker.c b/drivers/block/blksnap/tracker.c index 2b8978a2f42e..b38ead9afa69 100644 --- a/drivers/block/blksnap/tracker.c +++ b/drivers/block/blksnap/tracker.c @@ -57,6 +57,20 @@ static bool tracker_submit_bio(struct bio *bio) if (diff_area_is_corrupted(tracker->diff_area)) return false; +#ifdef CONFIG_BLK_INLINE_ENCRYPTION + if (bio->bi_crypt_context) { + pr_err_once("Hardware inline encryption is not supported\n"); + diff_area_set_corrupted(tracker->diff_area, -EPERM); + return false; + } +#endif +#ifdef CONFIG_BLK_DEV_INTEGRITY + if (bio->bi_integrity) { + pr_err_once("Data integrity is not supported\n"); + diff_area_set_corrupted(tracker->diff_area, -EPERM); + return false; + } +#endif return diff_area_cow(bio, tracker->diff_area, ©_iter); }