Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

Blame: 8f3ce5b39 (kx 2023-10-28 12:00:06 +0300)

============
dm-integrity
============

The dm-integrity target emulates a block device that has additional
per-sector tags that can be used for storing integrity information.

A general problem with storing integrity tags with every sector is that
writing the sector and the integrity tag must be atomic - i.e. in case of
crash, either both sector and integrity tag or none of them is written.

To guarantee write atomicity, the dm-integrity target uses a journal: it
writes sector data and integrity tags into a journal, commits the journal
and then copies the data and integrity tags to their respective locations.

The dm-integrity target can be used with the dm-crypt target - in this
situation the dm-crypt target creates the integrity data and passes them
to the dm-integrity target via bio_integrity_payload attached to the bio.
In this mode, the dm-crypt and dm-integrity targets provide authenticated
disk encryption - if the attacker modifies the encrypted device, an I/O
error is returned instead of random data.

The dm-integrity target can also be used as a standalone target; in this
mode it calculates and verifies the integrity tag internally. In this
mode, the dm-integrity target can be used to detect silent data
corruption on the disk or in the I/O path.

There's an alternate mode of operation where dm-integrity uses a bitmap
instead of a journal. If a bit in the bitmap is 1, the corresponding
region's data and integrity tags are not synchronized - if the machine
crashes, the unsynchronized regions will be recalculated. The bitmap mode
is faster than the journal mode, because we don't have to write the data
twice, but it is also less reliable, because if data corruption happens
when the machine crashes, it may not be detected.

When loading the target for the first time, the kernel driver will format
the device. But it will only format the device if the superblock contains
zeroes. If the superblock is neither valid nor zeroed, the dm-integrity
target can't be loaded.

To use the target for the first time:

1. overwrite the superblock with zeroes
2. load the dm-integrity target with one-sector size, the kernel driver
   will format the device
3. unload the dm-integrity target
4. read the "provided_data_sectors" value from the superblock
5. load the dm-integrity target with the target size
   "provided_data_sectors"
6. if you want to use dm-integrity with dm-crypt, load the dm-crypt target
   with the size "provided_data_sectors"
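
The first-use steps above as a dmsetup script. This is an added example, not part of the kernel documentation: the function names, the device path in the usage comment, the J mode and zero reserved sectors are assumptions, and the byte offset of provided_data_sectors is taken from struct superblock in drivers/md/dm-integrity.c rather than from this page.

```shell
#!/bin/sh
# Added example: first-time dm-integrity setup (steps 1-5 above) with dmsetup.
# Function names are hypothetical. Needs root and a scratch block device;
# step 1 destroys whatever the device held.

# Byte offset of the little-endian u64 provided_data_sectors in the
# superblock, after the 8-byte magic "integrt\0" (assumption taken from
# struct superblock in drivers/md/dm-integrity.c, not from this page).
SB_PDS_OFFSET=16

# Print provided_data_sectors. $1 = device or image, $2 = reserved sectors.
sb_provided_data_sectors() {
    sb_dev=$1
    sb_base=$(( ${2:-0} * 512 ))
    sb_magic=$(dd if="$sb_dev" bs=1 skip="$sb_base" count=7 2>/dev/null | tr -d '\000')
    if [ "$sb_magic" != "integrt" ]; then
        echo "$sb_dev: no dm-integrity superblock" >&2
        return 1
    fi
    # Assemble the value byte by byte so host endianness does not matter.
    sb_val=0
    sb_shift=0
    for sb_byte in $(dd if="$sb_dev" bs=1 skip=$((sb_base + SB_PDS_OFFSET)) \
                        count=8 2>/dev/null | od -An -v -tu1); do
        sb_val=$(( sb_val | (sb_byte << sb_shift) ))
        sb_shift=$(( sb_shift + 8 ))
    done
    echo "$sb_val"
}

# Build a table line. $1 = length in sectors, $2 = device, $3 = reserved
# sectors, $4 = mode, remaining arguments = additional arguments.
# The tag size is given as "-", i.e. taken from the internal-hash algorithm.
integrity_table() {
    it_len=$1; it_dev=$2; it_reserved=$3; it_mode=$4
    shift 4
    echo "0 $it_len integrity $it_dev $it_reserved - $it_mode $# $*"
}

# Steps 1-5. $1 = device, $2 = mapping name, rest = additional arguments.
integrity_first_use() {
    fu_dev=$1; fu_name=$2
    shift 2
    # 1. overwrite the superblock with zeroes (no reserved sectors assumed)
    dd if=/dev/zero of="$fu_dev" bs=4096 count=1 conv=fsync 2>/dev/null || return 1
    # 2. load with one-sector size; the kernel driver formats the device
    integrity_table 1 "$fu_dev" 0 J "$@" | dmsetup create "$fu_name" || return 1
    # 3. unload
    dmsetup remove "$fu_name" || return 1
    # 4. read provided_data_sectors from the freshly written superblock
    fu_pds=$(sb_provided_data_sectors "$fu_dev" 0) || return 1
    # 5. load again with the real size
    integrity_table "$fu_pds" "$fu_dev" 0 J "$@" | dmsetup create "$fu_name"
    # 6. a dm-crypt table stacked on top would use the same length, $fu_pds
}

# Usage (placeholder device name):
#   integrity_first_use /dev/sdX integ0 internal_hash:crc32c
```

Only integrity_first_use touches the device; the other two functions can be tried on an image file.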


Target arguments:

1. the underlying block device

2. the number of reserved sectors at the beginning of the device - the
   dm-integrity won't read or write these sectors

3. the size of the integrity tag (if "-" is used, the size is taken from
   the internal-hash algorithm)

4. mode:

	D - direct writes (without journal)
		in this mode, journaling is
		not used and data sectors and integrity tags are written
		separately. In case of crash, it is possible that the data
		and integrity tag don't match.
	J - journaled writes
		data and integrity tags are written to the
		journal and atomicity is guaranteed. In case of crash,
		either both data and tag or none of them are written. The
		journaled mode halves write throughput because the
		data have to be written twice.
	B - bitmap mode - data and metadata are written without any
		synchronization, the driver maintains a bitmap of dirty
		regions where data and metadata don't match. This mode can
		only be used with internal hash.
	R - recovery mode - in this mode, journal is not replayed,
		checksums are not checked and writes to the device are not
		allowed. This mode is useful for data recovery if the
		device cannot be activated in any of the other standard
		modes.

5. the number of additional arguments

Additional arguments:

journal_sectors:number
	The size of journal, this argument is used only if formatting the
	device. If the device is already formatted, the value from the
	superblock is used.

interleave_sectors:number
	The number of interleaved sectors. This value is rounded down to
	a power of two. If the device is already formatted, the value from
	the superblock is used.

meta_device:device
	Don't interleave the data and metadata on the device. Use a
	separate device for metadata.

buffer_sectors:number
	The number of sectors in one buffer. The value is rounded down to
	a power of two.

	The tag area is accessed using buffers, the buffer size is
	configurable. A large buffer size means that the I/O size will
	be larger, but there could be fewer I/Os issued.

journal_watermark:number
	The journal watermark in percent. When the size of the journal
	exceeds this watermark, the thread that flushes the journal will
	be started.

commit_time:number
	Commit time in milliseconds. When this time passes, the journal is
	written. The journal is also written immediately if the FLUSH
	request is received.

internal_hash:algorithm(:key)	(the key is optional)
	Use internal hash or crc.
	When this argument is used, the dm-integrity target won't accept
	integrity tags from the upper target, but it will automatically
	generate and verify the integrity tags.

	You can use a crc algorithm (such as crc32), then integrity target
	will protect the data against accidental corruption.
	You can also use a hmac algorithm (for example
	"hmac(sha256):0123456789abcdef"), in this mode it will provide
	cryptographic authentication of the data without encryption.

	When this argument is not used, the integrity tags are accepted
	from an upper layer target, such as dm-crypt. The upper layer
	target should check the validity of the integrity tags.

recalculate
	Recalculate the integrity tags automatically. It is only valid
	when using internal hash.

journal_crypt:algorithm(:key)	(the key is optional)
	Encrypt the journal using given algorithm to make sure that the
	attacker can't read the journal. You can use a block cipher here
	(such as "cbc(aes)") or a stream cipher (for example "chacha20",
	"salsa20" or "ctr(aes)").

	The journal contains history of last writes to the block device,
	an attacker reading the journal could see the last sector numbers
	that were written. From the sector numbers, the attacker can infer
	the size of files that were written. To protect against this
	situation, you can encrypt the journal.

journal_mac:algorithm(:key)	(the key is optional)
	Protect sector numbers in the journal from accidental or malicious
	modification. To protect against accidental modification, use a
	crc algorithm, to protect against malicious modification, use a
	hmac algorithm with a key.

	This option is not needed when using internal-hash because in this
	mode, the integrity of journal entries is checked when replaying
	the journal. Thus, a modified sector number would be detected at
	this stage.

block_size:number
	The size of a data block in bytes.  The larger the block size the
	less overhead there is for per-block integrity metadata.
	Supported values are 512, 1024, 2048 and 4096 bytes.  If not
	specified the default block size is 512 bytes.

sectors_per_bit:number
	In the bitmap mode, this parameter specifies the number of
	512-byte sectors that correspond to one bitmap bit.

bitmap_flush_interval:number
	The bitmap flush interval in milliseconds. The metadata buffers
	are synchronized when this interval expires.

allow_discards
	Allow block discard requests (a.k.a. TRIM) for the integrity device.
	Discards are only allowed to devices using internal hash.

fix_padding
	Use a smaller padding of the tag area that is more
	space-efficient. If this option is not present, large padding is
	used - that is for compatibility with older kernels.

legacy_recalculate
	Allow recalculating of volumes with HMAC keys. This is disabled by
	default for security reasons - an attacker could modify the volume,
	set recalc_sector to zero, and the kernel would not detect the
	modification.

The journal mode (D/J), buffer_sectors, journal_watermark, commit_time and
allow_discards can be changed when reloading the target (load an inactive
table and swap the tables with suspend and resume). The other arguments
should not be changed when reloading the target because the layout of disk
data depends on them and the reloaded target would be non-functional.
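
An audit of a dm-integrity table line against the trade-offs stated for the mode and the additional arguments above. This is an added example, not part of the kernel documentation; the function names, the finding texts, the /dev/sdX path and the journal_crypt key in the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit one dm-integrity table line of the form
#   <start> <length> integrity <dev> <reserved> <tag size> <mode> <n> [args...]
# Prints one finding per line. Returns 0 if there are none, 1 if there are
# findings, 2 if the line is not a dm-integrity table. Names are hypothetical.

au_note() { echo "$1"; au_found=1; }

integrity_table_audit() {
    set -f                  # no globbing while the line is split into words
    set -- $1
    set +f
    if [ $# -lt 8 ] || [ "$3" != "integrity" ]; then
        echo "not a dm-integrity table line"
        return 2
    fi
    au_mode=$7
    shift 8
    au_found=0; au_hash=none; au_jcrypt=no; au_jmac=none; au_legacy=no
    for au_arg in "$@"; do
        case $au_arg in
            internal_hash:hmac*) au_hash=hmac ;;
            internal_hash:*)     au_hash=plain ;;
            journal_crypt:*)     au_jcrypt=yes ;;
            journal_mac:hmac*)   au_jmac=hmac ;;
            journal_mac:*)       au_jmac=plain ;;
            legacy_recalculate)  au_legacy=yes ;;
        esac
    done
    case $au_mode in
        D) au_note "mode D: data and tags are written separately and may not match after a crash" ;;
        B) au_note "mode B: corruption that happens during a crash may not be detected" ;;
        R) au_note "mode R: checksums are not checked" ;;
    esac
    case $au_hash in
        none)  au_note "no internal_hash: tags come from the upper target, which must verify them" ;;
        plain) au_note "internal_hash is not an hmac: only accidental corruption is covered" ;;
    esac
    if [ "$au_legacy" = yes ]; then
        au_note "legacy_recalculate: a modified volume with recalc_sector reset to zero is not detected"
    fi
    if [ "$au_mode" = J ]; then
        if [ "$au_jcrypt" = no ]; then
            au_note "no journal_crypt: recently written sector numbers are readable in the journal"
        fi
        # journal_mac is not needed with internal_hash (checked on replay)
        if [ "$au_hash" = none ] && [ "$au_jmac" != hmac ]; then
            au_note "journal sector numbers are not protected by an hmac journal_mac"
        fi
    fi
    return $au_found
}

# Constructed sample lines: a weak configuration and a hardened one.
AU_WEAK='0 2000000 integrity /dev/sdX 0 - D 2 internal_hash:crc32c legacy_recalculate'
AU_HARD='0 2000000 integrity /dev/sdX 0 - J 2 internal_hash:hmac(sha256):0123456789abcdef journal_crypt:ctr(aes):00112233445566778899aabbccddeeff'
# integrity_table_audit "$AU_WEAK"   -> three findings, return code 1
# integrity_table_audit "$AU_HARD"   -> no findings, return code 0
```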


Status line:

1. the number of integrity mismatches
2. provided data sectors - that is the number of sectors that the user
   could use
3. the current recalculating position (or '-' if we didn't recalculate)
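
A monitoring check built on the three status fields above. This is an added example, not part of the kernel documentation; the function name, the message texts and the sample device names are assumptions, and the input is expected in the form printed by "dmsetup status --target integrity".

```shell
#!/bin/sh
# Added example: flag dm-integrity devices that need attention.
# Input on stdin, one line per device:
#   <name>: <start> <length> integrity <mismatches> <provided_data_sectors> <recalc|->
# Returns 1 if any device reports integrity mismatches, otherwise 0.
# The function name is hypothetical.
integrity_status_check() {
    awk '
        $4 != "integrity" { next }        # skip other target types
        {
            name = $1
            sub(/:$/, "", name)
            # field 1 of the status line: number of integrity mismatches
            if ($5 + 0 > 0) {
                printf "%s: %s integrity mismatches\n", name, $5
                bad = 1
            }
            # field 2: the table should be loaded with this length
            if ($3 + 0 < $6 + 0)
                printf "%s: table maps %s of %s provided sectors\n", name, $3, $6
            # field 3: "-" unless a recalculation is in progress
            if ($7 != "-")
                printf "%s: recalculating, at sector %s of %s\n", name, $7, $6
        }
        END { exit bad + 0 }
    '
}

# Constructed sample input (not captured from a real system):
STATUS_SAMPLE='integ0: 0 2000000 integrity 0 2000000 -
integ1: 0 1000000 integrity 3 1000000 4096
data: 0 500 linear 8:16 0'
# printf "%s\n" "$STATUS_SAMPLE" | integrity_status_check
```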


The layout of the formatted block device:

* reserved sectors
    (they are not used by this target, they can be used for
    storing LUKS metadata or for other purposes), the size of the reserved
    area is specified in the target arguments

* superblock (4 KiB)
	* magic string - identifies that the device was formatted
	* version
	* log2(interleave sectors)
	* integrity tag size
	* the number of journal sections
	* provided data sectors - the number of sectors that this target
	  provides (i.e. the size of the device minus the size of all
	  metadata and padding). The user of this target should not send
	  bios that access data beyond the "provided data sectors" limit.
	* flags
	    SB_FLAG_HAVE_JOURNAL_MAC
		- a flag is set if journal_mac is used
	    SB_FLAG_RECALCULATING
		- recalculating is in progress
	    SB_FLAG_DIRTY_BITMAP
		- journal area contains the bitmap of dirty
		  blocks
	* log2(sectors per block)
	* a position where recalculating finished
* journal
	The journal is divided into sections, each section contains:

	* metadata area (4 KiB), it contains journal entries

	  - every journal entry contains:

		* logical sector (specifies where the data and tag should
		  be written)
		* last 8 bytes of data
		* integrity tag (the size is specified in the superblock)

	  - every metadata sector ends with

		* mac (8 bytes), all the macs in 8 metadata sectors form a
		  64-byte value. It is used to store hmac of sector
		  numbers in the journal section, to protect against a
		  possibility that the attacker tampers with sector
		  numbers in the journal.
		* commit id

	* data area (the size is variable; it depends on how many journal
	  entries fit into the metadata area)

	    - every sector in the data area contains:

		* data (504 bytes of data, the last 8 bytes are stored in
		  the journal entry)
		* commit id

	To test if the whole journal section was written correctly, every
	512-byte sector of the journal ends with an 8-byte commit id. If the
	commit id matches on all sectors in a journal section, then it is
	assumed that the section was written correctly. If the commit id
	doesn't match, the section was written partially and it should not
	be replayed.

* one or more runs of interleaved tags and data.
    Each run contains:

	* tag area - it contains integrity tags. There is one tag for each
	  sector in the data area
	* data area - it contains data sectors. The number of data sectors
	  in one run must be a power of two. log2 of this value is stored
	  in the superblock.