[dm-crypt] The future of disk encryption with LUKS2

Sven Eschenberg sven at whgl.uni-frankfurt.de
Mon Feb 8 23:04:34 CET 2016


In the discussion a completely different situation is described.

I pointed out, that if no data made it to the drive (not even in its 
internal cache) the transaction never started and we are at the old 
state. Failure or garbled write leaves us with an inconsistent/damaged 
header, we can easily recover from this by using the secondary header. 
If the primary header was written successfully, we are done.

And yes, we ask the drive to flush dirty pages before the header update, 
do the update, ask to flush dirty pages again, reread and check 
consistency, at this point if the header is consistent we should be 
okay. That is, if the drive is not purposefully lying to us.

Additionally I pointed out, that transactional semantics better be 
used...which in turn leads to more complexity in header updating and 
especially online resizing.

But, after all, you can only die one way ....

Regards

-Sven


Am 08.02.2016 um 22:43 schrieb f-dm-c at media.mit.edu:
>      > Date: Mon, 8 Feb 2016 21:51:34 +0100
>      > From: Sven Eschenberg <sven at whgl.uni-frankfurt.de>
>
>      > If the data hasn't made it to the drive (or rather is not in transit)
>      > then the change is just discarded leaving us in a stable state.
>
> Please read the first part of discussion below---in particular, Ted's
> description of the difference between SGI hardware of the day and
> typical PC-class hardware of the day.  If we're analyzing the
> consistency of the various headers in the event that power is failing
> as we write them, it's not just about whether the write happened or
> not or whether the hardware sector is corrupted from the drive's
> perspective---it's also whether we can trust a sector the drive
> thinks is okay but turns out not to be from our standpoint.
>
>      > > http://zork.net/~nick/mail/why-reiserfs-is-teh-sukc
>
> It is entirely possible that you could ask the drive to write garbage
> and it would succeed.  It really isn't safe to make any assumptions
> about how an entire machine -might- work as power is failing; in
> general, the manufacturer (of any piece, much less the whole) has
> not guaranteed you anything about its behavior, and it could do
> anything.  Just because -your- machine does something doesn't mean
> all users' machines out there will do the same thing.
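The following is an added illustration, not code from this thread or from cryptsetup/LUKS2, of the header-update sequence Sven describes (flush dirty pages, write the primary header, flush again, reread and verify, then fall back to the secondary header on damage) and of the one case that sequence cannot catch: a drive that acknowledges a flush without actually committing. The on-disk layout, the `SimDisk` model, the magic value and the 64-byte header size are all constructed for the example and have nothing to do with the real LUKS2 format.

```python
import hashlib
import struct

HEADER_SIZE = 64
MAGIC = b"LUKS2SIM"          # constructed magic for this toy format, not the real LUKS2 magic
PRIMARY, SECONDARY = 0, HEADER_SIZE


class SimDisk:
    """Toy drive: a write cache (dirty pages) in front of persistent media.

    honest=True  -> flush() really commits the cache to media.
    honest=False -> flush() is acknowledged but commits nothing (the
                    'drive purposefully lying to us' case from the thread).
    """

    def __init__(self, size, honest=True):
        self.media = bytearray(size)
        self.cache = {}            # offset -> pending bytes
        self.honest = honest

    def write(self, offset, data):
        self.cache[offset] = bytes(data)

    def read(self, offset, length):
        # Read-through: the drive serves cached data as if it were stable.
        if offset in self.cache:
            return self.cache[offset][:length]
        return bytes(self.media[offset:offset + length])

    def flush(self):
        if not self.honest:
            return                 # ack the flush, commit nothing
        for off, data in self.cache.items():
            self.media[off:off + len(data)] = data
        self.cache.clear()

    def power_loss(self, torn_at=None):
        # Pending writes are lost; with torn_at, only the first torn_at bytes
        # of each pending write reach the media (a torn/garbled write).
        if torn_at is not None:
            for off, data in self.cache.items():
                self.media[off:off + torn_at] = data[:torn_at]
        self.cache.clear()


def build_header(version, payload):
    """magic(8) | version(4) | payload padded to 20 | sha256 over the first 32 bytes."""
    assert len(payload) <= 20
    body = MAGIC + struct.pack(">I", version) + payload.ljust(20, b"\0")
    return body + hashlib.sha256(body).digest()


def parse_header(blob):
    """Return (version, payload) if the header is consistent, else None."""
    body, digest = blob[:32], blob[32:]
    if body[:8] != MAGIC or hashlib.sha256(body).digest() != digest:
        return None
    version = struct.unpack(">I", body[8:12])[0]
    return version, body[12:32].rstrip(b"\0")


def update_header(disk, version, payload):
    """Flush, write primary, flush, reread and verify; only then touch the secondary."""
    disk.flush()
    hdr = build_header(version, payload)
    disk.write(PRIMARY, hdr)
    disk.flush()
    if disk.read(PRIMARY, HEADER_SIZE) != hdr:
        raise IOError("primary header did not verify after flush")
    disk.write(SECONDARY, hdr)
    disk.flush()
    return disk.read(SECONDARY, HEADER_SIZE) == hdr


def recover(disk):
    """Pick the newest header that parses; None means both copies are damaged."""
    found = [parse_header(disk.read(off, HEADER_SIZE)) for off in (PRIMARY, SECONDARY)]
    valid = [h for h in found if h is not None]
    return max(valid, key=lambda h: h[0]) if valid else None


def demo_clean_update():
    disk = SimDisk(2 * HEADER_SIZE)
    update_header(disk, 1, b"state-one")
    update_header(disk, 2, b"state-two")
    disk.power_loss()
    return recover(disk)                       # -> (2, b'state-two')


def demo_torn_write():
    disk = SimDisk(2 * HEADER_SIZE)
    update_header(disk, 1, b"state-one")
    disk.write(PRIMARY, build_header(2, b"state-two"))
    disk.power_loss(torn_at=20)                # primary garbled, secondary intact
    return recover(disk)                       # -> (1, b'state-one')


def demo_lying_drive():
    disk = SimDisk(2 * HEADER_SIZE)
    update_header(disk, 1, b"state-one")
    disk.honest = False                        # flushes are now acknowledged no-ops
    verified = update_header(disk, 2, b"state-two")   # reread from cache: looks fine
    disk.power_loss()
    return verified, recover(disk)             # -> (True, (1, b'state-one'))
```

The torn-write case is the one the secondary header is for: the checksum rejects the half-written primary and recovery lands on the old, consistent state. The lying-drive case passes every reread check yet loses the update, which is exactly why the sequence only holds "if the drive is not purposefully lying to us".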

