| ============ |
| dm-integrity |
| ============ |
| |
| The dm-integrity target emulates a block device that has additional |
| per-sector tags that can be used for storing integrity information. |
| |
| A general problem with storing integrity tags with every sector is that |
| writing the sector and the integrity tag must be atomic - i.e. in case of |
| crash, either both sector and integrity tag or none of them is written. |
| |
| To guarantee write atomicity, the dm-integrity target uses journal, it |
| writes sector data and integrity tags into a journal, commits the journal |
| and then copies the data and integrity tags to their respective location. |
| |
| The dm-integrity target can be used with the dm-crypt target - in this |
| situation the dm-crypt target creates the integrity data and passes them |
| to the dm-integrity target via bio_integrity_payload attached to the bio. |
| In this mode, the dm-crypt and dm-integrity targets provide authenticated |
| disk encryption - if the attacker modifies the encrypted device, an I/O |
| error is returned instead of random data. |
| |
| The dm-integrity target can also be used as a standalone target, in this |
| mode it calculates and verifies the integrity tag internally. In this |
| mode, the dm-integrity target can be used to detect silent data |
| corruption on the disk or in the I/O path. |
| |
| There's an alternate mode of operation where dm-integrity uses bitmap |
| instead of a journal. If a bit in the bitmap is 1, the corresponding |
| region's data and integrity tags are not synchronized - if the machine |
| crashes, the unsynchronized regions will be recalculated. The bitmap mode |
| is faster than the journal mode, because we don't have to write the data |
| twice, but it is also less reliable, because if data corruption happens |
| when the machine crashes, it may not be detected. |
| |
| When loading the target for the first time, the kernel driver will format |
| the device. But it will only format the device if the superblock contains |
| zeroes. If the superblock is neither valid nor zeroed, the dm-integrity |
| target can't be loaded. |
| |
| To use the target for the first time: |
| |
| 1. overwrite the superblock with zeroes |
| 2. load the dm-integrity target with one-sector size, the kernel driver |
| will format the device |
| 3. unload the dm-integrity target |
| 4. read the "provided_data_sectors" value from the superblock |
| 5. load the dm-integrity target with the target size |
| "provided_data_sectors" |
| 6. if you want to use dm-integrity with dm-crypt, load the dm-crypt target |
| with the size "provided_data_sectors" |
| |
| |
| Target arguments: |
| |
| 1. the underlying block device |
| |
| 2. the number of reserved sector at the beginning of the device - the |
| dm-integrity won't read of write these sectors |
| |
| 3. the size of the integrity tag (if "-" is used, the size is taken from |
| the internal-hash algorithm) |
| |
| 4. mode: |
| |
| D - direct writes (without journal) |
| in this mode, journaling is |
| not used and data sectors and integrity tags are written |
| separately. In case of crash, it is possible that the data |
| and integrity tag doesn't match. |
| J - journaled writes |
| data and integrity tags are written to the |
| journal and atomicity is guaranteed. In case of crash, |
| either both data and tag or none of them are written. The |
| journaled mode degrades write throughput twice because the |
| data have to be written twice. |
| B - bitmap mode - data and metadata are written without any |
| synchronization, the driver maintains a bitmap of dirty |
| regions where data and metadata don't match. This mode can |
| only be used with internal hash. |
| R - recovery mode - in this mode, journal is not replayed, |
| checksums are not checked and writes to the device are not |
| allowed. This mode is useful for data recovery if the |
| device cannot be activated in any of the other standard |
| modes. |
| |
| 5. the number of additional arguments |
| |
| Additional arguments: |
| |
| journal_sectors:number |
| The size of journal, this argument is used only if formatting the |
| device. If the device is already formatted, the value from the |
| superblock is used. |
| |
| interleave_sectors:number |
| The number of interleaved sectors. This values is rounded down to |
| a power of two. If the device is already formatted, the value from |
| the superblock is used. |
| |
| meta_device:device |
| Don't interleave the data and metadata on the device. Use a |
| separate device for metadata. |
| |
| buffer_sectors:number |
| The number of sectors in one buffer. The value is rounded down to |
| a power of two. |
| |
| The tag area is accessed using buffers, the buffer size is |
| configurable. The large buffer size means that the I/O size will |
| be larger, but there could be less I/Os issued. |
| |
| journal_watermark:number |
| The journal watermark in percents. When the size of the journal |
| exceeds this watermark, the thread that flushes the journal will |
| be started. |
| |
| commit_time:number |
| Commit time in milliseconds. When this time passes, the journal is |
| written. The journal is also written immediately if the FLUSH |
| request is received. |
| |
| internal_hash:algorithm(:key) (the key is optional) |
| Use internal hash or crc. |
| When this argument is used, the dm-integrity target won't accept |
| integrity tags from the upper target, but it will automatically |
| generate and verify the integrity tags. |
| |
| You can use a crc algorithm (such as crc32), then integrity target |
| will protect the data against accidental corruption. |
| You can also use a hmac algorithm (for example |
| "hmac(sha256):0123456789abcdef"), in this mode it will provide |
| cryptographic authentication of the data without encryption. |
| |
| When this argument is not used, the integrity tags are accepted |
| from an upper layer target, such as dm-crypt. The upper layer |
| target should check the validity of the integrity tags. |
| |
| recalculate |
| Recalculate the integrity tags automatically. It is only valid |
| when using internal hash. |
| |
| journal_crypt:algorithm(:key) (the key is optional) |
| Encrypt the journal using given algorithm to make sure that the |
| attacker can't read the journal. You can use a block cipher here |
| (such as "cbc(aes)") or a stream cipher (for example "chacha20" |
| or "ctr(aes)"). |
| |
| The journal contains history of last writes to the block device, |
| an attacker reading the journal could see the last sector numbers |
| that were written. From the sector numbers, the attacker can infer |
| the size of files that were written. To protect against this |
| situation, you can encrypt the journal. |
| |
| journal_mac:algorithm(:key) (the key is optional) |
| Protect sector numbers in the journal from accidental or malicious |
| modification. To protect against accidental modification, use a |
| crc algorithm, to protect against malicious modification, use a |
| hmac algorithm with a key. |
| |
| This option is not needed when using internal-hash because in this |
| mode, the integrity of journal entries is checked when replaying |
| the journal. Thus, modified sector number would be detected at |
| this stage. |
| |
| block_size:number |
| The size of a data block in bytes. The larger the block size the |
| less overhead there is for per-block integrity metadata. |
| Supported values are 512, 1024, 2048 and 4096 bytes. If not |
| specified the default block size is 512 bytes. |
| |
| sectors_per_bit:number |
| In the bitmap mode, this parameter specifies the number of |
| 512-byte sectors that corresponds to one bitmap bit. |
| |
| bitmap_flush_interval:number |
| The bitmap flush interval in milliseconds. The metadata buffers |
| are synchronized when this interval expires. |
| |
| allow_discards |
| Allow block discard requests (a.k.a. TRIM) for the integrity device. |
| Discards are only allowed to devices using internal hash. |
| |
| fix_padding |
| Use a smaller padding of the tag area that is more |
| space-efficient. If this option is not present, large padding is |
| used - that is for compatibility with older kernels. |
| |
| fix_hmac |
| Improve security of internal_hash and journal_mac: |
| |
| - the section number is mixed to the mac, so that an attacker can't |
| copy sectors from one journal section to another journal section |
| - the superblock is protected by journal_mac |
| - a 16-byte salt stored in the superblock is mixed to the mac, so |
| that the attacker can't detect that two disks have the same hmac |
| key and also to disallow the attacker to move sectors from one |
| disk to another |
| |
| legacy_recalculate |
| Allow recalculating of volumes with HMAC keys. This is disabled by |
| default for security reasons - an attacker could modify the volume, |
| set recalc_sector to zero, and the kernel would not detect the |
| modification. |
| |
| The journal mode (D/J), buffer_sectors, journal_watermark, commit_time and |
| allow_discards can be changed when reloading the target (load an inactive |
| table and swap the tables with suspend and resume). The other arguments |
| should not be changed when reloading the target because the layout of disk |
| data depend on them and the reloaded target would be non-functional. |
| |
| |
| Status line: |
| |
| 1. the number of integrity mismatches |
| 2. provided data sectors - that is the number of sectors that the user |
| could use |
| 3. the current recalculating position (or '-' if we didn't recalculate) |
| |
| |
| The layout of the formatted block device: |
| |
| * reserved sectors |
| (they are not used by this target, they can be used for |
| storing LUKS metadata or for other purpose), the size of the reserved |
| area is specified in the target arguments |
| |
| * superblock (4kiB) |
| * magic string - identifies that the device was formatted |
| * version |
| * log2(interleave sectors) |
| * integrity tag size |
| * the number of journal sections |
| * provided data sectors - the number of sectors that this target |
| provides (i.e. the size of the device minus the size of all |
| metadata and padding). The user of this target should not send |
| bios that access data beyond the "provided data sectors" limit. |
| * flags |
| SB_FLAG_HAVE_JOURNAL_MAC |
| - a flag is set if journal_mac is used |
| SB_FLAG_RECALCULATING |
| - recalculating is in progress |
| SB_FLAG_DIRTY_BITMAP |
| - journal area contains the bitmap of dirty |
| blocks |
| * log2(sectors per block) |
| * a position where recalculating finished |
| * journal |
| The journal is divided into sections, each section contains: |
| |
| * metadata area (4kiB), it contains journal entries |
| |
| - every journal entry contains: |
| |
| * logical sector (specifies where the data and tag should |
| be written) |
| * last 8 bytes of data |
| * integrity tag (the size is specified in the superblock) |
| |
| - every metadata sector ends with |
| |
| * mac (8-bytes), all the macs in 8 metadata sectors form a |
| 64-byte value. It is used to store hmac of sector |
| numbers in the journal section, to protect against a |
| possibility that the attacker tampers with sector |
| numbers in the journal. |
| * commit id |
| |
| * data area (the size is variable; it depends on how many journal |
| entries fit into the metadata area) |
| |
| - every sector in the data area contains: |
| |
| * data (504 bytes of data, the last 8 bytes are stored in |
| the journal entry) |
| * commit id |
| |
| To test if the whole journal section was written correctly, every |
| 512-byte sector of the journal ends with 8-byte commit id. If the |
| commit id matches on all sectors in a journal section, then it is |
| assumed that the section was written correctly. If the commit id |
| doesn't match, the section was written partially and it should not |
| be replayed. |
| |
| * one or more runs of interleaved tags and data. |
| Each run contains: |
| |
| * tag area - it contains integrity tags. There is one tag for each |
| sector in the data area |
| * data area - it contains data sectors. The number of data sectors |
| in one run must be a power of two. log2 of this value is stored |
| in the superblock. |
