On 7/30/2025 8:27 PM, Mikulas Patocka wrote:


On Wed, 30 Jul 2025, LongPing Wei wrote:

On 7/30/2025 6:46 PM, Mikulas Patocka wrote:


On Wed, 30 Jul 2025, LongPing Wei wrote:

dm-thin obviously can pass through inline crypto support.

Hi

I'm not sure about it. What if dm-thin performs copy-on-write? How would
that interact with inline crypto?

Mikulas

Hi, Mikulas

dm-thin's encryption behavior is the same as dm-bow's when COW occurs, and
DM_TARGET_PASSES_CRYPTO has already been set to dm-bow.

The key and IV of inline crypto are passed in by the upper layer, which is not
affected by the specific location of data blocks in the thin-pool.

LongPing Wei

>> Signed-off-by: LongPing Wei <weilongp...@oppo.com>

How is it supposed to work during provisioning? Suppose that you have 64k
chunk with no mapping. dm-thin returns zero for it. Then, you write 4k
somewhere to this chunk. dm-thin allocates the chunk, writes zeroes to it
and then writes 4k data into it (and only this 4k block will be
encrypted). When you attempt to read this chunk, the 4k block will be
deciphered correctly, but the zero data around it will be deciphered too
and garbage will be returned to the application.

Mikulas

Hi, Mikulas

For example:

F2FS/EXT4
----
dm-thin
----
dm-thin-pool
----
pool data

1. There is a block of testfile in F2FS/EXT4.
2. The offset of this block is n.
3. The position in the dm-thin device is m.
4. The position in the pool data is x.

The IV is only affected by the offset in the file and the ino of this file.

Even if we change m by defrag or change x by COW, the IV won't change.

The upper layer will only read the decrypted blocks with the same key and continuous IV in one bio.

If the upper layer reads the full chunk with mixed blocks for GC purposes, the key and IV won't be passed in. Then the upper layer just gets the encrypted blocks.

LongPing Wei
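
The two behaviours discussed in this thread, as an added example that is not from any of the messages or from the kernel: a toy Python model in which the IV depends only on the inode number and the file block offset, and a newly provisioned chunk is zero-filled before the first 4k write. `crypt`, `ThinModel`, `scenario` and all sample values are hypothetical, and the SHA-256 XOR keystream is a stand-in for the real inline-crypto cipher.

```python
import hashlib

BLOCK = 4096
BLOCKS_PER_CHUNK = 16   # 64k chunk of 4k blocks, as in the thread

def crypt(key: bytes, ino: int, file_block: int, data: bytes) -> bytes:
    """Toy XOR stream cipher (encrypt == decrypt); IV = (ino, file block offset)."""
    iv = ino.to_bytes(8, "little") + file_block.to_bytes(8, "little")
    stream = b"".join(hashlib.sha256(key + iv + i.to_bytes(4, "little")).digest()
                      for i in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, stream))

class ThinModel:
    """Simplified thin device: thin chunk -> pool chunk, zero-filled on provisioning."""
    def __init__(self):
        self.pool = {}      # pool chunk number (x) -> chunk contents
        self.mapping = {}   # thin chunk number -> pool chunk number
        self.next_free = 0

    def _alloc(self, content: bytes) -> int:
        x, self.next_free = self.next_free, self.next_free + 1
        self.pool[x] = bytearray(content)   # always a fresh copy
        return x

    def write(self, thin_block: int, payload: bytes) -> None:
        chunk, idx = divmod(thin_block, BLOCKS_PER_CHUNK)
        if chunk not in self.mapping:       # provisioning: chunk is zeroed first
            self.mapping[chunk] = self._alloc(bytes(BLOCK * BLOCKS_PER_CHUNK))
        self.pool[self.mapping[chunk]][idx * BLOCK:(idx + 1) * BLOCK] = payload

    def read(self, thin_block: int) -> bytes:
        chunk, idx = divmod(thin_block, BLOCKS_PER_CHUNK)
        if chunk not in self.mapping:       # unmapped chunk reads as zeroes
            return bytes(BLOCK)
        return bytes(self.pool[self.mapping[chunk]][idx * BLOCK:(idx + 1) * BLOCK])

    def cow(self, chunk: int) -> None:
        """Relocate a chunk: same contents, new position x in the pool."""
        self.mapping[chunk] = self._alloc(self.pool[self.mapping[chunk]])

def scenario():
    key, ino, n, m = b"constructed-key", 42, 7, 3   # constructed sample values
    plain = b"A" * BLOCK
    dev = ThinModel()
    dev.write(m, crypt(key, ino, n, plain))   # key and IV(ino, n) come from above
    dev.cow(0)                                # x changes, the IV does not
    after_cow = crypt(key, ino, n, dev.read(m))          # keyed read, written block
    neighbour = crypt(key, ino, n + 1, dev.read(m + 1))  # keyed read, zero-filled block
    raw = dev.read(m)                                    # read without key and IV
    return after_cow == plain, neighbour == bytes(BLOCK), raw == plain
```

`scenario()` returns three booleans: the written block still decrypts after relocation, the zero-filled neighbour does not come back as zeroes when read with a key, and a keyless read returns ciphertext rather than plaintext.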
