[RFC PATCH 0/2] dm-crypt support for per-sector NVMe metadata
Mikulas Patocka
mpatocka at redhat.com
Tue May 28 04:16:05 PDT 2024
On Mon, 27 May 2024, Eric Wheeler wrote:
> On Wed, 15 May 2024, Mikulas Patocka wrote:
> > Hi
> >
> > Some NVMe devices may be formatted with extra 64 bytes of metadata per
> > sector.
> >
> > Here I'm submitting for review dm-crypt patches that make it possible to
> > use per-sector metadata for authenticated encryption. With these patches,
> > dm-crypt can run directly on the top of a NVMe device, without using
> > dm-integrity. These patches increase write throughput twice, because there
> > is no write to the dm-integrity journal.
> >
> > An example how to use it (so far, there is no support in the userspace
> > cryptsetup tool):
> >
> > # nvme format /dev/nvme1 -n 1 -lbaf=4
> > # dmsetup create cr --table '0 1048576 crypt
> > capi:authenc(hmac(sha256),cbc(aes))-essiv:sha256
> > 01b11af6b55f76424fd53fb66667c301466b2eeaf0f39fd36d26e7fc4f52ade2de4228e996f5ae2fe817ce178e77079d28e4baaebffbcd3e16ae4f36ef217298
> > 0 /dev/nvme1n1 0 2 integrity:32:aead sector_size:4096'
>
> Thats really an amazing feature, and I think your implementation is simple
> and elegant. Somehow reminds me of 520/528-byte sectors that big
> commercial filers use, but in a way the Linux could use.
>
> Questions:
>
> - I see you are using 32-bytes of AEAD data (out of 64). Is AEAD always
> 32-bytes, or can it vary by crypto mechanism?
It varies. I.e. if you use hmac(sha512), full 64 bytes will be used.
> - What drive are you using?
Western Digital SN840
WUS4BA119DSP3X3
> I am curious what your `nvme id-ns` output
> looks like. Do you have 64 in the `ms` value?
>
> # nvme id-ns /dev/nvme0n1 | grep lbaf
> nlbaf : 0
> nulbaf : 0
> lbaf 0 : ms:0 lbads:9 rp:0 (in use)
> ^ ^512b
Yes, I have this:
lbaf 0 : ms:0 lbads:9 rp:0
lbaf 1 : ms:8 lbads:9 rp:0
lbaf 2 : ms:0 lbads:12 rp:0
lbaf 3 : ms:8 lbads:12 rp:0
lbaf 4 : ms:64 lbads:12 rp:0 (in use)
Mikulas
> --
> Eric Wheeler
More information about the Linux-nvme
mailing list