Merge pull request #3745 from jbaublitz/token-slot-area

Increase token slot area for V2 pools
stratis-storage · Jan 27, 2025 · 8e3a807 · 8e3a807
2 parents 404891e + f97c13d
commit 8e3a807
Show file tree

Hide file tree

Showing 11 changed files with 116 additions and 122 deletions.
diff --git a/src/bin/utils/predict_usage.rs b/src/bin/utils/predict_usage.rs
@@ -14,7 +14,8 @@ use serde_json::{json, Value};
 use devicemapper::{Bytes, Sectors};
 
 use stratisd::engine::{
-    crypt_metadata_size, integrity_meta_space, ThinPoolSizeParams, ValidatedIntegritySpec, BDA,
+    integrity_meta_space, ThinPoolSizeParams, ValidatedIntegritySpec, BDA,
+    DEFAULT_CRYPT_DATA_OFFSET_V2,
 };
 
 // 2^FS_SIZE_START_POWER is the logical size of the smallest Stratis
@@ -195,12 +196,8 @@ fn predict_pool_metadata_usage(
         })
         .collect::<Result<Vec<_>, _>>()?;
 
-    let crypt_metadata_size = crypt_metadata_size();
-    let crypt_metadata_size_sectors = crypt_metadata_size.sectors();
-    // verify that crypt metadata size is divisible by sector size
-    assert_eq!(crypt_metadata_size_sectors.bytes(), crypt_metadata_size);
-
-    Ok(stratis_avail_sizes.iter().cloned().sum::<Sectors>() - crypt_metadata_size_sectors)
+    let crypt_metadata_size = DEFAULT_CRYPT_DATA_OFFSET_V2;
+    Ok(stratis_avail_sizes.iter().cloned().sum::<Sectors>() - crypt_metadata_size)
 }
 
 // Predict usage for a newly created pool given information about whether

diff --git a/src/engine/mod.rs b/src/engine/mod.rs
@@ -13,9 +13,9 @@ pub use self::{
     shared::{total_allocated, total_used},
     sim_engine::SimEngine,
     strat_engine::{
-        crypt_metadata_size, get_dm, get_dm_init, integrity_meta_space, register_clevis_token,
-        set_up_crypt_logging, unshare_mount_namespace, StaticHeader, StaticHeaderResult,
-        StratEngine, StratKeyActions, ThinPoolSizeParams, BDA, CLEVIS_TANG_TRUST_URL,
+        get_dm, get_dm_init, integrity_meta_space, register_clevis_token, set_up_crypt_logging,
+        unshare_mount_namespace, StaticHeader, StaticHeaderResult, StratEngine, StratKeyActions,
+        ThinPoolSizeParams, BDA, CLEVIS_TANG_TRUST_URL, DEFAULT_CRYPT_DATA_OFFSET_V2,
     },
     structures::{AllLockReadGuard, ExclusiveGuard, SharedGuard, Table},
     types::{

diff --git a/src/engine/strat_engine/backstore/backstore/v2.rs b/src/engine/strat_engine/backstore/backstore/v2.rs
@@ -23,7 +23,7 @@ use crate::{
                 blockdevmgr::BlockDevMgr, cache_tier::CacheTier, data_tier::DataTier,
                 devices::UnownedDevices, shared::BlockSizeSummary,
             },
-            crypt::{crypt_metadata_size, handle::v2::CryptHandle},
+            crypt::{handle::v2::CryptHandle, DEFAULT_CRYPT_DATA_OFFSET_V2},
             dm::{get_dm, list_of_backstore_devices, remove_optional_devices, DEVICEMAPPER_PATH},
             metadata::{MDADataSize, BDA},
             names::{format_backstore_ids, CacheRole},
@@ -455,7 +455,7 @@ impl Backstore {
             crypt_meta_allocs: Vec::new(),
         };
 
-        let size = crypt_metadata_size().sectors();
+        let size = DEFAULT_CRYPT_DATA_OFFSET_V2;
         if !backstore.meta_alloc_cache(&[size])? {
             return Err(StratisError::Msg(format!(
                 "Failed to satisfy request in backstore for {size}"
@@ -1174,7 +1174,6 @@ mod tests {
         strat_engine::{
             backstore::devices::{ProcessedPathInfos, UnownedDevices},
             cmd,
-            crypt::crypt_metadata_size,
             metadata::device_identifiers,
             ns::{unshare_mount_namespace, MemoryFilesystem},
             tests::{crypt, loopbacked, real},
@@ -1202,7 +1201,7 @@ mod tests {
         assert_eq!(
             backstore.data_tier.allocated(),
             match (&backstore.origin, &backstore.cache) {
-                (None, None) => crypt_metadata_size().sectors(),
+                (None, None) => DEFAULT_CRYPT_DATA_OFFSET_V2,
                 (&None, Some(cache)) => cache.size(),
                 (Some(linear), &None) => linear.size(),
                 _ => panic!("impossible; see first assertion"),
@@ -1500,7 +1499,7 @@ mod tests {
 
             // Allocate space from the backstore so that the cap device is made.
             backstore
-                .alloc(pool_uuid, &[2u64 * crypt_metadata_size().sectors()])
+                .alloc(pool_uuid, &[2u64 * DEFAULT_CRYPT_DATA_OFFSET_V2])
                 .unwrap()
                 .unwrap();
 

diff --git a/src/engine/strat_engine/backstore/blockdev/v1.rs b/src/engine/strat_engine/backstore/blockdev/v1.rs
@@ -18,15 +18,14 @@ use devicemapper::{Device, Sectors};
 
 use crate::{
     engine::{
-        crypt_metadata_size,
         engine::{BlockDev, DumpState},
         strat_engine::{
             backstore::{
                 blockdev::{InternalBlockDev, StratSectorSizes},
                 devices::BlockSizes,
                 range_alloc::{PerDevSegments, RangeAllocator},
             },
-            crypt::handle::v1::CryptHandle,
+            crypt::{crypt_metadata_size, handle::v1::CryptHandle},
             device::blkdev_size,
             metadata::{
                 disown_device, static_header, BlockdevSize, MDADataSize, MetadataLocation,

diff --git a/src/engine/strat_engine/crypt/consts.rs b/src/engine/strat_engine/crypt/consts.rs
@@ -4,7 +4,7 @@
 
 use libc::c_uint;
 
-use devicemapper::{Bytes, IEC};
+use devicemapper::{Bytes, Sectors, IEC};
 
 // Stratis token JSON keys
 pub const TOKEN_TYPE_KEY: &str = "type";
@@ -32,8 +32,10 @@ pub const LUKS2_SECTOR_SIZE: Bytes = Bytes(4096);
 /// tang server does not need to be verified.
 pub const CLEVIS_TANG_TRUST_URL: &str = "stratis:tang:trust_url";
 
-pub const DEFAULT_CRYPT_METADATA_SIZE: Bytes = Bytes(16 * IEC::Ki as u128);
+pub const DEFAULT_CRYPT_METADATA_SIZE_V1: Bytes = Bytes(16 * IEC::Ki as u128);
+pub const DEFAULT_CRYPT_METADATA_SIZE_V2: Bytes = Bytes(64 * IEC::Ki as u128);
 pub const DEFAULT_CRYPT_KEYSLOTS_SIZE: Bytes = Bytes(16352 * IEC::Ki as u128);
+pub const DEFAULT_CRYPT_DATA_OFFSET_V2: Sectors = Sectors(34816);
 
 pub const CLEVIS_TOKEN_NAME: &str = "clevis\0";
 

diff --git a/src/engine/strat_engine/crypt/handle/v1.rs b/src/engine/strat_engine/crypt/handle/v1.rs
@@ -16,7 +16,7 @@ use serde::{
 };
 use serde_json::{from_value, to_value, Value};
 
-use devicemapper::{Device, DmName, DmNameBuf, Sectors};
+use devicemapper::{Bytes, Device, DmName, DmNameBuf, Sectors};
 use libcryptsetup_rs::{
     c_uint,
     consts::{
@@ -34,11 +34,11 @@ use crate::{
             cmd::{clevis_decrypt, clevis_luks_bind, clevis_luks_regen, clevis_luks_unbind},
             crypt::{
                 consts::{
-                    CLEVIS_LUKS_TOKEN_ID, DEFAULT_CRYPT_KEYSLOTS_SIZE, DEFAULT_CRYPT_METADATA_SIZE,
-                    LUKS2_TOKEN_ID, STRATIS_MEK_SIZE, STRATIS_TOKEN_DEVNAME_KEY,
-                    STRATIS_TOKEN_DEV_UUID_KEY, STRATIS_TOKEN_ID, STRATIS_TOKEN_POOLNAME_KEY,
-                    STRATIS_TOKEN_POOL_UUID_KEY, STRATIS_TOKEN_TYPE, TOKEN_KEYSLOTS_KEY,
-                    TOKEN_TYPE_KEY,
+                    CLEVIS_LUKS_TOKEN_ID, DEFAULT_CRYPT_KEYSLOTS_SIZE,
+                    DEFAULT_CRYPT_METADATA_SIZE_V1, LUKS2_SECTOR_SIZE, LUKS2_TOKEN_ID,
+                    STRATIS_MEK_SIZE, STRATIS_TOKEN_DEVNAME_KEY, STRATIS_TOKEN_DEV_UUID_KEY,
+                    STRATIS_TOKEN_ID, STRATIS_TOKEN_POOLNAME_KEY, STRATIS_TOKEN_POOL_UUID_KEY,
+                    STRATIS_TOKEN_TYPE, TOKEN_KEYSLOTS_KEY, TOKEN_TYPE_KEY,
                 },
                 shared::{
                     acquire_crypt_device, activate, activate_by_token, add_keyring_keyslot,
@@ -60,6 +60,19 @@ use crate::{
     stratis::{StratisError, StratisResult},
 };
 
+/// Align the number of bytes to the nearest multiple of `LUKS2_SECTOR_SIZE`
+/// above the current value.
+fn ceiling_sector_size_alignment(bytes: Bytes) -> Bytes {
+    let round = *LUKS2_SECTOR_SIZE - 1;
+    Bytes::from((*bytes + round) & !round)
+}
+
+// Bytes occupied by crypt metadata
+pub fn crypt_metadata_size() -> Bytes {
+    2u64 * DEFAULT_CRYPT_METADATA_SIZE_V1
+        + ceiling_sector_size_alignment(DEFAULT_CRYPT_KEYSLOTS_SIZE)
+}
+
 pub struct StratisLuks2Token {
     pub devname: DmNameBuf,
     pub identifiers: StratisIdentifiers,
@@ -573,7 +586,7 @@ impl CryptHandle {
             physical_path.display()
         );
         device.settings_handle().set_metadata_size(
-            MetadataSize::try_from(convert_int!(*DEFAULT_CRYPT_METADATA_SIZE, u128, u64)?)?,
+            MetadataSize::try_from(convert_int!(*DEFAULT_CRYPT_METADATA_SIZE_V1, u128, u64)?)?,
             KeyslotsSize::try_from(convert_int!(*DEFAULT_CRYPT_KEYSLOTS_SIZE, u128, u64)?)?,
         )?;
         Self::initialize_with_err(&mut device, physical_path, pool_uuid, dev_uuid, &pool_name, encryption_info, luks2_params.as_ref())
@@ -663,7 +676,11 @@ impl CryptHandle {
             .context_handle()
             .load::<()>(Some(EncryptionFormat::Luks2), None)
         {
-            return Err(wipe_fallback(physical_path, StratisError::from(e)));
+            return Err(wipe_fallback(
+                physical_path,
+                crypt_metadata_size(),
+                StratisError::from(e),
+            ));
         }
 
         device.keyslot_handle().destroy(keyslot)?;
@@ -695,7 +712,11 @@ impl CryptHandle {
             .context_handle()
             .load::<()>(Some(EncryptionFormat::Luks2), None)
         {
-            return Err(wipe_fallback(physical_path, StratisError::from(e)));
+            return Err(wipe_fallback(
+                physical_path,
+                crypt_metadata_size(),
+                StratisError::from(e),
+            ));
         }
 
         Ok(())
@@ -725,6 +746,11 @@ impl CryptHandle {
             physical_path.display()
         );
 
+        assert_eq!(
+            *crypt_metadata_size().sectors(),
+            device.status_handle().get_data_offset()
+        );
+
         match encryption_info {
             EncryptionInfo::Both(kd, (pin, config)) => {
                 let mut parsed_config = config.clone();
@@ -1143,8 +1169,8 @@ mod tests {
         strat_engine::{
             crypt::{
                 consts::{
-                    CLEVIS_LUKS_TOKEN_ID, DEFAULT_CRYPT_KEYSLOTS_SIZE, DEFAULT_CRYPT_METADATA_SIZE,
-                    LUKS2_TOKEN_ID, STRATIS_MEK_SIZE,
+                    CLEVIS_LUKS_TOKEN_ID, DEFAULT_CRYPT_KEYSLOTS_SIZE,
+                    DEFAULT_CRYPT_METADATA_SIZE_V1, LUKS2_TOKEN_ID, STRATIS_MEK_SIZE,
                 },
                 shared::acquire_crypt_device,
             },
@@ -1421,7 +1447,7 @@ mod tests {
                 )
                 .unwrap();
             let (metadata, keyslot) = context.settings_handle().get_metadata_size().unwrap();
-            assert_eq!(DEFAULT_CRYPT_METADATA_SIZE, Bytes::from(*metadata));
+            assert_eq!(DEFAULT_CRYPT_METADATA_SIZE_V1, Bytes::from(*metadata));
             assert_eq!(DEFAULT_CRYPT_KEYSLOTS_SIZE, Bytes::from(*keyslot));
         }
 

diff --git a/src/engine/strat_engine/crypt/handle/v2.rs b/src/engine/strat_engine/crypt/handle/v2.rs
@@ -33,8 +33,9 @@ use crate::{
             cmd::{clevis_decrypt, clevis_luks_bind, clevis_luks_regen, clevis_luks_unbind},
             crypt::{
                 consts::{
-                    CLEVIS_LUKS_TOKEN_ID, DEFAULT_CRYPT_KEYSLOTS_SIZE, DEFAULT_CRYPT_METADATA_SIZE,
-                    LUKS2_TOKEN_ID, STRATIS_MEK_SIZE,
+                    CLEVIS_LUKS_TOKEN_ID, DEFAULT_CRYPT_DATA_OFFSET_V2,
+                    DEFAULT_CRYPT_KEYSLOTS_SIZE, DEFAULT_CRYPT_METADATA_SIZE_V2, LUKS2_TOKEN_ID,
+                    STRATIS_MEK_SIZE,
                 },
                 shared::{
                     acquire_crypt_device, activate, activate_by_token, add_keyring_keyslot,
@@ -275,10 +276,6 @@ impl CryptHandle {
             nothing to clean up",
             physical_path.display()
         );
-        device.settings_handle().set_metadata_size(
-            MetadataSize::try_from(convert_int!(*DEFAULT_CRYPT_METADATA_SIZE, u128, u64)?)?,
-            KeyslotsSize::try_from(convert_int!(*DEFAULT_CRYPT_KEYSLOTS_SIZE, u128, u64)?)?,
-        )?;
         Self::initialize_with_err(&mut device, physical_path, pool_uuid, encryption_info, luks2_params.as_ref())
             .and_then(|path| clevis_info_from_metadata(&mut device).map(|ci| (path, ci)))
             .and_then(|(_, clevis_info)| {
@@ -366,7 +363,11 @@ impl CryptHandle {
             .context_handle()
             .load::<()>(Some(EncryptionFormat::Luks2), None)
         {
-            return Err(wipe_fallback(physical_path, StratisError::from(e)));
+            return Err(wipe_fallback(
+                physical_path,
+                DEFAULT_CRYPT_DATA_OFFSET_V2.bytes(),
+                StratisError::from(e),
+            ));
         }
 
         device.keyslot_handle().destroy(keyslot)?;
@@ -398,7 +399,11 @@ impl CryptHandle {
             .context_handle()
             .load::<()>(Some(EncryptionFormat::Luks2), None)
         {
-            return Err(wipe_fallback(physical_path, StratisError::from(e)));
+            return Err(wipe_fallback(
+                physical_path,
+                DEFAULT_CRYPT_DATA_OFFSET_V2.bytes(),
+                StratisError::from(e),
+            ));
         }
 
         Ok(())
@@ -414,6 +419,12 @@ impl CryptHandle {
         let mut luks2_params_ref: Option<CryptParamsLuks2Ref<'_>> =
             luks2_params.map(|lp| lp.try_into()).transpose()?;
 
+        device.settings_handle().set_metadata_size(
+            MetadataSize::try_from(convert_int!(*DEFAULT_CRYPT_METADATA_SIZE_V2, u128, u64)?)?,
+            KeyslotsSize::try_from(convert_int!(*DEFAULT_CRYPT_KEYSLOTS_SIZE, u128, u64)?)?,
+        )?;
+        device.set_data_offset(*DEFAULT_CRYPT_DATA_OFFSET_V2)?;
+
         log_on_failure!(
             device.context_handle().format::<CryptParamsLuks2Ref<'_>>(
                 EncryptionFormat::Luks2,
@@ -426,6 +437,11 @@ impl CryptHandle {
             physical_path.display()
         );
 
+        assert_eq!(
+            *DEFAULT_CRYPT_DATA_OFFSET_V2,
+            device.status_handle().get_data_offset()
+        );
+
         match encryption_info {
             EncryptionInfo::Both(kd, (pin, config)) => {
                 let mut parsed_config = config.clone();
@@ -780,17 +796,14 @@ mod tests {
     };
 
     use devicemapper::{Bytes, Sectors, IEC};
-    use libcryptsetup_rs::{
-        consts::vals::{CryptStatusInfo, EncryptionFormat},
-        CryptInit, Either,
-    };
+    use libcryptsetup_rs::consts::vals::CryptStatusInfo;
 
     use crate::engine::{
         strat_engine::{
             crypt::{
                 consts::{
-                    CLEVIS_LUKS_TOKEN_ID, DEFAULT_CRYPT_KEYSLOTS_SIZE, DEFAULT_CRYPT_METADATA_SIZE,
-                    LUKS2_TOKEN_ID, STRATIS_MEK_SIZE,
+                    CLEVIS_LUKS_TOKEN_ID, DEFAULT_CRYPT_KEYSLOTS_SIZE,
+                    DEFAULT_CRYPT_METADATA_SIZE_V2, LUKS2_TOKEN_ID,
                 },
                 shared::acquire_crypt_device,
             },
@@ -977,28 +990,6 @@ mod tests {
         );
     }
 
-    #[test]
-    fn loop_test_crypt_metadata_defaults() {
-        fn test_defaults(paths: &[&Path]) {
-            let mut context = CryptInit::init(paths[0]).unwrap();
-            context
-                .context_handle()
-                .format::<()>(
-                    EncryptionFormat::Luks2,
-                    ("aes", "xts-plain64"),
-                    None,
-                    Either::Right(STRATIS_MEK_SIZE),
-                    None,
-                )
-                .unwrap();
-            let (metadata, keyslot) = context.settings_handle().get_metadata_size().unwrap();
-            assert_eq!(DEFAULT_CRYPT_METADATA_SIZE, Bytes::from(*metadata));
-            assert_eq!(DEFAULT_CRYPT_KEYSLOTS_SIZE, Bytes::from(*keyslot));
-        }
-
-        loopbacked::test_with_spec(&loopbacked::DeviceLimits::Exactly(1, None), test_defaults);
-    }
-
     #[test]
     // Test passing an unusual, larger sector size for cryptsetup. 4096 should
     // be no smaller than the physical sector size of the loop device, and
@@ -1114,6 +1105,10 @@ mod tests {
         .unwrap();
 
         let mut device = acquire_crypt_device(handle.luks2_device_path()).unwrap();
+        let (metadata, keyslot) = device.settings_handle().get_metadata_size().unwrap();
+        assert_eq!(DEFAULT_CRYPT_METADATA_SIZE_V2, Bytes::from(*metadata));
+        assert_eq!(DEFAULT_CRYPT_KEYSLOTS_SIZE, Bytes::from(*keyslot));
+
         assert!(device.token_handle().json_get(CLEVIS_LUKS_TOKEN_ID).is_ok());
         assert!(device.token_handle().json_get(LUKS2_TOKEN_ID).is_err());
     }

diff --git a/src/engine/strat_engine/crypt/mod.rs b/src/engine/strat_engine/crypt/mod.rs
@@ -10,9 +10,9 @@ pub mod handle;
 mod shared;
 
 pub use self::{
-    consts::CLEVIS_TANG_TRUST_URL,
+    consts::{CLEVIS_TANG_TRUST_URL, DEFAULT_CRYPT_DATA_OFFSET_V2},
+    handle::v1::crypt_metadata_size,
     shared::{
-        back_up_luks_header, crypt_metadata_size, register_clevis_token, restore_luks_header,
-        set_up_crypt_logging,
+        back_up_luks_header, register_clevis_token, restore_luks_header, set_up_crypt_logging,
     },
 };