Commit a739ff3f authored by Sami Tolvanen's avatar Sami Tolvanen Committed by Mike Snitzer

dm verity: add support for forward error correction

Add support for correcting corrupted blocks using Reed-Solomon.

This code uses RS(255, N) interleaved across data and hash
blocks. Each error-correcting block covers N bytes evenly
distributed across the combined total data, so that each byte is a
maximum distance away from the others. This makes it possible to
recover from several consecutive corrupted blocks with relatively
small space overhead.

In addition, using verity hashes to locate erasures nearly doubles
the effectiveness of error correction. Being able to detect
corrupted blocks also improves performance, because only corrupted
blocks need to corrected.

For a 2 GiB partition, RS(255, 253) (two parity bytes for each
253-byte block) can correct up to 16 MiB of consecutive corrupted
blocks if erasures can be located, and 8 MiB if they cannot, with
16 MiB space overhead.
Signed-off-by: default avatarSami Tolvanen <samitolvanen@google.com>
Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
parent bb4d73ac
...@@ -18,11 +18,11 @@ Construction Parameters ...@@ -18,11 +18,11 @@ Construction Parameters
0 is the original format used in the Chromium OS. 0 is the original format used in the Chromium OS.
The salt is appended when hashing, digests are stored continuously and The salt is appended when hashing, digests are stored continuously and
the rest of the block is padded with zeros. the rest of the block is padded with zeroes.
1 is the current format that should be used for new devices. 1 is the current format that should be used for new devices.
The salt is prepended when hashing and each digest is The salt is prepended when hashing and each digest is
padded with zeros to the power of two. padded with zeroes to the power of two.
<dev> <dev>
This is the device containing data, the integrity of which needs to be This is the device containing data, the integrity of which needs to be
...@@ -79,6 +79,32 @@ restart_on_corruption ...@@ -79,6 +79,32 @@ restart_on_corruption
not compatible with ignore_corruption and requires user space support to not compatible with ignore_corruption and requires user space support to
avoid restart loops. avoid restart loops.
use_fec_from_device <fec_dev>
Use forward error correction (FEC) to recover from corruption if hash
verification fails. Use encoding data from the specified device. This
may be the same device where data and hash blocks reside, in which case
fec_start must be outside data and hash areas.
If the encoding data covers additional metadata, it must be accessible
on the hash device after the hash blocks.
Note: block sizes for data and hash devices must match. Also, if the
verity <dev> is encrypted the <fec_dev> should be too.
fec_roots <num>
Number of generator roots. This equals to the number of parity bytes in
the encoding data. For example, in RS(M, N) encoding, the number of roots
is M-N.
fec_blocks <num>
The number of encoding data blocks on the FEC device. The block size for
the FEC device is <data_block_size>.
fec_start <offset>
This is the offset, in <data_block_size> blocks, from the start of the
FEC device to the beginning of the encoding data.
Theory of operation Theory of operation
=================== ===================
...@@ -98,6 +124,11 @@ per-block basis. This allows for a lightweight hash computation on first read ...@@ -98,6 +124,11 @@ per-block basis. This allows for a lightweight hash computation on first read
into the page cache. Block hashes are stored linearly, aligned to the nearest into the page cache. Block hashes are stored linearly, aligned to the nearest
block size. block size.
If forward error correction (FEC) support is enabled any recovery of
corrupted data will be verified using the cryptographic hash of the
corresponding data. This is why combining error correction with
integrity checking is essential.
Hash Tree Hash Tree
--------- ---------
......
...@@ -467,6 +467,18 @@ config DM_VERITY ...@@ -467,6 +467,18 @@ config DM_VERITY
If unsure, say N. If unsure, say N.
config DM_VERITY_FEC
bool "Verity forward error correction support"
depends on DM_VERITY
select REED_SOLOMON
select REED_SOLOMON_DEC8
---help---
Add forward error correction support to dm-verity. This option
makes it possible to use pre-generated error correction data to
recover from corrupted blocks.
If unsure, say N.
config DM_SWITCH config DM_SWITCH
tristate "Switch target support (EXPERIMENTAL)" tristate "Switch target support (EXPERIMENTAL)"
depends on BLK_DEV_DM depends on BLK_DEV_DM
......
...@@ -64,3 +64,7 @@ obj-$(CONFIG_DM_LOG_WRITES) += dm-log-writes.o ...@@ -64,3 +64,7 @@ obj-$(CONFIG_DM_LOG_WRITES) += dm-log-writes.o
ifeq ($(CONFIG_DM_UEVENT),y) ifeq ($(CONFIG_DM_UEVENT),y)
dm-mod-objs += dm-uevent.o dm-mod-objs += dm-uevent.o
endif endif
ifeq ($(CONFIG_DM_VERITY_FEC),y)
dm-verity-objs += dm-verity-fec.o
endif
This diff is collapsed.
/*
* Copyright (C) 2015 Google, Inc.
*
* Author: Sami Tolvanen <samitolvanen@google.com>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation; either version 2 of the License, or (at your option)
* any later version.
*/
#ifndef DM_VERITY_FEC_H
#define DM_VERITY_FEC_H
#include "dm-verity.h"
#include <linux/rslib.h>
/* Reed-Solomon(M, N) parameters */
#define DM_VERITY_FEC_RSM 255
#define DM_VERITY_FEC_MAX_RSN 253
#define DM_VERITY_FEC_MIN_RSN 231 /* ~10% space overhead */
/* buffers for deinterleaving and decoding */
#define DM_VERITY_FEC_BUF_PREALLOC 1 /* buffers to preallocate */
#define DM_VERITY_FEC_BUF_RS_BITS 4 /* 1 << RS blocks per buffer */
/* we need buffers for at most 1 << block size RS blocks */
#define DM_VERITY_FEC_BUF_MAX \
(1 << (PAGE_SHIFT - DM_VERITY_FEC_BUF_RS_BITS))
#define DM_VERITY_OPT_FEC_DEV "use_fec_from_device"
#define DM_VERITY_OPT_FEC_BLOCKS "fec_blocks"
#define DM_VERITY_OPT_FEC_START "fec_start"
#define DM_VERITY_OPT_FEC_ROOTS "fec_roots"
/* configuration */
struct dm_verity_fec {
struct dm_dev *dev; /* parity data device */
struct dm_bufio_client *data_bufio; /* for data dev access */
struct dm_bufio_client *bufio; /* for parity data access */
sector_t start; /* parity data start in blocks */
sector_t blocks; /* number of blocks covered */
sector_t rounds; /* number of interleaving rounds */
sector_t hash_blocks; /* blocks covered after v->hash_start */
unsigned char roots; /* number of parity bytes, M-N of RS(M, N) */
unsigned char rsn; /* N of RS(M, N) */
mempool_t *rs_pool; /* mempool for fio->rs */
mempool_t *prealloc_pool; /* mempool for preallocated buffers */
mempool_t *extra_pool; /* mempool for extra buffers */
mempool_t *output_pool; /* mempool for output */
struct kmem_cache *cache; /* cache for buffers */
};
/* per-bio data */
struct dm_verity_fec_io {
struct rs_control *rs; /* Reed-Solomon state */
int erasures[DM_VERITY_FEC_MAX_RSN]; /* erasures for decode_rs8 */
u8 *bufs[DM_VERITY_FEC_BUF_MAX]; /* bufs for deinterleaving */
unsigned nbufs; /* number of buffers allocated */
u8 *output; /* buffer for corrected output */
size_t output_pos;
};
#ifdef CONFIG_DM_VERITY_FEC
/* each feature parameter requires a value */
#define DM_VERITY_OPTS_FEC 8
extern bool verity_fec_is_enabled(struct dm_verity *v);
extern int verity_fec_decode(struct dm_verity *v, struct dm_verity_io *io,
enum verity_block_type type, sector_t block,
u8 *dest, struct bvec_iter *iter);
extern unsigned verity_fec_status_table(struct dm_verity *v, unsigned sz,
char *result, unsigned maxlen);
extern void verity_fec_finish_io(struct dm_verity_io *io);
extern void verity_fec_init_io(struct dm_verity_io *io);
extern bool verity_is_fec_opt_arg(const char *arg_name);
extern int verity_fec_parse_opt_args(struct dm_arg_set *as,
struct dm_verity *v, unsigned *argc,
const char *arg_name);
extern void verity_fec_dtr(struct dm_verity *v);
extern int verity_fec_ctr_alloc(struct dm_verity *v);
extern int verity_fec_ctr(struct dm_verity *v);
#else /* !CONFIG_DM_VERITY_FEC */
#define DM_VERITY_OPTS_FEC 0
static inline bool verity_fec_is_enabled(struct dm_verity *v)
{
return false;
}
static inline int verity_fec_decode(struct dm_verity *v,
struct dm_verity_io *io,
enum verity_block_type type,
sector_t block, u8 *dest,
struct bvec_iter *iter)
{
return -EOPNOTSUPP;
}
static inline unsigned verity_fec_status_table(struct dm_verity *v,
unsigned sz, char *result,
unsigned maxlen)
{
return sz;
}
static inline void verity_fec_finish_io(struct dm_verity_io *io)
{
}
static inline void verity_fec_init_io(struct dm_verity_io *io)
{
}
static inline bool verity_is_fec_opt_arg(const char *arg_name)
{
return false;
}
static inline int verity_fec_parse_opt_args(struct dm_arg_set *as,
struct dm_verity *v,
unsigned *argc,
const char *arg_name)
{
return -EINVAL;
}
static inline void verity_fec_dtr(struct dm_verity *v)
{
}
static inline int verity_fec_ctr_alloc(struct dm_verity *v)
{
return 0;
}
static inline int verity_fec_ctr(struct dm_verity *v)
{
return 0;
}
#endif /* CONFIG_DM_VERITY_FEC */
#endif /* DM_VERITY_FEC_H */
...@@ -15,6 +15,7 @@ ...@@ -15,6 +15,7 @@
*/ */
#include "dm-verity.h" #include "dm-verity.h"
#include "dm-verity-fec.h"
#include <linux/module.h> #include <linux/module.h>
#include <linux/reboot.h> #include <linux/reboot.h>
...@@ -31,7 +32,7 @@ ...@@ -31,7 +32,7 @@
#define DM_VERITY_OPT_LOGGING "ignore_corruption" #define DM_VERITY_OPT_LOGGING "ignore_corruption"
#define DM_VERITY_OPT_RESTART "restart_on_corruption" #define DM_VERITY_OPT_RESTART "restart_on_corruption"
#define DM_VERITY_OPTS_MAX 1 #define DM_VERITY_OPTS_MAX (1 + DM_VERITY_OPTS_FEC)
static unsigned dm_verity_prefetch_cluster = DM_VERITY_DEFAULT_PREFETCH_SIZE; static unsigned dm_verity_prefetch_cluster = DM_VERITY_DEFAULT_PREFETCH_SIZE;
...@@ -282,6 +283,10 @@ static int verity_verify_level(struct dm_verity *v, struct dm_verity_io *io, ...@@ -282,6 +283,10 @@ static int verity_verify_level(struct dm_verity *v, struct dm_verity_io *io,
if (likely(memcmp(verity_io_real_digest(v, io), want_digest, if (likely(memcmp(verity_io_real_digest(v, io), want_digest,
v->digest_size) == 0)) v->digest_size) == 0))
aux->hash_verified = 1; aux->hash_verified = 1;
else if (verity_fec_decode(v, io,
DM_VERITY_BLOCK_TYPE_METADATA,
hash_block, data, NULL) == 0)
aux->hash_verified = 1;
else if (verity_handle_err(v, else if (verity_handle_err(v,
DM_VERITY_BLOCK_TYPE_METADATA, DM_VERITY_BLOCK_TYPE_METADATA,
hash_block)) { hash_block)) {
...@@ -411,6 +416,9 @@ static int verity_verify_io(struct dm_verity_io *io) ...@@ -411,6 +416,9 @@ static int verity_verify_io(struct dm_verity_io *io)
if (likely(memcmp(verity_io_real_digest(v, io), if (likely(memcmp(verity_io_real_digest(v, io),
verity_io_want_digest(v, io), v->digest_size) == 0)) verity_io_want_digest(v, io), v->digest_size) == 0))
continue; continue;
else if (verity_fec_decode(v, io, DM_VERITY_BLOCK_TYPE_DATA,
io->block + b, NULL, &start) == 0)
continue;
else if (verity_handle_err(v, DM_VERITY_BLOCK_TYPE_DATA, else if (verity_handle_err(v, DM_VERITY_BLOCK_TYPE_DATA,
io->block + b)) io->block + b))
return -EIO; return -EIO;
...@@ -430,6 +438,8 @@ static void verity_finish_io(struct dm_verity_io *io, int error) ...@@ -430,6 +438,8 @@ static void verity_finish_io(struct dm_verity_io *io, int error)
bio->bi_end_io = io->orig_bi_end_io; bio->bi_end_io = io->orig_bi_end_io;
bio->bi_error = error; bio->bi_error = error;
verity_fec_finish_io(io);
bio_endio(bio); bio_endio(bio);
} }
...@@ -444,7 +454,7 @@ static void verity_end_io(struct bio *bio) ...@@ -444,7 +454,7 @@ static void verity_end_io(struct bio *bio)
{ {
struct dm_verity_io *io = bio->bi_private; struct dm_verity_io *io = bio->bi_private;
if (bio->bi_error) { if (bio->bi_error && !verity_fec_is_enabled(io->v)) {
verity_finish_io(io, bio->bi_error); verity_finish_io(io, bio->bi_error);
return; return;
} }
...@@ -547,6 +557,8 @@ static int verity_map(struct dm_target *ti, struct bio *bio) ...@@ -547,6 +557,8 @@ static int verity_map(struct dm_target *ti, struct bio *bio)
bio->bi_private = io; bio->bi_private = io;
io->iter = bio->bi_iter; io->iter = bio->bi_iter;
verity_fec_init_io(io);
verity_submit_prefetch(v, io); verity_submit_prefetch(v, io);
generic_make_request(bio); generic_make_request(bio);
...@@ -561,6 +573,7 @@ static void verity_status(struct dm_target *ti, status_type_t type, ...@@ -561,6 +573,7 @@ static void verity_status(struct dm_target *ti, status_type_t type,
unsigned status_flags, char *result, unsigned maxlen) unsigned status_flags, char *result, unsigned maxlen)
{ {
struct dm_verity *v = ti->private; struct dm_verity *v = ti->private;
unsigned args = 0;
unsigned sz = 0; unsigned sz = 0;
unsigned x; unsigned x;
...@@ -587,8 +600,15 @@ static void verity_status(struct dm_target *ti, status_type_t type, ...@@ -587,8 +600,15 @@ static void verity_status(struct dm_target *ti, status_type_t type,
else else
for (x = 0; x < v->salt_size; x++) for (x = 0; x < v->salt_size; x++)
DMEMIT("%02x", v->salt[x]); DMEMIT("%02x", v->salt[x]);
if (v->mode != DM_VERITY_MODE_EIO)
args++;
if (verity_fec_is_enabled(v))
args += DM_VERITY_OPTS_FEC;
if (!args)
return;
DMEMIT(" %u", args);
if (v->mode != DM_VERITY_MODE_EIO) { if (v->mode != DM_VERITY_MODE_EIO) {
DMEMIT(" 1 "); DMEMIT(" ");
switch (v->mode) { switch (v->mode) {
case DM_VERITY_MODE_LOGGING: case DM_VERITY_MODE_LOGGING:
DMEMIT(DM_VERITY_OPT_LOGGING); DMEMIT(DM_VERITY_OPT_LOGGING);
...@@ -600,6 +620,7 @@ static void verity_status(struct dm_target *ti, status_type_t type, ...@@ -600,6 +620,7 @@ static void verity_status(struct dm_target *ti, status_type_t type,
BUG(); BUG();
} }
} }
sz = verity_fec_status_table(v, sz, result, maxlen);
break; break;
} }
} }
...@@ -662,6 +683,8 @@ static void verity_dtr(struct dm_target *ti) ...@@ -662,6 +683,8 @@ static void verity_dtr(struct dm_target *ti)
if (v->data_dev) if (v->data_dev)
dm_put_device(ti, v->data_dev); dm_put_device(ti, v->data_dev);
verity_fec_dtr(v);
kfree(v); kfree(v);
} }
...@@ -694,6 +717,12 @@ static int verity_parse_opt_args(struct dm_arg_set *as, struct dm_verity *v) ...@@ -694,6 +717,12 @@ static int verity_parse_opt_args(struct dm_arg_set *as, struct dm_verity *v)
} else if (!strcasecmp(arg_name, DM_VERITY_OPT_RESTART)) { } else if (!strcasecmp(arg_name, DM_VERITY_OPT_RESTART)) {
v->mode = DM_VERITY_MODE_RESTART; v->mode = DM_VERITY_MODE_RESTART;
continue; continue;
} else if (verity_is_fec_opt_arg(arg_name)) {
r = verity_fec_parse_opt_args(as, v, &argc, arg_name);
if (r)
return r;
continue;
} }
ti->error = "Unrecognized verity feature request"; ti->error = "Unrecognized verity feature request";
...@@ -736,6 +765,10 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv) ...@@ -736,6 +765,10 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
ti->private = v; ti->private = v;
v->ti = ti; v->ti = ti;
r = verity_fec_ctr_alloc(v);
if (r)
goto bad;
if ((dm_table_get_mode(ti->table) & ~FMODE_READ)) { if ((dm_table_get_mode(ti->table) & ~FMODE_READ)) {
ti->error = "Device must be readonly"; ti->error = "Device must be readonly";
r = -EINVAL; r = -EINVAL;
...@@ -924,8 +957,6 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv) ...@@ -924,8 +957,6 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
goto bad; goto bad;
} }
ti->per_bio_data_size = roundup(sizeof(struct dm_verity_io) + v->shash_descsize + v->digest_size * 2, __alignof__(struct dm_verity_io));
/* WQ_UNBOUND greatly improves performance when running on ramdisk */ /* WQ_UNBOUND greatly improves performance when running on ramdisk */
v->verify_wq = alloc_workqueue("kverityd", WQ_CPU_INTENSIVE | WQ_MEM_RECLAIM | WQ_UNBOUND, num_online_cpus()); v->verify_wq = alloc_workqueue("kverityd", WQ_CPU_INTENSIVE | WQ_MEM_RECLAIM | WQ_UNBOUND, num_online_cpus());
if (!v->verify_wq) { if (!v->verify_wq) {
...@@ -934,6 +965,16 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv) ...@@ -934,6 +965,16 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
goto bad; goto bad;
} }
ti->per_bio_data_size = sizeof(struct dm_verity_io) +
v->shash_descsize + v->digest_size * 2;
r = verity_fec_ctr(v);
if (r)
goto bad;
ti->per_bio_data_size = roundup(ti->per_bio_data_size,
__alignof__(struct dm_verity_io));
return 0; return 0;
bad: bad:
...@@ -944,7 +985,7 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv) ...@@ -944,7 +985,7 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
static struct target_type verity_target = { static struct target_type verity_target = {
.name = "verity", .name = "verity",
.version = {1, 2, 0}, .version = {1, 3, 0},
.module = THIS_MODULE, .module = THIS_MODULE,
.ctr = verity_ctr, .ctr = verity_ctr,
.dtr = verity_dtr, .dtr = verity_dtr,
......
...@@ -29,6 +29,8 @@ enum verity_block_type { ...@@ -29,6 +29,8 @@ enum verity_block_type {
DM_VERITY_BLOCK_TYPE_METADATA DM_VERITY_BLOCK_TYPE_METADATA
}; };
struct dm_verity_fec;
struct dm_verity { struct dm_verity {
struct dm_dev *data_dev; struct dm_dev *data_dev;
struct dm_dev *hash_dev; struct dm_dev *hash_dev;
...@@ -58,6 +60,8 @@ struct dm_verity { ...@@ -58,6 +60,8 @@ struct dm_verity {
/* starting blocks for each tree level. 0 is the lowest level. */ /* starting blocks for each tree level. 0 is the lowest level. */
sector_t hash_level_block[DM_VERITY_MAX_LEVELS]; sector_t hash_level_block[DM_VERITY_MAX_LEVELS];
struct dm_verity_fec *fec; /* forward error correction */
}; };
struct dm_verity_io { struct dm_verity_io {
...@@ -103,6 +107,12 @@ static inline u8 *verity_io_want_digest(struct dm_verity *v, ...@@ -103,6 +107,12 @@ static inline u8 *verity_io_want_digest(struct dm_verity *v,
return (u8 *)(io + 1) + v->shash_descsize + v->digest_size; return (u8 *)(io + 1) + v->shash_descsize + v->digest_size;
} }
static inline u8 *verity_io_digest_end(struct dm_verity *v,
struct dm_verity_io *io)
{
return verity_io_want_digest(v, io) + v->digest_size;
}
extern int verity_for_bv_block(struct dm_verity *v, struct dm_verity_io *io, extern int verity_for_bv_block(struct dm_verity *v, struct dm_verity_io *io,
struct bvec_iter *iter, struct bvec_iter *iter,
int (*process)(struct dm_verity *v, int (*process)(struct dm_verity *v,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment