Re: [PATCH rdma-next 00/13] Add RDMA inline crypto support

[PATCH rdma-next 00/13] Add RDMA inline crypto support · Leon Romanovsky <leon@kernel.org> · 2023-01-16
[PATCH mlx5-next 01/13] net/mlx5: Introduce crypto IFC bits and structures · Leon Romanovsky <leon@kernel.org> · 2023-01-16
[PATCH rdma-next 03/13] RDMA: Split kernel-only create QP flags from uverbs create QP flags · Leon Romanovsky <leon@kernel.org> · 2023-01-16
Re: [PATCH rdma-next 03/13] RDMA: Split kernel-only create QP flags from uverbs create QP flags · Jason Gunthorpe <jgg@nvidia.com> · 2023-01-16
Re: [PATCH rdma-next 03/13] RDMA: Split kernel-only create QP flags from uverbs create QP flags · Leon Romanovsky <leon@kernel.org> · 2023-01-17
Re: [PATCH rdma-next 03/13] RDMA: Split kernel-only create QP flags from uverbs create QP flags · Jason Gunthorpe <jgg@nvidia.com> · 2023-01-17
Re: [PATCH rdma-next 03/13] RDMA: Split kernel-only create QP flags from uverbs create QP flags · Leon Romanovsky <leon@kernel.org> · 2023-01-17
Re: [PATCH rdma-next 03/13] RDMA: Split kernel-only create QP flags from uverbs create QP flags · Jason Gunthorpe <jgg@nvidia.com> · 2023-01-17
Re: [PATCH rdma-next 03/13] RDMA: Split kernel-only create QP flags from uverbs create QP flags · Leon Romanovsky <leon@kernel.org> · 2023-01-17
[PATCH rdma-next 04/13] RDMA/core: Add cryptographic device capabilities · Leon Romanovsky <leon@kernel.org> · 2023-01-16
[PATCH rdma-next 06/13] RDMA/core: Introduce MR type for crypto operations · Leon Romanovsky <leon@kernel.org> · 2023-01-16
Re: [PATCH rdma-next 06/13] RDMA/core: Introduce MR type for crypto operations · Steven Rostedt <rostedt@goodmis.org> · 2023-01-17
[PATCH rdma-next 07/13] RDMA/core: Add support for creating crypto enabled QPs · Leon Romanovsky <leon@kernel.org> · 2023-01-16
[PATCH rdma-next 11/13] nvme: Introduce a local variable · Leon Romanovsky <leon@kernel.org> · 2023-01-16
Re: [PATCH rdma-next 11/13] nvme: Introduce a local variable · Chaitanya Kulkarni <hidden> · 2023-01-17
Re: [PATCH rdma-next 11/13] nvme: Introduce a local variable · Leon Romanovsky <leon@kernel.org> · 2023-01-17
[PATCH rdma-next 12/13] nvme: Add crypto profile at nvme controller · Leon Romanovsky <leon@kernel.org> · 2023-01-16
Re: [PATCH rdma-next 12/13] nvme: Add crypto profile at nvme controller · Chaitanya Kulkarni <hidden> · 2023-01-17
Re: [PATCH rdma-next 12/13] nvme: Add crypto profile at nvme controller · Leon Romanovsky <leon@kernel.org> · 2023-01-17
[PATCH rdma-next 13/13] nvme-rdma: Add inline encryption support · Leon Romanovsky <leon@kernel.org> · 2023-01-16
[PATCH rdma-next 08/13] RDMA/mlx5: Add cryptographic device capabilities · Leon Romanovsky <leon@kernel.org> · 2023-01-16
[PATCH rdma-next 10/13] RDMA/mlx5: Add AES-XTS crypto support · Leon Romanovsky <leon@kernel.org> · 2023-01-16
[PATCH rdma-next 09/13] RDMA/mlx5: Add DEK management API · Leon Romanovsky <leon@kernel.org> · 2023-01-16
[PATCH mlx5-next 02/13] net/mlx5: Introduce crypto capabilities macro · Leon Romanovsky <leon@kernel.org> · 2023-01-16
[PATCH rdma-next 05/13] RDMA/core: Add DEK management API · Leon Romanovsky <leon@kernel.org> · 2023-01-16
Re: [PATCH rdma-next 00/13] Add RDMA inline crypto support · Eric Biggers <ebiggers@kernel.org> · 2023-01-18
Re: [PATCH rdma-next 00/13] Add RDMA inline crypto support · Chaitanya Kulkarni <hidden> · 2023-01-18
Re: [PATCH rdma-next 00/13] Add RDMA inline crypto support · Eric Biggers <ebiggers@kernel.org> · 2023-01-18
Re: [PATCH rdma-next 00/13] Add RDMA inline crypto support · Leon Romanovsky <leon@kernel.org> · 2023-01-18
Re: [PATCH rdma-next 00/13] Add RDMA inline crypto support · Israel Rukshin <hidden> · 2023-01-18
Re: [PATCH rdma-next 00/13] Add RDMA inline crypto support · Christoph Hellwig <hch@lst.de> · 2023-01-18
Re: [PATCH rdma-next 00/13] Add RDMA inline crypto support · Max Gurtovoy <mgurtovoy@nvidia.com> · 2023-01-18
Re: [PATCH rdma-next 00/13] Add RDMA inline crypto support · Christoph Hellwig <hch@lst.de> · 2023-01-30
Re: [PATCH rdma-next 00/13] Add RDMA inline crypto support · Max Gurtovoy <mgurtovoy@nvidia.com> · 2023-01-30
Re: [PATCH rdma-next 00/13] Add RDMA inline crypto support · Sagi Grimberg <sagi@grimberg.me> · 2023-02-14
Re: [PATCH rdma-next 00/13] Add RDMA inline crypto support · Sagi Grimberg <sagi@grimberg.me> · 2023-01-23
Re: [PATCH rdma-next 00/13] Add RDMA inline crypto support · Israel Rukshin <hidden> · 2023-01-23
Re: [PATCH rdma-next 00/13] Add RDMA inline crypto support · Christoph Hellwig <hch@lst.de> · 2023-01-30

From: Israel Rukshin <hidden>
Date: 2023-01-23 12:57:58
Also in: linux-nvme, linux-rdma, lkml, netdev

Hi Sagi,

On 1/23/2023 1:27 PM, Sagi Grimberg wrote:

quoted

 From Israel,

The purpose of this patchset is to add support for inline
encryption/decryption of the data at storage protocols like nvmf over
RDMA (at a similar way like integrity is used via unique mkey).

This patchset adds support for plaintext keys. The patches were tested
on BF-3 HW with fscrypt tool to test this feature, which showed reduce
in CPU utilization when comparing at 64k or more IO size. The CPU 
utilization
was improved by more than 50% comparing to the SW only solution at 
this case.

How to configure fscrypt to enable plaintext keys:
  # mkfs.ext4 -O encrypt /dev/nvme0n1
  # mount /dev/nvme0n1 /mnt/crypto -o inlinecrypt
  # head -c 64 /dev/urandom > /tmp/master_key
  # fscryptctl add_key /mnt/crypto/ < /tmp/master_key
  # mkdir /mnt/crypto/test1
  # fscryptctl set_policy 152c41b2ea39fa3d90ea06448456e7fb 
/mnt/crypto/test1
    ** “152c41b2ea39fa3d90ea06448456e7fb” is the output of the
       “fscryptctl add_key” command.
  # echo foo > /mnt/crypto/test1/foo

Notes:
  - At plaintext mode only, the user set a master key and the fscrypt
    driver derived from it the DEK and the key identifier.
  - 152c41b2ea39fa3d90ea06448456e7fb is the derived key identifier
  - Only on the first IO, nvme-rdma gets a callback to load the 
derived DEK.

There is no special configuration to support crypto at nvme modules.

Hey, this looks sane to me in a very first glance.

Few high level questions:
- what happens with multipathing? when if not all devices are
capable. SW fallback?

SW fallback happens every time the device doesn't support the specific 
crypto request (which include data-unit-size, mode and dun_bytes).
So with multipathing, one path uses the HW crypto offload and the other 
one uses the SW fallback.

- Does the crypt stuff stay intact when bio is requeued?

Yes, the crypto ctx is copied when cloning the bio.

I'm assuming you tested this with multipathing? This is not very
useful if it is incompatible with it.

Yes, sure.
You can see the call to  blk_crypto_reprogram_all_keys(), which is 
called when the controller was reconnected after port toggling.

- Israel

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help