Allow discards for SSDs in cryptsetup
tbart opened this issue
When using SSDs/NVMs, --allow-discards can prove to be useful during the cryptsetup step.
There are security implications, so the man page excerpt is provided here. This should probably also be noted in the man page of mkinitramfs-ll.
--allow-discards
Allow the use of discard (TRIM) requests for device. This option is only relevant for open action.
WARNING: This command can have a negative security impact because it can make filesystem-level operations visible on the physical device. For example, information leaking filesystem type, used space, etc. may be extractable from the physical device if the discarded blocks can be located later. If in doubt, do not use it.
A kernel version of 3.1 or later is needed. For earlier kernels this option is ignored.
The user should be able to pass this parameter to cryptsetup.
I solved it by providing an environment variable/cmdline parameter discards=yes|true|whatever in the config file like so (using LVM on LUKS with password here):
env=(
    ${MIR_EXTRA_ENV}
    # Disable applets/binaries checking
    'CHECK_ENV=false'
    'root=vg00-root'
    'lvm=vg00-nvme0n1p5'
    'rootflags=user_xattr'
    'luks=pwd'
    'discards=yes'
)
and the following patch:
--- /usr/share/mkinitramfs-ll/usr/lib/mkinitramfs-ll/functions.org 2018-01-01 23:25:38.443257852 +0100
+++ /usr/share/mkinitramfs-ll/usr/lib/mkinitramfs-ll/functions 2018-02-09 23:10:11.252510811 +0100
@@ -293,7 +293,7 @@
debug -d losetup "$_ld" "$1"
loopback_dev="$_ld $loopback_dev"
fi
- debug cryptsetup luksOpen "$_ld" "$_fn" && loopback_key="$_fn $loopback_key"
+ debug cryptsetup luksOpen "$_ld" "$_fn" "$(get_discards)" && loopback_key="$_fn $loopback_key"
}
# @FUNCTION: Key[file/mode] handler
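Review bot: In the changed `luksOpen` line, `"$(get_discards)"` is quoted, so when discards are not enabled the substitution expands to an empty string and cryptsetup still receives it as an extra, empty argument after `"$_fn"`. Leave the substitution unquoted here (the function only ever prints one fixed word), or store the result in a variable and append it with `${opt:+"$opt"}`, so the disabled case adds no argument at all.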
@@ -359,6 +359,11 @@
eval "${_name:-REPLY}='${_typ:+$_typ:}$DEV${_sig:+:$_sig}'"
}
+# @FUNCTION: Determine if discards should be allowed
+get_discards() {
+ yesno ${discards:-no} && echo "--allow-discards"
+}
+
# @FUNCTION: Close dm-crypt mapping
# @ARG: <map>
dmclose() {
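Review bot: In `get_discards`, `${discards:-no}` is passed to `yesno` unquoted, so a value containing whitespace or glob characters is split or expanded before `yesno` sees it; write `yesno "${discards:-no}"`. The function also returns the failing status of `yesno` whenever discards are off, so use an `if` or end with `return 0` in case a caller checks the result. The `@FUNCTION` comment is also the natural place to note the information-leak trade-off of enabling discards.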
@@ -412,7 +417,7 @@
fi
;;
esac
- _arg="open $_dev $_map ${_header:+--header} $_header"
+ _arg="open $_dev $_map ${_header:+--header} $_header $(get_discards)"
case "$keymode" in
(gpg)
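Review bot: In the `_arg=` assignment the flag is spliced into a single string, which only works if `_arg` is later expanded unquoted, while the `luksOpen` call in the first hunk quotes the same substitution; both call sites should treat the empty case the same way. Each site also runs `get_discards` in its own command substitution, so consider evaluating it once into a variable and reusing that value in both places.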
As I don't use the detached header function (nor any other scenario) I cannot say whether this works for all use cases. I am however able to issue "fstrim" after doing the above.
Please adapt to your coding standards.
This could most likely be generalized into allowing arbitrary options to cryptsetup with cryptsetup=--allow-discards:--some-option:--some-other-option but I have no test setup here to develop and test this efficiently, the above is more or less a quick hack on my one and only production system ;-)
I hope you can include this into the master branch!
Thanks a lot in advance!
Interim fix for this and #51 for those that need an updated ebuild:
mkinitramfs-ll-0.22.10-r1.tar.gz
Thanks. I will add a new environment variable to allow arbitrary options for cryptsetup for power users. This could be generalised for other tools.
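One way to handle the colon-separated `cryptsetup=--allow-discards:--some-option` list proposed in the issue without `eval` and without ever passing an empty argument, as an added example that is not code from mkinitramfs-ll or from this thread. The `open_args` helper, the accepted character set, and the device and mapping names are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical helper, not mkinitramfs-ll code.
# Usage: open_args <device> <mapping> <colon-separated option list>
# Prints the resulting cryptsetup argv, one word per line.
# The function body is a subshell "( )", so the IFS and "set -f"
# changes below do not leak into the caller.
open_args() (
    dev=$1 map=$2 list=$3
    set -f      # no pathname expansion while the list is split
    IFS=:       # split the list on ':' only
    set -- open "$dev" "$map"
    for opt in $list; do
        case $opt in
            '') continue ;;     # tolerate "a::b" or a trailing ':'
            --[a-z]*) ;;        # must look like a long option
            *) echo "rejected option: $opt" >&2; return 1 ;;
        esac
        case $opt in
            # anything outside this conservative set is refused
            *[!A-Za-z0-9=/._-]*)
                echo "rejected option: $opt" >&2; return 1 ;;
        esac
        set -- "$@" "$opt"      # each option stays exactly one word
    done
    # In an initramfs this line would be: cryptsetup "$@"
    printf '%s\n' "$@"
)

# Constructed sample input (device and mapping names are placeholders).
open_args /dev/sdX2 root '--allow-discards:--some-option'
```

Because the argv is built with `set --`, an empty or unset list leaves the command as plain `open <device> <mapping>`, and a token that is not a plain long option aborts before cryptsetup would run.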