tokiclover / mkinitramfs-ll

Lightweight, modular and powerful initramfs generating tool

Allow discards for SSDs in cryptsetup

tbart opened this issue · comments

commented

When using SSDs/NVMs, --allow-discards can prove to be useful during the cryptsetup step.

There are security implications, so the man page excerpt is provided here. This should probably also be noted in the man page of mkinitramfs-ll.

      --allow-discards
              Allow  the  use  of discard (TRIM) requests for device.  This option is only relevant
              for open action.

              WARNING: This command can have  a  negative  security  impact  because  it  can  make
              filesystem-level  operations visible on the physical device. For example, information
              leaking filesystem type, used space, etc. may be extractable from the physical device
              if the discarded blocks can be located later. If in doubt, do not use it.

              A  kernel  version  of  3.1  or  later  is needed. For earlier kernels this option is
              ignored.

The user should be able to pass this parameter to cryptsetup.

I solved it by providing an environment variable/cmdline parameter discards=yes|true|whatever in the config file like so (using LVM on LUKS with password here):

env=(
        ${MIR_EXTRA_ENV}
        # Disable applets/binaries checking
        'CHECK_ENV=false'
        'root=vg00-root'
        'lvm=vg00-nvme0n1p5'
        'rootflags=user_xattr'
        'luks=pwd'
        'discards=yes'
)

and the following patch:

--- /usr/share/mkinitramfs-ll/usr/lib/mkinitramfs-ll/functions.org	2018-01-01 23:25:38.443257852 +0100
+++ /usr/share/mkinitramfs-ll/usr/lib/mkinitramfs-ll/functions	2018-02-09 23:10:11.252510811 +0100
@@ -293,7 +293,7 @@
 		debug -d losetup "$_ld" "$1"
 		loopback_dev="$_ld $loopback_dev"
 	fi
-	debug cryptsetup luksOpen "$_ld" "$_fn" && loopback_key="$_fn $loopback_key"
+	debug cryptsetup luksOpen "$_ld" "$_fn" "$(get_discards)" && loopback_key="$_fn $loopback_key"
 }
 
 # @FUNCTION: Key[file/mode] handler
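
Review bot: On the changed luksOpen line, "$(get_discards)" is quoted, so when discards is unset or negative the substitution produces an empty string that is still handed to cryptsetup as a separate, empty argument. Drop the quotes around the substitution (the only value it can emit, --allow-discards, contains no blanks or glob characters) so that nothing is passed when discards are off.
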
@@ -359,6 +359,11 @@
 	eval "${_name:-REPLY}='${_typ:+$_typ:}$DEV${_sig:+:$_sig}'"
 }
 
+# @FUNCTION: Determine if discards should be allowed
+get_discards() {
+	yesno ${discards:-no} && echo "--allow-discards"	
+}
+
 # @FUNCTION: Close dm-crypt mapping
 # @ARG: <map>
 dmclose() {
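
Review bot: get_discards returns a non-zero status whenever discards are disabled, because the list `yesno ${discards:-no} && echo "--allow-discards"` ends on the failed yesno; a caller that tests the status, or an assignment from the substitution under `set -e`, would treat the normal "off" case as an error. Write it as `if yesno "${discards:-no}"; then echo "--allow-discards"; fi`, which also quotes the expansion, and remove the trailing tab after the echo. The @FUNCTION comment should say that the default is no and refer to the cryptsetup man page warning about discards.
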
@@ -412,7 +417,7 @@
 		fi
 		;;
 	esac
-	_arg="open $_dev $_map ${_header:+--header} $_header"
+	_arg="open $_dev $_map ${_header:+--header} $_header $(get_discards)"
 
 	case "$keymode" in
 		(gpg)
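
Review bot: The new `_arg="open $_dev $_map ..."` line appends the flag for every mapping opened through this path, driven by the single discards setting, so it cannot be enabled for an SSD-backed mapping while staying off for another device. Given the information-leak warning in the cryptsetup man page, consider a per-device setting, or document that discards=yes applies to all mappings opened here.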

As I don't use the detached header function (nor any other scenario) I cannot say whether this works for all use cases. I am however able to issue "fstrim" after doing the above.
Please adapt to your coding standards.
This could most likely be generalized into allowing arbitrary options to cryptsetup with cryptsetup=--allow-discards:--some-option:--some-other-option but I have no test setup here to develop and test this efficiently, the above is more or less a quick hack on my one and only production system ;-)

I hope you can include this into the master branch!

Thanks a lot in advance!

commented

Interim fix for this and #51 for those that need an updated ebuild:
mkinitramfs-ll-0.22.10-r1.tar.gz

Thanks. I will add a new environment variable to allow arbitrary options for cryptsetup for power users. This could be generalised for other tools.
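
Added example (not part of this thread and not mkinitramfs-ll code): one way to handle the colon-separated `cryptsetup=--allow-discards:--some-option` list proposed above, validating each option against an allowlist and never passing an empty argument to cryptsetup. The function names, the `CRYPTSETUP_ALLOWED` variable and the choice of an allowlist are assumptions.

```sh
#!/bin/sh
# Added example, not mkinitramfs-ll code. Function names and the
# allowlist are assumptions made for illustration.

# Options permitted to reach cryptsetup; anything else is refused.
CRYPTSETUP_ALLOWED="--allow-discards --readonly"

# @FUNCTION: Validate a colon-separated cryptsetup option list
# @ARG: <opt[:opt...]>
# Prints the accepted options separated by spaces. Returns 1 and prints
# nothing if any option is malformed or not on the allowlist.
parse_cryptsetup_opts() {
	_list=$1 _out='' _rc=0
	_oldifs=$IFS
	set -f                  # no pathname expansion while splitting
	IFS=:
	for _opt in $_list; do
		case "$_opt" in
			('') continue ;;                # "a::b" or a leading ":"
			(*[!a-z0-9-]*) _rc=1; break ;;  # no "=", "/", blanks, globs
		esac
		case " $CRYPTSETUP_ALLOWED " in
			(*" $_opt "*) _out="${_out:+$_out }$_opt" ;;
			(*) _rc=1; break ;;
		esac
	done
	IFS=$_oldifs
	set +f
	[ "$_rc" -eq 0 ] || return 1
	[ -n "$_out" ] && printf '%s\n' "$_out"
	return 0
}

# @FUNCTION: Count the arguments "cryptsetup open" would receive
# @ARG: <dev> <map> <opt[:opt...]>
open_argc() {
	_opts=$(parse_cryptsetup_opts "$3") || return 1
	# Unquoted on purpose: an empty list adds no argument at all, and
	# the validated options contain no blanks or glob characters.
	set -- open "$1" "$2" $_opts
	echo "$#"
}

# Constructed demo; device and mapping names are placeholders.
open_argc /dev/placeholder root '--allow-discards:--readonly'   # prints 5
```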