[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v7 04/10] qcow2: Support BDRV_REQ_ZERO_WRITE for truncate
From: |
Kevin Wolf |
Subject: |
Re: [PATCH v7 04/10] qcow2: Support BDRV_REQ_ZERO_WRITE for truncate |
Date: |
Tue, 28 Apr 2020 20:45:14 +0200 |
Am 28.04.2020 um 18:28 hat Eric Blake geschrieben:
> On 4/24/20 7:54 AM, Kevin Wolf wrote:
> > If BDRV_REQ_ZERO_WRITE is set and we're extending the image, calling
> > qcow2_cluster_zeroize() with flags=0 does the right thing: It doesn't
> > undo any previous preallocation, but just adds the zero flag to all
> > relevant L2 entries. If an external data file is in use, a write_zeroes
> > request to the data file is made instead.
> >
> > Signed-off-by: Kevin Wolf <address@hidden>
> > ---
> > block/qcow2-cluster.c | 2 +-
> > block/qcow2.c | 34 ++++++++++++++++++++++++++++++++++
> > 2 files changed, 35 insertions(+), 1 deletion(-)
> >
>
> > +++ b/block/qcow2.c
> > @@ -1726,6 +1726,7 @@ static int coroutine_fn
> > qcow2_do_open(BlockDriverState *bs, QDict *options,
> > bs->supported_zero_flags = header.version >= 3 ?
> > BDRV_REQ_MAY_UNMAP | BDRV_REQ_NO_FALLBACK
> > : 0;
> > + bs->supported_truncate_flags = BDRV_REQ_ZERO_WRITE;
>
> Is this really what we want for encrypted files, or would it be better as:
>
> if (bs->encrypted) {
> bs->supported_truncate_flags = 0;
> } else {
> bs->supported_truncate_flags = BDRV_REQ_ZERO_WRITE;
> }
>
> At the qcow2 level, we can guarantee a read of 0 even for an encrypted
> image, but is that really what we want? Is setting the qcow2 zero flag on
> the cluster done at the decrypted level (at which point we may be leaking
> information about guest contents via anyone that can read the qcow2
> metadata) or at the encrypted level (at which point it's useless
> information, because knowing the underlying file reads as zero still
> decrypts into garbage)?
The zero flag means that the guest reads zeros, even with encrypted
files. I'm not sure if it's worse than exposing the information which
clusters are allocated and which are unallocated, which we have always
been doing and which is hard to avoid without encrypting all the
metadata, too. But it does reveal some information.
If we think that exposing zero flags is worse than exposing the
allocation status, I would still not use your solution above. In that
case, the full fix would be returning -ENOTSUP from
.bdrv_co_pwrite_zeroes() to cover all other callers, too.
If we think that allocation status and zero flags are of comparable
importance, then we need to fix either both or nothing. Hiding all of
this information probably means encrypting at least the L2 tables and
potentially all of the metadata apart from the header. This would
obviously require an incompatible feature flag (and some effort to
implement it).
Kevin
- [PATCH v7 00/10] block: Fix resize (extending) of short overlays, Kevin Wolf, 2020/04/24
- [PATCH v7 07/10] block: truncate: Don't make backing file data visible, Kevin Wolf, 2020/04/24
- [PATCH v7 02/10] block: Add flags to bdrv(_co)_truncate(), Kevin Wolf, 2020/04/24
- [PATCH v7 05/10] raw-format: Support BDRV_REQ_ZERO_WRITE for truncate, Kevin Wolf, 2020/04/24
- [PATCH v7 01/10] block: Add flags to BlockDriver.bdrv_co_truncate(), Kevin Wolf, 2020/04/24
- [PATCH v7 08/10] iotests: Filter testfiles out in filter_img_info(), Kevin Wolf, 2020/04/24
- [PATCH v7 09/10] iotests: Test committing to short backing file, Kevin Wolf, 2020/04/24