From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 1533D1FF15C for ; Fri, 11 Jul 2025 12:09:36 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id D9953D8CF; Fri, 11 Jul 2025 12:10:21 +0200 (CEST) Message-ID: <708356b1-2b01-40b5-abbd-2a9f5bbd34f7@proxmox.com> Date: Fri, 11 Jul 2025 12:09:47 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Beta From: Dominik Csapak To: pbs-devel@lists.proxmox.com References: <20250416070703.493585-1-d.csapak@proxmox.com> Content-Language: en-US In-Reply-To: <20250416070703.493585-1-d.csapak@proxmox.com> X-SPAM-LEVEL: Spam detection results: 0 AWL 0.021 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [encryption.rs, proxmox.com, mod.rs] Subject: Re: [pbs-devel] [PATCH proxmox-backup v2] tape: skip setting encryption if we can't and don't want to X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" ping, should still apply as is, but we got an additional user running into this problem: https://forum.proxmox.com/threads/fips-mode-on-tape-library-pbs-errors-out-on-labeling.164941/#post-782914 On 4/16/25 09:07, Dominik Csapak wrote: > Some settings on changers prevents changing the encryption parameters > via the application, e.g. some libraries have a 'encryption disabled' or > 'encryption is library managed' option. While the former situation can > be fixed by setting the library to 'application managed', the latter is > sometimes necessary for FIPS compliance (to ensure the tape data is > encrypted). > > When libraries are configured this way, the code currently fails with > 'drive does not support AES-GCM encryption'. Instead of failing, check > on first call to set_encryption if we could set it, and save that > result. > > Only fail when encryption is to be enabled but it is not allowed, but > ignore the error when the backup should be done unencrypted. > > `assert_encryption_mode` must also check if it's possible, and skip any > error if it's not possible and we wanted no encryption. > > With these changes, it should be possible to use such configured libraries > when there is no encryption configured on the PBS side. (We currently > don't have a library with such capabilities to test.) > > Note that in contrast to normal operation, the tape label will also be > encrypted then and will not be readable in case the encryption key is > lost or changed. > > Additionally, return an error for 'drive_set_encryption' in case the > drive reports that it does not support hardware encryption, because this > is now already caught one level above in 'set_encryption'. > > Also, slightly change the error message to make it clear that the drive > does not support *setting* encryption, not that it does not support > it at all. > > This was reported in the community forum: > > https://forum.proxmox.com/threads/107383/ > https://forum.proxmox.com/threads/164941/ > > Signed-off-by: Dominik Csapak > --- > changes from v1: > * adapted error message to make it clear what is not supported > * also adapt `assert_encryption_mode`, otherwise a backup is not possible > > pbs-tape/src/sg_tape.rs | 30 +++++++++++++++++++++++++++++- > pbs-tape/src/sg_tape/encryption.rs | 12 ++---------- > src/tape/drive/lto/mod.rs | 4 ++++ > 3 files changed, 35 insertions(+), 11 deletions(-) > > diff --git a/pbs-tape/src/sg_tape.rs b/pbs-tape/src/sg_tape.rs > index 39e6a2f94..9c7a254d5 100644 > --- a/pbs-tape/src/sg_tape.rs > +++ b/pbs-tape/src/sg_tape.rs > @@ -136,6 +136,8 @@ pub struct SgTape { > file: File, > locate_offset: Option, > info: InquiryInfo, > + // auto-detect if we can set the encryption mode > + encryption_possible: Option, > } > > impl SgTape { > @@ -158,6 +160,7 @@ impl SgTape { > file, > info, > locate_offset: None, > + encryption_possible: None, > }) > } > > @@ -690,6 +693,14 @@ impl SgTape { > } > > pub fn set_encryption(&mut self, key_data: Option<([u8; 32], Uuid)>) -> Result<(), Error> { > + if self.encryption_possible == Some(false) { > + if key_data.is_some() { > + bail!("Drive does not support setting encryption mode"); > + } else { > + // skip trying to set encryption if not supported and don't wanted > + return Ok(()); > + } > + } > let key = if let Some((ref key, ref uuid)) = key_data { > // derive specialized key for each media-set > > @@ -710,7 +721,24 @@ impl SgTape { > None > }; > > - drive_set_encryption(&mut self.file, key) > + match drive_set_encryption(&mut self.file, key) { > + Ok(()) => self.encryption_possible = Some(true), > + Err(err) => { > + self.encryption_possible = Some(false); > + if key.is_some() { > + bail!("could not set encryption mode on drive: {err}"); > + } else { > + log::info!("could not set encryption mode on drive: {err}, ignoring."); > + } > + } > + } > + Ok(()) > + } > + > + /// Returns if encryption is possible. Returns [`None`] if it's unknown, because > + /// no attempt was made to set the mode yet. > + pub fn encryption_possible(&self) -> Option { > + self.encryption_possible > } > > // Note: use alloc_page_aligned_buffer to alloc data transfer buffer > diff --git a/pbs-tape/src/sg_tape/encryption.rs b/pbs-tape/src/sg_tape/encryption.rs > index 7247d257f..c24a6c658 100644 > --- a/pbs-tape/src/sg_tape/encryption.rs > +++ b/pbs-tape/src/sg_tape/encryption.rs > @@ -12,15 +12,7 @@ use crate::sgutils2::{alloc_page_aligned_buffer, SgRaw}; > /// > /// We always use mixed mode, > pub fn drive_set_encryption(file: &mut F, key: Option<[u8; 32]>) -> Result<(), Error> { > - let data = match sg_spin_data_encryption_caps(file) { > - Ok(data) => data, > - Err(_) if key.is_none() => { > - // Assume device does not support HW encryption > - // We can simply ignore the clear key request > - return Ok(()); > - } > - Err(err) => return Err(err), > - }; > + let data = sg_spin_data_encryption_caps(file)?; > > let algorithm_index = decode_spin_data_encryption_caps(&data)?; > > @@ -266,7 +258,7 @@ fn decode_spin_data_encryption_caps(data: &[u8]) -> Result { > > match aes_gcm_index { > Some(index) => Ok(index), > - None => bail!("drive does not support AES-GCM encryption"), > + None => bail!("drive does not support setting AES-GCM encryption"), > } > }) > .map_err(|err: Error| format_err!("decode data encryption caps page failed - {}", err)) > diff --git a/src/tape/drive/lto/mod.rs b/src/tape/drive/lto/mod.rs > index 23e043ce6..bd5ec8ae6 100644 > --- a/src/tape/drive/lto/mod.rs > +++ b/src/tape/drive/lto/mod.rs > @@ -264,6 +264,10 @@ impl TapeDriver for LtoTapeHandle { > } > > fn assert_encryption_mode(&mut self, encryption_wanted: bool) -> Result<(), Error> { > + if Some(false) == self.sg_tape.encryption_possible() && !encryption_wanted { > + // ignore assertion for unencrypted mode, because we can't set it anyway > + return Ok(()); > + } > let encryption_set = drive_get_encryption(self.sg_tape.file_mut())?; > if encryption_wanted != encryption_set { > bail!("Set encryption mode not what was desired (set: {encryption_set}, wanted: {encryption_wanted})"); _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel