From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pve-devel@lists.proxmox.com, Stefan Reiter <s.reiter@proxmox.com>
Subject: Re: [pve-devel] [PATCH proxmox-backup-qemu 2/2] invalidate bitmap when crypto key changes
Date: Thu, 22 Oct 2020 09:51:51 +0200 [thread overview]
Message-ID: <1603353001.5rl0cqxqid.astroid@nora.none> (raw)
In-Reply-To: <538c080f-25c7-b10c-bc93-8e23ec0a07e8@proxmox.com>
On October 21, 2020 5:17 pm, Stefan Reiter wrote:
> On 10/21/20 1:49 PM, Fabian Grünbichler wrote:
>> by computing and remembering the ID digest of a static string, we can
>> detect when the passed in key has changed without keeping a copy of it
>> around inbetween backup jobs.
>>
>> this is a follow-up/fixup for
>>
>> 104fae9111cd9a4e4dd7779172d39580a393165d fix #2866: invalidate bitmap on crypt_mode change
>>
>> which implemented detection for crypt MODE changes.
>>
>> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
>> ---
>> note: the string is just an implementation detail right now, but once we
>> start sending that along with migration or persisting it together with
>> bitmaps, we probably want a more robust scheme and store the input
>> string + digest
>
> I'm not sure I follow... as long as this string stays the same it
> shouldn't ever be necessary to store it alongside the digest?
yes. but once this is no longer something that's only valid for a single
process and not leaked (in which case, we can just change it between
versions as there is no compatibility concern), I'd make sure we can
change it in case we need to, and the easiest way is to include both
input and output so that the new version can verify the old one :)
> In any case, this works fine:
>
> Reviewed-by: Stefan Reiter <s.reiter@proxmox.com>
thanks!
>
>>
>> src/backup.rs | 1 +
>> src/commands.rs | 36 ++++++++++++++++++++++++++++++++++++
>> 2 files changed, 37 insertions(+)
>>
>> diff --git a/src/backup.rs b/src/backup.rs
>> index 7945575..9f6d176 100644
>> --- a/src/backup.rs
>> +++ b/src/backup.rs
>> @@ -203,6 +203,7 @@ impl BackupTask {
>> Some(ref manifest) => {
>> check_last_incremental_csum(Arc::clone(manifest), &device_name, size)
>> && check_last_encryption_mode(Arc::clone(manifest), &device_name, self.crypt_mode)
>> + && check_last_encryption_key(self.crypt_config.clone())
>> },
>> None => false,
>> }
>> diff --git a/src/commands.rs b/src/commands.rs
>> index b9b0161..f7e0f62 100644
>> --- a/src/commands.rs
>> +++ b/src/commands.rs
>> @@ -19,6 +19,10 @@ lazy_static!{
>> static ref PREVIOUS_CSUMS: Mutex<HashMap<String, [u8;32]>> = {
>> Mutex::new(HashMap::new())
>> };
>> +
>> + static ref PREVIOUS_CRYPT_CONFIG_DIGEST: Mutex<Option<[u8;32]>> = {
>> + Mutex::new(None)
>> + };
>> }
>>
>> pub struct ImageUploadInfo {
>> @@ -82,6 +86,15 @@ fn archive_name(device_name: &str) -> String {
>> format!("{}.img.fidx", device_name)
>> }
>>
>> +const CRYPT_CONFIG_HASH_INPUT:&[u8] = b"this is just a static string to protect against key changes";
>> +
>> +/// Create an identifying digest for the crypt config
>> +pub(crate) fn crypt_config_digest(
>> + config: Arc<CryptConfig>,
>> +) -> [u8;32] {
>> + config.compute_digest(CRYPT_CONFIG_HASH_INPUT)
>> +}
>> +
>> pub(crate) fn check_last_incremental_csum(
>> manifest: Arc<BackupManifest>,
>> device_name: &str,
>> @@ -114,6 +127,19 @@ pub(crate) fn check_last_encryption_mode(
>> }
>> }
>>
>> +pub(crate) fn check_last_encryption_key(
>> + config: Option<Arc<CryptConfig>>,
>> +) -> bool {
>> + let digest_guard = PREVIOUS_CRYPT_CONFIG_DIGEST.lock().unwrap();
>> + match (*digest_guard, config) {
>> + (Some(last_digest), Some(current_config)) => {
>> + crypt_config_digest(current_config) == last_digest
>> + },
>> + (None, None) => true,
>> + _ => false,
>> + }
>> +}
>> +
>> #[allow(clippy::too_many_arguments)]
>> pub(crate) async fn register_image(
>> client: Arc<BackupWriter>,
>> @@ -393,6 +419,16 @@ pub(crate) async fn finish_backup(
>> .map_err(|err| format_err!("unable to format manifest - {}", err))?
>> };
>>
>> + {
>> + let crypt_config_digest = match crypt_config {
>> + Some(current_config) => Some(crypt_config_digest(current_config)),
>> + None => None,
>> + };
>> +
>> + let mut crypt_config_digest_guard = PREVIOUS_CRYPT_CONFIG_DIGEST.lock().unwrap();
>> + *crypt_config_digest_guard = crypt_config_digest;
>> + }
>> +
>> client
>> .upload_blob_from_data(manifest.into_bytes(), MANIFEST_BLOB_NAME, true, false)
>> .await?;
>>
>
next prev parent reply other threads:[~2020-10-22 7:51 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-21 11:49 [pve-devel] [PATCH proxmox-backup-qemu 1/2] update to proxmox-backup 0.9.1 Fabian Grünbichler
2020-10-21 11:49 ` [pve-devel] [PATCH proxmox-backup-qemu 2/2] invalidate bitmap when crypto key changes Fabian Grünbichler
2020-10-21 15:17 ` Stefan Reiter
2020-10-22 7:51 ` Fabian Grünbichler [this message]
2020-10-28 21:51 ` [pve-devel] applied-series: [PATCH proxmox-backup-qemu 1/2] update to proxmox-backup 0.9.1 Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1603353001.5rl0cqxqid.astroid@nora.none \
--to=f.gruenbichler@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=s.reiter@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox