Latest revision as of 10:46, 24 October 2017
Enable TRIM pass down to encrypted disks
Summary
Override the kernel default for dm-crypt mappings of LUKS1-encrypted volumes by adding the discard flag to the corresponding entry in the /etc/crypttab file. This change should affect only encrypted storage newly created in LUKS1 format during installation.
Owner
- Name: Vratislav Podzimek and Ondrej Kozina
- Email:
- okozina AT redhat DOT com
- vpodzime AT redhat DOT com
- Release notes owner: Simon Clark (sclark)
Current status
- Targeted release: Releases/27
- Last updated: 2017-10-24
- Tracker bug: #1421596 (https://bugzilla.redhat.com/show_bug.cgi?id=1421596)
Detailed Description
The Fedora user base with SSDs grows steadily, and while the argument for the kernel default of not enabling discard is still a strong one, it doesn't change the fact that the vast majority of users with SSDs don't want to sacrifice the better performance of a drive with discard/TRIM enabled for the sake of secrecy.
To be clear, and to stress it twice: this is not about the security of the encrypted data itself. The only concern is that a blank filesystem on top of a dm-crypt device with discard enabled may create clearly visible patterns in the ciphertext device below on SSDs.
The LUKS1 metadata format has no space to store the new default, so we can't flip the default for new LUKS1 devices being formatted via libcryptsetup or the cryptsetup utility.
Changing the kernel default is off the table due to the risk of data corruption with some TrueCrypt configurations involving hidden volumes.
For rotational devices the cost of enabled discard is negligible.
Benefit to Fedora
The majority of users who encrypt their SSD storage will benefit from improved I/O performance.
Scope
- Proposal owners:
Despite being a system-wide change (because it overrides a long-standing default), this change is quite small and easy to manage.
- Other developers:
- A very minor change in python-blivet: we just need to store the discard keyword in the /etc/crypttab lines for new partitions created during the installation process.
- Release engineering: N/A
- List of deliverables: N/A ???
- Policies and guidelines:
- Add a short note to the documentation that we're changing a long-standing default, and copy the reasoning there.
- Trademark approval: N/A
Upgrade/compatibility impact
Not affected.
How To Test
- Prerequisites:
- Have a system w/ SSD installed
- Check that newly created encrypted SSD partitions in the installer are flagged with the discard option in the /etc/crypttab file.
- Check that the encrypted partition is activated with the allow_discards keyword in its device-mapper table line: after the cryptsetup open command, dmsetup table <mapping_name> should show a table with allow_discards in it.
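The following script is an added example, not part of the change proposal or of python-blivet. It automates the two checks above, and also shows the crypttab line shape that the python-blivet change in the Scope section is expected to write: a function that confirms a named /etc/crypttab entry carries discard in its options field, and a function that confirms a dmsetup table line for a crypt target carries allow_discards among its optional parameters. The crypttab content, the table lines, the UUIDs and the function names are constructed for the example; on a real system you would feed it the actual /etc/crypttab and the output of dmsetup table <mapping_name>.

```shell
#!/bin/sh
# Added example (not part of the change proposal): verifies the two
# "How To Test" checks against constructed sample data so it runs offline.

# Constructed /etc/crypttab content: name, device, key file, options.
SAMPLE_CRYPTTAB='# constructed sample, not a real crypttab
luks-root UUID=11111111-2222-3333-4444-555555555555 none discard
luks-data UUID=66666666-7777-8888-9999-000000000000 /etc/keys/data.key luks,discard,timeout=30
luks-old  UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee none luks'

# Constructed "dmsetup table" lines for a dm-crypt target. The trailing
# "1 allow_discards" is the optional-parameter count followed by the flag
# that the crypttab "discard" option turns into when the mapping is opened.
SAMPLE_TABLE_WITH='0 1048576 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:2 4096 1 allow_discards'
SAMPLE_TABLE_WITHOUT='0 1048576 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:2 4096'

# crypttab_has_discard NAME CRYPTTAB_TEXT
# Succeeds (exit 0) only if the entry for NAME exists and its fourth,
# comma-separated options field contains exactly "discard".
crypttab_has_discard() {
    printf '%s\n' "$2" | awk -v want="$1" '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        $1 == want {
            seen = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "discard") found = 1
        }
        END { if (seen && found) exit 0; exit 1 }'
}

# dm_table_allows_discards TABLE_LINE
# Succeeds only if the line describes a "crypt" target whose optional
# parameters include allow_discards. Fields 1-8 of a crypt table line are
# fixed (start, length, target, cipher, key, iv_offset, device, offset);
# field 9, when present, is the number of optional parameters that follow.
dm_table_allows_discards() {
    printf '%s\n' "$1" | awk '
        {
            if ($3 != "crypt" || NF < 9) exit 1
            n = $9 + 0
            for (i = 10; i < 10 + n && i <= NF; i++)
                if ($i == "allow_discards") exit 0
            exit 1
        }'
}

# Demonstration run over the constructed samples.
for name in luks-root luks-data luks-old; do
    if crypttab_has_discard "$name" "$SAMPLE_CRYPTTAB"; then
        echo "crypttab: $name has discard"
    else
        echo "crypttab: $name lacks discard"
    fi
done
if dm_table_allows_discards "$SAMPLE_TABLE_WITH"; then
    echo "table: allow_discards set"
fi
if dm_table_allows_discards "$SAMPLE_TABLE_WITHOUT"; then
    :
else
    echo "table: allow_discards missing"
fi
```

Both checks are deliberately strict: the crypttab check matches the whole option token rather than a substring, so an unrelated option that merely contains the word would not pass, and the table check reads the optional-parameter count instead of grepping the line, so a flag that appears outside the optional-parameter region is not mistaken for a set flag. Seeing discard in crypttab but no allow_discards in the table means the mapping was activated without the option, which is exactly the gap this change closes.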
User Experience
In the long term, improved I/O performance when using an encrypted storage setup on top of an SSD.
Dependencies
None.
Contingency Plan
- Contingency mechanism: Revert to current default configuration
- Contingency deadline: devel freeze
- Blocks release? No
- Blocks product? N/A