Enable cryptsetup read/write workqueue bypass (#1150)

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Daniel Weiße 2023-02-08 12:01:14 +01:00 committed by GitHub
parent 821f87b7be
commit 68ce23b909
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 22 additions and 4 deletions


@ -18,6 +18,7 @@ import (
"time" "time"
"github.com/edgelesssys/constellation/v2/internal/crypto" "github.com/edgelesssys/constellation/v2/internal/crypto"
ccryptsetup "github.com/edgelesssys/constellation/v2/internal/cryptsetup"
cryptsetup "github.com/martinjungblut/go-cryptsetup" cryptsetup "github.com/martinjungblut/go-cryptsetup"
mount "k8s.io/mount-utils" mount "k8s.io/mount-utils"
utilexec "k8s.io/utils/exec" utilexec "k8s.io/utils/exec"
@ -296,7 +297,7 @@ func openCryptDevice(ctx context.Context, device DeviceMapper, source, volumeID
} }
} }
if err := device.ActivateByPassphrase(volumeID, 0, string(passphrase), 0); err != nil { if err := device.ActivateByPassphrase(volumeID, 0, string(passphrase), ccryptsetup.ReadWriteQueueBypass); err != nil {
return "", fmt.Errorf("trying to activate dm-crypt volume: %w", err) return "", fmt.Errorf("trying to activate dm-crypt volume: %w", err)
} }
@ -368,8 +369,8 @@ func resizeCryptDevice(ctx context.Context, device DeviceMapper, name string,
return fmt.Errorf("getting key: %w", err) return fmt.Errorf("getting key: %w", err)
} }
if err := device.ActivateByPassphrase("", 0, string(passphrase), cryptsetup.CRYPT_ACTIVATE_KEYRING_KEY); err != nil { if err := device.ActivateByPassphrase("", 0, string(passphrase), cryptsetup.CRYPT_ACTIVATE_KEYRING_KEY|ccryptsetup.ReadWriteQueueBypass); err != nil {
return fmt.Errorf("activating keyrung for crypt device %q with passphrase: %w", name, err) return fmt.Errorf("activating keyring for crypt device %q with passphrase: %w", name, err)
} }
if err := device.Resize(name, 0); err != nil { if err := device.Resize(name, 0); err != nil {
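Review bot: In the resizeCryptDevice hunk, OR-ing `ccryptsetup.ReadWriteQueueBypass` into the `ActivateByPassphrase("", ...)` call probably has no effect. libcryptsetup documents an activation without a device name as only checking the passphrase, and with `CRYPT_ACTIVATE_KEYRING_KEY` it also loads the key into the keyring; no mapping is created, assuming the Go binding passes the empty name through as NULL. The following `device.Resize(name, 0)` works on the table that is already active, so a volume opened without the bypass presumably keeps its workqueues after a resize. Either drop the flag here or, once confirmed, add a comment such as `// with no device name this call only loads the key; the workqueue flags do not change the active mapping`. The function body starts and ends outside the hunk, so this rests only on the visible call sequence.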


@ -22,6 +22,7 @@ import (
"sync" "sync"
"time" "time"
ccryptsetup "github.com/edgelesssys/constellation/v2/internal/cryptsetup"
"github.com/edgelesssys/constellation/v2/internal/logger" "github.com/edgelesssys/constellation/v2/internal/logger"
cryptsetup "github.com/martinjungblut/go-cryptsetup" cryptsetup "github.com/martinjungblut/go-cryptsetup"
"go.uber.org/zap" "go.uber.org/zap"
@ -107,7 +108,7 @@ func (m *Mapper) FormatDisk(passphrase string) error {
// MapDisk maps a crypt device to /dev/mapper/target using the provided passphrase. // MapDisk maps a crypt device to /dev/mapper/target using the provided passphrase.
func (m *Mapper) MapDisk(target, passphrase string) error { func (m *Mapper) MapDisk(target, passphrase string) error {
if err := m.device.ActivateByPassphrase(target, 0, passphrase, 0); err != nil { if err := m.device.ActivateByPassphrase(target, 0, passphrase, ccryptsetup.ReadWriteQueueBypass); err != nil {
return fmt.Errorf("mapping disk as %q: %w", target, err) return fmt.Errorf("mapping disk as %q: %w", target, err)
} }
return nil return nil
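Review bot: MapDisk now passes `ccryptsetup.ReadWriteQueueBypass` unconditionally and returns any activation error, so there is no fallback for kernels whose dm-crypt lacks the no-workqueue options. As far as I know libcryptsetup fails the activation in that case rather than ignoring the flags, which would leave the disk unmapped; the same applies to the `openCryptDevice` call in the first file. If older kernels are in scope, consider retrying once with flags `0` and logging the downgrade. Otherwise, state next to the call that the image's kernel is required to support the flags. Failing closed is a defensible choice for an encrypted volume, but it should be an explicit one.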


@ -0,0 +1,16 @@
/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
// Package cryptsetup contains CGO bindings for cryptsetup.
package cryptsetup
// #include <libcryptsetup.h>
import "C"
const (
// ReadWriteQueueBypass is a flag to disable the write and read workqueues for a crypt device.
ReadWriteQueueBypass = C.CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE | C.CRYPT_ACTIVATE_NO_READ_WORKQUEUE
)
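Review bot: The doc comment on `ReadWriteQueueBypass` says what the flag disables but not why it is set or what it depends on. The two `CRYPT_ACTIVATE_NO_*_WORKQUEUE` macros exist only in newer libcryptsetup headers (2.3.4 onward, if I recall correctly) and need matching dm-crypt support in the kernel, so both the cgo build and activation depend on them. I would extend the comment to something like `// ReadWriteQueueBypass makes dm-crypt process reads and writes synchronously instead of through workqueues; it is a performance option and needs kernel and libcryptsetup support for both flags.` It is also worth stating that the flag only changes where the crypto work is scheduled, not the cipher or key handling, so it is not mistaken for a security setting.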