From: Eric van Gyzen
To: Mark Martinec, freebsd-stable@freebsd.org
Subject: Re: GELI with integrity verification on swap
Date: Thu, 9 Feb 2017 09:02:19 -0600

On 02/09/2017 08:51, Mark Martinec wrote:
> 2) During boot the log shows a short flurry of messages like:
>
> kernel: GEOM_ELI: Device gpt/sw1.eli created.
> kernel: GEOM_ELI: Encryption: AES-XTS 128
> kernel: GEOM_ELI: Integrity: HMAC/SHA256
> kernel: GEOM_ELI: Crypto: software
> kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 16384 bytes of data at offset 11452985344.
> kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 4096 bytes of data at offset 11453235200.
> kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 4096 bytes of data at offset 11453239296.
> kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 4096 bytes of data at offset 11453239296.
> kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 4096 bytes of data at offset 11453239296.
> kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 4096 bytes of data at offset 11453235200.
> kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 4096 bytes of data at offset 4096.
> kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 4096 bytes of data at offset 0.
> kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 4096 bytes of data at offset 11453239296.
> kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 8192 bytes of data at offset 65536.
> kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 8192 bytes of data at offset 8192.
> kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 8192 bytes of data at offset 0.
>
> which, according to the geli(8) man page, could be normal, as these blocks
> were never written to beforehand and contain random stuff. As the geli swap
> device is supposed to be ephemeral (Flags: ONETIME, W-DETACH, AUTH, W-OPEN),
> there is no way to initialize blocks on a swap device on boot. So, are these
> messages really safe to be ignored?
>
> Which brings us to another, perhaps more important question: what business
> does a kernel have to do READING from a swap device, blocks which never have
> been written to before by this incarnation of the kernel???

I can't comment on the rest of your message, but these look like the normal
"tasting" of a new provider. Some geom classes are looking for metadata near
the beginning and end of the provider to see if they contain a partition
scheme, file system, or whatever that class should consume.

Eric
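
The following is an added example, not part of the original message or of FreeBSD: a small log triage that separates GEOM_ELI authentication failures near the start or end of a provider (the pattern the reply attributes to tasting) from failures elsewhere on the device. The function name, the 512 KiB edge window, the device name `gpt/swap0.eli`, the 1 GiB provider size and the sample log lines are all assumptions constructed for the example.

```python
import re

# Message format as quoted in the thread: device, length, offset.
FAIL_RE = re.compile(
    r"GEOM_ELI: (\S+): Failed to authenticate (\d+) bytes of data at\s+offset (\d+)\."
)

def classify_failures(log_text, mediasize, window=512 * 1024):
    """Split authentication failures into edge reads and interior reads.

    mediasize: size in bytes of the .eli provider (for example the
               Mediasize value reported by `geli list`).
    window:    distance from either end that counts as "near" it. This
               threshold is a choice made for this example, not a GEOM
               constant.
    Returns (edge, interior), each a sorted list of unique
    (device, offset, length) tuples.
    """
    edge, interior = set(), set()
    for dev, length, offset in FAIL_RE.findall(log_text):
        length, offset = int(length), int(offset)
        near_start = offset + length <= window
        near_end = offset >= mediasize - window
        (edge if near_start or near_end else interior).add((dev, offset, length))
    return sorted(edge), sorted(interior)

# Constructed sample: hypothetical 1 GiB one-time swap provider.
SAMPLE_MEDIASIZE = 1073741824
SAMPLE_LOG = """\
kernel: GEOM_ELI: gpt/swap0.eli: Failed to authenticate 4096 bytes of data at offset 0.
kernel: GEOM_ELI: gpt/swap0.eli: Failed to authenticate 8192 bytes of data at offset 65536.
kernel: GEOM_ELI: gpt/swap0.eli: Failed to authenticate 4096 bytes of data at offset 1073737728.
kernel: GEOM_ELI: gpt/swap0.eli: Failed to authenticate 4096 bytes of data at offset 1073737728.
kernel: GEOM_ELI: gpt/swap0.eli: Failed to authenticate 16384 bytes of data at offset 1073479680.
kernel: GEOM_ELI: gpt/swap0.eli: Failed to authenticate 4096 bytes of data at offset 536870912.
"""

if __name__ == "__main__":
    edge, interior = classify_failures(SAMPLE_LOG, SAMPLE_MEDIASIZE)
    print("near start/end (consistent with tasting):", len(edge))
    for dev, offset, length in interior:
        print(f"interior read failed: {dev} offset={offset} len={length}")
```

Failures that land in the interior list are the ones that do not fit the tasting explanation and are worth correlating with what was reading the device at that time.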