Date:      Sun, 4 Mar 2012 20:46:45 GMT
From:      Robert Simmons <rsimmons0@gmail.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/165695: Make geli errors on first attachment clearer when using data authentication
Message-ID:  <201203042046.q24KkjpI009976@red.freebsd.org>
Resent-Message-ID: <201203042050.q24KoCG8003160@freefall.freebsd.org>

>Number:         165695
>Category:       kern
>Synopsis:       Make geli errors on first attachment clearer when using data authentication
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 04 20:50:12 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Robert Simmons
>Release:        9.0-RELEASE
>Organization:
>Environment:
FreeBSD test 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012  root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
Immediately after you attach a geli encrypted provider for the first time you get a series of error messages mentioning corrupted data such as the following if you configured that provider to use data authentication.

GEOM_ELI: ada0p4.eli: 4096 bytes corrupted at offset 0.
GEOM_ELI: ada0p4.eli: 4096 bytes corrupted at offset 4096.

As the man page suggests, one must use dd to write to the entire provider to initialize it before its first use.  These errors are because this initialization has not happened yet, and the data is failing authentication.  These errors are harmless at this point, and can be safely ignored.

I have patched the kernel errors to be more descriptive, and I've patched the man page to include a message about these errors and that they can be safely ignored.
>How-To-Repeat:
Replace the device node in the following with whatever is appropriate for your system.  Also, the -a is imperative because that is what is enabling data authentication in the provider.

geli init -b -v -a hmac/sha256 -l 256 -s 4096 /dev/ada0p4
geli attach /dev/ada0p4

After attaching this provider, you get the error messages in question.
>Fix:
I have included a unified diff to fix both the problem with the error messages and the man page to make sure what is happening is more clear.

Patch attached with submission follows:

diff -ur src/sbin/geom/class/eli/geli.8 src.new/sbin/geom/class/eli/geli.8
--- src/sbin/geom/class/eli/geli.8	2012-03-04 13:58:18.000000000 -0500
+++ src.new/sbin/geom/class/eli/geli.8	2012-03-04 14:52:36.000000000 -0500
@@ -925,6 +925,9 @@
 It is recommended to write to the whole provider before first use,
 in order to make sure that all sectors and their corresponding
 checksums are properly initialized into a consistent state.
+Due to this, one can safely ignore data authentication errors that occur
+immediately after the first time a provider is attached and when it is
+initialized by writing to it to set a consistent state.
 .Sh SEE ALSO
 .Xr crypto 4 ,
 .Xr gbde 4 ,
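Review bot: The sentence added to geli.8 is hard to parse ("and when it is initialized by writing to it") and "Due to this" has no clear referent. It also does not quote the message the reader will see or say when the errors stop being ignorable. Suggest naming the GEOM_ELI message text and stating that it is expected only until the whole provider has been written once, after which the same message means the data failed authentication.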
diff -ur src/sys/geom/eli/g_eli_integrity.c src.new/sys/geom/eli/g_eli_integrity.c
--- src/sys/geom/eli/g_eli_integrity.c	2011-05-08 05:17:56.000000000 -0400
+++ src.new/sys/geom/eli/g_eli_integrity.c	2012-03-04 15:12:58.000000000 -0500
@@ -206,7 +206,7 @@
 				 */
 				if (coroff != -1) {
 					G_ELI_DEBUG(0, "%s: %jd bytes "
-					    "corrupted at offset %jd.",
+					    "not authenticated at offset %jd.",
 					    sc->sc_name, (intmax_t)corsize,
 					    (intmax_t)coroff);
 					coroff = -1;
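Review bot: In the G_ELI_DEBUG format string, "not authenticated" can be read as "authentication was not attempted" rather than "authentication failed", and dropping "corrupted" changes a string that existing log filters may match on. The condition `coroff != -1` does not distinguish a never-written sector from one modified later, so the wording has to stay accurate for both cases. Suggest something like "failed authentication at offset" and a mention of the string change in the commit message.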
@@ -221,7 +221,7 @@
 		}
 		/* Report previous corruption if there was one. */
 		if (coroff != -1) {
-			G_ELI_DEBUG(0, "%s: %jd bytes corrupted at offset %jd.",
+			G_ELI_DEBUG(0, "%s: %jd bytes not authenticated at offset %jd.",
 			    sc->sc_name, (intmax_t)corsize, (intmax_t)coroff);
 		}
 	}
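Review bot: The comment directly above the changed call still reads "Report previous corruption if there was one." and the variables remain coroff/corsize, so the code and the message now use different terms; update the comment to match the new wording. The string here is on one line while the same message in the previous hunk is split across two, so keeping both forms identical would make the message easier to find in the source.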


>Release-Note:
>Audit-Trail:
>Unformatted:
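
An added example, not part of the original report or of FreeBSD: a log filter that matches both the old ("corrupted") and the patched ("not authenticated") wording, merges adjacent ranges, and separates failures on providers not yet fully written from failures on providers recorded as initialized. The `initialized` set, the `ada1p2.eli` line and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the message before the patch ("corrupted") and after it
# ("not authenticated"); both wordings appear in the diff above.
GELI_RE = re.compile(
    r"GEOM_ELI: (?P<dev>\S+): (?P<size>\d+) bytes "
    r"(?:corrupted|not authenticated) at offset (?P<off>\d+)\."
)

def failed_ranges(lines):
    """Return {device: [(start, end), ...]} with adjacent ranges merged."""
    spans = defaultdict(list)
    for line in lines:
        m = GELI_RE.search(line)
        if m:
            off, size = int(m["off"]), int(m["size"])
            spans[m["dev"]].append((off, off + size))
    merged = {}
    for dev, ranges in spans.items():
        out = []
        for start, end in sorted(ranges):
            if out and start <= out[-1][1]:
                out[-1] = (out[-1][0], max(out[-1][1], end))
            else:
                out.append((start, end))
        merged[dev] = out
    return merged

def classify(lines, initialized):
    """Split failures into expected (provider not yet fully written) and
    suspicious (provider already initialized, so the HMAC should verify).
    `initialized` is an operator-maintained set of provider names (assumption)."""
    expected, suspicious = {}, {}
    for dev, ranges in failed_ranges(lines).items():
        (suspicious if dev in initialized else expected)[dev] = ranges
    return expected, suspicious

# Constructed sample log lines; the first two follow the report's messages.
SAMPLE = [
    "GEOM_ELI: ada0p4.eli: 4096 bytes corrupted at offset 0.",
    "GEOM_ELI: ada0p4.eli: 4096 bytes corrupted at offset 4096.",
    "GEOM_ELI: ada1p2.eli: 4096 bytes not authenticated at offset 81920.",
    "GEOM_ELI: Device ada0p4.eli created.",
]

if __name__ == "__main__":
    exp, sus = classify(SAMPLE, initialized={"ada1p2.eli"})
    print("expected (uninitialized):", exp)
    print("investigate:", sus)
```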
