Re: RFC: swapon(8) vnode-backed md and gbde/geli encryption support

From: Scot Hetzel <swhetzel_at_gmail.com>
Date: Sun, 23 Jun 2013 11:58:48 -0500

On Sat, Jun 22, 2013 at 1:53 PM, Hiroki Sato <hrs_at_freebsd.org> wrote:
> Hi,
>
>  I created a patchset to add support of automatic generation of
>  vnode-backed md(4) devices and gbde/geli geom providers to swapon(8)
>  via /etc/fstab.  We already have equivalent functionality by using
>  rc.d scripts.  This simplifies rc.d scripts and fixes a race between
>  mdconfig/gbde/geli and swapon/swapoff by using /etc/fstab.
>
>  More specifically, the following specification will be supported:
>
>  /dev/ada1p1.bde        none    swap    sw              0 0
>  /dev/ada1p2.eli        none    swap    sw              0 0
>  md     none    swap    sw,file=/swap.bin               0 0
>  md10   none    swap    sw,file=/swap10.bin             0 0
>  md12   none    swap    sw,file=/usr/swap12.bin,late    0 0
>
>  Currently, rc.d/swap1 and rc.d/encswap handle entries with FSTAB_SW,
>  and then rc.d/addswap handles additional swap space specified in rc.conf.
>  The rc.d/addswap script runs before NETWORKING, so it is difficult to
>  add a swap space by using a file via NFS on a diskless client.  The
>  "late" keyword in /etc/fstab will give more flexibility in such a
>  case.
>
>  So, the changes to rc.d scripts are the following:
>
>   rc.d/encswap -> (removed)
>   rc.d/swap1 -> rc.d/swap
>   rc.d/swaplate -> (added)
>
>  rc.d/addswap is not removed in the patchset, but is it still
>  necessary?  I do not think using a combination of rc.d scripts to
>  support md(4) device generation for swap spaces is robust, and I
>  believe /etc/fstab is sufficient for the same functionality.
>
>  Any comments are welcome.  Thank you.
>

The only thing I see is that you are hard coding the geli_swap_flags
(i.e. -e aes -l 256 -s 4096 -d) into swapon.  It would be better to
have swapon read the /etc/fstab file to get these values:

/dev/ada1p2.eli        none    swap    sw,ealgo=aes,keylen=256,sectorsize=4096              0 0
/dev/ada2p2.eli        none    swap    sw              0 0

What you could do is that if no options are specified in the swap
file, swapon would then use default values for ealgo=aes, keylen=256
and sectorsize=4096.

geli onetime [-d] [-a aalgo] [-e ealgo] [-l keylen] [-s sectorsize] prov

The options for the geli encrypted swap file in /etc/fstab would then become:

aalgo
ealgo
keylen
sectorsize

Note: the '-d' option would still be hard coded.

-- 
DISCLAIMER:

No electrons were maimed while sending this message. Only slightly bruised.
Received on Sun Jun 23 2013 - 14:58:50 UTC
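
The mapping proposed in this message, from fstab option keys to `geli onetime` flags with defaults for missing keys, sketched as a shell function. This is an added example, not part of the original message or the patchset; the function names, the sample fstab lines and the validation rules are assumptions.

```shell
#!/bin/sh
# Added example, not swapon(8) code. Option names and defaults follow the
# message above; the validation rules are this example's assumption.

valid_algo() { case $1 in ""|-*|*[!A-Za-z0-9/-]*) return 1 ;; esac; }
valid_num()  { case $1 in ""|*[!0-9]*) return 1 ;; esac; }

# Print "geli onetime" flags for one fstab options field; fail on bad values.
# The body is a subshell so IFS and "set -f" do not leak to the caller.
geli_onetime_args() (
    aalgo="" ealgo=aes keylen=256 sectorsize=4096   # defaults from the message
    set -f; IFS=,                                   # split on commas, no globbing
    for o in $1; do
        case $o in
        aalgo=*)      aalgo=${o#*=} ;;
        ealgo=*)      ealgo=${o#*=} ;;
        keylen=*)     keylen=${o#*=} ;;
        sectorsize=*) sectorsize=${o#*=} ;;
        esac          # sw, late, file=... are not geli options
    done
    # Values must not be readable by geli as an extra flag or argument.
    valid_algo "$ealgo" || exit 1
    [ -z "$aalgo" ] || valid_algo "$aalgo" || exit 1
    valid_num "$keylen" && valid_num "$sectorsize" || exit 1
    # -d stays hard coded, as noted in the message.
    printf '%s' "-d${aalgo:+ -a $aalgo} -e $ealgo -l $keylen -s $sectorsize"
)

# Constructed fstab lines: the message's example, a defaults-only entry and
# an entry with malformed values that must be refused.
demo() {
    while read -r dev mnt fstype opts rest; do
        [ "$fstype" = swap ] || continue
        if args=$(geli_onetime_args "$opts"); then
            echo "geli onetime $args ${dev%.eli}"   # printed only, not executed
        else
            echo "refused: $dev ($opts)" >&2
        fi
    done <<'EOF'
/dev/ada1p2.eli none swap sw,ealgo=aes,keylen=256,sectorsize=4096 0 0
/dev/ada2p2.eli none swap sw 0 0
/dev/ada3p2.eli none swap sw,ealgo=-a,keylen=big 0 0
EOF
}
demo
```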
