After experiencing an unexplained restart on one host (11.0-RELEASE-p7),
which could be tied to a problem with a swap device (swap on a dedicated
gpt partition), I'm investigating options for adding some checksumming
to swap storage.
I understand that swap on ZFS is not the way to go and that a gmirror
does not provide any checksumming on data, so it seems to me the only
option is to use GELI with integrity verification (authentication)
enabled (aalgo).
Following advice in
https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/swap-encrypting.html
I ended up with the following in /etc/fstab (on a different host, same
OS):
/dev/gpt/sw1.eli none swap sw,sectorsize=4096,aalgo=HMAC/SHA256 0 0
/dev/gpt/sw2.eli none swap sw,sectorsize=4096,aalgo=HMAC/SHA256 0 0
which seems to work fine, but spawns some questions:
1) On the first manual reboot after adding the above options,
there was a kernel panic. Subsequent reboot(s) were successful.
Is there any known problem with using integrity verification
on GELI for swap?
2) During boot the log shows a short flurry of messages like:
kernel: GEOM_ELI: Device gpt/sw1.eli created.
kernel: GEOM_ELI: Encryption: AES-XTS 128
kernel: GEOM_ELI: Integrity: HMAC/SHA256
kernel: GEOM_ELI: Crypto: software
kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 16384 bytes of data at offset 11452985344.
kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 4096 bytes of data at offset 11453235200.
kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 4096 bytes of data at offset 11453239296.
kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 4096 bytes of data at offset 11453239296.
kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 4096 bytes of data at offset 11453239296.
kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 4096 bytes of data at offset 11453235200.
kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 4096 bytes of data at offset 4096.
kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 4096 bytes of data at offset 0.
kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 4096 bytes of data at offset 11453239296.
kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 8192 bytes of data at offset 65536.
kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 8192 bytes of data at offset 8192.
kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 8192 bytes of data at offset 0.
which, according to the geli(8) man page, could be normal, as these blocks
were never written to beforehand and contain random stuff. As the geli swap
device is supposed to be ephemeral (Flags: ONETIME, W-DETACH, AUTH, W-OPEN),
there is no way to initialize blocks on a swap device on boot. So, are these
messages really safe to ignore?
Which brings us to another, perhaps more important, question: what business
does a kernel have READING from a swap device blocks which have never been
written to before by this incarnation of the kernel???
3) Considering that the underlying device is a 4k-sectored device, and
that HMAC/SHA256 takes some space (like 11%) on its own, what does it mean
that the provider (gpt/sw1.eli) as well as the consumer (gpt/sw1)
both show sector size 4096? Does that mean that all 4k alignment efforts
are wasted when one enables integrity verification on GELI?
Geom name: gpt/sw1.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 128
AuthenticationAlgorithm: HMAC/SHA256
Crypto: software
Version: 7
Flags: ONETIME, W-DETACH, AUTH, W-OPEN
KeysAllocated: 24
KeysTotal: 24
Providers:
1. Name: gpt/sw1.eli
Mediasize: 11453243392 (11G)
Sectorsize: 4096
Mode: r1w1e0
Consumers:
1. Name: gpt/sw1
Mediasize: 12884901888 (12G)
Sectorsize: 512
Stripesize: 4096
Stripeoffset: 0
Mode: r1w1e1
Mark
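Added illustration for questions 2 and 3 above; this is editor-written example code, not part of the original post and not FreeBSD's code. It reproduces GELI's authenticated-sector layout arithmetic as I read it from g_eli_create() in sys/geom/eli/g_eli.c (that reading is an assumption, but it yields exactly the 11453243392-byte Mediasize printed in the post's geli list output), then parses the "Failed to authenticate" messages, re-joining lines that were wrapped in the mail, and reports where each offset sits on the provider and where the same sector lands on the raw 512-byte device. Function names and the sample log are constructed for this example; the sample log's figures are copied from the post.

```python
"""Check a GELI AUTH provider's geometry and classify authentication failures.

Assumption (my reading of g_eli_create()): with authentication each raw sector
of the consumer holds (raw_sectorsize - MAC length) bytes of payload, so one
data sector of `data_sectorsize` bytes is spread over
ceil(data_sectorsize / payload_per_raw_sector) raw sectors.  ONETIME devices
(swap) keep no metadata sector, so nothing is subtracted for it.
"""
import re

# Digest lengths (bytes) of the HMAC algorithms geli(8) accepts for -a.
MAC_LEN = {"HMAC/MD5": 16, "HMAC/SHA1": 20, "HMAC/RIPEMD160": 20,
           "HMAC/SHA256": 32, "HMAC/SHA384": 48, "HMAC/SHA512": 64}

# Constructed sample: the post's wrapped log lines and geometry figures.
SAMPLE_LOG = """\
kernel: GEOM_ELI: Device gpt/sw1.eli created.
kernel: GEOM_ELI: Integrity: HMAC/SHA256
kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 16384 bytes of
data at offset 11452985344.
kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 4096 bytes of data
at offset 11453235200.
kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 4096 bytes of data
at offset 11453239296.
kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 4096 bytes of data
at offset 11453239296.
kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 4096 bytes of data
at offset 11453239296.
kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 4096 bytes of data
at offset 11453235200.
kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 4096 bytes of data
at offset 4096.
kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 4096 bytes of data
at offset 0.
kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 4096 bytes of data
at offset 11453239296.
kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 8192 bytes of data
at offset 65536.
kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 8192 bytes of data
at offset 8192.
kernel: GEOM_ELI: gpt/sw1.eli: Failed to authenticate 8192 bytes of data
at offset 0.
"""
RAW_MEDIASIZE, RAW_SECTORSIZE, DATA_SECTORSIZE = 12884901888, 512, 4096

FAIL_RE = re.compile(r"GEOM_ELI: (\S+): Failed to authenticate (\d+) bytes "
                     r"of data at offset (\d+)\.")


def geli_auth_layout(raw_mediasize, raw_sectorsize, data_sectorsize,
                     aalgo="HMAC/SHA256", onetime=True):
    """Return (raw bytes occupied per data sector, resulting provider mediasize)."""
    payload_per_raw = raw_sectorsize - MAC_LEN[aalgo]
    raw_sectors_per_data = (data_sectorsize - 1) // payload_per_raw + 1
    bytes_per_sector = raw_sectors_per_data * raw_sectorsize
    usable = raw_mediasize if onetime else raw_mediasize - raw_sectorsize
    mediasize = usable // bytes_per_sector * data_sectorsize
    return bytes_per_sector, mediasize


def parse_auth_failures(log_text):
    """Yield (device, length, offset) for each failure, re-joining wrapped lines."""
    joined = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("kernel:") or not joined:
            joined.append(line)
        else:                      # continuation of the previous message
            joined[-1] += " " + line
    out = []
    for line in joined:
        m = FAIL_RE.search(line)
        if m:
            out.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return out


def classify_failures(events, mediasize, data_sectorsize, bytes_per_sector,
                      edge=1 << 20):
    """Group failures by provider offset, tagging head/tail position and the
    byte offset of the same sector on the raw consumer (assumed linear map)."""
    summary = {}
    for dev, length, off in events:
        region = "head" if off < edge else ("tail" if mediasize - off <= edge
                                            else "middle")
        raw_off = off // data_sectorsize * bytes_per_sector
        e = summary.setdefault(off, {
            "dev": dev, "count": 0, "region": region, "raw_offset": raw_off,
            "raw_4k_aligned": raw_off % 4096 == 0,
            "in_range": off + length <= mediasize})
        e["count"] += 1
    return summary


if __name__ == "__main__":
    bps, ms = geli_auth_layout(RAW_MEDIASIZE, RAW_SECTORSIZE, DATA_SECTORSIZE)
    print(f"{bps} raw bytes per {DATA_SECTORSIZE}-byte sector, mediasize {ms}")
    for off, e in sorted(classify_failures(parse_auth_failures(SAMPLE_LOG),
                                           ms, DATA_SECTORSIZE, bps).items()):
        print(f"off={off:>12} x{e['count']} {e['region']:<6} "
              f"raw={e['raw_offset']} aligned4k={e['raw_4k_aligned']}")
```

Run it and the geometry line shows each 4096-byte data sector costing 4608 raw bytes (nine 512-byte sectors), which is why the provider is 11G on a 12G partition, and the per-offset lines show that every offset in the post is either in the first 64 KiB or the last 256 KiB of the provider and that odd-numbered data sectors map to raw offsets that are not 4 KiB multiples.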