data-integrity.txt
----------------------------------------------------------------------
1. INTRODUCTION

Modern filesystems feature checksumming of data and metadata to
protect against data corruption. However, the detection of the
corruption is done at read time, which could potentially be months
after the data was written. At that point the original data that the
application tried to write is most likely lost.

The solution is to ensure that the disk is actually storing what the
application meant it to. Recent additions to both the SCSI family of
protocols (SBC Data Integrity Field, SCC protection proposal) and to
SATA/T13 (External Path Protection) try to remedy this by adding
support for appending integrity metadata to an I/O. The integrity
metadata (or protection information in SCSI terminology) includes a
checksum for each sector as well as an incrementing counter that
ensures the individual sectors are written in the right order and,
for some protection schemes, that the I/O is written to the right
place on disk.

Current storage controllers and devices implement various protective
measures, for instance checksumming and scrubbing. But these
technologies work in their own isolated domains or at best between
adjacent nodes in the I/O path. The interesting thing about DIF and
the other integrity extensions is that the protection format is well
defined, so every node in the I/O path can verify the integrity of
the I/O and reject it if corruption is detected. This allows not only
corruption prevention but also isolation of the point of failure.
----------------------------------------------------------------------
2. THE DATA INTEGRITY EXTENSIONS

As written, the protocol extensions only protect the path between
controller and storage device. However, many controllers actually
allow the operating system to interact with the integrity metadata
(IMD). We have been working with several FC/SAS HBA vendors to enable
the protection information to be transferred to and from their
controllers.

The SCSI Data Integrity Field works by appending 8 bytes of protection
information to each sector. The data + integrity metadata is stored
in 520 byte sectors on disk. Data + IMD are interleaved when
transferred between the controller and target. The T13 proposal is
similar.

Because it is highly inconvenient for operating systems to deal with
520 (and 4104) byte sectors, we approached several HBA vendors and
encouraged them to allow separation of the data and integrity metadata
scatter-gather lists.

The controller will interleave the buffers on write and split them on
read. This means that Linux can DMA the data buffers to and from
host memory without changes to the page cache.

Also, the 16-bit CRC checksum mandated by both the SCSI and SATA specs
is somewhat heavy to compute in software. Benchmarks found that
calculating this checksum had a significant impact on system
performance for a number of workloads. Some controllers allow a
lighter-weight checksum to be used when interfacing with the operating
system. Emulex, for instance, supports the TCP/IP checksum instead.
The IP checksum received from the OS is converted to the 16-bit CRC
when writing and vice versa. This allows the integrity metadata to be
generated by Linux or the application at very low cost (comparable to
software RAID5).

The IP checksum is weaker than the CRC in terms of detecting bit
errors. However, the strength is really in the separation of the data
buffers and the integrity metadata. These two distinct buffers must
match up for an I/O to complete. Note that neither checksum is a
cryptographic MAC: the scheme detects accidental corruption and
misdirected or out-of-order writes, not deliberate tampering by a
component that can rewrite both buffers consistently.

The separation of the data and integrity metadata buffers as well as
the choice in checksums is referred to as the Data Integrity
Extensions. As these extensions are outside the scope of the protocol
bodies (T10, T13), Oracle and its partners are trying to standardize
them within the Storage Networking Industry Association.
----------------------------------------------------------------------
3. KERNEL CHANGES

The data integrity framework in Linux enables protection information
to be pinned to I/Os and sent to/received from controllers that
support it.

The advantage of the integrity extensions in SCSI and SATA is that
they enable us to protect the entire path from application to storage
device. However, at the same time this is also the biggest
disadvantage. It means that the protection information must be in a
format that can be understood by the disk.

Generally Linux/POSIX applications are agnostic to the intricacies of
the storage devices they are accessing. The virtual filesystem switch
and the block layer make things like hardware sector size and
transport protocols completely transparent to the application.
However, this level of detail is required when preparing the
protection information to send to a disk. Consequently, the very
concept of an end-to-end protection scheme is a layering violation.
It is completely unreasonable for an application to be aware whether
it is accessing a SCSI or SATA disk.

The data integrity support implemented in Linux attempts to hide this
from the application. As far as the application (and to some extent
the kernel) is concerned, the integrity metadata is opaque information
that's attached to the I/O.

The current implementation allows the block layer to automatically
generate the protection information for any I/O. Eventually the
intent is to move the integrity metadata calculation to userspace for
user data. Metadata and other I/O that originates within the kernel
will still use the automatic generation interface.

Some storage devices allow each hardware sector to be tagged with a
16-bit value. The owner of this tag space is the owner of the block
device, i.e. the filesystem in most cases. The filesystem can use
this extra space to tag sectors as it sees fit. Because the tag
space is limited, the block interface allows tagging bigger chunks by
way of interleaving. This way, 8*16 bits of information can be
attached to a typical 4KB filesystem block (eight 512-byte sectors
with 2 bytes of tag each).

This also means that applications such as fsck and mkfs will need
access to manipulate the tags from user space. A passthrough
interface for this is being worked on.
----------------------------------------------------------------------
4. BLOCK LAYER IMPLEMENTATION DETAILS

4.1 BIO

The data integrity patches add a new field to struct bio when
CONFIG_BLK_DEV_INTEGRITY is enabled. bio->bi_integrity is a pointer
to a struct bip (struct bio_integrity_payload in the kernel headers)
which contains the bio integrity payload. Essentially a bip is a
trimmed down struct bio which holds a bio_vec containing the
integrity metadata and the required housekeeping information (bvec
pool, vector count, etc.)

A kernel subsystem can enable data integrity protection on a bio by
calling bio_integrity_alloc(bio). This will allocate and attach the
bip to the bio.

Individual pages containing integrity metadata can subsequently be
attached using bio_integrity_add_page().

bio_free() will automatically free the bip.

4.2 BLOCK DEVICE

Because the format of the protection data is tied to the physical
disk, each block device has been extended with a block integrity
profile (struct blk_integrity). This optional profile is registered
with the block layer using blk_integrity_register().

The profile contains callback functions for generating and verifying
the protection data, as well as getting and setting application tags.
The profile also contains a few constants to aid in completing,
merging and splitting the integrity metadata.

Layered block devices will need to pick a profile that's appropriate
for all subdevices. blk_integrity_compare() can help with that. DM
and MD linear, RAID0 and RAID1 are currently supported. RAID4/5/6
will require extra work due to the application tag.
----------------------------------------------------------------------
5. BLOCK LAYER INTEGRITY API

5.1 NORMAL FILESYSTEM

The normal filesystem is unaware that the underlying block device
is capable of sending/receiving integrity metadata. The IMD will
be automatically generated by the block layer at submit_bio() time
in case of a WRITE. A READ request will cause the I/O integrity
to be verified upon completion.

IMD generation and verification can be toggled using the

    /sys/block/<bdev>/integrity/write_generate

and

    /sys/block/<bdev>/integrity/read_verify

flags. Both attributes read back as 0 or 1; writing 0 switches the
corresponding step off for that device.

5.2 INTEGRITY-AWARE FILESYSTEM

A filesystem that is integrity-aware can prepare I/Os with IMD
attached. It can also use the application tag space if this is
supported by the block device.

    int bdev_integrity_enabled(block_device, int rw);

      bdev_integrity_enabled() will return 1 if the block device
      supports integrity metadata transfer for the data direction
      specified in 'rw'.

      bdev_integrity_enabled() honors the write_generate and
      read_verify flags in sysfs and will respond accordingly.

    int bio_integrity_prep(bio);

      To generate IMD for WRITE and to set up buffers for READ, the
      filesystem must call bio_integrity_prep(bio).

      Prior to calling this function, the bio data direction and start
      sector must be set, and the bio should have all data pages
      added. It is up to the caller to ensure that the bio does not
      change while I/O is in progress.

      bio_integrity_prep() should only be called if
      bdev_integrity_enabled() returned 1 for the bio's direction.

    int bio_integrity_tag_size(bio);

      If the filesystem wants to use the application tag space it will
      first have to find out how much storage space is available.
      Because tag space is generally limited (usually 2 bytes per
      sector regardless of sector size), the integrity framework
      supports interleaving the information between the sectors in an
      I/O.

      Filesystems can call bio_integrity_tag_size(bio) to find out how
      many bytes of storage are available for that particular bio.

      Another option is bdev_get_tag_size(block_device) which will
      return the number of available bytes per hardware sector.

    int bio_integrity_set_tag(bio, void *tag_buf, len);

      After a successful return from bio_integrity_prep(),
      bio_integrity_set_tag() can be used to attach an opaque tag
      buffer to a bio. Obviously this only makes sense if the I/O is
      a WRITE.

    int bio_integrity_get_tag(bio, void *tag_buf, len);

      Similarly, at READ I/O completion time the filesystem can
      retrieve the tag buffer using bio_integrity_get_tag().

5.3 PASSING EXISTING INTEGRITY METADATA

Filesystems that either generate their own integrity metadata or
are capable of transferring IMD from user space can use the
following calls:

    struct bip * bio_integrity_alloc(bio, gfp_mask, nr_pages);

      Allocates the bio integrity payload and hangs it off of the bio.
      nr_pages indicates how many pages of protection data need to be
      stored in the integrity bio_vec list (similar to bio_alloc()).

      The integrity payload will be freed at bio_free() time.

    int bio_integrity_add_page(bio, page, len, offset);

      Attaches a page containing integrity metadata to an existing
      bio. The bio must have an existing bip,
      i.e. bio_integrity_alloc() must have been called. For a WRITE,
      the integrity metadata in the pages must be in a format
      understood by the target device with the notable exception that
      the sector numbers will be remapped as the request traverses the
      I/O stack. This implies that the pages added using this call
      will be modified during I/O! The first reference tag in the
      integrity metadata must have a value of bip->bip_sector.

      Pages can be added using bio_integrity_add_page() as long as
      there is room in the bip bio_vec array (nr_pages).

      Upon completion of a READ operation, the attached pages will
      contain the integrity metadata received from the storage device.
      It is up to the receiver to process them and verify data
      integrity upon completion.

5.4 REGISTERING A BLOCK DEVICE AS CAPABLE OF EXCHANGING INTEGRITY METADATA

To enable integrity exchange on a block device the gendisk must be
registered as capable:

    int blk_integrity_register(gendisk, blk_integrity);

The blk_integrity struct is a template and should contain the
following:

    static struct blk_integrity my_profile = {
        .name           = "STANDARDSBODY-TYPE-VARIANT-CSUM",
        .generate_fn    = my_generate_fn,
        .verify_fn      = my_verify_fn,
        .get_tag_fn     = my_get_tag_fn,
        .set_tag_fn     = my_set_tag_fn,
        .tuple_size     = sizeof(struct my_tuple),
        .tag_size       = <tag bytes per hw sector>,
    };

'name' is a text string which will be visible in sysfs (as
/sys/block/<bdev>/integrity/format). This is part of the userland
API so choose it carefully and never change it. The format is
standards body-type-variant-checksum, e.g. T10-DIF-TYPE1-IP or
T13-EPP-0-CRC.

'generate_fn' generates appropriate integrity metadata (for WRITE).

'verify_fn' verifies that the data buffer matches the integrity
metadata.

'tuple_size' must be set to match the size of the integrity
metadata per sector, i.e. 8 for DIF and EPP.

'tag_size' must be set to identify how many bytes of tag space
are available per hardware sector. For DIF this is either 2 or
0 depending on the value of the Control Mode Page ATO bit.

See 5.2 for a description of get_tag_fn and set_tag_fn.
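The profile callbacks above are easier to reason about with a concrete tuple in hand. What follows is an added example written for this page, not kernel code: a user-space model of a T10 DIF Type 1 profile with a generate_fn, a verify_fn that reports which sector failed, set_tag_fn/get_tag_fn that interleave an opaque tag buffer across the eight app tags of a 4KB block (section 3), and the reference-tag rewrite that a remap in the stack requires (section 5.3). Both guard flavours from section 2 are included, the CRC-16/T10-DIF (polynomial 0x8BB7) and the RFC 1071 IP checksum. The tuple layout and algorithms are those of the kernel's T10-DIF-TYPE1-CRC and T10-DIF-TYPE1-IP profiles; everything else (function names, status codes, the 0xFFFF escape constant name, the constructed sector data and LBAs) is this example's own, and fields are kept in host byte order whereas real DIF tuples are big-endian on the wire.

```c
/* Added example, not kernel code: a user-space model of a T10 DIF Type 1 profile.  Tuple
 * layout, the CRC-16/T10-DIF polynomial 0x8BB7 and the IP checksum guard are what the
 * kernel's T10-DIF-TYPE1-CRC / -IP profiles use; fields are kept in host order here
 * (big-endian on the wire).  Function names, status codes and data are the example's own. */
#include <stdint.h>
#include <string.h>
#define SECTOR_SIZE 512
#define APP_TAG_ESCAPE 0xFFFF   /* T10 Type 1: all-ones app tag tells the target not to check */
struct dif_tuple {        /* 8 bytes of protection information per sector */
	uint16_t guard;   /* CRC or IP checksum over the 512 data bytes */
	uint16_t app_tag; /* owned by the filesystem, opaque to the disk */
	uint32_t ref_tag; /* Type 1: low 32 bits of the target LBA */
};
enum guard_type { GUARD_CRC, GUARD_IP };
enum dif_status { DIF_OK, DIF_BAD_GUARD, DIF_BAD_REF };

/* CRC-16/T10-DIF: poly 0x8BB7, init 0, no reflection, no final XOR. */
static uint16_t crc_t10dif(const uint8_t *p, size_t len)
{
	uint16_t crc = 0;
	while (len--) {
		crc ^= (uint16_t)(*p++ << 8);
		for (int b = 0; b < 8; b++)
			crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x8BB7) : (uint16_t)(crc << 1);
	}
	return crc;
}

/* RFC 1071 Internet checksum: far cheaper than the CRC, but weaker. */
static uint16_t ip_csum(const uint8_t *p, size_t len)
{
	uint32_t sum = 0;
	for (size_t i = 0; i + 1 < len; i += 2) sum += (uint32_t)(p[i] << 8) | p[i + 1];
	if (len & 1) sum += (uint32_t)(p[len - 1] << 8);
	while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
	return (uint16_t)~sum;
}
#define GUARD_OF(t, s) ((t) == GUARD_CRC ? crc_t10dif((s), SECTOR_SIZE) : ip_csum((s), SECTOR_SIZE))

/* generate_fn: one tuple per sector, ref tags counting up from the start LBA. */
static void dif_generate(enum guard_type t, const uint8_t *d, struct dif_tuple *pi, unsigned n, uint32_t seed)
{
	for (unsigned i = 0; i < n; i++) {
		pi[i].guard = GUARD_OF(t, d + (size_t)i * SECTOR_SIZE);
		pi[i].app_tag = 0;
		pi[i].ref_tag = seed + i;
	}
}

/* verify_fn: reports the failing sector, which is what lets the I/O path localise a fault. */
static enum dif_status dif_verify(enum guard_type t, const uint8_t *d, const struct dif_tuple *pi,
				  unsigned n, uint32_t seed, unsigned *bad)
{
	for (unsigned i = 0; i < n; i++) {
		if (pi[i].app_tag == APP_TAG_ESCAPE) continue;
		*bad = i;
		if (pi[i].ref_tag != seed + i) return DIF_BAD_REF;
		if (pi[i].guard != GUARD_OF(t, d + (size_t)i * SECTOR_SIZE)) return DIF_BAD_GUARD;
	}
	return DIF_OK;
}

/* set_tag_fn / get_tag_fn: interleave an opaque buffer over the 2-byte app tags (16 bytes per 4 KB). */
static size_t dif_set_tag(struct dif_tuple *pi, unsigned n, const uint8_t *tag, size_t len)
{
	size_t m = len < 2u * n ? len : 2u * n;
	for (size_t i = 0; i < m; i += 2)
		pi[i / 2].app_tag = (uint16_t)(tag[i] << 8 | (i + 1 < m ? tag[i + 1] : 0));
	return m;
}
static size_t dif_get_tag(const struct dif_tuple *pi, unsigned n, uint8_t *tag, size_t len)
{
	size_t m = len < 2u * n ? len : 2u * n;
	for (size_t i = 0; i < m; i++) tag[i] = (uint8_t)(pi[i / 2].app_tag >> ((i & 1) ? 0 : 8));
	return m;
}

/* Constructed scenario: a 4 KB write at LBA 1000 that is tagged, corrupted in flight and
 * remapped by a stacked device (5.3).  Returns 0, or the number of the step that failed. */
int dif_selfcheck(void)
{
	static uint8_t data[8 * SECTOR_SIZE];
	struct dif_tuple pi[8];
	uint8_t tin[16], tout[16];
	unsigned bad = 99;
	for (size_t i = 0; i < sizeof data; i++) data[i] = (uint8_t)(i * 7 + 3);
	for (int i = 0; i < 16; i++) tin[i] = (uint8_t)(0xA0 + i);
	dif_generate(GUARD_CRC, data, pi, 8, 1000);
	if (dif_verify(GUARD_CRC, data, pi, 8, 1000, &bad) != DIF_OK) return 1;
	if (dif_set_tag(pi, 8, tin, 16) != 16 || dif_get_tag(pi, 8, tout, 16) != 16 || memcmp(tin, tout, 16)) return 2;
	data[5 * SECTOR_SIZE + 17] ^= 0x01;                    /* one bit flipped in sector 5 */
	if (dif_verify(GUARD_CRC, data, pi, 8, 1000, &bad) != DIF_BAD_GUARD || bad != 5) return 3;
	data[5 * SECTOR_SIZE + 17] ^= 0x01;
	for (int i = 0; i < 8; i++) pi[i].ref_tag = 5000 + i;  /* request remapped to LBA 5000 */
	if (dif_verify(GUARD_CRC, data, pi, 8, 1000, &bad) != DIF_BAD_REF || bad != 0) return 4;
	if (dif_verify(GUARD_CRC, data, pi, 8, 5000, &bad) != DIF_OK) return 5;
	dif_generate(GUARD_IP, data, pi, 8, 5000); data[0] ^= 0x80;   /* the cheap DIX guard */
	return dif_verify(GUARD_IP, data, pi, 8, 5000, &bad) == DIF_BAD_GUARD && bad == 0 ? 0 : 6;
}
int main(void) { return dif_selfcheck(); }   /* exit status 0 means every step passed */
```

Build with any C99 compiler and run it; an exit status of 0 means every step of the scenario passed. One caveat worth carrying into a real set_tag_fn: an application tag of 0xFFFF is the T10 Type 1 escape that tells the target (and the verify path here) to skip checking that sector, so a filesystem that treats the tag space as a fully opaque byte store can silently disable protection for any sector whose two tag bytes happen to be all ones.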
----------------------------------------------------------------------
2007-12-24 Martin K. Petersen <martin.petersen@oracle.com>