LU-8590: Fix issues with SK privacy and integrity mode

Details

    • Bug
    • Resolution: Fixed
    • Blocker
    • Lustre 2.9.0, Lustre 2.10.0
    • Lustre 2.9.0

    Description

      Create a new ticket for tracking fixes to GSS/SK, since LU-3289 (the main feature implementation tracker) has been closed since the SSK feature is landed for 2.9.0 already.

      Several fixes are needed for skpi:

      1. The original SK patches failed to account for out of order
      handling of RPCs and bulk pages during encryption. As a result
      clients would be out of sync with the IV used for decryption.
      This patch moves the encryption to a format similar to RFC3686
      to handle these RPCs and bulk pages.

      2. A header was added to the SK mode RPCs to allow versioning and
      send the unencrypted IV used for an RPC. The versioning will allow
      for future protocol changes.

      3. Several changes to fix or improve security of the implementation
      based on a security review from Matthew Wood at Intel:

      • Derive a unique key for integrity modes instead of using the
        shared secret key (ska, ski, and skpi modes). This helps prevent
        replays.
      • Use PBKDF2 instead of HMAC to derive keys for integrity and
        encryption.
      • Have the server side pass a random value (like the client) and
        incorporate this value into the key binding information.

      4. Store generated prime into the client key file to avoid generating
      a new prime for every connection, which takes too long.

      5. Increase the default key size to 2048 bits, after #4 is done.

      Since #1 and #2 are network protocol changes, this is a blocker for the 2.9.0 release.
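
      The protocol changes in items 1 to 3, sketched as an added example (not Lustre's code and not taken from the patch): a versioned header carrying the cleartext IV, an RFC 3686 style counter block, and PBKDF2-derived keys bound to both peers' random values. The header layout, KDF labels, iteration count, and the use of HMAC-SHA256 in place of AES as the block function are assumptions chosen so the example runs with the Python standard library alone.

```python
import hashlib, hmac, struct

SK_VERSION = 1      # hypothetical header version value
HDR = ">HQ"         # hypothetical header layout: version (2 bytes) | IV (8 bytes)

def derive_keys(secret, client_rand, server_rand, iters=10_000):
    """PBKDF2 over the shared secret, salted with both peers' random values.
    Distinct labels keep the integrity key separate from the shared secret
    and from the encryption key."""
    salt = client_rand + server_rand
    def kdf(label, n):
        return hashlib.pbkdf2_hmac("sha256", secret, salt + label, iters, n)
    return kdf(b"enc", 32), kdf(b"int", 32), kdf(b"nonce", 4)

def _xor_keystream(enc_key, nonce, iv, data):
    # RFC 3686 counter block: nonce (4) | per-message IV (8) | block counter (4),
    # counter starting at 1. HMAC-SHA256 stands in for the AES block function.
    out = bytearray()
    for ctr in range(1, len(data) // 32 + 2):
        block = nonce + struct.pack(">QI", iv, ctr)
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
    return bytes(d ^ k for d, k in zip(data, out))

def seal(keys, iv, plaintext):
    enc_key, int_key, nonce = keys
    header = struct.pack(HDR, SK_VERSION, iv)      # IV is sent in the clear
    body = _xor_keystream(enc_key, nonce, iv, plaintext)
    tag = hmac.new(int_key, header + body, hashlib.sha256).digest()
    return header + body + tag

def unseal(keys, msg):
    enc_key, int_key, nonce = keys
    hlen = struct.calcsize(HDR)
    header, body, tag = msg[:hlen], msg[hlen:-32], msg[-32:]
    version, iv = struct.unpack(HDR, header)
    if version != SK_VERSION:
        raise ValueError("unsupported SK header version")
    expect = hmac.new(int_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed")
    return _xor_keystream(enc_key, nonce, iv, body)

def demo():
    # Constructed secret and random values, for illustration only.
    keys = derive_keys(b"constructed shared secret", b"C" * 16, b"S" * 16)
    sent = [seal(keys, iv, b"rpc payload %d" % iv) for iv in (1, 2, 3)]
    # Deliver in reverse: each message carries its own IV, so order is irrelevant.
    return [unseal(keys, m) for m in reversed(sent)]
```

      Because the receiver reads the IV from each header instead of tracking a running IV, reordered RPCs and bulk pages decrypt correctly, and the sender only has to keep IVs unique per key.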

          Activity

            Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/23722/
            Subject: LU-8590 utils: remove duplicate code in lgss_sk
            Project: fs/lustre-release
            Branch: master
            Current Patch Set:
            Commit: a598df837b946711407ec93eed08f144dae6d35a


            Oleg Drokin (oleg.drokin@intel.com) merged in patch http://review.whamcloud.com/23691/
            Subject: LU-8590 utils: fix minor issues in lgss_sk usage
            Project: fs/lustre-release
            Branch: master
            Current Patch Set:
            Commit: 075f98e585a27b846ebd26f1d70a77eefb0f8c5f


            Andreas Dilger (andreas.dilger@intel.com) uploaded a new patch: http://review.whamcloud.com/23722
            Subject: LU-8590 utils: remove duplicate code in lgss_sk
            Project: fs/lustre-release
            Branch: master
            Current Patch Set: 1
            Commit: 265b5ee8af385086a6ba9b729c02573b26b7647b


            Andreas Dilger (andreas.dilger@intel.com) uploaded a new patch: http://review.whamcloud.com/23691
            Subject: LU-8590 gss: fix minor issues in lgss_sk usage
            Project: fs/lustre-release
            Branch: master
            Current Patch Set: 1
            Commit: a4a607f40012a6c7365b26f59a1b97a1a095bfd6

            pjones Peter Jones added a comment -

            Landed for 2.9


            Oleg Drokin (oleg.drokin@intel.com) merged in patch http://review.whamcloud.com/23322/
            Subject: LU-8590 gss: Move DH parameter generation out of upcall
            Project: fs/lustre-release
            Branch: master
            Current Patch Set:
            Commit: 2de43286f95281648881033062abf9503bd60541


            Andreas Dilger (andreas.dilger@intel.com) uploaded a new patch: http://review.whamcloud.com/22987
            Subject: LU-8590 ssk: increase default keylen to 2048 bits
            Project: fs/lustre-release
            Branch: master
            Current Patch Set: 1
            Commit: 5bb5749cc3ad301b6d21174cd1b97583b7c08e50

            pjones Peter Jones added a comment - - edited

            Items #1-3 are addressed by patch
            http://review.whamcloud.com/21922


            People

              jfilizetti Jeremy Filizetti
              adilger Andreas Dilger