feat(pool/encryption): handle new create and import API

Signed-off-by: Diwakar Sharma <diwakar.sharma@datacore.com>

Author: dsharma-dc

io-engine-tests/src/pool.rs

@@ -272,6 +272,8 @@ impl PoolBuilderLocal {
             cluster_size: None,
             md_args: None,
             backend: Default::default(),
+            enc_key: None,
+            crypto_vbdev_name: None,
         })
         .await?;
         Ok(lvs)

io-engine/examples/lvs-eval/main.rs

@@ -136,6 +136,8 @@ async fn create_lvs(args: &CliArgs) -> Lvs {
             md_resv_ratio: args.md_resv_ratio,
         }),
         backend: Default::default(),
+        enc_key: None,
+        crypto_vbdev_name: None,
     };
 
     Lvs::create_or_import(lvs_args.clone()).await.unwrap()

io-engine/src/bdev/lvs.rs

@@ -34,6 +34,8 @@ use crate::{
     pool_backend::{PoolArgs, PoolBackend},
 };
 
+use super::crypto::EncryptionKey;
+
 /// An lvol specified via URI.
 pub(super) struct Lvol {
     /// Name of the lvol.
@@ -50,6 +52,8 @@ struct Lvs {
     disk: String,
     /// The lvs creation mode.
     mode: LvsMode,
+    // Encryption key - if the lvs is encrypted.
+    key: Option<EncryptionKey>,
 }
 
 impl Debug for Lvol {
@@ -144,6 +148,7 @@ impl TryFrom<String> for Lvs {
             name: uri.path()[1..].into(),
             disk,
             mode,
+            key: None,
         })
     }
 }
@@ -209,6 +214,9 @@ impl Lvs {
             cluster_size: None,
             md_args: None,
             backend: PoolBackend::Lvs,
+            enc_key: self.key.clone(),
+            // XXX: Is this path ever exercised apart from test, or casperf perhaps?
+            crypto_vbdev_name: self.key.as_ref().map(|_| format!("crypto_{}", self.name)),
         };
         match &self.mode {
             LvsMode::Create => match crate::lvs::Lvs::import_from_args(args.clone()).await {

io-engine/src/bin/io-engine-client/v1/pool_cli.rs

@@ -54,6 +54,29 @@ pub fn subcommands() -> Command {
                 .required(false)
                 .value_parser(PoolType::types().to_vec())
                 .default_value(PoolType::Lvs.as_ref()),
+        )
+        .arg(
+            Arg::new("cipher")
+                .short('c')
+                .long("cipher")
+                .help("The cipher to use for encryption")
+                .required(false)
+                .requires("encryption-key"),
+        )
+        .arg(
+            Arg::new("encryption-key")
+                .short('k')
+                .long("encryption-key")
+                .help("The encryption key of the pool in hexlified format")
+                .required(false),
+        )
+        .arg(
+            Arg::new("xts-key")
+                .short('e')
+                .long("xts-key")
+                .help("encryption key2 required for AES_XTS")
+                .required(false)
+                .required_if_eq("cipher", "AES_XTS"),
         );
 
     let import = Command::new("import")
@@ -86,6 +109,28 @@ pub fn subcommands() -> Command {
                 .required(false)
                 .value_parser(PoolType::types().to_vec())
                 .default_value(PoolType::Lvs.as_ref()),
+        )
+        .arg(
+            Arg::new("cipher")
+                .short('c')
+                .long("cipher")
+                .help("The cipher to use for encryption")
+                .required(false)
+                .requires("encryption-key"),
+        )
+        .arg(
+            Arg::new("encryption-key")
+                .short('k')
+                .long("encryption-key")
+                .help("The encryption key of the pool in hexlified format")
+                .required(false),
+        )
+        .arg(
+            Arg::new("xts-key")
+                .short('e')
+                .long("xts-key")
+                .help("encryption key2 required for AES_XTS")
+                .required_if_eq("cipher", "AES_XTS"),
         );
 
     let destroy = Command::new("destroy")
@@ -211,6 +256,19 @@ async fn create(mut ctx: Context, matches: &ArgMatches) -> crate::Result<()> {
         .to_owned();
 
     let uuid = matches.get_one::<String>("uuid");
+    let cipher = matches.get_one::<String>("cipher");
+
+    if let Some(c) = cipher {
+        if !c.eq_ignore_ascii_case("AES_XTS") && !c.eq_ignore_ascii_case("AES_CBC") {
+            return Err(Status::invalid_argument(
+                "Need valid cipher(AES_XTS or AES_CBC)",
+            ))
+            .context(GrpcStatus);
+        }
+    }
+
+    let enc_key = matches.get_one::<String>("encryption-key");
+    let xts_key = matches.get_one::<String>("xts-key");
 
     let disks_list = matches
         .get_many::<String>("disk")
@@ -251,6 +309,23 @@ async fn create(mut ctx: Context, matches: &ArgMatches) -> crate::Result<()> {
         None => None,
     };
 
+    let enc_key_msg = enc_key.map(|k| v1rpc::common::EncryptionKey {
+        key_name: "key_".to_owned() + k.as_str(),
+        key: k.clone().into(),
+        key_length: (k.len() * 4) as u32,
+        key2: xts_key.map(|k2| k2.clone().into()),
+        key2_length: xts_key.map(|x| { x.len() * 4 } as u32),
+    });
+
+    let enc_msg = enc_key_msg.map(|e| {
+        v1rpc::common::create_pool_request::Encryption::Data(v1rpc::common::EncryptionData {
+            cipher: v1rpc::common::Cipher::from_str_name(cipher.unwrap())
+                .unwrap()
+                .into(),
+            key: Some(e),
+        })
+    });
+
     let response = ctx
         .v1
         .pool
@@ -261,7 +336,7 @@ async fn create(mut ctx: Context, matches: &ArgMatches) -> crate::Result<()> {
             pooltype: v1rpc::pool::PoolType::from(pooltype) as i32,
             cluster_size,
             md_args: Some(v1rpc::pool::PoolMetadataArgs { md_resv_ratio }),
-            encryption: None,
+            encryption: enc_msg,
         })
         .await
         .context(GrpcStatus)?;
@@ -284,6 +359,21 @@ async fn create(mut ctx: Context, matches: &ArgMatches) -> crate::Result<()> {
     Ok(())
 }
 
+#[derive(EnumString, VariantNames, AsRefStr)]
+#[strum(serialize_all = "UPPERCASE")]
+pub(super) enum Cipher {
+    AesCbc,
+    AesXts,
+}
+impl From<Cipher> for v1rpc::common::Cipher {
+    fn from(value: Cipher) -> Self {
+        match value {
+            Cipher::AesCbc => Self::AesCbc,
+            Cipher::AesXts => Self::AesXts,
+        }
+    }
+}
+
 #[derive(EnumString, VariantNames, AsRefStr)]
 #[strum(serialize_all = "camelCase")]
 pub(super) enum PoolType {
@@ -312,6 +402,20 @@ async fn import(mut ctx: Context, matches: &ArgMatches) -> crate::Result<()> {
         })?
         .to_owned();
     let uuid = matches.get_one::<String>("uuid");
+    let cipher = matches.get_one::<String>("cipher");
+
+    if let Some(c) = cipher {
+        if !c.eq_ignore_ascii_case("AES_XTS") && !c.eq_ignore_ascii_case("AES_CBC") {
+            return Err(Status::invalid_argument(
+                "Need valid cipher(AES_XTS or AES_CBC)",
+            ))
+            .context(GrpcStatus);
+        }
+    }
+
+    let enc_key = matches.get_one::<String>("encryption-key");
+    let xts_key = matches.get_one::<String>("xts-key");
+
     let disks_list = matches
         .get_many::<String>("disk")
         .ok_or_else(|| ClientError::MissingValue {
@@ -326,6 +430,23 @@ async fn import(mut ctx: Context, matches: &ArgMatches) -> crate::Result<()> {
         .map_err(|e| Status::invalid_argument(e.to_string()))
         .context(GrpcStatus)?;
 
+    let enc_key_msg = enc_key.map(|k| v1rpc::common::EncryptionKey {
+        key_name: "key_".to_owned() + k,
+        key: k.clone().into(),
+        key_length: k.len() as u32,
+        key2: xts_key.map(|k2| k2.clone().into()),
+        key2_length: xts_key.map(|x| x.len() as u32),
+    });
+
+    let enc_msg = enc_key_msg.map(|e| {
+        v1rpc::common::import_pool_request::Encryption::Data(v1rpc::common::EncryptionData {
+            cipher: v1rpc::common::Cipher::from_str_name(cipher.unwrap())
+                .unwrap()
+                .into(),
+            key: Some(e),
+        })
+    });
+
     let response = ctx
         .v1
         .pool
@@ -334,7 +455,7 @@ async fn import(mut ctx: Context, matches: &ArgMatches) -> crate::Result<()> {
             uuid: uuid.map(ToString::to_string),
             disks: disks_list,
             pooltype: v1rpc::pool::PoolType::from(pooltype) as i32,
-            encryption: None,
+            encryption: enc_msg,
         })
         .await
         .context(GrpcStatus)?;

io-engine/src/grpc/v1/pool.rs

@@ -1,5 +1,6 @@
 pub use crate::pool_backend::FindPoolArgs as PoolIdProbe;
 use crate::{
+    bdev::crypto::{Cipher, EncryptionKey as PoolEncKey},
     core::{NvmfShareProps, ProtectedSubsystems, Protocol, ResourceLockGuard, ResourceLockManager},
     grpc::{acquire_subsystem_lock, GrpcClientContext, GrpcResult, RWLock, RWSerializer},
     lvs::{BsError, LvsError},
@@ -11,9 +12,17 @@ use crate::{
 use ::function_name::named;
 use futures::FutureExt;
 use io_engine_api::v1::{
-    pool::*, replica::destroy_replica_request, snapshot::destroy_snapshot_request,
+    common::{create_pool_request, import_pool_request, Cipher as GrpcCipher, EncryptionData},
+    pool::*,
+    replica::destroy_replica_request,
+    snapshot::destroy_snapshot_request,
+};
+use std::{
+    convert::{TryFrom, TryInto},
+    fmt::Debug,
+    ops::Deref,
+    panic::AssertUnwindSafe,
 };
-use std::{convert::TryFrom, fmt::Debug, ops::Deref, panic::AssertUnwindSafe};
 use tonic::{Request, Status};
 
 impl From<DestroyPoolRequest> for FindPoolArgs {
@@ -126,6 +135,37 @@ impl RWLock for PoolService {
     }
 }
 
+impl TryFrom<EncryptionData> for PoolEncKey {
+    type Error = LvsError;
+    fn try_from(msg: EncryptionData) -> Result<Self, Self::Error> {
+        let key = if let Some(k) = msg.key {
+            k
+        } else {
+            return Err(LvsError::Invalid {
+                source: BsError::InvalidArgument {},
+                msg: "invalid argument, missing key".to_string(),
+            });
+        };
+
+        let arg_cipher = msg.cipher;
+        let ctype: Cipher = GrpcCipher::try_from(arg_cipher)
+            .map_err(|_| LvsError::Invalid {
+                source: BsError::InvalidArgument {},
+                msg: format!("invalid cipher provided: {}", arg_cipher),
+            })?
+            .into();
+
+        Ok(Self {
+            cipher: ctype,
+            key_name: key.key_name,
+            key: String::from_utf8_lossy(&key.key).to_string(),
+            key_len: key.key_length,
+            key2: key.key2.map(|k2| String::from_utf8_lossy(&k2).to_string()),
+            key2_len: key.key2_length,
+        })
+    }
+}
+
 impl TryFrom<CreatePoolRequest> for PoolArgs {
     type Error = LvsError;
     fn try_from(args: CreatePoolRequest) -> Result<Self, Self::Error> {
@@ -149,13 +189,24 @@ impl TryFrom<CreatePoolRequest> for PoolArgs {
             }
         }
 
+        let enc_key = match args.encryption.clone() {
+            Some(create_pool_request::Encryption::Data(kd)) => kd.try_into().ok(),
+            Some(create_pool_request::Encryption::Secret(_ks)) => None,
+            _ => None,
+        };
+
         Ok(Self {
-            name: args.name,
-            disks: args.disks,
-            uuid: args.uuid,
+            name: args.name.clone(),
+            disks: args.disks.clone(),
+            uuid: args.uuid.clone(),
             cluster_size: args.cluster_size,
             md_args: args.md_args.map(|md| md.into()),
             backend: backend.into(),
+            enc_key,
+            crypto_vbdev_name: args
+                .encryption
+                .as_ref()
+                .map(|_| format!("crypto_{}", args.name)),
         })
     }
 }
@@ -226,13 +277,24 @@ impl TryFrom<ImportPoolRequest> for PoolArgs {
             }
         }
 
+        let enc_key = match args.encryption.clone() {
+            Some(import_pool_request::Encryption::Data(kd)) => PoolEncKey::try_from(kd).ok(),
+            Some(import_pool_request::Encryption::Secret(_ks)) => None,
+            _ => None,
+        };
+
         Ok(Self {
-            name: args.name,
-            disks: args.disks,
-            uuid: args.uuid,
+            name: args.name.clone(),
+            disks: args.disks.clone(),
+            uuid: args.uuid.clone(),
             cluster_size: None,
             md_args: None,
             backend: backend.into(),
+            enc_key,
+            crypto_vbdev_name: args
+                .encryption
+                .as_ref()
+                .map(|_| format!("crypto_{}", args.name)),
         })
     }
 }

io-engine/src/pool_backend.rs

@@ -1,4 +1,5 @@
 use crate::{
+    bdev::crypto::EncryptionKey,
     core::{BdevStater, BdevStats, ToErrno},
     replica_backend::ReplicaOps,
 };
@@ -16,6 +17,8 @@ pub struct PoolArgs {
     pub cluster_size: Option<u32>,
     pub md_args: Option<PoolMetadataArgs>,
     pub backend: PoolBackend,
+    pub enc_key: Option<EncryptionKey>,
+    pub crypto_vbdev_name: Option<String>,
 }
 
 /// Pool metadata args.