by introducing an 'assert_encryption_mode' that checks the desired
state, and bails out if it's different, called directly where we
previously set the encryption mode (which is now done automatically)
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
[ TL: add drive_ prefix and fleece in comment ]
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
(cherry picked from commit
3579d724a3f094c4761dc89adabd8402d9113db2)
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
use nix::fcntl::{fcntl, FcntlArg, OFlag};
mod encryption;
-pub use encryption::{drive_set_encryption, has_encryption};
+pub use encryption::{drive_set_encryption, drive_get_encryption, has_encryption};
mod volume_statistics;
use proxmox_uuid::Uuid;
bail!("got unexpected encryption mode {:?}", status.mode);
}
+/// Returns if encryption is enabled on the drive
+pub fn drive_get_encryption<F: AsRawFd>(file: &mut F) -> Result<bool, Error> {
+ let data = match sg_spin_data_encryption_status(file) {
+ Ok(data) => data,
+ Err(_) => {
+ // Assume device does not support HW encryption
+ return Ok(false);
+ }
+ };
+ let status = decode_spin_data_encryption_status(&data)?;
+ match status.mode {
+ // these three below have all encryption enabled, and only differ in how decryption is
+ // handled
+ DataEncryptionMode::On => Ok(true),
+ DataEncryptionMode::Mixed => Ok(true),
+ DataEncryptionMode::RawRead => Ok(true),
+ // currently, the mode below is the only one that has encryption actually disabled
+ DataEncryptionMode::Off => Ok(false),
+ }
+}
+
#[derive(Endian)]
#[repr(C, packed)]
struct SspSetDataEncryptionPage {
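Review bot: In `drive_get_encryption`, the `Err(_)` arm maps every failure of `sg_spin_data_encryption_status` to `Ok(false)`, so a transient SCSI or I/O error looks the same as a drive without hardware encryption. The LTO `assert_encryption_mode` added in a later hunk still fails closed when encryption is wanted, but its message then reads `set: false, wanted: true` and the underlying error is lost. When encryption is not wanted, the check passes without the drive state having been read at all. At minimum the doc comment should state this, e.g. `/// A failed status query is reported as Ok(false): the drive is assumed to lack HW encryption support.` It may also be worth binding the error (`Err(err)`) so the caller can surface it in the failure message.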
.map(|v| v.to_vec())
}
-#[derive(Debug)]
+#[derive(Debug, PartialEq, Eq)]
enum DataEncryptionMode {
On,
Mixed,
use anyhow::{bail, format_err, Error};
+use pbs_tape::sg_tape::drive_get_encryption;
use proxmox_uuid::Uuid;
use pbs_api_types::{
self.sg_tape.set_encryption(None)
}
}
+
+ fn assert_encryption_mode(&mut self, encryption_wanted: bool) -> Result<(), Error> {
+ let encryption_set = drive_get_encryption(self.sg_tape.file_mut())?;
+ if encryption_wanted != encryption_set {
+ bail!("Set encryption mode not what was desired (set: {encryption_set}, wanted: {encryption_wanted})");
+ }
+ Ok(())
+ }
}
fn run_sg_tape_cmd(subcmd: &str, args: &[&str], fd: RawFd) -> Result<String, Error> {
}
Ok(())
}
+
+ /// Asserts that the encryption mode is set to the given value
+ fn assert_encryption_mode(&mut self, encryption_wanted: bool) -> Result<(), Error> {
+ if encryption_wanted {
+ bail!("drive does not support encryption");
+ }
+ Ok(())
+ }
}
/// A boxed implementor of [`MediaChange`].
self.catalog_set.lock().unwrap().append_catalog(catalog)?;
+ let media_set = media.media_set_label().unwrap();
+
+ drive.assert_encryption_mode(media_set.encryption_key_fingerprint.is_some())?;
+
self.status = Some(PoolWriterState {
drive,
media_uuid: media_uuid.clone(),
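Review bot: The added `media.media_set_label().unwrap()` panics rather than returning an error if the loaded media has no media-set label, and it sits directly in front of the encryption check that is meant to fail cleanly. Unless an earlier part of this function already guarantees the label is present, prefer a regular error here, e.g. `let media_set = media.media_set_label().ok_or_else(|| format_err!("media has no media set label"))?;`. That suggestion assumes `media_set_label()` returns an `Option` and that `format_err` is in scope in this file. The enclosing function starts and ends outside the hunk, so the guarantee cannot be confirmed from what is shown.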