From: Stefan Hajnoczi <stefanha@redhat.com>
To: Linlin Zhang <quic_linlzhan@quicinc.com>
Cc: virtio-dev@lists.linux.dev, quic_dshaikhu@quicinc.com
Subject: Re: [PATCH v1] virtio-blk: Add inline encryption support
Date: Wed, 4 Feb 2026 12:27:49 -0500 [thread overview]
Message-ID: <20260204172749.GA610283@fedora> (raw)
In-Reply-To: <694c4abd-b86b-4bc4-8d84-588bfb059d6c@quicinc.com>
[-- Attachment #1: Type: text/plain, Size: 4016 bytes --]
On Wed, Feb 04, 2026 at 09:57:11PM +0800, Linlin Zhang wrote:
> On 2/3/2026 10:43 PM, Stefan Hajnoczi wrote:
> > On Tue, Feb 03, 2026 at 06:06:33PM +0800, Linlin Zhang wrote:
> >> On 2/2/2026 11:56 PM, Stefan Hajnoczi wrote:
> >>> On Fri, Jan 30, 2026 at 06:23:55PM +0800, Linlin Zhang wrote:
> >>>> On 1/28/2026 5:09 AM, Stefan Hajnoczi wrote:
> >>>>> On Tue, Jan 27, 2026 at 10:20:32PM +0800, Linlin Zhang wrote:
> >>>>>> + starting block of the request.
> >>>>>> +\end{itemize}
> >>>>>> +
> >>>>>> VIRTIO_BLK_T_IN requests populate \field{data} with the contents of sectors
> >>>>>> read from the block device (in multiples of 512 bytes). VIRTIO_BLK_T_OUT
> >>>>>> requests write the contents of \field{data} to the block device (in multiples
> >>>>>> @@ -912,6 +979,8 @@ \subsection{Device Operation}\label{sec:Device Types / Block Device / Device Ope
> >>>>>> successfully, failed, or were processed by the device at all if the request
> >>>>>> failed with VIRTIO_BLK_S_IOERR.
> >>>>>>
> >>>>>> +A driver MUST set \field{activate} to 0 for a non VIRTIO_BLK_F_ICE request.
> >>>>>
> >>>>> Please explicitly list request types where the payload field is present
> >>>>> and where activate is optional.
> >>>>
> >>>> How about adding the following supplement?
> >>>>
> >>>> \begin{itemize}
> >>>> \item only when the block request contains crypto context and the request type
> >>>
> >>> I'm not sure what "when the block request contains crypto context"
> >>> means. Is that the same as "when VIRTIO_BLK_F_ICE has been negotiated"?
> >>
> >> No, crypto context means bio_crypt_ctx in BIO struct.
> >> struct bio {
> >> ...
> >> #ifdef CONFIG_BLK_INLINE_ENCRYPTION
> >> struct bio_crypt_ctx *bi_crypt_context;
> >> #endif
> >> ...
> >> }
> >>
> >> When VIRTIO_BLK_F_ICE has been negotiated, virtio block backend receives crypto
> >> payload from virtio block frontend, and the crypto payload, together with I/O
> >> transaction, is sent to block layer of the host finally. The crypto payload is
> >> used to construct the bio_crypt_ctx filed of BIO.
> >
> > Is that equivalent to struct virtio_blk_crypto_payload in this patch? If
> > yes, then I suggest only talking about the payload or slots - concepts
> > that are part of the virtio-blk inline crypto interface - instead of
> > Linux's bio_crypt_ctx.
> >
> > If that's not possible, then the crypto context needs to be defined in
> > the spec so that readers know what it means.
>
> Crypto context - bio_crypt_ctx structure - is different with virtio_blk_crypto_payload.
> bio_crypt_ctx is the struct bound to BIO and request structs in Linux to imply this is
> a inline encryption bio/request. While virtio_blk_crypto_payload is a new struct in this
> patch, it is used to issue the inline encryption metadata (slot, activate, DUN) to the
> virtio backend, so that the backend virtio device can use such inline encryption metadata
> to initialized the crypto info of Storage protocol. For instance, the CCI in DW0 of UTP
> Transfer Request Descriptor.
>
> Change it to the following.
> \begin{itemize}
> \item only when the block request contains a valid bio_crypt_ctx and the request type
> is one of VIRTIO_BLK_T_IN, VIRTIO_BLK_T_OUT and VIRTIO_BLK_T_FLUSH,\field{activate} MUST
> be set to 1. bio_crypt_ctx is defined in linux/blk-crypto.h.
> \begin{lstlisting}
> struct bio_crypt_ctx {
> const struct blk_crypto_key *bc_key;
> u64 bc_dun[BLK_CRYPTO_DUN_ARRAY_SIZE];
> };
> \end{lstlisting}
bio_crypt_ctx is Linux-specific. Can you phrase this in a way that does
not rely on Linux block layer concepts?
For example:
The \field{activate} field is set to 1 on VIRTIO_BLK_T_IN,
VIRTIO_BLK_T_OUT, and VIRTIO_BLK_T_FLUSH requests that require inline
encryption. For other request types or when inline encryption is not
required, it is set to 0.
Thanks,
Stefan
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
next prev parent reply other threads:[~2026-02-04 17:27 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-27 14:14 [PATCH v1] virtio-blk: Add inline encryption support Linlin Zhang
2026-01-27 14:20 ` Linlin Zhang
2026-01-27 21:09 ` Stefan Hajnoczi
2026-01-30 10:23 ` Linlin Zhang
2026-02-02 15:56 ` Stefan Hajnoczi
2026-02-03 10:06 ` Linlin Zhang
2026-02-03 14:43 ` Stefan Hajnoczi
2026-02-04 13:57 ` Linlin Zhang
2026-02-04 17:27 ` Stefan Hajnoczi [this message]
2026-02-06 17:12 ` [PATCH v2] " Linlin Zhang
2026-02-19 14:35 ` Sebastian Mauritsson
2026-02-22 6:09 ` Linlin Zhang
2026-02-26 11:08 ` Sebastian Mauritsson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260204172749.GA610283@fedora \
--to=stefanha@redhat.com \
--cc=quic_dshaikhu@quicinc.com \
--cc=quic_linlzhan@quicinc.com \
--cc=virtio-dev@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.