From: Stefan Hajnoczi <stefanha@redhat.com>
To: Linlin Zhang <quic_linlzhan@quicinc.com>
Cc: virtio-dev@lists.linux.dev, quic_dshaikhu@quicinc.com
Subject: Re: [PATCH v1] virtio-blk: Add inline encryption support
Date: Wed, 4 Feb 2026 12:27:49 -0500 [thread overview]
Message-ID: <20260204172749.GA610283@fedora> (raw)
In-Reply-To: <694c4abd-b86b-4bc4-8d84-588bfb059d6c@quicinc.com>
[-- Attachment #1: Type: text/plain, Size: 4016 bytes --]
On Wed, Feb 04, 2026 at 09:57:11PM +0800, Linlin Zhang wrote:
> On 2/3/2026 10:43 PM, Stefan Hajnoczi wrote:
> > On Tue, Feb 03, 2026 at 06:06:33PM +0800, Linlin Zhang wrote:
> >> On 2/2/2026 11:56 PM, Stefan Hajnoczi wrote:
> >>> On Fri, Jan 30, 2026 at 06:23:55PM +0800, Linlin Zhang wrote:
> >>>> On 1/28/2026 5:09 AM, Stefan Hajnoczi wrote:
> >>>>> On Tue, Jan 27, 2026 at 10:20:32PM +0800, Linlin Zhang wrote:
> >>>>>> + starting block of the request.
> >>>>>> +\end{itemize}
> >>>>>> +
> >>>>>> VIRTIO_BLK_T_IN requests populate \field{data} with the contents of sectors
> >>>>>> read from the block device (in multiples of 512 bytes). VIRTIO_BLK_T_OUT
> >>>>>> requests write the contents of \field{data} to the block device (in multiples
> >>>>>> @@ -912,6 +979,8 @@ \subsection{Device Operation}\label{sec:Device Types / Block Device / Device Ope
> >>>>>> successfully, failed, or were processed by the device at all if the request
> >>>>>> failed with VIRTIO_BLK_S_IOERR.
> >>>>>>
> >>>>>> +A driver MUST set \field{activate} to 0 for a non VIRTIO_BLK_F_ICE request.
> >>>>>
> >>>>> Please explicitly list request types where the payload field is present
> >>>>> and where activate is optional.
> >>>>
> >>>> How about adding the following supplement?
> >>>>
> >>>> \begin{itemize}
> >>>> \item only when the block request contains crypto context and the request type
> >>>
> >>> I'm not sure what "when the block request contains crypto context"
> >>> means. Is that the same as "when VIRTIO_BLK_F_ICE has been negotiated"?
> >>
> >> No, crypto context means bio_crypt_ctx in BIO struct.
> >> struct bio {
> >> ...
> >> #ifdef CONFIG_BLK_INLINE_ENCRYPTION
> >> struct bio_crypt_ctx *bi_crypt_context;
> >> #endif
> >> ...
> >> }
> >>
> >> When VIRTIO_BLK_F_ICE has been negotiated, virtio block backend receives crypto
> >> payload from virtio block frontend, and the crypto payload, together with I/O
> >> transaction, is sent to block layer of the host finally. The crypto payload is
> >> used to construct the bio_crypt_ctx filed of BIO.
> >
> > Is that equivalent to struct virtio_blk_crypto_payload in this patch? If
> > yes, then I suggest only talking about the payload or slots - concepts
> > that are part of the virtio-blk inline crypto interface - instead of
> > Linux's bio_crypt_ctx.
> >
> > If that's not possible, then the crypto context needs to be defined in
> > the spec so that readers know what it means.
>
> Crypto context - bio_crypt_ctx structure - is different with virtio_blk_crypto_payload.
> bio_crypt_ctx is the struct bound to BIO and request structs in Linux to imply this is
> a inline encryption bio/request. While virtio_blk_crypto_payload is a new struct in this
> patch, it is used to issue the inline encryption metadata (slot, activate, DUN) to the
> virtio backend, so that the backend virtio device can use such inline encryption metadata
> to initialized the crypto info of Storage protocol. For instance, the CCI in DW0 of UTP
> Transfer Request Descriptor.
>
> Change it to the following.
> \begin{itemize}
> \item only when the block request contains a valid bio_crypt_ctx and the request type
> is one of VIRTIO_BLK_T_IN, VIRTIO_BLK_T_OUT and VIRTIO_BLK_T_FLUSH,\field{activate} MUST
> be set to 1. bio_crypt_ctx is defined in linux/blk-crypto.h.
> \begin{lstlisting}
> struct bio_crypt_ctx {
> const struct blk_crypto_key *bc_key;
> u64 bc_dun[BLK_CRYPTO_DUN_ARRAY_SIZE];
> };
> \end{lstlisting}
bio_crypt_ctx is Linux-specific. Can you phrase this in a way that does
not rely on Linux block layer concepts?
For example:
The \field{activate} field is set to 1 on VIRTIO_BLK_T_IN,
VIRTIO_BLK_T_OUT, and VIRTIO_BLK_T_FLUSH requests that require inline
encryption. For other request types or when inline encryption is not
required, it is set to 0.
Thanks,
Stefan
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
next prev parent reply other threads:[~2026-02-04 17:27 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-27 14:14 [PATCH v1] virtio-blk: Add inline encryption support Linlin Zhang
2026-01-27 14:20 ` Linlin Zhang
2026-01-27 21:09 ` Stefan Hajnoczi
2026-01-30 10:23 ` Linlin Zhang
2026-02-02 15:56 ` Stefan Hajnoczi
2026-02-03 10:06 ` Linlin Zhang
2026-02-03 14:43 ` Stefan Hajnoczi
2026-02-04 13:57 ` Linlin Zhang
2026-02-04 17:27 ` Stefan Hajnoczi [this message]
2026-02-06 17:12 ` [PATCH v2] " Linlin Zhang
2026-02-19 14:35 ` Sebastian Mauritsson
2026-02-22 6:09 ` Linlin Zhang
2026-02-26 11:08 ` Sebastian Mauritsson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260204172749.GA610283@fedora \
--to=stefanha@redhat.com \
--cc=quic_dshaikhu@quicinc.com \
--cc=quic_linlzhan@quicinc.com \
--cc=virtio-dev@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox