tape: move 'set_encryption' calls to the TapeDriver (and implementation)

namely every time we know what the key for the tape has to be:
* after we write the MediaSetLabel
* after reading the MediaSetLabel

When handling data on tape, we always have to have the MediaSetLabel, so
we should always trigger one of these. Because of that, we should not be
able to forget to set the encryption mode.

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak 2024-01-22 12:50:33 +01:00 committed by Thomas Lamprecht
parent 1dc0df339b
commit 1343dcaf01
5 changed files with 19 additions and 30 deletions


@ -677,9 +677,6 @@ pub async fn read_label(drive: String, inventorize: Option<bool>) -> Result<Medi
let label = if let Some(ref set) = media_id.media_set_label {
let key = &set.encryption_key_fingerprint;
if let Err(err) = drive.set_encryption(key.clone().map(|fp| (fp, set.uuid.clone()))) {
eprintln!("unable to load encryption key: {}", err); // best-effort only
}
MediaIdFlat {
ctime: media_id.label.ctime,
encryption_key_fingerprint: key.as_ref().map(|fp| fp.signature()),
@ -1358,12 +1355,6 @@ pub fn catalog_media(
inventory.store(media_id.clone(), false)?;
return Ok(());
}
let encrypt_fingerprint = set
.encryption_key_fingerprint
.clone()
.map(|fp| (fp, set.uuid.clone()));
drive.set_encryption(encrypt_fingerprint)?;
let _pool_lock = lock_media_pool(TAPE_STATUS_DIR, &set.pool)?;
let media_set_lock = lock_media_set(TAPE_STATUS_DIR, &set.uuid, None)?;


@ -1029,12 +1029,6 @@ fn restore_snapshots_to_tmpdir(
media_set_uuid
);
}
let encrypt_fingerprint = set.encryption_key_fingerprint.clone().map(|fp| {
task_log!(worker, "Encryption key fingerprint: {}", fp);
(fp, set.uuid.clone())
});
drive.set_encryption(encrypt_fingerprint)?;
}
}
@ -1279,12 +1273,6 @@ pub fn request_and_restore_media(
media_set_uuid
);
}
let encrypt_fingerprint = set
.encryption_key_fingerprint
.clone()
.map(|fp| (fp, set.uuid.clone()));
drive.set_encryption(encrypt_fingerprint)?;
}
}


@ -269,6 +269,13 @@ impl TapeDriver for LtoTapeHandle {
self.sync()?; // sync data to tape
let encrypt_fingerprint = media_set_label
.encryption_key_fingerprint
.clone()
.map(|fp| (fp, media_set_label.uuid.clone()));
self.set_encryption(encrypt_fingerprint)?;
Ok(())
}
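Review bot: The "cannot forget" guarantee from the commit message holds on the write path only if every `TapeDriver` implementation repeats this `set_encryption` call in its own label-writing method; the block added after `self.sync()?` lives in `LtoTapeHandle`, and nothing visible here enforces it for other drivers. A driver that omits the call would continue with whatever encryption state the drive already had, so later writes could silently end up unencrypted. I would state the requirement on the trait method (presumably `write_media_set_label`), e.g. `/// Implementations must call set_encryption with the label's key fingerprint and uuid before returning.` The function starts outside this hunk, so the label-write order before `self.sync()?` could not be checked.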


@ -182,6 +182,15 @@ pub trait TapeDriver {
bail!("got unexpected data after media set label");
}
drop(reader);
let encrypt_fingerprint = media_set_label
.encryption_key_fingerprint
.clone()
.map(|fp| (fp, media_set_label.uuid.clone()));
self.set_encryption(encrypt_fingerprint)?;
media_id.media_set_label = Some(media_set_label);
Ok((Some(media_id), key_config))
@ -203,6 +212,9 @@ pub trait TapeDriver {
/// We use the media_set_uuid to XOR the secret key with the
/// uuid (first 16 bytes), so that each media set uses an unique
/// key for encryption.
///
/// Should be called as part of write_media_set_label or read_label,
/// so this should not be called manually.
fn set_encryption(
&mut self,
key_fingerprint: Option<(Fingerprint, Uuid)>,
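Review bot: The added `self.set_encryption(encrypt_fingerprint)?;` after `drop(reader);` turns a key-load failure into a failure of the whole label read, whereas the call this commit removes from the API `read_label` handler only logged the error and carried on (`// best-effort only`). If this is the trait's `read_label` (its start is outside the hunk), reading the label of a tape whose key is not available on this host would presumably now return an error instead of the label. Failing closed is the right default for callers that go on to write data, so I would keep the `?` and document the behaviour, e.g. `/// Fails if the media set's encryption key cannot be loaded; callers that only inspect the label must handle that error.` If label-only inspection has to keep working without the key, it should get a separate, explicitly named path so that write paths cannot pick up the tolerant variant by accident.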


@ -270,15 +270,6 @@ impl PoolWriter {
self.catalog_set.lock().unwrap().append_catalog(catalog)?;
let media_set = media.media_set_label().unwrap();
let encrypt_fingerprint = media_set
.encryption_key_fingerprint
.clone()
.map(|fp| (fp, media_set.uuid.clone()));
drive.set_encryption(encrypt_fingerprint)?;
self.status = Some(PoolWriterState {
drive,
media_uuid: media_uuid.clone(),