/qubes-issues

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Installer should detect SSD drive presence and set lvm issue_discards=1 config option itself #3686

Open
tlaurion opened this Issue Mar 9, 2018 · 5 comments

Comments

Assignees
No one assigned
Labels
Projects
None yet
Milestone
  Ongoing
4 participants
@tlaurion @marmarek @awokd @andrewdavidwong
@tlaurion
Contributor

tlaurion commented Mar 9, 2018

Qubes OS version:

R3.2, R4.0

Affected component(s):

dom0

Steps to reproduce the behavior:

Use Qubes intenseively. lvm_thin will use too much space compared to what is actually used on disk.

Expected behavior:

Disk space should be related to what is actually used.
Documentation specifies what should be done by user. It should be the installer's job to set the configuration option instead.

Actual behavior:

Disk space is filled until all disks are remounted RO.

General notes:

Documentation specifies what should be done by user. It should be the installer's job to set the configuration option instead.

Related issues:

@tlaurion tlaurion changed the title from Installer should detect if SSD drive and set lvm isue_discards=1 to Installer should detect if SSD drive and set lvm issue_discards=1 config option Mar 9, 2018

@tlaurion tlaurion changed the title from Installer should detect if SSD drive and set lvm issue_discards=1 config option to Installer should SSD drive presence and set lvm issue_discards=1 config option Mar 9, 2018

@tlaurion tlaurion changed the title from Installer should SSD drive presence and set lvm issue_discards=1 config option to Installer should detect SSD drive presence and set lvm issue_discards=1 config option itself Mar 9, 2018

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 9, 2018

Member

lvm.conf issue_discards=1 settings is relevant for SSD wear leveling, but not really for free space on lvm_thin. As noted in the documentation, all parts required for lvm_thin space calculation are already done by Qubes 4.0 installer (some fixes are part only of 4.0rc5, so if you have older version, you may need to enable fstrim.timer manually).
On 3.2 LVM thin volumes are not used (and even if you install with lvm_thin, all VMs are in dom0 filesystem as files), so this is not really needed. Unless you heavily customize storage layer manually.

The thing that is not done automatically, is passing this down to SSD disk. Doing this might help with some attacks on LUKS layer (reveal data layout, but not really data itself). See the article linked in the documentation. So, this is a trade-off between security and SSD life time. We choose to have safer default.
Member

marmarek commented Mar 9, 2018

lvm.conf issue_discards=1 settings is relevant for SSD wear leveling, but not really for free space on lvm_thin. As noted in the documentation, all parts required for lvm_thin space calculation are already done by Qubes 4.0 installer (some fixes are part only of 4.0rc5, so if you have older version, you may need to enable fstrim.timer manually).
On 3.2 LVM thin volumes are not used (and even if you install with lvm_thin, all VMs are in dom0 filesystem as files), so this is not really needed. Unless you heavily customize storage layer manually.

The thing that is not done automatically, is passing this down to SSD disk. Doing this might help with some attacks on LUKS layer (reveal data layout, but not really data itself). See the article linked in the documentation. So, this is a trade-off between security and SSD life time. We choose to have safer default.
@awokd

This comment has been minimized.

Show comment
Hide comment
@awokd

awokd Mar 9, 2018

Should we downgrade the "is recommended if using an SSD" to something like "you may wish to [...] if using an SSD"?

awokd commented Mar 9, 2018

Should we downgrade the "is recommended if using an SSD" to something like "you may wish to [...] if using an SSD"?
@andrewdavidwong

This comment has been minimized.

Show comment
Hide comment
@andrewdavidwong

andrewdavidwong Mar 10, 2018

Member

Should we downgrade the "is recommended if using an SSD" to something like "you may wish to [...] if using an SSD"?

This sounds like the right approach, but Marek's point should be made explicit. ("So, this is a trade-off between security and SSD life time. We choose to have safer default.") It sounds like the installer is choosing the safer default, while the documentation is currently advising the user to opt for a less-safe configuration. Not good!
Member

andrewdavidwong commented Mar 10, 2018

Should we downgrade the "is recommended if using an SSD" to something like "you may wish to [...] if using an SSD"?

This sounds like the right approach, but Marek's point should be made explicit. ("So, this is a trade-off between security and SSD life time. We choose to have safer default.") It sounds like the installer is choosing the safer default, while the documentation is currently advising the user to opt for a less-safe configuration. Not good!

@andrewdavidwong andrewdavidwong added C: doc task labels Mar 10, 2018

@andrewdavidwong andrewdavidwong added this to the Documentation/website milestone Mar 10, 2018

@awokd

This comment has been minimized.

Show comment
Hide comment
@awokd

awokd Mar 10, 2018

less-safe

I think it's splitting hairs to an extent, but will refer back to that linked article in my edit.

awokd commented Mar 10, 2018

less-safe

I think it's splitting hairs to an extent, but will refer back to that linked article in my edit.

@awokd awokd referenced this issue in QubesOS/qubes-doc Mar 10, 2018

Merged

disk-trim downgrade "recommended" to "you may want" #615

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 10, 2018

Member

It really depends on the threat model. My understanding is, based on the information revealed by the TRIM/DISCARD operation you can get used/free space. In practice, you can get from this a number and sizes of VMs (if you're lucky, because of blocks allocation by LVM thin/dom0 filesystem). Some don't consider this information to be sensitive, to the extend of publishing it explicitly: https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html

But yes, changing "recommended" to "you may want" is a good idea.
Member

marmarek commented Mar 10, 2018

It really depends on the threat model. My understanding is, based on the information revealed by the TRIM/DISCARD operation you can get used/free space. In practice, you can get from this a number and sizes of VMs (if you're lucky, because of blocks allocation by LVM thin/dom0 filesystem). Some don't consider this information to be sensitive, to the extend of publishing it explicitly: https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html

But yes, changing "recommended" to "you may want" is a good idea.

@andrewdavidwong andrewdavidwong added the help wanted label Mar 18, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment