On Tue, Jun 30, 2020 at 05:42:29PM +0100, Richard W.M. Jones wrote:
Argon2 is the default LUKS Password-Based Key Derivation Function
(PBKDF) for some new guests such as RHEL 8.2 and Fedora. It is
designed to be "memory hard", meaning that by design it requires large
amounts of memory, making it expensive to brute-force. Unfortunately
the default for guests which had more than a few GB of RAM at install
time is to require about 1 GB of RAM to decrypt the block device,
which is considerably larger than the default available in the
libguestfs appliance.
To make it possible to open these encrypted disks we need to make the
appliance larger. This could be done as a one-off, and the current
workaround is simply to set LIBGUESTFS_MEMSIZE=2048 or a similar
amount. However since we don't know in advance whether we could be
dealing with an encrypted disk, partition, etc. or what PBKDF it uses,
the only way to deal with this in all circumstances is to increase the
default memsize. This commit increases it quite a lot (768 -> 1280)
which is unfortunate.
I guess if you really want to minimize overhead for people, then
DIMM hotplug is the way to go.
ie launch with small memory, but configure memory to allow hotplug
of another GB. So you can launch the appliance normally, and when
you see a disk using argon2, then hotadd the DIMM before decrypting.
Whether that complexity is worth it though depends on how important
it is to keep RAM of the appliance small.
Having said all that, increasing the QEMU RAM size doesn't actually
consume memory on the host unless the guest actually touches the
memory pages or you've told QEMU to use hugepage or RAM pre-alloc.
So mostly you'll just pay for the small kernel pagetable accounting
eg with default libguesfs settings I see resident RAM of 200 MB
setting LIBGUESTFS_MEMSIZE=2048 i see resident RAM of 220 MB
setting LIBGUESTFS_MEMSIZE=20480 I see resident RAM of ~600 MB
So I think you could easily afford to bump from 768 to 2 GB without
worrying about impact on real RAM usage.
Regards,
Daniel
--
|:
https://berrange.com -o-
https://www.flickr.com/photos/dberrange :|
|:
https://libvirt.org -o-
https://fstop138.berrange.com :|
|:
https://entangle-photo.org -o-
https://www.instagram.com/dberrange :|