linux-imx

----------------------------------------------------------------------

1. INTRODUCTION

​

Modern filesystems feature checksumming of data and metadata to

protect against data corruption.  However, the detection of the

corruption is done at read time which could potentially be months

after the data was written.  At that point the original data that the

application tried to write is most likely lost.

​

The solution is to ensure that the disk is actually storing what the

application meant it to.  Recent additions to both the SCSI family

protocols (SBC Data Integrity Field, SCC protection proposal) as well

as SATA/T13 (External Path Protection) try to remedy this by adding

support for appending integrity metadata to an I/O.  The integrity

metadata (or protection information in SCSI terminology) includes a

checksum for each sector as well as an incrementing counter that

ensures the individual sectors are written in the right order.  And

for some protection schemes also that the I/O is written to the right

place on disk.

​

Current storage controllers and devices implement various protective

measures, for instance checksumming and scrubbing.  But these

technologies are working in their own isolated domains or at best

between adjacent nodes in the I/O path.  The interesting thing about

DIF and the other integrity extensions is that the protection format

is well defined and every node in the I/O path can verify the

integrity of the I/O and reject it if corruption is detected.  This

allows not only corruption prevention but also isolation of the point

of failure.

​

----------------------------------------------------------------------

2. THE DATA INTEGRITY EXTENSIONS

​

As written, the protocol extensions only protect the path between

controller and storage device.  However, many controllers actually

allow the operating system to interact with the integrity metadata

(IMD).  We have been working with several FC/SAS HBA vendors to enable

the protection information to be transferred to and from their

controllers.

​

The SCSI Data Integrity Field works by appending 8 bytes of protection

information to each sector.  The data + integrity metadata is stored

in 520 byte sectors on disk.  Data + IMD are interleaved when

transferred between the controller and target.  The T13 proposal is

similar.

​

Because it is highly inconvenient for operating systems to deal with

520 (and 4104) byte sectors, we approached several HBA vendors and

encouraged them to allow separation of the data and integrity metadata

scatter-gather lists.

​

The controller will interleave the buffers on write and split them on

read.  This means that Linux can DMA the data buffers to and from

host memory without changes to the page cache.

​

Also, the 16-bit CRC checksum mandated by both the SCSI and SATA specs

is somewhat heavy to compute in software.  Benchmarks found that

calculating this checksum had a significant impact on system

performance for a number of workloads.  Some controllers allow a

lighter-weight checksum to be used when interfacing with the operating

system.  Emulex, for instance, supports the TCP/IP checksum instead.

The IP checksum received from the OS is converted to the 16-bit CRC

when writing and vice versa.  This allows the integrity metadata to be

generated by Linux or the application at very low cost (comparable to

software RAID5).

​

The IP checksum is weaker than the CRC in terms of detecting bit

errors.  However, the strength is really in the separation of the data

buffers and the integrity metadata.  These two distinct buffers must

match up for an I/O to complete.

​

The separation of the data and integrity metadata buffers as well as

the choice in checksums is referred to as the Data Integrity

Extensions.  As these extensions are outside the scope of the protocol

bodies (T10, T13), Oracle and its partners are trying to standardize

them within the Storage Networking Industry Association.

​

----------------------------------------------------------------------

3. KERNEL CHANGES

​

The data integrity framework in Linux enables protection information

to be pinned to I/Os and sent to/received from controllers that

support it.

​

The advantage to the integrity extensions in SCSI and SATA is that

they enable us to protect the entire path from application to storage

device.  However, at the same time this is also the biggest

disadvantage. It means that the protection information must be in a

format that can be understood by the disk.

​

Generally Linux/POSIX applications are agnostic to the intricacies of

the storage devices they are accessing.  The virtual filesystem switch