摘要:
A method is provided for providing an operating system (OS) independent input/output (I/O) filter driver capable of encrypting at least a portion of a logical unit (LUN), the method comprising the unordered steps of: providing an I/O filter driver component to an I/O stack for a host in communication with the LUN; determining, based at least in part on at least one of OS requirements and an arrangement of data on the LUN, at least one region in the LUN that contains data that is used below the I/O filter driver in an I/O stack on the host; and performing at least one of a read and a write of the one or more regions while keeping the one or more regions in plaintext, while permitting other regions of the LUN to be at least one of encrypted and decrypted.
摘要:
An in-band protocol transport carries command-response protocol communications between first and second functional components of a storage input/output (I/O) interface stack, for example to control encryption-related processing of storage I/O commands. A storage read command used as a protocol transport message has protocol data in a read data buffer, and predetermined read address information, such as a prime-numbered starting block address and a small, odd-valued length value, unlikely to occur in normal (non-transport) storage read commands. The second functional component determines that the storage read command contains the predetermined read address information, indicating that the storage read command is a protocol transport message rather than a normal read. For greater confidence, it also determines that the protocol data in the read data buffer includes protocol identification data such as a protocol signature. The protocol data is used to control a processing action for subsequent normal storage I/O commands, such as encryption-related processing, and a protocol response is returned by creating and storing response data in the read data buffer and signaling completion of the storage read command to the first functional component.
摘要:
A system shares encryption-related metadata between layers of a storage I/O stack. Additionally, a detection mechanism ensures that certain layers within the storage I/O stack are present and cooperate with a particular protocol. Along these lines, functional components engage in an in-band communications protocol, such as a data encryption key (DEK) management protocol. The in-band communications protocol employs protocol commands and responses carried along the data path as contents of in-band transport messages and responses, such as special SCSI read commands and their responses. The protocol commands and responses include a handshake command and a handshake response used during an initial handshake operation. Each protocol command and response has a protocol signature field carrying one of distinct first and second signature values which are used to identify the presence of the protocol command or response in the transport messages and responses at different locations along the data path.
摘要:
Described are techniques for upgrading a driver. A driver is installed which includes an upgrade facility, a base driver and a first set of one or more driver extension modules for processing input/output operations for one or more devices. Processing is performed to upgrade the driver using the upgrade facility. The processing includes loading one or more upgrade modules associated with a second version of said driver and performing cutover processing for each of the one or more devices.
摘要:
A computer of a data processing system includes a software encryption engine and path circuitry that initially provides one or more paths for conveying data of storage I/O requests to and from a storage device, the paths including an encrypting path having a hardware encrypting component. According to a failover technique, in a first operating state, (a) the data of the storage I/O requests is conveyed via the encrypting path with encryption and decryption of the data being performed by the hardware encrypting component, and (b) monitoring is performed for occurrence of an event indicating that the hardware encrypting component has become unavailable for encrypting and decrypting the data of the storage I/O requests. Upon occurrence of the event, if the path circuitry provides a non-encrypting path for conveying the data of the storage I/O requests to and from the storage device, then operation is switched to a second operating state in which the data of the storage I/O requests is conveyed via the non-encrypting path and is encrypted and decrypted by the software encryption engine. A failback technique provides for reverting to hardware-assisted encryption under proper circumstances.
摘要:
Methods and apparatus for non-disruptive upgrade by redirecting I/O operations. With this arrangement, a driver upgrade does not require restarting an application. In one embodiment, a method includes installing on a computer a legacy upgrade module in a kernel having a legacy driver with first and second loadable extensions for handling input/output operations for applications to and from devices, retrieving and storing static configuration data from the legacy driver, transferring the stored static configuration data to a new driver, obtaining runtime device configuration data from the devices and transferring the runtime device configuration data to the new driver, and filtering device input/output operations such that prior to cutover input/output operations are directed by the LUM through device stacks for the legacy driver and after cutover input/output operations are directed to the new driver.
摘要:
An improved technique for storing I/O metrics includes assigning metric values to data buckets held in kernel memory. Each data bucket covers a particular range of values of a respective metric and is configured as a counter, whose count is incremented each time the multipathing driver obtains or computes a metric value that falls within the range of the data bucket. Bucket counts can be read by an external program to obtain aggregate information about I/O metrics over time. The aggregate information can be fed back to the multipathing driver to enable improved selections of paths for conveying data to and from a storage array.
摘要:
Methods and systems are disclosed that relate to selecting a path for sending an I/O request from a host to a data storage subsystem from among a plurality of paths from the host to the subsystem. An exemplary method includes identifying a limitation on the traffic level for the plurality of paths, tracking a first metric corresponding to the limitation on the traffic level for each path, and transmitting a first I/O request having an urgency level other than the highest urgency level by one of the plurality of paths whose first metric does not exceed its limitation on the traffic level.
摘要:
Methods and systems are disclosed that relate to selecting a path for sending an I/O request from a host to a data storage subsystem from among a plurality of paths from the host to the subsystem. An exemplary method includes identifying a limitation on the traffic level for the plurality of paths, tracking a first metric corresponding to the limitation on the traffic level for each path, and transmitting a first I/O request having an urgency level other than the highest urgency level by one of the plurality of paths whose first metric does not exceed its limitation on the traffic level.
摘要:
A host in an encrypted data storage system sends encryption metadata associated with an encrypted logical volume (LV) from a key controller module to an encryption endpoint via a storage I/O stack. The encryption metadata identifies an encryption key and encrypted regions of the LV, and the sending results in establishment of one or more shared associations between the key controller module and the encryption endpoint which associates the encrypted LV with the encryption metadata for the encrypted LV. A data storage operation is performed on the encrypted LV by sending a data storage command from the key controller module to an encrypted region of the encryption endpoint via the storage I/O stack. The encryption endpoint uses the encryption metadata associated with the encrypted LV to cryptographically process data of the data storage operation.