I agree that it is probably not as simple
as what I suggested. Clearly you have pointed out conflicting interpretations.
But you also pointed out that if the intent was to have the LOCK
protect against missed UA's (and I confirm that the intent of LOCK is indeed
to protect against mission UA's) then we have some issues to work through.
Dave,
Please list this as a technical comment
that needs a proposal for resolution.
Thanks,
Kevin D. Butt
SCSI & Fibre Channel Architect, Tape Firmware
MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744
Tel: 520-799-2869 / 520-799-5280
Fax: 520-799-2723 (T/L:321)
Email address: kdbutt@us.ibm.com
http://www-03.ibm.com/servers/storage/
"Ballard, Curtis C
(StorageWorks)" <curtis.ballard@hp.com> Sent by: owner-t10@t10.org
03/31/2008 01:51 PM
To
"'t10@t10.org'" <t10@t10.org>
cc
Subject
RE: SSC-3: Late Letter Ballot comment
Kevin,
I looked into this a bit and came to a different
conclusion.
You reference section 4.2.21.6 on Managing
keys within the device server and the section on when to release a set
of data encryption parameters which does not discuss turning off encryption.
I believe the section we need to reference
is a little further into 4.2.21.6 at that start of document page 56 in
SSC3r04a.pdf where it discusses what to do when both the ENCRYPTION MODE
and the DECRYPTION MODE are set to DISABLE which is the encryption off
condition.
"If a device server processes a Set
Data Encryption page with the ENCRYPTION
MODE field set to DISABLE and DECRYPTION
MODE field set to DISABLE or RAW, the
physical device shall:
a)release any resources that it had allocated
to store data encryption parameters for the I_T nexus
associated with the SECURITY PROTOCOL
OUT command and shall change the contents of all memory containing a key
value associated with the data encryption parameters that are released;
and
b)establish a unit attention condition .
. ."
The statement "data encryption parameters"
was referenced to 4.2.21.8 earlier in that clause so if we follow that
reference we find that virtually all of the settings that a host can establish
are included in the data encryption parameters including the key instance
counter which is tied to locking. When both modes are set to DISABLED
which is what has to be done to turn encryption off, then everything in
the set of data encryption parameters is released so all of those values
are gone. If the counter is gone along with all the other parameters
I don't see how the parameters can possibly continue to be associated with
that I_T nexus.
According to my notes we discussed at the
last SSC-3 meeting that "LOCK" should also be included in the
data encryption parameters but wasn't due to an oversight. If it
had been then it would be clear that "LOCK" is gone when the
encryption parameters are released.
I'm concerned that this behavior seems to
be inconsistent with the introduction to 4.2.21.11 which discusses exactly
the case of resources being released and the UA not detected and suggests
that LOCK solves the issue.
If the intent is that LOCK persist when the
rest of the parameters are released then I don't think the change is as
simple as you suggest. I think that we would need to modify 4.2.21.6
to indicate that the key instance counter is not released with the rest
of the parameters if LOCK is set to one, but instead is incremented. That
way the test described in the section on locking where a changed key instance
counter triggers the CHECK CONDITION will still work. We might also
have to modify some text describing releasing resources when limited resources
are exhausted to make it clear that parameters containing a LOCK bit set
to one can't be released (I have some concerns with whether that can be
required). There might also be other sections that talking about
releasing parameters that would need examined.
This one looks to me like it's going to take
a proposal to address.
Curtis Ballard
Hewlett Packard
From: owner-t10@t10.org [mailto:owner-t10@t10.org]
On Behalf Of Kevin D Butt
Sent: 20 March 2008 21:48
To: t10@t10.org
Subject: SSC-3: Late Letter Ballot comment
I received communication from an ISV today related to Encryption mode locking
(4.2.21.11). They were unable to determine if the locking applied
when the data encryption parameters were set such that encryption/decryption
is turned off. In a close reading this clause refers to "...locked
to that set of data encryption parameters and key instance counter value
until a hard reset condition occurs or another [SPOUT command is received]"
In 4.2.21.6 Managing keys within the physical device, where it describes
when to release a set of data encryption parameters, there is no mention
of turning off encryption. Therefore, the locking does apply to the
saved set of encryption parameters even when encryption is turned off.
This is indeed the desired behavior. However, it is not clear
to the casual or novice standards reader that this is the case.
Proposed Solution (Editorial):
In 4.2.21.11, p2, add a new sentence after s1:
The LOCK bit in the Set Data Encryption page is set to one to lock the
I_T nexus that issued the SECURITY PROTOCOL OUT command to the set of data
encryption parameters established at the completion of the processing of
the command. A set of
data encryption parameters are established and locked even if the ENCRYPTION
MODE is set to DISABLE and the DECRYPTION MODE is set to DISABLE.
Thanks,
Kevin D. Butt
SCSI & Fibre Channel Architect, Tape Firmware
MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744
Tel: 520-799-2869 / 520-799-5280
Fax: 520-799-2723 (T/L:321)
Email address: kdbutt@us.ibm.com
http://www-03.ibm.com/servers/storage/