[systemd-devel] Authenticated Boot: dm-integrity modes
Wol
antlists at youngman.org.uk
Sun Nov 28 20:56:41 UTC 2021
On 28/11/2021 19:56, Adrian Vovk wrote:
> - Journal mode: is slow. It atomically writes data+hash, so the
> situation I describe above can never happen. However, to pull this off
> it writes the data twice. Effectively every layer of journaled
> dm-integrity will cut write speeds in half. This isn't too bad to
> protect the rootfs since writes there will be rare, but it is terrible
> for /home. Layering systemd-homed's LUKS+dm-integrity image on top of
> that will cut performance in half again. So with the whole setup
> proposed by the blog post (even with dm-verity) writes to home will be
> limited to 1/4 of the drive's performance and the data will be written
> four times over. On top of performance issues, won't writing the data 4x
> wear out SSDs faster? Am I missing something?
Why can't you just enable journalling in systemd-homed, so we have
LUKS+dm-integrity-journalling?
If the user needs to separate / and /home, isn't that just sensible design?
As for SSDs, the latest ones, as far as I can tell, have a lifespan
measured in years even if they're being absolutely hammered by a stress
test. If you're really worried about wearing out an SSD, put the journal
on rotating rust, but I think those in the know are likely to tell you
that the rust will die before the SSD.
Cheers,
Wol
More information about the systemd-devel
mailing list