On Thu, Oct 7, 2021 at 10:27:15AM +0200, Antonin Houska wrote: > Bruce Momjian <br...@momjian.us> wrote: > > The above text isn't very clear. What I am saying is that currently > > torn pages can be tolerated by hint bit writes because only a single > > byte is changing. If we use a block cipher like AES-XTS, later 16-byte > > encrypted blocks would be changed by hint bit changes, meaning torn > > pages could not be tolerated. This means we would have to use full page > > writes for hint bit changes, perhaps making this feature have > > unacceptable performance overhead. > > IIRC, in the XTS scheme, a change of a single byte in the 16-byte block causes > the whole encrypted block to be different after the next encryption, however > the following blocks are not affected. CBC (cipher-block chaining) is the mode > where the change in one block does affect the encryption of the following > block.
Oh, good point. I was not aware of that. It means XTS does not feed the previous block as part of the nonce to the next block. > I'm not sure if this fact is important from the hint bit perspective > though. It would be an important difference if there was a guarantee that the > 16-byte blocks are consitent even on torn page - does e.g. proper alignment of > pages guarantee that? Nevertheless, the absence of the chaining may be a > reason to prefer CBC to XTS anyway. Uh, technically most drives use 512-byte sectors, but I don't know if there is any guarantee that 512-byte sectors will not be torn --- I have a feeling there isn't. I think we get away with the hint bit case because you can't tear a single bit. ;-) However, my patch created a full page write for hint bit changes. If we don't use the LSN, those full page writes will only happen once per checkpoint, which seems acceptable, at least to Robert. Interesting on the CBC idea which would force the rest of the page to change --- not sure if that is valuable. I know stream ciphers can be diff'ed to see data because they are xor'ing the data --- I don't remember if block ciphers have similar weaknesses. -- Bruce Momjian <br...@momjian.us> https://momjian.us EDB https://enterprisedb.com If only the physical world exists, free will is an illusion.