Support TRIM in LUKS partitions mounted by Kairos

[kreeuwijk]

Kairos version:
3.0.14

CPU architecture, OS, and Version:
Ubuntu 24.04

Describe the bug
Kairos does not pass the allow-discards config option to systemd-cryptsetup attach, causing the mounted LUKS partitions to not support TRIM. As a result, SSD drive performance falls off a cliff after some time. When a LUKS partition is mounted from a non-rotational disk, the allow-discards option should be automatically added so that weekly fstrim runs can trim the LUKS partitions as well.

DEVICE=nvme0n1

if [ "$(cat /sys/block/$DEVICE/queue/rotational)" == "0" ]
then
  OPTIONS="tpm2-device=auto,allow-discards"
else
  OPTIONS="tpm2-device=auto"
fi

This example shows that fstrim functions correctly when allow-discards is set:

# /usr/lib/systemd/systemd-cryptsetup attach nvme0n1p2 $(findfs PARTLABEL=oem) - tpm2-device=auto,allow-discards

# mount /dev/mapper/nvme0n1p2 /oem

# fstrim -v /oem
/oem: 4.7 GiB (5027479552 bytes) trimmed

To Reproduce
Deploy Kairos with Trusted Boot and attempt to run fstrim -v /oem

Expected behavior
Non-rotational disks should use LUKS partitions that have TRIM support enabled.

[mudler]

that can't be taken as slightly as a bug - systemd-cryptsetup does not set discards on SSDs for a reason probably. We need to spike on this first to see what would be a good approach here, or even let this to be configurable by the end-user.

See for instance also: https://wiki.debian.org/SSDOptimization on the topic.

[mudler]

for the moment being - maybe we can investigate a workaround that does not require a patch release. E.g. a cloud config that can be shipped in the base image that reattach and remounts the partition with discard enabled on the HW that requires it.

[kreeuwijk]

We do not need remounting of any mountpoints. All that's needed is kcrypt being adjusted to pass the allow-discards option to the systemd-cryptsetup command when attaching the LUKS partition. This will allow weekly fstrim runs to perform TRIM on LUKS partitions, just like it does for regular ext4 partitions.

[Itxaka]

workaround found:

cryptsetup refresh --allow-discards DEVICE will enable discards for the DEVICE while its mounted, it wont need to dettach/attach. This is only valid for attached devices. Once you detach and attach them the value will be lost and you will need to run it again

cryptsetup refresh --persistent --allow-discards DEVICE will do the same, but save the option to the luks header so on each dettach/attach operation the device will use that option forever. To remove the option just run the same but without the flag cryptsetup refresh --persistent DEVICE

[Itxaka]

@kreeuwijk confirmed this as working

[mudler]

for reference, this is the workaround from @kreeuwijk :

stages:
  boot.after:
    - name: Ensure encrypted partitions can be trimmed
      commands:
        - |
          DEVICES=$(lsblk -p -n -l -o NAME)
          if cat /proc/cmdline | grep rd.immucore.uki; then TRUSTED_BOOT="true"; fi
          for part in $DEVICES
          do
            if cryptsetup isLuks $part; then
              echo "Detected encrypted partition $part, ensuring TRIM is enabled..."
              if ! cryptsetup status ${part#/dev/} | grep discards; then
                echo "TRIM is not enabled on $part, enabling TRIM..."
                if [ "$TRUSTED_BOOT" = "true" ]; then
                  cryptsetup refresh --allow-discards --persistent ${part#/dev/}
                else
                  passphrase=$(echo '{ "data": "{ \"label\": \"LABEL\" }"}' | /system/discovery/kcrypt-discovery-challenger "discovery.password" | jq -r '.data')
                  echo $passphrase | cryptsetup refresh --allow-discards ${part#/dev/}
                fi
                if [ "$?" = "0" ]; then
                  echo "TRIM is now enabled on $part"
                else
                  echo "TRIM coud not be enabled on $part!"
                fi
              else
                echo "TRIM is already enabled on $part, nothing to do."
              fi
            fi
          done

[jimmykarily]

Planning decision: Let's try to implement this in immucore and control it with a config flag (in Kairos config).

[Itxaka]

After a small discussion

• --allow-insecure flag will always be used as it refers to the future possibility of mounting unencrypted parts. It doesnt automatically enable the discard option, it just allows to do it
• agent will gain new config option for mouting encrypted partition with discard flag. It wont affect anything on install
• On boot, immucore will mount oem, read the config, get the value of the discard and remount /oem with that flag if needed
• On boot, immucore will mount persistent directly with the option as it can read it from the config in oem directly
• defaults will be the same, no discard option on anything

[kreeuwijk]

@Itxaka we can't you pass the --allow-discards option to cryptsetup by default? We don't want to set the discard flag on the filesystem mount, we only want fstrim to be able to perform TRIM on crypted filesystems during its weekly run...

[Itxaka]

@Itxaka we can't you pass the --allow-discards option to cryptsetup by default? We don't want to set the discard flag on the filesystem mount, we only want fstrim to be able to perform TRIM on crypted filesystems during its weekly run...

We do? It's mentioned above, we will pass that to the crypt setup Luks creation by default?

[Itxaka]

kcrypt and agent will now create the luks encrypted partitions with the allow-discard option always enabled.

As the OS now have an auto-trim service running, I dont think we need to go any further. Trim will be auto-run and it should trim the system automatically.

[Itxaka]

@kreeuwijk will this cover the current use-case? Encrypted partitions have the allow-discard option on by default, underlying mounts are NOT mounted witht he discard option, trim service still works on the timer.

Or is there some scenario missing here? Notice that nobody recommends using the discard option on encrypted mounts by default as it weakens security, so we would prefer to NOT allow mounting the underlying partitions with the discard option.

Feel free to to reopen if we are missing something here

[kreeuwijk]

@Itxaka this is great, thank you!