From: Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
To: "Theodore Ts'o" <tytso@mit.edu>
Cc: Chris Mason <clm@fb.com>, Alex Elsayed <eternaleye@gmail.com>,
linux-btrfs@vger.kernel.org
Subject: Re: Experimental btrfs encryption
Date: Tue, 20 Sep 2016 00:09:17 -0400 [thread overview]
Message-ID: <20160920040917.GM21290@hungrycats.org> (raw)
In-Reply-To: <20160920025041.mzeljxxzclikktxn@thunk.org>
[-- Attachment #1: Type: text/plain, Size: 3956 bytes --]
On Mon, Sep 19, 2016 at 10:50:41PM -0400, Theodore Ts'o wrote:
> On Mon, Sep 19, 2016 at 08:32:34PM -0400, Chris Mason wrote:
> One of the other things that was in the original design, but which got
> dropped in our initial implementation, was the concept of having the
> per-inode key wrapped by multiple user keys. This would allow a file
> to be accessible by more than one user. So something to consider is
> that there may very well be situations where you *want* to have more
> than one key associated with a directory hierarchy.
That can get very complicated very quickly, unless you push the keys
off to one side and make them objects with separate lifetimes from the
files and subvols that use them by reference. Any problem can be made
different by another layer of indirection.
> The main issue is if you want to reflink a file and then have the two
> files have different permissions / ownerships. In that case, you
> really want to use different keys for user A and for user B --- but if
> you are assuming a single key per subvolume, you can't support
> different keys for different users anyway, so you're kind of toast for
> that use case in any case.
The gotcha there is that reflink file copies are just a special case
of shared extent refs in which all the individual extents in a file are
reflinked at once, but that's not the only case (or even a common one).
Currently any extent in the filesystem can be shared by any inode in
the filesystem (assuming the two inodes have compatible attributes,
which could include encryption policy), including multiple references
from the same inode to the same extent at different logical offsets.
This is the basis of the deduplication and copy_file_range features.
This confuses the VFS caching layer when dealing with deduped reflinked,
or snapshotted files. It's not surprising that VFS crypto has problems
coping with it as well.
It's much more natural for btrfs to attach nonces to the extents rather
than the inodes, and even put references to keys on the extents as well.
Key references could be inherited from the inode (directory, parent,
subvol, wherever you want to put them) that was used to create the extent,
the same way extents inherit their other attributes from inodes now.
> So in any case, assuming you're using block encryption (which is what
> fscrypt uses) there really isn't a problem with nonce reuse, although
> in some cases if you really do want to reflink a file and have it be
> protected by different user keys, this would have to force copy of the
> duplicated blocks at that point. But arguably, that is a feature, not
> a bug. If the two users are mutually suspicious, you don't _want_ to
> leak information about who much of a particular file had been changed
> by a particular user. So you would want to break the reflink and have
> separate copies for both users anyway.
It would probably be most naturally implemented as not allowing the
reflink in the first place, or not allowing a key change on a non-empty
file (the same way that attributes like nodatasum and nodatacow are
implemented). 'cp' would then have to fall back to a brute-force copy.
Cloning reflinks after the fact would be a radical change of direction
for btrfs.
This does create all sorts of interesting interactions with snapshots.
What happens if you remove a user's key to a file in a snapshot? If the
key is embedded in an inode, only one snapshot is affected, but if the
key is stored separately by reference, it could revoke access to files
in all the snapshots at once.
The only information I know of that one (non-root) user gets about
modifications to the other user's reflink file is the SHARED bit in
FIEMAP, which goes from 1 to 0 when the user holds the last reference
to the file. That could simply be forced to always be 1 if the extent
is encrypted so it doesn't leak information.
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]
next prev parent reply other threads:[~2016-09-20 4:09 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-13 13:39 [RFC] Preliminary BTRFS Encryption Anand Jain
2016-09-13 13:39 ` [PATCH] btrfs: Encryption: Add btrfs encryption support Anand Jain
2016-09-13 14:12 ` kbuild test robot
2016-09-13 14:24 ` kbuild test robot
2016-09-13 16:10 ` kbuild test robot
2016-09-13 13:39 ` [PATCH 1/2] btrfs-progs: make wait_for_commit non static Anand Jain
2016-09-13 13:39 ` [PATCH 2/2] btrfs-progs: add encryption support Anand Jain
2016-09-13 13:39 ` [PATCH] fstests: btrfs: support encryption Anand Jain
2016-09-13 16:42 ` [RFC] Preliminary BTRFS Encryption Wilson Meier
2016-09-14 7:02 ` Anand Jain
2016-09-14 18:26 ` Wilson Meier
2016-09-15 4:53 ` Alex Elsayed
2016-09-15 11:33 ` Anand Jain
2016-09-15 11:47 ` Alex Elsayed
2016-09-16 11:35 ` Anand Jain
2016-09-15 5:38 ` Chris Murphy
2016-09-15 11:32 ` Anand Jain
2016-09-15 11:37 ` Austin S. Hemmelgarn
2016-09-15 14:06 ` Anand Jain
2016-09-15 14:24 ` Austin S. Hemmelgarn
2016-09-16 8:58 ` David Sterba
2016-09-17 2:18 ` Zygo Blaxell
2016-09-16 1:12 ` Dave Chinner
2016-09-16 5:47 ` Roman Mamedov
2016-09-16 6:49 ` Alex Elsayed
2016-09-17 4:38 ` Zygo Blaxell
2016-09-17 6:37 ` Alex Elsayed
2016-09-19 18:08 ` Zygo Blaxell
2016-09-19 20:01 ` Alex Elsayed
2016-09-19 22:22 ` Zygo Blaxell
2016-09-19 22:25 ` Chris Murphy
2016-09-19 22:31 ` Zygo Blaxell
2016-09-20 1:10 ` Zygo Blaxell
2016-09-17 18:45 ` David Sterba
2016-09-20 14:26 ` Anand Jain
2016-09-16 10:45 ` Brendan Hide
2016-09-16 11:46 ` Anand Jain
2016-09-16 8:49 ` David Sterba
2016-09-16 11:56 ` Anand Jain
2016-09-17 20:35 ` David Sterba
2016-09-18 8:34 ` RAID1 availability issue[2], Hot-spare and auto-replace Anand Jain
2016-09-18 17:28 ` Chris Murphy
2016-09-18 17:34 ` Chris Murphy
2016-09-19 2:25 ` Anand Jain
2016-09-19 12:07 ` Austin S. Hemmelgarn
2016-09-19 12:25 ` Austin S. Hemmelgarn
2016-09-18 9:54 ` [RFC] Preliminary BTRFS Encryption Anand Jain
2016-09-20 0:12 ` Chris Mason
2016-09-20 0:55 ` Anand Jain
2016-09-17 6:58 ` Eric Biggers
2016-09-17 7:13 ` Alex Elsayed
2016-09-19 18:57 ` Zygo Blaxell
2016-09-19 19:50 ` Alex Elsayed
2016-09-19 22:12 ` Zygo Blaxell
2016-09-17 16:12 ` Anand Jain
2016-09-17 18:57 ` Chris Murphy
2016-09-19 15:15 ` Experimental btrfs encryption Theodore Ts'o
2016-09-19 20:58 ` Alex Elsayed
2016-09-20 0:32 ` Chris Mason
2016-09-20 2:47 ` Alex Elsayed
2016-09-20 2:50 ` Theodore Ts'o
2016-09-20 3:05 ` Alex Elsayed
2016-09-20 4:09 ` Zygo Blaxell [this message]
2016-09-20 15:44 ` Chris Mason
2016-09-21 13:52 ` Anand Jain
2016-09-20 4:05 ` Anand Jain
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160920040917.GM21290@hungrycats.org \
--to=ce3g8jdj@umail.furryterror.org \
--cc=clm@fb.com \
--cc=eternaleye@gmail.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.