From: Eric Biggers <ebiggers@kernel.org>
To: Theodore Ts'o <tytso@mit.edu>
Cc: linux-fscrypt@vger.kernel.org,
Satya Tangirala <satyat@google.com>,
linux-api@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net, keyrings@vger.kernel.org,
linux-mtd@lists.infradead.org, linux-crypto@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org,
Paul Crowley <paulcrowley@google.com>
Subject: Re: [PATCH v6 00/16] fscrypt: key management improvements
Date: Mon, 20 May 2019 17:41:20 -0700 [thread overview]
Message-ID: <20190521004119.GA647@sol.localdomain> (raw)
In-Reply-To: <20190521001636.GA2369@mit.edu>
On Mon, May 20, 2019 at 08:16:36PM -0400, Theodore Ts'o wrote:
> On Mon, May 20, 2019 at 10:25:36AM -0700, Eric Biggers wrote:
> >
> > This patchset makes major improvements to how keys are added, removed,
> > and derived in fscrypt, aka ext4/f2fs/ubifs encryption. It does this by
> > adding new ioctls that add and remove encryption keys directly to/from
> > the filesystem, and by adding a new encryption policy version ("v2")
> > where the user-provided keys are only used as input to HKDF-SHA512 and
> > are identified by their cryptographic hash.
>
> Do you have userspace programs which use these new ioctl's? What's
> are testing strategy for these new ioctls?
>
> Thanks,
>
> - Ted
This was answered in the cover letter, quoted below:
I've written xfstests for the new APIs. They test the APIs themselves
as well as verify the correctness of the ciphertext stored on-disk for
v2 encryption policies. The tests can be found at:
Repository: https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/xfstests-dev.git
Branch: fscrypt-key-mgmt-improvements
The xfstests depend on new xfs_io commands which can be found at:
Repository: https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/xfsprogs-dev.git
Branch: fscrypt-key-mgmt-improvements
I've also made proof-of-concept changes to the 'fscrypt' userspace
program (https://github.com/google/fscrypt) to make it support v2
encryption policies. You can find these changes in git at:
Repository: https://github.com/ebiggers/fscrypt.git
Branch: fscrypt-key-mgmt-improvements
To make the 'fscrypt' userspace program experimentally use v2 encryption
policies on new encrypted directories, add the following to
/etc/fscrypt.conf within the "options" section:
"policy_version": "2"
Finally, it's also planned for Android and Chromium OS to switch to the
new ioctls and eventually to v2 encryption policies. Work-in-progress,
proof-of-concept changes by Satya Tangirala for AOSP can be found at
https://android-review.googlesource.com/q/topic:fscrypt-key-mgmt-improvements
- Eric
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org>
To: Theodore Ts'o <tytso@mit.edu>
Cc: linux-ext4@vger.kernel.org, linux-api@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-fscrypt@vger.kernel.org, keyrings@vger.kernel.org,
linux-mtd@lists.infradead.org, linux-crypto@vger.kernel.org,
linux-fsdevel@vger.kernel.org,
Satya Tangirala <satyat@google.com>,
Paul Crowley <paulcrowley@google.com>
Subject: Re: [PATCH v6 00/16] fscrypt: key management improvements
Date: Tue, 21 May 2019 00:41:20 +0000 [thread overview]
Message-ID: <20190521004119.GA647@sol.localdomain> (raw)
In-Reply-To: <20190521001636.GA2369@mit.edu>
On Mon, May 20, 2019 at 08:16:36PM -0400, Theodore Ts'o wrote:
> On Mon, May 20, 2019 at 10:25:36AM -0700, Eric Biggers wrote:
> >
> > This patchset makes major improvements to how keys are added, removed,
> > and derived in fscrypt, aka ext4/f2fs/ubifs encryption. It does this by
> > adding new ioctls that add and remove encryption keys directly to/from
> > the filesystem, and by adding a new encryption policy version ("v2")
> > where the user-provided keys are only used as input to HKDF-SHA512 and
> > are identified by their cryptographic hash.
>
> Do you have userspace programs which use these new ioctl's? What's
> are testing strategy for these new ioctls?
>
> Thanks,
>
> - Ted
This was answered in the cover letter, quoted below:
I've written xfstests for the new APIs. They test the APIs themselves
as well as verify the correctness of the ciphertext stored on-disk for
v2 encryption policies. The tests can be found at:
Repository: https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/xfstests-dev.git
Branch: fscrypt-key-mgmt-improvements
The xfstests depend on new xfs_io commands which can be found at:
Repository: https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/xfsprogs-dev.git
Branch: fscrypt-key-mgmt-improvements
I've also made proof-of-concept changes to the 'fscrypt' userspace
program (https://github.com/google/fscrypt) to make it support v2
encryption policies. You can find these changes in git at:
Repository: https://github.com/ebiggers/fscrypt.git
Branch: fscrypt-key-mgmt-improvements
To make the 'fscrypt' userspace program experimentally use v2 encryption
policies on new encrypted directories, add the following to
/etc/fscrypt.conf within the "options" section:
"policy_version": "2"
Finally, it's also planned for Android and Chromium OS to switch to the
new ioctls and eventually to v2 encryption policies. Work-in-progress,
proof-of-concept changes by Satya Tangirala for AOSP can be found at
https://android-review.googlesource.com/q/topic:fscrypt-key-mgmt-improvements
- Eric
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org>
To: Theodore Ts'o <tytso@mit.edu>
Cc: linux-ext4@vger.kernel.org, linux-api@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-fscrypt@vger.kernel.org, keyrings@vger.kernel.org,
linux-mtd@lists.infradead.org, linux-crypto@vger.kernel.org,
linux-fsdevel@vger.kernel.org,
Satya Tangirala <satyat@google.com>,
Paul Crowley <paulcrowley@google.com>
Subject: Re: [PATCH v6 00/16] fscrypt: key management improvements
Date: Mon, 20 May 2019 17:41:20 -0700 [thread overview]
Message-ID: <20190521004119.GA647@sol.localdomain> (raw)
In-Reply-To: <20190521001636.GA2369@mit.edu>
On Mon, May 20, 2019 at 08:16:36PM -0400, Theodore Ts'o wrote:
> On Mon, May 20, 2019 at 10:25:36AM -0700, Eric Biggers wrote:
> >
> > This patchset makes major improvements to how keys are added, removed,
> > and derived in fscrypt, aka ext4/f2fs/ubifs encryption. It does this by
> > adding new ioctls that add and remove encryption keys directly to/from
> > the filesystem, and by adding a new encryption policy version ("v2")
> > where the user-provided keys are only used as input to HKDF-SHA512 and
> > are identified by their cryptographic hash.
>
> Do you have userspace programs which use these new ioctl's? What's
> are testing strategy for these new ioctls?
>
> Thanks,
>
> - Ted
This was answered in the cover letter, quoted below:
I've written xfstests for the new APIs. They test the APIs themselves
as well as verify the correctness of the ciphertext stored on-disk for
v2 encryption policies. The tests can be found at:
Repository: https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/xfstests-dev.git
Branch: fscrypt-key-mgmt-improvements
The xfstests depend on new xfs_io commands which can be found at:
Repository: https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/xfsprogs-dev.git
Branch: fscrypt-key-mgmt-improvements
I've also made proof-of-concept changes to the 'fscrypt' userspace
program (https://github.com/google/fscrypt) to make it support v2
encryption policies. You can find these changes in git at:
Repository: https://github.com/ebiggers/fscrypt.git
Branch: fscrypt-key-mgmt-improvements
To make the 'fscrypt' userspace program experimentally use v2 encryption
policies on new encrypted directories, add the following to
/etc/fscrypt.conf within the "options" section:
"policy_version": "2"
Finally, it's also planned for Android and Chromium OS to switch to the
new ioctls and eventually to v2 encryption policies. Work-in-progress,
proof-of-concept changes by Satya Tangirala for AOSP can be found at
https://android-review.googlesource.com/q/topic:fscrypt-key-mgmt-improvements
- Eric
______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
next prev parent reply other threads:[~2019-05-21 0:41 UTC|newest]
Thread overview: 93+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-20 17:25 [PATCH v6 00/16] fscrypt: key management improvements Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` [f2fs-dev] " Eric Biggers
2019-05-20 17:25 ` [PATCH v6 01/16] fs, fscrypt: move uapi definitions to new header <linux/fscrypt.h> Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` [f2fs-dev] " Eric Biggers
2019-05-20 17:25 ` [PATCH v6 02/16] fscrypt: use FSCRYPT_ prefix for uapi constants Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` [f2fs-dev] " Eric Biggers
2019-05-20 17:25 ` [PATCH v6 03/16] fscrypt: use FSCRYPT_* definitions, not FS_* Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` [f2fs-dev] " Eric Biggers
2019-05-20 17:25 ` [PATCH v6 04/16] fscrypt: add ->ci_inode to fscrypt_info Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` [f2fs-dev] " Eric Biggers
2019-05-20 17:25 ` [PATCH v6 05/16] fscrypt: refactor v1 policy key setup into keysetup_legacy.c Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` [f2fs-dev] " Eric Biggers
2019-05-20 17:25 ` [PATCH v6 06/16] fscrypt: add FS_IOC_ADD_ENCRYPTION_KEY ioctl Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` [f2fs-dev] " Eric Biggers
2019-05-20 17:25 ` [PATCH v6 07/16] fscrypt: add FS_IOC_REMOVE_ENCRYPTION_KEY ioctl Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` [f2fs-dev] " Eric Biggers
2019-05-20 17:25 ` [PATCH v6 08/16] fscrypt: add FS_IOC_GET_ENCRYPTION_KEY_STATUS ioctl Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` [f2fs-dev] " Eric Biggers
2019-05-20 17:25 ` [PATCH v6 09/16] fscrypt: add an HKDF-SHA512 implementation Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` [f2fs-dev] " Eric Biggers
2019-05-20 17:25 ` [PATCH v6 10/16] fscrypt: v2 encryption policy support Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` [f2fs-dev] " Eric Biggers
2019-05-20 17:25 ` [PATCH v6 11/16] fscrypt: allow unprivileged users to add/remove keys for v2 policies Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` [f2fs-dev] " Eric Biggers
2019-05-20 17:25 ` [PATCH v6 12/16] fscrypt: require that key be added when setting a v2 encryption policy Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` [f2fs-dev] " Eric Biggers
2019-05-20 17:25 ` [PATCH v6 13/16] ext4: wire up new fscrypt ioctls Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` [f2fs-dev] " Eric Biggers
2019-05-20 17:25 ` [PATCH v6 14/16] f2fs: " Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` [f2fs-dev] " Eric Biggers
2019-05-20 17:25 ` [PATCH v6 15/16] ubifs: " Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` [f2fs-dev] " Eric Biggers
2019-05-20 17:25 ` [PATCH v6 16/16] fscrypt: document the new ioctls and policy version Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` Eric Biggers
2019-05-20 17:25 ` [f2fs-dev] " Eric Biggers
2019-05-21 0:16 ` [PATCH v6 00/16] fscrypt: key management improvements Theodore Ts'o
2019-05-21 0:16 ` Theodore Ts'o
2019-05-21 0:16 ` Theodore Ts'o
2019-05-21 0:16 ` Theodore Ts'o
2019-05-21 0:41 ` Eric Biggers [this message]
2019-05-21 0:41 ` Eric Biggers
2019-05-21 0:41 ` Eric Biggers
2019-05-21 3:29 ` Theodore Ts'o
2019-05-21 3:29 ` Theodore Ts'o
2019-05-21 3:29 ` Theodore Ts'o
2019-05-21 3:29 ` Theodore Ts'o
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190521004119.GA647@sol.localdomain \
--to=ebiggers@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
--cc=paulcrowley@google.com \
--cc=satyat@google.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.