From: "Theodore Ts'o" <tytso@mit.edu>
To: Eric Biggers <ebiggers@kernel.org>
Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org,
linux-integrity@vger.kernel.org, Jaegeuk Kim <jaegeuk@kernel.org>,
Victor Hsieh <victorhsieh@google.com>,
Dave Chinner <david@fromorbit.com>,
Christoph Hellwig <hch@lst.de>,
"Darrick J . Wong" <darrick.wong@oracle.com>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [PATCH v4 14/16] ext4: add basic fs-verity support
Date: Tue, 18 Jun 2019 23:05:22 -0400 [thread overview]
Message-ID: <20190619030522.GA28351@mit.edu> (raw)
In-Reply-To: <20190618234133.GL184520@gmail.com>
On Tue, Jun 18, 2019 at 04:41:34PM -0700, Eric Biggers wrote:
>
> I don't think your proposed solution is so simple. By definition the last
> extent ends on a filesystem block boundary, while the Merkle tree ends on a
> Merkle tree block boundary. In the future we might support the case where these
> differ, so we don't want to preclude that in the on-disk format we choose now.
> Therefore, just storing the desc_size isn't enough; we'd actually have to store
> (desc_pos, desc_size), like I'm doing in the xattr.
I don't think any of this matters much, since what you're describing
above is all about the Merkle tree, and that doesn't affect how we
find the fsverity descriptor information. We can just say that
fsverity descriptor block begins on the next file system block
boundary after the Merkle tree. And in the case where say, the Merkle
tree is 4k and the file system block size is 64k, that's fine --- the
fs descriptor would just begin at the next 64k (fs blocksize)
boundary.
> Also, using ext4_find_extent() to find the last mapped block (as the v1 and v2
> patchsets did) assumes the file actually uses extents. So we'd have to forbid
> non-extents based files as a special case, as the v2 patchset did. We'd also
> have to find a way to implement the same functionality on f2fs (which should be
> possible, but it seems it would require some new code; there's nothing like
> f2fs_get_extent()) unless we did something different for f2fs.
So first, if f2fs wants to continue using the xattr, that's fine. The
code to write and fetch the fsverity descriptor is in file system
specific code, and so this is something I'm happy to support just for
ext4, and it shouldn't require any special changes in the common
fsverity code at all. Secondly, I suspect it's not *that* hard to
find the last logical block mapping in f2fs, but I'll let Jaeguk
comment on that.
Finally, it's not that hard to find the last mapped block for indirect
blocks, if we really care about supporting that combination. (There
are enough other things --- like fallocate --- which don't work with
indirect mapped files, so I don't feel especially bad forbidding that
combination. A quick check in enable_verity() to return EOPNOTSUPP if
the EXTENTS_FL flag is not present is not all that different from what
we do with fallocate today.)
But if we *did* want to support it, it's actually quite easy to find
the last mapped block for an indirect mapped inode. I just didn't
bother to write the code, but it requires at most 3 block reads if
there is a triple indirection block. Otherwise, if there is a double
indirection block in the inode, it requires at most 2 block reads, and
otherwise, at most a single block read.
> Note that on Android devices (the motivating use case for fs-verity), the xattrs
> of user data files on ext4 already spill into an external xattr block, due to
> the fscrypt and SELinux xattrs. If/when people actually start caring about
> this, they'll need to increase the inode size to 512 bytes anyway, in which case
> there will be plenty of space for a few more in-line xattrs. So I don't think
> we should jump through too many hoops to avoid using an xattr.
I'm thinking about other cases where we might not be using fscrypt,
but where we might still be using fsverity and SELinux --- or maybe
cases where the file systems are using 128 byte inodes, and where only
fsverity is required. (There are a *vast* number of production file
systems using 128 byte inodes.)
Cheers,
- Ted
WARNING: multiple messages have this Message-ID (diff)
From: "Theodore Ts'o" <tytso@mit.edu>
To: Eric Biggers <ebiggers@kernel.org>
Cc: "Darrick J . Wong" <darrick.wong@oracle.com>,
linux-api@vger.kernel.org, Dave Chinner <david@fromorbit.com>,
linux-f2fs-devel@lists.sourceforge.net,
linux-fscrypt@vger.kernel.org, linux-fsdevel@vger.kernel.org,
Jaegeuk Kim <jaegeuk@kernel.org>,
linux-integrity@vger.kernel.org, linux-ext4@vger.kernel.org,
Linus Torvalds <torvalds@linux-foundation.org>,
Christoph Hellwig <hch@lst.de>,
Victor Hsieh <victorhsieh@google.com>
Subject: Re: [PATCH v4 14/16] ext4: add basic fs-verity support
Date: Tue, 18 Jun 2019 23:05:22 -0400 [thread overview]
Message-ID: <20190619030522.GA28351@mit.edu> (raw)
In-Reply-To: <20190618234133.GL184520@gmail.com>
On Tue, Jun 18, 2019 at 04:41:34PM -0700, Eric Biggers wrote:
>
> I don't think your proposed solution is so simple. By definition the last
> extent ends on a filesystem block boundary, while the Merkle tree ends on a
> Merkle tree block boundary. In the future we might support the case where these
> differ, so we don't want to preclude that in the on-disk format we choose now.
> Therefore, just storing the desc_size isn't enough; we'd actually have to store
> (desc_pos, desc_size), like I'm doing in the xattr.
I don't think any of this matters much, since what you're describing
above is all about the Merkle tree, and that doesn't affect how we
find the fsverity descriptor information. We can just say that
fsverity descriptor block begins on the next file system block
boundary after the Merkle tree. And in the case where say, the Merkle
tree is 4k and the file system block size is 64k, that's fine --- the
fs descriptor would just begin at the next 64k (fs blocksize)
boundary.
> Also, using ext4_find_extent() to find the last mapped block (as the v1 and v2
> patchsets did) assumes the file actually uses extents. So we'd have to forbid
> non-extents based files as a special case, as the v2 patchset did. We'd also
> have to find a way to implement the same functionality on f2fs (which should be
> possible, but it seems it would require some new code; there's nothing like
> f2fs_get_extent()) unless we did something different for f2fs.
So first, if f2fs wants to continue using the xattr, that's fine. The
code to write and fetch the fsverity descriptor is in file system
specific code, and so this is something I'm happy to support just for
ext4, and it shouldn't require any special changes in the common
fsverity code at all. Secondly, I suspect it's not *that* hard to
find the last logical block mapping in f2fs, but I'll let Jaeguk
comment on that.
Finally, it's not that hard to find the last mapped block for indirect
blocks, if we really care about supporting that combination. (There
are enough other things --- like fallocate --- which don't work with
indirect mapped files, so I don't feel especially bad forbidding that
combination. A quick check in enable_verity() to return EOPNOTSUPP if
the EXTENTS_FL flag is not present is not all that different from what
we do with fallocate today.)
But if we *did* want to support it, it's actually quite easy to find
the last mapped block for an indirect mapped inode. I just didn't
bother to write the code, but it requires at most 3 block reads if
there is a triple indirection block. Otherwise, if there is a double
indirection block in the inode, it requires at most 2 block reads, and
otherwise, at most a single block read.
> Note that on Android devices (the motivating use case for fs-verity), the xattrs
> of user data files on ext4 already spill into an external xattr block, due to
> the fscrypt and SELinux xattrs. If/when people actually start caring about
> this, they'll need to increase the inode size to 512 bytes anyway, in which case
> there will be plenty of space for a few more in-line xattrs. So I don't think
> we should jump through too many hoops to avoid using an xattr.
I'm thinking about other cases where we might not be using fscrypt,
but where we might still be using fsverity and SELinux --- or maybe
cases where the file systems are using 128 byte inodes, and where only
fsverity is required. (There are a *vast* number of production file
systems using 128 byte inodes.)
Cheers,
- Ted
WARNING: multiple messages have this Message-ID (diff)
From: "Theodore Ts'o" <tytso@mit.edu>
To: Eric Biggers <ebiggers@kernel.org>
Cc: "Darrick J . Wong" <darrick.wong@oracle.com>,
linux-api@vger.kernel.org, Dave Chinner <david@fromorbit.com>,
linux-f2fs-devel@lists.sourceforge.net,
linux-fscrypt@vger.kernel.org, linux-fsdevel@vger.kernel.org,
Jaegeuk Kim <jaegeuk@kernel.org>,
linux-integrity@vger.kernel.org, linux-ext4@vger.kernel.org,
Linus Torvalds <torvalds@linux-foundation.org>,
Christoph Hellwig <hch@lst.de>,
Victor Hsieh <victorhsieh@google.com>
Subject: Re: [f2fs-dev] [PATCH v4 14/16] ext4: add basic fs-verity support
Date: Tue, 18 Jun 2019 23:05:22 -0400 [thread overview]
Message-ID: <20190619030522.GA28351@mit.edu> (raw)
In-Reply-To: <20190618234133.GL184520@gmail.com>
On Tue, Jun 18, 2019 at 04:41:34PM -0700, Eric Biggers wrote:
>
> I don't think your proposed solution is so simple. By definition the last
> extent ends on a filesystem block boundary, while the Merkle tree ends on a
> Merkle tree block boundary. In the future we might support the case where these
> differ, so we don't want to preclude that in the on-disk format we choose now.
> Therefore, just storing the desc_size isn't enough; we'd actually have to store
> (desc_pos, desc_size), like I'm doing in the xattr.
I don't think any of this matters much, since what you're describing
above is all about the Merkle tree, and that doesn't affect how we
find the fsverity descriptor information. We can just say that
fsverity descriptor block begins on the next file system block
boundary after the Merkle tree. And in the case where say, the Merkle
tree is 4k and the file system block size is 64k, that's fine --- the
fs descriptor would just begin at the next 64k (fs blocksize)
boundary.
> Also, using ext4_find_extent() to find the last mapped block (as the v1 and v2
> patchsets did) assumes the file actually uses extents. So we'd have to forbid
> non-extents based files as a special case, as the v2 patchset did. We'd also
> have to find a way to implement the same functionality on f2fs (which should be
> possible, but it seems it would require some new code; there's nothing like
> f2fs_get_extent()) unless we did something different for f2fs.
So first, if f2fs wants to continue using the xattr, that's fine. The
code to write and fetch the fsverity descriptor is in file system
specific code, and so this is something I'm happy to support just for
ext4, and it shouldn't require any special changes in the common
fsverity code at all. Secondly, I suspect it's not *that* hard to
find the last logical block mapping in f2fs, but I'll let Jaeguk
comment on that.
Finally, it's not that hard to find the last mapped block for indirect
blocks, if we really care about supporting that combination. (There
are enough other things --- like fallocate --- which don't work with
indirect mapped files, so I don't feel especially bad forbidding that
combination. A quick check in enable_verity() to return EOPNOTSUPP if
the EXTENTS_FL flag is not present is not all that different from what
we do with fallocate today.)
But if we *did* want to support it, it's actually quite easy to find
the last mapped block for an indirect mapped inode. I just didn't
bother to write the code, but it requires at most 3 block reads if
there is a triple indirection block. Otherwise, if there is a double
indirection block in the inode, it requires at most 2 block reads, and
otherwise, at most a single block read.
> Note that on Android devices (the motivating use case for fs-verity), the xattrs
> of user data files on ext4 already spill into an external xattr block, due to
> the fscrypt and SELinux xattrs. If/when people actually start caring about
> this, they'll need to increase the inode size to 512 bytes anyway, in which case
> there will be plenty of space for a few more in-line xattrs. So I don't think
> we should jump through too many hoops to avoid using an xattr.
I'm thinking about other cases where we might not be using fscrypt,
but where we might still be using fsverity and SELinux --- or maybe
cases where the file systems are using 128 byte inodes, and where only
fsverity is required. (There are a *vast* number of production file
systems using 128 byte inodes.)
Cheers,
- Ted
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
next prev parent reply other threads:[~2019-06-19 3:05 UTC|newest]
Thread overview: 126+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-06 15:51 [PATCH v4 00/16] fs-verity: read-only file-based authenticity protection Eric Biggers
2019-06-06 15:51 ` [f2fs-dev] " Eric Biggers
2019-06-06 15:51 ` Eric Biggers
2019-06-06 15:51 ` [PATCH v4 01/16] fs-verity: add a documentation file Eric Biggers
2019-06-06 15:51 ` [f2fs-dev] " Eric Biggers
2019-06-06 15:51 ` Eric Biggers
2019-06-15 12:39 ` Theodore Ts'o
2019-06-15 12:39 ` [f2fs-dev] " Theodore Ts'o
2019-06-15 12:39 ` Theodore Ts'o
2019-06-18 16:31 ` Eric Biggers
2019-06-18 16:31 ` [f2fs-dev] " Eric Biggers
2019-06-18 16:31 ` Eric Biggers
2019-06-06 15:51 ` [f2fs-dev] [PATCH v4 02/16] fs-verity: add MAINTAINERS file entry Eric Biggers
2019-06-06 15:51 ` Eric Biggers
2019-06-06 15:51 ` Eric Biggers
2019-06-15 12:39 ` Theodore Ts'o
2019-06-15 12:39 ` [f2fs-dev] " Theodore Ts'o
2019-06-15 12:39 ` Theodore Ts'o
2019-06-06 15:51 ` [f2fs-dev] [PATCH v4 03/16] fs-verity: add UAPI header Eric Biggers
2019-06-06 15:51 ` Eric Biggers
2019-06-06 15:51 ` Eric Biggers
2019-06-06 15:51 ` [f2fs-dev] [PATCH v4 04/16] fs: uapi: define verity bit for FS_IOC_GETFLAGS Eric Biggers
2019-06-06 15:51 ` Eric Biggers
2019-06-06 15:51 ` Eric Biggers
2019-06-15 12:40 ` Theodore Ts'o
2019-06-15 12:40 ` [f2fs-dev] " Theodore Ts'o
2019-06-15 12:40 ` Theodore Ts'o
2019-06-06 15:51 ` [PATCH v4 05/16] fs-verity: add Kconfig and the helper functions for hashing Eric Biggers
2019-06-06 15:51 ` [f2fs-dev] " Eric Biggers
2019-06-06 15:51 ` Eric Biggers
2019-06-15 12:57 ` Theodore Ts'o
2019-06-15 12:57 ` [f2fs-dev] " Theodore Ts'o
2019-06-15 12:57 ` Theodore Ts'o
2019-06-18 16:32 ` Eric Biggers
2019-06-18 16:32 ` [f2fs-dev] " Eric Biggers
2019-06-18 16:32 ` Eric Biggers
2019-06-06 15:51 ` [PATCH v4 06/16] fs-verity: add inode and superblock fields Eric Biggers
2019-06-06 15:51 ` [f2fs-dev] " Eric Biggers
2019-06-06 15:51 ` Eric Biggers
2019-06-15 12:57 ` Theodore Ts'o
2019-06-15 12:57 ` [f2fs-dev] " Theodore Ts'o
2019-06-15 12:57 ` Theodore Ts'o
2019-06-06 15:51 ` [PATCH v4 07/16] fs-verity: add the hook for file ->open() Eric Biggers
2019-06-06 15:51 ` [f2fs-dev] " Eric Biggers
2019-06-06 15:51 ` Eric Biggers
2019-06-15 14:42 ` Theodore Ts'o
2019-06-15 14:42 ` [f2fs-dev] " Theodore Ts'o
2019-06-15 14:42 ` Theodore Ts'o
2019-06-18 16:35 ` Eric Biggers
2019-06-18 16:35 ` [f2fs-dev] " Eric Biggers
2019-06-18 16:35 ` Eric Biggers
2019-06-06 15:51 ` [PATCH v4 08/16] fs-verity: add the hook for file ->setattr() Eric Biggers
2019-06-06 15:51 ` [f2fs-dev] " Eric Biggers
2019-06-06 15:51 ` Eric Biggers
2019-06-15 14:43 ` Theodore Ts'o
2019-06-15 14:43 ` [f2fs-dev] " Theodore Ts'o
2019-06-15 14:43 ` Theodore Ts'o
2019-06-06 15:51 ` [PATCH v4 09/16] fs-verity: add data verification hooks for ->readpages() Eric Biggers
2019-06-06 15:51 ` [f2fs-dev] " Eric Biggers
2019-06-06 15:51 ` Eric Biggers
2019-06-15 14:48 ` Theodore Ts'o
2019-06-15 14:48 ` [f2fs-dev] " Theodore Ts'o
2019-06-15 14:48 ` Theodore Ts'o
2019-06-06 15:51 ` [PATCH v4 10/16] fs-verity: implement FS_IOC_ENABLE_VERITY ioctl Eric Biggers
2019-06-06 15:51 ` [f2fs-dev] " Eric Biggers
2019-06-06 15:51 ` Eric Biggers
2019-06-15 15:08 ` Theodore Ts'o
2019-06-15 15:08 ` [f2fs-dev] " Theodore Ts'o
2019-06-15 15:08 ` Theodore Ts'o
2019-06-18 16:50 ` Eric Biggers
2019-06-18 16:50 ` [f2fs-dev] " Eric Biggers
2019-06-18 16:50 ` Eric Biggers
2019-06-06 15:52 ` [PATCH v4 11/16] fs-verity: implement FS_IOC_MEASURE_VERITY ioctl Eric Biggers
2019-06-06 15:52 ` [f2fs-dev] " Eric Biggers
2019-06-06 15:52 ` Eric Biggers
2019-06-15 15:10 ` Theodore Ts'o
2019-06-15 15:10 ` [f2fs-dev] " Theodore Ts'o
2019-06-15 15:10 ` Theodore Ts'o
2019-06-06 15:52 ` [PATCH v4 12/16] fs-verity: add SHA-512 support Eric Biggers
2019-06-06 15:52 ` [f2fs-dev] " Eric Biggers
2019-06-06 15:52 ` Eric Biggers
2019-06-15 15:11 ` Theodore Ts'o
2019-06-15 15:11 ` [f2fs-dev] " Theodore Ts'o
2019-06-15 15:11 ` Theodore Ts'o
2019-06-06 15:52 ` [PATCH v4 13/16] fs-verity: support builtin file signatures Eric Biggers
2019-06-06 15:52 ` [f2fs-dev] " Eric Biggers
2019-06-06 15:52 ` Eric Biggers
2019-06-15 15:21 ` Theodore Ts'o
2019-06-15 15:21 ` [f2fs-dev] " Theodore Ts'o
2019-06-15 15:21 ` Theodore Ts'o
2019-06-18 16:58 ` Eric Biggers
2019-06-18 16:58 ` [f2fs-dev] " Eric Biggers
2019-06-18 16:58 ` Eric Biggers
2019-06-06 15:52 ` [PATCH v4 14/16] ext4: add basic fs-verity support Eric Biggers
2019-06-06 15:52 ` [f2fs-dev] " Eric Biggers
2019-06-06 15:52 ` Eric Biggers
2019-06-15 15:31 ` Theodore Ts'o
2019-06-15 15:31 ` [f2fs-dev] " Theodore Ts'o
2019-06-15 15:31 ` Theodore Ts'o
2019-06-18 17:51 ` Eric Biggers
2019-06-18 17:51 ` [f2fs-dev] " Eric Biggers
2019-06-18 17:51 ` Eric Biggers
2019-06-18 22:46 ` Theodore Ts'o
2019-06-18 22:46 ` [f2fs-dev] " Theodore Ts'o
2019-06-18 22:46 ` Theodore Ts'o
2019-06-18 23:41 ` Eric Biggers
2019-06-18 23:41 ` [f2fs-dev] " Eric Biggers
2019-06-18 23:41 ` Eric Biggers
2019-06-19 3:05 ` Theodore Ts'o [this message]
2019-06-19 3:05 ` [f2fs-dev] " Theodore Ts'o
2019-06-19 3:05 ` Theodore Ts'o
2019-06-19 19:13 ` Eric Biggers
2019-06-19 19:13 ` [f2fs-dev] " Eric Biggers
2019-06-19 19:13 ` Eric Biggers
2019-06-06 15:52 ` [PATCH v4 15/16] ext4: add fs-verity read support Eric Biggers
2019-06-06 15:52 ` [f2fs-dev] " Eric Biggers
2019-06-06 15:52 ` Eric Biggers
2019-06-06 15:52 ` [PATCH v4 16/16] f2fs: add fs-verity support Eric Biggers
2019-06-06 15:52 ` [f2fs-dev] " Eric Biggers
2019-06-06 15:52 ` Eric Biggers
2019-06-06 17:21 ` [PATCH v4 00/16] fs-verity: read-only file-based authenticity protection Linus Torvalds
2019-06-06 17:21 ` [f2fs-dev] " Linus Torvalds
2019-06-06 17:21 ` Linus Torvalds
2019-06-06 19:43 ` Eric Biggers
2019-06-06 19:43 ` [f2fs-dev] " Eric Biggers
2019-06-06 19:43 ` Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190619030522.GA28351@mit.edu \
--to=tytso@mit.edu \
--cc=darrick.wong@oracle.com \
--cc=david@fromorbit.com \
--cc=ebiggers@kernel.org \
--cc=hch@lst.de \
--cc=jaegeuk@kernel.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=victorhsieh@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.