Re: [RFC PATCH 00/17] fscrypt: add per-extent encryption keys

From: Neal Gompa <ngompa13@gmail.com>
To: Sweet Tea Dorminy <sweettea-kernel@dorminy.me>
Cc: linux-fscrypt@vger.kernel.org, ebiggers@kernel.org,
	paulcrowley@google.com, linux-btrfs@vger.kernel.org,
	kernel-team@meta.com
Subject: Re: [RFC PATCH 00/17] fscrypt: add per-extent encryption keys
Date: Wed, 22 Feb 2023 06:52:54 -0500	[thread overview]
Message-ID: <CAEg-Je-tcpu0u2TekzjrtQ4x0PQtV_1A300WxAiTVswjKbJjYw@mail.gmail.com> (raw)
In-Reply-To: <cover.1672547582.git.sweettea-kernel@dorminy.me>

On Sun, Jan 1, 2023 at 12:08 AM Sweet Tea Dorminy
<sweettea-kernel@dorminy.me> wrote:
>
> Last month, after a discussion of using fscrypt in btrfs, several
> potential areas for expansion of fscrypt functionality were identified:
> specifically, per-extent keys, authenticated encryption, and 'rekeying'
> a directory tree [1]. These additions will permit btrfs to have better
> cryptographic characteristics than previous attempts at expanding btrfs
> to use fscrypt.
>
> This attempts to implement the first of these, per-extent keys (in
> analogy to the current per-inode keys) in fscrypt. For a filesystem
> using per-extent keys, the idea is that each regular file inode is
> linked to its parent directory's fscrypt_info, while each extent in
> the filesystem -- opaque to fscrypt -- stores a fscrypt_info providing
> the key for the data in that extent. For non-regular files, the inode
> has its own fscrypt_info as in current ("inode-based") fscrypt.
>
> IV generation methods using logical block numbers use the logical block
> number within the extent, and for IV generation methods using inode
> numbers, such filesystems may optionally implement a method providing an
> equivalent on a per-extent basis.
>
> Known limitations: change 12 ("fscrypt: notify per-extent infos if
> master key vanishes") does not sufficiently argue that there cannot be a
> race between freeing a master key and using it for some pending extent IO.
> Change 16 ("fscrypt: disable inline encryption for extent-based
> encryption") merely disables inline encryption, when it should implement
> generating appropriate inline encryption info for extent infos.
>
> This has not been thoroughly tested against a btrfs implementation of
> the interfaces -- I've thrown out everything here and tried something
> new several times, and while I think this interface is a decent one, I
> would like to get input on it in parallel with finishing the btrfs side
> of this part, and the other elements of the design mentioned in [1]
>
> [1] https://docs.google.com/document/d/1janjxewlewtVPqctkWOjSa7OhCgB8Gdx7iDaCDQQNZA/edit?usp=sharing
>
> *** BLURB HERE ***
>
> Sweet Tea Dorminy (17):
>   fscrypt: factor accessing inode->i_crypt_info
>   fscrypt: separate getting info for a specific block
>   fscrypt: adjust effective lblks based on extents
>   fscrypt: factor out fscrypt_set_inode_info()
>   fscrypt: use parent dir's info for extent-based encryption.
>   fscrypt: add a super_block pointer to fscrypt_info
>   fscrypt: update comments about inodes to include extents
>   fscrypt: rename mk->mk_decrypted_inodes*
>   fscrypt: make fscrypt_setup_encryption_info generic for extents
>   fscrypt: let fscrypt_infos be owned by an extent
>   fscrypt: update all the *per_file_* function names
>   fscrypt: notify per-extent infos if master key vanishes
>   fscrypt: use an optional ino equivalent for per-extent infos
>   fscrypt: add creation/usage/freeing of per-extent infos
>   fscrypt: allow load/save of extent contexts
>   fscrypt: disable inline encryption for extent-based encryption
>   fscrypt: update documentation to mention per-extent keys.
>
>  Documentation/filesystems/fscrypt.rst |  38 +++-
>  fs/crypto/crypto.c                    |  17 +-
>  fs/crypto/fname.c                     |   9 +-
>  fs/crypto/fscrypt_private.h           | 174 +++++++++++++----
>  fs/crypto/hooks.c                     |   2 +-
>  fs/crypto/inline_crypt.c              |  42 ++--
>  fs/crypto/keyring.c                   |  67 ++++---
>  fs/crypto/keysetup.c                  | 263 ++++++++++++++++++++------
>  fs/crypto/keysetup_v1.c               |  24 +--
>  fs/crypto/policy.c                    |  28 ++-
>  include/linux/fscrypt.h               |  76 ++++++++
>  11 files changed, 580 insertions(+), 160 deletions(-)
>
>
> base-commit: b7af0635c87ff78d6bd523298ab7471f9ffd3ce5
> --
> 2.38.1
>

I'm surprised that this submission generated no discussion across a
timeframe of over a month. Is this normal for RFC patch sets?

-- 
真実はいつも一つ！/ Always, there's only one truth!