From: Eric Biggers <ebiggers@kernel.org>
To: Jeff Layton <jlayton@kernel.org>
Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-mtd@lists.infradead.org, ceph-devel@vger.kernel.org
Subject: Re: [RFC PATCH 1/8] fscrypt: add fscrypt_prepare_new_inode() and fscrypt_set_context()
Date: Mon, 24 Aug 2020 13:49:12 -0700 [thread overview]
Message-ID: <20200824204912.GD1650861@gmail.com> (raw)
In-Reply-To: <fe81c713ed827b91004b0e2838800684da33e60c.camel@kernel.org>
On Mon, Aug 24, 2020 at 03:42:59PM -0400, Jeff Layton wrote:
> On Mon, 2020-08-24 at 12:02 -0700, Eric Biggers wrote:
> > On Mon, Aug 24, 2020 at 02:47:07PM -0400, Jeff Layton wrote:
> > > On Mon, 2020-08-24 at 11:21 -0700, Eric Biggers wrote:
> > > > On Mon, Aug 24, 2020 at 12:48:48PM -0400, Jeff Layton wrote:
> > > > > > +void fscrypt_hash_inode_number(struct fscrypt_info *ci,
> > > > > > + const struct fscrypt_master_key *mk)
> > > > > > +{
> > > > > > + WARN_ON(ci->ci_inode->i_ino == 0);
> > > > > > + WARN_ON(!mk->mk_ino_hash_key_initialized);
> > > > > > +
> > > > > > + ci->ci_hashed_ino = (u32)siphash_1u64(ci->ci_inode->i_ino,
> > > > > > + &mk->mk_ino_hash_key);
> > > > >
> > > > > i_ino is an unsigned long. Will this produce a consistent results on
> > > > > arches with 32 and 64 bit long values? I think it'd be nice to ensure
> > > > > that we can access an encrypted directory created on a 32-bit host from
> > > > > (e.g.) a 64-bit host.
> > > >
> > > > The result is the same regardless of word size and endianness.
> > > > siphash_1u64(v, k) is equivalent to:
> > > >
> > > > __le64 x = cpu_to_le64(v);
> > > > siphash(&x, 8, k);
> > > >
> > >
> > > In the case where you have an (on-storage) inode number that is larger
> > > than 2^32, x will almost certainly be different on a 32 vs. 64-bit
> > > wordsize.
> > >
> > > On the box with the 32-bit wordsize, you'll end up promoting i_ino to a
> > > 64-bit word and the upper 32 bits will be zeroed out. So it seems like
> > > this means that if you're using inline hardware you're going to end up
> > > with a result that won't work correctly across different wordsizes.
> >
> > That's only possible if the VFS is truncating the inode number, which would also
> > break userspace in lots of ways like making applications think that files are
> > hard-linked together when they aren't. Also, IV_INO_LBLK_64 would break.
> >
> > The correct fix for that would be to make inode::i_ino 64-bit.
> >
>
> ...or just ask the filesystem for the 64-bit inode number via ->getattr
> or a new op. You could also just truncate it down to 32 bits or xor the
> top and bottom bits together first, etc...
>
> > Note that ext4 and f2fs (currently the only filesystems that support the
> > IV_INO_LBLK_* flags) only support 32-bit inode numbers.
> >
>
> Ahh, ok. That explains why it's not been an issue so far. Still, if
> you're reworking this code anyway, you might want to consider avoiding
> i_ino here.
Let's just enforce ino_bits <= 32 for IV_INO_LBLK_32 for now,
like is done for IV_INO_LBLK_64:
https://lkml.kernel.org/r/20200824203841.1707847-1-ebiggers@kernel.org
There's no need to add extra complexity for something that no one wants yet.
(And as mentioned, this won't prevent ceph or other filesystems with 64-bit
inode numbers from adding support for fscrypt, as IV_INO_LBLK_32 support is
optional and has a pretty specific use case.)
- Eric
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org>
To: Jeff Layton <jlayton@kernel.org>
Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org,
linux-mtd@lists.infradead.org, ceph-devel@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net
Subject: Re: [f2fs-dev] [RFC PATCH 1/8] fscrypt: add fscrypt_prepare_new_inode() and fscrypt_set_context()
Date: Mon, 24 Aug 2020 13:49:12 -0700 [thread overview]
Message-ID: <20200824204912.GD1650861@gmail.com> (raw)
In-Reply-To: <fe81c713ed827b91004b0e2838800684da33e60c.camel@kernel.org>
On Mon, Aug 24, 2020 at 03:42:59PM -0400, Jeff Layton wrote:
> On Mon, 2020-08-24 at 12:02 -0700, Eric Biggers wrote:
> > On Mon, Aug 24, 2020 at 02:47:07PM -0400, Jeff Layton wrote:
> > > On Mon, 2020-08-24 at 11:21 -0700, Eric Biggers wrote:
> > > > On Mon, Aug 24, 2020 at 12:48:48PM -0400, Jeff Layton wrote:
> > > > > > +void fscrypt_hash_inode_number(struct fscrypt_info *ci,
> > > > > > + const struct fscrypt_master_key *mk)
> > > > > > +{
> > > > > > + WARN_ON(ci->ci_inode->i_ino == 0);
> > > > > > + WARN_ON(!mk->mk_ino_hash_key_initialized);
> > > > > > +
> > > > > > + ci->ci_hashed_ino = (u32)siphash_1u64(ci->ci_inode->i_ino,
> > > > > > + &mk->mk_ino_hash_key);
> > > > >
> > > > > i_ino is an unsigned long. Will this produce a consistent results on
> > > > > arches with 32 and 64 bit long values? I think it'd be nice to ensure
> > > > > that we can access an encrypted directory created on a 32-bit host from
> > > > > (e.g.) a 64-bit host.
> > > >
> > > > The result is the same regardless of word size and endianness.
> > > > siphash_1u64(v, k) is equivalent to:
> > > >
> > > > __le64 x = cpu_to_le64(v);
> > > > siphash(&x, 8, k);
> > > >
> > >
> > > In the case where you have an (on-storage) inode number that is larger
> > > than 2^32, x will almost certainly be different on a 32 vs. 64-bit
> > > wordsize.
> > >
> > > On the box with the 32-bit wordsize, you'll end up promoting i_ino to a
> > > 64-bit word and the upper 32 bits will be zeroed out. So it seems like
> > > this means that if you're using inline hardware you're going to end up
> > > with a result that won't work correctly across different wordsizes.
> >
> > That's only possible if the VFS is truncating the inode number, which would also
> > break userspace in lots of ways like making applications think that files are
> > hard-linked together when they aren't. Also, IV_INO_LBLK_64 would break.
> >
> > The correct fix for that would be to make inode::i_ino 64-bit.
> >
>
> ...or just ask the filesystem for the 64-bit inode number via ->getattr
> or a new op. You could also just truncate it down to 32 bits or xor the
> top and bottom bits together first, etc...
>
> > Note that ext4 and f2fs (currently the only filesystems that support the
> > IV_INO_LBLK_* flags) only support 32-bit inode numbers.
> >
>
> Ahh, ok. That explains why it's not been an issue so far. Still, if
> you're reworking this code anyway, you might want to consider avoiding
> i_ino here.
Let's just enforce ino_bits <= 32 for IV_INO_LBLK_32 for now,
like is done for IV_INO_LBLK_64:
https://lkml.kernel.org/r/20200824203841.1707847-1-ebiggers@kernel.org
There's no need to add extra complexity for something that no one wants yet.
(And as mentioned, this won't prevent ceph or other filesystems with 64-bit
inode numbers from adding support for fscrypt, as IV_INO_LBLK_32 support is
optional and has a pretty specific use case.)
- Eric
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org>
To: Jeff Layton <jlayton@kernel.org>
Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org,
linux-mtd@lists.infradead.org, ceph-devel@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net
Subject: Re: [RFC PATCH 1/8] fscrypt: add fscrypt_prepare_new_inode() and fscrypt_set_context()
Date: Mon, 24 Aug 2020 13:49:12 -0700 [thread overview]
Message-ID: <20200824204912.GD1650861@gmail.com> (raw)
In-Reply-To: <fe81c713ed827b91004b0e2838800684da33e60c.camel@kernel.org>
On Mon, Aug 24, 2020 at 03:42:59PM -0400, Jeff Layton wrote:
> On Mon, 2020-08-24 at 12:02 -0700, Eric Biggers wrote:
> > On Mon, Aug 24, 2020 at 02:47:07PM -0400, Jeff Layton wrote:
> > > On Mon, 2020-08-24 at 11:21 -0700, Eric Biggers wrote:
> > > > On Mon, Aug 24, 2020 at 12:48:48PM -0400, Jeff Layton wrote:
> > > > > > +void fscrypt_hash_inode_number(struct fscrypt_info *ci,
> > > > > > + const struct fscrypt_master_key *mk)
> > > > > > +{
> > > > > > + WARN_ON(ci->ci_inode->i_ino == 0);
> > > > > > + WARN_ON(!mk->mk_ino_hash_key_initialized);
> > > > > > +
> > > > > > + ci->ci_hashed_ino = (u32)siphash_1u64(ci->ci_inode->i_ino,
> > > > > > + &mk->mk_ino_hash_key);
> > > > >
> > > > > i_ino is an unsigned long. Will this produce a consistent results on
> > > > > arches with 32 and 64 bit long values? I think it'd be nice to ensure
> > > > > that we can access an encrypted directory created on a 32-bit host from
> > > > > (e.g.) a 64-bit host.
> > > >
> > > > The result is the same regardless of word size and endianness.
> > > > siphash_1u64(v, k) is equivalent to:
> > > >
> > > > __le64 x = cpu_to_le64(v);
> > > > siphash(&x, 8, k);
> > > >
> > >
> > > In the case where you have an (on-storage) inode number that is larger
> > > than 2^32, x will almost certainly be different on a 32 vs. 64-bit
> > > wordsize.
> > >
> > > On the box with the 32-bit wordsize, you'll end up promoting i_ino to a
> > > 64-bit word and the upper 32 bits will be zeroed out. So it seems like
> > > this means that if you're using inline hardware you're going to end up
> > > with a result that won't work correctly across different wordsizes.
> >
> > That's only possible if the VFS is truncating the inode number, which would also
> > break userspace in lots of ways like making applications think that files are
> > hard-linked together when they aren't. Also, IV_INO_LBLK_64 would break.
> >
> > The correct fix for that would be to make inode::i_ino 64-bit.
> >
>
> ...or just ask the filesystem for the 64-bit inode number via ->getattr
> or a new op. You could also just truncate it down to 32 bits or xor the
> top and bottom bits together first, etc...
>
> > Note that ext4 and f2fs (currently the only filesystems that support the
> > IV_INO_LBLK_* flags) only support 32-bit inode numbers.
> >
>
> Ahh, ok. That explains why it's not been an issue so far. Still, if
> you're reworking this code anyway, you might want to consider avoiding
> i_ino here.
Let's just enforce ino_bits <= 32 for IV_INO_LBLK_32 for now,
like is done for IV_INO_LBLK_64:
https://lkml.kernel.org/r/20200824203841.1707847-1-ebiggers@kernel.org
There's no need to add extra complexity for something that no one wants yet.
(And as mentioned, this won't prevent ceph or other filesystems with 64-bit
inode numbers from adding support for fscrypt, as IV_INO_LBLK_32 support is
optional and has a pretty specific use case.)
- Eric
______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
next prev parent reply other threads:[~2020-08-24 20:49 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-24 6:17 [RFC PATCH 0/8] fscrypt: avoid GFP_NOFS-unsafe key setup during transaction Eric Biggers
2020-08-24 6:17 ` Eric Biggers
2020-08-24 6:17 ` [f2fs-dev] " Eric Biggers
2020-08-24 6:17 ` [RFC PATCH 1/8] fscrypt: add fscrypt_prepare_new_inode() and fscrypt_set_context() Eric Biggers
2020-08-24 6:17 ` Eric Biggers
2020-08-24 6:17 ` [f2fs-dev] " Eric Biggers
2020-08-24 16:48 ` Jeff Layton
2020-08-24 16:48 ` Jeff Layton
2020-08-24 16:48 ` [f2fs-dev] " Jeff Layton
2020-08-24 18:21 ` Eric Biggers
2020-08-24 18:21 ` Eric Biggers
2020-08-24 18:21 ` [f2fs-dev] " Eric Biggers
2020-08-24 18:47 ` Jeff Layton
2020-08-24 18:47 ` Jeff Layton
2020-08-24 18:47 ` [f2fs-dev] " Jeff Layton
2020-08-24 19:02 ` Eric Biggers
2020-08-24 19:02 ` Eric Biggers
2020-08-24 19:02 ` [f2fs-dev] " Eric Biggers
2020-08-24 19:42 ` Jeff Layton
2020-08-24 19:42 ` Jeff Layton
2020-08-24 19:42 ` [f2fs-dev] " Jeff Layton
2020-08-24 20:49 ` Eric Biggers [this message]
2020-08-24 20:49 ` Eric Biggers
2020-08-24 20:49 ` [f2fs-dev] " Eric Biggers
2020-08-24 6:17 ` [RFC PATCH 2/8] ext4: factor out ext4_xattr_credits_for_new_inode() Eric Biggers
2020-08-24 6:17 ` Eric Biggers
2020-08-24 6:17 ` [f2fs-dev] " Eric Biggers
2020-08-24 6:17 ` [RFC PATCH 3/8] ext4: remove some #ifdefs in ext4_xattr_credits_for_new_inode() Eric Biggers
2020-08-24 6:17 ` Eric Biggers
2020-08-24 6:17 ` [f2fs-dev] " Eric Biggers
2020-08-24 6:17 ` [RFC PATCH 4/8] ext4: use fscrypt_prepare_new_inode() and fscrypt_set_context() Eric Biggers
2020-08-24 6:17 ` Eric Biggers
2020-08-24 6:17 ` [f2fs-dev] " Eric Biggers
2020-08-24 6:17 ` [RFC PATCH 5/8] f2fs: " Eric Biggers
2020-08-24 6:17 ` Eric Biggers
2020-08-24 6:17 ` [f2fs-dev] " Eric Biggers
2020-08-24 6:17 ` [RFC PATCH 6/8] ubifs: " Eric Biggers
2020-08-24 6:17 ` Eric Biggers
2020-08-24 6:17 ` [f2fs-dev] " Eric Biggers
2020-08-24 6:17 ` [RFC PATCH 7/8] fscrypt: remove fscrypt_inherit_context() Eric Biggers
2020-08-24 6:17 ` Eric Biggers
2020-08-24 6:17 ` [f2fs-dev] " Eric Biggers
2020-08-24 6:17 ` [RFC PATCH 8/8] fscrypt: stop pretending that key setup is nofs-safe Eric Biggers
2020-08-24 6:17 ` Eric Biggers
2020-08-24 6:17 ` [f2fs-dev] " Eric Biggers
2020-08-24 20:01 [RFC PATCH 1/8] fscrypt: add fscrypt_prepare_new_inode() and fscrypt_set_context() kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200824204912.GD1650861@gmail.com \
--to=ebiggers@kernel.org \
--cc=ceph-devel@vger.kernel.org \
--cc=jlayton@kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.