From: Victor Hsieh <victorhsieh@google.com>
To: Eric Biggers <ebiggers@kernel.org>
Cc: linux-fscrypt@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-ext4@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-api@vger.kernel.org, "Theodore Ts'o" <tytso@mit.edu>,
Jaegeuk Kim <jaegeuk@kernel.org>
Subject: Re: [PATCH 0/6] fs-verity: add an ioctl to read verity metadata
Date: Fri, 22 Jan 2021 15:26:48 -0800 [thread overview]
Message-ID: <CAFCauYN12bWRn2N+uP455KuRmz7CQkCBXnz0B2sr5kCQtpJo4A@mail.gmail.com> (raw)
In-Reply-To: <20210115181819.34732-1-ebiggers@kernel.org>
LGTM. Thanks!
Reviewed-by: Victor Hsieh <victorhsieh@google.com>
On Fri, Jan 15, 2021 at 10:19 AM Eric Biggers <ebiggers@kernel.org> wrote:
>
> [This patchset applies to v5.11-rc3]
>
> Add an ioctl FS_IOC_READ_VERITY_METADATA which allows reading verity
> metadata from a file that has fs-verity enabled, including:
>
> - The Merkle tree
> - The fsverity_descriptor (not including the signature if present)
> - The built-in signature, if present
>
> This ioctl has similar semantics to pread(). It is passed the type of
> metadata to read (one of the above three), and a buffer, offset, and
> size. It returns the number of bytes read or an error.
>
> This ioctl doesn't make any assumption about where the metadata is
> stored on-disk. It does assume the metadata is in a stable format, but
> that's basically already the case:
>
> - The Merkle tree and fsverity_descriptor are defined by how fs-verity
> file digests are computed; see the "File digest computation" section
> of Documentation/filesystems/fsverity.rst. Technically, the way in
> which the levels of the tree are ordered relative to each other wasn't
> previously specified, but it's logical to put the root level first.
>
> - The built-in signature is the value passed to FS_IOC_ENABLE_VERITY.
>
> This ioctl is useful because it allows writing a server program that
> takes a verity file and serves it to a client program, such that the
> client can do its own fs-verity compatible verification of the file.
> This only makes sense if the client doesn't trust the server and if the
> server needs to provide the storage for the client.
>
> More concretely, there is interest in using this ability in Android to
> export APK files (which are protected by fs-verity) to "protected VMs".
> This would use Protected KVM (https://lwn.net/Articles/836693), which
> provides an isolated execution environment without having to trust the
> traditional "host". A "guest" VM can boot from a signed image and
> perform specific tasks in a minimum trusted environment using files that
> have fs-verity enabled on the host, without trusting the host or
> requiring that the guest has its own trusted storage.
>
> Technically, it would be possible to duplicate the metadata and store it
> in separate files for serving. However, that would be less efficient
> and would require extra care in userspace to maintain file consistency.
>
> In addition to the above, the ability to read the built-in signatures is
> useful because it allows a system that is using the in-kernel signature
> verification to migrate to userspace signature verification.
>
> This patchset has been tested by new xfstests which call this new ioctl
> via a new subcommand for the 'fsverity' program from fsverity-utils.
>
> Eric Biggers (6):
> fs-verity: factor out fsverity_get_descriptor()
> fs-verity: don't pass whole descriptor to fsverity_verify_signature()
> fs-verity: add FS_IOC_READ_VERITY_METADATA ioctl
> fs-verity: support reading Merkle tree with ioctl
> fs-verity: support reading descriptor with ioctl
> fs-verity: support reading signature with ioctl
>
> Documentation/filesystems/fsverity.rst | 76 ++++++++++
> fs/ext4/ioctl.c | 7 +
> fs/f2fs/file.c | 11 ++
> fs/verity/Makefile | 1 +
> fs/verity/fsverity_private.h | 13 +-
> fs/verity/open.c | 133 +++++++++++------
> fs/verity/read_metadata.c | 195 +++++++++++++++++++++++++
> fs/verity/signature.c | 20 +--
> include/linux/fsverity.h | 12 ++
> include/uapi/linux/fsverity.h | 14 ++
> 10 files changed, 417 insertions(+), 65 deletions(-)
> create mode 100644 fs/verity/read_metadata.c
>
>
> base-commit: 7c53f6b671f4aba70ff15e1b05148b10d58c2837
> --
> 2.30.0
>
next prev parent reply other threads:[~2021-01-22 23:27 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-15 18:18 [PATCH 0/6] fs-verity: add an ioctl to read verity metadata Eric Biggers
2021-01-15 18:18 ` [PATCH 1/6] fs-verity: factor out fsverity_get_descriptor() Eric Biggers
2021-01-28 1:04 ` Jaegeuk Kim
2021-01-15 18:18 ` [PATCH 2/6] fs-verity: don't pass whole descriptor to fsverity_verify_signature() Eric Biggers
2021-01-28 1:04 ` Jaegeuk Kim
2021-01-28 3:24 ` Amy Parker
2021-01-15 18:18 ` [PATCH 3/6] fs-verity: add FS_IOC_READ_VERITY_METADATA ioctl Eric Biggers
2021-01-28 1:03 ` Jaegeuk Kim
2021-02-07 7:46 ` [f2fs-dev] " Chao Yu
2021-02-07 8:01 ` Eric Biggers
2021-02-07 8:32 ` Chao Yu
2021-01-15 18:18 ` [PATCH 4/6] fs-verity: support reading Merkle tree with ioctl Eric Biggers
2021-01-28 1:10 ` Jaegeuk Kim
2021-01-28 2:17 ` Eric Biggers
2021-01-15 18:18 ` [PATCH 5/6] fs-verity: support reading descriptor " Eric Biggers
2021-01-28 1:11 ` Jaegeuk Kim
2021-01-15 18:18 ` [PATCH 6/6] fs-verity: support reading signature " Eric Biggers
2021-01-28 1:11 ` Jaegeuk Kim
2021-01-22 23:26 ` Victor Hsieh [this message]
2021-01-25 18:41 ` [PATCH 0/6] fs-verity: add an ioctl to read verity metadata Eric Biggers
2021-02-01 17:41 ` Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAFCauYN12bWRn2N+uP455KuRmz7CQkCBXnz0B2sr5kCQtpJo4A@mail.gmail.com \
--to=victorhsieh@google.com \
--cc=ebiggers@kernel.org \
--cc=jaegeuk@kernel.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).