Linux-ext4 Archive on lore.kernel.org
 help / color / Atom feed
From: Andreas Dilger <adilger@dilger.ca>
To: Eric Biggers <ebiggers@kernel.org>
Cc: linux-ext4 <linux-ext4@vger.kernel.org>, linux-fscrypt@vger.kernel.org
Subject: Re: [PATCH 1/4] tune2fs: prevent changing UUID of fs with stable_inodes feature
Date: Fri, 10 Apr 2020 05:53:54 -0600
Message-ID: <AC4A8A20-E23D-4695-B127-65CBCD3A3209@dilger.ca> (raw)
In-Reply-To: <20200408031149.GA852@sol.localdomain>


[-- Attachment #1: Type: text/plain, Size: 4214 bytes --]

On Apr 7, 2020, at 9:11 PM, Eric Biggers <ebiggers@kernel.org> wrote:
> 
> On Tue, Apr 07, 2020 at 10:18:55AM -0600, Andreas Dilger wrote:
>> 
>> One question though - for the data checksums it uses s_checksum_seed
>> to generate checksums, rather than directly using the UUID itself,
>> so that it *is* possible to change the filesystem UUID after
>> metadata_csum is in use, without the need to rewrite all of the
>> checksums in the filesystem.  Could the same be done for stable_inode?
> 
> We could have used s_encrypt_pw_salt, but from a cryptographic perspective I
> feel a bit safer using the UUID.  ext4 metadata checksums are non-cryptographic
> and for integrity-only, so it's not disastrous if multiple filesystems share the
> same s_checksum_seed.  So EXT4_FEATURE_INCOMPAT_CSUM_SEED makes sense as a
> usability improvement for people doing things with filesystem cloning.
> 
> The new inode-number based encryption is a bit different since it may (depending
> on how userspace chooses keys) depend on the per-filesystem ID for cryptographic
> purposes.  So it can be much more important that these IDs are really unique.
> 
> On this basis, the UUID seems like a better choice since people doing things
> with filesystem cloning are more likely to remember to set up the UUIDs as
> unique, vs. some "second UUID" that's more hidden and would be forgotten about.

Actually, I think the opposite is true here.  To avoid usability problems,
users *have* to change the UUID of a cloned/snapshot filesystem to avoid
problems with mount-by-UUID (e.g. either filesystem may be mounted randomly
on each boot, depending on the device enumeration order).  However, if they
try to change the UUID, that would immediately break all of the encrypted
files in the filesystem, so that means with the stable_inode feature either:
- a snapshot/clone of a filesystem may subtly break your system, or
- you can't keep a snapshot/clone of such a filesystem on the same node

> Using s_encrypt_pw_salt would also have been a bit more complex, as we'd have
> had to add fscrypt_operations to retrieve it rather than just using s_uuid --
> remembering to generate it if unset (mke2fs doesn't set it).  We'd also have
> wanted to rename it to something else like s_encrypt_uuid to avoid confusion as
> it would no longer be just a password salt.
> 
> Anyway, we couldn't really change this now even if we wanted to, since
> IV_INO_LBLK_64 encryption policies were already released in v5.5.

I'm not sure I buy these arguments...  We changed handling of metadata_csum
after the fact, by checking at mount if s_checksum_seed is initialized,
otherwise hashing s_uuid and storing if it is zero.  Storing s_checksum_seed
proactively in the kernel and e2fsck allows users to change s_uuid if they
have a new enough kernel without noticing that the checksums were originally
based on s_uuid rather than the hash of it in s_checksum_seed.

I'm not sure of the details of whether s_encrypt_pw_salt is used in the
IV_INO_LBLK_64 case or not (since it uses inode/block number as the salt?),
but I see that the code is already initializing s_encrypt_pw_salt in the
kernel if unset, so that is not hard to do.  It could just make a copy from
s_uuid rather than generating a new UUID for s_encrypt_pw_salt, or for new
filesystems it can generate a unique s_encrypt_pw_salt and only use that?

Storing a feature flag to indicate whether s_uuid or s_encrypt_pw_salt is
used for the IV_INO_LBLK_64 case seems pretty straight forward?  Maybe any
filesystems that are using IV_INO_LBLK_64 with s_uuid can't change the UUID,
but a few bits and lines of code could allow any new filesystem to do so?
If you consider that 5.5 has been out for a few months, there aren't going
to be a lot of users of that approach, vs. the next 10 years or more.

In the end, you are the guy who has to deal with issues here, so I leave it
to you.  I just think it is a problem waiting to happen, and preventing the
users from shooting themselves in the foot with tune2fs doesn't mean that
they won't have significant problems later that could easily be solved now.

Cheers, Andreas






[-- Attachment #2: Message signed with OpenPGP --]
[-- Type: application/pgp-signature, Size: 873 bytes --]

  reply index

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-04-01 20:32 [PATCH 0/4] e2fsprogs: fix and document the " Eric Biggers
2020-04-01 20:32 ` [PATCH 1/4] tune2fs: prevent changing UUID of fs with " Eric Biggers
2020-04-02  2:19   ` Andreas Dilger
2020-04-07  5:32     ` Eric Biggers
2020-04-07 16:18       ` Andreas Dilger
2020-04-08  3:11         ` Eric Biggers
2020-04-10 11:53           ` Andreas Dilger [this message]
2020-04-10 15:06             ` Theodore Y. Ts'o
2020-04-10 16:30             ` Eric Biggers
2020-04-01 20:32 ` [PATCH 2/4] tune2fs: prevent stable_inodes feature from being cleared Eric Biggers
2020-04-01 20:32 ` [PATCH 3/4] ext4.5: document the stable_inodes feature Eric Biggers
2020-04-01 20:32 ` [PATCH 4/4] tune2fs.8: " Eric Biggers
2020-04-02  2:12   ` Andreas Dilger
2020-04-07  5:10     ` Eric Biggers
2020-04-10 15:24 ` [PATCH 0/4] e2fsprogs: fix and " Theodore Y. Ts'o
2020-05-07 18:18   ` Eric Biggers
2020-06-15 22:22     ` Eric Biggers
2020-07-27 16:45       ` Eric Biggers
2020-09-01 16:19         ` Eric Biggers
2020-09-21 22:41           ` Eric Biggers

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=AC4A8A20-E23D-4695-B127-65CBCD3A3209@dilger.ca \
    --to=adilger@dilger.ca \
    --cc=ebiggers@kernel.org \
    --cc=linux-ext4@vger.kernel.org \
    --cc=linux-fscrypt@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-ext4 Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-ext4/0 linux-ext4/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-ext4 linux-ext4/ https://lore.kernel.org/linux-ext4 \
		linux-ext4@vger.kernel.org
	public-inbox-index linux-ext4

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-ext4


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git