From: Eric Biggers <ebiggers@kernel.org>
To: Jeff Layton <jlayton@kernel.org>
Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-mtd@lists.infradead.org, ceph-devel@vger.kernel.org
Subject: Re: [RFC PATCH 1/8] fscrypt: add fscrypt_prepare_new_inode() and fscrypt_set_context()
Date: Mon, 24 Aug 2020 13:49:12 -0700 [thread overview]
Message-ID: <20200824204912.GD1650861@gmail.com> (raw)
In-Reply-To: <fe81c713ed827b91004b0e2838800684da33e60c.camel@kernel.org>
On Mon, Aug 24, 2020 at 03:42:59PM -0400, Jeff Layton wrote:
> On Mon, 2020-08-24 at 12:02 -0700, Eric Biggers wrote:
> > On Mon, Aug 24, 2020 at 02:47:07PM -0400, Jeff Layton wrote:
> > > On Mon, 2020-08-24 at 11:21 -0700, Eric Biggers wrote:
> > > > On Mon, Aug 24, 2020 at 12:48:48PM -0400, Jeff Layton wrote:
> > > > > > +void fscrypt_hash_inode_number(struct fscrypt_info *ci,
> > > > > > + const struct fscrypt_master_key *mk)
> > > > > > +{
> > > > > > + WARN_ON(ci->ci_inode->i_ino == 0);
> > > > > > + WARN_ON(!mk->mk_ino_hash_key_initialized);
> > > > > > +
> > > > > > + ci->ci_hashed_ino = (u32)siphash_1u64(ci->ci_inode->i_ino,
> > > > > > + &mk->mk_ino_hash_key);
> > > > >
> > > > > i_ino is an unsigned long. Will this produce a consistent results on
> > > > > arches with 32 and 64 bit long values? I think it'd be nice to ensure
> > > > > that we can access an encrypted directory created on a 32-bit host from
> > > > > (e.g.) a 64-bit host.
> > > >
> > > > The result is the same regardless of word size and endianness.
> > > > siphash_1u64(v, k) is equivalent to:
> > > >
> > > > __le64 x = cpu_to_le64(v);
> > > > siphash(&x, 8, k);
> > > >
> > >
> > > In the case where you have an (on-storage) inode number that is larger
> > > than 2^32, x will almost certainly be different on a 32 vs. 64-bit
> > > wordsize.
> > >
> > > On the box with the 32-bit wordsize, you'll end up promoting i_ino to a
> > > 64-bit word and the upper 32 bits will be zeroed out. So it seems like
> > > this means that if you're using inline hardware you're going to end up
> > > with a result that won't work correctly across different wordsizes.
> >
> > That's only possible if the VFS is truncating the inode number, which would also
> > break userspace in lots of ways like making applications think that files are
> > hard-linked together when they aren't. Also, IV_INO_LBLK_64 would break.
> >
> > The correct fix for that would be to make inode::i_ino 64-bit.
> >
>
> ...or just ask the filesystem for the 64-bit inode number via ->getattr
> or a new op. You could also just truncate it down to 32 bits or xor the
> top and bottom bits together first, etc...
>
> > Note that ext4 and f2fs (currently the only filesystems that support the
> > IV_INO_LBLK_* flags) only support 32-bit inode numbers.
> >
>
> Ahh, ok. That explains why it's not been an issue so far. Still, if
> you're reworking this code anyway, you might want to consider avoiding
> i_ino here.
Let's just enforce ino_bits <= 32 for IV_INO_LBLK_32 for now,
like is done for IV_INO_LBLK_64:
https://lkml.kernel.org/r/20200824203841.1707847-1-ebiggers@kernel.org
There's no need to add extra complexity for something that no one wants yet.
(And as mentioned, this won't prevent ceph or other filesystems with 64-bit
inode numbers from adding support for fscrypt, as IV_INO_LBLK_32 support is
optional and has a pretty specific use case.)
- Eric
next prev parent reply other threads:[~2020-08-24 20:49 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-24 6:17 [RFC PATCH 0/8] fscrypt: avoid GFP_NOFS-unsafe key setup during transaction Eric Biggers
2020-08-24 6:17 ` [RFC PATCH 1/8] fscrypt: add fscrypt_prepare_new_inode() and fscrypt_set_context() Eric Biggers
2020-08-24 16:48 ` Jeff Layton
2020-08-24 18:21 ` Eric Biggers
2020-08-24 18:47 ` Jeff Layton
2020-08-24 19:02 ` Eric Biggers
2020-08-24 19:42 ` Jeff Layton
2020-08-24 20:49 ` Eric Biggers [this message]
2020-08-24 6:17 ` [RFC PATCH 2/8] ext4: factor out ext4_xattr_credits_for_new_inode() Eric Biggers
2020-08-24 6:17 ` [RFC PATCH 3/8] ext4: remove some #ifdefs in ext4_xattr_credits_for_new_inode() Eric Biggers
2020-08-24 6:17 ` [RFC PATCH 4/8] ext4: use fscrypt_prepare_new_inode() and fscrypt_set_context() Eric Biggers
2020-08-24 6:17 ` [RFC PATCH 5/8] f2fs: " Eric Biggers
2020-08-24 6:17 ` [RFC PATCH 6/8] ubifs: " Eric Biggers
2020-08-24 6:17 ` [RFC PATCH 7/8] fscrypt: remove fscrypt_inherit_context() Eric Biggers
2020-08-24 6:17 ` [RFC PATCH 8/8] fscrypt: stop pretending that key setup is nofs-safe Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200824204912.GD1650861@gmail.com \
--to=ebiggers@kernel.org \
--cc=ceph-devel@vger.kernel.org \
--cc=jlayton@kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).