From: "Theodore Y. Ts'o"
Subject: Proposal: A new fs-verity interface
Date: Thu, 10 Jan 2019 00:15:00 -0500
Message-ID: <20190110051500.GA32361@mit.edu>
To: Linus Torvalds, Christoph Hellwig, Dave Chinner, "Darrick J. Wong", Eric Biggers, linux-fsdevel
List-Id: linux-fsdevel.vger.kernel.org

The following approach is based on Darrick's suggestion:

    int ioctl(fd, FS_IOC_ENABLE_VERITY, struct fsverity_arg *arg);

    struct fsverity_arg {
        int fsv_donor_fd;
        u64 fsv_offset;
        u64 fsv_size;
    };

fsv_offset and fsv_size must be a multiple of the file system block size.

If the ioctl completes successfully, as a side effect the donor_fd will have a hole punch operation on the specified range. In other words, the equivalent of fallocate(fsv_donor_fd, FALLOC_FL_PUNCH_HOLE, fsv_offset, fsv_size), and the file specified by fd will be protected using fsverity. It will be legal for fsv_donor_fd == fd, so this interface is a superset of the original FS_IOC_ENABLE_VERITY ioctl.

This will hopefully make Christoph and Dave happy because the interface does not presuppose how ext4 and f2fs will implement fsverity behind the scenes. However, it does not forbid it, and the net cost is that ext4 and f2fs will have to implement code which transplants the blocks from the donor_fd to fd in the case where donor_fd != fd --- and in the case where blocks are encrypted using fscrypt, we will have to decrypt the blocks from donor_fd and possibly re-encrypt them in fd's per-file key, which means we'll have to add extra complexity to implement the decrypt and re-encrypt passing through the page cache.
But if this helps resolve Christoph and Dave's objections, it shouldn't be _too_ much extra complexity. Before we go ahead and implement it, though, I'd appreciate a confirmation that this will indeed actually resolve their complaints.

Thanks,

- Ted
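As an added illustration of what the userspace side of this proposal would have to do (example code written for this page; it is not from Ted's message and not kernel code), the Python below builds the verity metadata for a file into a separate donor file, checks the block-alignment rule the ioctl would enforce, and packs struct fsverity_arg. Everything beyond the message is an assumption and labelled as such in the code: that the donor range holds a Merkle tree over the file's blocks (the layout used here, leaf level first, every level zero-padded to a whole number of blocks, root = hash of the final block, is a simplified stand-in and not fs-verity's on-disk format), that the block size is 4096 and the hash is SHA-256, that the struct is laid out with the host C ABI's natural alignment ("@iQQ"), and the ioctl itself is never issued because the interface was only proposed.

```python
"""Userspace side of the proposed donor-fd FS_IOC_ENABLE_VERITY interface.

Added example, not code from the kernel or from the mailing-list post.
Assumptions (not stated in the message):
  * the donor range holds a Merkle tree over the file's blocks, one
    digest per block, built bottom-up; the layout (leaf level first,
    each level zero-padded to a block multiple, root = hash of the final
    block) is a simplified stand-in, not fs-verity's on-disk format;
  * BLOCK_SIZE is the filesystem block size (4096 assumed);
  * struct fsverity_arg is packed with natural C alignment ("@iQQ");
  * the ioctl itself is never issued here.
"""
import hashlib
import os
import struct
import tempfile

BLOCK_SIZE = 4096          # assumed filesystem block size
HASH_ALGO = "sha256"       # assumed tree hash
FSVERITY_ARG_FMT = "@iQQ"  # int fsv_donor_fd; u64 fsv_offset; u64 fsv_size


def _chunks(buf, size):
    return [buf[i:i + size] for i in range(0, len(buf), size)]


def build_merkle_tree(data, block_size=BLOCK_SIZE, algo=HASH_ALGO):
    """Return (root_hash, tree_bytes) for `data`.

    tree_bytes is what goes into the donor range; every level is a whole
    number of blocks, so its length is a multiple of block_size (which is
    why fsv_size can always be block-aligned).  An empty file is treated
    as a single zero block.
    """
    def hash_block(block):
        return hashlib.new(algo, block.ljust(block_size, b"\0")).digest()

    # Leaf level: one digest per data block, last block zero-padded.
    hashes = [hash_block(b) for b in _chunks(data, block_size)] or [hash_block(b"")]
    levels = []
    while True:
        level = b"".join(hashes)
        level += b"\0" * ((-len(level)) % block_size)   # pad to whole blocks
        levels.append(level)
        # Next level up: one digest per block of the level just written.
        hashes = [hash_block(b) for b in _chunks(level, block_size)]
        if len(hashes) == 1:
            return hashes[0], b"".join(levels)


def verity_tree_size(file_size, block_size=BLOCK_SIZE, algo=HASH_ALGO):
    """Bytes the donor range must hold for a file of file_size, computed
    from the geometry alone (no hashing), so fsv_size can be planned."""
    hlen = hashlib.new(algo).digest_size
    nblocks = max(1, -(-file_size // block_size))
    total = 0
    while True:
        level_blocks = -(-(nblocks * hlen) // block_size)
        total += level_blocks * block_size
        if level_blocks == 1:
            return total
        nblocks = level_blocks


def make_fsverity_arg(donor_fd, offset, size, block_size=BLOCK_SIZE):
    """Validate and pack struct fsverity_arg as the proposal specifies.

    fsv_offset and fsv_size must be multiples of the block size: the
    filesystem transplants whole blocks and then punches a hole over
    exactly that range in the donor, so a partial block has no meaning.
    """
    if donor_fd < 0:
        raise ValueError("fsv_donor_fd must be a valid descriptor")
    if offset % block_size or size % block_size:
        raise ValueError("fsv_offset and fsv_size must be multiples of the block size")
    if size == 0:
        raise ValueError("fsv_size must cover at least one block")
    return struct.pack(FSVERITY_ARG_FMT, donor_fd, offset, size)


def prepare_donor(target_path, donor_path, offset=0):
    """Write the tree for target_path into donor_path at `offset` and
    return (donor_fd, packed_arg, root_hash).  The caller would then run
    ioctl(target_fd, FS_IOC_ENABLE_VERITY, packed_arg); with donor_path ==
    target_path and an offset past EOF this is the fsv_donor_fd == fd case."""
    with open(target_path, "rb") as f:
        root, tree = build_merkle_tree(f.read())
    donor_fd = os.open(donor_path, os.O_RDWR | os.O_CREAT, 0o600)
    os.pwrite(donor_fd, tree, offset)
    return donor_fd, make_fsverity_arg(donor_fd, offset, len(tree)), root


def demo(file_size=1 << 20):
    """Round trip over constructed data in a temp dir; returns a summary."""
    data = bytes(range(256)) * (file_size // 256) + b"x" * (file_size % 256)
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "payload.bin")
        donor = os.path.join(d, "payload.verity")
        with open(target, "wb") as f:
            f.write(data)
        donor_fd, arg, root = prepare_donor(target, donor)
        fd, off, size = struct.unpack(FSVERITY_ARG_FMT, arg)
        donor_size = os.fstat(donor_fd).st_size
        os.close(donor_fd)
        return {"root": root.hex(), "offset": off, "size": size,
                "donor_size": donor_size,
                "expected_size": verity_tree_size(len(data)),
                "fd_matches": fd == donor_fd}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With a 1 MiB file the leaf level is 256 digests (two blocks) and the level above it one block, so the donor range is three blocks; verity_tree_size lets a caller size the range before hashing, and make_fsverity_arg rejects the unaligned offsets and sizes the ioctl would have to refuse.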