From: Qu Wenruo <quwenruo.btrfs@gmx.com>
To: Johannes Thumshirn <jth@kernel.org>, David Sterba <dsterba@suse.cz>
Cc: linux-fsdevel@vger.kernel.org, linux-btrfs@vger.kernel.org,
Eric Biggers <ebiggers@google.com>,
Richard Weinberger <richard@nod.at>,
Johannes Thumshirn <johannes.thumshirn@wdc.com>,
Johannes Thumshirn <jthumshirn@suse.de>
Subject: Re: [PATCH v2 1/2] btrfs: add authentication support
Date: Tue, 5 May 2020 17:43:32 +0800 [thread overview]
Message-ID: <bcd4e839-36ac-9be5-e5e7-613124385177@gmx.com> (raw)
In-Reply-To: <20200428105859.4719-2-jth@kernel.org>
[-- Attachment #1.1: Type: text/plain, Size: 10294 bytes --]
On 2020/4/28 下午6:58, Johannes Thumshirn wrote:
> From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
>
> Add authentication support for a BTRFS file-system.
>
> This works, because in BTRFS every meta-data block as well as every
> data-block has a own checksum. For meta-data the checksum is in the
> meta-data node itself. For data blocks, the checksums are stored in the
> checksum tree.
>
> When replacing the checksum algorithm with a keyed hash, like HMAC(SHA256),
> a key is needed to mount a verified file-system. This key also needs to be
> used at file-system creation time.
>
> We have to used a keyed hash scheme, in contrast to doing a normal
> cryptographic hash, to guarantee integrity of the file system, as a
> potential attacker could just replay file-system operations and the
> changes would go unnoticed.
>
> Having a keyed hash only on the topmost Node of a tree or even just in the
> super-block and using cryptographic hashes on the normal meta-data nodes
> and checksum tree entries doesn't work either, as the BTRFS B-Tree's Nodes
> do not include the checksums of their respective child nodes, but only the
> block pointers and offsets where to find them on disk.
>
> Also note, we do not need a incompat R/O flag for this, because if an old
> kernel tries to mount an authenticated file-system it will fail the
> initial checksum type verification and thus refuses to mount.
>
> The key has to be supplied by the kernel's keyring and the method of
> getting the key securely into the kernel is not subject of this patch.
>
> Example usage:
> Create a file-system with authentication key 0123456
> mkfs.btrfs --csum hmac-sha256 --auth-key 0123456 /dev/disk
>
> Add the key to the kernel's keyring as keyid 'btrfs:foo'
> keyctl add logon btrfs:foo 0123456 @u
>
> Mount the fs using the 'btrfs:foo' key
> mount -t btrfs -o auth_key=btrfs:foo /dev/disk /mnt/point
>
> Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
Looks pretty straight forward, and has the basic protection against
re-writing all csum attack.
So looks good to me.
But still I have one question around the device scan part.
Since now superblock can only be read after verified the csum, it means
without auth_key mount option, device scan won't even work properly.
Do you assume that all such hmac protected multi-device btrfs must be
mounted using device= mount option along with auth_key?
If so, a lot of users won't be that happy afaik.
Thanks,
Qu
> ---
> fs/btrfs/ctree.c | 3 ++-
> fs/btrfs/ctree.h | 2 ++
> fs/btrfs/disk-io.c | 53 ++++++++++++++++++++++++++++++++++++++++-
> fs/btrfs/super.c | 24 ++++++++++++++++---
> include/uapi/linux/btrfs_tree.h | 1 +
> 5 files changed, 78 insertions(+), 5 deletions(-)
>
> diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
> index 6c28efe5b14a..76418b5b00a6 100644
> --- a/fs/btrfs/ctree.c
> +++ b/fs/btrfs/ctree.c
> @@ -31,7 +31,7 @@ static void del_ptr(struct btrfs_root *root, struct btrfs_path *path,
>
> static const struct btrfs_csums {
> u16 size;
> - const char name[10];
> + const char name[12];
> const char driver[12];
> } btrfs_csums[] = {
> [BTRFS_CSUM_TYPE_CRC32] = { .size = 4, .name = "crc32c" },
> @@ -39,6 +39,7 @@ static const struct btrfs_csums {
> [BTRFS_CSUM_TYPE_SHA256] = { .size = 32, .name = "sha256" },
> [BTRFS_CSUM_TYPE_BLAKE2] = { .size = 32, .name = "blake2b",
> .driver = "blake2b-256" },
> + [BTRFS_CSUM_TYPE_HMAC_SHA256] = { .size = 32, .name = "hmac(sha256)" }
> };
>
> int btrfs_super_csum_size(const struct btrfs_super_block *s)
> diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
> index c79e0b0eac54..b692b3dc4593 100644
> --- a/fs/btrfs/ctree.h
> +++ b/fs/btrfs/ctree.h
> @@ -719,6 +719,7 @@ struct btrfs_fs_info {
> struct rb_root swapfile_pins;
>
> struct crypto_shash *csum_shash;
> + char *auth_key_name;
>
> /*
> * Number of send operations in progress.
> @@ -1027,6 +1028,7 @@ static inline u32 BTRFS_MAX_XATTR_SIZE(const struct btrfs_fs_info *info)
> #define BTRFS_MOUNT_NOLOGREPLAY (1 << 27)
> #define BTRFS_MOUNT_REF_VERIFY (1 << 28)
> #define BTRFS_MOUNT_DISCARD_ASYNC (1 << 29)
> +#define BTRFS_MOUNT_AUTH_KEY (1 << 30)
>
> #define BTRFS_DEFAULT_COMMIT_INTERVAL (30)
> #define BTRFS_DEFAULT_MAX_INLINE (2048)
> diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
> index d10c7be10f3b..fe403fb62178 100644
> --- a/fs/btrfs/disk-io.c
> +++ b/fs/btrfs/disk-io.c
> @@ -17,6 +17,7 @@
> #include <linux/error-injection.h>
> #include <linux/crc32c.h>
> #include <linux/sched/mm.h>
> +#include <keys/user-type.h>
> #include <asm/unaligned.h>
> #include <crypto/hash.h>
> #include "ctree.h"
> @@ -339,6 +340,7 @@ static bool btrfs_supported_super_csum(u16 csum_type)
> case BTRFS_CSUM_TYPE_XXHASH:
> case BTRFS_CSUM_TYPE_SHA256:
> case BTRFS_CSUM_TYPE_BLAKE2:
> + case BTRFS_CSUM_TYPE_HMAC_SHA256:
> return true;
> default:
> return false;
> @@ -2187,6 +2189,9 @@ static int btrfs_init_csum_hash(struct btrfs_fs_info *fs_info, u16 csum_type)
> {
> struct crypto_shash *csum_shash;
> const char *csum_driver = btrfs_super_csum_driver(csum_type);
> + struct key *key;
> + const struct user_key_payload *ukp;
> + int err = 0;
>
> csum_shash = crypto_alloc_shash(csum_driver, 0, 0);
>
> @@ -2198,7 +2203,53 @@ static int btrfs_init_csum_hash(struct btrfs_fs_info *fs_info, u16 csum_type)
>
> fs_info->csum_shash = csum_shash;
>
> - return 0;
> + /*
> + * if we're not doing authentication, we're done by now. Still we have
> + * to validate the possible combinations of BTRFS_MOUNT_AUTH_KEY and
> + * keyed hashes.
> + */
> + if (csum_type == BTRFS_CSUM_TYPE_HMAC_SHA256 &&
> + !btrfs_test_opt(fs_info, AUTH_KEY)) {
> + crypto_free_shash(fs_info->csum_shash);
> + return -EINVAL;
> + } else if (btrfs_test_opt(fs_info, AUTH_KEY)
> + && csum_type != BTRFS_CSUM_TYPE_HMAC_SHA256) {
> + crypto_free_shash(fs_info->csum_shash);
> + return -EINVAL;
> + } else if (!btrfs_test_opt(fs_info, AUTH_KEY)) {
> + /*
> + * This is the normal case, if noone want's authentication and
> + * doesn't have a keyed hash, we're done.
> + */
> + return 0;
> + }
> +
> + key = request_key(&key_type_logon, fs_info->auth_key_name, NULL);
> + if (IS_ERR(key))
> + return PTR_ERR(key);
> +
> + down_read(&key->sem);
> +
> + ukp = user_key_payload_locked(key);
> + if (!ukp) {
> + btrfs_err(fs_info, "");
> + err = -EKEYREVOKED;
> + goto out;
> + }
> +
> + err = crypto_shash_setkey(fs_info->csum_shash, ukp->data, ukp->datalen);
> + if (err)
> + btrfs_err(fs_info, "error setting key %s for verification",
> + fs_info->auth_key_name);
> +
> +out:
> + if (err)
> + crypto_free_shash(fs_info->csum_shash);
> +
> + up_read(&key->sem);
> + key_put(key);
> +
> + return err;
> }
>
> static int btrfs_replay_log(struct btrfs_fs_info *fs_info,
> diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
> index 7932d8d07cff..2645a9cee8d1 100644
> --- a/fs/btrfs/super.c
> +++ b/fs/btrfs/super.c
> @@ -333,6 +333,7 @@ enum {
> Opt_treelog, Opt_notreelog,
> Opt_usebackuproot,
> Opt_user_subvol_rm_allowed,
> + Opt_auth_key,
>
> /* Deprecated options */
> Opt_alloc_start,
> @@ -401,6 +402,7 @@ static const match_table_t tokens = {
> {Opt_notreelog, "notreelog"},
> {Opt_usebackuproot, "usebackuproot"},
> {Opt_user_subvol_rm_allowed, "user_subvol_rm_allowed"},
> + {Opt_auth_key, "auth_key=%s"},
>
> /* Deprecated options */
> {Opt_alloc_start, "alloc_start=%s"},
> @@ -910,7 +912,8 @@ int btrfs_parse_options(struct btrfs_fs_info *info, char *options,
> * All other options will be parsed on much later in the mount process and
> * only when we need to allocate a new super block.
> */
> -static int btrfs_parse_device_options(const char *options, fmode_t flags,
> +static int btrfs_parse_device_options(struct btrfs_fs_info *info,
> + const char *options, fmode_t flags,
> void *holder)
> {
> substring_t args[MAX_OPT_ARGS];
> @@ -939,7 +942,8 @@ static int btrfs_parse_device_options(const char *options, fmode_t flags,
> continue;
>
> token = match_token(p, tokens, args);
> - if (token == Opt_device) {
> + switch (token) {
> + case Opt_device:
> device_name = match_strdup(&args[0]);
> if (!device_name) {
> error = -ENOMEM;
> @@ -952,6 +956,18 @@ static int btrfs_parse_device_options(const char *options, fmode_t flags,
> error = PTR_ERR(device);
> goto out;
> }
> + break;
> + case Opt_auth_key:
> + info->auth_key_name = match_strdup(&args[0]);
> + if (!info->auth_key_name) {
> + error = -ENOMEM;
> + goto out;
> + }
> + btrfs_info(info, "doing authentication");
> + btrfs_set_opt(info->mount_opt, AUTH_KEY);
> + break;
> + default:
> + break;
> }
> }
>
> @@ -1394,6 +1410,8 @@ static int btrfs_show_options(struct seq_file *seq, struct dentry *dentry)
> #endif
> if (btrfs_test_opt(info, REF_VERIFY))
> seq_puts(seq, ",ref_verify");
> + if (btrfs_test_opt(info, AUTH_KEY))
> + seq_printf(seq, ",auth_key=%s", info->auth_key_name);
> seq_printf(seq, ",subvolid=%llu",
> BTRFS_I(d_inode(dentry))->root->root_key.objectid);
> seq_puts(seq, ",subvol=");
> @@ -1542,7 +1560,7 @@ static struct dentry *btrfs_mount_root(struct file_system_type *fs_type,
> }
>
> mutex_lock(&uuid_mutex);
> - error = btrfs_parse_device_options(data, mode, fs_type);
> + error = btrfs_parse_device_options(fs_info, data, mode, fs_type);
> if (error) {
> mutex_unlock(&uuid_mutex);
> goto error_fs_info;
> diff --git a/include/uapi/linux/btrfs_tree.h b/include/uapi/linux/btrfs_tree.h
> index a02318e4d2a9..bfaf127b37fd 100644
> --- a/include/uapi/linux/btrfs_tree.h
> +++ b/include/uapi/linux/btrfs_tree.h
> @@ -344,6 +344,7 @@ enum btrfs_csum_type {
> BTRFS_CSUM_TYPE_XXHASH = 1,
> BTRFS_CSUM_TYPE_SHA256 = 2,
> BTRFS_CSUM_TYPE_BLAKE2 = 3,
> + BTRFS_CSUM_TYPE_HMAC_SHA256 = 32,
> };
>
> /*
>
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
next prev parent reply other threads:[~2020-05-05 9:43 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-28 10:58 [PATCH v2 0/2] Add file-system authentication to BTRFS Johannes Thumshirn
2020-04-28 10:58 ` [PATCH v2 1/2] btrfs: add authentication support Johannes Thumshirn
2020-04-29 7:23 ` kbuild test robot
2020-04-29 11:46 ` Johannes Thumshirn
2020-05-01 5:39 ` Eric Biggers
2020-05-01 6:30 ` Eric Biggers
2020-05-04 8:38 ` Johannes Thumshirn
2020-05-05 22:33 ` David Sterba
2020-05-06 8:10 ` Johannes Thumshirn
2020-05-04 10:09 ` Johannes Thumshirn
2020-05-04 20:59 ` Eric Biggers
2020-05-05 8:11 ` Johannes Thumshirn
2020-05-05 9:26 ` Qu Wenruo
2020-05-05 9:59 ` Qu Wenruo
2020-05-05 22:32 ` David Sterba
2020-05-05 23:55 ` Qu Wenruo
2020-05-06 20:40 ` btree [was Re: [PATCH v2 1/2] btrfs: add authentication support] Goffredo Baroncelli
2020-05-05 22:19 ` [PATCH v2 1/2] btrfs: add authentication support David Sterba
2020-05-05 22:37 ` Eric Biggers
2020-05-06 8:30 ` Johannes Thumshirn
2020-05-05 22:14 ` David Sterba
2020-05-05 22:31 ` Eric Biggers
2020-05-05 22:46 ` David Sterba
2020-05-05 23:31 ` Eric Biggers
2020-05-06 0:29 ` David Sterba
2020-05-06 0:44 ` Eric Biggers
2020-05-04 21:37 ` Richard Weinberger
2020-05-05 7:46 ` Johannes Thumshirn
2020-05-05 11:56 ` Richard Weinberger
2020-05-04 21:59 ` Richard Weinberger
2020-05-05 7:55 ` Johannes Thumshirn
2020-05-05 12:36 ` Jeff Mahoney
2020-05-05 12:39 ` Qu Wenruo
2020-05-05 12:41 ` Jeff Mahoney
2020-05-05 12:48 ` Qu Wenruo
2020-05-05 23:02 ` David Sterba
2020-05-06 21:24 ` Goffredo Baroncelli
2020-05-05 23:00 ` David Sterba
2020-05-05 9:43 ` Qu Wenruo [this message]
2020-05-06 20:59 ` Goffredo Baroncelli
2020-04-28 10:58 ` [PATCH v2 2/2] btrfs: rename btrfs_parse_device_options back to btrfs_parse_early_options Johannes Thumshirn
2020-05-01 6:03 ` [PATCH v2 0/2] Add file-system authentication to BTRFS Eric Biggers
2020-05-04 8:39 ` Johannes Thumshirn
2020-05-05 23:16 ` David Sterba
2020-05-01 21:26 ` Jason A. Donenfeld
2020-05-05 23:38 ` David Sterba
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bcd4e839-36ac-9be5-e5e7-613124385177@gmx.com \
--to=quwenruo.btrfs@gmx.com \
--cc=dsterba@suse.cz \
--cc=ebiggers@google.com \
--cc=johannes.thumshirn@wdc.com \
--cc=jth@kernel.org \
--cc=jthumshirn@suse.de \
--cc=linux-btrfs@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=richard@nod.at \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).