From: Goffredo Baroncelli <kreijack@libero.it>
To: Qu Wenruo <quwenruo.btrfs@gmx.com>,
Johannes Thumshirn <jth@kernel.org>,
David Sterba <dsterba@suse.cz>
Cc: linux-fsdevel@vger.kernel.org, linux-btrfs@vger.kernel.org,
Eric Biggers <ebiggers@google.com>,
Richard Weinberger <richard@nod.at>,
Johannes Thumshirn <johannes.thumshirn@wdc.com>,
Johannes Thumshirn <jthumshirn@suse.de>
Subject: Re: [PATCH v2 1/2] btrfs: add authentication support
Date: Wed, 6 May 2020 22:59:13 +0200 [thread overview]
Message-ID: <ee971571-cbc2-31b5-e092-c8c7d229e5e3@libero.it> (raw)
In-Reply-To: <bcd4e839-36ac-9be5-e5e7-613124385177@gmx.com>
On 5/5/20 11:43 AM, Qu Wenruo wrote:
>
>
> On 2020/4/28 下午6:58, Johannes Thumshirn wrote:
>> From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
>>
>> Add authentication support for a BTRFS file-system.
>>
>> This works, because in BTRFS every meta-data block as well as every
>> data-block has a own checksum. For meta-data the checksum is in the
>> meta-data node itself. For data blocks, the checksums are stored in the
>> checksum tree.
>>
>> When replacing the checksum algorithm with a keyed hash, like HMAC(SHA256),
>> a key is needed to mount a verified file-system. This key also needs to be
>> used at file-system creation time.
>>
>> We have to used a keyed hash scheme, in contrast to doing a normal
>> cryptographic hash, to guarantee integrity of the file system, as a
>> potential attacker could just replay file-system operations and the
>> changes would go unnoticed.
>>
>> Having a keyed hash only on the topmost Node of a tree or even just in the
>> super-block and using cryptographic hashes on the normal meta-data nodes
>> and checksum tree entries doesn't work either, as the BTRFS B-Tree's Nodes
>> do not include the checksums of their respective child nodes, but only the
>> block pointers and offsets where to find them on disk.
>>
>> Also note, we do not need a incompat R/O flag for this, because if an old
>> kernel tries to mount an authenticated file-system it will fail the
>> initial checksum type verification and thus refuses to mount.
>>
>> The key has to be supplied by the kernel's keyring and the method of
>> getting the key securely into the kernel is not subject of this patch.
>>
>> Example usage:
>> Create a file-system with authentication key 0123456
>> mkfs.btrfs --csum hmac-sha256 --auth-key 0123456 /dev/disk
>>
>> Add the key to the kernel's keyring as keyid 'btrfs:foo'
>> keyctl add logon btrfs:foo 0123456 @u
>>
>> Mount the fs using the 'btrfs:foo' key
>> mount -t btrfs -o auth_key=btrfs:foo /dev/disk /mnt/point
>>
>> Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
>
> Looks pretty straight forward, and has the basic protection against
> re-writing all csum attack.
>
> So looks good to me.
>
> But still I have one question around the device scan part.
>
> Since now superblock can only be read after verified the csum, it means
> without auth_key mount option, device scan won't even work properly.
It is really needed to perform the checksum at "scan" time ? It should be possible to defer the cksum at the mount time.
The device scan is used only to track the disks for building a filesystem. We could check only the "magic", the UUID and the FSID.
The check of the cheksum may be performed at mount time.
>
> Do you assume that all such hmac protected multi-device btrfs must be
> mounted using device= mount option along with auth_key?
> If so, a lot of users won't be that happy afaik.
>
> Thanks,
> Qu
>
>> ---
>> fs/btrfs/ctree.c | 3 ++-
>> fs/btrfs/ctree.h | 2 ++
>> fs/btrfs/disk-io.c | 53 ++++++++++++++++++++++++++++++++++++++++-
>> fs/btrfs/super.c | 24 ++++++++++++++++---
>> include/uapi/linux/btrfs_tree.h | 1 +
>> 5 files changed, 78 insertions(+), 5 deletions(-)
>>
>> diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
>> index 6c28efe5b14a..76418b5b00a6 100644
>> --- a/fs/btrfs/ctree.c
>> +++ b/fs/btrfs/ctree.c
>> @@ -31,7 +31,7 @@ static void del_ptr(struct btrfs_root *root, struct btrfs_path *path,
>>
>> static const struct btrfs_csums {
>> u16 size;
>> - const char name[10];
>> + const char name[12];
>> const char driver[12];
>> } btrfs_csums[] = {
>> [BTRFS_CSUM_TYPE_CRC32] = { .size = 4, .name = "crc32c" },
>> @@ -39,6 +39,7 @@ static const struct btrfs_csums {
>> [BTRFS_CSUM_TYPE_SHA256] = { .size = 32, .name = "sha256" },
>> [BTRFS_CSUM_TYPE_BLAKE2] = { .size = 32, .name = "blake2b",
>> .driver = "blake2b-256" },
>> + [BTRFS_CSUM_TYPE_HMAC_SHA256] = { .size = 32, .name = "hmac(sha256)" }
>> };
>>
>> int btrfs_super_csum_size(const struct btrfs_super_block *s)
>> diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
>> index c79e0b0eac54..b692b3dc4593 100644
>> --- a/fs/btrfs/ctree.h
>> +++ b/fs/btrfs/ctree.h
>> @@ -719,6 +719,7 @@ struct btrfs_fs_info {
>> struct rb_root swapfile_pins;
>>
>> struct crypto_shash *csum_shash;
>> + char *auth_key_name;
>>
>> /*
>> * Number of send operations in progress.
>> @@ -1027,6 +1028,7 @@ static inline u32 BTRFS_MAX_XATTR_SIZE(const struct btrfs_fs_info *info)
>> #define BTRFS_MOUNT_NOLOGREPLAY (1 << 27)
>> #define BTRFS_MOUNT_REF_VERIFY (1 << 28)
>> #define BTRFS_MOUNT_DISCARD_ASYNC (1 << 29)
>> +#define BTRFS_MOUNT_AUTH_KEY (1 << 30)
>>
>> #define BTRFS_DEFAULT_COMMIT_INTERVAL (30)
>> #define BTRFS_DEFAULT_MAX_INLINE (2048)
>> diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
>> index d10c7be10f3b..fe403fb62178 100644
>> --- a/fs/btrfs/disk-io.c
>> +++ b/fs/btrfs/disk-io.c
>> @@ -17,6 +17,7 @@
>> #include <linux/error-injection.h>
>> #include <linux/crc32c.h>
>> #include <linux/sched/mm.h>
>> +#include <keys/user-type.h>
>> #include <asm/unaligned.h>
>> #include <crypto/hash.h>
>> #include "ctree.h"
>> @@ -339,6 +340,7 @@ static bool btrfs_supported_super_csum(u16 csum_type)
>> case BTRFS_CSUM_TYPE_XXHASH:
>> case BTRFS_CSUM_TYPE_SHA256:
>> case BTRFS_CSUM_TYPE_BLAKE2:
>> + case BTRFS_CSUM_TYPE_HMAC_SHA256:
>> return true;
>> default:
>> return false;
>> @@ -2187,6 +2189,9 @@ static int btrfs_init_csum_hash(struct btrfs_fs_info *fs_info, u16 csum_type)
>> {
>> struct crypto_shash *csum_shash;
>> const char *csum_driver = btrfs_super_csum_driver(csum_type);
>> + struct key *key;
>> + const struct user_key_payload *ukp;
>> + int err = 0;
>>
>> csum_shash = crypto_alloc_shash(csum_driver, 0, 0);
>>
>> @@ -2198,7 +2203,53 @@ static int btrfs_init_csum_hash(struct btrfs_fs_info *fs_info, u16 csum_type)
>>
>> fs_info->csum_shash = csum_shash;
>>
>> - return 0;
>> + /*
>> + * if we're not doing authentication, we're done by now. Still we have
>> + * to validate the possible combinations of BTRFS_MOUNT_AUTH_KEY and
>> + * keyed hashes.
>> + */
>> + if (csum_type == BTRFS_CSUM_TYPE_HMAC_SHA256 &&
>> + !btrfs_test_opt(fs_info, AUTH_KEY)) {
>> + crypto_free_shash(fs_info->csum_shash);
>> + return -EINVAL;
>> + } else if (btrfs_test_opt(fs_info, AUTH_KEY)
>> + && csum_type != BTRFS_CSUM_TYPE_HMAC_SHA256) {
>> + crypto_free_shash(fs_info->csum_shash);
>> + return -EINVAL;
>> + } else if (!btrfs_test_opt(fs_info, AUTH_KEY)) {
>> + /*
>> + * This is the normal case, if noone want's authentication and
>> + * doesn't have a keyed hash, we're done.
>> + */
>> + return 0;
>> + }
>> +
>> + key = request_key(&key_type_logon, fs_info->auth_key_name, NULL);
>> + if (IS_ERR(key))
>> + return PTR_ERR(key);
>> +
>> + down_read(&key->sem);
>> +
>> + ukp = user_key_payload_locked(key);
>> + if (!ukp) {
>> + btrfs_err(fs_info, "");
>> + err = -EKEYREVOKED;
>> + goto out;
>> + }
>> +
>> + err = crypto_shash_setkey(fs_info->csum_shash, ukp->data, ukp->datalen);
>> + if (err)
>> + btrfs_err(fs_info, "error setting key %s for verification",
>> + fs_info->auth_key_name);
>> +
>> +out:
>> + if (err)
>> + crypto_free_shash(fs_info->csum_shash);
>> +
>> + up_read(&key->sem);
>> + key_put(key);
>> +
>> + return err;
>> }
>>
>> static int btrfs_replay_log(struct btrfs_fs_info *fs_info,
>> diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
>> index 7932d8d07cff..2645a9cee8d1 100644
>> --- a/fs/btrfs/super.c
>> +++ b/fs/btrfs/super.c
>> @@ -333,6 +333,7 @@ enum {
>> Opt_treelog, Opt_notreelog,
>> Opt_usebackuproot,
>> Opt_user_subvol_rm_allowed,
>> + Opt_auth_key,
>>
>> /* Deprecated options */
>> Opt_alloc_start,
>> @@ -401,6 +402,7 @@ static const match_table_t tokens = {
>> {Opt_notreelog, "notreelog"},
>> {Opt_usebackuproot, "usebackuproot"},
>> {Opt_user_subvol_rm_allowed, "user_subvol_rm_allowed"},
>> + {Opt_auth_key, "auth_key=%s"},
>>
>> /* Deprecated options */
>> {Opt_alloc_start, "alloc_start=%s"},
>> @@ -910,7 +912,8 @@ int btrfs_parse_options(struct btrfs_fs_info *info, char *options,
>> * All other options will be parsed on much later in the mount process and
>> * only when we need to allocate a new super block.
>> */
>> -static int btrfs_parse_device_options(const char *options, fmode_t flags,
>> +static int btrfs_parse_device_options(struct btrfs_fs_info *info,
>> + const char *options, fmode_t flags,
>> void *holder)
>> {
>> substring_t args[MAX_OPT_ARGS];
>> @@ -939,7 +942,8 @@ static int btrfs_parse_device_options(const char *options, fmode_t flags,
>> continue;
>>
>> token = match_token(p, tokens, args);
>> - if (token == Opt_device) {
>> + switch (token) {
>> + case Opt_device:
>> device_name = match_strdup(&args[0]);
>> if (!device_name) {
>> error = -ENOMEM;
>> @@ -952,6 +956,18 @@ static int btrfs_parse_device_options(const char *options, fmode_t flags,
>> error = PTR_ERR(device);
>> goto out;
>> }
>> + break;
>> + case Opt_auth_key:
>> + info->auth_key_name = match_strdup(&args[0]);
>> + if (!info->auth_key_name) {
>> + error = -ENOMEM;
>> + goto out;
>> + }
>> + btrfs_info(info, "doing authentication");
>> + btrfs_set_opt(info->mount_opt, AUTH_KEY);
>> + break;
>> + default:
>> + break;
>> }
>> }
>>
>> @@ -1394,6 +1410,8 @@ static int btrfs_show_options(struct seq_file *seq, struct dentry *dentry)
>> #endif
>> if (btrfs_test_opt(info, REF_VERIFY))
>> seq_puts(seq, ",ref_verify");
>> + if (btrfs_test_opt(info, AUTH_KEY))
>> + seq_printf(seq, ",auth_key=%s", info->auth_key_name);
>> seq_printf(seq, ",subvolid=%llu",
>> BTRFS_I(d_inode(dentry))->root->root_key.objectid);
>> seq_puts(seq, ",subvol=");
>> @@ -1542,7 +1560,7 @@ static struct dentry *btrfs_mount_root(struct file_system_type *fs_type,
>> }
>>
>> mutex_lock(&uuid_mutex);
>> - error = btrfs_parse_device_options(data, mode, fs_type);
>> + error = btrfs_parse_device_options(fs_info, data, mode, fs_type);
>> if (error) {
>> mutex_unlock(&uuid_mutex);
>> goto error_fs_info;
>> diff --git a/include/uapi/linux/btrfs_tree.h b/include/uapi/linux/btrfs_tree.h
>> index a02318e4d2a9..bfaf127b37fd 100644
>> --- a/include/uapi/linux/btrfs_tree.h
>> +++ b/include/uapi/linux/btrfs_tree.h
>> @@ -344,6 +344,7 @@ enum btrfs_csum_type {
>> BTRFS_CSUM_TYPE_XXHASH = 1,
>> BTRFS_CSUM_TYPE_SHA256 = 2,
>> BTRFS_CSUM_TYPE_BLAKE2 = 3,
>> + BTRFS_CSUM_TYPE_HMAC_SHA256 = 32,
>> };
>>
>> /*
>>
>
--
gpg @keyserver.linux.it: Goffredo Baroncelli <kreijackATinwind.it>
Key fingerprint BBF5 1610 0B64 DAC6 5F7D 17B2 0EDA 9B37 8B82 E0B5
next prev parent reply other threads:[~2020-05-06 20:59 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-28 10:58 [PATCH v2 0/2] Add file-system authentication to BTRFS Johannes Thumshirn
2020-04-28 10:58 ` [PATCH v2 1/2] btrfs: add authentication support Johannes Thumshirn
2020-04-29 7:23 ` kbuild test robot
2020-04-29 11:46 ` Johannes Thumshirn
2020-05-01 5:39 ` Eric Biggers
2020-05-01 6:30 ` Eric Biggers
2020-05-04 8:38 ` Johannes Thumshirn
2020-05-05 22:33 ` David Sterba
2020-05-06 8:10 ` Johannes Thumshirn
2020-05-04 10:09 ` Johannes Thumshirn
2020-05-04 20:59 ` Eric Biggers
2020-05-05 8:11 ` Johannes Thumshirn
2020-05-05 9:26 ` Qu Wenruo
2020-05-05 9:59 ` Qu Wenruo
2020-05-05 22:32 ` David Sterba
2020-05-05 23:55 ` Qu Wenruo
2020-05-06 20:40 ` btree [was Re: [PATCH v2 1/2] btrfs: add authentication support] Goffredo Baroncelli
2020-05-05 22:19 ` [PATCH v2 1/2] btrfs: add authentication support David Sterba
2020-05-05 22:37 ` Eric Biggers
2020-05-06 8:30 ` Johannes Thumshirn
2020-05-05 22:14 ` David Sterba
2020-05-05 22:31 ` Eric Biggers
2020-05-05 22:46 ` David Sterba
2020-05-05 23:31 ` Eric Biggers
2020-05-06 0:29 ` David Sterba
2020-05-06 0:44 ` Eric Biggers
2020-05-04 21:37 ` Richard Weinberger
2020-05-05 7:46 ` Johannes Thumshirn
2020-05-05 11:56 ` Richard Weinberger
2020-05-04 21:59 ` Richard Weinberger
2020-05-05 7:55 ` Johannes Thumshirn
2020-05-05 12:36 ` Jeff Mahoney
2020-05-05 12:39 ` Qu Wenruo
2020-05-05 12:41 ` Jeff Mahoney
2020-05-05 12:48 ` Qu Wenruo
2020-05-05 23:02 ` David Sterba
2020-05-06 21:24 ` Goffredo Baroncelli
2020-05-05 23:00 ` David Sterba
2020-05-05 9:43 ` Qu Wenruo
2020-05-06 20:59 ` Goffredo Baroncelli [this message]
2020-04-28 10:58 ` [PATCH v2 2/2] btrfs: rename btrfs_parse_device_options back to btrfs_parse_early_options Johannes Thumshirn
2020-05-01 6:03 ` [PATCH v2 0/2] Add file-system authentication to BTRFS Eric Biggers
2020-05-04 8:39 ` Johannes Thumshirn
2020-05-05 23:16 ` David Sterba
2020-05-01 21:26 ` Jason A. Donenfeld
2020-05-05 23:38 ` David Sterba
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ee971571-cbc2-31b5-e092-c8c7d229e5e3@libero.it \
--to=kreijack@libero.it \
--cc=dsterba@suse.cz \
--cc=ebiggers@google.com \
--cc=johannes.thumshirn@wdc.com \
--cc=jth@kernel.org \
--cc=jthumshirn@suse.de \
--cc=kreijack@inwind.it \
--cc=linux-btrfs@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=quwenruo.btrfs@gmx.com \
--cc=richard@nod.at \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).