From: Chandan Rajendra <chandan@linux.vnet.ibm.com>
To: Eric Biggers <ebiggers@kernel.org>
Cc: linux-fscrypt@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-ext4@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org,
"Theodore Y . Ts'o" <tytso@mit.edu>,
Jaegeuk Kim <jaegeuk@kernel.org>,
Victor Hsieh <victorhsieh@google.com>
Subject: Re: [PATCH v2 10/12] ext4: add basic fs-verity support
Date: Tue, 06 Nov 2018 12:22:39 +0530 [thread overview]
Message-ID: <3113392.yxf3e5PHVf@localhost.localdomain> (raw)
In-Reply-To: <20181106012503.GB28490@gmail.com>
On Tuesday, November 6, 2018 6:55:03 AM IST Eric Biggers wrote:
> Hi Chandan,
>
> On Fri, Nov 02, 2018 at 03:13:14PM +0530, Chandan Rajendra wrote:
> > On Friday, November 2, 2018 4:22:28 AM IST Eric Biggers wrote:
> > > From: Eric Biggers <ebiggers@google.com>
> > >
> > > Add basic fs-verity support to ext4. fs-verity is a filesystem feature
> > > that enables transparent integrity protection and authentication of
> > > read-only files. It uses a dm-verity like mechanism at the file level:
> > > a Merkle tree is used to verify any block in the file in log(filesize)
> > > time. It is implemented mainly by helper functions in fs/verity/.
> > > See Documentation/filesystems/fsverity.rst for details.
> > >
> > > This patch adds everything except the data verification hooks that will
> > > needed in ->readpages().
> > >
> > > On ext4, enabling fs-verity on a file requires that the filesystem has
> > > the 'verity' feature, e.g. that it was formatted with
> > > 'mkfs.ext4 -O verity' or had 'tune2fs -O verity' run on it.
> > > This requires e2fsprogs 1.44.4-2 or later.
> > >
> > > In ext4, we choose to retain the fs-verity metadata past the end of the
> > > file rather than trying to move it into an external inode xattr, since
> > > in practice keeping the metadata in-line actually results in the
> > > simplest and most efficient implementation. One non-obvious advantage
> > > of keeping the verity metadata in-line is that when fs-verity is
> > > combined with fscrypt, the verity metadata naturally gets encrypted too;
> > > this is actually necessary because it contains hashes of the plaintext.
> > >
> > > We also choose to keep the on-disk i_size equal to the original file
> > > size, in order to make the 'verity' feature a RO_COMPAT feature. Thus,
> > > ext4 has to find the fsverity_footer by looking in the last extent.
> > >
> > > Co-developed-by: Theodore Ts'o <tytso@mit.edu>
> > > Signed-off-by: Theodore Ts'o <tytso@mit.edu>
> > > Signed-off-by: Eric Biggers <ebiggers@google.com>
> > > ---
> > > fs/ext4/Kconfig | 20 +++++++++++
> > > fs/ext4/ext4.h | 20 ++++++++++-
> > > fs/ext4/file.c | 6 ++++
> > > fs/ext4/inode.c | 8 +++++
> > > fs/ext4/ioctl.c | 12 +++++++
> > > fs/ext4/super.c | 91 +++++++++++++++++++++++++++++++++++++++++++++++++
> > > fs/ext4/sysfs.c | 6 ++++
> > > 7 files changed, 162 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/fs/ext4/Kconfig b/fs/ext4/Kconfig
> > > index a453cc87082b5..5a76125ac0f8a 100644
> > > --- a/fs/ext4/Kconfig
> > > +++ b/fs/ext4/Kconfig
> > > @@ -111,6 +111,26 @@ config EXT4_FS_ENCRYPTION
> > > default y
> > > depends on EXT4_ENCRYPTION
> > >
> > > +config EXT4_FS_VERITY
> > > + bool "Ext4 Verity"
> > > + depends on EXT4_FS
> > > + select FS_VERITY
> > > + help
> > > + This option enables fs-verity for ext4. fs-verity is the
> > > + dm-verity mechanism implemented at the file level. Userspace
> > > + can append a Merkle tree (hash tree) to a file, then enable
> > > + fs-verity on the file. ext4 will then transparently verify
> > > + any data read from the file against the Merkle tree. The file
> > > + is also made read-only.
> > > +
> > > + This serves as an integrity check, but the availability of the
> > > + Merkle tree root hash also allows efficiently supporting
> > > + various use cases where normally the whole file would need to
> > > + be hashed at once, such as auditing and authenticity
> > > + verification (appraisal).
> > > +
> > > + If unsure, say N.
> > > +
> > > config EXT4_DEBUG
> > > bool "EXT4 debugging support"
> > > depends on EXT4_FS
> > > diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
> > > index 12f90d48ba613..e5475a629ed80 100644
> > > --- a/fs/ext4/ext4.h
> > > +++ b/fs/ext4/ext4.h
> > > @@ -43,6 +43,9 @@
> > > #define __FS_HAS_ENCRYPTION IS_ENABLED(CONFIG_EXT4_FS_ENCRYPTION)
> > > #include <linux/fscrypt.h>
> > >
> > > +#define __FS_HAS_VERITY IS_ENABLED(CONFIG_EXT4_FS_VERITY)
> > > +#include <linux/fsverity.h>
> > > +
> > > #include <linux/compiler.h>
> > >
> > > /* Until this gets included into linux/compiler-gcc.h */
> > > @@ -405,6 +408,7 @@ struct flex_groups {
> > > #define EXT4_TOPDIR_FL 0x00020000 /* Top of directory hierarchies*/
> > > #define EXT4_HUGE_FILE_FL 0x00040000 /* Set to each huge file */
> > > #define EXT4_EXTENTS_FL 0x00080000 /* Inode uses extents */
> > > +#define EXT4_VERITY_FL 0x00100000 /* Verity protected inode */
> > > #define EXT4_EA_INODE_FL 0x00200000 /* Inode used for large EA */
> > > #define EXT4_EOFBLOCKS_FL 0x00400000 /* Blocks allocated beyond EOF */
> > > #define EXT4_INLINE_DATA_FL 0x10000000 /* Inode has inline data. */
> > > @@ -472,6 +476,7 @@ enum {
> > > EXT4_INODE_TOPDIR = 17, /* Top of directory hierarchies*/
> > > EXT4_INODE_HUGE_FILE = 18, /* Set to each huge file */
> > > EXT4_INODE_EXTENTS = 19, /* Inode uses extents */
> > > + EXT4_INODE_VERITY = 20, /* Verity protected inode */
> > > EXT4_INODE_EA_INODE = 21, /* Inode used for large EA */
> > > EXT4_INODE_EOFBLOCKS = 22, /* Blocks allocated beyond EOF */
> > > EXT4_INODE_INLINE_DATA = 28, /* Data in inode. */
> > > @@ -517,6 +522,7 @@ static inline void ext4_check_flag_values(void)
> > > CHECK_FLAG_VALUE(TOPDIR);
> > > CHECK_FLAG_VALUE(HUGE_FILE);
> > > CHECK_FLAG_VALUE(EXTENTS);
> > > + CHECK_FLAG_VALUE(VERITY);
> > > CHECK_FLAG_VALUE(EA_INODE);
> > > CHECK_FLAG_VALUE(EOFBLOCKS);
> > > CHECK_FLAG_VALUE(INLINE_DATA);
> > > @@ -1654,6 +1660,7 @@ static inline void ext4_clear_state_flags(struct ext4_inode_info *ei)
> > > #define EXT4_FEATURE_RO_COMPAT_METADATA_CSUM 0x0400
> > > #define EXT4_FEATURE_RO_COMPAT_READONLY 0x1000
> > > #define EXT4_FEATURE_RO_COMPAT_PROJECT 0x2000
> > > +#define EXT4_FEATURE_RO_COMPAT_VERITY 0x8000
> > >
> > > #define EXT4_FEATURE_INCOMPAT_COMPRESSION 0x0001
> > > #define EXT4_FEATURE_INCOMPAT_FILETYPE 0x0002
> > > @@ -1742,6 +1749,7 @@ EXT4_FEATURE_RO_COMPAT_FUNCS(bigalloc, BIGALLOC)
> > > EXT4_FEATURE_RO_COMPAT_FUNCS(metadata_csum, METADATA_CSUM)
> > > EXT4_FEATURE_RO_COMPAT_FUNCS(readonly, READONLY)
> > > EXT4_FEATURE_RO_COMPAT_FUNCS(project, PROJECT)
> > > +EXT4_FEATURE_RO_COMPAT_FUNCS(verity, VERITY)
> > >
> > > EXT4_FEATURE_INCOMPAT_FUNCS(compression, COMPRESSION)
> > > EXT4_FEATURE_INCOMPAT_FUNCS(filetype, FILETYPE)
> > > @@ -1797,7 +1805,8 @@ EXT4_FEATURE_INCOMPAT_FUNCS(encrypt, ENCRYPT)
> > > EXT4_FEATURE_RO_COMPAT_BIGALLOC |\
> > > EXT4_FEATURE_RO_COMPAT_METADATA_CSUM|\
> > > EXT4_FEATURE_RO_COMPAT_QUOTA |\
> > > - EXT4_FEATURE_RO_COMPAT_PROJECT)
> > > + EXT4_FEATURE_RO_COMPAT_PROJECT |\
> > > + EXT4_FEATURE_RO_COMPAT_VERITY)
> > >
> > > #define EXTN_FEATURE_FUNCS(ver) \
> > > static inline bool ext4_has_unknown_ext##ver##_compat_features(struct super_block *sb) \
> > > @@ -2293,6 +2302,15 @@ static inline bool ext4_encrypted_inode(struct inode *inode)
> > > return ext4_test_inode_flag(inode, EXT4_INODE_ENCRYPT);
> > > }
> > >
> > > +static inline bool ext4_verity_inode(struct inode *inode)
> > > +{
> > > +#ifdef CONFIG_EXT4_FS_VERITY
> > > + return ext4_test_inode_flag(inode, EXT4_INODE_VERITY);
> > > +#else
> > > + return false;
> > > +#endif
> > > +}
> > > +
> >
> > Hi Eric,
> >
> > Can you please explain as to why we check for the presence of
> > EXT4_INODE_VERITY flag only when fsverity is enabled during kernel build?
> >
>
> Good question, this might not be the best approach actually; I think this was
> originally copied from the f2fs version. It does reduce the overhead introduced
> by the fs-verity changes in the !CONFIG_EXT4_FS_VERITY case. But it will allow
> opening verity files, even for writing which will corrupt them.
>
> Probably we should make ext4_verity_inode() work regardless of
> CONFIG_EXT4_FS_VERITY, so open(), truncate(), etc. will fail with EOPNOTSUPP on
> verity files when !CONFIG_EXT4_FS_VERITY, like how ext4 encryption works.
>
Yes, I agree with what you say. I have followed the above explained logic when
implementing S_VERITY and IS_VERITY() for Ext4 and will extend that to F2FS as
well.
--
chandan
next prev parent reply other threads:[~2018-11-06 6:50 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-01 22:52 [PATCH v2 00/12] fs-verity: read-only file-based authenticity protection Eric Biggers
2018-11-01 22:52 ` [PATCH v2 01/12] fs-verity: add a documentation file Eric Biggers
2018-12-12 9:14 ` Christoph Hellwig
2018-12-12 20:26 ` Eric Biggers
2018-12-13 20:22 ` Christoph Hellwig
2018-12-14 4:48 ` Eric Biggers
2018-12-17 16:49 ` Christoph Hellwig
2018-12-17 18:32 ` Eric Biggers
2018-12-19 7:09 ` Christoph Hellwig
2018-12-17 20:00 ` Darrick J. Wong
2018-12-19 0:16 ` Theodore Y. Ts'o
2018-12-19 2:19 ` Dave Chinner
2018-12-19 19:30 ` Theodore Y. Ts'o
2018-12-19 21:35 ` Dave Chinner
2018-12-20 22:01 ` Theodore Y. Ts'o
2018-12-21 7:04 ` Christoph Hellwig
2018-12-21 10:06 ` Richard Weinberger
2018-12-21 15:47 ` Theodore Y. Ts'o
2018-12-21 15:53 ` Matthew Wilcox
2018-12-21 16:28 ` Theodore Y. Ts'o
2018-12-21 16:34 ` Matthew Wilcox
2018-12-21 19:13 ` Linus Torvalds
2018-12-22 4:17 ` Theodore Y. Ts'o
2018-12-22 22:47 ` Linus Torvalds
2018-12-23 4:34 ` Theodore Y. Ts'o
2018-12-23 4:10 ` Matthew Wilcox
2018-12-23 4:45 ` Theodore Y. Ts'o
2019-01-04 20:41 ` Daniel Colascione
2018-12-19 7:14 ` Christoph Hellwig
2018-12-19 7:11 ` Christoph Hellwig
[not found] ` <CAHk-=wiB8vGbje+NgNkMZupHsZ_cqg6YEBV+ZXSF4wnywFLRHQ@mail.gmail.com>
2018-12-19 7:19 ` Christoph Hellwig
2018-12-14 5:17 ` Theodore Y. Ts'o
2018-12-14 5:39 ` Eric Biggers
2018-12-17 16:52 ` Christoph Hellwig
2018-12-17 19:15 ` Eric Biggers
2018-12-21 16:11 ` Matthew Wilcox
2018-11-01 22:52 ` [PATCH v2 02/12] fs-verity: add setup code, UAPI, and Kconfig Eric Biggers
2018-11-01 22:52 ` [PATCH v2 03/12] fs-verity: add MAINTAINERS file entry Eric Biggers
2018-11-01 22:52 ` [PATCH v2 04/12] fs-verity: add data verification hooks for ->readpages() Eric Biggers
2018-11-01 22:52 ` [PATCH v2 05/12] fs-verity: implement FS_IOC_ENABLE_VERITY ioctl Eric Biggers
2018-11-01 22:52 ` [PATCH v2 06/12] fs-verity: implement FS_IOC_MEASURE_VERITY ioctl Eric Biggers
2018-11-01 22:52 ` [PATCH v2 07/12] fs-verity: add SHA-512 support Eric Biggers
2018-11-01 22:52 ` [PATCH v2 08/12] fs-verity: add CRC-32C support Eric Biggers
2018-11-01 22:52 ` [PATCH v2 09/12] fs-verity: support builtin file signatures Eric Biggers
2018-11-01 22:52 ` [PATCH v2 10/12] ext4: add basic fs-verity support Eric Biggers
2018-11-02 9:43 ` Chandan Rajendra
2018-11-06 1:25 ` Eric Biggers
2018-11-06 6:52 ` Chandan Rajendra [this message]
2018-11-05 21:05 ` Andreas Dilger
2018-11-06 1:11 ` Eric Biggers
2018-11-01 22:52 ` [PATCH v2 11/12] ext4: add fs-verity read support Eric Biggers
2018-11-01 22:52 ` [PATCH v2 12/12] f2fs: fs-verity support Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3113392.yxf3e5PHVf@localhost.localdomain \
--to=chandan@linux.vnet.ibm.com \
--cc=ebiggers@kernel.org \
--cc=jaegeuk@kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=tytso@mit.edu \
--cc=victorhsieh@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).