* [RFD] Common userspace tool for fscypto @ 2016-10-19 11:35 Richard Weinberger 2016-10-19 17:36 ` Michael Halcrow 2016-10-24 12:49 ` Karel Zak 0 siblings, 2 replies; 12+ messages in thread From: Richard Weinberger @ 2016-10-19 11:35 UTC (permalink / raw) To: linux-fsdevel Cc: kzak, Theodore Ts'o, Jaegeuk Kim, Eric Biggers, David Gstir, linux-ext4, linux-f2fs-devel, linux-kernel Hi! Since file level encryption has more than one user, currently ext4, f2fs and soon ubifs it would be nice to have a single tool to control fscrypto from userspace. For ext4 we have already at least two tools, one as part of e2fsprogs and another one on github[0]. IMHO the latter one is much more user friendly and intuitive to use. I as unable to find the userspace tool for f2fs. That said, what about implementing such a tool as part of util-linux to control fscrypto? We (David and I) would volunteer. Thanks, //richard [0] https://github.com/gdelugre/ext4-crypt ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [RFD] Common userspace tool for fscypto 2016-10-19 11:35 [RFD] Common userspace tool for fscypto Richard Weinberger @ 2016-10-19 17:36 ` Michael Halcrow 2016-10-24 11:59 ` Richard Weinberger 2016-11-29 20:48 ` Richard Weinberger 2016-10-24 12:49 ` Karel Zak 1 sibling, 2 replies; 12+ messages in thread From: Michael Halcrow @ 2016-10-19 17:36 UTC (permalink / raw) To: Richard Weinberger Cc: linux-fsdevel, kzak, Theodore Ts'o, Jaegeuk Kim, Eric Biggers, David Gstir, Ext4 Developers List, linux-f2fs-devel, linux-kernel On Wed, Oct 19, 2016 at 4:35 AM, Richard Weinberger <richard@nod.at> wrote: > Hi! > > Since file level encryption has more than one user, currently ext4, f2fs and soon ubifs > it would be nice to have a single tool to control fscrypto from userspace. > > For ext4 we have already at least two tools, one as part of e2fsprogs and another > one on github[0]. IMHO the latter one is much more user friendly and intuitive to use. > I as unable to find the userspace tool for f2fs. > > That said, what about implementing such a tool as part of util-linux to control > fscrypto? We (David and I) would volunteer. While discussing several changes we have staged for release (we're trying to minimize churn by batching a large set of format changes all at once), we've recently recognized this need on my team and were planning on starting work on exactly what you propose. > Thanks, > //richard > > [0] https://github.com/gdelugre/ext4-crypt ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [RFD] Common userspace tool for fscypto 2016-10-19 17:36 ` Michael Halcrow @ 2016-10-24 11:59 ` Richard Weinberger 2016-11-29 20:48 ` Richard Weinberger 1 sibling, 0 replies; 12+ messages in thread From: Richard Weinberger @ 2016-10-24 11:59 UTC (permalink / raw) To: Michael Halcrow Cc: linux-fsdevel, kzak, Theodore Ts'o, Jaegeuk Kim, Eric Biggers, David Gstir, Ext4 Developers List, linux-f2fs-devel, linux-kernel Michael, On 19.10.2016 19:36, Michael Halcrow wrote: > On Wed, Oct 19, 2016 at 4:35 AM, Richard Weinberger <richard@nod.at> wrote: >> Hi! >> >> Since file level encryption has more than one user, currently ext4, f2fs and soon ubifs >> it would be nice to have a single tool to control fscrypto from userspace. >> >> For ext4 we have already at least two tools, one as part of e2fsprogs and another >> one on github[0]. IMHO the latter one is much more user friendly and intuitive to use. >> I as unable to find the userspace tool for f2fs. >> >> That said, what about implementing such a tool as part of util-linux to control >> fscrypto? We (David and I) would volunteer. > > While discussing several changes we have staged for release (we're > trying to minimize churn by batching a large set of format changes all > at once), we've recently recognized this need on my team and were > planning on starting work on exactly what you propose. Can you please some details? Will it be GPL? Part of util-linux? What features does it have? I hope more than just being a wrapper to the ioctls(). Thanks, //richard ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [RFD] Common userspace tool for fscypto 2016-10-19 17:36 ` Michael Halcrow 2016-10-24 11:59 ` Richard Weinberger @ 2016-11-29 20:48 ` Richard Weinberger 2016-11-29 21:42 ` Joe Richey 1 sibling, 1 reply; 12+ messages in thread From: Richard Weinberger @ 2016-11-29 20:48 UTC (permalink / raw) To: Michael Halcrow Cc: linux-fsdevel, kzak, Theodore Ts'o, Jaegeuk Kim, Eric Biggers, David Gstir, Ext4 Developers List, linux-f2fs-devel, linux-kernel Michael, On 19.10.2016 19:36, Michael Halcrow wrote: >> That said, what about implementing such a tool as part of util-linux to control >> fscrypto? We (David and I) would volunteer. > > While discussing several changes we have staged for release (we're > trying to minimize churn by batching a large set of format changes all > at once), we've recently recognized this need on my team and were > planning on starting work on exactly what you propose. Did this plan already materialize? :-) Thanks, //richard ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [RFD] Common userspace tool for fscypto 2016-11-29 20:48 ` Richard Weinberger @ 2016-11-29 21:42 ` Joe Richey 2016-11-29 21:59 ` Richard Weinberger 0 siblings, 1 reply; 12+ messages in thread From: Joe Richey @ 2016-11-29 21:42 UTC (permalink / raw) To: Richard Weinberger Cc: Michael Halcrow, linux-fsdevel, kzak, Theodore Ts'o, Jaegeuk Kim, Eric Biggers, David Gstir, Ext4 Developers List, linux-f2fs-devel, linux-kernel [-- Attachment #1: Type: text/plain, Size: 1306 bytes --] Hi Richard, I'm Joe Richey, and I work on Mike's team. We've been playing around with a few design ideas regarding a tool for managing filesystem encryption. After going though some iterations with Ted, we have a fairly good idea about where to head design wise, and I'm working on a design document for it. It's a bit preliminary at this point, but I can share it if you want. Our goal is to have a finished doc by end of Q4 and then get your and Jaegeuk's feedback. Thanks, Joe On Tue, Nov 29, 2016 at 12:48 PM, Richard Weinberger <richard@nod.at> wrote: > > Michael, > > On 19.10.2016 19:36, Michael Halcrow wrote: > >> That said, what about implementing such a tool as part of util-linux to control > >> fscrypto? We (David and I) would volunteer. > > > > While discussing several changes we have staged for release (we're > > trying to minimize churn by batching a large set of format changes all > > at once), we've recently recognized this need on my team and were > > planning on starting work on exactly what you propose. > > Did this plan already materialize? :-) > > Thanks, > //richard > > -- > To unsubscribe from this list: send the line "unsubscribe linux-ext4" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html [-- Attachment #2: S/MIME Cryptographic Signature --] [-- Type: application/pkcs7-signature, Size: 4849 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [RFD] Common userspace tool for fscypto 2016-11-29 21:42 ` Joe Richey @ 2016-11-29 21:59 ` Richard Weinberger 2016-11-30 0:04 ` Eric Biggers 2016-11-30 21:00 ` Theodore Ts'o 0 siblings, 2 replies; 12+ messages in thread From: Richard Weinberger @ 2016-11-29 21:59 UTC (permalink / raw) To: Joe Richey Cc: Michael Halcrow, linux-fsdevel, kzak, Theodore Ts'o, Jaegeuk Kim, Eric Biggers, David Gstir, Ext4 Developers List, linux-f2fs-devel, linux-kernel Joe, On 29.11.2016 22:42, Joe Richey wrote: > Hi Richard, > > I'm Joe Richey, and I work on Mike's team. We've been playing around > with a few design > ideas regarding a tool for managing filesystem encryption. After going > though some iterations > with Ted, we have a fairly good idea about where to head design wise, > and I'm working on a > design document for it. It's a bit preliminary at this point, but I > can share it if you want. > > Our goal is to have a finished doc by end of Q4 and then get your and > Jaegeuk's feedback. Thanks for your quick response! I hoped you had already some code, but having a decent design document is also nice. I'm eager to read it. Do you also plan to address d/page cache related issues? i.e. when two users are logged into the system user rw is able to see decrypted file names and contents in /home/dags/ if user dags installs a key and accessed a file. Or files in /home/dags/ are still readable even after user dags purged the key. The tool could play games with CLONE_NEWNS to hide directories. To provide a correct "logout" we could expose shrink_dcache_parent() to usespace such that the emerging tool can purge the key and flush the dcache on the encrypted directory. But I fear exposing shrink_dcache_parent() is not a good idea. :-) Just some random ideas... Thanks, //richard ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [RFD] Common userspace tool for fscypto 2016-11-29 21:59 ` Richard Weinberger @ 2016-11-30 0:04 ` Eric Biggers 2016-11-30 8:27 ` Richard Weinberger 2016-11-30 21:00 ` Theodore Ts'o 1 sibling, 1 reply; 12+ messages in thread From: Eric Biggers @ 2016-11-30 0:04 UTC (permalink / raw) To: Richard Weinberger Cc: Joe Richey, Michael Halcrow, linux-fsdevel, kzak, Theodore Ts'o, Jaegeuk Kim, David Gstir, Ext4 Developers List, linux-f2fs-devel, linux-kernel On Tue, Nov 29, 2016 at 10:59:28PM +0100, Richard Weinberger wrote: > > Do you also plan to address d/page cache related issues? > i.e. when two users are logged into the system user rw > is able to see decrypted file names and contents in /home/dags/ > if user dags installs a key and accessed a file. > As far as I know, there are no plans to make it possible for one user to see plaintext while another user sees ciphertext. Fundamentally, the dentry, inode, and page caches are shared systemwide. This cannot be changed by using namespaces; it can only be changed by doing something like an ecryptfs-style stacked mount where the plaintext and ciphertext are actually exposed by different filesystems. And it was a fundamental design goal of ext4 encryption to not do a stacked mount. So the expectation is that to restrict access by other users once a key has been provisioned, file permissions should be used. > Or files in /home/dags/ are still readable even after > user dags purged the key. If you revoke the key (with 'keyctl revoke') rather than unlink the key (with 'keyctl unlink') then it actually does appear to work currently. The difference is that revoking the key is a modification of the key, whereas unlinking the key is only removing a link to the key without affecting any links which the kernel may have internally or which userspace may have in other keyrings. Revocation (but not unlinking) is detected by fscrypt_get_encryption_info() when someone tries to open an encrypted file or directory. There's also a d_revalidate dentry operation which cause a dentry to be invalidated if it's a plaintext name but the directory key is no longer valid, or if it's a ciphertext name but the directory key is now valid. There is however still work needed to make key revocation interact sanely with ongoing filesystem operations. Eric ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [RFD] Common userspace tool for fscypto 2016-11-30 0:04 ` Eric Biggers @ 2016-11-30 8:27 ` Richard Weinberger 2016-12-03 0:40 ` Eric Biggers 0 siblings, 1 reply; 12+ messages in thread From: Richard Weinberger @ 2016-11-30 8:27 UTC (permalink / raw) To: Eric Biggers Cc: Joe Richey, Michael Halcrow, linux-fsdevel, kzak, Theodore Ts'o, Jaegeuk Kim, David Gstir, Ext4 Developers List, linux-f2fs-devel, linux-kernel Eric, On 30.11.2016 01:04, Eric Biggers wrote: > On Tue, Nov 29, 2016 at 10:59:28PM +0100, Richard Weinberger wrote: >> >> Do you also plan to address d/page cache related issues? >> i.e. when two users are logged into the system user rw >> is able to see decrypted file names and contents in /home/dags/ >> if user dags installs a key and accessed a file. >> > > As far as I know, there are no plans to make it possible for one user to see > plaintext while another user sees ciphertext. Fundamentally, the dentry, inode, > and page caches are shared systemwide. This cannot be changed by using > namespaces; it can only be changed by doing something like an ecryptfs-style > stacked mount where the plaintext and ciphertext are actually exposed by > different filesystems. And it was a fundamental design goal of ext4 encryption > to not do a stacked mount. Well, we could over-mount /home/rw with an empty directory for every user except rw. > So the expectation is that to restrict access by other users once a key has been > provisioned, file permissions should be used. > >> Or files in /home/dags/ are still readable even after >> user dags purged the key. > > If you revoke the key (with 'keyctl revoke') rather than unlink the key (with > 'keyctl unlink') then it actually does appear to work currently. The difference > is that revoking the key is a modification of the key, whereas unlinking the key > is only removing a link to the key without affecting any links which the kernel > may have internally or which userspace may have in other keyrings. Revocation > (but not unlinking) is detected by fscrypt_get_encryption_info() when someone > tries to open an encrypted file or directory. There's also a d_revalidate > dentry operation which cause a dentry to be invalidated if it's a plaintext name > but the directory key is no longer valid, or if it's a ciphertext name but the > directory key is now valid. Ahh, in my quick and dirty tests I've always used purge. Let me try revoke. :) BTW: This limitations needs to be clearly documented somewhere. Usually an user thinks that only she can access encrypted files... Thanks, //richard ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [RFD] Common userspace tool for fscypto 2016-11-30 8:27 ` Richard Weinberger @ 2016-12-03 0:40 ` Eric Biggers 0 siblings, 0 replies; 12+ messages in thread From: Eric Biggers @ 2016-12-03 0:40 UTC (permalink / raw) To: Richard Weinberger Cc: Joe Richey, Michael Halcrow, linux-fsdevel, kzak, Theodore Ts'o, Jaegeuk Kim, David Gstir, Ext4 Developers List, linux-f2fs-devel, linux-kernel On Wed, Nov 30, 2016 at 09:27:28AM +0100, Richard Weinberger wrote: > > BTW: This limitations needs to be clearly documented somewhere. > Usually an user thinks that only she can access encrypted files... > > Thanks, > //richard For what it's worth, I've been making a few updates to the public design document for ext4 encryption based on what's actually upstream now: https://docs.google.com/document/d/1ft26lUQyuSpiu6VleP70_npaWdRfXFoNnB8JYnykNTg It still needs work, though. It doesn't really answer the questions about access control and key revocation, for example, and of course now the upstream code isn't actually ext4 specific anymore. At some point it might be nice to write some in-tree documentation for fscrypto, e.g. a file Documentation/filesystems/fscrypto.txt. Eric ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [RFD] Common userspace tool for fscypto 2016-11-29 21:59 ` Richard Weinberger 2016-11-30 0:04 ` Eric Biggers @ 2016-11-30 21:00 ` Theodore Ts'o 1 sibling, 0 replies; 12+ messages in thread From: Theodore Ts'o @ 2016-11-30 21:00 UTC (permalink / raw) To: Richard Weinberger Cc: Joe Richey, Michael Halcrow, linux-fsdevel, kzak, Jaegeuk Kim, Eric Biggers, David Gstir, Ext4 Developers List, linux-f2fs-devel, linux-kernel On Tue, Nov 29, 2016 at 10:59:28PM +0100, Richard Weinberger wrote: > Thanks for your quick response! > I hoped you had already some code, but having a decent design document > is also nice. I'm eager to read it. To be clear, the design document which Joe is working on is only addressing a new way of transforming a password or passphrase into a key. Previouly, we used PBKDF2 using a per-file system salt. (Well, that's what e4crypt used. Android used a completely random key that was protected by the user's pin or passphrase --- possibly stored in ARM TrustZone on some handsets.) The goal is to come up with something that works well with single-signon (i.e., can be integrated into PAM), as well as removable storage devices and directories that are protected by some passphrase other than the user's login for those people who are especially security conscious. It should also handle the password change case. It probably won't cover key recovery initially (that's probably more of a V2 or V3 thing), but the design should accomodate that. > Do you also plan to address d/page cache related issues? > i.e. when two users are logged into the system user rw > is able to see decrypted file names and contents in /home/dags/ > if user dags installs a key and accessed a file. > > Or files in /home/dags/ are still readable even after > user dags purged the key. > > The tool could play games with CLONE_NEWNS to hide directories. > To provide a correct "logout" we could expose shrink_dcache_parent() > to usespace such that the emerging tool can purge the key and flush > the dcache on the encrypted directory. But I fear exposing shrink_dcache_parent() > is not a good idea. :-) Right now, the best thing I can suggest is "echo 3 > /proc/sys/vm/drop_caches" in executed PAM module on when the user terminates their login session. If you're really paranoid, make sure all processes running under the user's pid are terminated with extreme prejudice first. We don't have a good solution for a high security directory (e.g., $HOME/bitcoin) where you want to drop its keys and cached data in the middle of a user login session today. The drop_caches solution doesn't work well on a time sharing system since it drops *all* caches. Also, if you have anything keeping pages or file descriptors, etc., pinned, the drop_cache solution won't address that either. I suspect any realistic solution will require changes that will need to be run by the Al Viro and the MM folks, and may require adding something like BSD's revoke(2) functionality. To be honest, this isn't a particularly high priority item at the moment for me or Michael's team at the moment, so if someone wants to work on it, feel free. As they say, high quality patches are always accepted. :-) Cheers, - Ted ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [RFD] Common userspace tool for fscypto 2016-10-19 11:35 [RFD] Common userspace tool for fscypto Richard Weinberger 2016-10-19 17:36 ` Michael Halcrow @ 2016-10-24 12:49 ` Karel Zak 2016-10-24 13:28 ` Theodore Ts'o 1 sibling, 1 reply; 12+ messages in thread From: Karel Zak @ 2016-10-24 12:49 UTC (permalink / raw) To: Richard Weinberger Cc: linux-fsdevel, Theodore Ts'o, Jaegeuk Kim, Eric Biggers, David Gstir, linux-ext4, linux-f2fs-devel, linux-kernel On Wed, Oct 19, 2016 at 01:35:54PM +0200, Richard Weinberger wrote: > Hi! > > Since file level encryption has more than one user, currently ext4, f2fs and soon ubifs > it would be nice to have a single tool to control fscrypto from userspace. > > For ext4 we have already at least two tools, one as part of e2fsprogs and another > one on github[0]. IMHO the latter one is much more user friendly and intuitive to use. > I as unable to find the userspace tool for f2fs. > > That said, what about implementing such a tool as part of util-linux to control > fscrypto? We (David and I) would volunteer. I have nothing against this plan (add to util-linux) if ext4, f2fs and ubifs guys agree too. Karel -- Karel Zak <kzak@redhat.com> http://karelzak.blogspot.com ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [RFD] Common userspace tool for fscypto 2016-10-24 12:49 ` Karel Zak @ 2016-10-24 13:28 ` Theodore Ts'o 0 siblings, 0 replies; 12+ messages in thread From: Theodore Ts'o @ 2016-10-24 13:28 UTC (permalink / raw) To: Karel Zak Cc: Richard Weinberger, linux-fsdevel, Jaegeuk Kim, Eric Biggers, David Gstir, linux-ext4, linux-f2fs-devel, linux-kernel On Mon, Oct 24, 2016 at 02:49:37PM +0200, Karel Zak wrote: > > That said, what about implementing such a tool as part of util-linux to control > > fscrypto? We (David and I) would volunteer. > > I have nothing against this plan (add to util-linux) if ext4, f2fs and > ubifs guys agree too. Our current plan is to implement it in e2fsprogs since we can more quickly iterate over code reviews and code improvements. At some future point I'm happy to transfer it over to util-linux much like we've done with blkid and uuid libraries and associated utilities. We'll probably also keep a version in e2fsprogs for the long term just because upstream e2fsprogs is now integrated into the Android's AOSP build infrastructure, and it's probably simpler keep the tool there than to try to add Android.mk files and add the necessary helper scripts to deal with the fact (a) in the AOSP build system, you have to be able to cross-compile packages using Linux, MacOS, and Windows as the host OS and (b) Android using the Bionic C library instead of glibc. In answer to Richard's other questions, of course it would be released under the GPL, and our goals for creating a new fscrypto are (a) make it be more user-friendly, (b) support the new file-system level encryption features and new algorithms which Michael's team will be implementing, including a stronger string-to-key (password hashing) algorithm, new encryption modes, data integrity, etc), and (c) not have to be tied to backwards compatibility concerns with the e4crypt command. (Since we are just starting a new e2fsprogs 1.44 development cycle, we'll have plenty of time to experiment with the UI and make incompatible changes before 1.44 gets released and at that point I would want to lock down the any option names, etc., for long-term backwards compatibility.) I suspect we'll keep e4crypt around for a while, just because it's a handy debugging tool, and in general it's faster to add quick wrapper around ioctls for testing purposes than it is to be very thoughtful about creating a UI which is both friendly and able to support new features in a backwards compatible way. I also suspect we'll want to put most of the bits that could be usefully called from other C programs (e.g., Android's userspace stack, and libpam modules) and put it in a new libfscrypto library. Cheers, - Ted P.S. If anyone is ever interested in trying to make util-linux build using AOSP (which would be cool since every once in a while I wish I had some of the util-linux tools purely for debugging purposes, but it's a bunch of work and I've never had the time, plus I wasn't at all convinced Karel would be willing to accept such changes upstream for util-linux), see e2fsprogs's Android.mk files plus the script in util/gen-android-files. ^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2016-12-03 0:40 UTC | newest] Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2016-10-19 11:35 [RFD] Common userspace tool for fscypto Richard Weinberger 2016-10-19 17:36 ` Michael Halcrow 2016-10-24 11:59 ` Richard Weinberger 2016-11-29 20:48 ` Richard Weinberger 2016-11-29 21:42 ` Joe Richey 2016-11-29 21:59 ` Richard Weinberger 2016-11-30 0:04 ` Eric Biggers 2016-11-30 8:27 ` Richard Weinberger 2016-12-03 0:40 ` Eric Biggers 2016-11-30 21:00 ` Theodore Ts'o 2016-10-24 12:49 ` Karel Zak 2016-10-24 13:28 ` Theodore Ts'o
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).