Re: [PATCH] ext4: mark extents index blocks as dirty to avoid information leakage

From: brookxu <brookxu.cn@gmail.com>
To: "Theodore Y. Ts'o" <tytso@mit.edu>
Cc: adilger.kernel@dilger.ca, linux-ext4@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] ext4: mark extents index blocks as dirty to avoid information leakage
Date: Mon, 16 Mar 2020 16:01:18 +0800	[thread overview]
Message-ID: <d9209144-4b20-61c7-aff3-942150806b9a@gmail.com> (raw)
In-Reply-To: <20200312144642.GF7159@mit.edu>

Thanks for your reply, but threre's some points implement inconsistently

1. + s attribute will cause a big performance problem. With only data
   blocks but no index blocks, it is difficult to recover the complete
   data. Therefore, we can also improve data security with the lowest
   cost.
2. In the SSD scenario, discard on some devices cannot guarantee that
   data is erased. but if we update the dirty pages of memory to disk.
   ssd will remap the corresponding lba, then the user will not be able
   to access the old data, it's security.
3. In the small file scenario, the file extent is stored on the inode.
   Because the inode block will not be forgotten by jbd2, the extent on
   the disk is always cleared after the small file is deleted. If security
   is only pretended, why not take effect on the small file.
4. If to facilitate data recovery, why do need to clear extents in
   memory? This operation does not seem to make sense.

I think that the page of the index block is not updated to disk after
the file is deleted, which may be a logical defect.

Theodore Y. Ts'o wrote on 2020/3/12 22:46:
> On Tue, Mar 03, 2020 at 04:51:06PM +0800, brookxu wrote:
>> From: Chunguang Xu <brookxu@tencent.com>
>>
>> In the scene of deleting a file, the physical block information in the
>> extent will be cleared to 0, the buffer_head contains these extents is
>> marked as dirty, and then managed by jbd2, which will clear the
>> buffer_head's dirty flag by clear_buffer_dirty. However, when the entire
>> extent block is deleted, it is revoked from the jbd2, but  the extents
>> block is not redirtied.
>>
>> Not quite reasonable here, for the following concerns:
>>
>> 1. This has the risk of information leakage and leads to an interesting
>> phenomenon that deleting the entire file is no more secure than truncate
>> to 1 byte, because the whole extents physical block clear to zero in cache
>> will never written back as the page is not redirtied.
>>
>> 2. For large files, the number of index block is usually very small.
>> Ignoring index pages not get much more benefit in IO performance. But if
>> we remark the page as dirty, the page is then written back by the system
>> writeback mechanism asynchronously with little performance impact. As a
>> result, the risk of information leakage can be avoided. At least not wrose
>> than truncate file length to 1 byte
>>
>> Therefore, when the index block is released, we need to remark its page
>> as dirty, so that the index block on the disk will be updated and the
>> data is more security.
>>
>> Signed-off-by: Chunguang Xu <brookxu@tencent.com>
> Trying to zero the extent block is only going to provide pretend
> security; the data blocks are still there, and anyone looking for the
> data can still find it if they look hard enough.  Also, for most
> files, it really doesn't matter.
>
> So, no, I don't think this patch is appropriate.a
>
> If you are really worried about the security for deleted files, I
> would suggest trying to implement the secure delete flag (chattr +s)
> for ext4, and actually trying to zero out the data blocks for those
> files where this kind of security is required.  (Please note that for
> SSD's, this probably won't provide as much security as you would like
> unless they implement the secure discard operation.)
>
> 							- Ted