From: Michael Halcrow <mhalcrow@google.com>
To: Michael Halcrow <mhalcrow@google.com>,
"Theodore Y . Ts'o" <tytso@mit.edu>,
Eric Biggers <ebiggers@google.com>,
Jaegeuk Kim <jaegeuk@kernel.org>,
linux-fscrypt@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-block@vger.kernel.org, dm-devel@redhat.com,
linux-ext4@vger.kernel.org,
Tyler Hicks <tyler.hicks@canonical.com>
Subject: [RFC PATCH 0/4] Allow file systems to selectively bypass dm-crypt
Date: Wed, 14 Jun 2017 16:40:36 -0700 [thread overview]
Message-ID: <20170614234040.4326-1-mhalcrow@google.com> (raw)
Several file systems either have already implemented encryption or are
in the process of doing so. This addresses usability and storage
isolation requirements on mobile devices and in multi-tenant
environments.
While distinct keys locked down to user accounts protect the names and
contents of individual files, a volume-level encryption key should
protect the file system metadata. When using dm-crypt to do this, the
blocks that the file system encrypts undergo another round of
encryption. In many contexts this isn't necessary, and it results in
decreased performance and increased power consumption. This
discourages users and vendors from taking steps to protect file system
metadata in addition to file contents.
This patchset provides a new I/O request flag that suggests to lower
layers that encryption may not be necessary because the file system
has already done it. The first patch targets the block subsystem and
adds the REQ_NOENCRYPT flag. The second patch targets dm-crypt and
adds logic to observe the flag only when the user has opted-in by
passing allow_encrypt_override as one of the optional parameters to
the dm-crypt target. The third patch targets ext4 and sets the
REQ_NOENCRYPT flag for blocks it encrypts and decrypts. The fourth
patch does the same for f2fs.
In this patchset I'm proposing that we make dm-crypt's observation of
the file system "don't encrypt" request optional, but I'm not sure
that's a good tradeoff. Under the assumption that encryption in
upstream file systems is sound, the most common way I expect things
can go awry is if the file system keys don't meet security
requirements while dm-crypt keys do. However I'm not convinced that
will end up being a widespread problem in practice, and there's a real
data corruption concern with making dm-crypt's observation of the flag
optional.
The problem is that once dm-crypt observes the flag, it must always
continue to do so or dm-crypt might decrypt content that it didn't
encrypt. This can lead to scenarios where a vendor sets the dm-crypt
option to observe the "don't encrypt" flag, and then down the road a
user follows one of the many online guides to manually recover a
dm-crypt partition without setting this new option.
Should there be an encryption disable flag? I'm interested in
considering other solutions.
Michael Halcrow (4):
block: Add bio req flag to disable encryption in block
dm-crypt: Skip encryption of file system-encrypted blocks
ext4: Set the bio REQ_NOENCRYPT flag
f2fs: Set the bio REQ_NOENCRYPT flag
drivers/md/dm-crypt.c | 17 +++++++++++++----
fs/crypto/bio.c | 2 +-
fs/ext4/ext4.h | 3 +++
fs/ext4/inode.c | 13 ++++++++-----
fs/ext4/page-io.c | 5 +++++
fs/ext4/readpage.c | 3 ++-
fs/f2fs/data.c | 10 ++++++++--
include/linux/blk_types.h | 2 ++
8 files changed, 42 insertions(+), 13 deletions(-)
--
2.13.1.508.gb3defc5cc-goog
next reply other threads:[~2017-06-14 23:40 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-14 23:40 Michael Halcrow [this message]
2017-06-14 23:40 ` [RFC PATCH 1/4] block: Add bio req flag to disable encryption in block Michael Halcrow
2017-06-14 23:40 ` [RFC PATCH 2/4] dm-crypt: Skip encryption of file system-encrypted blocks Michael Halcrow
2017-06-14 23:40 ` [RFC PATCH 3/4] ext4: Set the bio REQ_NOENCRYPT flag Michael Halcrow
2017-06-14 23:40 ` [RFC PATCH 4/4] f2fs: " Michael Halcrow
2017-06-15 7:33 ` [dm-crypt] [RFC PATCH 0/4] Allow file systems to selectively bypass dm-crypt Milan Broz
2017-06-15 7:33 ` Milan Broz
2017-06-15 17:24 ` [dm-crypt] " Michael Halcrow
2017-06-15 17:24 ` Michael Halcrow
2017-06-15 18:17 ` [dm-crypt] " Milan Broz
2017-06-15 18:17 ` Milan Broz
2017-06-16 18:42 ` [dm-crypt] " Michael Halcrow
2017-06-16 18:42 ` Michael Halcrow
2017-06-20 14:44 ` [dm-crypt] " Mike Snitzer
2017-06-20 14:44 ` Mike Snitzer
2017-06-16 12:55 ` [dm-crypt] " Michael Kjörling
2017-06-16 14:31 ` Arno Wagner
2017-06-16 14:47 ` Michael Kjörling
2017-06-16 18:35 ` Arno Wagner
2017-06-16 10:34 ` Daniel P. Berrange
2017-06-16 14:02 ` Arno Wagner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170614234040.4326-1-mhalcrow@google.com \
--to=mhalcrow@google.com \
--cc=dm-devel@redhat.com \
--cc=ebiggers@google.com \
--cc=jaegeuk@kernel.org \
--cc=linux-block@vger.kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=tyler.hicks@canonical.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.