From: Mike Snitzer <snitzer@redhat.com>
To: Michael Halcrow <mhalcrow@google.com>
Cc: Milan Broz <gmazyland@gmail.com>,
"Theodore Y . Ts'o" <tytso@mit.edu>,
Eric Biggers <ebiggers@google.com>, dm-crypt <dm-crypt@saout.de>,
dm-devel@redhat.com, linux-block@vger.kernel.org,
Tyler Hicks <tyler.hicks@canonical.com>,
linux-fscrypt@vger.kernel.org,
"Daniel P. Berrange" <berrange@redhat.com>,
linux-fsdevel@vger.kernel.org, Jaegeuk Kim <jaegeuk@kernel.org>,
linux-ext4@vger.kernel.org
Subject: Re: [dm-crypt] [RFC PATCH 0/4] Allow file systems to selectively bypass dm-crypt
Date: Tue, 20 Jun 2017 10:44:23 -0400 [thread overview]
Message-ID: <20170620144423.GA22495@redhat.com> (raw)
In-Reply-To: <20170616184240.GA13904@google.com>
On Fri, Jun 16 2017 at 2:42pm -0400,
Michael Halcrow <mhalcrow@google.com> wrote:
> On Thu, Jun 15, 2017 at 08:17:02PM +0200, Milan Broz wrote:
> > On 06/15/2017 07:24 PM, Michael Halcrow wrote:
> > ...
> > >> If this is accepted, we basically allow attacker to trick system to
> > >> write plaintext to media just by setting this flag. This must never
> > >> ever happen with FDE - BY DESIGN.
> > >
> > > That's an important point. This expands the attack surface to include
> > > the file system, so if an adversary can provide a bad encryption key
> > > or policy at the file system layer or if there's a bug in the file
> > > system that an adversary can exploit, then users setting the
> > > allow_encrypt_override option on dmcrypt would be vulnerable.
> > >
> > >> For me, ABSOLUTE NACK to this approach.
> > >
> > > I can understand where you're coming from. Given our challenges on
> > > mobile, do you have any suggestions for an alternative approach?
> >
> > Well, what I really do not like here that you are solving problem
> > of missing properly designed cryptographic filesystem by hacking
> > some layers together that were not designed to it.
>
> Agreed. I enthusiastically withdraw this proposal.
>
> I think I'm instead going to look into proposing something new in the
> block layer to address performance concerns with file system
> encryption and inline cryptographic engine support.
As should have been done from the start. The emergence of ICE support
for mobile/embedded platforms should result in a properly designed
solution to enable dm-crypt to leverage them (easier said than done!).
And if only certain files need to be encrypted then dm-crypt may or may
not be configured in the stack.
> > It would better to go with some model that actually increases security.
> >
> > For example, if your patch marks IO operation that comes from fs as
> > REQ_NOENCRYPT, could fs send some metadata information in bio of
> > owner (user, translated to key id) instead and encrypt the sector
> > with a different key?
>
> I really like this idea. However because users can access the dmcrypt
> device without the file system, I wouldn't want to try to do it
> without dmcrypt maintaining additional metadata about which keys
> protect which blocks. Even then, the user directly accessing the
> dmcrypt device would be surprised when dmcrypt returns EIO because it
> doesn't have a key for the blocks at offsets 42 and 128.
>
> At this point I do think something new at the block layer for file
> system managed encryption and inline cryptographic engine support will
> be necessary.
Yes.
WARNING: multiple messages have this Message-ID (diff)
From: Mike Snitzer <snitzer@redhat.com>
To: Michael Halcrow <mhalcrow@google.com>
Cc: Milan Broz <gmazyland@gmail.com>,
"Theodore Y . Ts'o" <tytso@mit.edu>,
Eric Biggers <ebiggers@google.com>, dm-crypt <dm-crypt@saout.de>,
dm-devel@redhat.com, linux-block@vger.kernel.org,
Tyler Hicks <tyler.hicks@canonical.com>,
linux-fscrypt@vger.kernel.org,
"Daniel P. Berrange" <berrange@redhat.com>,
linux-fsdevel@vger.kernel.org, Jaegeuk Kim <jaegeuk@kernel.org>,
linux-ext4@vger.kernel.org
Subject: Re: [RFC PATCH 0/4] Allow file systems to selectively bypass dm-crypt
Date: Tue, 20 Jun 2017 10:44:23 -0400 [thread overview]
Message-ID: <20170620144423.GA22495@redhat.com> (raw)
In-Reply-To: <20170616184240.GA13904@google.com>
On Fri, Jun 16 2017 at 2:42pm -0400,
Michael Halcrow <mhalcrow@google.com> wrote:
> On Thu, Jun 15, 2017 at 08:17:02PM +0200, Milan Broz wrote:
> > On 06/15/2017 07:24 PM, Michael Halcrow wrote:
> > ...
> > >> If this is accepted, we basically allow attacker to trick system to
> > >> write plaintext to media just by setting this flag. This must never
> > >> ever happen with FDE - BY DESIGN.
> > >
> > > That's an important point. This expands the attack surface to include
> > > the file system, so if an adversary can provide a bad encryption key
> > > or policy at the file system layer or if there's a bug in the file
> > > system that an adversary can exploit, then users setting the
> > > allow_encrypt_override option on dmcrypt would be vulnerable.
> > >
> > >> For me, ABSOLUTE NACK to this approach.
> > >
> > > I can understand where you're coming from. Given our challenges on
> > > mobile, do you have any suggestions for an alternative approach?
> >
> > Well, what I really do not like here that you are solving problem
> > of missing properly designed cryptographic filesystem by hacking
> > some layers together that were not designed to it.
>
> Agreed. I enthusiastically withdraw this proposal.
>
> I think I'm instead going to look into proposing something new in the
> block layer to address performance concerns with file system
> encryption and inline cryptographic engine support.
As should have been done from the start. The emergence of ICE support
for mobile/embedded platforms should result in a properly designed
solution to enable dm-crypt to leverage them (easier said than done!).
And if only certain files need to be encrypted then dm-crypt may or may
not be configured in the stack.
> > It would better to go with some model that actually increases security.
> >
> > For example, if your patch marks IO operation that comes from fs as
> > REQ_NOENCRYPT, could fs send some metadata information in bio of
> > owner (user, translated to key id) instead and encrypt the sector
> > with a different key?
>
> I really like this idea. However because users can access the dmcrypt
> device without the file system, I wouldn't want to try to do it
> without dmcrypt maintaining additional metadata about which keys
> protect which blocks. Even then, the user directly accessing the
> dmcrypt device would be surprised when dmcrypt returns EIO because it
> doesn't have a key for the blocks at offsets 42 and 128.
>
> At this point I do think something new at the block layer for file
> system managed encryption and inline cryptographic engine support will
> be necessary.
Yes.
next prev parent reply other threads:[~2017-06-20 14:51 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-14 23:40 [RFC PATCH 0/4] Allow file systems to selectively bypass dm-crypt Michael Halcrow
2017-06-14 23:40 ` [RFC PATCH 1/4] block: Add bio req flag to disable encryption in block Michael Halcrow
2017-06-14 23:40 ` [RFC PATCH 2/4] dm-crypt: Skip encryption of file system-encrypted blocks Michael Halcrow
2017-06-14 23:40 ` [RFC PATCH 3/4] ext4: Set the bio REQ_NOENCRYPT flag Michael Halcrow
2017-06-14 23:40 ` [RFC PATCH 4/4] f2fs: " Michael Halcrow
2017-06-15 7:33 ` [dm-crypt] [RFC PATCH 0/4] Allow file systems to selectively bypass dm-crypt Milan Broz
2017-06-15 7:33 ` Milan Broz
2017-06-15 17:24 ` [dm-crypt] " Michael Halcrow
2017-06-15 17:24 ` Michael Halcrow
2017-06-15 18:17 ` [dm-crypt] " Milan Broz
2017-06-15 18:17 ` Milan Broz
2017-06-16 18:42 ` [dm-crypt] " Michael Halcrow
2017-06-16 18:42 ` Michael Halcrow
2017-06-20 14:44 ` Mike Snitzer [this message]
2017-06-20 14:44 ` Mike Snitzer
2017-06-16 12:55 ` [dm-crypt] " Michael Kjörling
2017-06-16 14:31 ` Arno Wagner
2017-06-16 14:47 ` Michael Kjörling
2017-06-16 18:35 ` Arno Wagner
2017-06-16 10:34 ` Daniel P. Berrange
2017-06-16 14:02 ` Arno Wagner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170620144423.GA22495@redhat.com \
--to=snitzer@redhat.com \
--cc=berrange@redhat.com \
--cc=dm-crypt@saout.de \
--cc=dm-devel@redhat.com \
--cc=ebiggers@google.com \
--cc=gmazyland@gmail.com \
--cc=jaegeuk@kernel.org \
--cc=linux-block@vger.kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=mhalcrow@google.com \
--cc=tyler.hicks@canonical.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.