From: Eric Biggers <ebiggers3@gmail.com>
To: Michael Halcrow <mhalcrow@google.com>
Cc: linux-fscrypt@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-ext4@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-mtd@lists.infradead.org, linux-crypto@vger.kernel.org,
"Theodore Y . Ts'o" <tytso@mit.edu>,
Jaegeuk Kim <jaegeuk@kernel.org>, Alex Cope <alexcope@google.com>,
Eric Biggers <ebiggers@google.com>
Subject: Re: [PATCH 1/6] fscrypt: add v2 encryption context and policy
Date: Thu, 13 Jul 2017 15:58:38 -0700 [thread overview]
Message-ID: <20170713225838.GA73286@gmail.com> (raw)
In-Reply-To: <20170713222944.GA23111@google.com>
Hi Michael,
On Thu, Jul 13, 2017 at 03:29:44PM -0700, Michael Halcrow wrote:
> On Wed, Jul 12, 2017 at 02:00:30PM -0700, Eric Biggers wrote:
> > From: Eric Biggers <ebiggers@google.com>
> >
> > Currently, the fscrypt_context (i.e. the encryption xattr) does not
> > contain a cryptographically secure identifier for the master key's
> > payload. Therefore it's not possible to verify that the correct key was
> > supplied, which is problematic in multi-user scenarios. To make this
> > possible, define a new fscrypt_context version (v2) which includes a
> > key_hash field, and allow userspace to opt-in to it when setting an
> > encryption policy by setting fscrypt_policy.version to 2. For now just
> > zero the new field; a later patch will start setting it for real.
>
> The main concern that comes to mind is potentially blowing past the
> inline xattr size limit and allocating a new inode block. The
> security benefit probably outweighs that concern in this case.
>
The way it adds up now for ext4 is:
128 bytes for base inode
+ 32 bytes for i_extra fields
+ 4 bytes for in-inode xattrs header
+ 20 bytes for encryption xattr header + name
+ 28 bytes for encryption xattr value
----------------------------------
= 212 bytes total.
By adding the 16-byte 'key_hash' field it grows to 228 bytes total. So it still
fits in a 256-byte inode, though it's getting closer to the limit. We could
save 8 bytes by instead using the design where master_key_descriptor is extended
to 16 bytes and redefined as a cryptographically secure hash. But as noted,
that has some significant disadvantages.
Also note that we don't really have to worry about leaving space for a SELinux
xattr anymore because with 256-byte inodes + encryption the SELinux xattr is
already being written to an external block, given that it requires about 52-62
bytes (at least when using Android's SELinux policy; different SELinux policies
may use different values), and 212 + 52 > 256. So if someone wants both xattrs
in-inode they need to use 512-byte inodes already.
Eric
next prev parent reply other threads:[~2017-07-13 22:58 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-12 21:00 [PATCH 0/6] fscrypt: key verification and KDF improvement Eric Biggers
2017-07-12 21:00 ` [PATCH 1/6] fscrypt: add v2 encryption context and policy Eric Biggers
2017-07-13 22:29 ` Michael Halcrow
2017-07-13 22:58 ` Eric Biggers [this message]
2017-07-14 20:08 ` Andreas Dilger
2017-07-12 21:00 ` [PATCH 2/6] fscrypt: rename ->ci_master_key to ->ci_master_key_descriptor Eric Biggers
2017-07-14 15:36 ` Michael Halcrow
2017-07-12 21:00 ` [PATCH 3/6] fscrypt: use HKDF-SHA512 to derive the per-inode encryption keys Eric Biggers
2017-07-12 21:00 ` Eric Biggers
2017-07-13 14:54 ` Stephan Müller
2017-07-13 16:07 ` Herbert Xu
2017-07-13 16:07 ` Herbert Xu
2017-07-13 16:18 ` Stephan Müller
2017-07-13 18:10 ` Eric Biggers
2017-07-13 18:10 ` Eric Biggers
2017-07-13 18:10 ` Eric Biggers
2017-07-14 15:50 ` Stephan Müller
2017-07-14 15:50 ` Stephan Müller
2017-07-14 15:50 ` Stephan Müller
2017-07-14 16:24 ` Michael Halcrow
2017-07-14 17:11 ` Michael Halcrow
2017-07-19 17:32 ` Eric Biggers
2017-07-12 21:00 ` [PATCH 4/6] fscrypt: verify that the correct master key was supplied Eric Biggers
2017-07-14 16:40 ` Michael Halcrow via Linux-f2fs-devel
2017-07-14 16:40 ` Michael Halcrow
2017-07-14 17:34 ` Jeffrey Walton
2017-07-15 0:52 ` Eric Biggers
2017-07-12 21:00 ` [PATCH 5/6] fscrypt: cache the HMAC transform for each master key Eric Biggers
2017-07-12 21:00 ` Eric Biggers
2017-07-17 17:45 ` Michael Halcrow
2017-07-19 17:37 ` Eric Biggers
2017-07-12 21:00 ` [PATCH 6/6] fscrypt: for v2 policies, support "fscrypt:" key prefix only Eric Biggers
2017-07-17 17:54 ` Michael Halcrow
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170713225838.GA73286@gmail.com \
--to=ebiggers3@gmail.com \
--cc=alexcope@google.com \
--cc=ebiggers@google.com \
--cc=jaegeuk@kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
--cc=mhalcrow@google.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.