Re: [f2fs-dev] Proposal: Yet another possible fs-verity interface

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Eric Biggers <ebiggers@kernel.org>
To: "Theodore Y. Ts'o" <tytso@mit.edu>
Cc: Mimi Zohar <zohar@linux.ibm.com>,
	"Darrick J. Wong" <darrick.wong@oracle.com>,
	Dave Chinner <david@fromorbit.com>,
	linux-f2fs-devel@lists.sourceforge.net,
	Christoph Hellwig <hch@infradead.org>,
	linux-fscrypt@vger.kernel.org,
	linux-fsdevel <linux-fsdevel@vger.kernel.org>,
	James Bottomley <James.Bottomley@HansenPartnership.com>,
	linux-ext4@vger.kernel.org,
	Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [f2fs-dev] Proposal: Yet another possible fs-verity interface
Date: Tue, 12 Feb 2019 10:42:10 -0800	[thread overview]
Message-ID: <20190212184209.GA3373@gmail.com> (raw)
In-Reply-To: <20190212172433.GT23000@mit.edu>

On Tue, Feb 12, 2019 at 12:24:33PM -0500, Theodore Y. Ts'o wrote:
> 
> > > > The existing file hashes included in the measurement list and the
> > > > audit log, are currently being used for remote attestation, forensics
> > > > and security analytics.
> > 
> > Again, the context for this comment was Linus' suggestion "each level
> > of the merkle tree needs to have a hash seeding thing or whatever."
> > Up to this point, I had assumed the Merkle tree file root hash could
> > be used as an identifier, similar to the file hash.  With his
> > suggestion, it sounds like the Merkle tree file root hash would be
> > system dependent, making it useless for the above usages.
> 
> Yeah, I have no idea what Linus was talking about there.  The only
> thing that really makes sense is that if you don't have any
> file-system place to store a seed, you don't use a seed for the Merkle
> tree, and for a given set of bytes, the Merkle root hash is the same.
> So it's basically an expensive to calculate crypto checksum, as I said.
> 

I think there's confusion due to the use of the phrase "Merkle tree root hash".
Linus's point was:

> Now, since I assume that only the merkle tree root hash would be
> returned by the "enable merkle tree" operation (so that the code
> enabling it can verify that the hash matches the expected value), you
> do have to worry about the preimage attack, and make sure that you
> can't fool the hashing by making the (bad) file contents themselves be
> just the hashes of the (good) blocks. So each level of the merkle tree
> needs to have a hash seeding thing or whatever.

This is already taken into account in the original design.  The file hash
reported by fs-verity is *not* the Merkle tree root hash directly, but rather a
hash of the Merkle tree root hash and additional metadata in the
fsverity_descriptor including the file size in bytes.  This resulting hash is
referred to in the code, documentation, etc. as the "fs-verity file measurement".

Thus you can't fool the hashing in the way that Linus mentioned, because the
file size is included in the hash too.  And I don't expect this part of the
design should change, even if we change the API.

It's been difficult to get people to start saying "fs-verity file measurement"
rather than "Merkle tree root hash", though, so if anyone has a suggestion for a
better name it would be appreciated.  An earlier name was "fs-verity root hash",
but I thought that would too easily be confused with the Merkle tree root hash.

fs-verity does support a salt as well, but it's optional and isn't needed to
prevent preimage attacks, assuming the user chose a strong cryptographic hash
function such as SHA-256 or SHA-512.

- Eric

WARNING: multiple messages have this Message-ID (diff)

From: Eric Biggers <ebiggers@kernel.org>
To: "Theodore Y. Ts'o" <tytso@mit.edu>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>,
	"Darrick J. Wong" <darrick.wong@oracle.com>,
	Dave Chinner <david@fromorbit.com>,
	Mimi Zohar <zohar@linux.ibm.com>,
	linux-f2fs-devel@lists.sourceforge.net,
	Christoph Hellwig <hch@infradead.org>,
	linux-fscrypt@vger.kernel.org,
	linux-fsdevel <linux-fsdevel@vger.kernel.org>,
	linux-ext4@vger.kernel.org,
	Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: Proposal: Yet another possible fs-verity interface
Date: Tue, 12 Feb 2019 10:42:10 -0800	[thread overview]
Message-ID: <20190212184209.GA3373@gmail.com> (raw)
In-Reply-To: <20190212172433.GT23000@mit.edu>

On Tue, Feb 12, 2019 at 12:24:33PM -0500, Theodore Y. Ts'o wrote:
> 
> > > > The existing file hashes included in the measurement list and the
> > > > audit log, are currently being used for remote attestation, forensics
> > > > and security analytics.
> > 
> > Again, the context for this comment was Linus' suggestion "each level
> > of the merkle tree needs to have a hash seeding thing or whatever."
> > Up to this point, I had assumed the Merkle tree file root hash could
> > be used as an identifier, similar to the file hash.  With his
> > suggestion, it sounds like the Merkle tree file root hash would be
> > system dependent, making it useless for the above usages.
> 
> Yeah, I have no idea what Linus was talking about there.  The only
> thing that really makes sense is that if you don't have any
> file-system place to store a seed, you don't use a seed for the Merkle
> tree, and for a given set of bytes, the Merkle root hash is the same.
> So it's basically an expensive to calculate crypto checksum, as I said.
> 

I think there's confusion due to the use of the phrase "Merkle tree root hash".
Linus's point was:

> Now, since I assume that only the merkle tree root hash would be
> returned by the "enable merkle tree" operation (so that the code
> enabling it can verify that the hash matches the expected value), you
> do have to worry about the preimage attack, and make sure that you
> can't fool the hashing by making the (bad) file contents themselves be
> just the hashes of the (good) blocks. So each level of the merkle tree
> needs to have a hash seeding thing or whatever.

This is already taken into account in the original design.  The file hash
reported by fs-verity is *not* the Merkle tree root hash directly, but rather a
hash of the Merkle tree root hash and additional metadata in the
fsverity_descriptor including the file size in bytes.  This resulting hash is
referred to in the code, documentation, etc. as the "fs-verity file measurement".

Thus you can't fool the hashing in the way that Linus mentioned, because the
file size is included in the hash too.  And I don't expect this part of the
design should change, even if we change the API.

It's been difficult to get people to start saying "fs-verity file measurement"
rather than "Merkle tree root hash", though, so if anyone has a suggestion for a
better name it would be appreciated.  An earlier name was "fs-verity root hash",
but I thought that would too easily be confused with the Merkle tree root hash.

fs-verity does support a salt as well, but it's optional and isn't needed to
prevent preimage attacks, assuming the user chose a strong cryptographic hash
function such as SHA-256 or SHA-512.

- Eric

WARNING: multiple messages have this Message-ID (diff)

From: Eric Biggers <ebiggers@kernel.org>
To: "Theodore Y. Ts'o" <tytso@mit.edu>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>,
	"Darrick J. Wong" <darrick.wong@oracle.com>,
	Dave Chinner <david@fromorbit.com>,
	Mimi Zohar <zohar@linux.ibm.com>,
	linux-f2fs-devel@lists.sourceforge.net,
	Christoph Hellwig <hch@infradead.org>,
	linux-fscrypt@vger.kernel.org,
	linux-fsdevel <linux-fsdevel@vger.kernel.org>,
	linux-ext4@vger.kernel.org,
	Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [f2fs-dev] Proposal: Yet another possible fs-verity interface
Date: Tue, 12 Feb 2019 10:42:10 -0800	[thread overview]
Message-ID: <20190212184209.GA3373@gmail.com> (raw)
In-Reply-To: <20190212172433.GT23000@mit.edu>

On Tue, Feb 12, 2019 at 12:24:33PM -0500, Theodore Y. Ts'o wrote:
> 
> > > > The existing file hashes included in the measurement list and the
> > > > audit log, are currently being used for remote attestation, forensics
> > > > and security analytics.
> > 
> > Again, the context for this comment was Linus' suggestion "each level
> > of the merkle tree needs to have a hash seeding thing or whatever."
> > Up to this point, I had assumed the Merkle tree file root hash could
> > be used as an identifier, similar to the file hash.  With his
> > suggestion, it sounds like the Merkle tree file root hash would be
> > system dependent, making it useless for the above usages.
> 
> Yeah, I have no idea what Linus was talking about there.  The only
> thing that really makes sense is that if you don't have any
> file-system place to store a seed, you don't use a seed for the Merkle
> tree, and for a given set of bytes, the Merkle root hash is the same.
> So it's basically an expensive to calculate crypto checksum, as I said.
> 

I think there's confusion due to the use of the phrase "Merkle tree root hash".
Linus's point was:

> Now, since I assume that only the merkle tree root hash would be
> returned by the "enable merkle tree" operation (so that the code
> enabling it can verify that the hash matches the expected value), you
> do have to worry about the preimage attack, and make sure that you
> can't fool the hashing by making the (bad) file contents themselves be
> just the hashes of the (good) blocks. So each level of the merkle tree
> needs to have a hash seeding thing or whatever.

This is already taken into account in the original design.  The file hash
reported by fs-verity is *not* the Merkle tree root hash directly, but rather a
hash of the Merkle tree root hash and additional metadata in the
fsverity_descriptor including the file size in bytes.  This resulting hash is
referred to in the code, documentation, etc. as the "fs-verity file measurement".

Thus you can't fool the hashing in the way that Linus mentioned, because the
file size is included in the hash too.  And I don't expect this part of the
design should change, even if we change the API.

It's been difficult to get people to start saying "fs-verity file measurement"
rather than "Merkle tree root hash", though, so if anyone has a suggestion for a
better name it would be appreciated.  An earlier name was "fs-verity root hash",
but I thought that would too easily be confused with the Merkle tree root hash.

fs-verity does support a salt as well, but it's optional and isn't needed to
prevent preimage attacks, assuming the user chose a strong cryptographic hash
function such as SHA-256 or SHA-512.

- Eric

_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel

next prev parent reply	other threads:[~2019-02-12 18:42 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-02-07  3:11 Proposal: Yet another possible fs-verity interface Theodore Y. Ts'o
2019-02-07  3:11 ` Theodore Y. Ts'o
2019-02-07  3:11 ` Theodore Y. Ts'o
2019-02-08 19:10 ` James Bottomley
2019-02-08 19:10   ` James Bottomley
2019-02-09 20:38 ` Linus Torvalds
2019-02-09 20:38   ` Linus Torvalds
2019-02-09 20:54   ` Ali Mezgani
2019-02-10 14:06   ` Mimi Zohar
2019-02-10 14:06     ` Mimi Zohar
2019-02-12  5:31     ` Theodore Y. Ts'o
2019-02-12  5:31       ` Theodore Y. Ts'o
2019-02-12  5:31       ` Theodore Y. Ts'o
2019-02-12 13:06       ` Mimi Zohar
2019-02-12 13:06         ` Mimi Zohar
2019-02-12 17:24         ` Theodore Y. Ts'o
2019-02-12 17:24           ` [f2fs-dev] " Theodore Y. Ts'o
2019-02-12 17:24           ` Theodore Y. Ts'o
2019-02-12 18:42           ` Eric Biggers [this message]
2019-02-12 18:42             ` [f2fs-dev] " Eric Biggers
2019-02-12 18:42             ` Eric Biggers
2019-02-12  5:12   ` Theodore Y. Ts'o
2019-02-12  5:12     ` Theodore Y. Ts'o
2019-02-12  5:12     ` Theodore Y. Ts'o
2019-02-12 14:44     ` Mimi Zohar
2019-02-12 14:44       ` Mimi Zohar
2019-02-12 17:11       ` Theodore Y. Ts'o
2019-02-12 17:11         ` [f2fs-dev] " Theodore Y. Ts'o
2019-02-12 17:11         ` Theodore Y. Ts'o

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190212184209.GA3373@gmail.com \
    --to=ebiggers@kernel.org \
    --cc=James.Bottomley@HansenPartnership.com \
    --cc=darrick.wong@oracle.com \
    --cc=david@fromorbit.com \
    --cc=hch@infradead.org \
    --cc=linux-ext4@vger.kernel.org \
    --cc=linux-f2fs-devel@lists.sourceforge.net \
    --cc=linux-fscrypt@vger.kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=torvalds@linux-foundation.org \
    --cc=tytso@mit.edu \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.