From: Eric Biggers <ebiggers@kernel.org>
To: Omar Sandoval <osandov@osandov.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
"Theodore Y. Ts'o" <tytso@mit.edu>,
Jaegeuk Kim <jaegeuk@kernel.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
linux-btrfs <linux-btrfs@vger.kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Christoph Hellwig <hch@infradead.org>,
Dave Chinner <david@fromorbit.com>, Jann Horn <jannh@google.com>,
Amir Goldstein <amir73il@gmail.com>,
Aleksa Sarai <cyphar@cyphar.com>,
Linux API <linux-api@vger.kernel.org>,
Kernel Team <kernel-team@fb.com>
Subject: Re: [PATCH RERESEND v9 0/9] fs: interface for directly reading/writing compressed data
Date: Mon, 17 May 2021 17:07:07 -0700 [thread overview]
Message-ID: <YKMFK3GtcWaRz4DA@gmail.com> (raw)
In-Reply-To: <YKL7W7QO7Wis2n8a@relinquished.localdomain>
On Mon, May 17, 2021 at 04:25:15PM -0700, Omar Sandoval wrote:
>
> Okay, I think we're in agreement: RWF_ENCODED for the data and separate
> ioctls for the encryption context. Since the fscrypt policy struct
> includes all of the relevant information, RWF_ENCODED can probably just
> have a single ENCODED_IOV_ENCRYPTION_FSCRYPT encryption type.
> RWF_ENCODED can express data which is both compressed and encrypted, so
> that should be fine as well.
>
> The only other missing piece that I see (other than filesystem support)
> is an FS_IOC_SET_ENCRYPTION_NONCE ioctl. Would such an interface be
> reasonable?
In theory, it will be possible to add FS_IOC_SET_ENCRYPTION_NONCE. The
implementation might be tricky. It would have to take the inode lock, verify
that the file is empty, replace the encryption xattr, and re-derive and replace
the file's encryption key. Replacing the key should be safe because the file is
empty, but it's hard to be sure -- and what about directories? Another concern
is that userspace could misuse this ioctl and somehow end up reusing nonces,
which would be bad; probably this should be a CAP_SYS_ADMIN thing only.
A larger question is whether the goal is to support users backing up and
restoring encrypted files without their encryption key being available -- in
which case things would become *much* harder. First because of the filenames
encryption, and second because we currently don't allow opening files without
their encryption key.
- Eric
next prev parent reply other threads:[~2021-05-18 0:07 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-17 18:35 [PATCH RERESEND v9 0/9] fs: interface for directly reading/writing compressed data Omar Sandoval
2021-05-17 18:35 ` [PATCH RERESEND v9 1/9] iov_iter: add copy_struct_from_iter() Omar Sandoval
2021-05-17 18:35 ` [PATCH RERESEND v9 2/9] fs: add O_ALLOW_ENCODED open flag Omar Sandoval
2021-05-17 18:35 ` [PATCH RERESEND v9 3/9] fs: add RWF_ENCODED for reading/writing compressed data Omar Sandoval
2021-05-17 18:35 ` [PATCH RERESEND v9 4/9] btrfs: don't advance offset for compressed bios in btrfs_csum_one_bio() Omar Sandoval
2021-05-17 18:35 ` [PATCH RERESEND v9 5/9] btrfs: add ram_bytes and offset to btrfs_ordered_extent Omar Sandoval
2021-05-17 18:35 ` [PATCH RERESEND v9 6/9] btrfs: support different disk extent size for delalloc Omar Sandoval
2021-05-17 18:35 ` [PATCH RERESEND v9 7/9] btrfs: optionally extend i_size in cow_file_range_inline() Omar Sandoval
2021-05-17 18:35 ` [PATCH RERESEND v9 8/9] btrfs: implement RWF_ENCODED reads Omar Sandoval
2021-05-17 18:35 ` [PATCH RERESEND v9 9/9] btrfs: implement RWF_ENCODED writes Omar Sandoval
2021-05-17 21:32 ` [PATCH RERESEND v9 0/9] fs: interface for directly reading/writing compressed data Linus Torvalds
2021-05-17 22:27 ` Omar Sandoval
2021-05-17 22:48 ` Eric Biggers
2021-05-17 23:25 ` Omar Sandoval
2021-05-18 0:07 ` Eric Biggers [this message]
2021-05-18 2:53 ` Theodore Y. Ts'o
2021-05-18 8:38 ` Omar Sandoval
2021-05-18 16:21 ` Theodore Y. Ts'o
2021-06-07 19:27 ` Omar Sandoval
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YKMFK3GtcWaRz4DA@gmail.com \
--to=ebiggers@kernel.org \
--cc=amir73il@gmail.com \
--cc=cyphar@cyphar.com \
--cc=david@fromorbit.com \
--cc=hch@infradead.org \
--cc=jaegeuk@kernel.org \
--cc=jannh@google.com \
--cc=kernel-team@fb.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-btrfs@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=osandov@osandov.com \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.