From: Dave Chinner <david@fromorbit.com>
To: Eric Biggers <ebiggers@kernel.org>
Cc: "Darrick J. Wong" <djwong@kernel.org>,
Andrey Albershteyn <aalbersh@redhat.com>,
dchinner@redhat.com, hch@infradead.org,
linux-xfs@vger.kernel.org, fsverity@lists.linux.dev,
rpeterso@redhat.com, agruenba@redhat.com, xiang@kernel.org,
chao@kernel.org, damien.lemoal@opensource.wdc.com,
jth@kernel.org, linux-erofs@lists.ozlabs.org,
linux-btrfs@vger.kernel.org, linux-ext4@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net, cluster-devel@redhat.com
Subject: Re: [PATCH v2 21/23] xfs: handle merkle tree block size != fs blocksize != PAGE_SIZE
Date: Thu, 6 Apr 2023 08:26:46 +1000 [thread overview]
Message-ID: <20230405222646.GR3223426@dread.disaster.area> (raw)
In-Reply-To: <ZC264FSkDQidOQ4N@gmail.com>
On Wed, Apr 05, 2023 at 06:16:00PM +0000, Eric Biggers wrote:
> On Wed, Apr 05, 2023 at 09:38:47AM -0700, Darrick J. Wong wrote:
> > > The merkle tree pages are dropped after verification. When page is
> > > dropped xfs_buf is marked as verified. If fs-verity wants to
> > > verify again it will get the same verified buffer. If buffer is
> > > evicted it won't have verified state.
> > >
> > > So, with enough memory pressure buffers will be dropped and need to
> > > be reverified.
> >
> > Please excuse me if this was discussed and rejected long ago, but
> > perhaps fsverity should try to hang on to the merkle tree pages that
> > this function returns for as long as possible until reclaim comes for
> > them?
> >
> > With the merkle tree page lifetimes extended, you then don't need to
> > attach the xfs_buf to page->private, nor does xfs have to extend the
> > buffer cache to stash XBF_VERITY_CHECKED.
>
> Well, all the other filesystems that support fsverity (ext4, f2fs, and btrfs)
> just cache the Merkle tree pages in the inode's page cache. It's an approach
> that I know some people aren't a fan of, but it's efficient and it works.
Which puts pages beyond EOF in the page cache. Given that XFS also
allows persistent block allocation beyond EOF, having both data in the page
cache and blocks beyond EOF that contain unrelated information is a
Real Bad Idea.
Just because putting metadata in the file data address space works
for one filesystem, it doesn't me it's a good idea or that it works
for every filesystem.
> We could certainly think about moving to a design where fs/verity/ asks the
> filesystem to just *read* a Merkle tree block, without adding it to a cache, and
> then fs/verity/ implements the caching itself. That would require some large
> changes to each filesystem, though, unless we were to double-cache the Merkle
> tree blocks which would be inefficient.
No, that's unnecessary.
All we need if for fsverity to require filesystems to pass it byte
addressable data buffers that are externally reference counted. The
filesystem can take a page reference before mapping the page and
passing the kaddr to fsverity, then unmap and drop the reference
when the merkle tree walk is done as per Andrey's new drop callout.
fsverity doesn't need to care what the buffer is made from, how it
is cached, what it's life cycle is, etc. The caching mechanism and
reference counting is entirely controlled by the filesystem callout
implementations, and fsverity only needs to deal with memory buffers
that are guaranteed to live for the entire walk of the merkle
tree....
Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
next prev parent reply other threads:[~2023-04-05 22:26 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-04 14:52 [PATCH v2 00/23] fs-verity support for XFS Andrey Albershteyn
2023-04-04 14:52 ` [PATCH v2 01/23] xfs: Add new name to attri/d Andrey Albershteyn
2023-04-04 14:52 ` [PATCH v2 02/23] xfs: add parent pointer support to attribute code Andrey Albershteyn
2023-04-04 14:52 ` [PATCH v2 03/23] xfs: define parent pointer xattr format Andrey Albershteyn
2023-04-04 14:53 ` [PATCH v2 04/23] xfs: Add xfs_verify_pptr Andrey Albershteyn
2023-04-04 14:53 ` [PATCH v2 05/23] fsverity: make fsverity_verify_folio() accept folio's offset and size Andrey Albershteyn
2023-04-04 15:30 ` Christoph Hellwig
2023-04-05 10:36 ` Andrey Albershteyn
2023-04-05 15:46 ` Christoph Hellwig
2023-04-05 17:50 ` Eric Biggers
2023-04-04 14:53 ` [PATCH v2 06/23] fsverity: add drop_page() callout Andrey Albershteyn
2023-04-04 23:40 ` Dave Chinner
2023-04-05 10:39 ` Andrey Albershteyn
2023-04-04 14:53 ` [PATCH v2 07/23] fsverity: pass Merkle tree block size to ->read_merkle_tree_page() Andrey Albershteyn
2023-04-04 14:53 ` [PATCH v2 08/23] iomap: hoist iomap_readpage_ctx from the iomap_readahead/_folio Andrey Albershteyn
2023-04-04 15:32 ` Christoph Hellwig
2023-04-04 14:53 ` [PATCH v2 09/23] iomap: allow filesystem to implement read path verification Andrey Albershteyn
2023-04-04 15:37 ` Christoph Hellwig
2023-04-05 11:01 ` Andrey Albershteyn
2023-04-05 15:06 ` Darrick J. Wong
2023-04-05 15:48 ` Christoph Hellwig
2023-04-04 14:53 ` [PATCH v2 10/23] xfs: add XBF_VERITY_CHECKED xfs_buf flag Andrey Albershteyn
2023-04-04 14:53 ` [PATCH v2 11/23] xfs: add XFS_DA_OP_BUFFER to make xfs_attr_get() return buffer Andrey Albershteyn
2023-04-04 14:53 ` [PATCH v2 12/23] xfs: introduce workqueue for post read IO work Andrey Albershteyn
2023-04-04 14:53 ` [PATCH v2 13/23] xfs: add iomap's readpage operations Andrey Albershteyn
2023-04-04 14:53 ` [PATCH v2 14/23] xfs: add attribute type for fs-verity Andrey Albershteyn
2023-04-04 14:53 ` [PATCH v2 15/23] xfs: add fs-verity ro-compat flag Andrey Albershteyn
2023-04-04 14:53 ` [PATCH v2 16/23] xfs: add inode on-disk VERITY flag Andrey Albershteyn
2023-04-04 22:41 ` Eric Biggers
2023-04-04 23:56 ` Dave Chinner
2023-04-05 11:07 ` Andrey Albershteyn
2023-04-04 14:53 ` [PATCH v2 17/23] xfs: initialize fs-verity on file open and cleanup on inode destruction Andrey Albershteyn
2023-04-04 14:53 ` [PATCH v2 18/23] xfs: don't allow to enable DAX on fs-verity sealsed inode Andrey Albershteyn
2023-04-04 14:53 ` [PATCH v2 19/23] xfs: disable direct read path for fs-verity sealed files Andrey Albershteyn
2023-04-04 16:10 ` Darrick J. Wong
2023-04-05 15:01 ` Andrey Albershteyn
2023-04-05 15:09 ` Darrick J. Wong
2023-04-05 15:50 ` Christoph Hellwig
2023-04-05 18:02 ` Eric Biggers
2023-04-05 22:14 ` Dave Chinner
2023-04-05 22:10 ` Dave Chinner
2023-04-04 14:53 ` [PATCH v2 20/23] xfs: add fs-verity support Andrey Albershteyn
2023-04-04 16:27 ` Darrick J. Wong
2023-04-05 15:18 ` Eric Sandeen
2023-04-04 18:01 ` kernel test robot
2023-04-04 20:03 ` kernel test robot
2023-04-04 14:53 ` [PATCH v2 21/23] xfs: handle merkle tree block size != fs blocksize != PAGE_SIZE Andrey Albershteyn
2023-04-04 16:36 ` Darrick J. Wong
2023-04-05 16:02 ` Andrey Albershteyn
2023-04-05 16:38 ` Darrick J. Wong
2023-04-05 18:16 ` Eric Biggers
2023-04-05 22:26 ` Dave Chinner [this message]
2023-04-05 22:54 ` Eric Biggers
2023-04-05 23:37 ` Dave Chinner
2023-04-06 0:44 ` Eric Biggers
2023-04-07 19:56 ` Eric Biggers
2023-04-04 23:32 ` Eric Biggers
2023-04-05 15:12 ` Andrey Albershteyn
2023-04-05 22:51 ` Dave Chinner
2023-04-04 14:53 ` [PATCH v2 22/23] xfs: add fs-verity ioctls Andrey Albershteyn
2023-04-04 14:53 ` [PATCH v2 23/23] xfs: enable ro-compat fs-verity flag Andrey Albershteyn
2023-04-04 16:39 ` [PATCH v2 00/23] fs-verity support for XFS Darrick J. Wong
2023-04-05 16:27 ` Andrey Albershteyn
2023-04-04 23:37 ` Eric Biggers
2023-04-05 16:04 ` Andrey Albershteyn
2023-04-11 5:19 ` Christoph Hellwig
2023-04-12 2:33 ` Eric Biggers
2023-04-12 3:18 ` Dave Chinner
2023-04-12 12:42 ` Christoph Hellwig
2023-04-12 12:40 ` Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230405222646.GR3223426@dread.disaster.area \
--to=david@fromorbit.com \
--cc=aalbersh@redhat.com \
--cc=agruenba@redhat.com \
--cc=chao@kernel.org \
--cc=cluster-devel@redhat.com \
--cc=damien.lemoal@opensource.wdc.com \
--cc=dchinner@redhat.com \
--cc=djwong@kernel.org \
--cc=ebiggers@kernel.org \
--cc=fsverity@lists.linux.dev \
--cc=hch@infradead.org \
--cc=jth@kernel.org \
--cc=linux-btrfs@vger.kernel.org \
--cc=linux-erofs@lists.ozlabs.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-xfs@vger.kernel.org \
--cc=rpeterso@redhat.com \
--cc=xiang@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox