From: Andrey Albershteyn <aalbersh@kernel.org>
To: linux-xfs@vger.kernel.org, fsverity@lists.linux.dev,
linux-fsdevel@vger.kernel.org, ebiggers@kernel.org
Cc: Andrey Albershteyn <aalbersh@kernel.org>,
hch@lst.de, linux-ext4@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-btrfs@vger.kernel.org, djwong@kernel.org,
david@fromorbit.com
Subject: [PATCH v4 00/25] fs-verity support for XFS with post EOF merkle tree
Date: Mon, 9 Mar 2026 20:23:15 +0100 [thread overview]
Message-ID: <20260309192355.176980-1-aalbersh@kernel.org> (raw)
Hi all,
This patch series adds fs-verity support for XFS. This version stores
merkle tree beyond end of the file, the same way as ext4 does it. The
difference is that verity descriptor is stored at the next aligned 64k
block after the merkle tree last block. This is done due to sparse
merkle tree which doesn't store hashes of zero data blocks.
The patchset starts with a few fs-verity preparation patches. Then, a
few patches to allow iomap to work in post EOF region. The XFS fs-verity
implementation follows.
The tree is read by iomap into page cache at offset of next largest
folio past end of file. The same offset is used for on-disk.
This patchsets also synthesizes merkle tree block full of hashes of
zeroed data blocks. This merkle blocks are not stored on disk, they are
holes in the tree.
Testing. The -g verity is passing for 1k, 8k and 4k with/without quota,
the tests include different merkle tree block size.
This series based on latest fsverity branch with patchset fs generated
integrity information [1] on top of fsverity/for-current.
kernel:
https://git.kernel.org/pub/scm/linux/kernel/git/aalbersh/xfs-linux.git/log/?h=b4/fsverity
xfsprogs:
https://github.com/alberand/xfsprogs/tree/b4/fsverity
xfstests:
https://github.com/alberand/xfstests/tree/b4/fsverity
Cc: fsverity@lists.linux.dev
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-xfs@vger.kernel.org
Cc: david@fromorbit.com
Cc: djwong@kernel.org
Cc: ebiggers@kernel.org
Cc: hch@lst.de
[1]: https://lore.kernel.org/linux-xfs/20260223132021.292832-1-hch@lst.de/
---
Changes in v4:
- Use fserror interface in fsverity instead of fs callback
- Hoist pagecache_read from f2fs/ext4 to fsverity
- Refactor iomap code
- Fetch fsverity_info only for file data and merkle tree holes
- Do not disable preallocation, remove unwritten extents instead
- Offload fsverity hash I/O to fsverity workqueue in read path
- Store merkle tree at round_up(i_size, 64k)
- Add a spacing between merkle tree and fsverity descriptor as next 64k
aligned block
- Squash helpers into first user commits
- Squash on-disk format changes into single commit
- Drop different offset for pagecache/on-disk
- Don't zero out pages in higher order folios in write path
- Link to v3: https://lore.kernel.org/fsverity/20260217231937.1183679-1-aalbersh@kernel.org/T/#t
Changes in v3:
- Different on-disk and pagecache offset
- Use read path ioends
- Switch to hashtable fsverity info
- Synthesize merkle tree blocks full of zeroes
- Other minor refactors
- Link to v2: https://lore.kernel.org/fsverity/20260114164210.GO15583@frogsfrogsfrogs/T/#t
Changes in v2:
- Move to VFS interface for merkle tree block reading
- Drop patchset for per filesystem workqueues
- Change how offsets of the descriptor and tree metadata is calculated
- Store fs-verity descriptor in data fork side by side with merkle tree
- Simplify iomap changes, remove interface for post eof read/write
- Get rid of extended attribute implementation
- Link to v1: https://lore.kernel.org/r/20250728-fsverity-v1-0-9e5443af0e34@kernel.org
Andrey Albershteyn (23):
fsverity: report validation errors through fserror to fsnotify
fsverity: expose ensure_fsverity_info()
fsverity: generate and store zero-block hash
fsverity: introduce fsverity_folio_zero_hash()
fsverity: pass digest size and hash of the empty block to ->write
fsverity: hoist pagecache_read from f2fs/ext4 to fsverity
iomap: introduce IOMAP_F_FSVERITY and teach writeback to handle
fsverity
iomap: obtain fsverity info for read path
iomap: issue readahead for fsverity merkle tree
iomap: teach iomap to handle fsverity holes and verify data holes
iomap: introduce iomap_fsverity_write() for writing fsverity metadata
xfs: introduce fsverity on-disk changes
xfs: initialize fs-verity on file open
xfs: don't allow to enable DAX on fs-verity sealed inode
xfs: disable direct read path for fs-verity files
xfs: handle fsverity I/O in write/read path
xfs: use read ioend for fsverity data verification
xfs: add fs-verity support
xfs: remove unwritten extents after preallocations in fsverity
metadata
xfs: add fs-verity ioctls
xfs: introduce health state for corrupted fsverity metadata
xfs: add fsverity traces
xfs: enable ro-compat fs-verity flag
Darrick J. Wong (2):
xfs: advertise fs-verity being available on filesystem
xfs: check and repair the verity inode flag state
fs/btrfs/verity.c | 6 +-
fs/ext4/verity.c | 36 +--
fs/f2fs/verity.c | 34 +--
fs/iomap/buffered-io.c | 97 ++++++-
fs/iomap/trace.h | 3 +-
fs/verity/enable.c | 4 +-
fs/verity/fsverity_private.h | 3 +
fs/verity/open.c | 8 +-
fs/verity/pagecache.c | 55 ++++
fs/verity/verify.c | 2 +
fs/xfs/Makefile | 1 +
fs/xfs/libxfs/xfs_bmap.c | 7 +
fs/xfs/libxfs/xfs_format.h | 13 +-
fs/xfs/libxfs/xfs_fs.h | 2 +
fs/xfs/libxfs/xfs_health.h | 4 +-
fs/xfs/libxfs/xfs_inode_buf.c | 8 +
fs/xfs/libxfs/xfs_inode_util.c | 2 +
fs/xfs/libxfs/xfs_sb.c | 4 +
fs/xfs/scrub/attr.c | 7 +
fs/xfs/scrub/common.c | 53 ++++
fs/xfs/scrub/common.h | 2 +
fs/xfs/scrub/inode.c | 7 +
fs/xfs/scrub/inode_repair.c | 36 +++
fs/xfs/xfs_aops.c | 48 +++-
fs/xfs/xfs_bmap_util.c | 8 +
fs/xfs/xfs_file.c | 19 +-
fs/xfs/xfs_fsverity.c | 460 +++++++++++++++++++++++++++++++++
fs/xfs/xfs_fsverity.h | 28 ++
fs/xfs/xfs_health.c | 1 +
fs/xfs/xfs_inode.h | 6 +
fs/xfs/xfs_ioctl.c | 14 +
fs/xfs/xfs_iomap.c | 15 +-
fs/xfs/xfs_iops.c | 4 +
fs/xfs/xfs_message.c | 4 +
fs/xfs/xfs_message.h | 1 +
fs/xfs/xfs_mount.h | 4 +
fs/xfs/xfs_super.c | 7 +
fs/xfs/xfs_trace.h | 45 ++++
include/linux/fsverity.h | 17 +-
include/linux/iomap.h | 10 +
40 files changed, 992 insertions(+), 93 deletions(-)
create mode 100644 fs/xfs/xfs_fsverity.c
create mode 100644 fs/xfs/xfs_fsverity.h
--
2.51.2
next reply other threads:[~2026-03-09 19:24 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-09 19:23 Andrey Albershteyn [this message]
2026-03-09 19:23 ` [PATCH v4 01/25] fsverity: report validation errors through fserror to fsnotify Andrey Albershteyn
2026-03-10 0:46 ` Darrick J. Wong
2026-03-11 11:47 ` Andrey Albershteyn
2026-03-09 19:23 ` [PATCH v4 02/25] fsverity: expose ensure_fsverity_info() Andrey Albershteyn
2026-03-09 19:23 ` [PATCH v4 03/25] fsverity: generate and store zero-block hash Andrey Albershteyn
2026-03-09 19:23 ` [PATCH v4 04/25] fsverity: introduce fsverity_folio_zero_hash() Andrey Albershteyn
2026-03-10 0:47 ` Darrick J. Wong
2026-03-09 19:23 ` [PATCH v4 05/25] fsverity: pass digest size and hash of the empty block to ->write Andrey Albershteyn
2026-03-10 0:49 ` Darrick J. Wong
2026-03-09 19:23 ` [PATCH v4 06/25] fsverity: hoist pagecache_read from f2fs/ext4 to fsverity Andrey Albershteyn
2026-03-10 0:49 ` Darrick J. Wong
2026-03-09 19:23 ` [PATCH v4 07/25] iomap: introduce IOMAP_F_FSVERITY and teach writeback to handle fsverity Andrey Albershteyn
2026-03-10 0:54 ` Darrick J. Wong
2026-03-10 8:44 ` Christoph Hellwig
2026-03-09 19:23 ` [PATCH v4 08/25] iomap: obtain fsverity info for read path Andrey Albershteyn
2026-03-10 0:57 ` Darrick J. Wong
2026-03-10 8:44 ` Christoph Hellwig
2026-03-09 19:23 ` [PATCH v4 09/25] iomap: issue readahead for fsverity merkle tree Andrey Albershteyn
2026-03-10 0:57 ` Darrick J. Wong
2026-03-10 8:45 ` Christoph Hellwig
2026-03-09 19:23 ` [PATCH v4 10/25] iomap: teach iomap to handle fsverity holes and verify data holes Andrey Albershteyn
2026-03-10 1:05 ` Darrick J. Wong
2026-03-10 14:42 ` Andrey Albershteyn
2026-03-10 9:14 ` Christoph Hellwig
2026-03-09 19:23 ` [PATCH v4 11/25] iomap: introduce iomap_fsverity_write() for writing fsverity metadata Andrey Albershteyn
2026-03-10 1:02 ` Darrick J. Wong
2026-03-09 19:23 ` [PATCH v4 12/25] xfs: introduce fsverity on-disk changes Andrey Albershteyn
2026-03-10 1:05 ` Darrick J. Wong
2026-03-09 19:23 ` [PATCH v4 13/25] xfs: initialize fs-verity on file open Andrey Albershteyn
2026-03-09 19:23 ` [PATCH v4 14/25] xfs: don't allow to enable DAX on fs-verity sealed inode Andrey Albershteyn
2026-03-09 19:23 ` [PATCH v4 15/25] xfs: disable direct read path for fs-verity files Andrey Albershteyn
2026-03-09 19:23 ` [PATCH v4 16/25] xfs: handle fsverity I/O in write/read path Andrey Albershteyn
2026-03-10 1:17 ` Darrick J. Wong
2026-03-09 19:23 ` [PATCH v4 17/25] xfs: use read ioend for fsverity data verification Andrey Albershteyn
2026-03-10 1:21 ` Darrick J. Wong
2026-03-11 11:40 ` Andrey Albershteyn
2026-03-10 9:11 ` Christoph Hellwig
2026-03-09 19:23 ` [PATCH v4 18/25] xfs: add fs-verity support Andrey Albershteyn
2026-03-10 1:26 ` Darrick J. Wong
2026-03-10 15:26 ` Andrey Albershteyn
2026-03-09 19:23 ` [PATCH v4 19/25] xfs: remove unwritten extents after preallocations in fsverity metadata Andrey Albershteyn
2026-03-10 1:29 ` Darrick J. Wong
2026-03-12 13:50 ` Andrey Albershteyn
2026-03-12 14:52 ` Darrick J. Wong
2026-03-13 11:17 ` Andrey Albershteyn
2026-03-13 14:55 ` Darrick J. Wong
2026-03-09 19:23 ` [PATCH v4 20/25] xfs: add fs-verity ioctls Andrey Albershteyn
2026-03-09 19:23 ` [PATCH v4 21/25] xfs: advertise fs-verity being available on filesystem Andrey Albershteyn
2026-03-09 19:23 ` [PATCH v4 22/25] xfs: check and repair the verity inode flag state Andrey Albershteyn
2026-03-09 19:23 ` [PATCH v4 23/25] xfs: introduce health state for corrupted fsverity metadata Andrey Albershteyn
2026-03-09 19:23 ` [PATCH v4 24/25] xfs: add fsverity traces Andrey Albershteyn
2026-03-09 19:23 ` [PATCH v4 25/25] xfs: enable ro-compat fs-verity flag Andrey Albershteyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260309192355.176980-1-aalbersh@kernel.org \
--to=aalbersh@kernel.org \
--cc=david@fromorbit.com \
--cc=djwong@kernel.org \
--cc=ebiggers@kernel.org \
--cc=fsverity@lists.linux.dev \
--cc=hch@lst.de \
--cc=linux-btrfs@vger.kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-xfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox