Re: [RFC PATCH] Btrfs: add sha256 checksum option

[Austin S Hemmelgarn <ahferroin7@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 3088 bytes --]

On 2014-12-01 12:22, John Williams wrote:
> On Mon, Dec 1, 2014 at 4:39 AM, Austin S Hemmelgarn
> <ahferroin7@gmail.com> wrote:
>
>> Just because it's a filesystem doesn't always mean that speed is the most
>> important thing.  Personally, I can think of multiple cases where using a
>> cryptographically strong hash would be preferable, for example:
>>   * On an fs used solely for backup purposes
>>   * On a fs used for /boot
>>   * On an fs spread across a very large near-line disk array and mounted
>>     by a system with a powerful CPU
>>   * Almost any other case where data integrity is more important than
>>     speed
>
> What does data integrity have to do with whether the hash is
> cryptographic or not? The primary difference between a cryptographic
> and non-cryptographic hash is that the non-cryptographic hash can be
> easily guessed / predicted (eg., an attack to deliberately create
> collisions) whereas the cryptographic hash cannot (given reasonable
> assumptions of CPU power).
>
> For filesystem checksums it is difficult to imagine a deliberate
> attack on the checksums. Consequently, the only really important
> quality for the hash besides speed is collision resistance. The
> non-crypto hashes that I have mentioned in this thread have excellent
> collision resistant properties.
I'm not saying they don't have excellent collision resistance 
properties.  I'm also not saying that we shouldn't support such 
non-cryptographic hashes, just that we shouldn't explicitly NOT support 
other hashes, and that if we are going to support more than one hash 
algorithm, we should use the infrastructure already in place in the 
kernel for such things because it greatly simplifies maintaining the code.

In fact, if I had the time, I'd just write CryptoAPI implementations of 
those hashes myself.
>
>> The biggest reason to use the in-kernel Crypto API though, is that it gives
>> a huge amount of flexibility, and provides pretty much transparent
>> substitution of CPU optimized versions of the exported hash functions (for
>> example, you don't have to know whether or not your processor supports
>> Intel's CRC32 ISA extensions).
>
> Which is worse than useless if the CPU-optimized crypto hash is slower
> than the default non-crypto hash, and that will almost always be the
> case. Besides, there is nothing magic happening in the Crypto API
> library. If you implement your own hash, you can easily do a few
> checks and choose the best code for the CPU.
>
Except most of the CPU optimized hashes aren't crypto hashes (other than 
the various SHA implementations).  Furthermore, I've actually tested the 
speed of a generic CRC32c implementation versus SHA-1 using the SHA 
instructions on an UltraSPARC processor, and the difference ammounts to 
a few microseconds in _favor_ of the optimized crypto hash; and I've run 
the math for every other ISA that has instructions for computing SHA 
hashes (I don't have the hardware for any of the others), and expect 
similar results for those as well.



[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 2455 bytes --]