From: Jeff Mahoney <jeffm@suse.com>
To: Johannes Thumshirn <Johannes.Thumshirn@wdc.com>,
Richard Weinberger <richard@nod.at>,
Johannes Thumshirn <jth@kernel.org>
Cc: David Sterba <dsterba@suse.cz>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
linux-btrfs <linux-btrfs@vger.kernel.org>,
Eric Biggers <ebiggers@google.com>,
Johannes Thumshirn <jthumshirn@suse.de>,
david <david@sigma-star.at>,
Sascha Hauer <s.hauer@pengutronix.de>
Subject: Re: [PATCH v2 1/2] btrfs: add authentication support
Date: Tue, 5 May 2020 08:36:24 -0400 [thread overview]
Message-ID: <bc2811dd-8d1e-f2ff-7a9b-326fe4270b96@suse.com> (raw)
In-Reply-To: <SN4PR0401MB3598DDEF9BF9BACA71A1041D9BA70@SN4PR0401MB3598.namprd04.prod.outlook.com>
[-- Attachment #1.1: Type: text/plain, Size: 1808 bytes --]
On 5/5/20 3:55 AM, Johannes Thumshirn wrote:
> On 04/05/2020 23:59, Richard Weinberger wrote:
>> Eric already raised doubts, let me ask more directly.
>> Does the checksum tree really cover all moving parts of BTRFS?
>>
>> I'm a little surprised how small your patch is.
>> Getting all this done for UBIFS was not easy and given that UBIFS is truly
>> copy-on-write it was still less work than it would be for other filesystems.
>>
>> If I understand the checksum tree correctly, the main purpose is protecting
>> you from flipping bits.
>> An attacker will perform much more sophisticated attacks.
>
> [ Adding Jeff with whom I did the design work ]
>
> The checksum tree only covers the file-system payload. But combined with
> the checksum field, which is the start of every on-disk structure, we
> have all parts of the filesystem checksummed.
That the checksums were originally intended for bitflip protection isn't
really relevant. Using a different algorithm doesn't change the
fundamentals and the disk format was designed to use larger checksums
than crc32c. The checksum tree covers file data. The contextual
information is in the metadata describing the disk blocks and all the
metadata blocks have internal checksums that would also be
authenticated. The only weak spot is that there has been a historical
race where a user submits a write using direct i/o and modifies the data
while in flight. This will cause CRC failures already and that would
still happen with this.
All that said, the biggest weak spot I see in the design was mentioned
on LWN: We require the key to mount the file system at all and there's
no way to have a read-only but still verifiable file system. That's
worth examining further.
-Jeff
--
Jeff Mahoney
SUSE Labs
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2020-05-05 12:36 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-28 10:58 [PATCH v2 0/2] Add file-system authentication to BTRFS Johannes Thumshirn
2020-04-28 10:58 ` [PATCH v2 1/2] btrfs: add authentication support Johannes Thumshirn
2020-04-29 7:23 ` kbuild test robot
2020-04-29 11:46 ` Johannes Thumshirn
2020-05-01 5:39 ` Eric Biggers
2020-05-01 6:30 ` Eric Biggers
2020-05-04 8:38 ` Johannes Thumshirn
2020-05-05 22:33 ` David Sterba
2020-05-06 8:10 ` Johannes Thumshirn
2020-05-04 10:09 ` Johannes Thumshirn
2020-05-04 20:59 ` Eric Biggers
2020-05-05 8:11 ` Johannes Thumshirn
2020-05-05 9:26 ` Qu Wenruo
2020-05-05 9:59 ` Qu Wenruo
2020-05-05 22:32 ` David Sterba
2020-05-05 23:55 ` Qu Wenruo
2020-05-06 20:40 ` btree [was Re: [PATCH v2 1/2] btrfs: add authentication support] Goffredo Baroncelli
2020-05-06 22:57 ` Qu Wenruo
2020-05-05 22:19 ` [PATCH v2 1/2] btrfs: add authentication support David Sterba
2020-05-05 22:37 ` Eric Biggers
2020-05-06 8:30 ` Johannes Thumshirn
2020-05-05 22:14 ` David Sterba
2020-05-05 22:31 ` Eric Biggers
2020-05-05 22:46 ` David Sterba
2020-05-05 23:31 ` Eric Biggers
2020-05-06 0:29 ` David Sterba
2020-05-06 0:44 ` Eric Biggers
2020-05-04 21:37 ` Richard Weinberger
2020-05-05 7:46 ` Johannes Thumshirn
2020-05-05 11:56 ` Richard Weinberger
2020-05-04 21:59 ` Richard Weinberger
2020-05-05 7:55 ` Johannes Thumshirn
2020-05-05 12:36 ` Jeff Mahoney [this message]
2020-05-05 12:39 ` Qu Wenruo
2020-05-05 12:41 ` Jeff Mahoney
2020-05-05 12:48 ` Qu Wenruo
2020-05-05 23:02 ` David Sterba
2020-05-06 21:24 ` Goffredo Baroncelli
2020-05-05 23:00 ` David Sterba
2020-05-05 9:43 ` Qu Wenruo
2020-05-06 20:59 ` Goffredo Baroncelli
2020-04-28 10:58 ` [PATCH v2 2/2] btrfs: rename btrfs_parse_device_options back to btrfs_parse_early_options Johannes Thumshirn
2020-05-01 6:03 ` [PATCH v2 0/2] Add file-system authentication to BTRFS Eric Biggers
2020-05-04 8:39 ` Johannes Thumshirn
2020-05-05 23:16 ` David Sterba
2020-05-01 21:26 ` Jason A. Donenfeld
2020-05-05 23:38 ` David Sterba
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bc2811dd-8d1e-f2ff-7a9b-326fe4270b96@suse.com \
--to=jeffm@suse.com \
--cc=Johannes.Thumshirn@wdc.com \
--cc=david@sigma-star.at \
--cc=dsterba@suse.cz \
--cc=ebiggers@google.com \
--cc=jth@kernel.org \
--cc=jthumshirn@suse.de \
--cc=linux-btrfs@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=richard@nod.at \
--cc=s.hauer@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).