Re: eCryptfs Design Document

linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Andrew Morton <akpm@osdl.org>
To: Michael Halcrow <mhalcrow@us.ibm.com>
Cc: phillip@hellewell.homeip.net, linux-kernel@vger.kernel.org,
	linux-fsdevel@vger.kernel.org, viro@ftp.linux.org.uk,
	mike@halcrow.us, mcthomps@us.ibm.com, yoder1@us.ibm.com,
	toml@us.ibm.com, emilyr@us.ibm.com, daw@cs.berkeley.edu
Subject: Re: eCryptfs Design Document
Date: Fri, 24 Mar 2006 15:49:20 -0800	[thread overview]
Message-ID: <20060324154920.11561533.akpm@osdl.org> (raw)
In-Reply-To: <20060324222517.GA13688@us.ibm.com>

Michael Halcrow <mhalcrow@us.ibm.com> wrote:
>
> On Fri, Nov 18, 2005 at 10:16:59PM -0800, Andrew Morton wrote:
> > If Linux is going to offer a feature like this then people have to
> > be able to trust it to be quite secure.  What we don't want to
> > happen is to distribute it for six months and then be buried in
> > reports of vulnerabilites from cryptography specialists.  Even worse
> > if those reports lead to exploits.
> >
> > So I guess what I'm asking is: has this code been reviewed by crypto
> > experts?  Bearing in mind that it'll be world-class crypto people
> > who will try to poke holes in it.
> 
> 
> ...
> The PDF document is obtainable from the eCryptfs SourceForge file
> download section:
> 
> http://sourceforge.net/project/showfiles.php?group_id=133988
>
> I also have it posted on the eCryptfs web site:
> 
> http://ecryptfs.sourceforge.net/ecryptfs_design_doc_v0_1.pdf

Helps, thanks.

> ...
>
> 3.2.3 Page Read
> 
> ...
> 
> On a page read, the eCryptfs page index is interpolated into the
> corresponding lower page index, taking into account the header page in
> the file.

I trust that PAGE_CACHE_SIZE is not implicitly encoded into the file layout?

> ...
> When a writepage() request comes through as a result of a VFS syscall,
> eCryptfs will read the target extent from the lower file using the
> process described in the prior paragraph. The data on that page is
> modified according to the write request. The entire (modified) page is
> re-encrypted (again, in CBC mode) with the same IV and key that were
> used to originally encrypt the page; the newly encrypted page is then
> written out to the lower file.

So ecryptfs files have their own plain-text pagecache, which is backed by
the underlying file's encrypted pagecache.  Passing through things like
fsync() will be interesting.  We get that wrong for loop at present.

hm.  The above write() description doesn't sound right.  The read+decrypt
from the underlying fs should happen at ->prepare_write(), not at
->writepage().  And it can be elided if ->prepare_write() is about to write
the whole page, and if the underlying fs's blocksize is less than or equal
to the ecryptfs's blocksize.

Or something like that.  The way this document talks about a file's "page
size" is a worry.  Files have block sizes, and they're <= PAGE_CACHE_SIZE,
so the files are portable between different PAGE_SIZE setups.

Anyway, I'll stop trying to review the code without the code.



One dutifully wonders whether all this functionality could be provided via
FUSE...

next prev parent reply	other threads:[~2006-03-24 23:47 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-03-24 22:25 eCryptfs Design Document Michael Halcrow
2006-03-24 23:12 ` James Morris
2006-03-27 16:17   ` Michael Thompson
2006-03-27 16:52   ` Michael Halcrow
2006-03-24 23:49 ` Andrew Morton [this message]
2006-03-25  0:13   ` Michael Halcrow
2006-03-25  0:33     ` Andrew Morton
2006-03-25  7:38       ` Miklos Szeredi
2006-03-27 23:31       ` Michael Halcrow
2006-03-28 16:00         ` Stephen C. Tweedie
2006-03-29 20:14           ` Michael Halcrow
2006-03-25 19:28 ` Phillip Susi
2006-03-25 19:50   ` Michael Halcrow
2006-03-26 17:10     ` Phillip Susi
2006-03-26 18:04       ` Michael Halcrow
2006-03-27  0:05         ` Phillip Hellewell
2006-03-27  2:53           ` Phillip Susi
2006-03-27 16:10             ` Michael Thompson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20060324154920.11561533.akpm@osdl.org \
    --to=akpm@osdl.org \
    --cc=daw@cs.berkeley.edu \
    --cc=emilyr@us.ibm.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mcthomps@us.ibm.com \
    --cc=mhalcrow@us.ibm.com \
    --cc=mike@halcrow.us \
    --cc=phillip@hellewell.homeip.net \
    --cc=toml@us.ibm.com \
    --cc=viro@ftp.linux.org.uk \
    --cc=yoder1@us.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).