From: Michael Halcrow <mhalcrow@us.ibm.com>
To: Andrew Morton <akpm@osdl.org>
Cc: phillip@hellewell.homeip.net, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org, viro@ftp.linux.org.uk,
mike@halcrow.us, mcthomps@us.ibm.com, yoder1@us.ibm.com,
toml@us.ibm.com, emilyr@us.ibm.com, daw@cs.berkeley.edu
Subject: Re: eCryptfs Design Document
Date: Fri, 24 Mar 2006 18:13:45 -0600 [thread overview]
Message-ID: <20060325001345.GC13688@us.ibm.com> (raw)
In-Reply-To: <20060324154920.11561533.akpm@osdl.org>
On Fri, Mar 24, 2006 at 03:49:20PM -0800, Andrew Morton wrote:
> Michael Halcrow <mhalcrow@us.ibm.com> wrote:
> > On a page read, the eCryptfs page index is interpolated into the
> > corresponding lower page index, taking into account the header page in
> > the file.
>
> I trust that PAGE_CACHE_SIZE is not implicitly encoded into the file
> layout?
For release 0.1, it is. Managing differing page sizes is one of the
not-so-trivial changes to eCryptfs that we have planned for the 0.2
release. For this release, we can easily include a flag setting in the
header that indicates the page size, so that at least eCryptfs will
return a -EIO when the file is moved between hosts with different page
sizes. We will make sure that this is in the code before it is
submitted.
Do you think that this is an acceptable approach for the initial
release of eCryptfs?
> hm. The above write() description doesn't sound right. The
> read+decrypt from the underlying fs should happen at
> ->prepare_write(), not at ->writepage(). And it can be elided if
> ->prepare_write() is about to write the whole page, and if the
> underlying fs's blocksize is less than or equal to the ecryptfs's
> blocksize.
Yes, the design document is unclear; what you describe here is what
the code actually does.
> Anyway, I'll stop trying to review the code without the code.
I would say that this design document is largely only good for
evaluating the security of the design. At this point, it looks like
the code is ready to go out for evaluation, so we will get to work on
cleaning it up and getting it into patches.
Speaking of which, is there any particular way of breaking the code
into patches that you would prefer for delivery of a new filesystem?
In the past, we have been breaking the code into one patch for
inode.c, another for dentry.c, and so forth.
> One dutifully wonders whether all this functionality could be
> provided via FUSE...
My main concern with FUSE has to do with shared memory mappings. My
next concern is with regard to performance impact of constant context
switching during page reads and writes.
Whether to implement in the kernel or in userspace was a fundamental
design decision that was the subject of debate early in the
development of eCryptfs. Given the in-kernel support for something
like a cryptographic filesystem, such as the kernel crypto API and the
keyring support, and given performance and shared memory mapping
concerns, it seemed rational to implement it directly in the kernel.
More heavy-weight cryptographic operations in later versions of
eCryptfs, such as policy evaluation and public key operations, will be
done mostly in userspace and only on file open/close events.
Thanks,
Mike
next prev parent reply other threads:[~2006-03-25 0:13 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-03-24 22:25 eCryptfs Design Document Michael Halcrow
2006-03-24 23:12 ` James Morris
2006-03-27 16:17 ` Michael Thompson
2006-03-27 16:52 ` Michael Halcrow
2006-03-24 23:49 ` Andrew Morton
2006-03-25 0:13 ` Michael Halcrow [this message]
2006-03-25 0:33 ` Andrew Morton
2006-03-25 7:38 ` Miklos Szeredi
2006-03-27 23:31 ` Michael Halcrow
2006-03-28 16:00 ` Stephen C. Tweedie
2006-03-29 20:14 ` Michael Halcrow
2006-03-25 19:28 ` Phillip Susi
2006-03-25 19:50 ` Michael Halcrow
2006-03-26 17:10 ` Phillip Susi
2006-03-26 18:04 ` Michael Halcrow
2006-03-27 0:05 ` Phillip Hellewell
2006-03-27 2:53 ` Phillip Susi
2006-03-27 16:10 ` Michael Thompson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060325001345.GC13688@us.ibm.com \
--to=mhalcrow@us.ibm.com \
--cc=akpm@osdl.org \
--cc=daw@cs.berkeley.edu \
--cc=emilyr@us.ibm.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mcthomps@us.ibm.com \
--cc=mike@halcrow.us \
--cc=phillip@hellewell.homeip.net \
--cc=toml@us.ibm.com \
--cc=viro@ftp.linux.org.uk \
--cc=yoder1@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).