From: Dave Chinner <david@fromorbit.com>
To: Theodore Ts'o <tytso@mit.edu>
Cc: "Lukáš Czerner" <lczerner@redhat.com>,
"JP Abgrall" <jpa@google.com>,
"Eric Sandeen" <sandeen@redhat.com>,
linux-ext4@vger.kernel.org, "Geremy Condra" <gcondra@google.com>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>
Subject: Re: [PATCH] ext4: Add support for SFITRIM, an ioctl for secure FITRIM.
Date: Thu, 19 Jun 2014 10:36:57 +1000
Message-ID: <20140619003657.GF4453@dastard>
In-Reply-To: <20140618220601.GA5114@thunk.org>
On Wed, Jun 18, 2014 at 06:06:01PM -0400, Theodore Ts'o wrote:
> On Wed, Jun 18, 2014 at 11:33:47AM +0200, Lukáš Czerner wrote:
> > And I have no illusion that those are the only ones that do not
> > work. This hardware cannot be trusted and this must not be
> > advertised as a security feature.
>
> There's always crappy hardware out there. If that's true, should we
> then not call ATA Secure Erase by that term because somewhere out
> there, there will be an incompetently implemented SSD that doesn't do
> the right thing with ATA Secure Erase? I just don't think that's
> particularly useful. If the command is called "secure erase" or
> "secure discard" in the specification, then that's what we should use,
> just to avoid confusion if nothing else.
That's just a steaming pile of rhetoric. If that were true, then we
wouldn't be calling our operations BLKDISCARD or "discard", would
we? It would be called "TRIM" or "WRITE_SAME" because that's what
the device layer standards call the operations.

Sure, we have a "FITRIM" ioctl, but we acknowledged early on that it
was badly named because different protocols use different names.
That's why we started to use "discard" instead - it's a protocol and
device neutral term that describes the intent of the operation - to
-discard blocks-.

IOWs, I think that Lukas is right on the money here - we should not
imply something is secure when it is not, nor should we name high
level interfaces based on the standardised name of the low-level
primitive some class of device or protocol uses.

Rather, we should describe it for what it is: it is a command
to *scrub the data* from a range of blocks. i.e. it's not a
discard operation at all - it's a "scrub" operation that we are
asking the device to perform.

And further, scrubbing has a specific meaning in the security
environment - it doesn't imply security - it just means there is a
mechanism for physically removing data from its known locations.
Security comes from what you do with the scrubbing mechanism at
higher layers.

Scrubbing is something people already understand and it's clear
that it's a data manipulation operation and not some magic "secure"
operation. And by calling it "scrub" we get away from the idea that
it only works on specific hardware - hardware acceleration is good,
but there's no reason why we should design the functionality to only
be useful on systems with hardware scrubbing capability...
Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
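The argument above is that a device's "secure discard" cannot be taken at its word. The probe below is an added example for this thread, not code from the SFITRIM patch or from any of the posters: it writes a recognisable pattern to a range of a block device, asks the device to discard that range, and reads it back to see whether the data is still there. It assumes Linux; the ioctl numbers are BLKDISCARD and BLKSECDISCARD from <linux/fs.h> (the block layer's plain and "secure" discard; the thread names only the ext4 SFITRIM proposal and "secure discard"), and the device path, offset and 1 MiB probe length are parameters chosen for the example.

```c
/* discard_probe.c: write a pattern, discard the range, read it back.
 * Added example for this thread, not code from the SFITRIM patch or any
 * poster. Assumes Linux: BLKDISCARD / BLKSECDISCARD come from <linux/fs.h>.
 * Run as root on a scratch device you can destroy:
 *   ./discard_probe /dev/sdX 1048576 [--secure]   (offset must be 4 KiB aligned) */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#ifdef __linux__
#include <linux/fs.h>
#endif

#define PROBE_LEN ((size_t)1 << 20) /* 1 MiB written, then discarded */

enum scrub_result {
    SCRUB_DATA_PERSISTS, /* read-back identical to what was written */
    SCRUB_ZEROED,        /* read-back is all zeroes */
    SCRUB_OTHER          /* partially changed: inspect by hand */
};

/* Tag mixed with each byte's offset: recognisable, and never all-zero. */
void fill_pattern(uint8_t *buf, size_t n, uint8_t tag)
{
    for (size_t i = 0; i < n; i++)
        buf[i] = (uint8_t)(tag ^ (i * 0x9d) ^ (i >> 8));
}

/* Compare what was written with what the device returns afterwards. */
enum scrub_result classify_readback(const uint8_t *before,
                                    const uint8_t *after, size_t n)
{
    size_t same = 0, zero = 0;
    for (size_t i = 0; i < n; i++) {
        if (after[i] == before[i]) same++;
        if (after[i] == 0) zero++;
    }
    if (same == n) return SCRUB_DATA_PERSISTS;
    if (zero == n) return SCRUB_ZEROED;
    return SCRUB_OTHER;
}

#ifdef __linux__
/* O_DIRECT so the write reaches the device and the read-back is not
 * served from the page cache. */
static int probe_device(const char *path, uint64_t off, int secure,
                        enum scrub_result *out)
{
    uint8_t *before = NULL, *after = NULL;
    uint64_t range[2] = { off, PROBE_LEN }; /* byte offset, byte length */
    int fd = -1, rc = -1;

    if (posix_memalign((void **)&before, 4096, PROBE_LEN) != 0 ||
        posix_memalign((void **)&after, 4096, PROBE_LEN) != 0)
        goto out;
    fill_pattern(before, PROBE_LEN, 0x5a);
    if ((fd = open(path, O_RDWR | O_DIRECT)) < 0)
        goto out;
    if (pwrite(fd, before, PROBE_LEN, off) != (ssize_t)PROBE_LEN || fsync(fd))
        goto out;
    /* BLKSECDISCARD fails with EOPNOTSUPP on a device that does not
     * advertise secure discard: that is a finding, not a bug here. */
    if (ioctl(fd, secure ? BLKSECDISCARD : BLKDISCARD, range) != 0)
        goto out;
    if (pread(fd, after, PROBE_LEN, off) != (ssize_t)PROBE_LEN)
        goto out;
    *out = classify_readback(before, after, PROBE_LEN);
    rc = 0;
out:
    if (fd >= 0) close(fd);
    free(before);
    free(after);
    return rc;
}
#endif

int main(int argc, char **argv)
{
#ifdef __linux__
    static const char *verdict[] = {
        "data still readable: the range was NOT scrubbed",
        "reads back as zeroes (says nothing about what is left in flash)",
        "partially changed: inspect the range by hand",
    };
    enum scrub_result r;
    int secure = argc > 3 && strcmp(argv[3], "--secure") == 0;

    if (argc < 3) {
        fprintf(stderr, "usage: %s /dev/sdX byte-offset [--secure]\n", argv[0]);
        return 2;
    }
    if (probe_device(argv[1], strtoull(argv[2], NULL, 0), secure, &r) != 0) {
        perror(secure ? "BLKSECDISCARD probe" : "BLKDISCARD probe");
        return 2;
    }
    printf("%s: %s\n", secure ? "BLKSECDISCARD" : "BLKDISCARD", verdict[r]);
    return r == SCRUB_DATA_PERSISTS;
#else
    (void)argc; (void)argv;
    fprintf(stderr, "this probe needs the Linux block ioctls\n");
    return 2;
#endif
}
```

Read the outcomes the way the thread frames them. For a plain BLKDISCARD, "data still readable" is permitted behaviour (a discard is a hint unless the device promises deterministic zeroes after it), so it is a property of the device rather than a defect. For --secure it means the "secure" path did not even unmap the range, which is the kind of hardware Lukáš is describing. The other direction is weaker still: a read-back of zeroes only shows that the logical-to-physical mapping changed; the host has no way to see whether the old pages were actually erased from the flash, which is exactly why the interface should be named for what the host can observe (a scrub request) rather than for the guarantee it cannot check.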