From: Mike Snitzer <snitzer@redhat.com>
To: Michael Halcrow <mhalcrow@google.com>
Cc: Milan Broz <gmazyland@gmail.com>,
"Theodore Y . Ts'o" <tytso@mit.edu>,
Eric Biggers <ebiggers@google.com>, dm-crypt <dm-crypt@saout.de>,
dm-devel@redhat.com, linux-block@vger.kernel.org,
Tyler Hicks <tyler.hicks@canonical.com>,
linux-fscrypt@vger.kernel.org,
"Daniel P. Berrange" <berrange@redhat.com>,
linux-fsdevel@vger.kernel.org, Jaegeuk Kim <jaegeuk@kernel.org>,
linux-ext4@vger.kernel.org
Subject: Re: [RFC PATCH 0/4] Allow file systems to selectively bypass dm-crypt
Date: Tue, 20 Jun 2017 10:44:23 -0400 [thread overview]
Message-ID: <20170620144423.GA22495@redhat.com> (raw)
In-Reply-To: <20170616184240.GA13904@google.com>
On Fri, Jun 16 2017 at 2:42pm -0400,
Michael Halcrow <mhalcrow@google.com> wrote:
> On Thu, Jun 15, 2017 at 08:17:02PM +0200, Milan Broz wrote:
> > On 06/15/2017 07:24 PM, Michael Halcrow wrote:
> > ...
> > >> If this is accepted, we basically allow attacker to trick system to
> > >> write plaintext to media just by setting this flag. This must never
> > >> ever happen with FDE - BY DESIGN.
> > >
> > > That's an important point. This expands the attack surface to include
> > > the file system, so if an adversary can provide a bad encryption key
> > > or policy at the file system layer or if there's a bug in the file
> > > system that an adversary can exploit, then users setting the
> > > allow_encrypt_override option on dmcrypt would be vulnerable.
> > >
> > >> For me, ABSOLUTE NACK to this approach.
> > >
> > > I can understand where you're coming from. Given our challenges on
> > > mobile, do you have any suggestions for an alternative approach?
> >
> > Well, what I really do not like here that you are solving problem
> > of missing properly designed cryptographic filesystem by hacking
> > some layers together that were not designed to it.
>
> Agreed. I enthusiastically withdraw this proposal.
>
> I think I'm instead going to look into proposing something new in the
> block layer to address performance concerns with file system
> encryption and inline cryptographic engine support.
As should have been done from the start. The emergence of ICE support
for mobile/embedded platforms should result in a properly designed
solution to enable dm-crypt to leverage them (easier said than done!).
And if only certain files need to be encrypted then dm-crypt may or may
not be configured in the stack.
> > It would better to go with some model that actually increases security.
> >
> > For example, if your patch marks IO operation that comes from fs as
> > REQ_NOENCRYPT, could fs send some metadata information in bio of
> > owner (user, translated to key id) instead and encrypt the sector
> > with a different key?
>
> I really like this idea. However because users can access the dmcrypt
> device without the file system, I wouldn't want to try to do it
> without dmcrypt maintaining additional metadata about which keys
> protect which blocks. Even then, the user directly accessing the
> dmcrypt device would be surprised when dmcrypt returns EIO because it
> doesn't have a key for the blocks at offsets 42 and 128.
>
> At this point I do think something new at the block layer for file
> system managed encryption and inline cryptographic engine support will
> be necessary.
Yes.
next prev parent reply other threads:[~2017-06-20 14:44 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-14 23:40 [RFC PATCH 0/4] Allow file systems to selectively bypass dm-crypt Michael Halcrow
2017-06-14 23:40 ` [RFC PATCH 1/4] block: Add bio req flag to disable encryption in block Michael Halcrow
2017-06-14 23:40 ` [RFC PATCH 2/4] dm-crypt: Skip encryption of file system-encrypted blocks Michael Halcrow
2017-06-14 23:40 ` [RFC PATCH 3/4] ext4: Set the bio REQ_NOENCRYPT flag Michael Halcrow
2017-06-14 23:40 ` [RFC PATCH 4/4] f2fs: " Michael Halcrow
2017-06-15 7:33 ` [RFC PATCH 0/4] Allow file systems to selectively bypass dm-crypt Milan Broz
2017-06-15 17:24 ` Michael Halcrow
2017-06-15 18:17 ` Milan Broz
2017-06-16 18:42 ` Michael Halcrow
2017-06-20 14:44 ` Mike Snitzer [this message]
2017-06-16 10:34 ` [dm-crypt] " Daniel P. Berrange
2017-06-16 14:02 ` Arno Wagner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170620144423.GA22495@redhat.com \
--to=snitzer@redhat.com \
--cc=berrange@redhat.com \
--cc=dm-crypt@saout.de \
--cc=dm-devel@redhat.com \
--cc=ebiggers@google.com \
--cc=gmazyland@gmail.com \
--cc=jaegeuk@kernel.org \
--cc=linux-block@vger.kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=mhalcrow@google.com \
--cc=tyler.hicks@canonical.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).