From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Darrick J. Wong" Subject: Re: Proposal: A new fs-verity interface Date: Thu, 10 Jan 2019 10:18:36 -0800 Message-ID: <20190110181836.GA20467@magnolia> References: <20190110051500.GA32361@mit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Cc: Eric Biggers , Dave Chinner , linux-f2fs-devel@lists.sourceforge.net, Christoph Hellwig , linux-fscrypt@vger.kernel.org, linux-fsdevel , linux-ext4@vger.kernel.org, Linus Torvalds To: "Theodore Y. Ts'o" Return-path: Content-Disposition: inline In-Reply-To: <20190110051500.GA32361@mit.edu> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: linux-f2fs-devel-bounces@lists.sourceforge.net List-Id: linux-fsdevel.vger.kernel.org On Thu, Jan 10, 2019 at 12:15:00AM -0500, Theodore Y. Ts'o wrote: > The following approach is based in Darrick's suggestion: > > int ioctl(fd, FS_IOC_ENABLE_VERITY, struct fsverity_arg *arg); > > struct fsverity_arg { > int fsv_donor_fd; Explicitly sized fields and padding here, please. ISTR there are a few arches that don't have alignment requirements which will make this messy. > u64 fsv_offset; > u64 fsv_size; You might want to allocate some reserved space for flags in case you ever decide you need it, but otherwise it seems fine to me... --D > }; > > fsv_offset and fsz_size must be a multiple of the file system block > size. If the ioctl comples successfully, as a side effect the > donor_fd will have a hole punch operation on the specified range. In > other words, the equivalent of operation of fallocate(fsv_donor_fd, > FALLOC_FL_PUNCH_HOLE, fsv_offset, fsv_size), and the file specified by > fd will be protected using fsverity. > > It will be legal for fsv_donor_fd == fd, so this interface is a > superset of the original FS_IOC_ENABLE_VERITY ioctl. > > This will hopefully make Christoph and Dave happy because the > interface does not presuppose how ext4 and f2fs will implement > fsverity behind the scenes. However, it does not forbid it, and the > net cost is that ext4 and f2fs will have to implement code which > transplants the blocks from the donor_fd to fd in the case where > donor_fd != fd --- and in the case where blocks are encrypted using > fscrypt, we will have to decrypt the blocks from donor_fd and possibly > re-encrypt then in fd's per-file key, which means we'll have to add > extra complexity to implement the decrypt and re-encrypt passing > through the page cache. > > But if this helps resolve Christoph and Dave's objections, it > shouldn't be _too_ much extra complexity. Before we go ahead an > implement it, though, I'd appreciate a confirmation that this will > indeed actually resolve their complaints. > > Thanks, > > - Ted From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.7 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_PASS,UNPARSEABLE_RELAY,USER_AGENT_MUTT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E87DFC43387 for ; Thu, 10 Jan 2019 18:19:06 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id B96E820675 for ; Thu, 10 Jan 2019 18:19:06 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=oracle.com header.i=@oracle.com header.b="xA4jJWW6" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730939AbfAJSTG (ORCPT ); Thu, 10 Jan 2019 13:19:06 -0500 Received: from aserp2130.oracle.com ([141.146.126.79]:56310 "EHLO aserp2130.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729480AbfAJSTF (ORCPT ); Thu, 10 Jan 2019 13:19:05 -0500 Received: from pps.filterd (aserp2130.oracle.com [127.0.0.1]) by aserp2130.oracle.com (8.16.0.22/8.16.0.22) with SMTP id x0AIEPPl048813; Thu, 10 Jan 2019 18:18:40 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=date : from : to : cc : subject : message-id : references : mime-version : content-type : in-reply-to; s=corp-2018-07-02; bh=jHDazduWFqvenY+/WsPlvQeixayzZBnGChWl3WPj/IA=; b=xA4jJWW6/vTjCzw5l+OYq6u1zyJS1T6I1jOx1LPas5iyD9xI5Ilrt85SV4/7mybIq1GO sFsjCSIu8S5+bFP/rYJEIJ7T9gl6xZXOv1OgaIeMgAARDoeJ+inkvh/Jp+zCiDlqMDhw RUKmfYeMJHE1Gs1eyA2CY5dk4RkIKqDKSOw+iIr2+zmIw2hT2Q6GNyGew4PNW98+4/6A RHzWw0AW6udzIJKqkzLcgG8++oZn/Q2HOo2qlWV+b2Ghy1nXnPkYS+fTBVHnpq6nlT9L BN6y4zjB+N2aLainIiv/8bU4Kxu9w0NecOK9SSloxK7x4B4QVw+hh8+chyBs+4rwX33G PQ== Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by aserp2130.oracle.com with ESMTP id 2ptj3e92a5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 10 Jan 2019 18:18:40 +0000 Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by aserv0021.oracle.com (8.14.4/8.14.4) with ESMTP id x0AIIdBg013674 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 10 Jan 2019 18:18:39 GMT Received: from abhmp0002.oracle.com (abhmp0002.oracle.com [141.146.116.8]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id x0AIIc0J028078; Thu, 10 Jan 2019 18:18:38 GMT Received: from localhost (/67.169.218.210) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 10 Jan 2019 10:18:38 -0800 Date: Thu, 10 Jan 2019 10:18:36 -0800 From: "Darrick J. Wong" To: "Theodore Y. Ts'o" Cc: Linus Torvalds , Christoph Hellwig , Dave Chinner , Eric Biggers , linux-fscrypt@vger.kernel.org, linux-fsdevel , linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net Subject: Re: Proposal: A new fs-verity interface Message-ID: <20190110181836.GA20467@magnolia> References: <20190110051500.GA32361@mit.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190110051500.GA32361@mit.edu> User-Agent: Mutt/1.9.4 (2018-02-28) X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9132 signatures=668680 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=908 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1901100142 Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org Message-ID: <20190110181836.UgAa3tdJnQLnGZAgCkEUbamHLUoAJP_jCnmbk2ZF4Tc@z> On Thu, Jan 10, 2019 at 12:15:00AM -0500, Theodore Y. Ts'o wrote: > The following approach is based in Darrick's suggestion: > > int ioctl(fd, FS_IOC_ENABLE_VERITY, struct fsverity_arg *arg); > > struct fsverity_arg { > int fsv_donor_fd; Explicitly sized fields and padding here, please. ISTR there are a few arches that don't have alignment requirements which will make this messy. > u64 fsv_offset; > u64 fsv_size; You might want to allocate some reserved space for flags in case you ever decide you need it, but otherwise it seems fine to me... --D > }; > > fsv_offset and fsz_size must be a multiple of the file system block > size. If the ioctl comples successfully, as a side effect the > donor_fd will have a hole punch operation on the specified range. In > other words, the equivalent of operation of fallocate(fsv_donor_fd, > FALLOC_FL_PUNCH_HOLE, fsv_offset, fsv_size), and the file specified by > fd will be protected using fsverity. > > It will be legal for fsv_donor_fd == fd, so this interface is a > superset of the original FS_IOC_ENABLE_VERITY ioctl. > > This will hopefully make Christoph and Dave happy because the > interface does not presuppose how ext4 and f2fs will implement > fsverity behind the scenes. However, it does not forbid it, and the > net cost is that ext4 and f2fs will have to implement code which > transplants the blocks from the donor_fd to fd in the case where > donor_fd != fd --- and in the case where blocks are encrypted using > fscrypt, we will have to decrypt the blocks from donor_fd and possibly > re-encrypt then in fd's per-file key, which means we'll have to add > extra complexity to implement the decrypt and re-encrypt passing > through the page cache. > > But if this helps resolve Christoph and Dave's objections, it > shouldn't be _too_ much extra complexity. Before we go ahead an > implement it, though, I'd appreciate a confirmation that this will > indeed actually resolve their complaints. > > Thanks, > > - Ted