From: "Darrick J. Wong" <djwong@kernel.org>
To: Andrey Albershteyn <aalbersh@redhat.com>
Cc: ebiggers@kernel.org, linux-fsdevel@vger.kernel.org,
fsverity@lists.linux.dev, linux-xfs@vger.kernel.org
Subject: Re: [PATCH 21/29] xfs: add fs-verity support
Date: Thu, 14 Mar 2024 19:59:58 -0700 [thread overview]
Message-ID: <20240315025958.GP6184@frogsfrogsfrogs> (raw)
In-Reply-To: <lveodvnohv4orprbr7xte2c3bbspd3ttmx2e5f5bvtf3353kfa@qsjqrliz4urs>
On Thu, Mar 14, 2024 at 06:16:02PM +0100, Andrey Albershteyn wrote:
> On 2024-03-14 10:06:20, Darrick J. Wong wrote:
> > On Wed, Mar 13, 2024 at 10:58:03AM -0700, Darrick J. Wong wrote:
> > > From: Andrey Albershteyn <aalbersh@redhat.com>
> > >
> > > Add integration with fs-verity. The XFS store fs-verity metadata in
> > > the extended file attributes. The metadata consist of verity
> > > descriptor and Merkle tree blocks.
> > >
> > > The descriptor is stored under "vdesc" extended attribute. The
> > > Merkle tree blocks are stored under binary indexes which are offsets
> > > into the Merkle tree.
> > >
> > > When fs-verity is enabled on an inode, the XFS_IVERITY_CONSTRUCTION
> > > flag is set meaning that the Merkle tree is being build. The
> > > initialization ends with storing of verity descriptor and setting
> > > inode on-disk flag (XFS_DIFLAG2_VERITY).
> > >
> > > The verification on read is done in read path of iomap.
> > >
> > > Signed-off-by: Andrey Albershteyn <aalbersh@redhat.com>
> > > Reviewed-by: Darrick J. Wong <djwong@kernel.org>
> > > [djwong: replace caching implementation with an xarray, other cleanups]
> > > Signed-off-by: Darrick J. Wong <djwong@kernel.org>
> >
> > I started writing more of userspace (xfs_db decoding of verity xattrs,
> > repair/scrub support) so I think I want to make one more change to this.
>
> Just to note, I have a version of xfs_db with a few modification to
> make it work with xfstests and make it aware of fs-verity:
>
> https://github.com/alberand/xfsprogs/tree/fsverity-v5
<nod> I implemented online and offline repair today and made a few more
tweaks; after I let it run through QA overnight I'll send that out to
the list.
Note that I moved the to_disk/from_disk helpers back to xfs_da_format.h
and added some more hooks to fsverity so that online fsck can do some
basic checks for stale merkle tree blocks and the like.
Also I modified xfs_verity_write_merkle to skip trailing zeroes to save
space, and changed the hash function to use the merkle tree offset so
that the merkle blocks get written out in linear(ish) order with fewer
hash collisions in the xattr index.
That said, I think we're close to finished on this one. :)
--D
> --
> - Andrey
>
>
next prev parent reply other threads:[~2024-03-15 2:59 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-13 17:52 [PATCHSET v5.2] fs-verity support for XFS Darrick J. Wong
2024-03-13 17:52 ` [PATCH 01/29] fsverity: remove hash page spin lock Darrick J. Wong
2024-03-13 17:53 ` [PATCH 02/29] xfs: add parent pointer support to attribute code Darrick J. Wong
2024-03-13 17:53 ` [PATCH 03/29] xfs: define parent pointer ondisk extended attribute format Darrick J. Wong
2024-03-13 17:53 ` [PATCH 04/29] xfs: add parent pointer validator functions Darrick J. Wong
2024-03-13 17:53 ` [PATCH 05/29] fs: add FS_XFLAG_VERITY for verity files Darrick J. Wong
2024-03-13 17:54 ` [PATCH 06/29] fsverity: pass tree_blocksize to end_enable_verity() Darrick J. Wong
2024-03-13 17:54 ` [PATCH 07/29] fsverity: support block-based Merkle tree caching Darrick J. Wong
2024-03-13 17:54 ` [PATCH 08/29] fsverity: add per-sb workqueue for post read processing Darrick J. Wong
2024-03-19 23:30 ` Darrick J. Wong
2024-03-20 10:37 ` Andrey Albershteyn
2024-03-20 14:55 ` Darrick J. Wong
2024-03-20 16:22 ` Andrey Albershteyn
2024-03-13 17:54 ` [PATCH 09/29] fsverity: add tracepoints Darrick J. Wong
2024-03-13 17:55 ` [PATCH 10/29] fsverity: fix "support block-based Merkle tree caching" Darrick J. Wong
2024-03-13 17:55 ` [PATCH 11/29] fsverity: send the level of the merkle tree block to ->read_merkle_tree_block Darrick J. Wong
2024-03-13 17:55 ` [PATCH 12/29] fsverity: pass the new tree size and block size to ->begin_enable_verity Darrick J. Wong
2024-03-13 17:55 ` [PATCH 13/29] iomap: integrate fs-verity verification into iomap's read path Darrick J. Wong
2024-03-13 17:56 ` [PATCH 14/29] xfs: add attribute type for fs-verity Darrick J. Wong
2024-03-13 17:56 ` [PATCH 15/29] xfs: add fs-verity ro-compat flag Darrick J. Wong
2024-03-13 17:56 ` [PATCH 16/29] xfs: add inode on-disk VERITY flag Darrick J. Wong
2024-03-13 17:57 ` [PATCH 17/29] xfs: initialize fs-verity on file open and cleanup on inode destruction Darrick J. Wong
2024-03-13 17:57 ` [PATCH 18/29] xfs: don't allow to enable DAX on fs-verity sealed inode Darrick J. Wong
2024-03-13 17:57 ` [PATCH 19/29] xfs: disable direct read path for fs-verity files Darrick J. Wong
2024-03-13 17:57 ` [PATCH 20/29] xfs: widen flags argument to the xfs_iflags_* helpers Darrick J. Wong
2024-03-13 17:58 ` [PATCH 21/29] xfs: add fs-verity support Darrick J. Wong
2024-03-14 17:06 ` Darrick J. Wong
2024-03-14 17:16 ` Andrey Albershteyn
2024-03-15 2:59 ` Darrick J. Wong [this message]
2024-03-13 17:58 ` [PATCH 22/29] xfs: create a per-mount shrinker for verity inodes merkle tree blocks Darrick J. Wong
2024-03-13 17:58 ` [PATCH 23/29] xfs: create an icache tag for files with cached " Darrick J. Wong
2024-03-13 17:58 ` [PATCH 24/29] xfs: shrink verity blob cache Darrick J. Wong
2024-03-13 17:59 ` [PATCH 25/29] xfs: clean up stale fsverity metadata before starting Darrick J. Wong
2024-03-13 17:59 ` [PATCH 26/29] xfs: better reporting and error handling in xfs_drop_merkle_tree Darrick J. Wong
2024-03-13 17:59 ` [PATCH 27/29] xfs: make scrub aware of verity dinode flag Darrick J. Wong
2024-03-13 17:59 ` [PATCH 28/29] xfs: add fs-verity ioctls Darrick J. Wong
2024-03-13 18:00 ` [PATCH 29/29] xfs: enable ro-compat fs-verity flag Darrick J. Wong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240315025958.GP6184@frogsfrogsfrogs \
--to=djwong@kernel.org \
--cc=aalbersh@redhat.com \
--cc=ebiggers@kernel.org \
--cc=fsverity@lists.linux.dev \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-xfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).