From: Nikolai Joukov <kolya@cs.sunysb.edu>
To: linux-fsdevel@vger.kernel.org
Subject: Secure Deletion Functionality in ext3
Date: Mon, 13 Feb 2006 15:57:56 -0500 (EST)
Message-ID: <Pine.GSO.4.53.0602031631560.21890@compserv2>
Hello,
We're working on secure deletion for ext3 to ensure that deleted data and
meta-data is permanently overwritten to prevent theft of information if,
say, a laptop is lost.
We have come up with a set of patches that we've been testing and we'd
like to get your initial feedback first before proceeding further. Could
you please take a look at the simplest patch below. It performs basic
one-time overwriting for files marked with the secure deletion file
attribute. It overwrites file data in writeback and ordered (default)
journaling modes.
In the future, we will send the patches that work for the data in data
journaling mode and meta-data. In these cases, we move deleted
files into a separate directory upon every delete operation. This
approach allows us to: (1) avoid data and meta-data inconsistency if the
file is partially overwritten and power fails (we have to overwrite the
data in-place even in the data journaling mode) and (2) perform single
or multiple overwrites asynchronously after a file is deleted. In
addition, much of the code can be reused to get a trash bin functionality
in ext3.
We will very much appreciate your early feedback.
Thanks,
Nikolai Joukov.
*****************************************
* Ph.D. student, Stony Brook University *
* Advisor: Dr. Erez Zadok *
*****************************************
diff -NaurbB --ignore-all-space linux-2.6.15.1-orig/fs/ext3/balloc.c linux-2.6.15.1/fs/ext3/balloc.c
--- linux-2.6.15.1-orig/fs/ext3/balloc.c 2006-01-15 01:16:02.000000000 -0500
+++ linux-2.6.15.1/fs/ext3/balloc.c 2006-02-03 15:01:29.000000000 -0500
@@ -492,6 +492,47 @@
return;
}
+#ifdef CONFIG_EXT3_FS_SECDEL
+/* This overwrites file's data for secure deletion */
+int ext3_secdel_blocks(handle_t *handle, struct inode *inode,
+ unsigned long block, unsigned long count)
+{
+ int retval = 0;
+ int i;
+ struct buffer_head *bh = NULL;
+ struct super_block *sb;
+
+ /* data journaling mode is not supported yet */
+ if (ext3_should_journal_data(inode))
+ goto out;
+
+ sb = inode->i_sb;
+
+ for (i = block; i < block + count; i++) {
+
+ bh = sb_getblk(sb, i);
+
+ lock_buffer(bh);
+ memset(bh->b_data, 0, bh->b_size);
+ unlock_buffer(bh);
+
+ if (ext3_should_order_data(inode)) {
+ retval = ext3_journal_dirty_data(handle, bh);
+ if (retval) {
+ brelse(bh);
+ goto out;
+ }
+ }
+
+ mark_buffer_dirty(bh);
+ set_buffer_jbddirty(bh);
+ brelse(bh);
+ }
+out:
+ return retval;
+}
+#endif
+
/* Free given blocks, update quota and i_blocks field */
void ext3_free_blocks(handle_t *handle, struct inode *inode,
unsigned long block, unsigned long count)
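Review bot: sb_getblk() can return NULL when no buffer head can be allocated, and ext3_secdel_blocks() passes the result straight to lock_buffer() and memset(), so the loop body needs an `if (!bh) { retval = -ENOMEM; goto out; }` before bh->b_data is touched. Three smaller points in the same function: the loop index `i` is an int while `block` and `count` are unsigned long, so use one type (sector_t is what sb_getblk() takes) to avoid sign and truncation problems on large block numbers; in writeback mode the zeroed buffer is only marked dirty (mark_buffer_dirty() plus set_buffer_jbddirty() without going through the journal), so nothing forces it to the medium before the function returns and a crash before writeback leaves the original data on disk; and the data-journaling early return yields retval 0, so a caller cannot tell "overwritten" from "skipped", which a distinct return value such as -EOPNOTSUPP would make visible.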
@@ -504,6 +545,10 @@
printk ("ext3_free_blocks: nonexistent device");
return;
}
+#ifdef CONFIG_EXT3_FS_SECDEL
+ if (EXT3_I(inode)->i_flags & EXT3_SECRM_FL)
+ ext3_secdel_blocks(handle, inode, block, count);
+#endif
ext3_free_blocks_sb(handle, sb, block, count,
&dquot_freed_blocks);
if (dquot_freed_blocks)
DQUOT_FREE_BLOCK(inode, dquot_freed_blocks);
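Review bot: the return value of ext3_secdel_blocks() is dropped at the new call, so when the overwrite fails (the ext3_journal_dirty_data() error path in the helper) the blocks are still handed to ext3_free_blocks_sb() and become reallocatable with their original contents intact, and neither the caller nor the log records that secure deletion did not happen. Since ext3_free_blocks() returns void, at minimum report the failure with ext3_error() or ext3_warning() on the superblock before continuing, so an operator relying on EXT3_SECRM_FL can see that the guarantee was not met. As a style point, the #ifdef inside the function body could be avoided by providing a static inline no-op ext3_secdel_blocks() for the !CONFIG_EXT3_FS_SECDEL case and keeping the call site unconditional.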
diff -NaurbB --ignore-all-space linux-2.6.15.1-orig/fs/Kconfig linux-2.6.15.1/fs/Kconfig
--- linux-2.6.15.1-orig/fs/Kconfig 2006-01-15 01:16:02.000000000 -0500
+++ linux-2.6.15.1/fs/Kconfig 2006-01-24 15:16:04.000000000 -0500
@@ -137,6 +137,19 @@
If you are not using a security module that requires using
extended attributes for file security labels, say N.
+config EXT3_FS_SECDEL
+ bool "Ext3 Secure Deletion"
+ depends on EXT3_FS
+ help
+ Secure Deletion support allows overwriting of the data and
+ file names on the disk after a file is deleted to prevent
+ further unintended recovery.
+
+ To learn more about Secure Deletion visit the Secure Deletion
+ File Systems website <http://www.filesystems.org/project-sdfs.html>.
+
+ If you don't know what Secure Deletion is, say N
+
config JBD
# CONFIG_JBD could be its own option (even modular), but until there are
# other users than ext3, we will simply make it be the same as
CONFIG_EXT3_FS
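Review bot: the help text promises overwriting of "the data and file names on the disk", but the patch as posted only zeroes data blocks in writeback and ordered modes (the cover letter says file names, other meta-data and data=journal mode are future work), so the help should describe what the option currently does and say explicitly that data=journal is not covered, otherwise a user enabling it on a data=journal mount gets no overwrite and no indication of that. Also, the closing sentence "If you don't know what Secure Deletion is, say N" is missing its full stop, and the conventional Kconfig wording is "If unsure, say N."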