From: Nikolai Joukov
Subject: Secure Deletion Functionality in ext3
Date: Mon, 13 Feb 2006 15:57:56 -0500 (EST)
To: linux-fsdevel@vger.kernel.org
List-Id: linux-fsdevel.vger.kernel.org

Hello,

We're working on secure deletion for ext3 to ensure that deleted data and meta-data are permanently overwritten to prevent theft of information if, say, a laptop is lost. We have come up with a set of patches that we've been testing and we'd like to get your initial feedback first before proceeding further.

Could you please take a look at the simplest patch below. It performs basic one-time overwriting for files marked with the secure deletion file attribute. It overwrites file data in writeback and ordered (default) journaling modes. In the future, we will send the patches that work for the data in data journaling mode and meta-data. In these cases, we move deleted files into a separate directory upon every delete operation. This approach allows us to: (1) avoid data and meta-data inconsistency if the file is partially overwritten and power fails (we have to overwrite the data in-place even in the data journaling mode) and (2) perform single or multiple overwrites asynchronously after a file is deleted. In addition, much of the code can be reused to get a trash bin functionality in ext3.

We will very much appreciate your early feedback.

Thanks,
Nikolai Joukov.

*****************************************
* Ph.D. student, Stony Brook University *
* Advisor: Dr.
Erez Zadok * ***************************************** diff -NaurbB --ignore-all-space linux-2.6.15.1-orig/fs/ext3/balloc.c linux-2.6.15.1/fs/ext3/balloc.c --- linux-2.6.15.1-orig/fs/ext3/balloc.c 2006-01-15 01:16:02.000000000 -0500 +++ linux-2.6.15.1/fs/ext3/balloc.c 2006-02-03 15:01:29.000000000 -0500 @@ -492,6 +492,47 @@ return; } +#ifdef CONFIG_EXT3_FS_SECDEL +/* This overwrites file's data for secure deletion */ +int ext3_secdel_blocks(handle_t *handle, struct inode *inode, + unsigned long block, unsigned long count) +{ + int retval = 0; + int i; + struct buffer_head *bh = NULL; + struct super_block *sb; + + /* data journaling mode is not supported yet */ + if (ext3_should_journal_data(inode)) + goto out; + + sb = inode->i_sb; + + for (i = block; i < block + count; i++) { + + bh = sb_getblk(sb, i); + + lock_buffer(bh); + memset(bh->b_data, 0, bh->b_size); + unlock_buffer(bh); + + if (ext3_should_order_data(inode)) { + retval = ext3_journal_dirty_data(handle, bh); + if (retval) { + brelse(bh); + goto out; + } + } + + mark_buffer_dirty(bh); + set_buffer_jbddirty(bh); + brelse(bh); + } +out: + return retval; +} +#endif + /* Free given blocks, update quota and i_blocks field */ void ext3_free_blocks(handle_t *handle, struct inode *inode, unsigned long block, unsigned long count) @@ -504,6 +545,10 @@ printk ("ext3_free_blocks: nonexistent device"); return; } +#ifdef CONFIG_EXT3_FS_SECDEL + if (EXT3_I(inode)->i_flags & EXT3_SECRM_FL) + ext3_secdel_blocks(handle, inode, block, count); +#endif ext3_free_blocks_sb(handle, sb, block, count, &dquot_freed_blocks); if (dquot_freed_blocks) DQUOT_FREE_BLOCK(inode, dquot_freed_blocks); diff -NaurbB --ignore-all-space linux-2.6.15.1-orig/fs/Kconfig linux-2.6.15.1/fs/Kconfig --- linux-2.6.15.1-orig/fs/Kconfig 2006-01-15 01:16:02.000000000 -0500 +++ linux-2.6.15.1/fs/Kconfig 2006-01-24 15:16:04.000000000 -0500 
@@ -137,6 +137,19 @@ If you are not using a security module that requires using extended attributes for file security labels, say N. +config EXT3_FS_SECDEL + bool "Ext3 Secure Deletion" + depends on EXT3_FS + help + Secure Deletion support allows overwriting of the data and + file names on the disk after a file is deleted to prevent + further unintended recovery. + + To learn more about Secure Deletion visit the Secure Deletion + File Systems website . + + If you don't know what Secure Deletion is, say N + config JBD # CONFIG_JBD could be its own option (even modular), but until there are # other users than ext3, we will simply make it be the same as CONFIG_EXT3_FS
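Review bot: sb_getblk() inside the loop of ext3_secdel_blocks() can return NULL under memory pressure, and the result goes straight into lock_buffer() and memset(bh->b_data, ...); check for NULL and return -ENOMEM (or record and skip the block) before touching it. Two smaller points in the same hunk: the loop index `i` is a plain int while `block` and `count` are unsigned long, so on a filesystem with more than 2^31 blocks the index wraps and the wrong blocks are zeroed (declare `i` as unsigned long); and set_buffer_jbddirty() is a JBD state bit for buffers that JBD has attached to a transaction, which these buffers are not in writeback mode, so mark_buffer_dirty() (plus ext3_journal_dirty_data() in ordered mode) is all that belongs here. The early `goto out` for ext3_should_journal_data() also leaves retval at 0, so a caller cannot tell "overwritten" from "silently skipped"; returning -EOPNOTSUPP there would let ext3_free_blocks() report it. Finally, the diff was produced with -bB --ignore-all-space, which makes it hard to apply and review against the tree; please regenerate it as plain `diff -up` output.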
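Review bot: the return value of ext3_secdel_blocks() is discarded at the new call in ext3_free_blocks(), so a failed ext3_journal_dirty_data() (or the data-journaling skip inside the helper) frees the blocks without any overwrite and without any trace; at minimum log the failure with ext3_warning() so a user who set the attribute with chattr +s learns that the guarantee was not met for that file. Reusing the existing EXT3_SECRM_FL bit is a good fit, since the flag has long been accepted by ext2/ext3 and no new ioctl or attribute is needed, but the patch description should say so explicitly and note that files without the flag are unaffected.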
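Review bot: the help text says the option overwrites "the data and file names on the disk", but the cover letter states that file-name/meta-data overwriting and data=journal support are future patches, so the text overstates what this option currently does; describe only the data overwrite in writeback and ordered modes and state that data=journal is not yet covered. The sentence "visit the Secure Deletion File Systems website ." has no URL after "website", and the closing line "If you don't know what Secure Deletion is, say N" lacks its full stop; the neighbouring ext3 entries in this file close with "If unsure, say N." It would also help to mention here that nothing is overwritten unless the file carries the secure-deletion attribute (chattr +s), since a reader of Kconfig otherwise has no idea what triggers the feature.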
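The cover letter's "basic one-time overwriting" (zero the blocks that are about to be freed and make sure the zeros reach the disk before the blocks can be reused) has a user-space counterpart that shows the same ordering concern without touching the kernel. The program below is an added example, not code from the patch or from the Stony Brook group: it zero-fills an open regular file, fsyncs, then unlinks, and carries a self-check that writes a constructed "secret" string, zeroes it, reads the file back, confirms every byte is 0 and confirms the unlink. The scratch path /tmp/secdel_demo_<pid> and the names zero_fill, secure_unlink and demo_roundtrip are the example's own assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* One zero-fill pass over the open file's current contents, then fsync so
 * the zeros reach the device before the blocks can be freed and reused.
 * Returns the number of bytes overwritten, or -1 on error. */
long zero_fill(int fd)
{
    struct stat st;
    static unsigned char zeros[4096];          /* static storage: all zero */

    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode))
        return -1;
    if (lseek(fd, 0, SEEK_SET) < 0)
        return -1;

    long done = 0;
    while (done < (long)st.st_size) {
        size_t chunk = sizeof zeros;
        if ((long)st.st_size - done < (long)chunk)
            chunk = (size_t)((long)st.st_size - done);
        ssize_t n = write(fd, zeros, chunk);
        if (n <= 0)
            return -1;
        done += n;
    }
    /* Without fsync the zeros stay in the page cache; a crash, or reuse of
     * the blocks before writeback, would leave the old bytes on the platter
     * (the same ordering problem the kernel patch faces in writeback mode). */
    if (fsync(fd) < 0)
        return -1;
    return done;
}

/* Overwrite first, unlink second. Returns 0 on success, -1 on error. */
int secure_unlink(const char *path)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    long n = zero_fill(fd);
    close(fd);
    if (n < 0)
        return -1;
    return unlink(path);
}

/* Self-check used by main(): create a scratch file holding a constructed
 * secret, zero it, read it back, verify every byte is 0, delete it and
 * verify it is gone. Returns 0 when every step succeeds, a negative step
 * number otherwise. */
int demo_roundtrip(void)
{
    char path[64];
    const char secret[] = "constructed sample: secret data 12345";   /* constructed */
    unsigned char buf[sizeof secret];

    snprintf(path, sizeof path, "/tmp/secdel_demo_%ld", (long)getpid());
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    if (write(fd, secret, sizeof secret) != (ssize_t)sizeof secret) {
        close(fd); unlink(path); return -2;
    }
    if (zero_fill(fd) != (long)sizeof secret) {
        close(fd); unlink(path); return -3;
    }
    if (lseek(fd, 0, SEEK_SET) < 0 ||
        read(fd, buf, sizeof buf) != (ssize_t)sizeof buf) {
        close(fd); unlink(path); return -4;
    }
    close(fd);
    for (size_t i = 0; i < sizeof buf; i++) {
        if (buf[i] != 0) {
            unlink(path); return -5;
        }
    }
    if (secure_unlink(path) != 0)
        return -6;
    return access(path, F_OK) == 0 ? -7 : 0;   /* the file must be gone */
}

int main(void)
{
    int rc = demo_roundtrip();
    printf("secure delete round trip: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

Compile with `cc -o secdel_demo secdel_demo.c` and run it; a successful run prints "ok (0)". The same limits apply that the patch has: in data=journal mode a copy of the old contents also sits in the journal until it wraps, on a copy-on-write or log-structured store the zeros are written to fresh blocks while the original blocks stay untouched, and the directory entry (the file name) is not overwritten at all, which is exactly the meta-data work the letter defers to later patches.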