From: "Darrick J. Wong" <djwong@kernel.org>
To: Christoph Hellwig <hch@lst.de>
Cc: Andrey Albershteyn <aalbersh@redhat.com>,
linux-xfs@vger.kernel.org, david@fromorbit.com,
Andrey Albershteyn <aalbersh@kernel.org>
Subject: Re: [RFC] Directly mapped xattr data & fs-verity
Date: Thu, 9 Jan 2025 09:03:56 -0800 [thread overview]
Message-ID: <20250109170356.GN1387004@frogsfrogsfrogs> (raw)
In-Reply-To: <20250109074403.GA18326@lst.de>
On Thu, Jan 09, 2025 at 08:44:03AM +0100, Christoph Hellwig wrote:
> On Wed, Jan 08, 2025 at 11:39:08PM -0800, Darrick J. Wong wrote:
> > > >
> > > > Maybe we can used it for $HANDWAVE is not a good idea.
> > >
> > > > Hash based verification works poorly for mutable files, so we'd
> > > > rather have a really good argument for that.
> > >
> > > hmm, why? Not sure I have an understanding of this
> >
> > Me neither. I can see how you might design file data block checksumming
> > to be basically an array of u32 crc[nblocks][2]. Then if you turned on
> > stable folios for writeback, the folio contents can't change so you can
> > compute the checksum of the new data, run a transaction to set
> > crc[nblock][0] to the old checksum; crc[nblock][1] to the new checksum;
> > and only then issue the writeback bio.
>
> Are you (plural) talking about hash based integrity protection ala
> fsverity or checksums. While they look similar in some way those are
> totally different things! If we're talking about "simple" data
> checksums both post-EOF data blocks and xattrs are really badly wrong,
> as the checksum need to be assigned with the physical block due to
> reflinks, not the file. The natural way to implement them for XFS
> if we really wanted them would be a new per-AG/RTG metabtree that
> is indexed by the agblock/rgblock.
Agreed. For simple things like crc32 I would very much rather we stuff
them in a per-group btree because we only have to store the crc once in
the filesystem and now it protects all owners of that block. In theory
the double-crc scheme would work fine for untorn data block writes, I
think.
I only see a reason for per-file hash structures in the dabtree if the
hashes themselves have some sort of per-file configuration (like
distributor-signed merkle trees or whatever). I asked Eric Biggers if
he had any plans for mutable fsverity files and he said no.
> > But I don't think that works if you crash. At least one of the
> > checksums might be right if the device doesn't tear the write, but that
> > gets us tangled up in the untorn block writes patches. If the device
> > does not guarantee untorn writes, then you probably have to do it the
> > way the other checksumming fses do it -- write to a new location, then
> > run a transaction to store the checksum and update the file mapping.
>
> Yes. That's why for data checksums you'd always need to either write
> out of place (as with the pending zoned allocator) or work with intent /
> intent done items. That's assuming you can't offload the atomicy to the
> device by uisng T10 PI or at least per-block metadata that stores the
> checksum. Which would also remove the need for any new file system
> data struture, but require enterprise hardware that supports PI or
> metadata.
<nod>
--D
next prev parent reply other threads:[~2025-01-09 17:03 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-29 13:33 [RFC] Directly mapped xattr data & fs-verity Andrey Albershteyn
2024-12-29 13:35 ` [PATCH] xfs: direct mapped xattrs design documentation Andrey Albershteyn
2025-01-07 1:41 ` Darrick J. Wong
2025-01-07 10:24 ` Andrey Albershteyn
2024-12-29 13:36 ` [PATCH 0/2] Introduce iomap interface to work with regions beyond EOF Andrey Albershteyn
2024-12-29 13:36 ` [PATCH 1/2] iomap: add iomap_writepages_unbound() to write " Andrey Albershteyn
2024-12-29 17:54 ` kernel test robot
2024-12-29 21:36 ` kernel test robot
2024-12-29 13:36 ` [PATCH 2/2] iomap: introduce iomap_read/write_region interface Andrey Albershteyn
2024-12-29 13:38 ` [PATCH 00/14] Direct mapped extended attribute data Andrey Albershteyn
2024-12-29 13:38 ` [PATCH 01/14] iomap: add wrapper to pass readpage_ctx to read path Andrey Albershteyn
2024-12-29 13:38 ` [PATCH 02/14] iomap: add read path ioends for filesystem read verification Andrey Albershteyn
2024-12-29 13:38 ` [PATCH 03/14] iomap: introduce IOMAP_F_NO_MERGE for non-mergable ioends Andrey Albershteyn
2024-12-29 13:38 ` [PATCH 04/14] xfs: add incompat directly mapped xattr flag Andrey Albershteyn
2024-12-29 13:38 ` [PATCH 05/14] libxfs: add xfs_calc_chsum() Andrey Albershteyn
2024-12-29 13:38 ` [PATCH 06/14] libxfs: pass xfs_sb to xfs_attr3_leaf_name_remote() Andrey Albershteyn
2024-12-29 13:38 ` [PATCH 07/14] xfs: introduce XFS_DA_OP_EMPTY Andrey Albershteyn
2024-12-29 13:38 ` [PATCH 08/14] xfs: introduce workqueue for post read processing Andrey Albershteyn
2024-12-29 13:38 ` [PATCH 09/14] xfs: add interface to set CRC on leaf attributes Andrey Albershteyn
2024-12-29 13:38 ` [PATCH 10/14] xfs: introduce XFS_ATTRUPDATE_FLAGS operation Andrey Albershteyn
2024-12-29 13:38 ` [PATCH 11/14] xfs: add interface for page cache mapped remote xattrs Andrey Albershteyn
2024-12-29 13:38 ` [PATCH 12/14] xfs: parse both remote attr name on-disk formats Andrey Albershteyn
2024-12-29 13:38 ` [PATCH 13/14] xfs: do not use xfs_attr3_rmt_hdr for remote value blocks for dxattr Andrey Albershteyn
2024-12-29 13:38 ` [PATCH 14/14] xfs: enalbe XFS_SB_FEAT_INCOMPAT_DXATTR Andrey Albershteyn
2024-12-29 13:39 ` [PATCH 00/24] fsverity integration for XFS based on direct mapped xattrs Andrey Albershteyn
2024-12-29 13:39 ` [PATCH 01/24] fs: add FS_XFLAG_VERITY for verity files Andrey Albershteyn
2024-12-29 13:39 ` [PATCH 02/24] fsverity: pass tree_blocksize to end_enable_verity() Andrey Albershteyn
2024-12-29 13:39 ` [PATCH 03/24] fsverity: add tracepoints Andrey Albershteyn
2024-12-29 13:39 ` [PATCH 04/24] fsverity: pass the new tree size and block size to ->begin_enable_verity Andrey Albershteyn
2024-12-29 13:39 ` [PATCH 05/24] fsverity: expose merkle tree geometry to callers Andrey Albershteyn
2024-12-29 13:39 ` [PATCH 06/24] fsverity: report validation errors back to the filesystem Andrey Albershteyn
2024-12-29 13:39 ` [PATCH 07/24] fsverity: flush pagecache before enabling verity Andrey Albershteyn
2024-12-29 13:39 ` [PATCH 08/24] iomap: integrate fs-verity verification into iomap's read path Andrey Albershteyn
2024-12-29 13:39 ` [PATCH 09/24] xfs: use an empty transaction to protect xfs_attr_get from deadlocks Andrey Albershteyn
2024-12-29 13:39 ` [PATCH 10/24] xfs: don't let xfs_bmap_first_unused overflow a xfs_dablk_t Andrey Albershteyn
2024-12-29 13:39 ` [PATCH 11/24] xfs: add attribute type for fs-verity Andrey Albershteyn
2024-12-29 13:39 ` [PATCH 12/24] xfs: add fs-verity ro-compat flag Andrey Albershteyn
2024-12-29 13:39 ` [PATCH 13/24] xfs: add inode on-disk VERITY flag Andrey Albershteyn
2024-12-29 13:39 ` [PATCH 14/24] xfs: initialize fs-verity on file open and cleanup on inode destruction Andrey Albershteyn
2024-12-29 13:39 ` [PATCH 15/24] xfs: don't allow to enable DAX on fs-verity sealed inode Andrey Albershteyn
2024-12-29 13:39 ` [PATCH 16/24] xfs: disable direct read path for fs-verity files Andrey Albershteyn
2024-12-29 13:39 ` [PATCH 17/24] xfs: add fs-verity support Andrey Albershteyn
2024-12-29 13:39 ` [PATCH 18/24] xfs: add writeback page mapping for fs-verity Andrey Albershteyn
2024-12-29 13:39 ` [PATCH 19/24] xfs: use merkle tree offset as attr hash Andrey Albershteyn
2024-12-29 13:39 ` [PATCH 20/24] xfs: add fs-verity ioctls Andrey Albershteyn
2024-12-29 13:39 ` [PATCH 21/24] xfs: advertise fs-verity being available on filesystem Andrey Albershteyn
2024-12-29 13:39 ` [PATCH 22/24] xfs: check and repair the verity inode flag state Andrey Albershteyn
2024-12-29 13:39 ` [PATCH 23/24] xfs: report verity failures through the health system Andrey Albershteyn
2024-12-29 13:39 ` [PATCH 24/24] xfs: enable ro-compat fs-verity flag Andrey Albershteyn
2025-01-06 15:42 ` [RFC] Directly mapped xattr data & fs-verity Christoph Hellwig
2025-01-06 19:50 ` Darrick J. Wong
2025-01-06 20:56 ` Andrey Albershteyn
2025-01-07 16:50 ` Christoph Hellwig
2025-01-08 9:20 ` Andrey Albershteyn
2025-01-09 6:12 ` Christoph Hellwig
2025-01-09 7:39 ` Darrick J. Wong
2025-01-09 7:44 ` Christoph Hellwig
2025-01-09 17:03 ` Darrick J. Wong [this message]
2025-01-13 9:16 ` Andrey Albershteyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250109170356.GN1387004@frogsfrogsfrogs \
--to=djwong@kernel.org \
--cc=aalbersh@kernel.org \
--cc=aalbersh@redhat.com \
--cc=david@fromorbit.com \
--cc=hch@lst.de \
--cc=linux-xfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox