Date: Sat, 25 Aug 2018 13:06:24 -0400
From: "Theodore Y. Ts'o"
To: Gao Xiang
Cc: Eric Biggers, linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Dmitry Kasatkin, Michael Halcrow, linux-kernel@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-integrity@vger.kernel.org, Mimi Zohar, Victor Hsieh
Subject: Re: [RFC PATCH 02/10] fs-verity: add data verification hooks for ->readpages()
Message-ID: <20180825170624.GB10619@thunk.org>
References: <20180824161642.1144-1-ebiggers@kernel.org> <20180824161642.1144-3-ebiggers@kernel.org> <2f2382c3-e5e9-f0da-dc89-42dfc7b2b636@huawei.com> <20180825041647.GA726@sol.localdomain> <21e86199-28a7-4693-aef5-5fc28842535c@huawei.com> <20180825071827.GD726@sol.localdomain>

On Sat, Aug 25, 2018 at 03:43:43PM +0800, Gao Xiang wrote:
> > I don't know of any plan to use fs-verity on Android's system partition or to
> > replace dm-verity on the system partition. The use cases so far have been
> > verifying files on /data, like APK files.
> >
> > So I don't think you need to support fs-verity in EROFS.
>
> Thanks for your information about fs-verity, that is quite useful for us.
> Actually, I was worrying about that these months... :)

I'll be even clearer --- I can't *imagine* any situation where it would make sense to use fs-verity on the Android system partition. Remember, for OTA to work the system image has to be bit-for-bit identical to the official golden image for that release. So the system image has to be completely locked down from any modification (to data or metadata), and that means dm-verity and *NOT* fs-verity.

The initial use of fs-verity (as you can see if you look at AOSP) will be to protect a small number of privileged APK's that are stored on the data partition. Previously, they were verified when they were downloaded, and never again.

Part of the goal which we are trying to achieve here is that even if the kernel gets compromised by a 0-day, a successful reboot should restore the system to a known state. That is, the secure bootloader checks the signature of the kernel, and then in turn, dm-verity will verify the root Merkle hash protecting the system partition, and fs-verity will protect the privileged APK's. If malware modifies any of these components in an attempt to be persistent, the modifications would be detected, and the worst it could do is to cause subsequent reboots to fail until the phone's software could be reflashed.

Cheers,

- Ted
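The per-block Merkle verification that the ->readpages() hooks in this series perform, as an added illustration that is not part of the thread or of the fs-verity code: a simplified model of the tree layout (4 KiB blocks, SHA-256, digests packed into hash blocks, no salt or descriptor), in which only the root hash is trusted and a read of any data block is checked against it through the hash blocks on its path. The names, the sample file and the zero-padding convention are this example's own assumptions.

```python
import hashlib

BLOCK_SIZE = 4096                              # fs-verity's default block size
DIGEST_SIZE = hashlib.sha256().digest_size     # 32 bytes
HASHES_PER_BLOCK = BLOCK_SIZE // DIGEST_SIZE   # 128 digests fit in one hash block

def _split(data, size):
    """Split bytes into size-byte chunks, zero-padding the last one (assumed convention)."""
    chunks = [data[i:i + size] for i in range(0, len(data), size)] or [b""]
    return [c.ljust(size, b"\0") for c in chunks]

def _h(block):
    return hashlib.sha256(block).digest()

def build_tree(data):
    """Build the hash levels bottom-up. hash_levels[0] holds the data block digests
    packed into hash blocks; each higher level holds the digests of the hash blocks
    below it, up to a single top block. Returns (root_hash, hash_levels): the root is
    the one value that must come from a trusted source (a signed descriptor in fs-verity)."""
    digests = [_h(b) for b in _split(data, BLOCK_SIZE)]
    hash_levels = []
    while True:
        hash_blocks = _split(b"".join(digests), BLOCK_SIZE)
        hash_levels.append(hash_blocks)
        if len(hash_blocks) == 1:
            return _h(hash_blocks[0]), hash_levels
        digests = [_h(hb) for hb in hash_blocks]

def verify_block(index, block, hash_levels, root):
    """Check data block `index` the way a read hook must: walk top-down from the
    trusted root, verifying each hash block on the path before trusting the digest
    it holds, then compare the data block itself. (The kernel caches hash blocks it
    has already verified; this model re-walks the whole path on every call.)"""
    expected = root
    for level in range(len(hash_levels) - 1, -1, -1):
        covered = HASHES_PER_BLOCK ** (level + 1)      # data blocks per hash block here
        hash_block = hash_levels[level][index // covered]
        if _h(hash_block) != expected:
            return False                               # tampered hash block on the path
        pos = (index // HASHES_PER_BLOCK ** level) % HASHES_PER_BLOCK
        expected = hash_block[pos * DIGEST_SIZE:(pos + 1) * DIGEST_SIZE]
    return _h(block.ljust(BLOCK_SIZE, b"\0")) == expected

# Constructed sample "file": 130 full blocks plus a short tail, so the tree needs
# two hash levels (130 leaf digests do not fit into one 4 KiB hash block).
SAMPLE = b"".join(i.to_bytes(2, "big") * (BLOCK_SIZE // 2) for i in range(130)) + b"tail"

def data_block(data, index):
    return data[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE]
```

A modified data block, a modified hash block, or a block served at the wrong index all fail verification while untouched siblings still pass, which is the detect-on-read property the reply relies on.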