From: Gao Xiang
Subject: Re: Re: [RFC PATCH 02/10] fs-verity: add data verification hooks for ->readpages()
To: "Theodore Y. Ts'o"
Cc: Eric Biggers, linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Dmitry Kasatkin, Michael Halcrow, linux-kernel@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-integrity@vger.kernel.org, Mimi Zohar, Victor Hsieh, Gao Xiang
References: <20180824161642.1144-1-ebiggers@kernel.org> <20180824161642.1144-3-ebiggers@kernel.org> <2f2382c3-e5e9-f0da-dc89-42dfc7b2b636@huawei.com> <20180825041647.GA726@sol.localdomain> <21e86199-28a7-4693-aef5-5fc28842535c@huawei.com> <20180825071827.GD726@sol.localdomain> <20180825170624.GB10619@thunk.org>
Date: Sun, 26 Aug 2018 21:44:04 +0800
In-Reply-To: <20180825170624.GB10619@thunk.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Ted,

Sorry for the late reply...

On 2018/8/26 1:06, Theodore Y. Ts'o wrote:
> On Sat, Aug 25, 2018 at 03:43:43PM +0800, Gao Xiang wrote:
>>> I don't know of any plan to use fs-verity on Android's system partition or to
>>> replace dm-verity on the system partition. The use cases so far have been
>>> verifying files on /data, like APK files.
>>>
>>> So I don't think you need to support fs-verity in EROFS.
>>
>> Thanks for your information about fs-verity, that is quite useful for us.
>> Actually, I was worrying about that these months... :)
>
> I'll be even clearer --- I can't *imagine* any situation where it
> would make sense to use fs-verity on the Android system partition.
> Remember, for OTA to work the system image has to be bit-for-bit
> identical to the official golden image for that release. So the
> system image has to be completely locked down from any modification
> (to data or metadata), and that means dm-verity and *NOT* fs-verity.

I think so mainly because of the security reason you said above.

In addition, I think it is mandatory that the Android system partition should also _never_ suffer from filesystem corruption by design (except for storage device corruption or malware), therefore I think the bit-for-bit read-only and identical-verity requirement is quite strong for Android, which will make the Android system steady and as solid as rocks. But I need to make sure my personal thoughts through this topic. :)

> The initial use of fs-verity (as you can see if you look at AOSP) will
> be to protect a small number of privileged APK's that are stored on
> the data partition. Previously, they were verified when they were
> downloaded, and never again.
>
> Part of the goal which we are trying to achieve here is that even if
> the kernel gets compromised by a 0-day, a successful reboot should
> restore the system to a known state. That is, the secure bootloader
> checks the signature of the kernel, and then in turn, dm-verity will
> verify the root Merkle hash protecting the system partition, and
> fs-verity will protect the privileged APK's. If malware modifies any of
> these components in an attempt to be persistent, the modifications
> would be detected, and the worst it could do is to cause subsequent
> reboots to fail until the phone's software could be reflashed.

Yeah, I have seen the fs-verity presentation and materials from Android bootcamp and other official channels before. Thanks for your kind and detailed explanation. :)

Best regards,
Gao Xiang

> Cheers,
>
> - Ted
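The detection property Ted describes (a pinned root Merkle hash, under which any modified block is noticed at read time) can be seen in a small model. The following is an added example written for this page, not code from the thread, from fs-verity or from dm-verity; the block size, padding rule and tree layout are simplified assumptions and do not match either project's real on-disk format. It builds a Merkle tree over the blocks of a constructed "image", derives the root hash that a verifier would pin (the kernel's dm-verity table, or fs-verity's signed file digest), and checks a single block against that root using only its sibling hashes, so a flipped bit in one block is rejected without rehashing the whole file.

```python
"""Model of block-level Merkle verification (added example, simplified)."""
import hashlib
from typing import List

BLOCK_SIZE = 8            # assumption: tiny blocks keep the example readable
DIGEST = hashlib.sha256   # SHA-256 is the default digest in both fs-verity and dm-verity


def _h(data: bytes) -> bytes:
    return DIGEST(data).digest()


def split_blocks(data: bytes) -> List[bytes]:
    """Split data into BLOCK_SIZE chunks, zero-padding the last (assumed rule)."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    if not blocks:
        blocks = [b""]
    blocks[-1] = blocks[-1].ljust(BLOCK_SIZE, b"\0")
    return blocks


def build_tree(blocks: List[bytes]) -> List[List[bytes]]:
    """Return tree levels: levels[0] = leaf hashes, levels[-1] = [root]."""
    level = [_h(b) for b in blocks]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:                 # odd count: duplicate last hash to pair it
            level = level + [level[-1]]
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def root_hash(data: bytes) -> bytes:
    """The value a verifier pins (signed digest / verity table entry)."""
    return build_tree(split_blocks(data))[-1][0]


def auth_path(levels: List[List[bytes]], index: int) -> List[bytes]:
    """Sibling hashes from leaf `index` up to, but excluding, the root."""
    path = []
    for level in levels[:-1]:
        if len(level) % 2:                 # same padding rule as build_tree
            level = level + [level[-1]]
        path.append(level[index ^ 1])
        index //= 2
    return path


def verify_block(block: bytes, index: int, path: List[bytes], root: bytes) -> bool:
    """Recompute the root from one block plus its auth path; compare to pinned root."""
    node = _h(block)
    for sibling in path:
        node = _h(sibling + node) if index & 1 else _h(node + sibling)
        index //= 2
    return node == root


def demo():
    """Constructed sample content (not a real image or APK): 43 bytes -> 6 blocks."""
    data = b"golden system image contents, block aligned"
    blocks = split_blocks(data)
    levels = build_tree(blocks)
    root = levels[-1][0]
    path = auth_path(levels, 2)
    genuine_ok = verify_block(blocks[2], 2, path, root)
    tampered = bytearray(blocks[2])
    tampered[0] ^= 0x01                    # one flipped bit, as a persistent modification would leave
    tampered_ok = verify_block(bytes(tampered), 2, path, root)
    return genuine_ok, tampered_ok         # -> (True, False)


if __name__ == "__main__":
    print(demo())
```

The per-block check is the point of the design: the verifier never trusts the tree pages themselves, only the pinned root, so a modified data block, a modified tree page, or a swapped root all fail the comparison, and an attacker cannot make a change persist without also replacing the root that the earlier, already verified stage (signed kernel, verified bootloader) vouches for.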