Date: Fri, 14 Dec 2018 00:17:22 -0500
From: "Theodore Y. Ts'o"
To: Christoph Hellwig
Cc: Eric Biggers, linux-fscrypt@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, Jaegeuk Kim, Victor Hsieh, Chandan Rajendra, Linus Torvalds
Subject: Re: [PATCH v2 01/12] fs-verity: add a documentation file
Message-ID: <20181214051722.GF20880@thunk.org>
References: <20181101225230.88058-1-ebiggers@kernel.org> <20181101225230.88058-2-ebiggers@kernel.org> <20181212091406.GA31723@infradead.org> <20181212202609.GA193967@gmail.com> <20181213202249.GA3797@infradead.org>
In-Reply-To: <20181213202249.GA3797@infradead.org>
List-ID: linux-kernel@vger.kernel.org

On Thu, Dec 13, 2018 at 12:22:49PM -0800, Christoph Hellwig wrote:
> On Wed, Dec 12, 2018 at 12:26:10PM -0800, Eric Biggers wrote:
> > > As this apparently got merged despite no proper reviews from VFS
> > > level persons:
> >
> > fs-verity has been out for review since August, and Cc'ed to all relevant
> > mailing lists including linux-fsdevel, linux-ext4, linux-f2fs-devel,
> > linux-fscrypt, linux-integrity, and linux-kernel.  There are tests,
> > documentation (since v2), and a userspace tool.  It's also been presented at
> > multiple conferences, and has been covered by LWN multiple times.
> > If more people want to review it, then they should do so; there's nothing
> > stopping them.
>
> But you did not get a review from someone like Al, Linus, Andrew or me,
> did you?

I don't consider fs-verity to be part of core VFS, but rather a library
that happens to be used by ext4 and f2fs.  This is much like fscrypt,
which was originally an ext4-only thing, but the code was always set up
so it could be used by other file systems, and when f2fs was interested
in using it, we moved it to fs/crypto.  As such the fscrypt code never
got a review from Al, Andrew, or you, and when I pushed it to Linus, he
accepted the pull request.  The difference this time is that ext4 and
f2fs are interested in using common code from the beginning.

> > Can you elaborate on the actual problems you think the current solution has, and
> > exactly what solution you'd prefer instead?  Keep in mind that (1) for large
> > files the Merkle tree can be gigabytes long, (2) Linux doesn't have an API for
> > file streams, and (3) when fs-verity is combined with fscrypt, it's important
> > that the hashes be encrypted, so as to not leak information about the plaintext.
>
> Given that you already use an ioctl as the interface what is the problem
> of passing this data through the ioctl?

The size of the Merkle tree is roughly size/129.  So for a 100MB file
(and there can be Android APK files that big), the Merkle tree could be
almost 800k.  That's not really a size that we would want to push
through an ioctl.  We could treat the ioctl as a write-like interface,
but using write(2) seemed to make a lot more sense.

Also, the fscrypt common code leveraged by f2fs and ext4 assumes that
the verity tree will be stored after the data blocks.  Given that the
semantics of a verity-protected file is that it is immutable, you
*could* store the Merkle tree in a separate file stream, but it really
doesn't buy you anything --- by definition, you can't append to a
fs-verity protected file.

Furthermore, it would require extra complexity in the common fsverity
code --- which looks for the Merkle tree at the end of file data --- for
no real benefit.

Cheers,

					- Ted

P.S.  And if you've purchased a Pixel 3 device, it's already using the
fsverity code, so it's quite well tested (and yes, we have xfstests).
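The tree-size argument above (a 100MB file needing close to 800k of Merkle tree), worked through as an added example that is my code, not Ted's or the fs-verity project's. It assumes a 4 KiB block size and SHA-256 digests, which the message does not state, counts the blocks each tree level occupies, and builds a small tree over constructed data to confirm the count.

```python
import hashlib
import math

BLOCK_SIZE = 4096   # assumed fs-verity block size (not stated in the message)
DIGEST_SIZE = 32    # SHA-256 digest length, also an assumption here

def merkle_level_blocks(file_size, block_size=BLOCK_SIZE, digest_size=DIGEST_SIZE):
    """Blocks occupied by each Merkle tree level, leaf level first.

    A tree block holds block_size // digest_size child digests, so with 4 KiB
    blocks and SHA-256 each level is about 1/128 the size of the one below.
    A file of at most one block needs no tree: its root is the block's hash.
    """
    hashes_per_block = block_size // digest_size
    count = math.ceil(file_size / block_size)   # digests at the current level
    levels = []
    while count > 1:
        count = math.ceil(count / hashes_per_block)
        levels.append(count)
    return levels   # 100 MiB -> [200, 2, 1]

def merkle_tree_size(file_size, block_size=BLOCK_SIZE, digest_size=DIGEST_SIZE):
    """Total bytes of Merkle tree that would follow the file data."""
    return sum(merkle_level_blocks(file_size, block_size, digest_size)) * block_size

def build_tree(data, block_size=BLOCK_SIZE):
    """Build a SHA-256 Merkle tree over data; return (root_digest, tree_bytes).

    Data and every hash level are zero-padded to whole blocks.  Levels are
    concatenated leaf level first; this shows the tree's size and root only
    and does not reproduce fs-verity's on-disk ordering of the levels.
    """
    def pad(buf):
        return buf + b"\0" * (-len(buf) % block_size)
    def hash_blocks(buf):
        buf = pad(buf)
        return [hashlib.sha256(buf[i:i + block_size]).digest()
                for i in range(0, len(buf), block_size)]
    digests = hash_blocks(data)
    tree = b""
    while len(digests) > 1:            # one pass per tree level
        level = pad(b"".join(digests))
        tree += level
        digests = hash_blocks(level)
    # Empty input yields no digests; hashing nothing is this example's own convention.
    root = digests[0] if digests else hashlib.sha256(b"").digest()
    return root, tree
```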