Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp4582046imu; Tue, 18 Dec 2018 18:26:06 -0800 (PST) X-Google-Smtp-Source: AFSGD/VZP5LLEsVJjL5Xx4um5slFT/TznXecMFlIgvoiNXVpQHs4Ac7+PZWCWQL9OfNxl+dPIbGr X-Received: by 2002:a17:902:a6:: with SMTP id a35mr18633651pla.201.1545186366320; Tue, 18 Dec 2018 18:26:06 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1545186366; cv=none; d=google.com; s=arc-20160816; b=SfDznn6meISXmkkbg73U97QvjxaXpT/rV422sKVXJDIKupaOcXf0GHuvch+Z9S5kKS E3RrFuuE4lrP4KAoSLaD9EageXftedc2nbAWhWCB8NrJoGoZNNUb5qpriSYLutoErLuE WaKuH7I0/0hjvfyF9IO1NVDbPMw0e/g6y8wzqsSKPnvVcsEVTnI5zjmH/0EztyefzTrd rOA6DIqGkXgCVuU2CmO0IwMr6g6/83YYTHpoTZgIUhsZFA47vy6argdFX2vF7UNMN/FO 3M1WznU351uNmrS0pyJ4dVw15KnMHREUCMQLirb5M3mPe/w8QAjn7KYD4L1aIDRW8+DG oBvw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:to :from:date; bh=GDRCAHWidp6SS4FAYxHm1AHhECFtm9sCimnkvOUAvvI=; b=qf73WSVH2HLbnXFqtSxm5qAVnuYzk3PiyjUeUuubHePwFyw9UdXXXdPnvmW/khB5xS hBVEHlqlGDlQDw/5zXdw1GO5QB/ojkFejMRXGUee312gudHl93F4K/0Cv7g3ruK1j4b8 AwpJ6+e9qT7FQuMGm2CIA3RTsvx3TY1RjaODNIwCO7OkpbABdYgoGw593MFMUQJoEcsr dpPYcDsIExxhayNfxBr2txSvy9B7pwtcdQx8Owt/0bQY1kHH8nGi9zccAa2eRQBJaSE+ oXDxyKGPh2Q0Z1ZgNoSsi2DY9F3Z+WY8kkZ3mw2SeucL+5pOxUctaZqwv4qsieEWAMHr ZQVA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o11si14152681pll.160.2018.12.18.18.25.50; Tue, 18 Dec 2018 18:26:06 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727236AbeLSCUG (ORCPT + 99 others); Tue, 18 Dec 2018 21:20:06 -0500 Received: from ipmail01.adl6.internode.on.net ([150.101.137.136]:10775 "EHLO ipmail01.adl6.internode.on.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726744AbeLSCUF (ORCPT ); Tue, 18 Dec 2018 21:20:05 -0500 Received: from ppp59-167-129-252.static.internode.on.net (HELO dastard) ([59.167.129.252]) by ipmail01.adl6.internode.on.net with ESMTP; 19 Dec 2018 12:49:55 +1030 Received: from dave by dastard with local (Exim 4.80) (envelope-from ) id 1gZRSj-00015j-H4; Wed, 19 Dec 2018 13:19:53 +1100 Date: Wed, 19 Dec 2018 13:19:53 +1100 From: Dave Chinner To: "Theodore Y. Ts'o" , "Darrick J. Wong" , Eric Biggers , Christoph Hellwig , linux-fscrypt@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, Jaegeuk Kim , Victor Hsieh , Chandan Rajendra , Linus Torvalds Subject: Re: [PATCH v2 01/12] fs-verity: add a documentation file Message-ID: <20181219021953.GD31274@dastard> References: <20181101225230.88058-1-ebiggers@kernel.org> <20181101225230.88058-2-ebiggers@kernel.org> <20181212091406.GA31723@infradead.org> <20181212202609.GA193967@gmail.com> <20181213202249.GA3797@infradead.org> <20181214044802.GA681@sol.localdomain> <20181217200039.GD8111@magnolia> <20181219001603.GD25775@mit.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20181219001603.GD25775@mit.edu> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Dec 18, 2018 at 07:16:03PM -0500, Theodore Y. Ts'o wrote: > On Mon, Dec 17, 2018 at 12:00:39PM -0800, Darrick J. Wong wrote: > > FWIW, if I were (hypothetically) working on an xfs implementation, I > > likely would have settled on passing a reference to a merkle tree > > through a (fd, length) pair, because that allows us plenty of options > > on the back end: > > > > b) we could remap the tree into a new inode fork for merkle trees, or > > a) remap it as posteof blocks like ext4/f2fs does, or > > c) remap the blocks into the attribute fork as an (unusually large) > > extended attribute value. > > Sure, but what would be the benefit of doing different things on the > back end? I think this is a really more of a philophical objection > than anything else. Putting metadata in user files beyond EOF doesn't work with XFS's post-EOF speculative allocation algorithms. i.e. Filesystem design/algorithms often assume that the region beyond EOF in user files is a write-only region. e.g. We can allow extents beyond EOF to be uninitialised because they are in a write only region of the file and so there's no possibility of stale data exposure. Unfortunately, putting filesystem/security metadata beyond EOF breaks these assumptions - it's no longer a write-only region. IOWs, all these existing assumptions and implementation details are exposed to a new attack surface involving tricking the filesystem into thinking it has readable data beyond EOF. And because it can now read from the "write only" region beyond EOF (because that's the mechanism by which fsverity does it's verification) we no longer have a clear line of protection against exposing such data to userspace. Putting the merkel tree somewhere else in the filesystem metadata and providing a separate API to manipulate it avoids this problem. It allows filesystems to keep their internal metadata and security-related verification information in a separate channel (and trust path) that is completely out of user data/access scope. Cheers, Dave. -- Dave Chinner david@fromorbit.com