Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp836918imu; Fri, 21 Dec 2018 08:09:49 -0800 (PST) X-Google-Smtp-Source: ALg8bN4bXvKrA3pdR+zadofJWWHnMn+POBoNYZ8KH4rD6INUjXhj/zguD4lBoHSb3rQHyOhyscZU X-Received: by 2002:a63:1e56:: with SMTP id p22mr2991816pgm.126.1545408589503; Fri, 21 Dec 2018 08:09:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1545408589; cv=none; d=google.com; s=arc-20160816; b=0AGOyOlLDoW3YHo9au0yuVwhtM4hc5ZO1YjGiYzJ92dg9nLZ1IFaMtRkJEcz7gpyTM 0+//amvGjIAbjCfGk3KTeLEX6L2rVAZu5tlksOUywNtDlzpTPmgPwAh1vojf4WW70kjQ yWH46HErOgiAF9NBgUV5vxhgmzIOaWOpzpBK2ZARqJtoFDvi4Ybw4YQJQK/uYqDpH0us 5I2s/MlflRRP3wbfvu96aLCUY1HXNkfm0VVpToujmriinf1l2ZAZ/vP2sXihxLAcvWBG OwCw2oKBMGPpfTJ9//ip8oDJ3WvCZNPchpeVvKKEDUljVAE6sXfZWRjiRU5njLe5vxH6 khaw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=HpmFPgcL/oiwT+yjMmeKyzPtBfee/1LoUJpUeh24xR8=; b=Fbvw1XXeExhK4eGKNo/t1zqmn3yaOGFUsCKHJwjtlw3DIK6OFTMj/5LAI/r+EXyXgL iUCFRC9LLmReg7AZaSVJMJRqf44JI2FBZKE0Og18DQd7ofvytguq9wi5SXIEzyOcMAac EiCPN5AQfEQ16qM0j33ZdEzA9b9Rw+omQ+1pgPDDQ1QtjOOfR54MjZ/m9xDtpCE36X8S y9Gp4ewiD/HsC26yziuBpl3vWJ/ka53ZSpjn8ZKduqdGtT8Q666yPN9K3Isuoy8asnJc DbiimLckP0OkndblFdoQ7DmsvU6fbswRx3BRUJlOzl/t4gh6HIIsa6s34VYq2Zdzw0xO okfw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=GxKh+3YG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d32si12770155pla.136.2018.12.21.08.09.34; Fri, 21 Dec 2018 08:09:49 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=GxKh+3YG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389382AbeLUKHB (ORCPT + 99 others); Fri, 21 Dec 2018 05:07:01 -0500 Received: from mail-wr1-f68.google.com ([209.85.221.68]:35235 "EHLO mail-wr1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731648AbeLUKHB (ORCPT ); Fri, 21 Dec 2018 05:07:01 -0500 Received: by mail-wr1-f68.google.com with SMTP id 96so4619670wrb.2; Fri, 21 Dec 2018 02:06:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=HpmFPgcL/oiwT+yjMmeKyzPtBfee/1LoUJpUeh24xR8=; b=GxKh+3YGG680fOdMY9fiUAcedv5yLCZLtTQLsKosFd1FxA8jhmzfjpwl78/5IwKjzy BqX1jbkmIEgz1IvjRXOfF9k/2J6qTtbGlQ2lwfmDktM6SjBbdVKuEi4M2zo54EJzY2O3 Mo1Lna/2JuYiSVpVHv0/3ZTeHRKKZhOVVo819qSW7Ehg42P66oMjWd1HKhORxxvWDP5a 0oq1rYRJyRRGwFHA3NkATCScIiLIoCVa12/Gg9VqijeFppkO8/Xv2FmrIMgXkzIQwMFX fxpSTlRENN4+VsnRKP24011a+zyJzeDNP8vtJZ+UDxNFEdIdzdLrWGt9qiTNgRBsDAZs 7w+w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=HpmFPgcL/oiwT+yjMmeKyzPtBfee/1LoUJpUeh24xR8=; b=F0iYqEOBR30iLe/1UJxiv6Tsz+Mf8Fu2vHy8uoPO8HJdkqfkfSM7j4VG9kelaU/IQa yGuXt7RadGzTA0aSVP4HpAYFMN970XBPNhIaFvIc7Y5PX3S7JL+cxV9wHkEDWERki7X6 egz3C0rhICwN5UY0BtmWh4sukjvzRPVIsxX05okksr4zkKx8LCh55X+/ODU1nBczm7IT 7CcgMYnI0edMwx2W2hZtO+6Ea6nGSdd7T8SAKdKDqOztbCBYUt1G6kJs/2GXZP1QEenY hTwCy7N/zXVaNwL6jxDQqCeg3TtioHCk0u7gpw0mwClgpY9d55b9G0QDjGjVQecQdC4l dT4g== X-Gm-Message-State: AJcUukedlZQqc7L64NlemUJezsXXVELtkovZOSlDAUHVKt3jIMbh1QTb 18YgN3y/0aN7bPVXhR+dmGWgb6MW3bn3BPHAolw= X-Received: by 2002:adf:ed46:: with SMTP id u6mr1942195wro.262.1545386817572; Fri, 21 Dec 2018 02:06:57 -0800 (PST) MIME-Version: 1.0 References: <20181219071420.GC2628@infradead.org> <20181219021953.GD31274@dastard> <20181219193005.GB6889@mit.edu> <20181219213552.GO6311@dastard> <20181220220158.GC2360@mit.edu> <20181221070447.GA21687@infradead.org> In-Reply-To: <20181221070447.GA21687@infradead.org> From: Richard Weinberger Date: Fri, 21 Dec 2018 11:06:45 +0100 Message-ID: Subject: Re: [PATCH v2 01/12] fs-verity: add a documentation file To: Christoph Hellwig Cc: "Theodore Y. Ts'o" , Dave Chinner , "Darrick J. Wong" , Eric Biggers , linux-fscrypt@vger.kernel.org, linux-fsdevel , linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-integrity@vger.kernel.org, LKML , Jaegeuk Kim , Victor Hsieh , Chandan Rajendra , Linus Torvalds Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Dec 21, 2018 at 9:58 AM Christoph Hellwig wrote: > > On Thu, Dec 20, 2018 at 05:01:58PM -0500, Theodore Y. Ts'o wrote: > > That's simply not true. Number one, fsverity is not mandatory for all > > file systems to implement. If XFS doesn't want to implement fscrypt > > or fsverity, it doesn't have to. Number two, we're not *making* any > > changes to the kernel code; nothing in mm/filemap.c, et. al. So > > saying that we are making changes that are impacted by /everyone/ just > > doesn't make any sense. > > Ted, I think you know yourself this isn't true. Whenever we added > useful interface to one of the major file systems we had other pick > it up, and that is a good thing because the last thing we need is > fragmentation of interfaces. And even if that wasn't the case I don't > think we should take short cuts, because even if an interface was just > for a file system or two it still needs to be properly desgined. > > There is no reason to rush interfacs in, because everytime we have done > that it has turned out to be a very bad idea in retrospective. Speaking of interfaces, one thing that needs IMHO more thought is the user facing interface. Not only in the fsverity case, in all cases. Linux has currently many different ways to implement and check (cryptographic)-integrity. Just to name a few, fsverity, UBIFS' auth feature, BTRFS csum, EVM/IMA, dm-integrity, dm-verity, ... At least for filesystems it would be good to have a common interface to query the integrity status of a file. So far we have mixture of different return codes (EPERM, EUCLEAN, EINVAL), audit events plus cryptic kernel logs. In UBIFS we return EPERM in case of an auth failure, we followed EVM/IMA. fsverity goes the EUCLEAN route, just like BTRFS for check sum failures. Before everything is set in stone, let's try to consolidate at least this. Along with that, what about the statx() interface? We have already STATX_ATTR_ENCRYPTED, why no STATX_ATTR_AUTHENTICATED? -- Thanks, //richard