Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2822745imu; Sun, 23 Dec 2018 08:34:00 -0800 (PST) X-Google-Smtp-Source: ALg8bN5DMGnRSQQULShoiYZmtvcJCM7fhm2qctrJgdBnvDu+eo9p85UmKgS6ZJx7+VeOwNjqvP/s X-Received: by 2002:a63:2263:: with SMTP id t35mr9600335pgm.69.1545582840214; Sun, 23 Dec 2018 08:34:00 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1545582840; cv=none; d=google.com; s=arc-20160816; b=RG2ERN19u4rNkw3YaZ8m0qZIzIBDKSdAO0p+FTiBUFpe5n/UyBJw6ijfBylVbgk9CO UaR8EFrGEiYp4uy0w/Y9E/wtzidKt32uA+GB11MoPMQkQu3dyw8eC/njezGBgpAlJDd6 KvuyOk2swB09UhYeWcHvFLHTnReUfbwXPNWu7pTzQ/l/DbEMd63eKJqC7zoZi7qgATL6 M1v2ihw11JAgbscbH4IRyc+x8DaXANT0B2BHFld4L/ibBhl+ThT+Fl9hteXSiJT2HEm6 VB787/p7TsIhrIFwBGRmjjAXq8SPyzRVpg7tUw3A5UNP1z+7ou5S6jxF2HHz9PHCke/2 69Og== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=iEBfvz86kZnN5D1veZ6xPnnmLmS/phSyCWvqn7AGqEc=; b=Z5trWOt4ULFlK0qqvzroZe2tXjP0Kloj6MDxVw+fqH+R57nNNi1pxlUTxUCPgdWLlz 76y9AekTBp2WsbVUREbBeghEgNp4OezVostYNzQc3NY+sjL2paGLD++DtFX+fg4YWLEz 9A/CoosYa2AIc2hIw2ENpZ+DLsCq9gM4s5rfEMthrlXpvBBimk1rIgVR9mRtIZQKsiHR NGYqQ9Z2NeVgkFLqRa75YLWDjNSWfSx6bYZfgPhAb9hQSo8dd+qa9g5Ih5eRPYDG124k xDM6K9AiZWRzcuRQB6+8sQ5ihkw9Wbtyj8nI8cVdkdp/W3uwsEVm2VY/BjoGOf21kQQo q5sg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=ITYVEZ2O; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i12si24113241pgq.466.2018.12.23.08.33.44; Sun, 23 Dec 2018 08:34:00 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=ITYVEZ2O; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2392874AbeLVWro (ORCPT + 99 others); Sat, 22 Dec 2018 17:47:44 -0500 Received: from mail-lf1-f65.google.com ([209.85.167.65]:39030 "EHLO mail-lf1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388727AbeLVWrn (ORCPT ); Sat, 22 Dec 2018 17:47:43 -0500 Received: by mail-lf1-f65.google.com with SMTP id n18so6270782lfh.6 for ; Sat, 22 Dec 2018 14:47:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=iEBfvz86kZnN5D1veZ6xPnnmLmS/phSyCWvqn7AGqEc=; b=ITYVEZ2OZKdQ7vCcE+VbJ5MIZSZyFlelbu8fKUd1aUoNvd6GN9uYEQeJ0SjQ6ax1NF NY7w/EuATBvBtiVL4Bc+x/hQJsuySGidcRIMi5XvagPj4t1O5n/aG6tQXLuTsi6IT6w0 2MRye7XBYcKDRnulcNsRlS5HH28wYILShWylI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=iEBfvz86kZnN5D1veZ6xPnnmLmS/phSyCWvqn7AGqEc=; b=j5Pj89NdXNOnYmDxCeeUhfLEJOnoMOwU6gtxf/eiQS7B+2xk68ciw/VJYHJz0xqYaF eqnY2t/T1knwSlpNQK69n3uC51TakkzHfo2s9HYknvUe/i0UjapTLMGcLQ8TWvFZy+8D lvRwQ2/BeTexLqst622pS7yL0Jh3d/WaZcmV8wBxiCXmL2Pw8TGz4APqHD0SgGZ+us7v 5eXtyoLOGhmTLlaW19qBwprGGz2qJiPeCMydc1WbzSAdaRAcj8Z2XoJQ+NOmrOZsN9r5 8ktppXASCkLVQ5l3vOpjADKgNUzFDRtmzFsDEiZNr6Li8dYHWWQSIrFey9ZiJ9eMgmen Rb4g== X-Gm-Message-State: AA+aEWb7qgXMDDOIFUC9QhQ8nBtdR7dqeyu0qGDJJkDtm7p5Qx/wao+Y vmwau3mzq1+0iUZw5zH7oeI4K2y+oQ4= X-Received: by 2002:a19:7d42:: with SMTP id y63mr3879593lfc.47.1545518860850; Sat, 22 Dec 2018 14:47:40 -0800 (PST) Received: from mail-lf1-f52.google.com (mail-lf1-f52.google.com. [209.85.167.52]) by smtp.gmail.com with ESMTPSA id a2-v6sm5575975lji.13.2018.12.22.14.47.39 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 22 Dec 2018 14:47:39 -0800 (PST) Received: by mail-lf1-f52.google.com with SMTP id f23so6254992lfc.13 for ; Sat, 22 Dec 2018 14:47:39 -0800 (PST) X-Received: by 2002:a19:7013:: with SMTP id h19mr4334254lfc.147.1545518858888; Sat, 22 Dec 2018 14:47:38 -0800 (PST) MIME-Version: 1.0 References: <20181219071420.GC2628@infradead.org> <20181219021953.GD31274@dastard> <20181219193005.GB6889@mit.edu> <20181219213552.GO6311@dastard> <20181220220158.GC2360@mit.edu> <20181221070447.GA21687@infradead.org> <20181221154714.GA26547@mit.edu> <20181222041712.GC26547@mit.edu> In-Reply-To: <20181222041712.GC26547@mit.edu> From: Linus Torvalds Date: Sat, 22 Dec 2018 14:47:22 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v2 01/12] fs-verity: add a documentation file To: "Theodore Ts'o" , Christoph Hellwig , Dave Chinner , "Darrick J. Wong" , Eric Biggers , linux-fscrypt@vger.kernel.org, linux-fsdevel , linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-integrity@vger.kernel.org, Linux List Kernel Mailing , Jaegeuk Kim , Victor Hsieh , Chandan Rajendra Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Dec 21, 2018 at 8:20 PM Theodore Y. Ts'o wrote: > > On Fri, Dec 21, 2018 at 11:13:07AM -0800, Linus Torvalds wrote: > > > > In other words: either the model is that the file *itself* contains > > its own merkle tree that validates the file, or it isn't. You can't > > have it two ways. No silly "layout changes when you apply the hash" > > garbage. That's just crazy talk and invalidates the whole model. > > Userspace applications which are reading the file aren't going to be > expecting Merkle tree. For example, one of the use cases is Android > APK files, which are essentially ZIP files. ZIP files can be parsed > both from the front-end (streaming), or by looking for the complete > directory of all of the files in the ZIP file by starting at the end > of the file and moving backwards. If the Merkle tree was visible to > userspace programs that are opening and reading the file, it would > confuse them mightily. > > So what we do for ext4 and f2fs is make the Merkle tree invisible Again, this has nothing that is per-filesystem in it. If we were to decide to support the notion of "append merkle hashes to the file for validation" at the vfs layer, the same logic would apply: obviously the merkle data shouldn't be visible to user space. But that's not a reason to do it at a filesystem layer, quite the reverse: exactly like you say, as far as the *filesystem* is concerned, the data is there in the file. It's literally about the *view* of the file, ie the system call interface: > From the *file system's* perspective, > though, the metadata blocks are part of the file. To me that only argues that this all should be at the vfs layer, and that it shouldn't be the filesystem that hides it. Exactly because as far as the filesystem is concerned, the merkle data is there, it's just that we hide it at read (and stat) time. Preferably some way where it's namespace-dependent or whatever, so that you could still access the original file data from user space if you want to (eg some backup purpose or other). What I'm missing is any kind of sane explanation for why it was done so badly, and why it should be upstreamed despite the apparent bad implementation. It sounds like a complete hack. Again, to me either the point is that it's a generic extension of the file data, _or_ it's some filesystem-specific hidden data. The way you've done it and written the documentation, it's clearly a generic extension of normal file data, and I don't see what's fs-specific to it. > The problem is that xattrs are designed to be accessed via a set/get > interface, are currently limited, IIRC at 32k. The max size of an APK > is 300 megabytes; and the Merkle tree for a file that size will be > about 2.3 megabytes. That's way too big to store as an xattr; > certainly using the existing xattr interfaces. And it's also bigger > than most file systems can handle as xattrs today --- because they've > been optimzied for relatively small sizes, for things like SELinux > labels and ACL structures. So *this* kind of argument is what I'm looking for. That at least explains why it's not an xattr. Ugly, but understandable. > > So why is this sold as some unholy mess of "filesystem-specific" and > > "generic"? That part just annoys the hell out of me. Why isn't this > > sold as an *actual* generic model, where you just say "append the > > merkle tree to the file, then enable verity testing of the end result > > and validate the top-level hash". > > That was the original way it was sold, but Cristoph and Dave have > NACK'ed it in that form. That seems entirely irrelevant. What do Christoph and Dave have to do with it once it's generic? It would have _zero_ filesystem component if it's actually done in a generic manner. It would be a total no-op to XFS. Which makes me think "it wasn't actually sold as being filesystem-independent" at all. So I want to understand why this was made a filesystem operation in the first place. What's fs-specific about this implementation? Linus