Message-ID: <1552491394.3022.8.camel@HansenPartnership.com>
Subject: Re: overlayfs vs. fscrypt
From: James Bottomley
To: Theodore Ts'o, Amir Goldstein
Cc: Richard Weinberger, Miklos Szeredi, linux-fsdevel, linux-fscrypt@vger.kernel.org, overlayfs, linux-kernel, Paul Lawrence
Date: Wed, 13 Mar 2019 08:36:34 -0700
In-Reply-To: <20190313151633.GA672@mit.edu>
References: <4603533.ZIfxmiEf7K@blindfold> <1854703.ve7plDhYWt@blindfold> <4066872.KGdO14EQMx@blindfold> <20190313151633.GA672@mit.edu>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 2019-03-13 at 11:16 -0400, Theodore Ts'o wrote:
> So before we talk about how to make things work from a technical
> perspective, we should consider what the use case happens to be, and
> what are the security requirements. *Why* are we trying to use the
> combination of overlayfs and fscrypt, and what are the security
> properties we are trying to provide to someone who is relying on this
> combination?

I can give one: encrypted containers:

https://github.com/opencontainers/image-spec/issues/747

The current proposal imagines that the key would be delivered to the
physical node and the physical node containerd would decrypt all the
layers before handing them off to the kubelet. However, one could
imagine a slightly more secure use case where the layers were
constructed as an encrypted filesystem tar and so the key would go into
the kernel and the layers would be constructed with encryption in place
using fscrypt.

Most of the desired security properties are in image at rest but one
can imagine that the running image wants some protection against
containment breaches by other tenants and using fscrypt could provide
that.

James
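The second design in the reply above (the layer key goes into the kernel and the layer is unpacked into a directory that is already under fscrypt, rather than being decrypted by containerd in userspace) as an added example. It is not code from this thread, from containerd or from the kernel tree: it is a small tool that hands a raw layer key to the kernel, sets a v2 fscrypt policy on the still-empty layer directory, checks that the directory really is bound to that key's identifier, and only then unpacks the layer tarball into it, so the layer's bytes reach the disk encrypted from the first write. Assumptions: Linux 5.4 or later (v2 policies and FS_IOC_ADD_ENCRYPTION_KEY did not exist when this mail was written in March 2019, when only v1 keyring-descriptor policies were available), a filesystem with the encrypt feature enabled, CAP_SYS_ADMIN for the policy ioctl, the 64-byte raw key supplied on stdin, and placeholder paths on the command line. The struct layouts and ioctl numbers are copied from the kernel UAPI header <linux/fscrypt.h> and redeclared so the file builds without it.

```c
/* Added example (not from the thread or containerd): stage one image layer
 * as an fscrypt-encrypted directory. Assumes Linux >= 5.4 (v2 policies),
 * a filesystem with the encrypt feature, and CAP_SYS_ADMIN for the policy
 * ioctl. Struct layouts and ioctl numbers are copied from the kernel UAPI
 * header <linux/fscrypt.h> and redeclared so the file builds without it. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

#define ID_SIZE 16                          /* FSCRYPT_KEY_IDENTIFIER_SIZE */
#define RAW_KEY_SIZE 64                     /* AES-256-XTS master key */
#define FSCRYPT_POLICY_V2 2
#define FSCRYPT_MODE_AES_256_XTS 1          /* file contents */
#define FSCRYPT_MODE_AES_256_CTS 4          /* file names */
#define FSCRYPT_POLICY_FLAGS_PAD_32 0x03
#define FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER 2

struct fscrypt_policy_v1 {                  /* only fixes the ioctl's size */
	uint8_t version, contents_encryption_mode, filenames_encryption_mode, flags;
	uint8_t master_key_descriptor[8];
};
struct fscrypt_policy_v2 {
	uint8_t version, contents_encryption_mode, filenames_encryption_mode, flags;
	uint8_t reserved[4], master_key_identifier[ID_SIZE];
};
struct fscrypt_key_specifier {
	uint32_t type, reserved;
	union { uint8_t reserved[32]; uint8_t identifier[ID_SIZE]; } u;
};
struct fscrypt_add_key_arg {                /* followed by raw_size key bytes */
	struct fscrypt_key_specifier key_spec;
	uint32_t raw_size, key_id, reserved[8];
	uint8_t raw[];
};
struct fscrypt_get_policy_ex_arg {
	uint64_t policy_size;
	union { uint8_t version; struct fscrypt_policy_v2 v2; } policy;
};
#define FS_IOC_SET_ENCRYPTION_POLICY    _IOR('f', 19, struct fscrypt_policy_v1)
#define FS_IOC_GET_ENCRYPTION_POLICY_EX _IOWR('f', 22, uint8_t[9])
#define FS_IOC_ADD_ENCRYPTION_KEY       _IOWR('f', 23, struct fscrypt_add_key_arg)

static void scrub(void *p, size_t n) { volatile uint8_t *v = p; while (n--) *v++ = 0; }

/* Per-layer policy: AES-256-XTS contents, AES-256-CTS names, 32-byte name
 * padding, bound to the key identifier the kernel handed back. */
int build_layer_policy(struct fscrypt_policy_v2 *p, const uint8_t id[ID_SIZE])
{
	if (!p || !id) return -1;
	memset(p, 0, sizeof *p);
	p->version = FSCRYPT_POLICY_V2;
	p->contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS;
	p->filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS;
	p->flags = FSCRYPT_POLICY_FLAGS_PAD_32;
	memcpy(p->master_key_identifier, id, ID_SIZE);
	return 0;
}

/* 1 if the policy is v2 and bound to exactly this key, else 0. */
int policy_uses_key(const struct fscrypt_policy_v2 *p, const uint8_t id[ID_SIZE])
{
	return p && id && p->version == FSCRYPT_POLICY_V2 &&
	       memcmp(p->master_key_identifier, id, ID_SIZE) == 0;
}

/* Hand the raw key to the kernel for the filesystem holding fs_fd. The kernel
 * derives the 16-byte identifier (HKDF of the key) into id_out; the same key
 * always yields the same identifier, so directories can be checked against it. */
int add_layer_key(int fs_fd, const uint8_t *raw, size_t raw_len, uint8_t id_out[ID_SIZE])
{
	struct fscrypt_add_key_arg *arg = calloc(1, sizeof *arg + raw_len);
	int rc;
	if (!arg) return -1;
	arg->key_spec.type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER;
	arg->raw_size = (uint32_t)raw_len;
	memcpy(arg->raw, raw, raw_len);
	rc = ioctl(fs_fd, FS_IOC_ADD_ENCRYPTION_KEY, arg);
	if (rc == 0) memcpy(id_out, arg->key_spec.u.identifier, ID_SIZE);
	scrub(arg, sizeof *arg + raw_len);      /* the key now lives in the kernel */
	free(arg);
	return rc;
}

/* Apply the policy to an empty directory (the kernel refuses non-empty ones). */
int seal_layer_dir(int dir_fd, const uint8_t id[ID_SIZE])
{
	struct fscrypt_policy_v2 p;
	if (build_layer_policy(&p, id) < 0) return -1;
	return ioctl(dir_fd, FS_IOC_SET_ENCRYPTION_POLICY, &p);
}

/* 1 if dir_fd carries a v2 policy for this key, 0 if it is unencrypted or bound
 * to another key, -1 on error. Checked before unpacking: an unencrypted or
 * wrongly-keyed directory would silently leak the layer in the clear. */
int layer_dir_is_sealed(int dir_fd, const uint8_t id[ID_SIZE])
{
	struct fscrypt_get_policy_ex_arg arg;
	memset(&arg, 0, sizeof arg);
	arg.policy_size = sizeof arg.policy;
	if (ioctl(dir_fd, FS_IOC_GET_ENCRYPTION_POLICY_EX, &arg) < 0)
		return errno == ENODATA ? 0 : -1;
	return policy_uses_key(&arg.policy.v2, id);
}

int main(int argc, char **argv)
{
	uint8_t raw[RAW_KEY_SIZE], id[ID_SIZE];
	int fs_fd, dir_fd;
	if (argc != 4) {
		fprintf(stderr, "usage: %s <mountpoint> <empty-layer-dir> <layer.tar> < rawkey\n", argv[0]);
		return 2;
	}
	if (fread(raw, 1, sizeof raw, stdin) != sizeof raw) { fputs("need 64 key bytes on stdin\n", stderr); return 2; }
	fs_fd = open(argv[1], O_RDONLY | O_DIRECTORY);
	dir_fd = open(argv[2], O_RDONLY | O_DIRECTORY);
	if (fs_fd < 0 || dir_fd < 0) { perror("open"); return 1; }
	if (add_layer_key(fs_fd, raw, sizeof raw, id) < 0) { perror("FS_IOC_ADD_ENCRYPTION_KEY"); return 1; }
	scrub(raw, sizeof raw);
	if (seal_layer_dir(dir_fd, id) < 0) { perror("FS_IOC_SET_ENCRYPTION_POLICY"); return 1; }
	if (layer_dir_is_sealed(dir_fd, id) != 1) { fputs("layer dir not bound to layer key\n", stderr); return 1; }
	/* Everything tar creates below the sealed directory inherits the policy. */
	execlp("tar", "tar", "-xpf", argv[3], "-C", argv[2], (char *)NULL);
	perror("execlp tar");
	return 1;
}
```

The identifier check is the part worth keeping even if the rest is replaced by the fscrypt userspace tools: it ties a layer directory to one specific key, which is the per-tenant property the reply is after. It is also the limit of that property: once the key has been added, the kernel serves plaintext to any process that can reach the directory, so cross-tenant protection at runtime still rests on ordinary access control around the directory and on removing the key (FS_IOC_REMOVE_ENCRYPTION_KEY) when the layer is torn down; the at-rest property is what fscrypt gives unconditionally.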