From: Richard Weinberger
To: Theodore Ts'o
Cc: Eric Biggers, linux-mtd@lists.infradead.org, linux-fscrypt@vger.kernel.org, jaegeuk@kernel.org, linux-unionfs@vger.kernel.org, miklos@szeredi.hu, amir73il@gmail.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, paullawrence@google.com
Subject: Re: [PATCH 4/4] ubifs: Implement new mount option, fscrypt_key_required
Date: Fri, 15 Mar 2019 08:48:10 +0100
Message-ID: <3651600.xvQHXhhOD0@blindfold>
In-Reply-To: <20190314230702.GE6482@mit.edu>
References: <1957441.Hty6t2mpXG@blindfold> <20190314230702.GE6482@mit.edu>

Ted,

On Friday, 15 March 2019, 00:07:02 CET, Theodore Ts'o wrote:
> Richard --- stepping back for a moment, in your use case, are you
> assuming that the encryption key is always going to be present while
> the system is running?

It is not a hard requirement, it is something that is common on embedded
systems that utilize UBIFS and fscrypt.

> Ubifs can't use dm-crypt, since it doesn't have a block device, but if
> you could, is much more like dm-crypt, in that you have the key
> *before* the file system is mounted, and you don't really expect the
> key to ever be expunged from the system while it is mounted?
>
> If that's true, maybe the real mismatch is in using fscrypt in the
> first place --- and in fact, something where you encrypt everything,
> including the file system metadata (ala dm-crypt), would actually give
> you much better security properties.

Well, fscrypt was chosen as UBIFS encryption backend because per-file
encryption with derived keys makes a lot of sense.
Also the implementation was not super hard, David and I weren't keen to
reinvent dm-crypt für UBI/MTD.

That said, I'm happy with fscrypt, it works well in production.
But not being able to use UBIFS as lower dir on overlayfs hurts.
On embedded systems where the key is always present the proposed hack
works fine.
If we can get overlayfs to work without that I'll be more than happy.

Thanks,
//richard