Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp991932rwb;
        Thu, 10 Nov 2022 09:46:57 -0800 (PST)
X-Google-Smtp-Source: AMsMyM7gEcM/nN9B02dXqrrI7/gABPPoLfwGa22lH65NHjXVbKb/hENsnoVhs17fMllJtx1r42SE
X-Received: by 2002:a63:586:0:b0:46f:75bb:cfc4 with SMTP id 128-20020a630586000000b0046f75bbcfc4mr2990502pgf.403.1668102416944;
        Thu, 10 Nov 2022 09:46:56 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1668102416; cv=none;
        d=google.com; s=arc-20160816;
        b=bZL6YvSNxQ8oTg0JhXBerDQ456DUXtbPrmsfUm5c7Aidclv8HD+RS95hJ0xtw/7Abg
         wV0DVFjKsgwFg8L4gBt6B/j6ZIYhQvf5jr/iqYrgeK09mKBpiJpejWmFIsEkWwoWDBSP
         s+njAex5Y2/u1yIdMhYTkWFBvwWH2ehlC6H5a/vbnJOVCBgY4vAO4yqTr3h2VUZzy+3x
         5bmRyITi4jplEz7ESwBVL5rChy59t5/X6Ciz9NnhCMQtpmzmZwInqlI9UWAQVpLcnaWN
         0XcF2jW1IWbRa7zzp0qjMsMfsIf0amOe1NowNcejiHV63PByjOzrJ8+AnfDU8V1z9wTJ
         m6bw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=SFPKDxh3aAxTZxEpFem52jYuT8SA7V/A/0d7a45/TMQ=;
        b=byzO7PK2HPR6ZL6UJloo8odg1WyE6dRPlXb6hT/GNYDe8pGjWbgijPnnXyLO2YGdHB
         krhkHXMCep5ZtQbgTtC5q0ROC8bVrqgKq7DNSECNwoL/dttxLt73lW1yHoiBFyFEvR7E
         lA0sOe/ZuXxuD1zYdpbShV0EWpip0P3W69u41LVA0KSFC/VOajGEYwlAZTGFg02KauUX
         yuvhctpPDqiMjA5KvON2uGyA8nXbLRgsqcQF2Cv5gjGOFeViXKGEd4WWe1NoNXQuMEa5
         7YrVZQQjTGynidfWFaq8JTeFU7At3Ogs4nrMk0qbf8/1cf3Cgsne52TRMapf1tkCjdgK
         ZQkA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=ZGJ1BTl9;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id y12-20020a655b4c000000b004588a5bd0bfsi21953222pgr.569.2022.11.10.09.46.44;
        Thu, 10 Nov 2022 09:46:56 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=ZGJ1BTl9;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232207AbiKJQts (ORCPT <rfc822;recursive.nomad@gmail.com>
        + 92 others); Thu, 10 Nov 2022 11:49:48 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49598 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232204AbiKJQtb (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 10 Nov 2022 11:49:31 -0500
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EF386B02
        for <linux-kernel@vger.kernel.org>; Thu, 10 Nov 2022 08:47:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1668098850;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:content-type:content-type:
         in-reply-to:in-reply-to:references:references;
        bh=SFPKDxh3aAxTZxEpFem52jYuT8SA7V/A/0d7a45/TMQ=;
        b=ZGJ1BTl9na/Ga4kQwMZH1hgCXmhD7gOSgk909rzH4rfzjTURjt499vlN6tB9yjxWXevvn9
        ZFjvnkRaD7s4CiX1a2VY5Pfa5jSPxAeQOZ73kXxhxz0INQraOSPvPUdPCO+IkYLmtsssbG
        DMeUsJzuVAjcjO3zycu454ZUYWZT5Zw=
Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com
 [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-298-_zPDFr08M0asX-5Zfbsrmw-1; Thu, 10 Nov 2022 11:47:12 -0500
X-MC-Unique: _zPDFr08M0asX-5Zfbsrmw-1
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 85ECB857F92;
        Thu, 10 Nov 2022 16:47:12 +0000 (UTC)
Received: from localhost (unknown [10.39.208.17])
        by smtp.corp.redhat.com (Postfix) with ESMTPS id 354E62166B29;
        Thu, 10 Nov 2022 16:47:11 +0000 (UTC)
Date:   Thu, 10 Nov 2022 17:47:10 +0100
From:   Niels de Vos <ndevos@redhat.com>
To:     Theodore Ts'o <tytso@mit.edu>
Cc:     linux-fscrypt@vger.kernel.org, linux-fsdevel@vger.kernel.org,
        linux-kernel@vger.kernel.org, Xiubo Li <xiubli@redhat.com>,
        Marcel Lauhoff <marcel.lauhoff@suse.com>
Subject: Re: [RFC 0/4] fs: provide per-filesystem options to disable fscrypt
Message-ID: <Y20rDl45vSmdEo3N@ndevos-x1>
References: <20221110141225.2308856-1-ndevos@redhat.com>
 <Y20a/akbY8Wcy3qg@mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Y20a/akbY8Wcy3qg@mit.edu>
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.6
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
        RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=unavailable
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Nov 10, 2022 at 10:38:37AM -0500, Theodore Ts'o wrote:
> On Thu, Nov 10, 2022 at 03:12:21PM +0100, Niels de Vos wrote:
> > While more filesystems are getting support for fscrypt, it is useful to
> > be able to disable fscrypt for a selection of filesystems, while
> > enabling it for others.
> 
> Could you say why you find it useful?  Is it because you are concerned
> about the increased binary size of a particular file system if fscrypt
> is enabled?  That hasn't been my experience, the hooks to call into
> fscrypt are small and don't add too much to any one particular file
> system; the bulk of the code is in fs/crypto.

No, this isn't really a concern. I don't think the small size difference
is worth the effort.

> Is it because people are pushing buggy code that doesn't compile if
> you enable, say, CONFIG_FS_XXX and CONFIG_FSCRYPT at the same time?

It is a little of this. Not necessarily for the compiling part, more of
a functional thing. And that is what comes next...

> Is it because a particular distribution doesn't want to support
> fscrypt with a particular file system?  If so, there have been plenty
> of file system features for say, ext4, xfs, and btrfs, which aren't
> supported by a distro, but there isn't a CONFIG_FS_XXX_YYY to disable
> that feature, nor have any distros requested such a thing --- which is
> good because it would be an explosion of new CONFIG parameters.

This is mostly why I sent this RFC. We are interested in enabling
fscrypt for CephFS (soonish) as a network filesystem, but not for local
filesystems (we recommend dm-crypt for those). The idea is that
functionality that isn't available, can also not (easily) cause
breakage.

And, there actually are options like CONFIG_EXT4_FS_POSIX_ACL and
CONFIG_EXT4_FS_SECURITY. Because these exist already, I did not expect
too much concerns with proposing a CONFIG_EXT4_FS_ENCRYPTION...

> Or is it something else?
> 
> Note that nearly all of the file systems will only enable fscrypt if
> some file system feature flag enabls it.  So I'm not sure what's the
> motivation behind adding this configuration option.  If memory serves,
> early in the fscrypt development we did have per-file system CONFIG's
> for fscrypt, but we consciously removed it, just as we no longer have
> per-file system CONFIG's to enable or disable Posix ACL's or extended
> attributes, in the name of simplifying the kernel config.

Thanks for adding some history about this. I understand that extra
options are needed while creating/tuning the filesystems. Preventing
users from setting the right options in a filesystem is not easy, even
if tools from a distribution do not offer setting the options. Disks can
be portable, or network-attached, and have options enabled that an other
distributions kernel does not (want to) support.

Note that even with the additional options, enabling only
CONFIG_FS_ENCRYPTION causes all the filesystems that support fscrypt to
have it enabled. For users there is no change, except that they now have
an option to disable fscrypt support per filesystem.

I hope this explains the intention a bit better. And as there are
existing options for many filesystems to select support for xattrs,
security or ACLs, I hope new options for (de)selecting filesystem
encryption support is not too controversial.

Thanks!
Niels