Date: Fri, 8 Nov 2019 11:35:58 -0800
From: Eric Biggers
To: walter harms
Cc: linux-man@vger.kernel.org, darrick.wong@oracle.com, dhowells@redhat.com, jaegeuk@kernel.org, linux-api@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-fscrypt@vger.kernel.org, linux-fsdevel@vger.kernel.org, tytso@mit.edu, victorhsieh@google.com
Subject: Re: [man-pages RFC PATCH] statx.2: document STATX_ATTR_VERITY
Message-ID: <20191108193557.GA12997@gmail.com>
X-Mailing-List: linux-ext4@vger.kernel.org

On Fri, Nov 08, 2019 at 09:23:04AM +0100, walter harms wrote:
>
>
> On 07.11.2019 23:02, Eric Biggers wrote:
> > From: Eric Biggers
> >
> > Document the verity attribute for statx().
> >
> > Signed-off-by: Eric Biggers
> > ---
> > man2/statx.2 | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > RFC since the kernel patches are currently under review.
> > The kernel patches can be found here:
> > https://lkml.kernel.org/linux-fscrypt/20191029204141.145309-1-ebiggers@kernel.org/T/#u
> >
> > diff --git a/man2/statx.2 b/man2/statx.2 > > index d2f1b07b8..713bd1260 100644 > > --- a/man2/statx.2 > > +++ b/man2/statx.2
> > @@ -461,6 +461,10 @@ See > > .TP > > .B STATX_ATTR_ENCRYPTED > > A key is required for the file to be encrypted by the filesystem. > > +.TP > > +.B STATX_ATTR_VERITY > > +The file has fs-verity enabled. It cannot be written to, and all reads from it > > +will be verified against a Merkle tree.
>
> Using "Merkle tree" opens a can of worms and what will happen when the method will change?
> Does it matter at all? I would suggest "filesystem" here.
>

Fundamentally, fs-verity guarantees that all data read is verified against a
cryptographic hash that covers the entire file. I think it will be helpful to
convey that here, e.g. to avoid confusion with non-cryptographic, individual
block checksums supported by filesystems like btrfs and zfs.

Now, the only sane way to implement this model is with a Merkle tree, and this
is part of the fs-verity UAPI (via the file hash), so that's where I'm coming
from here. Perhaps the phrase "Merkle tree" could be interpreted too strictly,
though, so it would be better to emphasize the more abstract model. How about
the following?:

    The file has fs-verity enabled. It cannot be written to, and all reads
    from it will be verified against a cryptographic hash that covers the
    entire file, e.g. via a Merkle tree.

- Eric
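
Review bot: In the added STATX_ATTR_VERITY entry, "all reads from it will be verified against a Merkle tree" names the mechanism but not the guarantee or the observable outcome: a reader cannot tell from this text that the check is cryptographic and covers the whole file, or what a read returns when verification fails. Suggest stating the guarantee first, as the reply proposes, and adding a clause on the failure behaviour. Style point: the second added sentence starts mid-line after "enabled."; man page source conventionally begins each sentence on a new line.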
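
To illustrate the distinction the reply draws between a cryptographic hash that covers the entire file and individual block checksums, here is an added example (not part of the original message, and not fs-verity's code or on-disk format): a simplified binary SHA-256 Merkle tree. The 4096-byte block size, the tag bytes, the zero padding node and all function names are assumptions of this sketch.

```python
import hashlib
import zlib

BLOCK = 4096          # block size picked for this sketch (assumption)
PAD = bytes(32)       # filler node for levels with an odd number of entries

def h(tag, data):
    # A one-byte tag keeps leaf hashes and interior hashes distinct.
    return hashlib.sha256(tag + data).digest()

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)] or [b""]

def build_levels(data):
    """Hash every block, then hash pairs upward until one node remains."""
    level = [h(b"\x00", b) for b in blocks(data)]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = levels[-1] = level + [PAD]
        level = [h(b"\x01", level[i] + level[i + 1])
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels          # levels[-1][0] is the hash covering the whole file

def proof(levels, index):
    """Sibling hashes needed to recompute the root from one block."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index //= 2
    return path

def verify_read(block, index, path, pinned_root):
    node = h(b"\x00", block)
    for sibling in path:
        node = h(b"\x01", node + sibling if index % 2 == 0 else sibling + node)
        index //= 2
    return node == pinned_root

def demo():
    data = b"".join(bytes([i]) * BLOCK for i in range(5))   # constructed file
    levels = build_levels(data)
    crcs = [zlib.crc32(b) for b in blocks(data)]   # stored beside the data
    pinned = levels[-1][0]                         # kept outside the storage
    changed = b"X" * BLOCK                         # block 2 altered on disk,
    crcs[2] = zlib.crc32(changed)                  # its checksum rewritten too
    path = proof(levels, 2)
    return (zlib.crc32(changed) == crcs[2],               # checksum model
            verify_read(changed, 2, path, pinned),        # whole-file hash model
            verify_read(blocks(data)[2], 2, path, pinned))
```

`demo()` returns `(True, False, True)`: the rewritten checksum accepts the altered block, while the check against the pinned root rejects it and still accepts the original block.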