Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp4030889ybb; Mon, 6 Apr 2020 22:32:36 -0700 (PDT) X-Google-Smtp-Source: APiQypKktfupVqV9d3uMinDGdLM/niniTrC8JNmxFsNyhZYhsbSShSTHWRZTqPXQWFkYqO3ZhYjJ X-Received: by 2002:a9d:6ad9:: with SMTP id m25mr255600otq.160.1586237556382; Mon, 06 Apr 2020 22:32:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1586237556; cv=none; d=google.com; s=arc-20160816; b=Qsi7fyZam0X3hW8a85PEyMUJEsMrhbgSGZw7VyjZklEwbsXS+p+Z4YuGlQwcRRdSsi GSJUW888mxK790xmAijrqzibODkA6t+XHbzOinwHlNGjne5OEWLo+VG3z1ibM6p6GQR3 EumiSLuU6RzB9/Mo5m5go0DlEhsUhJ2WIe6SsgbiwACcM7N0BUQjHnN4ihyHKMVb5Ks6 TfW2F7EPIWyrvxCv9saXyCr3aiDP3Mw7kDY3xXnzTKAhE40QvnKfhvI3HysTHaoR2h7O Ts1/x740S8b0Y5L30qhlAGRW5HHzZLmR1SafSq7Vpd/LNdeJWrKoS2cYVXcKxxDzFAtS AuhQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=CwGjuP/YayE0Hcq5h6PDtAh9UnqgQ/HrIdiuRi0u478=; b=wBKOV7TGwi0PIKamfj4g1yMNtJCtfxO+UNEL5kdmEE7tNR9aE0YcaVUZ80zsJDB1Bg T+1YNgvZ6E2GByQUV0gpgAvHPgOpRYnu7hKrvL/XAwxqqPP43bMdxVDdcUhfwbkP3QAr MNO5jcOhhBr0TSzk3IGO1MSoJxspn4HywmplVHaDh9+2lty6gihF11crhGEy9g2+kDi5 PADjV8Avs87wLxZEWhhzpDm56S1uSTSXuUTHEPtOhIvpeiU0AYtEefehwqAFa7yk38SY AOhQgA1fWowv4xd2WUe/hT1ypumdLtjuz9oJ/eJ4hqVKIcdEvndOGRibLz1f22DBT/h8 KN8A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="Ow/+Go8p"; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h59si737661oth.233.2020.04.06.22.32.22; Mon, 06 Apr 2020 22:32:36 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="Ow/+Go8p"; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726030AbgDGFcP (ORCPT + 99 others); Tue, 7 Apr 2020 01:32:15 -0400 Received: from mail.kernel.org ([198.145.29.99]:43036 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725802AbgDGFcP (ORCPT ); Tue, 7 Apr 2020 01:32:15 -0400 Received: from sol.localdomain (c-107-3-166-239.hsd1.ca.comcast.net [107.3.166.239]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C9B3720692; Tue, 7 Apr 2020 05:32:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1586237534; bh=DHYXASYcZ8yXq73Zg/kE/PSoOS4WftRp2BixKT9v1FA=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=Ow/+Go8p0vo9JlC9GYiA0TiX59HqsUqAzdVFilUCK68/rcSIr9P/7Vv/41TsUw308 dAbTEM86GrY6RndcCytF4FWwx8Ja2flgj70XQQahDkBMhvCu5nA2CvDiGVWAhHrSwz Xe7kUKPugiT61JMeku/AAB5hK2V8jRJgH4MWVLtk= Date: Mon, 6 Apr 2020 22:32:13 -0700 From: Eric Biggers To: Andreas Dilger Cc: linux-ext4 , linux-fscrypt@vger.kernel.org Subject: Re: [PATCH 1/4] tune2fs: prevent changing UUID of fs with stable_inodes feature Message-ID: <20200407053213.GC102437@sol.localdomain> References: <20200401203239.163679-1-ebiggers@kernel.org> <20200401203239.163679-2-ebiggers@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: linux-ext4-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org On Wed, Apr 01, 2020 at 08:19:38PM -0600, Andreas Dilger wrote: > On Apr 1, 2020, at 2:32 PM, Eric Biggers wrote: > > > > From: Eric Biggers > > > > The stable_inodes feature is intended to indicate that it's safe to use > > IV_INO_LBLK_64 encryption policies, where the encryption depends on the > > inode numbers and thus filesystem shrinking is not allowed. However > > since inode numbers are not unique across filesystems, the encryption > > also depends on the filesystem UUID, and I missed that there is a > > supported way to change the filesystem UUID (tune2fs -U). > > > > So, make 'tune2fs -U' report an error if stable_inodes is set. > > > > We could add a separate stable_uuid feature flag, but it seems unlikely > > it would be useful enough on its own to warrant another flag. > > What about having tune2fs walk the inode table checking for any inodes that > have this flag, and only refusing to clear the flag if it finds any? That > takes some time on very large filesystems, but since inode table reading is > linear it is reasonable on most filesystems. > I assume you meant to make this comment on patch 2, "tune2fs: prevent stable_inodes feature from being cleared"? It's a good suggestion, but it also applies equally to the encrypt, verity, extents, and ea_inode features. Currently tune2fs can't clear any of these, since any inode might be using them. Note that it would actually be slightly harder to implement your suggestion for stable_inodes than those four existing features, since clearing stable_inodes would require reading xattrs rather than just the inode flags. So if I have time, I can certainly look into allowing tune2fs to clear the encrypt, verity, extents, stable_inodes, and ea_inode features, by doing an inode table scan to verify that it's safe. IMO it doesn't make sense to hold up this patch on it, though. This patch just makes stable_inodes work like other ext4 features. - Eric