Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp686622ybb; Fri, 10 Apr 2020 08:06:54 -0700 (PDT) X-Google-Smtp-Source: APiQypKCDDbPHWcvvzs+s/QuVMiQ2j1bPn9VNw6gmFmKRmMG2IeyzRM6OjuS2+UiOOMYK9fZiGD4 X-Received: by 2002:a0c:8d44:: with SMTP id s4mr5530999qvb.168.1586531214246; Fri, 10 Apr 2020 08:06:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1586531214; cv=none; d=google.com; s=arc-20160816; b=ZZpq7mgbdxZ3duQAaoufV3tGh3JXYgONf3TL2DOjxjNhSHG88SZahvyKr2as68VFpj RPC5ApHi+6DBzMkoSry5GnqukDnTBr+DknN7J7leXKCSuwEKFHxxDziX6W+HrNMpRgCo ecHjbMy49jULuL8zxhdoetX0kiMuay5r449vhG+Yu9zWnQdasOxYrdymo2jUtfJV2RD5 vglkjsu30Iv/IMwAdk/GZFN9xPJxXpzL3RYsexc+JomQXIixlOEXjzCxwCQf6rqDdXOi zTKgAuSXQ7lh0+h//GmKXo0TlwQ3O7y/dK9N6tTPl5bUi/PCLHJvXwnDiqkyAi9VHcYL bsjQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=8ui5nmN+R1RMwUVOu67CEYKuNuwsZTIYRm+H7Orh5A0=; b=jo3v7plzQ2dNMefsf92Hx1Cym6Td3W9TSxKN45DQw+Krq58liV8YX74H7M0x/EJLRf aX8jnnPC713XfXDTbzm1SGGY6jI6mdlU5+jh9/QWO71hEaLSChAqi8pIQhN6je8zoiyx Df8ZRSio45nEWgRc+l0Q7m6BfGwQh9eJvtaq6cQs9zNwR7tL2bH3xrwZBdByIuoiPwzR zHjUqJrjbl3ZLdX15wu1/AI5EWzmC9g2oCCFXl/yV+6IqnZIW2zmhPyZIndcW9y4Hss6 SByPSfW+rOwRLqmCkwJTwfWezaDPwSHnyh59m8mjYc9xhQ9tH1jg62SxtTdekZlaHztm 47nw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d24si1242960qto.220.2020.04.10.08.06.23; Fri, 10 Apr 2020 08:06:54 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726049AbgDJPGK (ORCPT + 99 others); Fri, 10 Apr 2020 11:06:10 -0400 Received: from outgoing-auth-1.mit.edu ([18.9.28.11]:46095 "EHLO outgoing.mit.edu" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726009AbgDJPGK (ORCPT ); Fri, 10 Apr 2020 11:06:10 -0400 Received: from callcc.thunk.org (pool-72-93-95-157.bstnma.fios.verizon.net [72.93.95.157]) (authenticated bits=0) (User authenticated as tytso@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 03AF646E026127 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 10 Apr 2020 11:06:04 -0400 Received: by callcc.thunk.org (Postfix, from userid 15806) id 37A8942013D; Fri, 10 Apr 2020 11:06:04 -0400 (EDT) Date: Fri, 10 Apr 2020 11:06:04 -0400 From: "Theodore Y. Ts'o" To: Andreas Dilger Cc: Eric Biggers , linux-ext4 , linux-fscrypt@vger.kernel.org Subject: Re: [PATCH 1/4] tune2fs: prevent changing UUID of fs with stable_inodes feature Message-ID: <20200410150604.GN45598@mit.edu> References: <20200401203239.163679-1-ebiggers@kernel.org> <20200401203239.163679-2-ebiggers@kernel.org> <20200407053213.GC102437@sol.localdomain> <74B95427-9FB1-4DF8-BE75-CE099EA3A9A3@dilger.ca> <20200408031149.GA852@sol.localdomain> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: linux-ext4-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org On Fri, Apr 10, 2020 at 05:53:54AM -0600, Andreas Dilger wrote: > > Actually, I think the opposite is true here. To avoid usability problems, > users *have* to change the UUID of a cloned/snapshot filesystem to avoid > problems with mount-by-UUID (e.g. either filesystem may be mounted randomly > on each boot, depending on the device enumeration order). However, if they > try to change the UUID, that would immediately break all of the encrypted > files in the filesystem, so that means with the stable_inode feature either: > - a snapshot/clone of a filesystem may subtly break your system, or > - you can't keep a snapshot/clone of such a filesystem on the same node I don't think there is any reason why we would use IV_INO_LBLK_64 mode on anything other than tablet/mobile devices using the latest UFS or eMMC standards which support in-line crypto engines (ICE). I'm not aware of any cloud VM's, private or public, which supports ICE. And even if they did, hopefully they would use something more sane than the UFS/eMMC spec, which only supports 64 bits of IV per I/O request, and only support a small number of keys that can be loaded into the hardware. (This is what you get when you are optimizing Bill of Materials costs down to a tenth of a cent; a million devices here, retail store profit margins there, and before you know it you're talking real money...) Furthermore, on an modern x86_64, you can do AES encryption at less than a cycle per CPU clock cycle, and in cloud VM's, battery life is not a concern, so there really isn't any reason to use or implement ICE, except maybe as a testing vehicle for fscrypt (e.g., someone wanting to implement UFS 2.1 in qemu to make it easier to test the Linux kernel's ICE support). - Ted