Received: by 2002:a25:868d:0:0:0:0:0 with SMTP id z13csp544392ybk; Wed, 20 May 2020 06:14:41 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw7i+A8vFqA1c13/yzepvNpREbahHbvc1ID1QtcD3hnhMHp50rJOf5bevN/poJmF5uTNrYT X-Received: by 2002:a17:906:eb02:: with SMTP id mb2mr3482334ejb.507.1589980481722; Wed, 20 May 2020 06:14:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1589980481; cv=none; d=google.com; s=arc-20160816; b=d1JEOHbDUHZ+HSn6W0qLsC5lWqWCZBPSV0blA8JxBFAD7nlcmdxX5X39InTBuMYNFT 2PbYwhVAR2e7IigH4L7Vs/aRZD+aL5UwD5UdbYNf6DKa8y0bIeDAlqgvfFMTgl/1NO+H IholL+3vCK8vqH4aTRG0zIpnnrM4Z5jbm2x/g29TvM5ppJYV1M8vUrfu41wHoI3P1hc5 r3S+SR3pISEdHI6NSXsyPvH3obj1t28gU1pr0ECm5k9/SjrskDA/ZTeWQlXKlx4Afk0u wQl8WGjBE6w9uvuylDzZNskdEm8vbXYYDXebzjcX01DhYWn9DnmI4f29jnn4OtwX0cps nTUw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=Y8TUMFyPUp4SUUzhWGousKTkiYHgZPrbbsb9ip0vNqc=; b=zefl0E41L3W3dpJeCxz7oPo6aOJusMthMrITouw1MDBCzi3VqUhcnpIcT03y318qql BksCq5AOJg64ADXtImZAi5k8RxgvJVz306p3z/BIyFMObfxO12qoKJfdkVI1LTGUE5Tu kB9a3ba2oWxd34j13rR72FREZ3MkiSrWcZBxZPUqIPsKGIt3g1AF4Fy+iKdgQCLteTrd 0Oy39GhlnNbjECXMvm+YHoloc1rsQW9KkrQIxd4wMbRoSALgmk5D1ZAyksub9dhabojk 5RxlcKp1Cqd6PogVzTcTbBhriC5cqTl8LVJx/LBYczwYfDdbKQ07ZUlR1gvaM0qDGJ0e t65g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w20si1533910ejf.208.2020.05.20.06.14.09; Wed, 20 May 2020 06:14:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726754AbgETNLa (ORCPT + 99 others); Wed, 20 May 2020 09:11:30 -0400 Received: from mx2.suse.de ([195.135.220.15]:53668 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726435AbgETNLa (ORCPT ); Wed, 20 May 2020 09:11:30 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id C9140AF26; Wed, 20 May 2020 13:11:30 +0000 (UTC) Received: by quack2.suse.cz (Postfix, from userid 1000) id F00F21E126B; Wed, 20 May 2020 15:11:26 +0200 (CEST) Date: Wed, 20 May 2020 15:11:26 +0200 From: Jan Kara To: Ira Weiny Cc: Eric Biggers , linux-ext4@vger.kernel.org, Andreas Dilger , "Theodore Y. Ts'o" , Jan Kara , Al Viro , Dan Williams , Dave Chinner , Christoph Hellwig , Jeff Moyer , "Darrick J. Wong" , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH 3/9] fs/ext4: Disallow encryption if inode is DAX Message-ID: <20200520131126.GA30597@quack2.suse.cz> References: <20200513054324.2138483-1-ira.weiny@intel.com> <20200513054324.2138483-4-ira.weiny@intel.com> <20200516020253.GG1009@sol.localdomain> <20200518050315.GA3025231@iweiny-DESK2.sc.intel.com> <20200518162447.GA954@sol.localdomain> <20200520020232.GA3470571@iweiny-DESK2.sc.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200520020232.GA3470571@iweiny-DESK2.sc.intel.com> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-ext4-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org On Tue 19-05-20 19:02:33, Ira Weiny wrote: > On Mon, May 18, 2020 at 09:24:47AM -0700, Eric Biggers wrote: > > On Sun, May 17, 2020 at 10:03:15PM -0700, Ira Weiny wrote: > > First off... OMG... > > I'm seeing some possible user pitfalls which are complicating things IMO. It > probably does not matter because most users don't care and have either enabled > DAX on _every_ mount or _not_ enabled DAX on _every_ mount. And have _not_ > used verity nor encryption while using DAX. > > Verity is a bit easier because verity is not inherited and we only need to > protect against setting it if DAX is on. > > However, it can be weird for the user thusly: > > 1) mount _without_ DAX > 2) enable verity on individual inodes > 3) unmount/mount _with_ DAX > > Now the verity files are not enabled for DAX without any indication... > This is still true with my patch. But at least it closes the hole > of trying to change the DAX flag after the fact (because verity was set). > > Also both this check and the verity need to be maintained to keep the mount > option working as it was before... > > For encryption it is more complicated because encryption can be set on > directories and inherited so the IS_DAX() check does nothing while '-o > dax' is used. Therefore users can: > > 1) mount _with_ DAX > 2) enable encryption on a directory > 3) files created in that directory will not have DAX set > > And I now understand why the WARN_ON() was there... To tell users about this > craziness. Thanks for digging into this! I agree that just not setting S_DAX where other inode features disallow that is probably the best. > > > This is, AFAICS, not going to affect correctness. It will only be confusing > > > because the user will be able to set both DAX and encryption on the directory > > > but files there will only see encryption being used... :-( > > > > > > Assuming you are correct about this call path only being valid on directories. > > > It seems this IS_DAX() needs to be changed to check for EXT4_DAX_FL in > > > "fs/ext4: Introduce DAX inode flag"? Then at that point we can prevent DAX and > > > encryption on a directory. ... and at this point IS_DAX() could be removed at > > > this point in the series??? > > > > I haven't read the whole series, but if you are indeed trying to prevent a > > directory with EXT4_DAX_FL from being encrypted, then it does look like you'd > > need to check EXT4_DAX_FL, not S_DAX. > > > > The other question is what should happen when a file is created in an encrypted > > directory when the filesystem is mounted with -o dax. Actually, I think I > > missed something there. Currently (based on reading the code) the DAX flag will > > get set first, and then ext4_set_context() will see IS_DAX() && i_size == 0 and > > clear the DAX flag when setting the encrypt flag. > > I think you are correct. > > > > > So, the i_size == 0 check is actually needed. > > Your patch (AFAICS) just makes creating an encrypted file fail > > when '-o dax'. Is that intended? > > Yes that is what I intended but it is more complicated I see now. > > The intent is that IS_DAX() should _never_ be true on an encrypted or verity > file... even if -o dax is specified. Because IS_DAX() should be a result of > the inode flags being checked. The order of the setting of those flags is a > bit odd for the encrypted case. I don't really like that DAX is set then > un-set. It is convoluted but I'm not clear right now how to fix it. > > > If not, maybe you should change it to check > > S_NEW instead of i_size == 0 to make it clearer? > > The patch is completely unnecessary. > > It is much easier to make (EXT4_ENCRYPT_FL | EXT4_VERITY_FL) incompatible > with EXT4_DAX_FL when it is introduced later in the series. Furthermore > this mutual exclusion can be done on directories in the encrypt case. > Which I think will be nicer for the user if they get an error when trying > to set one when the other is set. Agreed. Honza -- Jan Kara SUSE Labs, CR