Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp1358055pxb; Sun, 11 Apr 2021 17:04:01 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz6bFbeuONzLNEVHYU3pTrsAkugWGhCMbxX8VY/ojSDC/TeYbxCtLZ6UgBakC8fxt8giJ7w X-Received: by 2002:a05:6402:254c:: with SMTP id l12mr26456780edb.119.1618185841587; Sun, 11 Apr 2021 17:04:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1618185841; cv=none; d=google.com; s=arc-20160816; b=myjH3fbktdV3WNEfiKL9+vt3pLxRr0RytkEObftDSn0K4KRVAUrluukc5kGbLBKalI M9adw4SWKNXofD/1QXVK/9pPTz3UxiypagwU5+An2AAhOijnefMELtLMJdB3IkVyOJFt MC+q2dz827Liqzw7PbYMMWHcypKakTSPggyGKNJobD4V9At9Kw3r/vJVqGIsnhxN02RH aGqFagUMrl0ajOZx1a/OMuEKz/l3im8NpaXUImk6UOs4w0peFXdLFdQLJ6X6qvp7W7gD IR2CNOkKqyyg4YnM3NbHbmSwKcl3V5ZYk9EyS+d7OMZvm3jPbtwn0JdwiktGoqTK5DxE JK1A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=yv6nOaJpVTJ8mSpDGTj9VKQlWGgQ9uOJHEcTieMSJWE=; b=Jmdn7D8xOdbdB9m7BPYxix4ws5yQhedQ1SsZXgukQEX6U3X/DgyE++SzqrW6XPgJfE J6NbYBlAfxSZIQJ3S3lPQ9BtS+Qb3r/lzSU3aaC+MfNV3UcTG4hney5vDKSuFFZiEZKd sbNgtHNnQxoRBho0PMxVA46p1nh563khQaZmrPCCos9SbZvwTYemoVNYnhGuuL6379Ys OqMmnGOkfY7IWylA0q6rv811rK928Kuqi39+IJ773D3YUjsFdkMY+s3Xzb76q8gKtes7 B/rdNnDhKcTt0S5ioh6jzvKZXgVf68LTOGv/W9XTKh4EmUfIsXmqTUOwvMTtjfimstYn XHhA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h4si6962652ede.481.2021.04.11.17.03.32; Sun, 11 Apr 2021 17:04:01 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235466AbhDKXi6 (ORCPT + 99 others); Sun, 11 Apr 2021 19:38:58 -0400 Received: from mail108.syd.optusnet.com.au ([211.29.132.59]:56257 "EHLO mail108.syd.optusnet.com.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235229AbhDKXi6 (ORCPT ); Sun, 11 Apr 2021 19:38:58 -0400 Received: from dread.disaster.area (pa49-181-239-12.pa.nsw.optusnet.com.au [49.181.239.12]) by mail108.syd.optusnet.com.au (Postfix) with ESMTPS id BC4801AEC4C; Mon, 12 Apr 2021 09:38:39 +1000 (AEST) Received: from dave by dread.disaster.area with local (Exim 4.92.3) (envelope-from ) id 1lVjf4-003gwC-PB; Mon, 12 Apr 2021 09:38:38 +1000 Date: Mon, 12 Apr 2021 09:38:38 +1000 From: Dave Chinner To: Theodore Ts'o Cc: "Darrick J. Wong" , Eric Biggers , Leah Rumancik , linux-ext4@vger.kernel.org Subject: Re: [PATCH v2 1/2] ext4: wipe filename upon file deletion Message-ID: <20210411233838.GO1990290@dread.disaster.area> References: <20210407154202.1527941-1-leah.rumancik@gmail.com> <20210407154202.1527941-2-leah.rumancik@gmail.com> <20210408052155.GK1990290@dread.disaster.area> <20210409000207.GJ22091@magnolia> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Optus-CM-Score: 0 X-Optus-CM-Analysis: v=2.3 cv=Tu+Yewfh c=1 sm=1 tr=0 cx=a_idp_f a=gO82wUwQTSpaJfP49aMSow==:117 a=gO82wUwQTSpaJfP49aMSow==:17 a=kj9zAlcOel0A:10 a=3YhXtTcJ-WEA:10 a=7-415B0cAAAA:8 a=Zwx9kvhYuoj3QZT2xbMA:9 a=CjuIK1q_8ugA:10 a=biEYGPWJfzWAr4FL6Ov7:22 Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org On Thu, Apr 08, 2021 at 10:51:09PM -0400, Theodore Ts'o wrote: > On Thu, Apr 08, 2021 at 05:02:07PM -0700, Darrick J. Wong wrote: > > > In the ideal world, sure, all or most of them would agree that they > > > *shouldn't* be storing any kind of PII at rest unencrypted, but they > > > can't be sure, and so from the perspective of keeping their audit and > > > I/T compliance committees happy, this requirement is desirable from a > > > "belt and suspenders" perspective. > > > > > > > This seems like a better fit for FITRIM than anything else. > > > > > > > > Ooohh. We sure do suck at APIs, don't we? FITRIM has no flags field, > > > > so we can't extend that. > > > > > > I don't have any serious objections to defining FITRIM2; OTOH, for > > > > Er, are we talking about the directory name wiping, or the journal > > discarding? > > Sorry, I was talking about journal wiping. The conflation is because > the reason why we want to wipe the journal is because of the directory > names in the journal, so the two are very much connected for our use > case, but yes, directory names in directories is very from directory > names in the journal. > > We don't actually need any kind of interface for wiping names in > directories, since it doesn't cost us anything to unconditionally wipe > the directory entries as opposed to just setting the inode number to > zero. > > > I didn't think it was any more difficult than changing xfs_removename to > > zero out the name and ftype fields at the same time it adds the whiteout > > to the dirent. But TBH I haven't thought through this too deeply. > > > > I /do/ think that if you ever want to add "secure" deletion to XFS, I'd > > want to do it by implementing FS_SECRM_FL for XFS, and not by adding > > more mount options. > > The original meaning of FS_SECRM_FL was that the data blocks would be > zero'ed --- when the inode was deleted. Sure, if discard is Good Enough(tm) for the journal, then we just treat this flag like "-o discard" was enabled for this file. Let the hardware do the "zeroing" in the background once we mark the extent as free. And if the hardware supports secure erase in place of discard, then even better. In the case of XFS, if we are to implement this directory entry zeroing then we actually need to discard the directory blocks. We may elide writeback of the directory block altogether if it is removed from the directory entirely between journal checkpoints. In that situation, we just write a whiteout for the block to the journal (we cancel the buffer) and we never actually write that buffer's contents to disk as it has been marked free by the journal commit. And, similarly short form directories aren't in blocks and can't be discarded, and we can elide inode writeback in the case where the inode clusters are freed. Hence zeroing dirents held inline in the inodes are not guaranteed to hit the disk, either. So we'd need to discard inode clusters as well. IOWs, we can do "rm -rf" of a directory with tens of thousands of entries, and the only thing that ends up hitting stable storage is a few hundred buffer invalidations in the journal. They remain unmodified in free space after the journal commit. This is why I said "good luck" to fixing XFS not to leak directory entries to disk. It's a pretty major undertaking to audit, fix and verify all the paths that remove directory entries to ensure that we do not leak dirent names anywhere. And I haven't even touched on PII in extended attributes :/ Cheers, Dave. -- Dave Chinner david@fromorbit.com