Received: by 2002:a05:6358:f14:b0:e5:3b68:ec04 with SMTP id b20csp1099166rwj;
        Fri, 23 Dec 2022 12:37:53 -0800 (PST)
X-Google-Smtp-Source: AMrXdXs2O8KP3VVH5168oQweGPv3gik9sS7Xq+4JeyWUvJLLMdkTw0SibEjfssaeFHqCjWRYdpuo
X-Received: by 2002:a17:906:6a0f:b0:812:d53e:1222 with SMTP id qw15-20020a1709066a0f00b00812d53e1222mr11253277ejc.31.1671827872881;
        Fri, 23 Dec 2022 12:37:52 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1671827872; cv=none;
        d=google.com; s=arc-20160816;
        b=PSSbpdvQxJNiwnz94xcAX2FaPb+bkt8C6EMdbGqK2YscripLybZnnkWLfSkKpeSgjs
         sITqEwY7/0mES9mx3RFYgZQOBdJa9pPfH/FiA6i1Wr3j+R1FDFBrlIFeuI1v0L/Lq5Qx
         5hxn1WnVx3+kzW01QK10ao2SDhKrEIe0cQogGvKAtUmmfjifbfJKCgZ7cOYoWk/PYD6U
         tvIQx0mteTW3OpboZhIM798fKeujUzNSWfzvW5HNryaqj/3dmZmsztxPfH8owoElU9SF
         Ta+Yd0/J6FqP4TJu0HQoHoRDOTicHjeO5QtlJ8ojaQFu6QNoJzVQLe0DF8IrmNhRvMCO
         8c4A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=8wiQPotQZ2G9Fw66RPEDxqUP+lv8gEWdFUv8fhYg5rM=;
        b=v7JduaiQSzapCcVEa5XsVzkZcwnsz9btz/dh6mnW8bg1DRdj3jwtouFQdP5uNdsFQ/
         yJYzYpo0yvnkiPR6pbpDhLnRdAnj89l9Kz16Dk1NUUSPMJdKWKAIlOrrDzUle5q34dOt
         Ur+Ubm1v7/MOQcGM5/adQDzsnvl7GXGHUbk1NAVZ0U2IXeJHypG6zWikpDIF9dRUIjiz
         d4yfDn3nZI/9O0dCKSU9uTk+FdovfuRwgiCTmNiMC0UgeLoNPKWTXyw8kmHVk8me6bFP
         APIzHuiIlo18hgHHVaguGRIvLBxXxgfe+3LOMEUJGOr1SsXx3NlPG4WgBjWISiRYdlwM
         EjXg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=B7Cu5MHw;
       spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-ext4-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id ho30-20020a1709070e9e00b007be97d37b29si3662639ejc.104.2022.12.23.12.37.24;
        Fri, 23 Dec 2022 12:37:52 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=B7Cu5MHw;
       spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232706AbiLWUhA (ORCPT <rfc822;aminbrickmover@gmail.com>
        + 99 others); Fri, 23 Dec 2022 15:37:00 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56414 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232555AbiLWUg6 (ORCPT
        <rfc822;linux-ext4@vger.kernel.org>); Fri, 23 Dec 2022 15:36:58 -0500
Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 15F581D307;
        Fri, 23 Dec 2022 12:36:56 -0800 (PST)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id 95C8861D28;
        Fri, 23 Dec 2022 20:36:56 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id C1111C433D2;
        Fri, 23 Dec 2022 20:36:55 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1671827816;
        bh=kuHoLDiwzIWt/yosaiuNbL76iPgmKQeB3oMrh4p5xhg=;
        h=From:To:Cc:Subject:Date:From;
        b=B7Cu5MHwFXyHpkWZYORJe5npw6Jrf1ax1VKcHSg3IFIcJDzGR9a97Ncit2dNZPAIn
         zchceSAsxgUW9LWZwY+Qs21W42THfLhyb73HWKYCQMD6C3nyrNmv03p6rEqIKff2vX
         rGocAZ5zYfyRKsGNeRx5kmBn6OpsxJaxvfI0pqee3hx1HNdZXebmxhO1m0ANxY9Osp
         w/RSqDNgQw3oGnoM8VKaM1pEOZnyb0VQUtFSgmrbPXZ4DFlh6cLeHnmzpgqJ0IJS7e
         oHfsWT1U3jch+XCx3vCHk3VC1pQueY3KEUpgWxfGU6DxWmkttz2NYAqCwQeIyJzmL0
         RCxP/GM9U3Qmg==
From:   Eric Biggers <ebiggers@kernel.org>
To:     linux-fscrypt@vger.kernel.org
Cc:     linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org,
        linux-f2fs-devel@lists.sourceforge.net,
        linux-btrfs@vger.kernel.org, linux-xfs@vger.kernel.org,
        Andrey Albershteyn <aalbersh@redhat.com>
Subject: [PATCH v2 00/11] fsverity: support for non-4K pages
Date:   Fri, 23 Dec 2022 12:36:27 -0800
Message-Id: <20221223203638.41293-1-ebiggers@kernel.org>
X-Mailer: git-send-email 2.39.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-4.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS,SUSPICIOUS_RECIPS autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-ext4.vger.kernel.org>
X-Mailing-List: linux-ext4@vger.kernel.org

[This patchset applies to mainline + some fsverity cleanups I sent out
 recently.  You can get everything from tag "fsverity-non4k-v2" of
 https://git.kernel.org/pub/scm/fs/fscrypt/fscrypt.git ]

Currently, filesystems (ext4, f2fs, and btrfs) only support fsverity
when the Merkle tree block size, filesystem block size, and page size
are all the same.  In practice that means 4K, since increasing the page
size, e.g. to 16K, forces the Merkle tree block size and filesystem
block size to be increased accordingly.  That can be impractical; for
one, users want the same file signatures to work on all systems.

Therefore, this patchset reduces the coupling between these sizes.

First, patches 1-4 are cleanups.

Second, patches 5-9 allow the Merkle tree block size to be less than the
page size or filesystem block size, provided that it's not larger than
either one.  This involves, among other things, changing the way that
fs/verity/verify.c tracks which hash blocks have been verified.

Finally, patches 10-11 make ext4 support fsverity when the filesystem
block size is less than the page size.  Note, f2fs doesn't need similar
changes because f2fs always assumes that the filesystem block size and
page size are the same anyway.  I haven't looked into btrfs yet.

I've tested this patchset using the "verity" group of tests in xfstests
with the following xfstests patchset applied:
"[PATCH v2 00/10] xfstests: update verity tests for non-4K block and page size"
(https://lore.kernel.org/fstests/20221223010554.281679-1-ebiggers@kernel.org/T/#u)

Note: on the thread "[RFC PATCH 00/11] fs-verity support for XFS"
(https://lore.kernel.org/linux-xfs/20221213172935.680971-1-aalbersh@redhat.com/T/#u)
there have been many requests for other things to support, including:

  * folios in the pagecache
  * alternative Merkle tree caching methods
  * direct I/O
  * merkle_tree_block_size > page_size
  * extremely large files, using a reclaimable bitmap

We shouldn't try to boil the ocean, though, so to keep the scope of this
patchset manageable I haven't changed it significantly from v1.  This
patchset does bring us closer to many of the above, just not all the way
there.  I'd like to follow up this patchset with a change to support
folios, which should be straightforward.  Next, we can do a change to
generalize the Merkle tree interface to allow XFS to use an alternative
caching method, as that sounds like the highest priority item for XFS.

Anyway, the changelog is:

Changed in v2:
   - Rebased onto the recent fsverity cleanups.
   - Split some parts of the big "support verification" patch into
     separate patches.
   - Passed the data_pos to verify_data_block() instead of computing it
     using page->index, to make it ready for folio and DIO support.
   - Eliminated some unnecessary arithmetic in verify_data_block().
   - Changed the log_* fields in merkle_tree_params to u8.
   - Restored PageLocked and !PageUptodate checks for pagecache pages.
   - Eliminated the change to fsverity_hash_buffer().
   - Other small cleanups

Eric Biggers (11):
  fsverity: use unsigned long for level_start
  fsverity: simplify Merkle tree readahead size calculation
  fsverity: store log2(digest_size) precomputed
  fsverity: use EFBIG for file too large to enable verity
  fsverity: replace fsverity_hash_page() with fsverity_hash_block()
  fsverity: support verification with tree block size < PAGE_SIZE
  fsverity: support enabling with tree block size < PAGE_SIZE
  ext4: simplify ext4_readpage_limit()
  f2fs: simplify f2fs_readpage_limit()
  fs/buffer.c: support fsverity in block_read_full_folio()
  ext4: allow verity with fs block size < PAGE_SIZE

 Documentation/filesystems/fsverity.rst |  76 +++---
 fs/buffer.c                            |  67 ++++-
 fs/ext4/readpage.c                     |   3 +-
 fs/ext4/super.c                        |   5 -
 fs/f2fs/data.c                         |   3 +-
 fs/verity/enable.c                     | 260 ++++++++++----------
 fs/verity/fsverity_private.h           |  20 +-
 fs/verity/hash_algs.c                  |  24 +-
 fs/verity/open.c                       |  98 ++++++--
 fs/verity/verify.c                     | 325 +++++++++++++++++--------
 include/linux/fsverity.h               |  14 +-
 11 files changed, 565 insertions(+), 330 deletions(-)

-- 
2.39.0