Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp337248rwl;
        Tue, 11 Apr 2023 19:39:16 -0700 (PDT)
X-Google-Smtp-Source: AKy350axTQo5og1u0CMf1fGhXflPAPhXOIw+8BVYjUniDyejZB68VW8yLemoNwOw20wtLcrXM3kF
X-Received: by 2002:a17:906:2c14:b0:8b8:c06e:52d8 with SMTP id e20-20020a1709062c1400b008b8c06e52d8mr537376ejh.36.1681267156403;
        Tue, 11 Apr 2023 19:39:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1681267156; cv=none;
        d=google.com; s=arc-20160816;
        b=vix0tqU8ofwH3B181gnbknufAqHkfl6ZFzrtELcWMC8f+dZ2ZR/TKTW16WgmoXnA0E
         SIwa+d4K8Q10e1XLNXnofkfIL1hbOkfXyV66fpkv+ZZrUu0uJIv40zZUu3++UoKq8BH2
         XS4NCXepSku3esHzw1nNBos9kknoit1uNTtxsFwpFDZWFEIVrJ2Phqp0yiN6QeGYMErc
         s4BEMm+DPX0B9Z9UkWxLW5TsUwzVHREiA/S6E774i1N4thNiJ0WZIPqB983Ed+k/PAHu
         niIbJ9kKmtbFY8f7k9rCefVKr5Rn+bF5XLD5txLts9dyepFVY+AV0BY01n064vUAb8Ym
         M9sw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=M7cvxi4mXz5zjzi4JIBZ0G/0ou83kWE466Fx7kWGv6I=;
        b=Qy14dqFMAKIgPy9AMZP6LUvkIJDghVDU6pfjvK1FiM11L3Zcad+EVfrJbgo11isS1K
         Rz7pCk16tjvZsrkFvKjCUZhzKpntjNJHA5GAcAgtz5L+7JHpeiZDQd2cR8D8yQOCcKxs
         mbOr4vkjM5flf74bP61PKMUKm6hg8W85F12+96xHVXJfd9x3XDwEhvZMvfGnevSdxdUc
         VZ1L8uOcxl4I6HqlRdXA5cF1BRDY1Ded07jx1fYgADlSk/DN5o3RYVTy78ZrhA4DKw12
         df/+ZNlZGatrvYnyJ3CAA8NCPeuyIPifEDZSavIAomGcxw7HRfzP6VYkxtw9Nof5eIw7
         Gmwg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=ICEWpWIH;
       spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-ext4-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id s10-20020a1709066c8a00b0094a8b7dca8dsi2003230ejr.468.2023.04.11.19.38.50;
        Tue, 11 Apr 2023 19:39:16 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=ICEWpWIH;
       spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229551AbjDLCdY (ORCPT <rfc822;hamilton.enfield28@gmail.com>
        + 99 others); Tue, 11 Apr 2023 22:33:24 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41592 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229469AbjDLCdX (ORCPT
        <rfc822;linux-ext4@vger.kernel.org>); Tue, 11 Apr 2023 22:33:23 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 88C41172B;
        Tue, 11 Apr 2023 19:33:22 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id 257C561C99;
        Wed, 12 Apr 2023 02:33:22 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0F370C433D2;
        Wed, 12 Apr 2023 02:33:21 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1681266801;
        bh=uWYRkl4H5QxQQyKZRkipfJYb8JT+WBT0+Wf0sQwa8R4=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=ICEWpWIHfCvZctrTa23zt5ow0V8NDHh2F1i00eVdXSsHwgqMLrkRT/XlEYlKmjHDc
         19nDnI8fLxzFqlz2xC7lWzBe/z+FLZQp9I6XnZMJNnBuVmGr4gIcbNqsErYoKb0m7p
         sxQgr5EWBTLQtP3m6ZbcVg4DVMLneqkbV0LUwwpej+ysbJ8GM6GOmxaIXmht+TVLM5
         8AoJUx4LJxeAkTKLmK+QxNTrCOzWSGGlTQai0S4osbYt1lIObyZ+GefEjAWZe5ts/v
         1DVrYg2TcXMS5rnXRentQX9hoIWFgOeiZNMnlongYGP1HyqIKramwdoHwdF+582obz
         FYYaJGFJaqEvg==
Date:   Tue, 11 Apr 2023 19:33:19 -0700
From:   Eric Biggers <ebiggers@kernel.org>
To:     Christoph Hellwig <hch@infradead.org>
Cc:     Andrey Albershteyn <aalbersh@redhat.com>, djwong@kernel.org,
        dchinner@redhat.com, linux-xfs@vger.kernel.org,
        fsverity@lists.linux.dev, rpeterso@redhat.com, agruenba@redhat.com,
        xiang@kernel.org, chao@kernel.org,
        damien.lemoal@opensource.wdc.com, jth@kernel.org,
        linux-erofs@lists.ozlabs.org, linux-btrfs@vger.kernel.org,
        linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net,
        cluster-devel@redhat.com
Subject: Re: [PATCH v2 00/23] fs-verity support for XFS
Message-ID: <20230412023319.GA5105@sol.localdomain>
References: <20230404145319.2057051-1-aalbersh@redhat.com>
 <ZDTt8jSdG72/UnXi@infradead.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <ZDTt8jSdG72/UnXi@infradead.org>
X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,
        SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-ext4.vger.kernel.org>
X-Mailing-List: linux-ext4@vger.kernel.org

On Mon, Apr 10, 2023 at 10:19:46PM -0700, Christoph Hellwig wrote:
> Dave is going to hate me for this, but..
> 
> I've been looking over some of the interfaces here, and I'm starting
> to very seriously questioning the design decisions of storing the
> fsverity hashes in xattrs.
> 
> Yes, storing them beyond i_size in the file is a bit of a hack, but
> it allows to reuse a lot of the existing infrastructure, and much
> of fsverity is based around it.  So storing them in an xattrs causes
> a lot of churn in the interface.  And the XFS side with special
> casing xattr indices also seems not exactly nice.

It seems it's really just the Merkle tree caching interface that is causing
problems, as it's currently too closely tied to the page cache?  That is just an
implementation detail that could be reworked along the lines of what is being
discussed.

But anyway, it is up to the XFS folks.  Keep in mind there is also the option of
doing what btrfs is doing, where it stores the Merkle tree separately from the
file data stream, but caches it past i_size in the page cache at runtime.

I guess there is also the issue of encryption, which hasn't come up yet since
we're talking about fsverity support only.  The Merkle tree (including the
fsverity_descriptor) is supposed to be encrypted, just like the file contents
are.  Having it be stored after the file contents accomplishes that easily...
Of course, it doesn't have to be that way; a separate key could be derived, or
the Merkle tree blocks could be encrypted with the file contents key using
indices past i_size, without them physically being stored in the data stream.

- Eric