From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id F08F2C433F5 for ; Mon, 15 Nov 2021 08:49:44 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id A2A6163213 for ; Mon, 15 Nov 2021 08:49:44 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org A2A6163213 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=huawei.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org Received: by kanga.kvack.org (Postfix) id 407476B007E; Mon, 15 Nov 2021 03:49:44 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 3B78C6B0080; Mon, 15 Nov 2021 03:49:44 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 2A63D6B0081; Mon, 15 Nov 2021 03:49:44 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0004.hostedemail.com [216.40.44.4]) by kanga.kvack.org (Postfix) with ESMTP id 1A3BC6B007E for ; Mon, 15 Nov 2021 03:49:44 -0500 (EST) Received: from smtpin04.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay01.hostedemail.com (Postfix) with ESMTP id CBBF2180C853A for ; Mon, 15 Nov 2021 08:49:43 +0000 (UTC) X-FDA: 78810541446.04.1E8A7DC Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) by imf17.hostedemail.com (Postfix) with ESMTP id 3A242F0003A3 for ; Mon, 15 Nov 2021 08:49:43 +0000 (UTC) Received: from fraeml714-chm.china.huawei.com (unknown [172.18.147.207]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4Ht2pc5G6Tz67qYR; Mon, 15 Nov 2021 16:46:00 +0800 (CST) Received: from fraeml714-chm.china.huawei.com (10.206.15.33) by fraeml714-chm.china.huawei.com (10.206.15.33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.20; Mon, 15 Nov 2021 09:49:41 +0100 Received: from fraeml714-chm.china.huawei.com ([10.206.15.33]) by fraeml714-chm.china.huawei.com ([10.206.15.33]) with mapi id 15.01.2308.020; Mon, 15 Nov 2021 09:49:41 +0100 From: Roberto Sassu To: Eric Biggers CC: "tytso@mit.edu" , "corbet@lwn.net" , "viro@zeniv.linux.org.uk" , "hughd@google.com" , "akpm@linux-foundation.org" , "linux-fscrypt@vger.kernel.org" , "linux-doc@vger.kernel.org" , "linux-fsdevel@vger.kernel.org" , "linux-mm@kvack.org" , "linux-integrity@vger.kernel.org" , "linux-kernel@vger.kernel.org" Subject: RE: [RFC][PATCH 5/5] shmem: Add fsverity support Thread-Topic: [RFC][PATCH 5/5] shmem: Add fsverity support Thread-Index: AQHX18M/qVU4RXchik23Vn+neZuDEKwAMhaAgAQN/bA= Date: Mon, 15 Nov 2021 08:49:41 +0000 Message-ID: <6adb6da30b734213942f976745c456f6@huawei.com> References: <20211112124411.1948809-1-roberto.sassu@huawei.com> <20211112124411.1948809-6-roberto.sassu@huawei.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.204.63.33] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-CFilter-Loop: Reflected X-Rspamd-Server: rspam03 X-Rspamd-Queue-Id: 3A242F0003A3 X-Stat-Signature: mubm3hotgnh6tb3aszaog7njfsw3ntzr Authentication-Results: imf17.hostedemail.com; dkim=none; dmarc=pass (policy=none) header.from=huawei.com; spf=pass (imf17.hostedemail.com: domain of roberto.sassu@huawei.com designates 185.176.79.56 as permitted sender) smtp.mailfrom=roberto.sassu@huawei.com X-HE-Tag: 1636966183-958796 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: > From: Eric Biggers [mailto:ebiggers@kernel.org] > Sent: Friday, November 12, 2021 8:12 PM > On Fri, Nov 12, 2021 at 01:44:11PM +0100, Roberto Sassu wrote: > > Make the necessary modifications to support fsverity in tmpfs. > > > > First, implement the fsverity operations (in a similar way of f2fs). Th= ese > > operations make use of shmem_read_mapping_page() instead of > > read_mapping_page() to handle the case where the page has been swapped > out. > > The fsverity descriptor is placed at the end of the file and its locati= on > > is stored in an xattr. > > > > Second, implement the ioctl operations to enable, measure and read fsve= rity > > metadata. > > > > Lastly, add calls to fsverity functions, to ensure that fsverity-releva= nt > > operations are checked and handled by fsverity (file open, attr set, in= ode > > evict). > > > > Fsverity support can be enabled through the kernel configuration and > > remains enabled by default for every tmpfs filesystem instantiated (the= re > > should be no overhead, unless fsverity is enabled for a file). > > > > Signed-off-by: Roberto Sassu >=20 > I don't see how this makes sense at all. The point of fs-verity is to av= oid > having to hash the whole file when verifying it. However, obviously the = whole > file still has to be hashed to build the Merkle tree in the first place. = That > makes sense for a persistent filesystem where a file can be written once = and > verified many times. I don't see how it makes sense for tmpfs, where fil= es have > to be re-created on every boot. You might as well just hash the whole fi= le. The point of adding fsverity support for tmpfs was to being able to do integrity enforcement with just one mechanism, given that I was planning to do integrity verification with reference values loaded to the kernel with DIGLIM [1]. With an LSM such as IPE [2], integrity verification would consist in querying the fsverity digest with DIGLIM and allowing the operation if the digest was found. With fsverity support in tmpfs, this can be done from the very beginning of the boot process. Using regular file digests would be also possible but this requires loading with DIGLIM both fsverity and non-fsverity reference values. It would also require two separate mechanisms for calculating the file digest depending on the filesystem. It could be done, but I thought it was easier to add support for fsverity in tmpfs. > Also, you didn't implement actually verifying the data (by calling > fsverity_verify_page()), so this patch doesn't really do anything anyway. Yes, at the end I didn't add it. Probably the only place where calling fsverity_verify_page() would make sense is when a page is swapped in (assuming that the swap device is untrusted). I tried to add a call in shmem_swapin_page() but fsverity complained due to the fact that the page was already up to date, and also rejected the page. I will check it better. Thanks Roberto HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 Managing Director: Li Peng, Zhong Ronghua [1] https://lore.kernel.org/linux-integrity/20210914163401.864635-1-roberto= .sassu@huawei.com/ [2] https://lore.kernel.org/linux-security-module/1634151995-16266-1-git-se= nd-email-deven.desai@linux.microsoft.com/