| Message ID | 20240206201858.952303-1-kent.overstreet@linux.dev |
|---|---|
| Headers |
Return-Path: <linux-kernel+bounces-55581-ouuuleilei=gmail.com@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:7301:168b:b0:106:860b:bbdd with SMTP id
ma11csp1803447dyb;
Tue, 6 Feb 2024 12:26:52 -0800 (PST)
X-Forwarded-Encrypted: i=3;
AJvYcCX6kTRT5n+6BBg39eDYqd4MCYemESP//ItZ8XXuAlstcpG19xFpJEbKJixZPg5l3si4umbceg8SMHExWvVPlRz9frf2JQ==
X-Google-Smtp-Source:
AGHT+IFw44/JOggkRJHMQUD64Y/MrBsdv6jR3FxXsdm2BZzWo3HIerN44HuG3uThzbN1s1JRy5Vf
X-Received: by 2002:a05:6512:466:b0:511:56ef:93eb with SMTP id
x6-20020a056512046600b0051156ef93ebmr2199157lfd.30.1707251211939;
Tue, 06 Feb 2024 12:26:51 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1707251211; cv=pass;
d=google.com; s=arc-20160816;
b=YNZugH9BJlN3enso0PFAthsngUBnBPn6Cai1i/C1bzMbC2zxYbAq4z/s8daTl2jY4r
FdyAKyQ7uMiCz/Lguw6ZzDe/0yAKMS4XVtBo8SSWZ7d3vbnUJTVOpbAKRn0Ktj2Nzrai
U3+v5EucNjTnuqKgqYpXbocvjhG5Wm5ywTqC7WzVV70E96ITAldK/fcO2Y3Tpw5S0ByM
bHhBAAiWC5E/LRgLan+GHORU6tP0E/KeM34iIvm1CDksbe9q/rRlzhUenT+Kw1QZ3XwD
x2anU2N3K0Vybm21NefZRnLe9+O9EG1kH/7y4So631wjaP0WUhYX0J4TzMbNWQlAhF8b
b5DA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=content-transfer-encoding:mime-version:list-unsubscribe
:list-subscribe:list-id:precedence:message-id:date:subject:cc:to
:from:dkim-signature;
bh=/Tm3QJ8ktnoQXwinKZstJfbJd1PnNWgD9rX0cMudv04=;
fh=+/LjCsxyKEmpcIKQg0G3nAQ9vxBdRdG2Po+l/7GnNcU=;
b=Yrj09u2S5aN6moixnmjuqH+HtraUws1EFE75DXvjzu9adQ1ld8rra2FFpPrcC1EecM
G0LUVtloOMVKMK4YVYyxibZKNdleiYyrGPGAEc7FHRAhpauTKktaqmnM0zguRo15k6zr
ioiw0r/JIyuegpj0Jr6ejY43dEoKOMXoeo5cmbyhj4n89UbOAkxGEa0ydbfOyQ4yak0A
2VnwaiQwqgyKzVuUGkLR+NwwlZs1gwnuuU0oiONzTsTC/2JaXL6P3WqWMQj9nMbhz3OM
sGVBMp1QGqLsboByU4jyiNFsqRYyz8F7VXudOQ1ocD3TcAqYhxSzNQ3obLZXa348OguS
Dbyg==;
dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
dkim=pass header.i=@linux.dev header.s=key1 header.b=bSIpDTWc;
arc=pass (i=1 spf=pass spfdomain=linux.dev dkim=pass dkdomain=linux.dev
dmarc=pass fromdomain=linux.dev);
spf=pass (google.com: domain of
linux-kernel+bounces-55581-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:4601:e00::3 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-55581-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev
X-Forwarded-Encrypted: i=1;
AJvYcCWAmwkcdpachqRafVLbGTTbln5lwmTAcPVT+uRLvovhwGJwyqt7fqtNBpfMMRSyx/KNO8Dri75G98W3AfbwE3NVVdMxpw==
Received: from am.mirrors.kernel.org (am.mirrors.kernel.org.
[2604:1380:4601:e00::3])
by mx.google.com with ESMTPS id
h11-20020a170906718b00b00a3590a9942csi1418722ejk.661.2024.02.06.12.26.51
for <ouuuleilei@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Tue, 06 Feb 2024 12:26:51 -0800 (PST)
Received-SPF: pass (google.com: domain of
linux-kernel+bounces-55581-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3;
Authentication-Results: mx.google.com;
dkim=pass header.i=@linux.dev header.s=key1 header.b=bSIpDTWc;
arc=pass (i=1 spf=pass spfdomain=linux.dev dkim=pass dkdomain=linux.dev
dmarc=pass fromdomain=linux.dev);
spf=pass (google.com: domain of
linux-kernel+bounces-55581-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:4601:e00::3 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-55581-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org
[52.25.139.140])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by am.mirrors.kernel.org (Postfix) with ESMTPS id 400371F26273
for <ouuuleilei@gmail.com>; Tue, 6 Feb 2024 20:19:56 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by smtp.subspace.kernel.org (Postfix) with ESMTP id C0D341B81D;
Tue, 6 Feb 2024 20:19:14 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev
header.b="bSIpDTWc"
Received: from out-180.mta0.migadu.com (out-180.mta0.migadu.com
[91.218.175.180])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by smtp.subspace.kernel.org (Postfix) with ESMTPS id A340517BA0
for <linux-kernel@vger.kernel.org>; Tue, 6 Feb 2024 20:19:09 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
arc=none smtp.client-ip=91.218.175.180
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
t=1707250751; cv=none;
b=bN5hbhyBR1RC6jTvywx6ESfGWLOo5oSc5JzneWa8GQGUj73gNDj8fxLWy8+m7sHA85i2Y5SXw0r4tpUwoAWFrvoaw8DGgzy2ChRLf6+BVyWcV5QpwywZBVA5pOrd/K2OLmQYwaRD4LaLUAPerMjt8zxW9wFNySA9G+cDrhT3Z0Y=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
s=arc-20240116; t=1707250751; c=relaxed/simple;
bh=CvqiEYInYd5a5l6jtW2YD1didNCDQzJwxx0JM3XNOpI=;
h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;
b=BwB1PBrU3PBdlEBZFb2qV++/oxe9J0cqGvFgcPuoL52wf1NExScKNyz/L9UMvv6CaSQ1/Vol44el5g3v9hs4QM8gOFnwmA05GYio6JoPDYv5xgoFVgBoAC4g1IFU6egfmIslhNedFeZBOu9BKYNddbjI/p3PE8H9YbSsCiHcxQc=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
dmarc=pass (p=none dis=none) header.from=linux.dev;
spf=pass smtp.mailfrom=linux.dev;
dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev
header.b=bSIpDTWc; arc=none smtp.client-ip=91.218.175.180
Authentication-Results: smtp.subspace.kernel.org;
dmarc=pass (p=none dis=none) header.from=linux.dev
Authentication-Results: smtp.subspace.kernel.org;
spf=pass smtp.mailfrom=linux.dev
X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and
include these headers.
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1;
t=1707250747;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:cc:mime-version:mime-version:
content-transfer-encoding:content-transfer-encoding;
bh=/Tm3QJ8ktnoQXwinKZstJfbJd1PnNWgD9rX0cMudv04=;
b=bSIpDTWcgiVydgYV6QG8ktqF9gSZ203W29s/MfAwSIZ8zMQ6TjGTpkO1EYtb1Q13YoRrMI
w1JM6fJGXavHELNfuC+9/f5A/cuSw00qaTkCbtW9iE8v8CoEr6D9MHipb0hI4EQC/YGFuq
Cu1uAayTOJ9Eq5NhFjrfGq87EkaCc9o=
From: Kent Overstreet <kent.overstreet@linux.dev>
To: brauner@kernel.org,
linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org
Cc: Kent Overstreet <kent.overstreet@linux.dev>
Subject: [PATCH v2 0/7] filesystem visibililty ioctls
Date: Tue, 6 Feb 2024 15:18:48 -0500
Message-ID: <20240206201858.952303-1-kent.overstreet@linux.dev>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Migadu-Flow: FLOW_OUT
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1790182646893868850
X-GMAIL-MSGID: 1790182646893868850
|
| Series |
filesystem visibililty ioctls
|
|
Message
Kent Overstreet
Feb. 6, 2024, 8:18 p.m. UTC
previous: https://lore.kernel.org/linux-fsdevel/20240206-aufwuchs-atomkraftgegner-dc53ce1e435f@brauner/T/ Changes since v1: - super_set_uuid() helper, per Dave - nix FS_IOC_SETUUID - Al raised this and I'm in 100% agreement, changing a UUID on an existing filesystem is a rare operation that should only be done when the filesystem is offline; we'd need to audit/fix a bunch of stuff if we wanted to support this - fix iocl numberisng, no longer using btrfs's space - flags argument in struct fsuuid2 is gone; since we're no longer setting this is no longer needed. As discussed previously, this interface is only for exporting the public, user-changable UUID (and there's now a comment saying that this exports the same UUID that libblkid reports, per Darrick). Darrick also noticed that fscrypt (!) is using sb->s_uuid, which looks busted - they want to be using the "this can never change" UUID, but that is not an item for this patchset. - FS_IOC_GETSYSFSNAME -> FS_IOC_GETSYSFSPATH, per Darrick (the commit messages didn't get updated, whoops); and there's now a comment to reflect that this patch is also for finding filesystem info under debugfs, if present. Christain, if nothing else comes up, are you ready to take this? Cheers, Kent Kent Overstreet (7): fs: super_set_uuid() overlayfs: Convert to super_set_uuid() fs: FS_IOC_GETUUID fat: Hook up sb->s_uuid fs: FS_IOC_GETSYSFSNAME xfs: add support for FS_IOC_GETSYSFSNAME bcachefs: add support for FS_IOC_GETSYSFSNAME fs/bcachefs/fs.c | 3 ++- fs/ext4/super.c | 2 +- fs/f2fs/super.c | 2 +- fs/fat/inode.c | 3 +++ fs/gfs2/ops_fstype.c | 2 +- fs/ioctl.c | 33 +++++++++++++++++++++++++++++++++ fs/kernfs/mount.c | 4 +++- fs/ocfs2/super.c | 4 ++-- fs/overlayfs/util.c | 14 +++++++++----- fs/ubifs/super.c | 2 +- fs/xfs/xfs_mount.c | 4 +++- include/linux/fs.h | 10 ++++++++++ include/uapi/linux/fs.h | 27 +++++++++++++++++++++++++++ mm/shmem.c | 4 +++- 14 files changed, 99 insertions(+), 15 deletions(-)
Comments
On Tue, Feb 06, 2024 at 03:18:48PM -0500, Kent Overstreet wrote: > > Darrick also noticed that fscrypt (!) is using sb->s_uuid, which looks > busted - they want to be using the "this can never change" UUID, but > that is not an item for this patchset. > fscrypt only uses sb->s_uuid if FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 or FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32 is being used in the encryption policy. These flags are only supported by ext4 and f2fs, and they are only useful when the file contents encryption is being done with inline encryption hardware that only allows 64-bits or less of the initialization vector to be specified and that has poor performance when switching keys. This hardware is currently only known to be present on mobile and embedded systems that use eMMC or UFS storage. Note that these settings assume the inode numbers are stable as well as the UUID. So, when they are in use, filesystem shrinking is prohibited as well as changing the filesystem UUID. (In ext4, both operations are forbidden using the stable_inodes feature flag. f2fs doesn't support either operation regardless.) These restrictions are unfortunate, but so far they haven't been a problem for the only known use case for these non-default settings. In the case of s_uuid, for both ext4 and f2fs it's true that we could have used s_encrypt_pw_salt instead, or added a new general-purpose internal UUID field and used that. Maybe we even should have, considering the precedent of ext4's metadata_csum migrating away from using the UUID to its own internal seed. I do worry that relying on an internal UUID for these settings would make it easier for people to create insecure setups where they're using the same fscrypt key on multiple filesystems with the same internal UUID. With the external UUID, such misconfigurations are obvious and will be noticed and fixed. With the internal UUID, such vulnerabilities would not be noticed, as things will "just work". Which is better? It's not entirely clear to me. We do encourage the use of different fscrypt keys on different filesystems anyway, but this isn't required. Of course, even if the usability improvement outweighs that concern, switching these already-existing encryption settings over to use an internal UUID can't be done trivially; it would have to be controlled by a new filesystem feature flag. We probably shouldn't bother unless/until there's a clear use case for it. If anyone does have any new use case for these weird and non-default encryption settings (and I hope you don't!), I'd be interested to hear... - Eric
On Tue, Feb 06, 2024 at 05:47:29PM -0800, Eric Biggers wrote: > On Tue, Feb 06, 2024 at 03:18:48PM -0500, Kent Overstreet wrote: > > > > Darrick also noticed that fscrypt (!) is using sb->s_uuid, which looks > > busted - they want to be using the "this can never change" UUID, but > > that is not an item for this patchset. > > > > fscrypt only uses sb->s_uuid if FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 or > FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32 is being used in the encryption policy. > These flags are only supported by ext4 and f2fs, and they are only useful when > the file contents encryption is being done with inline encryption hardware that > only allows 64-bits or less of the initialization vector to be specified and > that has poor performance when switching keys. This hardware is currently only > known to be present on mobile and embedded systems that use eMMC or UFS storage. > > Note that these settings assume the inode numbers are stable as well as the > UUID. So, when they are in use, filesystem shrinking is prohibited as well as > changing the filesystem UUID. (In ext4, both operations are forbidden using the > stable_inodes feature flag. f2fs doesn't support either operation regardless.) > > These restrictions are unfortunate, but so far they haven't been a problem for > the only known use case for these non-default settings. > > In the case of s_uuid, for both ext4 and f2fs it's true that we could have used > s_encrypt_pw_salt instead, or added a new general-purpose internal UUID field > and used that. Maybe we even should have, considering the precedent of ext4's > metadata_csum migrating away from using the UUID to its own internal seed. I do > worry that relying on an internal UUID for these settings would make it easier > for people to create insecure setups where they're using the same fscrypt key on > multiple filesystems with the same internal UUID. With the external UUID, such > misconfigurations are obvious and will be noticed and fixed. With the internal > UUID, such vulnerabilities would not be noticed, as things will "just work". > Which is better? It's not entirely clear to me. We do encourage the use of > different fscrypt keys on different filesystems anyway, but this isn't required. *nod* nonce reuse is a thorny issue - that makes using the changeable, external UUID a bit more of a feature than a bug. > Of course, even if the usability improvement outweighs that concern, switching > these already-existing encryption settings over to use an internal UUID can't be > done trivially; it would have to be controlled by a new filesystem feature flag. > We probably shouldn't bother unless/until there's a clear use case for it. > > If anyone does have any new use case for these weird and non-default encryption > settings (and I hope you don't!), I'd be interested to hear... I just wanted to make sure I wasn't breaking fscrypt by baking-in that s_uuid is the user facing one - thanks for the info. Can we get this documented in a code comment somewhere visible? It was definitely a "wtf" moment when Darrick and I saw it, I want to make sure people know what's going on later.
On Tue, Feb 06, 2024 at 03:18:48PM -0500, Kent Overstreet wrote: > previous: > https://lore.kernel.org/linux-fsdevel/20240206-aufwuchs-atomkraftgegner-dc53ce1e435f@brauner/T/ > > Changes since v1: > - super_set_uuid() helper, per Dave > > - nix FS_IOC_SETUUID - Al raised this and I'm in 100% agreement, > changing a UUID on an existing filesystem is a rare operation that > should only be done when the filesystem is offline; we'd need to > audit/fix a bunch of stuff if we wanted to support this NAK. First, this happens every single time a VM in the cloud starts up, so it happens ZILLIONS of time a day. Secondly, there is already userspace programs --- to wit, tune2fs --- that uses this ioctl, so nixing FS_IOC_SETUUID will break userspace programs. - Ted
On Wed, Feb 07, 2024 at 12:40:09PM -0500, Theodore Ts'o wrote: > On Tue, Feb 06, 2024 at 03:18:48PM -0500, Kent Overstreet wrote: > > previous: > > https://lore.kernel.org/linux-fsdevel/20240206-aufwuchs-atomkraftgegner-dc53ce1e435f@brauner/T/ > > > > Changes since v1: > > - super_set_uuid() helper, per Dave > > > > - nix FS_IOC_SETUUID - Al raised this and I'm in 100% agreement, > > changing a UUID on an existing filesystem is a rare operation that > > should only be done when the filesystem is offline; we'd need to > > audit/fix a bunch of stuff if we wanted to support this > > NAK. First, this happens every single time a VM in the cloud starts > up, so it happens ZILLIONS of time a day. Secondly, there is already > userspace programs --- to wit, tune2fs --- that uses this ioctl, so > nixing FS_IOC_SETUUID will break userspace programs. You've still got the ext4 version, we're not taking that away. But I don't think other filesystems will want to deal with the hassle of changing UUIDs at runtime, since that's effectively used for API access via sysfs and debugfs.
> don't think other filesystems will want to deal with the hassle of > changing UUIDs at runtime, since that's effectively used for API access > via sysfs and debugfs. /me nods.
> Christain, if nothing else comes up, are you ready to take this?
I'm amazed how consistently you mistype my name. Sorry, I just read
that. Yep, I'm about to pick this up.
On Thu, Feb 08, 2024 at 10:48:31AM +0100, Christian Brauner wrote: > > Christain, if nothing else comes up, are you ready to take this? > > I'm amazed how consistently you mistype my name. Sorry, I just read > that. Yep, I'm about to pick this up. Gah, am I becoming dyslexic in my old age...
On Wed, Feb 07, 2024 at 03:26:55PM -0500, Kent Overstreet wrote: > You've still got the ext4 version, we're not taking that away. But I > don't think other filesystems will want to deal with the hassle of > changing UUIDs at runtime, since that's effectively used for API access > via sysfs and debugfs. Thanks. I misunderstood the log. I didn't realize this was just about not hoisting the ioctl to the VFS level, and dropping the generic uuid set. I'm not convinced that we should be using the UUID for kernel API access, if for no other reason that not all file systems have UUID's. Sure, modern file systems have UUID's, and individual file systems might have to have specific features that don't play well with UUID's changing while the file system is mounted. But I'm hoping that we don't add any new interfaces that rely on using the UUID for API access at the VFS layer. After all, ext2 (not just ext3 and ext4) has supported changing the UUID while the file system has been mounted for *decades*. - Ted
On Mon, Feb 12, 2024 at 05:47:40PM -0500, Theodore Ts'o wrote: > On Wed, Feb 07, 2024 at 03:26:55PM -0500, Kent Overstreet wrote: > > You've still got the ext4 version, we're not taking that away. But I > > don't think other filesystems will want to deal with the hassle of > > changing UUIDs at runtime, since that's effectively used for API access > > via sysfs and debugfs. > > Thanks. I misunderstood the log. I didn't realize this was just about > not hoisting the ioctl to the VFS level, and dropping the generic uuid > set. > > I'm not convinced that we should be using the UUID for kernel API > access, if for no other reason that not all file systems have UUID's. > Sure, modern file systems have UUID's, and individual file systems > might have to have specific features that don't play well with UUID's > changing while the file system is mounted. But I'm hoping that we > don't add any new interfaces that rely on using the UUID for API > access at the VFS layer. After all, ext2 (not just ext3 and ext4) has > supported changing the UUID while the file system has been mounted for > *decades*. *nod* The intention isn't for every filesystem to be using the UUID for API access - there's no reason to for single device filesystems, after all. The intent is rather - for filesystems that _do_ need the UUID as a stable identifier, let's try to standardize how's it's exposed and used...