On Tue, Sep 14, 2021 at 10:49:33AM -0700, Boris Burkov wrote: > On Tue, Sep 14, 2021 at 10:32:59AM -0700, Eric Biggers wrote: > > Hi Boris, > > > > On Wed, Jun 30, 2021 at 01:01:49PM -0700, Boris Burkov wrote: > > > Add support for fsverity in btrfs. To support the generic interface in > > > fs/verity, we add two new item types in the fs tree for inodes with > > > verity enabled. One stores the per-file verity descriptor and btrfs > > > verity item and the other stores the Merkle tree data itself. > > > > > > Verity checking is done in end_page_read just before a page is marked > > > uptodate. This naturally handles a variety of edge cases like holes, > > > preallocated extents, and inline extents. Some care needs to be taken to > > > not try to verity pages past the end of the file, which are accessed by > > > the generic buffered file reading code under some circumstances like > > > reading to the end of the last page and trying to read again. Direct IO > > > on a verity file falls back to buffered reads. > > > > > > Verity relies on PageChecked for the Merkle tree data itself to avoid > > > re-walking up shared paths in the tree. For this reason, we need to > > > cache the Merkle tree data. Since the file is immutable after verity is > > > turned on, we can cache it at an index past EOF. > > > > > > Use the new inode ro_flags to store verity on the inode item, so that we > > > can enable verity on a file, then rollback to an older kernel and still > > > mount the file system and read the file. Since we can't safely write the > > > file anymore without ruining the invariants of the Merkle tree, we mark > > > a ro_compat flag on the file system when a file has verity enabled. > > > > I want to mention the btrfs verity support in > > Documentation/filesystems/fsverity.rst, and I have a couple questions: > > > > 1. Is the ro_compat filesystem flag still a thing? The commit message claims it > > is, and BTRFS_FEATURE_COMPAT_RO_VERITY is defined in the code, but it doesn't > > seem to actually be used. It's not needed since you found a way to make the > > inode flags ro_compat instead, right? > > I believe it is still being used, unless I messed up the patch I sent in > the end. Taking a quick look, I think it's set at fs/btrfs/verity.c:558. > > btrfs_set_fs_compat_ro(root->fs_info, VERITY); > > I believe I still needed it because the tree checker doesn't scan every > inode on the filesystem when you mount, so it would only freak out about > a ro-compat inode later on if the inode didn't happen to be in a leaf > that was being checked at mount time. > Okay, so it is used. (Due to the macro, it didn't show up when grepping.) Doesn't it defeat the purpose of a ro_compat inode flag if the whole filesystem is marked with a ro_compat feature flag, though? I thought that the point of the ro_compat inode flag is to allow old kernels to mount the filesystem read-write, with only verity files being forced to read-only. That would be more flexible than ext4's implementation of fs-verity which forces the whole filesystem to read-only. But it seems you're forcing the whole filesystem to read-only anyway? - Eric
|