On Tue, Sep 14, 2021 at 10:56:28AM -0700, Eric Biggers wrote: > On Tue, Sep 14, 2021 at 10:49:33AM -0700, Boris Burkov wrote: > > On Tue, Sep 14, 2021 at 10:32:59AM -0700, Eric Biggers wrote: > > > Hi Boris, > > > > > > On Wed, Jun 30, 2021 at 01:01:49PM -0700, Boris Burkov wrote: > > > > Add support for fsverity in btrfs. To support the generic interface in > > > > fs/verity, we add two new item types in the fs tree for inodes with > > > > verity enabled. One stores the per-file verity descriptor and btrfs > > > > verity item and the other stores the Merkle tree data itself. > > > > > > > > Verity checking is done in end_page_read just before a page is marked > > > > uptodate. This naturally handles a variety of edge cases like holes, > > > > preallocated extents, and inline extents. Some care needs to be taken to > > > > not try to verity pages past the end of the file, which are accessed by > > > > the generic buffered file reading code under some circumstances like > > > > reading to the end of the last page and trying to read again. Direct IO > > > > on a verity file falls back to buffered reads. > > > > > > > > Verity relies on PageChecked for the Merkle tree data itself to avoid > > > > re-walking up shared paths in the tree. For this reason, we need to > > > > cache the Merkle tree data. Since the file is immutable after verity is > > > > turned on, we can cache it at an index past EOF. > > > > > > > > Use the new inode ro_flags to store verity on the inode item, so that we > > > > can enable verity on a file, then rollback to an older kernel and still > > > > mount the file system and read the file. Since we can't safely write the > > > > file anymore without ruining the invariants of the Merkle tree, we mark > > > > a ro_compat flag on the file system when a file has verity enabled. > > > > > > I want to mention the btrfs verity support in > > > Documentation/filesystems/fsverity.rst, and I have a couple questions: > > > > > > 1. Is the ro_compat filesystem flag still a thing? The commit message claims it > > > is, and BTRFS_FEATURE_COMPAT_RO_VERITY is defined in the code, but it doesn't > > > seem to actually be used. It's not needed since you found a way to make the > > > inode flags ro_compat instead, right? > > > > I believe it is still being used, unless I messed up the patch I sent in > > the end. Taking a quick look, I think it's set at fs/btrfs/verity.c:558. > > > > btrfs_set_fs_compat_ro(root->fs_info, VERITY); > > > > I believe I still needed it because the tree checker doesn't scan every > > inode on the filesystem when you mount, so it would only freak out about > > a ro-compat inode later on if the inode didn't happen to be in a leaf > > that was being checked at mount time. > > > > Okay, so it is used. (Due to the macro, it didn't show up when grepping.) > > Doesn't it defeat the purpose of a ro_compat inode flag if the whole filesystem > is marked with a ro_compat feature flag, though? I thought that the point of > the ro_compat inode flag is to allow old kernels to mount the filesystem > read-write, with only verity files being forced to read-only. That would be > more flexible than ext4's implementation of fs-verity which forces the whole > filesystem to read-only. But it seems you're forcing the whole filesystem to > read-only anyway? > > - Eric I was thinking of it in terms of "RO compat is the goal" and having new inode flags totally broke that and was treated as a corruption of the inode regardless of the fs being ro/rw. I think a check on a live fs would just flip the fs ro, which was the goal anyway, but a check that happened during mount would fail the mount, even for a read-only fs. Making it fully per file would be pretty cool! The only thing really missing as far as I can tell is a way to mark a file read only with the same semantics fsverity uses from within btrfs. Boris
|