Re: RFC: what to do about fscrypt vs block device interaction

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Thu, Jul 21, 2022 at 02:59:29PM +0200, Christoph Hellwig wrote:
> Hi Eric,
> 
> fscrypt is the last major user of request_queues in file system code.
> A lot of this would be easy to fix, and I have some pending patches,
> but the major roadblocker is that the fscrypt_blk_crypto_key tries
> to hold it's own refefrences to the request_queue.  The reason for
> that is documented in the code, as in that the master key can outlive
> the super_block.  But can you explain why we need to do that?  I
> think evicting the key on unmount would be very much the expected
> behavior.  With that we could rework how fscrypt interacts with the
> file systems for inline encryption and avoid the nasty returning
> of the devics in the get_devices method.  See my draft patch below,
> for which I'm stuck at how to find a super_block for the evict side,
> which seems to require larger logic changes.

Yes, evicting the blk-crypto keys at unmount is the expected behavior.  And it
basically is the actual behavior as well, but as currently implemented there can
be a slight delay.  There are two reasons for the delay, both probably solvable.

The first is that ->s_master_keys isn't released until __put_super().  It
probably should be moved earlier, maybe to generic_shutdown_super().

The second reason is that the keyrings subsystem is being used to keep track of
the superblock's master keys (for several reasons, such as integrating with the
key quotas), and a side effect of that we get the delay of the keyring's
subsystem garbage collector before the destroy callbacks of the keys actually
run.  That delays the eviction of the blk-crypto keys.

To avoid that, I think we could go through and evict all the blk_crypto_keys
(i.e. call fscrypt_destroy_prepared_key() on the fscrypt_prepared_keys embedded
in each fscrypt_master_key) during the unmount itself, separating it from the
destruction of the key objects from the keyring subsystem's perspective.
That could happen in the moved call to fscrypt_sb_free().

I don't remember any specific reason why this wasn't done originally.
blk-crypto support was added later on, so when it was added I think we just
defaulted to keeping the same lifecycle for everything as before.

- Eric
[Index of Archives]     [linux Cryptography]     [Asterisk App Development]     [PJ SIP]     [Gnu Gatekeeper]     [IETF Sipping]     [Info Cyrus]     [ALSA User]     [Fedora Linux Users]     [Linux SCTP]     [DCCP]     [Gimp]     [Yosemite News]     [Deep Creek Hot Springs]     [Yosemite Campsites]     [ISDN Cause Codes]

  Powered by Linux