Re: [PATCH] fscrypt: track master key presence separately from secret

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Mon, Oct 16, 2023 at 02:23:37PM -0400, Josef Bacik wrote:
> On Sat, Oct 14, 2023 at 11:10:55PM -0700, Eric Biggers wrote:
> > From: Eric Biggers <ebiggers@xxxxxxxxxx>
> > 
> > Master keys can be in one of three states: present, incompletely
> > removed, and absent (as per FSCRYPT_KEY_STATUS_* used in the UAPI).
> > Currently, the way that "present" is distinguished from "incompletely
> > removed" internally is by whether ->mk_secret exists or not.
> > 
> > With extent-based encryption, it will be necessary to allow per-extent
> > keys to be derived while the master key is incompletely removed, so that
> > I/O on open files will reliably continue working after removal of the
> > key has been initiated.  (We could allow I/O to sometimes fail in that
> > case, but that seems problematic for reasons such as writes getting
> > silently thrown away and diverging from the existing fscrypt semantics.)
> > Therefore, when the filesystem is using extent-based encryption,
> > ->mk_secret can't be wiped when the key becomes incompletely removed.
> > 
> > As a prerequisite for doing that, this patch makes the "present" state
> > be tracked using a new field, ->mk_present.  No behavior is changed yet.
> > 
> > The basic idea here is borrowed from Josef Bacik's patch
> > "fscrypt: use a flag to indicate that the master key is being evicted"
> > (https://lore.kernel.org/r/e86c16dddc049ff065f877d793ad773e4c6bfad9.1696970227.git.josef@xxxxxxxxxxxxxx).
> > I reimplemented it using a "present" bool instead of an "evicted" flag,
> > fixed a couple bugs, and tried to update everything to be consistent.
> > 
> > Note: I considered adding a ->mk_status field instead, holding one of
> > FSCRYPT_KEY_STATUS_*.  At first that seemed nice, but it ended up being
> > more complex (despite simplifying FS_IOC_GET_ENCRYPTION_KEY_STATUS),
> > since it would have introduced redundancy and had weird locking rules.
> > 
> > Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> 
> Based my fscrypt patches ontop of this one, ran tests with both btrfs and ext4
> with it applied, in addition to my normal review stuff.  You can add
> 
> Reviewed-by: Josef Bacik <josef@xxxxxxxxxxxxxx>
> 

Thanks.  I went ahead and applied this patch to the fscrypt tree.

- Eric
[Index of Archives]     [linux Cryptography]     [Asterisk App Development]     [PJ SIP]     [Gnu Gatekeeper]     [IETF Sipping]     [Info Cyrus]     [ALSA User]     [Fedora Linux Users]     [Linux SCTP]     [DCCP]     [Gimp]     [Yosemite News]     [Deep Creek Hot Springs]     [Yosemite Campsites]     [ISDN Cause Codes]

  Powered by Linux