On Sat, Jan 27, 2018 at 08:19:19AM -0800, James Bottomley wrote: > I certainly buy this approach, and it fits well with the limited data > size there is in xattrs but Ted said in the initial proposal the entire > tree would be present in the file. I can't see a need for supplying > the entire tree rather than reconstructing it but maybe there's an > android use case I'm not seeing (Like not wanting to waste limited CPU > power). You can certainly reconstruct the Merkle tree at install time, but it does need to be saved on disk. My assumption was that Merkle tree would be written to disk by userspace, along with the fs-verity header, simply because it would make things much simpler for the kernel, and in my view you *have* to modify userspace in some way. > Just so I understand the mechanics: The xattr would contain the head > node. When this is written, the tree would be reconstructed from the > file and verified. If it verifies, it must be stored in the filesystem > data somehow (or at least the lowest layer), so all subsequent uses of > the file can proceed from the per page hash even after unmount and > remount? Then I certainly think it suits both cases. Yes.... in theory we could store the bare root hash (and some other bare minmum information, such as the PKCS7 signature and the elments of a fs-verity header) in an xattr, and setting that xattr would magically cause the merkle tree to be reconstructed and stored on disk. But most of the file sytem developers have considered the use of setting or clearing xattrs to cause magically code paths to be executed to be an extremely bad idea. And since I don't really care about the use case, I can let *you* try to convince Cristoph and Al Viro that his is a good idea, despite the general agreemnt by all file system developers that we've been there, done that, decided it was a really bad idea, and let's never ever do that again. (And then you can get some of the "the IMA people are insane" taint on yourself. :-) - Ted