On Sat, Jan 27, 2018 at 08:19:19AM -0800, James Bottomley wrote:
> I certainly buy this approach, and it fits well with the limited data
> size there is in xattrs but Ted said in the initial proposal the entire
> tree would be present in the file. I can't see a need for supplying
> the entire tree rather than reconstructing it but maybe there's an
> android use case I'm not seeing (Like not wanting to waste limited CPU
> power).
You can certainly reconstruct the Merkle tree at install time, but it
does need to be saved on disk. My assumption was that Merkle tree
would be written to disk by userspace, along with the fs-verity
header, simply because it would make things much simpler for the
kernel, and in my view you *have* to modify userspace in some way.
> Just so I understand the mechanics: The xattr would contain the head
> node. When this is written, the tree would be reconstructed from the
> file and verified. If it verifies, it must be stored in the filesystem
> data somehow (or at least the lowest layer), so all subsequent uses of
> the file can proceed from the per page hash even after unmount and
> remount? Then I certainly think it suits both cases.
Yes.... in theory we could store the bare root hash (and some other
bare minmum information, such as the PKCS7 signature and the elments
of a fs-verity header) in an xattr, and setting that xattr would
magically cause the merkle tree to be reconstructed and stored on
disk. But most of the file sytem developers have considered the use
of setting or clearing xattrs to cause magically code paths to be
executed to be an extremely bad idea. And since I don't really care
about the use case, I can let *you* try to convince Cristoph and Al
Viro that his is a good idea, despite the general agreemnt by all file
system developers that we've been there, done that, decided it was a
really bad idea, and let's never ever do that again. (And then you
can get some of the "the IMA people are insane" taint on yourself. :-)
- Ted
