On Thu, Aug 08, 2019 at 06:16:47PM +1000, Dave Chinner wrote: > On Wed, Aug 07, 2019 at 10:49:36PM -0700, Eric Biggers wrote: > > FWIW, the only order that actually makes sense is decrypt->decompress->verity. > > *nod* > > Especially once we get the inline encryption support for fscrypt so > the storage layer can offload the encrypt/decrypt to hardware via > the bio containing plaintext. That pretty much forces fscrypt to be > the lowest layer of the filesystem transformation stack. This > hardware offload capability also places lots of limits on what you > can do with block-based verity layers below the filesystem. e.g. > using dm-verity when you don't know if there's hardware encryption > below or software encryption on top becomes problematic... Add a word, I was just talking benefits between "decrypt->decompress-> verity" and "decrypt->verity->decompress", I think both forms are compatible with inline en/decryption. I don't care which level "decrypt" is at... But maybe some user cares. Am I missing something? Thanks, Gao Xiang
