On Thu, Mar 07, 2024 at 07:46:50PM -0800, Darrick J. Wong wrote: > > BTW, is xfs_repair planned to do anything about any such extra blocks? > > Sorry to answer your question with a question, but how much checking is > $filesystem expected to do for merkle trees? > > In theory xfs_repair could learn how to interpret the verity descriptor, > walk the merkle tree blocks, and even read the file data to confirm > intactness. If the descriptor specifies the highest block address then > we could certainly trim off excess blocks. But I don't know how much of > libfsverity actually lets you do that; I haven't looked into that > deeply. :/ > > For xfs_scrub I guess the job is theoretically simpler, since we only > need to stream reads of the verity files through the page cache and let > verity tell us if the file data are consistent. > > For both tools, if something finds errors in the merkle tree structure > itself, do we turn off verity? Or do we do something nasty like > truncate the file? As far as I know (I haven't been following btrfs-progs, but I'm familiar with e2fsprogs and f2fs-tools), there isn't yet any precedent for fsck actually validating the data of verity inodes against their Merkle trees. e2fsck does delete the verity metadata of inodes that don't have the verity flag enabled. That handles cleaning up after a crash during FS_IOC_ENABLE_VERITY. I suppose that ideally, if an inode's verity metadata is invalid, then fsck should delete that inode's verity metadata and remove the verity flag from the inode. Checking for a missing or obviously corrupt fsverity_descriptor would be fairly straightforward, but it probably wouldn't catch much compared to actually validating the data against the Merkle tree. And actually validating the data against the Merkle tree would be complex and expensive. Note, none of this would work on files that are encrypted. Re: libfsverity, I think it would be possible to validate a Merkle tree using libfsverity_compute_digest() and the callbacks that it supports. But that's not quite what it was designed for. > Is there an ioctl or something that allows userspace to validate an > entire file's contents? Sort of like what BLKVERIFY would have done for > block devices, except that we might believe its answers? Just reading the whole file and seeing whether you get an error would do it. Though if you want to make sure it's really re-reading the on-disk data, it's necessary to drop the file's pagecache first. > Also -- inconsistencies between the file data and the merkle tree aren't > something that xfs can self-heal, right? Similar to file data itself, only way to self-heal would be via mechanisms that provide redundancy. There's been some interest in adding support forward error correction (FEC) to fsverity similar to what dm-verity has, but this would be complex, and it's not something that anyone has gotten around to yet. - Eric
