> On Sep 16, 2019, at 9:16 AM, Janne Karhunen <janne.karhunen@xxxxxxxxx> wrote:
>
> On Wed, Aug 28, 2019 at 8:36 PM Chuck Lever <chuck.lever@xxxxxxxxxx> wrote:
>
>> My thought was to use an ephemeral Merkle tree for NFS (and
>> possibly other remote filesystems, like FUSE, until these
>> filesystems support durable per-file Merkle trees). A tree would
>> be constructed when the client measures a file, but it would not
>> be saved to the filesystem. Instead of a hash of the file's contents,
>> the tree's root signature is stored as the IMA metadata.
>
> So the attack you are trying to guard against is that the pages that
> were evicted once and that are read back could still be integrity
> verified?

Yes, the idea would be to provide a generic mechanism for
constructing ephemeral trees such that it can be used for the
purpose you describe on behalf of file systems besides NFS;
e.g. FUSE, or other remote file systems such as SMB.

In addition, I hope the mechanism would also be able to
reconstruct a partially evicted Merkle tree as well (in the cases
where there is no durable tree available).

> Handling this properly would be awesome. I don't think we have
> anything against this now, the pages that were once evicted are really
> not checked when read back.

--
Chuck Lever
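
The scheme discussed in this thread, sketched as an added example that is not code from the thread or from the kernel: a tree built in memory when a file is measured, a page checked against it when read back after eviction, and evicted leaf hashes rebuilt against a parent that is still cached. SHA-256, 4096-byte pages, the padding node, the use of a bare root hash in place of the root signature, and all function names are assumptions made for illustration.

```python
import hashlib

PAGE_SIZE = 4096      # assumed leaf granularity: one hash per page
EMPTY = bytes(32)     # constructed padding node for levels with an odd count

def _h(tag: bytes, data: bytes) -> bytes:
    # Tag leaves and interior nodes differently so one cannot pass as the other.
    return hashlib.sha256(tag + data).digest()

def build_tree(data: bytes):
    """Measure a file: levels[0] holds leaf hashes, levels[-1][0] is the root.
    The tree stays in client memory; only the root is kept as the measurement."""
    pages = [data[i:i + PAGE_SIZE] for i in range(0, len(data), PAGE_SIZE)] or [b""]
    levels = [[_h(b"\x00", p) for p in pages]]
    while len(levels[-1]) > 1:
        cur = levels[-1] + ([EMPTY] if len(levels[-1]) % 2 else [])
        levels.append([_h(b"\x01", cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def verify_page(levels, root: bytes, index: int, page: bytes) -> bool:
    """Check a page read back after eviction against the cached tree and the root."""
    node = _h(b"\x00", page)
    for level in levels[:-1]:
        sib = index ^ 1
        sibling = level[sib] if sib < len(level) else EMPTY
        pair = node + sibling if index % 2 == 0 else sibling + node
        node = _h(b"\x01", pair)
        index //= 2
    return node == root

def restore_leaf_pair(levels, pair: int, left: bytes, right: bytes) -> bool:
    """Rebuild two evicted leaf hashes from re-read pages, accepting them only
    if they hash to the parent node that is still cached."""
    lh, rh = _h(b"\x00", left), _h(b"\x00", right)
    if _h(b"\x01", lh + rh) != levels[1][pair]:
        return False
    levels[0][2 * pair], levels[0][2 * pair + 1] = lh, rh
    return True

# Constructed sample: a 5-page "file" whose pages differ from one another.
FILE = b"".join(bytes([n]) * PAGE_SIZE for n in range(5))
TREE = build_tree(FILE)
ROOT = TREE[-1][0]   # the value that would stand in for the whole-file hash
```

A page that is correct but returned at the wrong offset also fails `verify_page`, because the sibling path is selected by page index.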