tag name | fsverity_2024-04-23 (07b2d776a8aaa980f8c1d3f3ae151d4398bef186) |
tag date | 2024-04-23 20:53:25 -0700 |
tagged by | Darrick J. Wong <djwong@kernel.org> |
tagged object | commit a309bd4fc7... |
download | xfs-linux-fsverity_2024-04-23.tar.gz |
---|
xfs: fs-verity support [v5.5 48/54]
This patchset adds support for fsverity to XFS. In keeping with
Andrey's original design, XFS stores all fsverity metadata in the
extended attribute data. However, I've made a few changes to the code:
First, it now caches merkle tree blocks directly instead of abusing the
buffer cache. This reduces lookup overhead quite a bit, at a cost of
needing a new shrinker for cached merkle tree blocks.
To reduce the ondisk footprint further, I also made the verity
enablement code detect trailing zeroes whenever fsverity tells us to
write a buffer, and elide storing the zeroes. To further reduce the
footprint of sparse files, I also skip writing merkle tree blocks if the
block contents are entirely hashes of zeroes.
Next, I implemented more of the tooling around verity, such as debugger
support, as much fsck support as I can manage without knowing the
internal format of the fsverity information; and added support for
xfs_scrub to read fsverity files to validate the consistency of the data
against the merkle tree.
Finally, I add the ability for administrators to turn off fsverity,
which might help recovering damaged data from an inconsistent file.
From Andrey Albershteyn:
Here's v5 of my patchset of adding fs-verity support to XFS.
This implementation uses extended attributes to store fs-verity
metadata. The Merkle tree blocks are stored in the remote extended
attributes. The names are offsets into the tree.
A few key points of this patchset:
- fs-verity can work with Merkle tree blocks based caching (xfs) and
PAGE caching (ext4, f2fs, btrfs)
- iomap does fs-verity verification
- In XFS, fs-verity metadata is stored in extended attributes
- per-sb workqueue for verification processing
- Inodes with fs-verity have new on-disk diflag
- xfs_attr_get() can return a buffer with an extended attribute
- xfs_buf can allocate double space for Merkle tree blocks. Part of
the space is used to store the extended attribute data without
leaf headers
- xfs_buf tracks verified status of merkle tree blocks
Testing:
The patchset is tested with xfstests -g verity on xfs_1k, xfs_4k,
xfs_1k_quota, xfs_4k_quota, ext4_4k, and ext4_4k_quota. With
KMEMLEAK and KASAN enabled. More testing on the way.
Changes from V4:
- Mainly fs-verity changes; removed unnecessary functions
- Replace XFS workqueue with per-sb workqueue created in
fsverity_set_ops()
- Drop patch with readahead calculation in bytes
Changes from V3:
- redone changes to fs-verity core as previous version had an issue
on ext4
- add blocks invalidation interface to fs-verity
- move memory ordering primitives out of block status check to fs
read block function
- add fs-verity verification to iomap instead of general post read
processing
Changes from V2:
- FS_XFLAG_VERITY extended attribute flag
- Change fs-verity to use Merkle tree blocks instead of expecting
PAGE references from filesystem
- Change approach in iomap to filesystem provided bio_set and
submit_io instead of just callouts to filesystem
- Add possibility for xfs_buf allocate more space for fs-verity
extended attributes
- Make xfs_attr module to copy fs-verity blocks inside the xfs_buf,
so XFS can get data without leaf headers
- Add Merkle tree removal for error path
- Makae scrub aware of new dinode flag
Changes from V1:
- Added parent pointer patches for easier testing
- Many issues and refactoring points fixed from the V1 review
- Adjusted for recent changes in fs-verity core (folios, non-4k)
- Dropped disabling of large folios
- Completely new fsverity patches (fix, callout, log_blocksize)
- Change approach to verification in iomap to the same one as in
write path. Callouts to fs instead of direct fs-verity use.
- New XFS workqueue for post read folio verification
- xfs_attr_get() can return underlying xfs_buf
- xfs_bufs are marked with XBF_VERITY_CHECKED to track verified
blocks
This has been running on the djcloud for months with no problems. Enjoy!
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQQ2qTKExjcn+O1o2YRKO3ySh0YRpgUCZiiCNQAKCRBKO3ySh0YR
pmlJAQDNGH/UJhkokHfHefHfFH5v+2qJFya3loSxP4jCLU06AwD/UsjTPmmA99jb
sMOhZPaaGiZDdVyBkmJJcvRsp5tTHAg=
=im8P
-----END PGP SIGNATURE-----