From: "Darrick J. Wong" <djwong@kernel.org>
To: aalbersh@redhat.com, djwong@kernel.org, cem@kernel.org,
ebiggers@kernel.org
Cc: Mark Tinguely <tinguely@sgi.com>,
"Darrick J. Wong" <djwong@djwong.org>,
Dave Chinner <dchinner@redhat.com>,
Allison Henderson <allison.henderson@oracle.com>,
fsverity@lists.linux.dev, linux-fsdevel@vger.kernel.org,
linux-xfs@vger.kernel.org
Subject: [PATCHSET v5.3] fs-verity support for XFS
Date: Sun, 17 Mar 2024 09:23:07 -0700 [thread overview]
Message-ID: <171069247657.2685643.11583844772215446491.stgit@frogsfrogsfrogs> (raw)
In-Reply-To: <20240317161954.GC1927156@frogsfrogsfrogs>
Hi all,
From Darrick J. Wong:
This v5.3 patchset builds upon v5.2 of Andrey's patchset to implement
fsverity for XFS.
The biggest thing that I didn't like in the v5 patchset is the abuse of
the data device's buffer cache to store the incore version of the merkle
tree blocks. Not only do verity state flags end up in xfs_buf, but the
double-alloc flag wastes memory and doesn't remain internally consistent
if the xattrs shift around.
I replaced all of that with a per-inode xarray that indexes incore
merkle tree blocks. For cache hits, this dramatically reduces the
amount of work that xfs has to do to feed fsverity. The per-block
overhead is much lower (8 bytes instead of ~300 for xfs_bufs), and we no
longer have to entertain layering violations in the buffer cache. I
also added a per-filesystem shrinker so that reclaim can cull cached
merkle tree blocks, starting with the leaf tree nodes.
I've also rolled in some changes recommended by the fsverity maintainer,
fixed some organization and naming problems in the xfs code, fixed a
collision in the xfs_inode iflags, and improved dead merkle tree cleanup
per the discussion of the v5 series. At this point I'm happy enough
with this code to start integrating and testing it in my trees, so it's
time to send it out a coherent patchset for comments.
For v5.3, I've added bits and pieces of online and offline repair
support, reduced the size of partially filled merkle tree blocks by
removing trailing zeroes, changed the xattr hash function to better
avoid collisions between merkle tree keys, made the fsverity
invalidation bitmap unnecessary, and made it so that we can save space
on sparse verity files by not storing merkle tree blocks that hash
totally zeroed data blocks.
From Andrey Albershteyn:
Here's v5 of my patchset of adding fs-verity support to XFS.
This implementation uses extended attributes to store fs-verity
metadata. The Merkle tree blocks are stored in the remote extended
attributes. The names are offsets into the tree.
A few key points of this patchset:
- fs-verity can work with Merkle tree blocks based caching (xfs) and
PAGE caching (ext4, f2fs, btrfs)
- iomap does fs-verity verification
- In XFS, fs-verity metadata is stored in extended attributes
- per-sb workqueue for verification processing
- Inodes with fs-verity have new on-disk diflag
- xfs_attr_get() can return a buffer with an extended attribute
- xfs_buf can allocate double space for Merkle tree blocks. Part of
the space is used to store the extended attribute data without
leaf headers
- xfs_buf tracks verified status of merkle tree blocks
The patchset consists of five parts:
- [1]: fs-verity spinlock removal pending in fsverity/for-next
- [2..4]: Parent pointers adding binary xattr names
- [5]: Expose FS_XFLAG_VERITY for fs-verity files
- [6..9]: Changes to fs-verity core
- [10]: Integrate fs-verity to iomap
- [11-24]: Add fs-verity support to XFS
Testing:
The patchset is tested with xfstests -g verity on xfs_1k, xfs_4k,
xfs_1k_quota, xfs_4k_quota, ext4_4k, and ext4_4k_quota. With
KMEMLEAK and KASAN enabled. More testing on the way.
Changes from V4:
- Mainly fs-verity changes; removed unnecessary functions
- Replace XFS workqueue with per-sb workqueue created in
fsverity_set_ops()
- Drop patch with readahead calculation in bytes
Changes from V3:
- redone changes to fs-verity core as previous version had an issue
on ext4
- add blocks invalidation interface to fs-verity
- move memory ordering primitives out of block status check to fs
read block function
- add fs-verity verification to iomap instead of general post read
processing
Changes from V2:
- FS_XFLAG_VERITY extended attribute flag
- Change fs-verity to use Merkle tree blocks instead of expecting
PAGE references from filesystem
- Change approach in iomap to filesystem provided bio_set and
submit_io instead of just callouts to filesystem
- Add possibility for xfs_buf allocate more space for fs-verity
extended attributes
- Make xfs_attr module to copy fs-verity blocks inside the xfs_buf,
so XFS can get data without leaf headers
- Add Merkle tree removal for error path
- Makae scrub aware of new dinode flag
Changes from V1:
- Added parent pointer patches for easier testing
- Many issues and refactoring points fixed from the V1 review
- Adjusted for recent changes in fs-verity core (folios, non-4k)
- Dropped disabling of large folios
- Completely new fsverity patches (fix, callout, log_blocksize)
- Change approach to verification in iomap to the same one as in
write path. Callouts to fs instead of direct fs-verity use.
- New XFS workqueue for post read folio verification
- xfs_attr_get() can return underlying xfs_buf
- xfs_bufs are marked with XBF_VERITY_CHECKED to track verified
blocks
If you're going to start using this code, I strongly recommend pulling
from my git trees, which are linked below.
This has been running on the djcloud for months with no problems. Enjoy!
Comments and questions are, as always, welcome.
--D
kernel git tree:
https://git.kernel.org/cgit/linux/kernel/git/djwong/xfs-linux.git/log/?h=fsverity-xfs
xfsprogs git tree:
https://git.kernel.org/cgit/linux/kernel/git/djwong/xfsprogs-dev.git/log/?h=fsverity-xfs
---
Commits in this patchset:
* xfsprogs: add parent pointer support to attribute code
* xfsprogs: define parent pointer xattr format
* xfsprogs: Add xfs_verify_pptr
* fs: add FS_XFLAG_VERITY for verity files
* xfs: add attribute type for fs-verity
* xfs: add fs-verity ro-compat flag
* xfs: add inode on-disk VERITY flag
* xfs: add fs-verity support
* xfs: advertise fs-verity being available on filesystem
* xfs: create separate name hash function for xattrs
* xfs: use merkle tree offset as attr hash
* xfs: enable ro-compat fs-verity flag
* libfrog: add fsverity to xfs_report_geom output
* xfs_db: introduce attr_modify command
* xfs_db: make attr_set/remove/modify be able to handle fs-verity attrs
* man: document attr_modify command
* xfs_db: dump verity features and metadata
* xfs_db: dump merkle tree data
* xfs_repair: junk fsverity xattrs when unnecessary
* mkfs.xfs: add verity parameter
---
db/attr.c | 94 +++++++++++++++++++
db/attrset.c | 226 +++++++++++++++++++++++++++++++++++++++++++++-
db/attrshort.c | 22 ++++
db/hash.c | 4 -
db/metadump.c | 26 +++--
db/sb.c | 2
db/write.c | 2
db/write.h | 1
include/linux.h | 4 +
include/xfs_mount.h | 2
libfrog/fsgeom.c | 4 +
libxfs/libxfs_api_defs.h | 2
libxfs/xfs_attr.c | 86 ++++++++++++++++--
libxfs/xfs_attr.h | 6 +
libxfs/xfs_attr_leaf.c | 4 -
libxfs/xfs_da_format.h | 80 ++++++++++++++++
libxfs/xfs_format.h | 14 ++-
libxfs/xfs_fs.h | 1
libxfs/xfs_log_format.h | 2
libxfs/xfs_ondisk.h | 4 +
libxfs/xfs_sb.c | 4 +
man/man8/mkfs.xfs.8.in | 4 +
man/man8/xfs_db.8 | 34 +++++++
mkfs/xfs_mkfs.c | 19 +++-
repair/attr_repair.c | 52 +++++++++--
25 files changed, 651 insertions(+), 48 deletions(-)
next prev parent reply other threads:[~2024-03-17 16:23 UTC|newest]
Thread overview: 92+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-17 16:19 [PATCHBOMB v5.3] fs-verity support for XFS Darrick J. Wong
2024-03-17 16:22 ` [PATCHSET " Darrick J. Wong
2024-03-17 16:23 ` [PATCH 01/40] fsverity: remove hash page spin lock Darrick J. Wong
2024-03-17 16:23 ` [PATCH 02/40] xfs: add parent pointer support to attribute code Darrick J. Wong
2024-03-17 16:24 ` [PATCH 03/40] xfs: define parent pointer ondisk extended attribute format Darrick J. Wong
2024-03-17 16:24 ` [PATCH 04/40] xfs: add parent pointer validator functions Darrick J. Wong
2024-03-17 16:24 ` [PATCH 05/40] fs: add FS_XFLAG_VERITY for verity files Darrick J. Wong
2024-03-17 16:24 ` [PATCH 06/40] fsverity: pass tree_blocksize to end_enable_verity() Darrick J. Wong
2024-03-17 16:25 ` [PATCH 07/40] fsverity: support block-based Merkle tree caching Darrick J. Wong
2024-03-17 16:25 ` [PATCH 08/40] fsverity: add per-sb workqueue for post read processing Darrick J. Wong
2024-03-17 16:25 ` [PATCH 09/40] fsverity: add tracepoints Darrick J. Wong
2024-03-17 16:26 ` [PATCH 10/40] fsverity: fix "support block-based Merkle tree caching" Darrick J. Wong
2024-03-17 16:26 ` [PATCH 11/40] fsverity: send the level of the merkle tree block to ->read_merkle_tree_block Darrick J. Wong
2024-03-17 16:26 ` [PATCH 12/40] fsverity: pass the new tree size and block size to ->begin_enable_verity Darrick J. Wong
2024-03-17 16:26 ` [PATCH 13/40] fsverity: expose merkle tree geometry to callers Darrick J. Wong
2024-03-17 16:27 ` [PATCH 14/40] fsverity: rely on cached block callers to retain verified state Darrick J. Wong
2024-03-17 16:27 ` [PATCH 15/40] fsverity: box up the write_merkle_tree_block parameters too Darrick J. Wong
2024-03-17 16:27 ` [PATCH 16/40] fsverity: pass the zero-hash value to the implementation Darrick J. Wong
2024-03-18 16:38 ` Eric Biggers
2024-03-18 21:04 ` Darrick J. Wong
2024-03-17 16:27 ` [PATCH 17/40] fsverity: report validation errors back to the filesystem Darrick J. Wong
2024-03-17 16:28 ` [PATCH 18/40] iomap: integrate fs-verity verification into iomap's read path Darrick J. Wong
2024-03-17 16:28 ` [PATCH 19/40] xfs: add attribute type for fs-verity Darrick J. Wong
2024-03-17 16:28 ` [PATCH 20/40] xfs: add fs-verity ro-compat flag Darrick J. Wong
2024-03-17 16:28 ` [PATCH 21/40] xfs: add inode on-disk VERITY flag Darrick J. Wong
2024-03-17 16:29 ` [PATCH 22/40] xfs: initialize fs-verity on file open and cleanup on inode destruction Darrick J. Wong
2024-03-17 16:29 ` [PATCH 23/40] xfs: don't allow to enable DAX on fs-verity sealed inode Darrick J. Wong
2024-03-17 16:29 ` [PATCH 24/40] xfs: disable direct read path for fs-verity files Darrick J. Wong
2024-03-18 19:48 ` Andrey Albershteyn
2024-03-19 21:17 ` Darrick J. Wong
2024-03-17 16:29 ` [PATCH 25/40] xfs: widen flags argument to the xfs_iflags_* helpers Darrick J. Wong
2024-03-17 16:30 ` [PATCH 26/40] xfs: add fs-verity support Darrick J. Wong
2024-03-18 1:43 ` Christoph Hellwig
2024-03-18 4:34 ` Darrick J. Wong
2024-03-18 4:39 ` Christoph Hellwig
2024-03-18 4:56 ` Darrick J. Wong
2024-03-17 16:30 ` [PATCH 27/40] xfs: create a per-mount shrinker for verity inodes merkle tree blocks Darrick J. Wong
2024-03-17 16:30 ` [PATCH 28/40] xfs: create an icache tag for files with cached " Darrick J. Wong
2024-03-17 16:30 ` [PATCH 29/40] xfs: shrink verity blob cache Darrick J. Wong
2024-03-17 16:31 ` [PATCH 30/40] xfs: clean up stale fsverity metadata before starting Darrick J. Wong
2024-03-18 17:50 ` Andrey Albershteyn
2024-03-17 16:31 ` [PATCH 31/40] xfs: better reporting and error handling in xfs_drop_merkle_tree Darrick J. Wong
2024-03-18 17:51 ` Andrey Albershteyn
2024-03-17 16:31 ` [PATCH 32/40] xfs: make scrub aware of verity dinode flag Darrick J. Wong
2024-03-17 16:32 ` [PATCH 33/40] xfs: add fs-verity ioctls Darrick J. Wong
2024-03-17 16:32 ` [PATCH 34/40] xfs: advertise fs-verity being available on filesystem Darrick J. Wong
2024-03-17 16:32 ` [PATCH 35/40] xfs: teach online repair to evaluate fsverity xattrs Darrick J. Wong
2024-03-18 17:34 ` Andrey Albershteyn
2024-03-19 21:27 ` Darrick J. Wong
2024-03-17 16:32 ` [PATCH 36/40] xfs: don't store trailing zeroes of merkle tree blocks Darrick J. Wong
2024-03-18 17:52 ` Andrey Albershteyn
2024-03-17 16:33 ` [PATCH 37/40] xfs: create separate name hash function for xattrs Darrick J. Wong
2024-03-18 17:53 ` Andrey Albershteyn
2024-03-17 16:33 ` [PATCH 38/40] xfs: use merkle tree offset as attr hash Darrick J. Wong
2024-03-18 17:55 ` Andrey Albershteyn
2024-03-17 16:33 ` [PATCH 39/40] xfs: don't bother storing merkle tree blocks for zeroed data blocks Darrick J. Wong
2024-03-18 17:56 ` Andrey Albershteyn
2024-03-17 16:33 ` [PATCH 40/40] xfs: enable ro-compat fs-verity flag Darrick J. Wong
2024-03-18 16:35 ` [PATCHSET v5.3] fs-verity support for XFS Eric Biggers
2024-03-19 22:07 ` Darrick J. Wong
2024-03-19 23:21 ` Darrick J. Wong
2024-03-20 10:16 ` Andrey Albershteyn
2024-03-20 15:11 ` Darrick J. Wong
2024-03-17 16:23 ` Darrick J. Wong [this message]
2024-03-17 16:34 ` [PATCH 01/20] xfsprogs: add parent pointer support to attribute code Darrick J. Wong
2024-03-17 16:34 ` [PATCH 02/20] xfsprogs: define parent pointer xattr format Darrick J. Wong
2024-03-17 16:34 ` [PATCH 03/20] xfsprogs: Add xfs_verify_pptr Darrick J. Wong
2024-03-17 16:34 ` [PATCH 04/20] fs: add FS_XFLAG_VERITY for verity files Darrick J. Wong
2024-03-17 16:35 ` [PATCH 05/20] xfs: add attribute type for fs-verity Darrick J. Wong
2024-03-17 16:35 ` [PATCH 06/20] xfs: add fs-verity ro-compat flag Darrick J. Wong
2024-03-17 16:35 ` [PATCH 07/20] xfs: add inode on-disk VERITY flag Darrick J. Wong
2024-03-17 16:35 ` [PATCH 08/20] xfs: add fs-verity support Darrick J. Wong
2024-03-17 16:36 ` [PATCH 09/20] xfs: advertise fs-verity being available on filesystem Darrick J. Wong
2024-03-17 16:36 ` [PATCH 10/20] xfs: create separate name hash function for xattrs Darrick J. Wong
2024-03-17 16:36 ` [PATCH 11/20] xfs: use merkle tree offset as attr hash Darrick J. Wong
2024-03-17 16:36 ` [PATCH 12/20] xfs: enable ro-compat fs-verity flag Darrick J. Wong
2024-03-17 16:37 ` [PATCH 13/20] libfrog: add fsverity to xfs_report_geom output Darrick J. Wong
2024-03-17 16:37 ` [PATCH 14/20] xfs_db: introduce attr_modify command Darrick J. Wong
2024-03-17 16:37 ` [PATCH 15/20] xfs_db: make attr_set/remove/modify be able to handle fs-verity attrs Darrick J. Wong
2024-03-17 16:37 ` [PATCH 16/20] man: document attr_modify command Darrick J. Wong
2024-03-17 16:38 ` [PATCH 17/20] xfs_db: dump verity features and metadata Darrick J. Wong
2024-03-17 16:38 ` [PATCH 18/20] xfs_db: dump merkle tree data Darrick J. Wong
2024-03-17 16:38 ` [PATCH 19/20] xfs_repair: junk fsverity xattrs when unnecessary Darrick J. Wong
2024-03-17 16:39 ` [PATCH 20/20] mkfs.xfs: add verity parameter Darrick J. Wong
2024-03-17 16:23 ` [PATCHSET v5.3] fstests: fs-verity support for XFS Darrick J. Wong
2024-03-17 16:39 ` [PATCH 1/3] common/verity: enable fsverity " Darrick J. Wong
2024-03-17 16:39 ` [PATCH 2/3] xfs/{021,122}: adapt to fsverity xattrs Darrick J. Wong
2024-03-19 14:59 ` Andrey Albershteyn
2024-03-19 19:25 ` Darrick J. Wong
2024-03-17 16:39 ` [PATCH 3/3] common/populate: add verity files to populate xfs images Darrick J. Wong
2024-03-18 1:39 ` [PATCHBOMB v5.3] fs-verity support for XFS Christoph Hellwig
2024-03-18 4:30 ` Darrick J. Wong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=171069247657.2685643.11583844772215446491.stgit@frogsfrogsfrogs \
--to=djwong@kernel.org \
--cc=aalbersh@redhat.com \
--cc=allison.henderson@oracle.com \
--cc=cem@kernel.org \
--cc=dchinner@redhat.com \
--cc=djwong@djwong.org \
--cc=ebiggers@kernel.org \
--cc=fsverity@lists.linux.dev \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-xfs@vger.kernel.org \
--cc=tinguely@sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).