[v12,08/54] ceph: add a has_stable_inodes operation for ceph

Commit Message

Jeffrey Layton March 31, 2022, 3:30 p.m. UTC

...and just have it return true. It should never change inode numbers
out from under us, as they are baked into the object names.

Tested-by: Luís Henriques <lhenriques@suse.de>
Reviewed-by: Luís Henriques <lhenriques@suse.de>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
---
 fs/ceph/crypto.c     | 11 +++++++++
 fs/ceph/file.c       |  2 ++
 fs/ceph/inode.c      | 18 +++++++++++++-
 fs/ceph/mds_client.c | 57 ++++++++++++++++++++++++++++++++++++++++++++
 fs/ceph/mds_client.h |  4 ++++
 fs/ceph/super.h      |  6 +++++
 6 files changed, 97 insertions(+), 1 deletion(-)

Comments

Eric Biggers March 31, 2022, 8:03 p.m. UTC | #1

On Thu, Mar 31, 2022 at 11:30:44AM -0400, Jeff Layton wrote:
>  static struct fscrypt_operations ceph_fscrypt_ops = {
>  	.key_prefix		= "ceph:",
>  	.get_context		= ceph_crypt_get_context,
>  	.set_context		= ceph_crypt_set_context,
>  	.empty_dir		= ceph_crypt_empty_dir,
> +	.has_stable_inodes	= ceph_crypt_has_stable_inodes,
>  };

What is the use case for implementing this?  Note the comment in the struct
definition:

       /*
         * Check whether the filesystem's inode numbers and UUID are stable,
         * meaning that they will never be changed even by offline operations
         * such as filesystem shrinking and therefore can be used in the
         * encryption without the possibility of files becoming unreadable.
         *
         * Filesystems only need to implement this function if they want to
         * support the FSCRYPT_POLICY_FLAG_IV_INO_LBLK_{32,64} flags.  These
         * flags are designed to work around the limitations of UFS and eMMC
         * inline crypto hardware, and they shouldn't be used in scenarios where
         * such hardware isn't being used.
         *
         * Leaving this NULL is equivalent to always returning false.
         */
        bool (*has_stable_inodes)(struct super_block *sb);

I think you should just leave this NULL for now.

- Eric

Jeffrey Layton April 1, 2022, 10:37 a.m. UTC | #2

On Thu, 2022-03-31 at 20:03 +0000, Eric Biggers wrote:
> On Thu, Mar 31, 2022 at 11:30:44AM -0400, Jeff Layton wrote:
> >  static struct fscrypt_operations ceph_fscrypt_ops = {
> >  	.key_prefix		= "ceph:",
> >  	.get_context		= ceph_crypt_get_context,
> >  	.set_context		= ceph_crypt_set_context,
> >  	.empty_dir		= ceph_crypt_empty_dir,
> > +	.has_stable_inodes	= ceph_crypt_has_stable_inodes,
> >  };
> 
> What is the use case for implementing this?  Note the comment in the struct
> definition:
> 
>        /*
>          * Check whether the filesystem's inode numbers and UUID are stable,
>          * meaning that they will never be changed even by offline operations
>          * such as filesystem shrinking and therefore can be used in the
>          * encryption without the possibility of files becoming unreadable.
>          *
>          * Filesystems only need to implement this function if they want to
>          * support the FSCRYPT_POLICY_FLAG_IV_INO_LBLK_{32,64} flags.  These
>          * flags are designed to work around the limitations of UFS and eMMC
>          * inline crypto hardware, and they shouldn't be used in scenarios where
>          * such hardware isn't being used.
>          *
>          * Leaving this NULL is equivalent to always returning false.
>          */
>         bool (*has_stable_inodes)(struct super_block *sb);
> 
> I think you should just leave this NULL for now.
> 

Mostly we were just looking for ways to make all of the -g encrypt
xfstests pass. I'll plan to drop this patch and 07/54. I don't see any
need to support legacy modes or stuff that involves special storage hw.
-
Jeff Layton <jlayton@kernel.org>

Eric Biggers April 1, 2022, 6:16 p.m. UTC | #3

On Fri, Apr 01, 2022 at 06:37:10AM -0400, Jeff Layton wrote:
> On Thu, 2022-03-31 at 20:03 +0000, Eric Biggers wrote:
> > On Thu, Mar 31, 2022 at 11:30:44AM -0400, Jeff Layton wrote:
> > >  static struct fscrypt_operations ceph_fscrypt_ops = {
> > >  	.key_prefix		= "ceph:",
> > >  	.get_context		= ceph_crypt_get_context,
> > >  	.set_context		= ceph_crypt_set_context,
> > >  	.empty_dir		= ceph_crypt_empty_dir,
> > > +	.has_stable_inodes	= ceph_crypt_has_stable_inodes,
> > >  };
> > 
> > What is the use case for implementing this?  Note the comment in the struct
> > definition:
> > 
> >        /*
> >          * Check whether the filesystem's inode numbers and UUID are stable,
> >          * meaning that they will never be changed even by offline operations
> >          * such as filesystem shrinking and therefore can be used in the
> >          * encryption without the possibility of files becoming unreadable.
> >          *
> >          * Filesystems only need to implement this function if they want to
> >          * support the FSCRYPT_POLICY_FLAG_IV_INO_LBLK_{32,64} flags.  These
> >          * flags are designed to work around the limitations of UFS and eMMC
> >          * inline crypto hardware, and they shouldn't be used in scenarios where
> >          * such hardware isn't being used.
> >          *
> >          * Leaving this NULL is equivalent to always returning false.
> >          */
> >         bool (*has_stable_inodes)(struct super_block *sb);
> > 
> > I think you should just leave this NULL for now.
> > 
> 
> Mostly we were just looking for ways to make all of the -g encrypt
> xfstests pass. I'll plan to drop this patch and 07/54. I don't see any
> need to support legacy modes or stuff that involves special storage hw.

Do generic/592 and generic/602 fail without this patch?  If so, that would be a
test bug, since they should be skipped if the filesystem doesn't support
FSCRYPT_POLICY_FLAG_IV_INO_LBLK_{64,32}.  I think that
_require_encryption_policy_support() should be already taking care of that,
though?

- Eric

Jeffrey Layton April 1, 2022, 6:51 p.m. UTC | #4

On Fri, 2022-04-01 at 18:16 +0000, Eric Biggers wrote:
> On Fri, Apr 01, 2022 at 06:37:10AM -0400, Jeff Layton wrote:
> > On Thu, 2022-03-31 at 20:03 +0000, Eric Biggers wrote:
> > > On Thu, Mar 31, 2022 at 11:30:44AM -0400, Jeff Layton wrote:
> > > >  static struct fscrypt_operations ceph_fscrypt_ops = {
> > > >  	.key_prefix		= "ceph:",
> > > >  	.get_context		= ceph_crypt_get_context,
> > > >  	.set_context		= ceph_crypt_set_context,
> > > >  	.empty_dir		= ceph_crypt_empty_dir,
> > > > +	.has_stable_inodes	= ceph_crypt_has_stable_inodes,
> > > >  };
> > > 
> > > What is the use case for implementing this?  Note the comment in the struct
> > > definition:
> > > 
> > >        /*
> > >          * Check whether the filesystem's inode numbers and UUID are stable,
> > >          * meaning that they will never be changed even by offline operations
> > >          * such as filesystem shrinking and therefore can be used in the
> > >          * encryption without the possibility of files becoming unreadable.
> > >          *
> > >          * Filesystems only need to implement this function if they want to
> > >          * support the FSCRYPT_POLICY_FLAG_IV_INO_LBLK_{32,64} flags.  These
> > >          * flags are designed to work around the limitations of UFS and eMMC
> > >          * inline crypto hardware, and they shouldn't be used in scenarios where
> > >          * such hardware isn't being used.
> > >          *
> > >          * Leaving this NULL is equivalent to always returning false.
> > >          */
> > >         bool (*has_stable_inodes)(struct super_block *sb);
> > > 
> > > I think you should just leave this NULL for now.
> > > 
> > 
> > Mostly we were just looking for ways to make all of the -g encrypt
> > xfstests pass. I'll plan to drop this patch and 07/54. I don't see any
> > need to support legacy modes or stuff that involves special storage hw.
> 
> Do generic/592 and generic/602 fail without this patch?  If so, that would be a
> test bug, since they should be skipped if the filesystem doesn't support
> FSCRYPT_POLICY_FLAG_IV_INO_LBLK_{64,32}.  I think that
> _require_encryption_policy_support() should be already taking care of that,
> though?
> 


My mistake. Those are just skipped with that patch dropped.

Thanks,

Patch

diff --git a/fs/ceph/crypto.c b/fs/ceph/crypto.c
index d1a6595a810f..3ec01702e7be 100644
--- a/fs/ceph/crypto.c
+++ b/fs/ceph/crypto.c
@@ -57,6 +57,11 @@  static int ceph_crypt_set_context(struct inode *inode, const void *ctx, size_t l
 	return ret;
 }
 
+static const union fscrypt_policy *ceph_get_dummy_policy(struct super_block *sb)
+{
+	return ceph_sb_to_client(sb)->dummy_enc_policy.policy;
+}
+
 static bool ceph_crypt_empty_dir(struct inode *inode)
 {
 	struct ceph_inode_info *ci = ceph_inode(inode);
@@ -64,11 +69,17 @@  static bool ceph_crypt_empty_dir(struct inode *inode)
 	return ci->i_rsubdirs + ci->i_rfiles == 1;
 }
 
+static bool ceph_crypt_has_stable_inodes(struct super_block *sb)
+{
+	return true;
+}
+
 static struct fscrypt_operations ceph_fscrypt_ops = {
 	.key_prefix		= "ceph:",
 	.get_context		= ceph_crypt_get_context,
 	.set_context		= ceph_crypt_set_context,
 	.empty_dir		= ceph_crypt_empty_dir,
+	.has_stable_inodes	= ceph_crypt_has_stable_inodes,
 };
 
 void ceph_fscrypt_set_ops(struct super_block *sb)
diff --git a/fs/ceph/file.c b/fs/ceph/file.c
index cccf729b55a8..5832dcea2d8c 100644
--- a/fs/ceph/file.c
+++ b/fs/ceph/file.c
@@ -629,6 +629,8 @@  static int ceph_finish_async_create(struct inode *dir, struct inode *inode,
 	iinfo.xattr_data = xattr_buf;
 	memset(iinfo.xattr_data, 0, iinfo.xattr_len);
 
+	/* FIXME: set fscrypt_auth and fscrypt_file */
+
 	in.ino = cpu_to_le64(vino.ino);
 	in.snapid = cpu_to_le64(CEPH_NOSNAP);
 	in.version = cpu_to_le64(1);	// ???
diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
index 9b333e9966f0..216e90779a55 100644
--- a/fs/ceph/inode.c
+++ b/fs/ceph/inode.c
@@ -615,7 +615,10 @@  struct inode *ceph_alloc_inode(struct super_block *sb)
 	INIT_WORK(&ci->i_work, ceph_inode_work);
 	ci->i_work_mask = 0;
 	memset(&ci->i_btime, '\0', sizeof(ci->i_btime));
-
+#ifdef CONFIG_FS_ENCRYPTION
+	ci->fscrypt_auth = NULL;
+	ci->fscrypt_auth_len = 0;
+#endif
 	ceph_fscache_inode_init(ci);
 
 	return &ci->vfs_inode;
@@ -626,6 +629,9 @@  void ceph_free_inode(struct inode *inode)
 	struct ceph_inode_info *ci = ceph_inode(inode);
 
 	kfree(ci->i_symlink);
+#ifdef CONFIG_FS_ENCRYPTION
+	kfree(ci->fscrypt_auth);
+#endif
 	kmem_cache_free(ceph_inode_cachep, ci);
 }
 
@@ -1026,6 +1032,16 @@  int ceph_fill_inode(struct inode *inode, struct page *locked_page,
 		xattr_blob = NULL;
 	}
 
+#ifdef CONFIG_FS_ENCRYPTION
+	if (iinfo->fscrypt_auth_len && !ci->fscrypt_auth) {
+		ci->fscrypt_auth_len = iinfo->fscrypt_auth_len;
+		ci->fscrypt_auth = iinfo->fscrypt_auth;
+		iinfo->fscrypt_auth = NULL;
+		iinfo->fscrypt_auth_len = 0;
+		inode_set_flags(inode, S_ENCRYPTED, S_ENCRYPTED);
+	}
+#endif
+
 	/* finally update i_version */
 	if (le64_to_cpu(info->version) > ci->i_version)
 		ci->i_version = le64_to_cpu(info->version);
diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
index 7aa253be7edc..cd7ad033492b 100644
--- a/fs/ceph/mds_client.c
+++ b/fs/ceph/mds_client.c
@@ -184,8 +184,52 @@  static int parse_reply_info_in(void **p, void *end,
 			info->rsnaps = 0;
 		}
 
+		if (struct_v >= 5) {
+			u32 alen;
+
+			ceph_decode_32_safe(p, end, alen, bad);
+
+			while (alen--) {
+				u32 len;
+
+				/* key */
+				ceph_decode_32_safe(p, end, len, bad);
+				ceph_decode_skip_n(p, end, len, bad);
+				/* value */
+				ceph_decode_32_safe(p, end, len, bad);
+				ceph_decode_skip_n(p, end, len, bad);
+			}
+		}
+
+		/* fscrypt flag -- ignore */
+		if (struct_v >= 6)
+			ceph_decode_skip_8(p, end, bad);
+
+		info->fscrypt_auth = NULL;
+		info->fscrypt_auth_len = 0;
+		info->fscrypt_file = NULL;
+		info->fscrypt_file_len = 0;
+		if (struct_v >= 7) {
+			ceph_decode_32_safe(p, end, info->fscrypt_auth_len, bad);
+			if (info->fscrypt_auth_len) {
+				info->fscrypt_auth = kmalloc(info->fscrypt_auth_len, GFP_KERNEL);
+				if (!info->fscrypt_auth)
+					return -ENOMEM;
+				ceph_decode_copy_safe(p, end, info->fscrypt_auth,
+						      info->fscrypt_auth_len, bad);
+			}
+			ceph_decode_32_safe(p, end, info->fscrypt_file_len, bad);
+			if (info->fscrypt_file_len) {
+				info->fscrypt_file = kmalloc(info->fscrypt_file_len, GFP_KERNEL);
+				if (!info->fscrypt_file)
+					return -ENOMEM;
+				ceph_decode_copy_safe(p, end, info->fscrypt_file,
+						      info->fscrypt_file_len, bad);
+			}
+		}
 		*p = end;
 	} else {
+		/* legacy (unversioned) struct */
 		if (features & CEPH_FEATURE_MDS_INLINE_DATA) {
 			ceph_decode_64_safe(p, end, info->inline_version, bad);
 			ceph_decode_32_safe(p, end, info->inline_len, bad);
@@ -650,8 +694,21 @@  static int parse_reply_info(struct ceph_mds_session *s, struct ceph_msg *msg,
 
 static void destroy_reply_info(struct ceph_mds_reply_info_parsed *info)
 {
+	int i;
+
+	kfree(info->diri.fscrypt_auth);
+	kfree(info->diri.fscrypt_file);
+	kfree(info->targeti.fscrypt_auth);
+	kfree(info->targeti.fscrypt_file);
 	if (!info->dir_entries)
 		return;
+
+	for (i = 0; i < info->dir_nr; i++) {
+		struct ceph_mds_reply_dir_entry *rde = info->dir_entries + i;
+
+		kfree(rde->inode.fscrypt_auth);
+		kfree(rde->inode.fscrypt_file);
+	}
 	free_pages((unsigned long)info->dir_entries, get_order(info->dir_buf_size));
 }
 
diff --git a/fs/ceph/mds_client.h b/fs/ceph/mds_client.h
index 2e945979a2e0..96d726ee5250 100644
--- a/fs/ceph/mds_client.h
+++ b/fs/ceph/mds_client.h
@@ -88,6 +88,10 @@  struct ceph_mds_reply_info_in {
 	s32 dir_pin;
 	struct ceph_timespec btime;
 	struct ceph_timespec snap_btime;
+	u8 *fscrypt_auth;
+	u8 *fscrypt_file;
+	u32 fscrypt_auth_len;
+	u32 fscrypt_file_len;
 	u64 rsnaps;
 	u64 change_attr;
 };
diff --git a/fs/ceph/super.h b/fs/ceph/super.h
index f23e49f46440..e12e5b484564 100644
--- a/fs/ceph/super.h
+++ b/fs/ceph/super.h
@@ -438,6 +438,12 @@  struct ceph_inode_info {
 	struct work_struct i_work;
 	unsigned long  i_work_mask;
 
+#ifdef CONFIG_FS_ENCRYPTION
+	u32 fscrypt_auth_len;
+	u32 fscrypt_file_len;
+	u8 *fscrypt_auth;
+	u8 *fscrypt_file;
+#endif
 #ifdef CONFIG_CEPH_FSCACHE
 	struct fscache_cookie *fscache;
 #endif