From patchwork Wed Apr 1 20:32:36 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11469529 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 490DF14DD for ; Wed, 1 Apr 2020 20:35:12 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 1E0A421556 for ; Wed, 1 Apr 2020 20:35:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1585773312; bh=5e/Y+DpQuAnaUyh7Fynhd3HWaNOkr6/qj0jz1CifLP4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=1CwI16FTEhwMmx+EbTVCTmXnZcAXto5viSmE5grBX4o/yPllrP1dFUj5hFYIODb2s etWMG7ZdUsnOcuezeya8McJGBZp67jwa1D9tnQ3E09s+Ab9GbZHOD38fWwyBTMNmkv n5EgAJeuteB0OZd9j/cT6M7TUblGrTX87RfzD3E4= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733065AbgDAUe7 (ORCPT ); Wed, 1 Apr 2020 16:34:59 -0400 Received: from mail.kernel.org ([198.145.29.99]:54402 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1733008AbgDAUe4 (ORCPT ); Wed, 1 Apr 2020 16:34:56 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.76]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E3BA1208FE; Wed, 1 Apr 2020 20:34:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1585773296; bh=5e/Y+DpQuAnaUyh7Fynhd3HWaNOkr6/qj0jz1CifLP4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=u6ei9k92ro9BSBgwA/aBAWTLPBkDZQOrDOUe+O/JUn7Ij35Qx/ZtCaDclMSQ6gwAL hplacUVQW29LYFuXOg4diN2AKRytaD2yf0teOXqEms7RP9U9F3rkV9PMNAjMcfUQH5 /gX+fEaPOHfvueBVws2FLK3Zi2mObxKqCmAwkZEA= From: Eric Biggers To: linux-ext4@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org Subject: [PATCH 1/4] tune2fs: prevent changing UUID of fs with stable_inodes feature Date: Wed, 1 Apr 2020 13:32:36 -0700 Message-Id: <20200401203239.163679-2-ebiggers@kernel.org> X-Mailer: git-send-email 2.26.0.rc2.310.g2932bb562d-goog In-Reply-To: <20200401203239.163679-1-ebiggers@kernel.org> References: <20200401203239.163679-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org From: Eric Biggers The stable_inodes feature is intended to indicate that it's safe to use IV_INO_LBLK_64 encryption policies, where the encryption depends on the inode numbers and thus filesystem shrinking is not allowed. However since inode numbers are not unique across filesystems, the encryption also depends on the filesystem UUID, and I missed that there is a supported way to change the filesystem UUID (tune2fs -U). So, make 'tune2fs -U' report an error if stable_inodes is set. We could add a separate stable_uuid feature flag, but it seems unlikely it would be useful enough on its own to warrant another flag. Signed-off-by: Eric Biggers --- misc/tune2fs.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/misc/tune2fs.c b/misc/tune2fs.c index 314cc0d0..ca06c98b 100644 --- a/misc/tune2fs.c +++ b/misc/tune2fs.c @@ -3236,6 +3236,13 @@ _("Warning: The journal is dirty. You may wish to replay the journal like:\n\n" char buf[SUPERBLOCK_SIZE] __attribute__ ((aligned(8))); __u8 old_uuid[UUID_SIZE]; + if (ext2fs_has_feature_stable_inodes(fs->super)) { + fputs(_("Cannot change the UUID of this filesystem " + "because it has the stable_inodes feature " + "flag.\n"), stderr); + exit(1); + } + if (!ext2fs_has_feature_csum_seed(fs->super) && (ext2fs_has_feature_metadata_csum(fs->super) || ext2fs_has_feature_ea_inode(fs->super))) { From patchwork Wed Apr 1 20:32:37 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11469531 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 7CDFB1392 for ; Wed, 1 Apr 2020 20:35:12 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 532E621556 for ; Wed, 1 Apr 2020 20:35:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1585773312; bh=lULBR8F0SU6L1eL9eCxVWhUwtdadVqkQZEXiE+fSBDg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=N6phZr0/ygBfSIX9hUKeG033i0laf45hC3F+/8bAPhnQPhYPZ2E93vUwiXv7tUec6 plBCpNPopZoWr6XY3Dj2XXDqax+LXT4ueEP0/yoCXUOvDsYftIEVB082XxGy1s/IA6 +FvlJ84e6ne8QBuGSt94lypB/6Ew7ihegY6/vfqk= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733021AbgDAUe6 (ORCPT ); Wed, 1 Apr 2020 16:34:58 -0400 Received: from mail.kernel.org ([198.145.29.99]:54404 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732786AbgDAUe4 (ORCPT ); Wed, 1 Apr 2020 16:34:56 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.76]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 2571920B1F; Wed, 1 Apr 2020 20:34:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1585773296; bh=lULBR8F0SU6L1eL9eCxVWhUwtdadVqkQZEXiE+fSBDg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=LG9xQxSpDvgM5C/4tfXsZaQVf7bcZTBuaqmrlaAkHfkkaRxIqcP8UleAOy5gEF0U6 8jUqGj7rDE/o2uunhqjLEg0duip2YOZgEziQYH18PlNUgTHXYDadQYvCG+B8LR7fba aI/GRP0n1aZSplg3ulxPWSeULykq6P/bt+65PTTU= From: Eric Biggers To: linux-ext4@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org Subject: [PATCH 2/4] tune2fs: prevent stable_inodes feature from being cleared Date: Wed, 1 Apr 2020 13:32:37 -0700 Message-Id: <20200401203239.163679-3-ebiggers@kernel.org> X-Mailer: git-send-email 2.26.0.rc2.310.g2932bb562d-goog In-Reply-To: <20200401203239.163679-1-ebiggers@kernel.org> References: <20200401203239.163679-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org From: Eric Biggers Similar to encrypt and verity, once the stable_inodes feature has been enabled there may be files anywhere on the filesystem that require this feature. Therefore, in general it's unsafe to allow clearing it. Don't allow tune2fs to do so. Like encrypt and verity, it can still be cleared with debugfs if someone really knows what they're doing. Signed-off-by: Eric Biggers --- misc/tune2fs.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/misc/tune2fs.c b/misc/tune2fs.c index ca06c98b..81f90cbf 100644 --- a/misc/tune2fs.c +++ b/misc/tune2fs.c @@ -181,8 +181,7 @@ static __u32 clear_ok_features[3] = { EXT3_FEATURE_COMPAT_HAS_JOURNAL | EXT2_FEATURE_COMPAT_RESIZE_INODE | EXT2_FEATURE_COMPAT_DIR_INDEX | - EXT4_FEATURE_COMPAT_FAST_COMMIT | - EXT4_FEATURE_COMPAT_STABLE_INODES, + EXT4_FEATURE_COMPAT_FAST_COMMIT, /* Incompat */ EXT2_FEATURE_INCOMPAT_FILETYPE | EXT4_FEATURE_INCOMPAT_FLEX_BG | From patchwork Wed Apr 1 20:32:38 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11469533 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B455D1805 for ; Wed, 1 Apr 2020 20:35:12 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 876392137B for ; Wed, 1 Apr 2020 20:35:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1585773312; bh=asV0FOHdhlZH5ZrfsvPkfpWgqdAVrxpW3yMEjV5dxJ0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=1+OOuMuVb4PSUV2mDz0/2rkE3M7FweOL9dmLea7vcqu48M1KwzqB81wj6uF425f+K 0Lx4k81TZNrb7JMy4StPOaSdC4xg3WlDboJyMNdz8AH4Ug35H8HMzNmwmuNza/AomZ aVrik2SNNPtnMF0rLjiXhLoAkbBmif8pmm+cU6WI= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733044AbgDAUe6 (ORCPT ); Wed, 1 Apr 2020 16:34:58 -0400 Received: from mail.kernel.org ([198.145.29.99]:54406 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1733018AbgDAUe5 (ORCPT ); Wed, 1 Apr 2020 16:34:57 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.76]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 5B10A20BED; Wed, 1 Apr 2020 20:34:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1585773296; bh=asV0FOHdhlZH5ZrfsvPkfpWgqdAVrxpW3yMEjV5dxJ0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=IbnBYal/8lTLmc4T5JqZG811IKIJIvFd+mt1bHZJ6avPcHMh1s2+feqKAkpBLah99 N1ci+2tv4x3FpvtcrC9MCHI8pUZjgvWxIJceQzpBV+wkvkRIvU4+NnfgVEdmB593eP sHzbtmvCyto5Z1oqswH1R4AQQmzf7SSIK0kdFAx8= From: Eric Biggers To: linux-ext4@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org Subject: [PATCH 3/4] ext4.5: document the stable_inodes feature Date: Wed, 1 Apr 2020 13:32:38 -0700 Message-Id: <20200401203239.163679-4-ebiggers@kernel.org> X-Mailer: git-send-email 2.26.0.rc2.310.g2932bb562d-goog In-Reply-To: <20200401203239.163679-1-ebiggers@kernel.org> References: <20200401203239.163679-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org From: Eric Biggers Signed-off-by: Eric Biggers --- misc/ext4.5.in | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/misc/ext4.5.in b/misc/ext4.5.in index 1db61a5f..90bc4f88 100644 --- a/misc/ext4.5.in +++ b/misc/ext4.5.in @@ -299,6 +299,20 @@ feature is essentially a more extreme version of sparse_super and is designed to allow a much larger percentage of the disk to have contiguous blocks available for data files. .TP +.B stable_inodes +.br +Marks the filesystem's inode numbers and UUID as stable. +.BR resize2fs (8) +will not allow shrinking a filesystem with this feature, nor +will +.BR tune2fs (8) +allow changing its UUID. This feature allows the use of specialized encryption +settings that make use of the inode numbers and UUID. Note that the +.B encrypt +feature still needs to be enabled separately. +.B stable_inodes +is a "compat" feature, so old kernels will allow it. +.TP .B uninit_bg .br This ext4 file system feature indicates that the block group descriptors @@ -788,6 +802,8 @@ ext4, 4.13 ext4, 5.2 .IP "\fBverity\fR" 2i ext4, 5.4 +.IP "\fBstable_inodes\fR" 2i +ext4, 5.5 .SH SEE ALSO .BR mke2fs (8), .BR mke2fs.conf (5), From patchwork Wed Apr 1 20:32:39 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11469535 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E6B8D17EA for ; Wed, 1 Apr 2020 20:35:12 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id BC0AB2137B for ; Wed, 1 Apr 2020 20:35:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1585773312; bh=+1NW6Mkzb7xHuLjpEh9AxTsAlZnBD98KP1zGLJyrNp0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=ssUKPFn2NFqKMD/JNulCFC1505FpLathxPoLpa4NvdGCzEmx2Ld/PkNSTlp+BWGVL x68QlcthNa/Qk9udl9AVqVGQkiujUfqY4/o9T1Qxt6vdCzS335pTBn/pksZJDF8Onh oOS3F5HE3ZVS27xw3Sxo+xayRaAmFgBYSkuvIZ3E= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733028AbgDAUe6 (ORCPT ); Wed, 1 Apr 2020 16:34:58 -0400 Received: from mail.kernel.org ([198.145.29.99]:54408 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1733021AbgDAUe5 (ORCPT ); Wed, 1 Apr 2020 16:34:57 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.76]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 916E92082F; Wed, 1 Apr 2020 20:34:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1585773296; bh=+1NW6Mkzb7xHuLjpEh9AxTsAlZnBD98KP1zGLJyrNp0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=AqHoq1ighwkpVcshZ5YOjoAvrC09TNdJZ7b2h12P3Ev2MJuQQHm4sZgvnESK/64v/ WtuePhrsNA4fAHrtPvCFlLnRoQBOU0ejGI6psT4KFFpfUXBcqEiwbmEv/96fQRruWC awizldlvg7/cIKcu5GJuX5G1tVWQZvXXKiMFvic8= From: Eric Biggers To: linux-ext4@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org Subject: [PATCH 4/4] tune2fs.8: document the stable_inodes feature Date: Wed, 1 Apr 2020 13:32:39 -0700 Message-Id: <20200401203239.163679-5-ebiggers@kernel.org> X-Mailer: git-send-email 2.26.0.rc2.310.g2932bb562d-goog In-Reply-To: <20200401203239.163679-1-ebiggers@kernel.org> References: <20200401203239.163679-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org From: Eric Biggers Signed-off-by: Eric Biggers Reviewed-by: Andreas Dilger --- misc/tune2fs.8.in | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/misc/tune2fs.8.in b/misc/tune2fs.8.in index 3cf1f5ed..582d1da5 100644 --- a/misc/tune2fs.8.in +++ b/misc/tune2fs.8.in @@ -630,6 +630,13 @@ Limit the number of backup superblocks to save space on large filesystems. .B Tune2fs currently only supports setting this filesystem feature. .TP +.B stable_inodes +Prevent the filesystem from being shrunk or having its UUID changed, in order to +allow the use of specialized encryption settings that make use of the inode +numbers and UUID. +.B Tune2fs +currently only supports setting this filesystem feature. +.TP .B uninit_bg Allow the kernel to initialize bitmaps and inode tables lazily, and to keep a high watermark for the unused inodes in a filesystem, to reduce