Message ID | 20211209153647.58953-1-jlayton@kernel.org |
---|---|
Series | ceph+fscrypt: context, filename, symlink and size handling support |
On 12/9/21 11:36 PM, Jeff Layton wrote:
> I've not posted this in a while, so I figured it was a good time to do
> so. This patchset is a pile of the mostly settled parts of the fscrypt
> integration series. With this, pretty much everything but the actual
> content encryption in files now works.
>
> This series is also in the wip-fscrypt-size branch of the ceph-client
> tree:
>
>     https://github.com/ceph/ceph-client/tree/wip-fscrypt-size
>
> It would also be nice to have an ack from Al Viro on patch #1, and from
> Eric Biggers on #2-5. Those touch code outside of the ceph parts. If
> they aren't acceptable for some reason, I'll need to find other ways to
> handle them.
>
> Jeff Layton (31):
>   vfs: export new_inode_pseudo
>   fscrypt: export fscrypt_base64url_encode and fscrypt_base64url_decode
>   fscrypt: export fscrypt_fname_encrypt and fscrypt_fname_encrypted_size
>   fscrypt: add fscrypt_context_for_new_inode
>   fscrypt: uninline and export fscrypt_require_key
>   ceph: preallocate inode for ops that may create one
>   ceph: crypto context handling for ceph
>   ceph: parse new fscrypt_auth and fscrypt_file fields in inode traces
>   ceph: add fscrypt_* handling to caps.c
>   ceph: add ability to set fscrypt_auth via setattr
>   ceph: implement -o test_dummy_encryption mount option
>   ceph: decode alternate_name in lease info
>   ceph: add fscrypt ioctls
>   ceph: make ceph_msdc_build_path use ref-walk
>   ceph: add encrypted fname handling to ceph_mdsc_build_path
>   ceph: send altname in MClientRequest
>   ceph: encode encrypted name in dentry release
>   ceph: properly set DCACHE_NOKEY_NAME flag in lookup
>   ceph: make d_revalidate call fscrypt revalidator for encrypted
>     dentries
>   ceph: add helpers for converting names for userland presentation
>   ceph: add fscrypt support to ceph_fill_trace
>   ceph: add support to readdir for encrypted filenames
>   ceph: create symlinks with encrypted and base64-encoded targets
>   ceph: make ceph_get_name decrypt filenames
>   ceph: add a new ceph.fscrypt.auth vxattr
>   ceph: add some fscrypt guardrails
>   libceph: add CEPH_OSD_OP_ASSERT_VER support
>   ceph: size handling for encrypted inodes in cap updates
>   ceph: fscrypt_file field handling in MClientRequest messages
>   ceph: get file size from fscrypt_file when present in inode traces
>   ceph: handle fscrypt fields in cap messages from MDS
>
> Luis Henriques (1):
>   ceph: don't allow changing layout on encrypted files/directories
>
> Xiubo Li (4):
>   ceph: add __ceph_get_caps helper support
>   ceph: add __ceph_sync_read helper support
>   ceph: add object version support for sync read
>   ceph: add truncate size handling support for fscrypt
>
>  fs/ceph/Makefile                |   1 +
>  fs/ceph/acl.c                   |   4 +-
>  fs/ceph/caps.c                  | 211 ++++++++++--
>  fs/ceph/crypto.c                | 253 ++++++++++++++
>  fs/ceph/crypto.h                | 154 +++++++++
>  fs/ceph/dir.c                   | 209 +++++++++---
>  fs/ceph/export.c                |  44 ++-
>  fs/ceph/file.c                  | 125 ++++---
>  fs/ceph/inode.c                 | 566 +++++++++++++++++++++++++++++---
>  fs/ceph/ioctl.c                 |  87 +++++
>  fs/ceph/mds_client.c            | 349 +++++++++++++++++---
>  fs/ceph/mds_client.h            |  24 +-
>  fs/ceph/super.c                 |  82 ++++-
>  fs/ceph/super.h                 |  42 ++-
>  fs/ceph/xattr.c                 |  29 ++
>  fs/crypto/fname.c               |  40 ++-
>  fs/crypto/fscrypt_private.h     |  35 +-
>  fs/crypto/hooks.c               |   6 +-
>  fs/crypto/keysetup.c            |  27 ++
>  fs/crypto/policy.c              |  34 +-
>  fs/inode.c                      |   1 +
>  include/linux/ceph/ceph_fs.h    |  21 +-
>  include/linux/ceph/osd_client.h |   6 +-
>  include/linux/ceph/rados.h      |   4 +
>  include/linux/fscrypt.h         |  15 +
>  net/ceph/osd_client.c           |   5 +
>  26 files changed, 2087 insertions(+), 287 deletions(-)
>  create mode 100644 fs/ceph/crypto.c
>  create mode 100644 fs/ceph/crypto.h
>

I have tested this series together with ceph side PR#1 and worked well
for me. LGTM.

1), https://github.com/ceph/ceph/pull/43588

Reviewed-by: Xiubo Li <xiubli@redhat.com>

BRs

On Thu, Dec 09, 2021 at 10:36:13AM -0500, Jeff Layton wrote:
> Ceph is going to add fscrypt support, but we still want encrypted
> filenames to be composed of printable characters, so we can maintain
> compatibility with clients that don't support fscrypt.
>
> We could just adopt fscrypt's current nokey name format, but that is
> subject to change in the future, and it also contains dirhash fields
> that we don't need for cephfs. Because of this, we're going to concoct
> our own scheme for encoding encrypted filenames. It's very similar to
> fscrypt's current scheme, but doesn't bother with the dirhash fields.
>
> The ceph encoding scheme will use base64 encoding as well, and we also
> want it to avoid characters that are illegal in filenames. Export the
> fscrypt base64 encoding/decoding routines so we can use them in ceph's
> fscrypt implementation.
>
> Signed-off-by: Jeff Layton <jlayton@kernel.org>
> ---
>  fs/crypto/fname.c       | 8 ++++----
>  include/linux/fscrypt.h | 5 +++++
>  2 files changed, 9 insertions(+), 4 deletions(-)

Acked-by: Eric Biggers <ebiggers@google.com>

- Eric

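The commit message quoted above asks for an encoding of encrypted filenames that stays printable and avoids characters that are illegal in filenames. As an added example (user-space C, not code from the patch or from the kernel), the following encodes and decodes with the unpadded RFC 4648 base64url alphabet, which is assumed here to be what `fscrypt_base64url_encode`/`fscrypt_base64url_decode` produce; the `demo_*` names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 4648 base64url alphabet: '-' and '_' replace '+' and '/'. */
static const char b64url[] =
	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
/* Constructed sample "ciphertext": includes a NUL and a '/' byte (0x2f). */
const uint8_t demo_ct[5] = { 0xfb, 0xff, 0x00, 0x2f, 0x3e };

/* Encode without '=' padding; dst needs (srclen * 4 + 2) / 3 + 1 bytes. */
size_t demo_b64url_encode(const uint8_t *src, size_t srclen, char *dst)
{
	uint32_t acc = 0;
	int bits = 0;
	char *p = dst;

	for (size_t i = 0; i < srclen; i++) {
		acc = (acc << 8) | src[i];
		for (bits += 8; bits >= 6; bits -= 6)
			*p++ = b64url[(acc >> (bits - 6)) & 0x3f];
	}
	if (bits)	/* 2 or 4 leftover bits, zero-filled on the right */
		*p++ = b64url[(acc << (6 - bits)) & 0x3f];
	*p = '\0';
	return (size_t)(p - dst);
}

/* Decode; returns the byte count, or -1 for input that is not valid. */
long demo_b64url_decode(const char *src, size_t srclen, uint8_t *dst)
{
	uint32_t acc = 0;
	int bits = 0;
	uint8_t *p = dst;

	for (size_t i = 0; i < srclen; i++) {
		const char *pos = src[i] ? strchr(b64url, src[i]) : NULL;
		if (!pos)	/* '/', '+', '=', NUL and the like are rejected */
			return -1;
		acc = (acc << 6) | (uint32_t)(pos - b64url);
		bits += 6;
		if (bits >= 8) {
			bits -= 8;
			*p++ = (uint8_t)(acc >> bits);
		}
	}
	/* Reject non-zero leftover bits so each byte string has one name. */
	return (acc & ((1u << bits) - 1)) ? -1 : (long)(p - dst);
}
```

The sample bytes encode to `-_8ALz4`; standard base64 would give `+/8ALz4=`, and the `/` in that output could not be stored as part of a filename.
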
On Thu, Dec 09, 2021 at 10:36:11AM -0500, Jeff Layton wrote:
> I've not posted this in a while, so I figured it was a good time to do
> so. This patchset is a pile of the mostly settled parts of the fscrypt
> integration series. With this, pretty much everything but the actual
> content encryption in files now works.

There have been a lot of versions of this sent out without contents
encryption support, which is the most important part. Is there a path
forward for that?

- Eric