Ceph » Linux kernel client

At this point there are already a few open points requiring some investigation, namely:

• How to handle encrypted filenames, which may contain illegal characters ('\0' and '/')
  This may require changes to the MDS:
  - MDS needs to either handle these characters itself. But how would clients not supporting fscrypt handle these? Or
  - Have the filenames sent to the MDS already base64-encoded. The problem here is that in this case we may have filenames > NAME_MAX. The MDS doesn't seem to care (this needs confirmation), but are other clients able handle it gracefully?

• Have an xattr containing fscrypt context (contain data such as a nonce randomly generated) sent in cleartext to the MDS
  I'm not sure how sensitive is the data stored in this xattr. Having it sent in cleartext isn't desirable, but is it really critical from a cryptographic point of view? This fscrypt doesn't really need to be stored as an extended attribute, but what would the alternatives be, and would those be safer?

• Setting the crypt xattr needs to be atomic with checking if a dir is empty
  Setting a directory as encrypted can only be done if that directory is empty. Thus, when a user sets a directory as encrypted we need to atomically check if it's empty and, if it is, set the xattr. The easiest solution would be to offload this to the MDS, as it's done with setting the quotas and the file/dir layouts. But it should also be doable with caps on the client.

NOTE: for obvious reasons, it would be great if we could handle everything on the client side without involving the MDS. Even if it involves some extra complexity, it may be worth the trouble so that we don't need to had things like feature bits and all the required paraphernalia.

Patrick Donnelly wrote:

If the client has the feature bit set but doesn't have the encryption keys, it just passes the file name truncated to the kernel/userspace so that the userspace tools continue to work. In particular, you can rmr an encrypted tree without the keys.

We can't use truncated names because those could easily collide. What we'd probably want to do is have the MDS use the fscrypt_nokey_name with those clients. From fs/crypto/fname.c in the kernel sources:

 * To meet all these requirements, we base64-encode the following                                   
 * variable-length structure.  It contains the dirhash, or 0's if the filesystem                    
 * didn't provide one; up to 149 bytes of the ciphertext name; and for                              
 * ciphertexts longer than 149 bytes, also the SHA-256 of the remaining bytes.                      
 *                                                                                                  
 * This ensures that each no-key name contains everything needed to find the                        
 * directory entry again, contains only legal characters, doesn't exceed                            
 * NAME_MAX, is unambiguous unless there's a SHA-256 collision, and that we only                    
 * take the performance hit of SHA-256 on very long filenames (which are rare).
 */                                                                                                 
struct fscrypt_nokey_name {                                                                         
        u32 dirhash[2];                                                                             
        u8 bytes[149];                                                                              
        u8 sha256[SHA256_DIGEST_SIZE];                                                              
}; /* 189 bytes => 252 bytes base64-encoded, which is <= NAME_MAX (255) */                                               

We'd have to reimplement that code in the MDS, but that should be relatively easy.

One problem though that the existing fscrypt-enabled fs' don't need to contend with is subtree mounts. With ceph we can mount at some point down in the tree rather than at the root of the fs, but that's much less common with local fs's.

Most of the existing tooling seems to be set up to mount first and then just make sure the key is instantiated before you do any activity in the encrypted dirs.

We could require that people mount the ciphertext path, as that should (presumably) work. Another idea might be to just ban subtree mounts on volumes with encryption enabled.

Patrick Donnelly wrote:

[...]

If the client has the feature bit set but doesn't have the encryption keys, it just passes the file name truncated to the kernel/userspace so that the userspace tools continue to work. In particular, you can rmr an encrypted tree without the keys.

The MDS needs to always send the full filename to the client if that client has supports for fscrypt. If it does support fscrypt but the key isn't loaded (yet), the client will handle the filename truncation locally. If later on the key is loaded, the client is already able to decrypt the real filename.

Jeff Layton wrote:

[...]

We'd have to reimplement that code in the MDS, but that should be relatively easy.

So, the MDS will always receive the full filename base64 encoded, which will need to be decoded to build the truncated name for clients that don't support file encryption. Which means that the MDS will need to:

• know if a specific file is encrypted or not
• know if a client has support for encrypted files, and
• handle 2 different filenames for each (encrypted) file.

Won't this require more deep changes in file lookups on the MDS side?

Luis Henriques wrote:

The MDS needs to always send the full filename to the client if that client has supports for fscrypt. If it does support fscrypt but the key isn't loaded (yet), the client will handle the filename truncation locally. If later on the key is loaded, the client is already able to decrypt the real filename.

There are 3 different cases we need to handle:
- client that has the decryption key
- client that does not have the decryption key
- legacy clients (or those that do not support fscrypt)

The MDS will need to send full filenames to the first two and they can be taught to send the full filenames to the MDS. legacy clients should be sent fscrypt_nokey_names. That is more work on the MDS, but it should allow legacy clients to operate in encrypted directories in more or less the same way that new clients w/o the key would.

So, the MDS will always receive the full filename base64 encoded, which will need to be decoded to build the truncated name for clients that don't support file encryption. Which means that the MDS will need to:

• know if a specific file is encrypted or not

It will already need to track this. encrypted files have an attached context (usually stored in a hidden xattr).

• know if a client has support for encrypted files, and

We'll need a feature bit for this.

• handle 2 different filenames for each (encrypted) file.

Won't this require more deep changes in file lookups on the MDS side?

The only real change we'd need is for legacy clients sending long filenames (>149 bytes). In that case, you might have to walk the whole omap for a directory to find the file. I don't think we'd want to store two versions of each name. It's probably best to just take the performance hit in the (rare) case of long filenames.

The first step is to figure out how we store the encryption contexts. An xattr seems like an obvious choice but we could use a dedicated field in the inode too. Assuming we go with an xattr, at a high level:

- declare a separate "encryption" xattr namespace in which to store the encryption contexts. We can have newer clients filter those out in listxattr on their own, but we'd need to have the MDS filter them for legacy clients. It should also not be fetchable by legacy clients.

- MDS will need to vet that directories are empty before allowing the 'encryption.context' xattr to be set (special handling for the encryption.context xattr when the client doesn't hold caps).

- add a new feature bit for fscrypt

- ensure that the MDS can store names larger than NAME_MAX

- implement fscrypt callback operations (get_context, set_context, etc.)

Jeff Layton wrote:

The first step is to figure out how we store the encryption contexts. An xattr seems like an obvious choice but we could use a dedicated field in the inode too. Assuming we go with an xattr, at a high level:

- declare a separate "encryption" xattr namespace in which to store the encryption contexts. We can have newer clients filter those out in listxattr on their own, but we'd need to have the MDS filter them for legacy clients. It should also not be fetchable by legacy clients.

Another (obvious) thing that needs to be denied to legacy clients is to read encrypted files. This will require the MDS to only give these clients the caps to read metadata (PIN, AUTH, LINK, XATTR caps), but not to modify or read data (FILE cap).

- MDS will need to vet that directories are empty before allowing the 'encryption.context' xattr to be set (special handling for the encryption.context xattr when the client doesn't hold caps).

- add a new feature bit for fscrypt

- ensure that the MDS can store names larger than NAME_MAX

- implement fscrypt callback operations (get_context, set_context, etc.)

Ok, I've made some progress on this. I have a patchset that handles encrypting/decrypting filenames, but the contents are still cleartext currently. I've started looking at the content encryption, and that offers up a new and interesting problem:

The content encryption is done via block cipher where the blocks are FS_CRYPTO_BLOCK_SIZE (16 bytes). We can't deal in blocks that are smaller than that.

Block-based filesystems generally have 2 modes that they operate in -- either buffered I/O that goes through the pagecache or direct I/O which doesn't. Generally, DIO requires a certain alignment anyway, so this limitation is not an issue for them.

cephfs though has a 3rd mode -- when you don't have Fcb caps, then we just write straight through to the server. That's fine in most cases, but if the file is encrypted then we have a problem in this mode. Any I/O not aligned to 16 byte blocks would require a read/modify/write cycle and we can't really do that in a non-racy way.

The upshot is that we may need to return -EINVAL on write calls in this situation, even for "buffered" writes...which is weird because this entirely depends on whether we have caps or not, and that's impossible for userland applications to predict.

Fortunately, the read side shouldn't have any such restriction, but this will need to be carefully documented. For reads we can just extend the read to cover a complete block, and discard whatever we don't end up sending back to userland. It'll probably require some fiddly code, but that should be ok in principle.

Jeff Layton wrote:

cephfs though has a 3rd mode -- when you don't have Fcb caps, then we just write straight through to the server. That's fine in most cases, but if the file is encrypted then we have a problem in this mode. Any I/O not aligned to 16 byte blocks would require a read/modify/write cycle and we can't really do that in a non-racy way.

Technically you could utilize CMPEXT RADOS ops combined with the WRITE to ensure any unaligned data from a RMW cycle hasn't been updated since you last read it, correct?

Jason Dillaman wrote:

Technically you could utilize CMPEXT RADOS ops combined with the WRITE to ensure any unaligned data from a RMW cycle hasn't been updated since you last read it, correct?

Good idea, that would actually work. It could be slow in contended cases, but that's probably ok.

Either way, I have to plumb this into several codepaths, and I'll probably start with the pagecache-based ops and DIO. Hopefully by the time I get to that point, the way forward will be clear.

Another potential issue: fscrypt encrypts data by block in the pagecache. The blocksize for ceph is usually set to the size of a stripe chunk (with it set to 4M max object size for default layouts). We'll need to reduce that to PAGE_SIZE for fscrypted inodes.

That part is fairly simple, but we have to also deal with the fact that we will need to have the MDS round up to PAGE_SIZE blocks when tracking the size of the inode. The MDS can truncate off extents that are beyond EOF (a'la do_truncate_range), but we need to take care that we always round the size up to the next page boundary.

We may need to track the "real" i_size for crypted inodes in a secondary field in the MDS. Basically, keep the rounded-up i_size in the normal MDS size field and track the real i_size separately.

A simpler option might be to just have the MDS round up to the next page boundary on a truncate for encrypted inodes, but still store and transmit the i_size as usual. That will mean that the client and MDS will need to agree on blocksize == PAGE_SIZE, but that's probably ok.

Oh, and I was wrong about FS_CRYPTO_BLOCK_SIZE. We need to work in blocks that are the same size that the underlying I/O path uses. For ceph, the blocks are PAGE_SIZE.

No, I take it back again:

 * @len:       Size of block to decrypt.  Doesn't need to be a multiple of the
 *              fs block size, but must be a multiple of FS_CRYPTO_BLOCK_SIZE.

For the record:

#define FS_CRYPTO_BLOCK_SIZE            16                                                          

So, we'd need to have the MDS round up the i_size to the next 16-byte block when truncating or hole punching.

I've made quite a bit of progress on this, and I'm trying to tackle the data path part now, starting with the non-buffered I/O codepaths. This is the place where we need to potentially do a RMW cycle for writes.

When we do that, we'll end up with an array of pages. We'll need to be able to read in the first and last crypto blocks so that we can populate the parts of the page array that we're not writing to.

We'll need to allocate the same number of pages, regardless, but is it better to do a read over a single extent that covers all of the blocks being written (including those that will be completely replaced), or is it better to just read the extents at the beginning and end of the range?

I'm assuming that we'll want to do the latter...

Jeff Layton wrote:

We'll need to allocate the same number of pages, regardless, but is it better to do a read over a single extent that covers all of the blocks being written (including those that will be completely replaced), or is it better to just read the extents at the beginning and end of the range?

To be honest, the usage of 'extent' in this context is confusing me.

Picking an example: doing a write of 18 bytes across 3 blocks of FS_CRYPTO_BLOCK_SIZE:

0     15     31     47
+------+------+------+
|     *|******|*     |
+------+------+------+

Since the 2nd block will be completely overwritten, only the first and third block need to be read. Or were you referring to objects and object layouts and I totally misunderstood your question?

I meant "extent" as in the extents to be read/written in the OSD call. IOW, the ones added by osd_req_op_extent_osd_data_pages and the like. In practice, I think we'll want to use larger blocks than FS_CRYPTO_BLOCK_SIZE, which is a minimum value. I'm probably going to use 4k blocks, though we may want to make it tunable eventually.

Anyway, that is my question:

When I need to do a non-buffered, non-aligned write, I'll need to do a RMW cycle. Should I batch up a read that has extents covering the first and last crypto blocks that will be partially written, or just read in the whole thing?

It looks like you can add discontiguous extents to read and write operations, and I think they'll probably work. If I do that though, then it makes it a bit harder to share read helpers with the sync read code, but maybe that's ok.

Jeff Layton wrote:

Handing this to Xiubo now, since he's taking over maintainership and the bulk of the work is already done.

Hi Jeff,

BTW, what's the test status of the patches in wip-fscrypt branch ? Is it ready to pull the patches to testing branch now ?

Thanks!

Xiubo Li wrote:

BTW, what's the test status of the patches in wip-fscrypt branch ? Is it ready to pull the patches to testing branch now ?

I think we can probably merge the filename encryption changes, but the content encryption really needs to wait until the netfs write helper changes are in place. David H. is still working on those at the moment.

Jeff Layton wrote:

Xiubo Li wrote:

BTW, what's the test status of the patches in wip-fscrypt branch ? Is it ready to pull the patches to testing branch now ?

I think we can probably merge the filename encryption changes, but the content encryption really needs to wait until the netfs write helper changes are in place. David H. is still working on those at the moment.

Okay, let's pull the filename related patches first. Thanks!