[RFC,v11,00/51] ceph+fscrypt : full support

Message ID 20220322141316.41325-1-jlayton@kernel.org

Message

Jeff Layton March 22, 2022, 2:12 p.m. UTC
This patchset represents a (mostly) working prototype of the
ceph+fscrypt work. With this, I'm able to run xfstests with
test_dummy_encryption, and most of the tests that pass on ceph without
fscrypt now pass on it.

When I made the last posting of this series [1], I mentioned that proper
support for sparse read support would be necessary to do this. Thus, the
biggest difference from the v10 set is that this is now based on top of
the patch series that I posted yesterday to implement sparse reads [2].

Aside from that, there are also numerous cleanups all over the tree, as
well as an overhaul of the readdir handling by Xiubo.

This series is not yet bug-free, but it's at a point where it is quite
usable, providing you're running against the Quincy release of ceph
(which should ship sometime in the next few months).

Next Steps:
===========
I'm not going to sugar-coat it. This is a huge, invasive patch series
that touches a lot of the most sensitive code in ceph.

Eric Biggers has acked the changes we need in fscrypt infrastructure. I
still need Al to ack exporting the new_inode_pseudo symbol. The rest is
pretty much all ceph and libceph code.

The main piece missing at this point is support for sparse reads with
ms_mode settings other than "crc". Once that's complete, I want to merge
that and this series into the ceph "testing" branch so we can start
running tests against it in teuthology with fscrypt enabled.

If that goes well, I think we could probably merge this into mainline
for v5.20 or v5.21. There is also some incoming support for netfs write
and DIO read helpers that we may want to convert to as well [3]. That
may alter the timing as well.

Review, comments and questions are welcome...

[1]: https://lore.kernel.org/ceph-devel/20220111191608.88762-1-jlayton@kernel.org/

[2]: https://lore.kernel.org/ceph-devel/20220318135013.43934-1-jlayton@kernel.org/

[3]: https://lore.kernel.org/ceph-devel/YixWLJXyWtD+STvl@codewreck.org/T/#maec7e3579f13a45171ad23d7a49183d169fcfcca

Jeff Layton (41):
  vfs: export new_inode_pseudo
  fscrypt: export fscrypt_base64url_encode and fscrypt_base64url_decode
  fscrypt: export fscrypt_fname_encrypt and fscrypt_fname_encrypted_size
  fscrypt: add fscrypt_context_for_new_inode
  ceph: preallocate inode for ops that may create one
  ceph: crypto context handling for ceph
  ceph: parse new fscrypt_auth and fscrypt_file fields in inode traces
  ceph: add support for fscrypt_auth/fscrypt_file to cap messages
  ceph: add ability to set fscrypt_auth via setattr
  ceph: implement -o test_dummy_encryption mount option
  ceph: decode alternate_name in lease info
  ceph: add fscrypt ioctls
  ceph: make ceph_msdc_build_path use ref-walk
  ceph: add encrypted fname handling to ceph_mdsc_build_path
  ceph: send altname in MClientRequest
  ceph: encode encrypted name in dentry release
  ceph: properly set DCACHE_NOKEY_NAME flag in lookup
  ceph: make d_revalidate call fscrypt revalidator for encrypted
    dentries
  ceph: add helpers for converting names for userland presentation
  ceph: add fscrypt support to ceph_fill_trace
  ceph: create symlinks with encrypted and base64-encoded targets
  ceph: make ceph_get_name decrypt filenames
  ceph: add a new ceph.fscrypt.auth vxattr
  ceph: add some fscrypt guardrails
  libceph: add CEPH_OSD_OP_ASSERT_VER support
  ceph: size handling for encrypted inodes in cap updates
  ceph: fscrypt_file field handling in MClientRequest messages
  ceph: get file size from fscrypt_file when present in inode traces
  ceph: handle fscrypt fields in cap messages from MDS
  ceph: add infrastructure for file encryption and decryption
  libceph: allow ceph_osdc_new_request to accept a multi-op read
  ceph: disable fallocate for encrypted inodes
  ceph: disable copy offload on encrypted inodes
  ceph: don't use special DIO path for encrypted inodes
  ceph: align data in pages in ceph_sync_write
  ceph: add read/modify/write to ceph_sync_write
  ceph: plumb in decryption during sync reads
  ceph: add fscrypt decryption support to ceph_netfs_issue_op
  ceph: set i_blkbits to crypto block size for encrypted inodes
  ceph: add encryption support to writepage
  ceph: fscrypt support for writepages

Luis Henriques (1):
  ceph: don't allow changing layout on encrypted files/directories

Xiubo Li (9):
  ceph: make the ioctl cmd more readable in debug log
  ceph: fix base64 encoded name's length check in ceph_fname_to_usr()
  ceph: pass the request to parse_reply_info_readdir()
  ceph: add ceph_encode_encrypted_dname() helper
  ceph: add support to readdir for encrypted filenames
  ceph: add __ceph_get_caps helper support
  ceph: add __ceph_sync_read helper support
  ceph: add object version support for sync read
  ceph: add truncate size handling support for fscrypt

 fs/ceph/Makefile                |   1 +
 fs/ceph/acl.c                   |   4 +-
 fs/ceph/addr.c                  | 128 ++++++--
 fs/ceph/caps.c                  | 212 +++++++++++--
 fs/ceph/crypto.c                | 432 +++++++++++++++++++++++++
 fs/ceph/crypto.h                | 256 +++++++++++++++
 fs/ceph/dir.c                   | 182 ++++++++---
 fs/ceph/export.c                |  44 ++-
 fs/ceph/file.c                  | 530 ++++++++++++++++++++++++++-----
 fs/ceph/inode.c                 | 546 +++++++++++++++++++++++++++++---
 fs/ceph/ioctl.c                 | 126 +++++++-
 fs/ceph/mds_client.c            | 455 ++++++++++++++++++++++----
 fs/ceph/mds_client.h            |  24 +-
 fs/ceph/super.c                 |  91 +++++-
 fs/ceph/super.h                 |  43 ++-
 fs/ceph/xattr.c                 |  29 ++
 fs/crypto/fname.c               |  44 ++-
 fs/crypto/fscrypt_private.h     |   9 +-
 fs/crypto/hooks.c               |   6 +-
 fs/crypto/policy.c              |  35 +-
 fs/inode.c                      |   1 +
 include/linux/ceph/ceph_fs.h    |  21 +-
 include/linux/ceph/osd_client.h |   6 +-
 include/linux/ceph/rados.h      |   4 +
 include/linux/fscrypt.h         |  10 +
 net/ceph/osd_client.c           |  32 +-
 26 files changed, 2907 insertions(+), 364 deletions(-)
 create mode 100644 fs/ceph/crypto.c
 create mode 100644 fs/ceph/crypto.h

Comments

Jeff Layton March 23, 2022, 4:55 p.m. UTC | #1
On Tue, 2022-03-22 at 10:12 -0400, Jeff Layton wrote:
> Add support for new version 12 cap messages that carry the new
> fscrypt_auth and fscrypt_file fields from the inode.
> 
> Signed-off-by: Jeff Layton <jlayton@kernel.org>
> ---
>  fs/ceph/caps.c | 76 +++++++++++++++++++++++++++++++++++++++++---------
>  1 file changed, 63 insertions(+), 13 deletions(-)
> 
> diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
> index 7d8ef67a1032..b0b7688331b4 100644
> --- a/fs/ceph/caps.c
> +++ b/fs/ceph/caps.c
> @@ -13,6 +13,7 @@
>  #include "super.h"
>  #include "mds_client.h"
>  #include "cache.h"
> +#include "crypto.h"
>  #include <linux/ceph/decode.h>
>  #include <linux/ceph/messenger.h>
>  
> @@ -1214,15 +1215,12 @@ struct cap_msg_args {
>  	umode_t			mode;
>  	bool			inline_data;
>  	bool			wake;
> +	u32			fscrypt_auth_len;
> +	u32			fscrypt_file_len;
> +	u8			fscrypt_auth[sizeof(struct ceph_fscrypt_auth)]; // for context
> +	u8			fscrypt_file[sizeof(u64)]; // for size
>  };
>  
> -/*
> - * cap struct size + flock buffer size + inline version + inline data size +
> - * osd_epoch_barrier + oldest_flush_tid
> - */
> -#define CAP_MSG_SIZE (sizeof(struct ceph_mds_caps) + \
> -		      4 + 8 + 4 + 4 + 8 + 4 + 4 + 4 + 8 + 8 + 4)
> -
>  /* Marshal up the cap msg to the MDS */
>  static void encode_cap_msg(struct ceph_msg *msg, struct cap_msg_args *arg)
>  {
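Review bot: the two new array members in struct cap_msg_args carry trailing C99 comments (`// for context` and `// for size`), while the surrounding code in this patch uses `/* */` throughout; switch these to block comments. Sizing fscrypt_file as `sizeof(u64)` also bakes in that the field only ever carries a size, so a short comment on the struct stating that would help whoever extends it later.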
> @@ -1238,7 +1236,7 @@ static void encode_cap_msg(struct ceph_msg *msg, struct cap_msg_args *arg)
>  	     arg->size, arg->max_size, arg->xattr_version,
>  	     arg->xattr_buf ? (int)arg->xattr_buf->vec.iov_len : 0);
>  
> -	msg->hdr.version = cpu_to_le16(10);
> +	msg->hdr.version = cpu_to_le16(12);
>  	msg->hdr.tid = cpu_to_le64(arg->flush_tid);
>  
>  	fc = msg->front.iov_base;
> @@ -1309,6 +1307,21 @@ static void encode_cap_msg(struct ceph_msg *msg, struct cap_msg_args *arg)
>  
>  	/* Advisory flags (version 10) */
>  	ceph_encode_32(&p, arg->flags);
> +
> +	/* dirstats (version 11) - these are r/o on the client */
> +	ceph_encode_64(&p, 0);
> +	ceph_encode_64(&p, 0);
> +
> +#if IS_ENABLED(CONFIG_FS_ENCRYPTION)
> +	/* fscrypt_auth and fscrypt_file (version 12) */
> +	ceph_encode_32(&p, arg->fscrypt_auth_len);
> +	ceph_encode_copy(&p, arg->fscrypt_auth, arg->fscrypt_auth_len);
> +	ceph_encode_32(&p, arg->fscrypt_file_len);
> +	ceph_encode_copy(&p, arg->fscrypt_file, arg->fscrypt_file_len);
> +#else /* CONFIG_FS_ENCRYPTION */
> +	ceph_encode_32(&p, 0);
> +	ceph_encode_32(&p, 0);
> +#endif /* CONFIG_FS_ENCRYPTION */
>  }
>  
>  /*
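Review bot: in the version 12 block of encode_cap_msg(), both ceph_encode_copy() calls trust arg->fscrypt_auth_len and arg->fscrypt_file_len without checking them against `sizeof(arg->fscrypt_auth)` and `sizeof(arg->fscrypt_file)`, so the encoder depends on every caller having validated the lengths, and a larger value would read past the fixed-size arrays in struct cap_msg_args. Either clamp or WARN on the lengths here, or add a comment naming the invariant and where it is enforced. The dirstats comment could also name the two 64-bit fields being zeroed, since nothing in this function says what they are.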
> @@ -1430,8 +1443,37 @@ static void __prep_cap(struct cap_msg_args *arg, struct ceph_cap *cap,
>  		}
>  	}
>  	arg->flags = flags;
> +#if IS_ENABLED(CONFIG_FS_ENCRYPTION)
> +	if (ci->fscrypt_auth_len &&
> +	    WARN_ON_ONCE(ci->fscrypt_auth_len != sizeof(struct ceph_fscrypt_auth))) {

The above WARN_ON_ONCE is too strict, and causes the client to reject v1
fscrypt contexts (as well as throw the warning). That should be a ">"
instead. I've fixed this in my tree and pushed the fix into wip-fscrypt.


> +		/* Don't set this if it isn't right size */
> +		arg->fscrypt_auth_len = 0;
> +	} else {
> +		arg->fscrypt_auth_len = ci->fscrypt_auth_len;
> +		memcpy(arg->fscrypt_auth, ci->fscrypt_auth,
> +			min_t(size_t, ci->fscrypt_auth_len, sizeof(arg->fscrypt_auth)));
> +	}
> +	/* FIXME: use this to track "real" size */
> +	arg->fscrypt_file_len = 0;
> +#endif /* CONFIG_FS_ENCRYPTION */
>  }
>  
> +#define CAP_MSG_FIXED_FIELDS (sizeof(struct ceph_mds_caps) + \
> +		      4 + 8 + 4 + 4 + 8 + 4 + 4 + 4 + 8 + 8 + 4 + 8 + 8 + 4 + 4)
> +
> +#if IS_ENABLED(CONFIG_FS_ENCRYPTION)
> +static inline int cap_msg_size(struct cap_msg_args *arg)
> +{
> +	return CAP_MSG_FIXED_FIELDS + arg->fscrypt_auth_len +
> +			arg->fscrypt_file_len;
> +}
> +#else
> +static inline int cap_msg_size(struct cap_msg_args *arg)
> +{
> +	return CAP_MSG_FIXED_FIELDS;
> +}
> +#endif /* CONFIG_FS_ENCRYPTION */
> +
>  /*
>   * Send a cap msg on the given inode.
>   *
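Review bot: CAP_MSG_FIXED_FIELDS grows the old sum by `+ 8 + 8 + 4 + 4` but drops the comment that said what the terms stand for, so the macro can no longer be checked against encode_cap_msg() by reading it. Please restore the field list and name the additions (the two 64-bit dirstats and the two 32-bit fscrypt length fields), since a mismatch here under-allocates the message front. In __prep_cap(), the lengths are only assigned inside the `#if IS_ENABLED(CONFIG_FS_ENCRYPTION)` block; that is consistent with the `#else` paths in the encoder and in cap_msg_size(), but zeroing them unconditionally would let both `#else` variants go away. cap_msg_size() could also take a `const struct cap_msg_args *`.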
> @@ -1442,7 +1484,7 @@ static void __send_cap(struct cap_msg_args *arg, struct ceph_inode_info *ci)
>  	struct ceph_msg *msg;
>  	struct inode *inode = &ci->vfs_inode;
>  
> -	msg = ceph_msg_new(CEPH_MSG_CLIENT_CAPS, CAP_MSG_SIZE, GFP_NOFS, false);
> +	msg = ceph_msg_new(CEPH_MSG_CLIENT_CAPS, cap_msg_size(arg), GFP_NOFS, false);
>  	if (!msg) {
>  		pr_err("error allocating cap msg: ino (%llx.%llx) flushing %s tid %llu, requeuing cap.\n",
>  		       ceph_vinop(inode), ceph_cap_string(arg->dirty),
> @@ -1468,10 +1510,6 @@ static inline int __send_flush_snap(struct inode *inode,
>  	struct cap_msg_args	arg;
>  	struct ceph_msg		*msg;
>  
> -	msg = ceph_msg_new(CEPH_MSG_CLIENT_CAPS, CAP_MSG_SIZE, GFP_NOFS, false);
> -	if (!msg)
> -		return -ENOMEM;
> -
>  	arg.session = session;
>  	arg.ino = ceph_vino(inode).ino;
>  	arg.cid = 0;
> @@ -1509,6 +1547,18 @@ static inline int __send_flush_snap(struct inode *inode,
>  	arg.flags = 0;
>  	arg.wake = false;
>  
> +	/*
> +	 * No fscrypt_auth changes from a capsnap. It will need
> +	 * to update fscrypt_file on size changes (TODO).
> +	 */
> +	arg.fscrypt_auth_len = 0;
> +	arg.fscrypt_file_len = 0;
> +
> +	msg = ceph_msg_new(CEPH_MSG_CLIENT_CAPS, cap_msg_size(&arg),
> +			   GFP_NOFS, false);
> +	if (!msg)
> +		return -ENOMEM;
> +
>  	encode_cap_msg(msg, &arg);
>  	ceph_con_send(&arg.session->s_con, msg);
>  	return 0;

Jeff Layton March 25, 2022, 9:57 a.m. UTC | #2

I was able to get the sparse reads working on other transports
yesterday, and I've gone ahead and updated the wip-fscrypt branch with
the newest sparse read and fscrypt changes.

For the record, the final diffstat with both patch series is:

 30 files changed, 3706 insertions(+), 400 deletions(-)

I'll probably plan to move these into the testing branch next week,
after I do a bit more testing locally today. Another thing we'll need to
sort out is how to enable fscrypt for teuthology tests.

As always, more testing and review would definitely be welcome.

Thanks!