Re: [PATCH RFC 2/8] fs/ext4: Disallow verity if inode is DAX

From: Ira Weiny
Date: Wed Apr 15 2020 - 15:21:39 EST


On Wed, Apr 15, 2020 at 11:55:25AM -0400, Theodore Y. Ts'o wrote:
> On Wed, Apr 15, 2020 at 02:00:02PM +0200, Jan Kara wrote:
> > On Mon 13-04-20 21:00:24, ira.weiny@xxxxxxxxx wrote:
> > > From: Ira Weiny <ira.weiny@xxxxxxxxx>
> > >
> > > Verity and DAX are incompatible. Changing the DAX mode due to a verity
> > > flag change is wrong without a corresponding address_space_operations
> > > update.
> > >
> > > Make the 2 options mutually exclusive by returning an error if DAX was
> > > set first.
> > >
> > > (Setting DAX is already disabled if Verity is set first.)
> > >
> > > Signed-off-by: Ira Weiny <ira.weiny@xxxxxxxxx>
> > > ---
> > > fs/ext4/verity.c | 3 +++
> > > 1 file changed, 3 insertions(+)
> > >
> > > diff --git a/fs/ext4/verity.c b/fs/ext4/verity.c
> > > index dc5ec724d889..ce3f9a198d3b 100644
> > > --- a/fs/ext4/verity.c
> > > +++ b/fs/ext4/verity.c
> > > @@ -113,6 +113,9 @@ static int ext4_begin_enable_verity(struct file *filp)
> > > handle_t *handle;
> > > int err;
> > >
> > > + if (WARN_ON_ONCE(IS_DAX(inode)))
> > > + return -EINVAL;
> > > +
> >
> > Hum, one question, is there a reason for WARN_ON_ONCE()? If I understand
> > correctly, user could normally trigger this, couldn't he?
>
> Tes, the WARN_ON_ONCE isn't appropriate here. We should also disallow
> setting the DAX flag if the inode has the verity flag set already.

This is taken care of and is part of ext4_enable_dax() after this series.

>
> And if we need to decide what to if the file system is mounted with
> "-o dax=always" and the verity file system feature is enabled. We
> could either (a) reject the mount with if the mount option is given
> and the file system can have verity files, or (b) make "-o dax=always"
> mean "-o dax=mostly_always" and treat verity files as not using dax
> even when dax=always is selected.

The later is implemented in this series... Not the most explicit thing. :-(

>
> Also, in theory, we *could* support dax and verity files, but
> verifying the crypto checksums of all of the pages when the file is
> first accessed, and then marking that in a flag in the in-inode flag.
> Or we could have a per-page flag stored somewhere that indicates that
> the page has been verified, so that we can on-demand verify the
> integrity of the page. Given that verity files are read-only, the
> main reason why someone might want to use dax && verity would be to
> reduce page cache overhead of system files; if executing out of dax
> pages doesn't have significant performance impacts, this might be
> something which might be a nice-to-have. I don't think we need to
> worry about this for now; if there are use cases where mobile devices
> want to use dax && verity, we can let them figure out how to make it
> work. I'm just pointing out that it's not really a completely insane
> combination.

Fair enough. The main issue I need to correct here is to keep the 2 mutually
exclusive. Which AFAICT is not true today. This makes it so even without the
per-file enablement.

Ira

>
> Cheers,
>
> - Ted