| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20140613033029.GS4453@dastard> Date: Fri, 13 Jun 2014 13:30:29 +1000 From: Dave Chinner <david@...morbit.com> To: Eric Sandeen <sandeen@...hat.com> Cc: JP Abgrall <jpa@...gle.com>, linux-ext4@...r.kernel.org, gcondra@...gle.com, "linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org> Subject: Re: [PATCH] ext4: Add support for SFITRIM, an ioctl for secure FITRIM. On Fri, Jun 13, 2014 at 01:15:38PM +1000, Dave Chinner wrote: > On Thu, Jun 12, 2014 at 09:36:49PM -0500, Eric Sandeen wrote: > > On 6/12/14, 9:14 PM, JP Abgrall wrote: > > > This provides an interface for issuing secure trims to parallel > > > the existing interface for non-secure trim. > > > > Which does what? A bit of digging through git history tells > > me, but an idiot reader like myself doesn't know what a > > "secure trim" is. ;) Would be nice to have that info, > > and the reason for elevating it from a block-level ioctl > > to an fs-level ioctl in the commit log. > > > > IOWS: your commit log says what, but not why. > > "Secure discard" is only "secure" if every discard that is issued is > secure. Filesystems optimise away repeated discards for freed > regions, so FITRIM followed by SFITRIM means the regions trimmed by > the initial FITRIM are not securely erased from the underlying > media, and you can't get then to be securely erased until > <hand-wave> stuff happens. > > Indeed, mixing -o discard and SFITRIM is a recipe for > confusion and leakage - "but I used secure trim on the device!" - > and so all discards either have to be secure or not. > > Further, some filesystems may other copies of stale data in the > discarded ranges (e.g. data from unlinked files in the journal or > even in unused portions of metadata blocks), so you can't really say > that secure TRIM provides any sort of security against leakage at > the filesystem layer... Oh, and while I think of it secure discard at the filesystem level isn't even a guarantee that you'll get rid of all stale references to a sector - if the filesystem has freed and then re-allocated a block without having gone through a discard cycle on that block, then the underlying device may have old copies of the block that it hasn't garbage collected and SFITRIM won't clean those up because it won't ask to trim in-use blocks.... So, really, secure trim from a filesystem perspective can leak stale data at multiple layers.... Cheers, Dave. -- Dave Chinner david@...morbit.com -- To unsubscribe from this list: send the line "unsubscribe linux-ext4" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists