lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YG/BHfB3arzT4x6W@mit.edu>
Date:   Thu, 8 Apr 2021 22:51:09 -0400
From:   "Theodore Ts'o" <tytso@....edu>
To:     "Darrick J. Wong" <djwong@...nel.org>
Cc:     Dave Chinner <david@...morbit.com>,
        Eric Biggers <ebiggers@...nel.org>,
        Leah Rumancik <leah.rumancik@...il.com>,
        linux-ext4@...r.kernel.org
Subject: Re: [PATCH v2 1/2] ext4: wipe filename upon file deletion

On Thu, Apr 08, 2021 at 05:02:07PM -0700, Darrick J. Wong wrote:
> > In the ideal world, sure, all or most of them would agree that they
> > *shouldn't* be storing any kind of PII at rest unencrypted, but they
> > can't be sure, and so from the perspective of keeping their audit and
> > I/T compliance committees happy, this requirement is desirable from a
> > "belt and suspenders" perspective.
> > 
> > > This seems like a better fit for FITRIM than anything else.
> > > 
> > > Ooohh. We sure do suck at APIs, don't we? FITRIM has no flags field,
> > > so we can't extend that.
> > 
> > I don't have any serious objections to defining FITRIM2; OTOH, for
> 
> Er, are we talking about the directory name wiping, or the journal
> discarding?

Sorry, I was talking about journal wiping.  The conflation is because
the reason why we want to wipe the journal is because of the directory
names in the journal, so the two are very much connected for our use
case, but yes, directory names in directories is very from directory
names in the journal.

We don't actually need any kind of interface for wiping names in
directories, since it doesn't cost us anything to unconditionally wipe
the directory entries as opposed to just setting the inode number to
zero.

> I didn't think it was any more difficult than changing xfs_removename to
> zero out the name and ftype fields at the same time it adds the whiteout
> to the dirent.  But TBH I haven't thought through this too deeply.
> 
> I /do/ think that if you ever want to add "secure" deletion to XFS, I'd
> want to do it by implementing FS_SECRM_FL for XFS, and not by adding
> more mount options.

The original meaning of FS_SECRM_FL was that the data blocks would be
zero'ed --- when the inode was deleted.  We don't intend to have a
mount option for ext4 for zero'ing the directory entry, since it
really doesn't cost us anything to memset the directory entry to zero
at unlink time.  I guess for a DAX file system, zero'ing the directory
entry might cost a an extra cache line write, but for block-oriented
devices, for us it's essentially cost-free --- so why add an extra
mount option, and instead just zero the directory entry of everything
other than rec_len?

> Question -- does e2image have the ability to obscure names like
> xfs_metadump will do if you don't pass it "-o" ?

Yes, e2image has had the -s option to scramble file names since
E2fsprogs 1.36 (February, 2005).

						- Ted

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ