tag name | fsverity_2024-04-29 (0d1fd30b6b200db928a105b90463bc80f64ddb3a) |
---|---|
tag date | 2024-04-29 19:58:02 -0700 |
tagged by | Darrick J. Wong <djwong@kernel.org> |
tagged object | commit d38006575f... |
download | xfsprogs-dev-fsverity_2024-04-29.tar.gz |

xfsprogs: fs-verity support for XFS [v5.6 59/62]

This patchset adds support for fsverity to XFS. In keeping with
Andrey's original design, XFS stores all fsverity metadata in the
extended attribute data. However, I've made a few changes to the code:

First, it now caches merkle tree blocks directly instead of abusing the
buffer cache. This reduces lookup overhead quite a bit, at a cost of
needing a new shrinker for cached merkle tree blocks.

To reduce the ondisk footprint further, I also made the verity
enablement code detect trailing zeroes whenever fsverity tells us to
write a buffer, and elide storing the zeroes. To further reduce the
footprint of sparse files, I also skip writing merkle tree blocks if the
block contents are entirely hashes of zeroes.

Next, I implemented more of the tooling around verity, such as debugger
support, as much fsck support as I can manage without knowing the
internal format of the fsverity information; and added support for
xfs_scrub to read fsverity files to validate the consistency of the data
against the merkle tree.

Finally, I add the ability for administrators to turn off fsverity,
which might help recovering damaged data from an inconsistent file.

From Andrey Albershteyn:

Here's v5 of my patchset of adding fs-verity support to XFS.

This implementation uses extended attributes to store fs-verity
metadata. The Merkle tree blocks are stored in the remote extended
attributes. The names are offsets into the tree.

This has been running on the djcloud for months with no problems. Enjoy!

Signed-off-by: Darrick J. Wong <djwong@kernel.org>
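
The two space-saving steps the tag message describes (eliding trailing zeroes, and skipping merkle tree blocks that hold only hashes of zeroes), together with the matching read-side reconstruction, as an added C example; this is not code from xfsprogs or from the kernel patchset. The function names, the caller-supplied `zero_digest`, and the rule that an all-zero block keeps one byte are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical names; zero_digest = caller-supplied hash of an all-zero data block. */

/* Length of buf once trailing zero bytes are dropped (0 if all zero). */
size_t trimmed_len(const unsigned char *buf, size_t len)
{
	while (len > 0 && buf[len - 1] == 0)
		len--;
	return len;
}

/* True if every digest-sized slot of the block equals zero_digest. */
bool all_zero_hashes(const unsigned char *blk, size_t blksz,
		     const unsigned char *zero_digest, size_t dsz)
{
	if (dsz == 0 || blksz == 0 || blksz % dsz != 0)
		return false;	/* odd geometry: never skip the block */
	for (size_t off = 0; off < blksz; off += dsz)
		if (memcmp(blk + off, zero_digest, dsz) != 0)
			return false;
	return true;
}

/* Bytes to store for one block. 0 means "skip"; an all-zero-byte block keeps
 * one byte so it stays distinguishable from a skipped one (assumption). */
size_t bytes_to_store(const unsigned char *blk, size_t blksz,
		      const unsigned char *zero_digest, size_t dsz)
{
	if (all_zero_hashes(blk, blksz, zero_digest, dsz))
		return 0;
	size_t n = trimmed_len(blk, blksz);
	return n ? n : (blksz ? 1 : 0);
}

/* Read side: rebuild the full block from whatever was stored. */
void rebuild_block(const unsigned char *stored, size_t stored_len,
		   unsigned char *out, size_t blksz,
		   const unsigned char *zero_digest, size_t dsz)
{
	memset(out, 0, blksz);		/* restores any elided zero tail */
	if (stored_len > blksz)
		stored_len = blksz;
	if (stored_len > 0)
		memcpy(out, stored, stored_len);
	for (size_t off = 0; !stored_len && dsz && off + dsz <= blksz; off += dsz)
		memcpy(out + off, zero_digest, dsz);	/* skipped block */
}
```

The zero-hash check runs before trimming because a digest may itself end in zero bytes, so trimming first would cut into the last slot.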