tech-crypto archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Re: [patch] cgd
On Thu, Dec 02, 2010 at 11:27:39AM +0100, Pawel Jakub Dawidek wrote:
>
> GELI in FreeBSD does support integrity verification and you don't need
> three writes. This best works when you increase sector size of the
> decrypted disk-like device to eg. 4kB - this way you don't waste too
> much space.
>
> Let me paste comment of how it works from g_eli_integrity.c:
>
> One of the most important assumption here is that authenticated data and its
> HMAC has to be stored in the same place (namely in the same sector) to make it
> work reliable.
Hmmm, this scheme does ensure that you do not lose data with half writes
but I am not sure that it preserves the atomicity of sector writes. That
is, if I write a sector to the disk then if I suffer a crash the entire
sector should be written or none of the sector should be written.
IIRC, directory and inode manipulation on FFS relies on sector
writes being atomic and if the atomicity of sector writes is
compromised then a crash can leave the filesystem in an inconsistent
state.
Looking it up: page 247 of ``The Design and Implementation of the
4.4BSD Operating System'' states:
Directories are allocated in units called chunks; ... The
size of a chunk is chosen such that each allocation can be
transferred to disk in a single operation; the ability to
change a directory in a single operation makes directory
updates atomic.
If we look at the data structure defined on that page and the next,
we can see that if a single chunk update is split into two separate
operations and only one of them succeeds then the file system could
be left in an inconsistent state[1].
I didn't look at the inode section in detail but I would imagine
that you could derive similar such [or worse] inconsistencies with
partial inode writes.
--
Roland Dowdeswell http://Imrryr.ORG/~elric/
Home |
Main Index |
Thread Index |
Old Index