Re: overlayfs vs. fscrypt

From: James Bottomley
Date: Wed Mar 13 2019 - 11:36:40 EST

Next message: Mark Brown: "Applied "ASoC: samsung: odroid: Fix clock configuration for 44100 sample rate" to the asoc tree"
Previous message: Luca Ceresoli: "[PATCH 2/2] drm/doc: fix missing verb"
In reply to: Richard Weinberger: "Re: overlayfs vs. fscrypt"
Next in thread: Eric Biggers: "Re: overlayfs vs. fscrypt"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 2019-03-13 at 11:16 -0400, Theodore Ts'o wrote:
> So before we talk about how to make things work from a technical
> perspective, we should consider what the use case happens to be, and
> what are the security requirements. *Why* are we trying to use the
> combination of overlayfs and fscrypt, and what are the security
> properties we are trying to provide to someone who is relying on this
> combination?

I can give one: encrypted containers:

https://github.com/opencontainers/image-spec/issues/747

The current proposal imagines that the key would be delivered to the
physical node and the physical node containerd would decrypt all the
layers before handing them off to to the kubelet. However, one could
imagine a slightly more secure use case where the layers were
constructed as an encrypted filesystem tar and so the key would go into
the kernel and the layers would be constructed with encryption in place
using fscrypt.

Most of the desired security properties are in image at rest but one
can imagine that the running image wants some protection against
containment breaches by other tenants and using fscrypt could provide
that.

James

Next message: Mark Brown: "Applied "ASoC: samsung: odroid: Fix clock configuration for 44100 sample rate" to the asoc tree"
Previous message: Luca Ceresoli: "[PATCH 2/2] drm/doc: fix missing verb"
In reply to: Richard Weinberger: "Re: overlayfs vs. fscrypt"
Next in thread: Eric Biggers: "Re: overlayfs vs. fscrypt"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]