Re: ext4, f2fs: fscrypt_has_permitted_context() check in file open

From: Theodore Ts'o
Date: Thu Sep 22 2016 - 12:03:35 EST

On Thu, Sep 22, 2016 at 04:21:30PM +0200, Richard Weinberger wrote:
> Got it. So, the use case is preventing off-line attacks.
> But I fear this is only a drop in the bucket. What we really need is
> meta data authentication.

True security requires a system-wide design, sure. For example, you
might want a locked bootloader that will only boot signed kernels.
The kernel might then require to use a read-only root file system with
dm-verity to make sure the system software can't be trojan'ed. And
then you want the system software to enforce that the top-level
directories which contain encrypted information are protected using
the correct keys, perhaps using some trusted hardware store where the
user's keys are stored (and only released when the proper password /
pin is given).

Given all of those induction steps, *then* the file system level
checks that require that all subdirectories and files in an encrypted
directories must be encrypted using the same key as their parent will
provide the security you need.


- Ted