From: Alyssa Ross <hi@alyssa.is>
To: Demi Marie Obenour, devel@spectrum-os.org
Subject: Re: Verified boot and filesystem choices
In-Reply-To: <38bffd12-26ba-47cb-a425-1326e3400c8b@gmail.com>
References: <38bffd12-26ba-47cb-a425-1326e3400c8b@gmail.com>
Date: Sat, 14 Jun 2025 10:23:01 +0200
Message-ID: <8734c2d95m.fsf@alyssa.is>
List-Id: Patches and low-level development discussion

Demi Marie Obenour writes:

> Bcachefs is not very stable right now,

Neither is Spectrum!

Given that changing filesystem later if it doesn't work out will be a
very easy change to make (up to a point), we can afford to wait. It's
an approach that has served us well so far — sometimes focusing on
other things means that by the time we have to look at something, the
problem has been solved by somebody else.

Filesystems are always going to have bugs, so in my opinion the most
important thing is to make having good backups easy, so that recovery
is possible when something goes wrong, regardless of choice of
filesystem. I am very keen for Spectrum to have an integrated backup
solution, ideally as easy to use as Time Machine.

> and BTRFS is not a good choice from a verified boot perspective.
> f2fs is what is used in Android and ext4 is used in Chromebooks, so
> they at least have the backing of Google's security team when it
> comes to vulnerabilities involving maliciously crafted filesystem
> images. BTRFS doesn't.
>
> The reason this matters for Spectrum is that verified boot aims to
> prevent system compromise from persisting across reboots, and an
> attacker who has compromised a Spectrum system can craft whatever
> image they want on the writable volume.
>
> Would it make sense to use f2fs or ext4? That means no reflinks and
> no snapshots, which would be annoying at least. Another option might
> be to use FUSE for the writable volume, with kernel filesystems only
> used for the (signed and dm-verity protected) root volume. This is
> the only option supported by Linux's upstream maintainers, who (with
> the notable exception of Kent Overstreet) appear to have no interest
> in hardening filesystems against maliciously crafted images.

I think snapshots are going to be very important for us to do things
like the aforementioned integrated backups, and it would be very
unfortunate to have to limit ourselves to out-of-date filesystems that
lack modern features like that.
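To make the trust boundary in the thread concrete, here is an added example (not code from Spectrum or from either poster) of the dm-verity idea Demi refers to: a salted hash tree over the read-only root volume whose root hash comes from signed boot material, so any change to a root-volume block is caught at read time. The writable volume lies outside this tree, which is exactly why its on-disk format is parsed unverified. Block size, salt, and the sample image are constructed for the example; real dm-verity also stores a superblock and metadata this omits.

```python
"""Simplified dm-verity-style hash tree (added example, not project code).
Only the core mechanism is shown: a per-block Merkle tree whose root hash is
trusted because it arrives via the signed boot chain."""
import hashlib
from typing import List

BLOCK = 4096                  # dm-verity default data/hash block size
DIGEST = 32                   # sha256 digest length
PER_HASH_BLOCK = BLOCK // DIGEST  # child digests packed into one hash block
SALT = b"constructed-salt"    # constructed; dm-verity keeps its salt in the superblock

def h(data: bytes) -> bytes:
    """Salted block digest, as dm-verity computes it (salt prepended)."""
    return hashlib.sha256(SALT + data).digest()

def split_blocks(image: bytes) -> List[bytes]:
    """Cut the image into BLOCK-sized blocks, zero-padding the last one."""
    return [image[i:i + BLOCK].ljust(BLOCK, b"\0") for i in range(0, len(image), BLOCK)]

def build_tree(image: bytes) -> List[List[bytes]]:
    """levels[0] = leaf digests of data blocks, levels[-1] = [root hash]."""
    levels = [[h(b) for b in split_blocks(image)]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([h(b"".join(prev[i:i + PER_HASH_BLOCK]).ljust(BLOCK, b"\0"))
                       for i in range(0, len(prev), PER_HASH_BLOCK)])
    return levels

def root_hash(image: bytes) -> bytes:
    """The value that would be signed and passed on the kernel command line."""
    return build_tree(image)[-1][0]

def verify_block(image: bytes, tree: List[List[bytes]], idx: int, trusted_root: bytes) -> bool:
    """Check one data block the way dm-verity does on read: its digest against
    the leaf level, then each hash block up the path to the trusted root.
    The on-disk tree itself is untrusted; only trusted_root anchors the check."""
    if h(split_blocks(image)[idx]) != tree[0][idx]:
        return False
    for lvl in range(len(tree) - 1):
        parent = idx // PER_HASH_BLOCK
        kids = tree[lvl][parent * PER_HASH_BLOCK:(parent + 1) * PER_HASH_BLOCK]
        if h(b"".join(kids).ljust(BLOCK, b"\0")) != tree[lvl + 1][parent]:
            return False
        idx = parent
    return tree[-1][0] == trusted_root
```

A modified data block, or a modified tree node covering up that block, both fail against the signed root; nothing here inspects the writable volume at all.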