Sep 7, 2010

XTS support in pefs

I've replaced CTR encryption mode with XTS. Salsa20 stream cipher was also removed. CTR mode was inappropriate design for a filesystem, and allowed encrypted data to be easily manipulated by attacker and could even reveal plantext in cases when previous encrypted data snapshots where available to attacker, i.e. filesystem level snapshots. There should be no visible performance degradation because of switching to XTS.

CTR mode compatibility is not available to prevent further misuse, thus upgrade by hand would be necessary.

Besides I've also commited real support for sparse files and file extending, it should make filesystem faster in generic use cases. New version also contains fix for a race in rename operation.

I would like to ask people interested in getting such functionality in FreeBSD to give pefs a try, any feedback is welcome.

Installation instructions may be found in my message to freebsd-current maillist.

May 6, 2010

Projects status

The oldest project l2filter is almost certainly doomed. Patch no longer apply after ipfw3 was imported to -CURRENT and then merged to 8-STABLE. It still applies to 7-STABLE, but I don't use 7-STABLE. Merging only support for layer2 filtering with pfil and pf should be rather trivial. I'd like to keep patches in sync with recent -CURRENT but.. no time, no testers.

pefs looks much better. I keep using it myself, it looks pretty stable with my workload, although I've once got a pefs-related panic but wasn't able to get a dump. I'd like to implement lazy file extend (lazily write encrypted zero ranges to file after extend) and post it on freebsd-hackers@ once again.

This summer I'll work on namecache. Project is rather ambitious and innovative, in few words it's about generalizing UFS' dirhash and exposing it to upper layers so that it can be used for reliable full path lookup.