Subject: Re: cgd and replay
To: Roland Dowdeswell <>
From: Pawel Jakub Dawidek <>
List: tech-security
Date: 08/24/2005 23:41:57

On Wed, Aug 24, 2005 at 06:45:14AM +1000, Daniel Carosone wrote:
+> The filesystem on da0.auth has no use for an 8kb sector with partial
+> contents from old and new versions, regardless of whether those parts
+> are legitimate in isolation. No such combination represents a valid
+> 8kb sector state.

Yes, but when the new or old MAC matches, I'll just return data which fsck
can handle. When the MACs don't match the data, I'll return EIO, which is
much harder to handle by the file system or fsck.

+> A transaction must happen completely or not at all.

That's journaling and it's not my goal.
I just want the user to know that data weren't modified (except for the
limitations discussed) and leave the rest for fsck, the file system or the
journal layer to handle above da0.auth.

+> You're relying on an assumption that the equivalent of this problem
+> doesn't happen for the 512-byte sectors of the underlying disk, and
+> *introducing* exactly the same problem for your upper layers.  This is
+> precisely the reverse of the desired solution, which would provide
+> integrity even where the underlying disk doesn't have that property.

That is not the integrity I want to achieve.
Things you are discussing here are not related. For a file system,
a valid block could be, e.g., 64kB, or 16kB here and 32kB there.
da0.auth has no way to know this and doesn't have to.

Pawel Jakub Dawidek                              
FreeBSD committer                         Am I Evil? Yes, I Am!
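The torn-write case the two posts argue about, as an added illustration that is not part of this thread and not code from cgd, geli or any other real authentication layer: an 8 kB authenticated block is stored as sixteen 512-byte physical sectors, with a MAC kept for the current and the previous version. A complete write verifies against the new MAC, a write that never started verifies against the old one, and a write torn partway through matches neither, so the layer returns EIO, which is the case the thread says fsck cannot easily handle. The key, the HMAC-SHA256 choice, the `AuthBlock` class and the assumption that both MACs are durably stored before the data sectors are rewritten are all constructed for the example.

```python
import errno
import hashlib
import hmac
from typing import Optional, Tuple

SECTOR = 512           # physical sector size of the underlying disk
LOGICAL = 8192         # 8 kB authenticated block discussed in the thread
SECTORS_PER_BLOCK = LOGICAL // SECTOR

# Constructed demo key; a real layer derives it from the user's key material.
KEY = b"constructed-demo-key"


def block_mac(data: bytes) -> bytes:
    """MAC over a whole 8 kB block (HMAC-SHA256 chosen for the demo)."""
    return hmac.new(KEY, data, hashlib.sha256).digest()


class AuthBlock:
    """One authenticated block: its physical sectors plus the MACs of the
    current and the previous version. Constructed assumption: both MACs
    are durably stored before any data sector is rewritten."""

    def __init__(self, data: bytes) -> None:
        assert len(data) == LOGICAL
        self.sectors = [data[i:i + SECTOR] for i in range(0, LOGICAL, SECTOR)]
        self.old_mac: Optional[bytes] = None
        self.new_mac = block_mac(data)

    def write(self, data: bytes, torn_after: Optional[int] = None) -> None:
        """Rewrite the block; torn_after=N simulates power loss after only
        N of the 16 physical sectors reached the disk."""
        assert len(data) == LOGICAL
        self.old_mac = self.new_mac
        self.new_mac = block_mac(data)
        done = SECTORS_PER_BLOCK if torn_after is None else torn_after
        for i in range(done):
            self.sectors[i] = data[i * SECTOR:(i + 1) * SECTOR]

    def read(self) -> Tuple[str, bytes]:
        """Return the data if it matches the new or the old MAC; otherwise
        fail with EIO, as the thread describes for a mixed old/new block."""
        data = b"".join(self.sectors)
        m = block_mac(data)
        if hmac.compare_digest(m, self.new_mac):
            return "new", data
        if self.old_mac is not None and hmac.compare_digest(m, self.old_mac):
            return "old", data
        raise OSError(errno.EIO, "block matches neither old nor new MAC")


def simulate(torn_after: Optional[int]) -> str:
    """Write a block of B's over a block of A's, tearing after torn_after
    sectors, then read it back. Returns which version was accepted, or
    'eio' when the integrity check fails."""
    blk = AuthBlock(b"A" * LOGICAL)
    blk.write(b"B" * LOGICAL, torn_after=torn_after)
    try:
        version, _ = blk.read()
        return version
    except OSError as exc:
        if exc.errno == errno.EIO:
            return "eio"
        raise


if __name__ == "__main__":
    for torn in (None, 0, 3, 15):
        print(f"torn_after={torn}: {simulate(torn)}")
```

Running it shows the three outcomes side by side: `None` (complete write) and `0` (nothing written) are accepted as the new and old version respectively, while any partial count such as 3 or 15 yields EIO, since no mixture of old and new 512-byte sectors has a MAC on record. Whether that EIO is acceptable, or whether the layer should guarantee all-or-nothing semantics instead, is exactly the disagreement in the thread.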
