Subject: Re: RFC: backporting GEOM to the 4.x branch
To: Maxim Sobolev <sobomax@FreeBSD.org>
From: Roland Dowdeswell <elric@imrryr.org>
List: tech-security
Date: 02/28/2005 00:28:11
On 1109549715 seconds since the Beginning of the UNIX epoch
Maxim Sobolev wrote:
>

>> Each disk write involves two writes to the disk.  Where is the
>> journal?  I do not see any talk about a journal in the paper, or
>> the GBDE source code.  Hence, if the OS crashes or if a removable
>> disk is removed at the wrong time, etc. etc. it is possible that
>> only one of those writes would succeed.  I think that we can all
>> see where this is going.
>
>So what? If the write fails in the middle, reading sector will just 
>produce garbage. I don't think that it's different from plain old HDD 
>which has been powered down in the middle of doing disk write. Disk 
>encryption layer is definitely not the level at which journaling should 
>be implemented. It's task of file system to do this. The task of 
>encryption layer is merely to inform the file system when transaction 
>(i.e. both of those two writes in this case) have been completed 
>successfully, so that FS can adjust its journal accordingly.

[this is a different response than the one that I sent to freebsd-hackers,
 because Maxim sent his response individually to the different
 lists.]

The file systems have the fundamental assumption that either sector
writes completely succeed or completely fail.  That is if sector
n contains A and I try to write A' then if the system crashes when
it comes back the sector will contain either A or A', but not A''.
It would be reasonably difficult and perhaps pointless to design
a filesystem which could deal with this kind of lossage, because
this is not the typical failure case of hard drives.

None of the file systems in any of the BSDs [to my knowledge at
least, and if this has changed it will have been reasonably recently]
can deal with the situation that a write might completely corrupt
a sector.  You might think that, e.g. LFS, might be able to.  But
if you look at it closely, you will realise that it in fact cannot.
File systems with journals generally still make the assumption that
sector writes are atomic.  Breaking this will break your file
systems.

--
    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/
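The crash case Roland describes, as an added simulation that is not part of the thread or of GBDE: a toy model in which each logical sector write becomes two physical writes (a fresh per-sector key record, then the data encrypted under it), beside the single-atomic-write model a file system assumes. The hash-based keystream, sector size and contents are constructed for the example, not GBDE's real format.

```python
import hashlib
import os

SECTOR = 32  # toy sector size in bytes (constructed; real sectors are 512+)

def keystream(key: bytes, lsn: int) -> bytes:
    # Toy keystream: SHA-256(key || sector number).  Not a real cipher.
    return hashlib.sha256(key + lsn.to_bytes(4, "big")).digest()[:SECTOR]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class TwoWriteDisk:
    """Logical sector n lives in two physical sectors, key[n] and data[n];
    a fresh per-sector key is chosen per write, so both must be updated."""
    def __init__(self):
        self.keys, self.data = {}, {}
    def write(self, lsn, plaintext, crash_between=False):
        key = os.urandom(16)
        self.keys[lsn] = key                                  # physical write 1
        if crash_between:                                     # power lost here
            return False
        self.data[lsn] = xor(plaintext, keystream(key, lsn))  # physical write 2
        return True
    def read(self, lsn):
        return xor(self.data[lsn], keystream(self.keys[lsn], lsn))

class AtomicDisk:
    """The model the file system assumes: a sector write lands whole or not at all."""
    def __init__(self):
        self.data = {}
    def write(self, lsn, plaintext, crash_between=False):
        if crash_between:           # nothing partial: the old sector remains
            return False
        self.data[lsn] = plaintext
        return True
    def read(self, lsn):
        return self.data[lsn]

def after_crash(disk_cls):
    """Write A, then write A' and crash part-way; report whether the sector
    then reads back as A, A', or something else (A'' in the mail's terms)."""
    a, a_prime = b"A" * SECTOR, b"B" * SECTOR   # constructed sector contents
    disk = disk_cls()
    disk.write(7, a)
    disk.write(7, a_prime, crash_between=True)
    seen = disk.read(7)
    return "A" if seen == a else "A'" if seen == a_prime else "A''"
```

Reversing the order of the two physical writes does not help: the new data under the old key decrypts to garbage just the same, which is why the mail argues a journal or equivalent ordering guarantee is needed at the layer that splits one write into two.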