This has been a problem with disk encryption since the dawn of time: there is no (at least AFAIK) scheme that allows efficiently hosting the MAC for an encrypted block in a way that meets various efficiency and robustness requirements.

Emulating an unencrypted disk means allowing updates at (traditionally) 512-byte sector granularity. Assuming we store a SHA256 MAC for the sector's ciphertext, for a 1TiB drive that means storing 64GiB of hashes.

In order to preserve alignment (required by various layers of the hardware and software stack), it's not possible to locate these hashes inline with the sectors they represent. In traditional media that meant adding an extra seek to every read or flush, or in other words at least halving the throughput of your drive.

This situation doesn't magically disappear with SSDs, the same performance problem just exhibits in a different way.

There's a bunch of other reasons full disk encryption isn't authenticated, but the above is a good starting point

edit: I have no idea how hardware disk encryption (e.g. TCG OPAL) functions, I guess it's at least vendor-dependent, but at least there is a possibility within traditional spinning rust drives to interleave authentication data more efficiently. In any case at that point, the attacker would need to physically disassemble the drive in order to perform an attack, so OPAL is probably a step up from plain software encryption if you're paranoid enough, yet somehow still trust your drive firmware

But this isn't disk encryption! Filesystems have metadata: which is where a MAC can go, next to the filename.

There's just no way this should be unauthenticated XTS, this is simply the wrong mode to use, you should use an AEAD. ChaCha20_Poly1305 - RFC7539: https://datatracker.ietf.org/doc/rfc7539/ - makes much more sense. Faster, too, on the target mobile devices which have poor crypt performance.

I don't think this should be merged early or as-is. Unauthenticated encryption is against good advice and a bad idea. Standardising that is an even worse idea.

Edit: I do see that they're intending this as a minimum viable patch for Android 'M' and they intend to add GCM support later (again, I'd point to CC20 as a newer, better alternative), they're just waiting on a transactional update first. I do question whether shipping it broadly with this design as-is should happen in the vanilla kernel, however: Android uses its own patches anyway. Maybe let this one mature a bit first before merging upstream?

> Filesystems have metadata: which is where a MAC can go, next to the filename.

File-level MACs would require reading/writing the entire file in one go, andpreclude efficient in-place modification of files. The alternative, lots of per-block MACs stored in extended attributes, wouldn't work for ext4 because of the 4 kb extended attribute size limitation, and would also have problems that the grandparent listed (lots of seeks).

A fair point. btrfs would have a much easier time of it. We then have the interesting consequence that we can observe times and sizes of COW updates, but in truth SSDs have that anyway.

ChaCha20 may be better in the abstract, but as a practical matter AES-GCM can take advantage of AESNI. I don't think a patch adding support for ChaCha20 would be particularly controversial anyway.

_wmd explains pretty well why FDE with authentication is technically challenging.

To be clear, the reason unauthenticated encryption is considered reasonable here is because the threat model is: Someone steals your laptop, you don't expect you'll ever get it back, but you don't want them to be able to extract any data.

On the other hand, if your threat model were "Someone secretly grabs your laptop when you're not looking, pulls out the hard drive, flips some bits, then puts it back, without you ever noticing.", then FDE can't protect you.

For a laptop or phone, the latter case seems reasonably implausible and so FDE is worthwhile. OTOH, for cloud storage use cases where you don't necessarily trust the storage machines, FDE as-is is basically worthless.

> So ext4 encryption can protect a lost or stolen device, but protecting a device that has been covertly modified is beyond its threat model.

Yeah, this is beyond worrying. If someone edits my disk and I mount it, I want a BIG RED WARNING thanks.

It might be an oblique reference to the fact that the filesystem code hasn't been specifically hardened with respect to a maliciously-crafted filesystem image.

Traditionally this was not seen as an attack vector, because only root could mount filesystems anyway (and without filesystem encryption, someone who could modify your filesystem image could just modify any binary to add a backdoor).

This is why only specifically whitelisted filesystem types can be mounted in unprivileged containers.

I think a better use case for this might be for the full partition to be encrypted with dm-crypt and then applications or users encrypt their data directories with ext4 directory encryption, though I could be wrong.

Yes, in all of these cases you can modify the initrd to steal credentials.

That's not totally a given anymore with so many UEFI laptops capable of Secure Boot. They additionally mentioned android as a use case for this which also generally comes with a locked bootloader among other boot chain security features.

You can build the kernel as an EFI module (using EFISTUB) and have EFI verify its signature. Most new laptops do support this and an increasing number of desktops and servers do too. In this case, some users may be surprised to find that even though they used ext4's encryption on /, someone can still modify the inode table since it remains unencrypted (though I could be reading the article wrong).

No, you boot from trusted boot media. A usb stick that's always on you, for example.