Re: [PATCH RFC 14/29] xfs: add attribute type for fs-verity


 



On Tue, Aug 12, 2025 at 07:11:24PM +0200, Andrey Albershteyn wrote:
> On 2025-08-12 09:44:15, Christoph Hellwig wrote:
> > On Mon, Aug 11, 2025 at 09:00:29PM +0200, Andrey Albershteyn wrote:
> > > Mostly because it was already implemented. But looking for benefits,
> > > attr can be inode LOCAL so a bit of saved space? Also, seems like a
> > > better interface than to look at a magic offset
> > 
> > Well, can you document the rationale somewhere?
> > 
> 
> We discussed this a bit with Darrick, and it probably makes more
> sense to have descriptor in data fork if fscrypt is added. As
> descriptor has root hash of the tree (and on small files this is
> just a file hash), and fscrypt expects merkle tree to be encrypted
> as it's hash of plaintext data.

To cite my own sources, the last Q in the Q&A in
https://docs.kernel.org/filesystems/fsverity.html#faq

states that:

"ext4 and f2fs encryption doesn’t encrypt xattrs, yet the Merkle tree
must be encrypted when the file contents are, because it stores hashes
of the plaintext file contents."

So on the grounds that we're following the ext4/f2fs merkle tree layout
model to keep our options open for fscrypt later, I think we need the
verity descriptor to be in the posteof file data, not an xattr.

--D
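
An added illustration, not part of the original message or of the XFS patch series: a sketch of the Merkle tree root hash construction from the fs-verity documentation cited above, showing why a root hash kept outside the encrypted data is a hash of plaintext. It assumes SHA-256, 4096-byte blocks and no salt; the function names and sample contents are hypothetical.

```python
import hashlib

BLOCK_SIZE = 4096   # assumption: 4 KiB data and Merkle tree blocks
DIGEST_SIZE = 32    # SHA-256 digest length


def hash_block(block: bytes) -> bytes:
    """Hash one block, zero-padded to BLOCK_SIZE (no salt assumed)."""
    return hashlib.sha256(block.ljust(BLOCK_SIZE, b"\0")).digest()


def merkle_root(plaintext: bytes) -> bytes:
    """Root hash computed over the plaintext file contents."""
    if not plaintext:
        return bytes(DIGEST_SIZE)  # empty file: root hash is all zeroes
    # Level 1: one hash per data block.
    level = [hash_block(plaintext[i:i + BLOCK_SIZE])
             for i in range(0, len(plaintext), BLOCK_SIZE)]
    # Higher levels: pack hashes into blocks and hash those, until one is left.
    per_block = BLOCK_SIZE // DIGEST_SIZE
    while len(level) > 1:
        level = [hash_block(b"".join(level[i:i + per_block]))
                 for i in range(0, len(level), per_block)]
    return level[0]


def stored_root_matches(stored_root: bytes, candidate: bytes) -> bool:
    """True when a readable root hash equals the root of candidate contents.

    No encryption key is involved: the root depends only on the plaintext,
    which is why the descriptor has to be protected like the file data.
    """
    return stored_root == merkle_root(candidate)


if __name__ == "__main__":
    secret = b"constructed sample contents\n"       # constructed sample
    root = merkle_root(secret)                      # what the descriptor holds
    # For a file that fits in one block, the root is just the padded file hash.
    print(root == hashlib.sha256(secret.ljust(BLOCK_SIZE, b"\0")).digest())
    print(stored_root_matches(root, secret))
    print(stored_root_matches(root, b"some other contents\n"))
```
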



