Greetings, * Bruce Momjian (br...@momjian.us) wrote: > On Tue, May 25, 2021 at 01:54:21PM -0700, Andres Freund wrote: > > On 2021-05-25 15:34:04 -0400, Bruce Momjian wrote: > > > My point is that we have to full-page-write cases where we change the > > > nonce --- we get a new LSN/nonce for free if we are using the LSN as the > > > nonce. What has made this approach much easier is that you basically > > > tie a change of the nonce to require a change of LSN, since you are WAL > > > logging it and every nonce change has to be full-page-write WAL logged. > > > This makes the LSN-as-nonce less fragile to breakage than a custom > > > nonce, in my opinion, which may explain why my patch is so small. > > > > This disregards that we need to be able to increment nonces on standbys > > / during crash recovery. > > > > It may look like that's not needed, with an (wrong!) argument like: The > > only writes come from crash recovery, which always are associated with a > > WAL record, guaranteeing nonce increases. Hint bits are not an issue > > because they don't mark the buffer dirty. > > > > But unfortunately that analysis is wrong. Consider the following > > sequence: > > > > 1) replay record LSN X affecting page Y (FPI replay) > > 2) write out Y, encrypt Y using X as nonce > > 3) crash > > 4) replay record LSN X affecting page Y (FPI replay) > > 5) hint bit update to Y, resulting in Y' > > 6) write out Y', encrypt Y' using X as nonce > > > > While 5) did not mark the page as dirty, it still modified the page > > contents. Which means that we'd encrypt different content with the same > > nonce - which is not allowed. > > > > I'm pretty sure that there's several other ways to end up with page > > contents that differ, despite the LSN not changing. > > Yes, I can see that happening. I think occasional leakage of hint bit > changes to be acceptable. We might decide they are all acceptable.
I don't think that I agree with the idea that this would ultimately only leak the hint bits- I'm fairly sure that this would make it relatively trivial for an attacker to be able to deduce the contents of the entire 8k page. I don't know that we should be willing to accept that as a part of regular operation (which we generally view crashes as being). I had thought there was something in place to address this though. If not, it does seem like there should be. Thanks, Stephen
signature.asc
Description: PGP signature