Re: storing an explicit nonce
Stephen Frost <sfrost@snowman.net>
From: Stephen Frost <sfrost@snowman.net>
To: Bruce Momjian <bruce@momjian.us>
Cc: Andres Freund <andres@anarazel.de>, Robert Haas <robertmhaas@gmail.com>, Alvaro Herrera <alvherre@alvh.no-ip.org>, Masahiko Sawada <sawada.mshk@gmail.com>, Tom Kincaid <tomjohnkincaid@gmail.com>, Amit Kapila <amit.kapila16@gmail.com>, Thomas Munro <thomas.munro@gmail.com>, PostgreSQL-development <pgsql-hackers@postgresql.org>, Masahiko Sawada <masahiko.sawada@2ndquadrant.com>
Date: 2021-05-25T21:14:24Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Rethink method for assigning OIDs to the template0 and postgres DBs.
- 2cb1272445d2 15.0 landed
-
pg_upgrade: Preserve database OIDs.
- aa01051418f1 15.0 landed
-
pg_upgrade: Preserve relfilenodes and tablespace OIDs.
- 9a974cbcba00 15.0 landed
-
Fix for new Boolean node
- cf925936ecc0 15.0 cited
-
Improve error handling of HMAC computations
- 5513dc6a304d 15.0 cited
-
Add macro RelationIsPermanent() to report relation permanence
- 95d77149c535 14.0 landed
-
Enhance nbtree index tuple deletion.
- d168b666823b 14.0 cited
Greetings, * Bruce Momjian (bruce@momjian.us) wrote: > On Tue, May 25, 2021 at 01:54:21PM -0700, Andres Freund wrote: > > On 2021-05-25 15:34:04 -0400, Bruce Momjian wrote: > > > My point is that we have to full-page-write cases where we change the > > > nonce --- we get a new LSN/nonce for free if we are using the LSN as the > > > nonce. What has made this approach much easier is that you basically > > > tie a change of the nonce to require a change of LSN, since you are WAL > > > logging it and every nonce change has to be full-page-write WAL logged. > > > This makes the LSN-as-nonce less fragile to breakage than a custom > > > nonce, in my opinion, which may explain why my patch is so small. > > > > This disregards that we need to be able to increment nonces on standbys > > / during crash recovery. > > > > It may look like that's not needed, with an (wrong!) argument like: The > > only writes come from crash recovery, which always are associated with a > > WAL record, guaranteeing nonce increases. Hint bits are not an issue > > because they don't mark the buffer dirty. > > > > But unfortunately that analysis is wrong. Consider the following > > sequence: > > > > 1) replay record LSN X affecting page Y (FPI replay) > > 2) write out Y, encrypt Y using X as nonce > > 3) crash > > 4) replay record LSN X affecting page Y (FPI replay) > > 5) hint bit update to Y, resulting in Y' > > 6) write out Y', encrypt Y' using X as nonce > > > > While 5) did not mark the page as dirty, it still modified the page > > contents. Which means that we'd encrypt different content with the same > > nonce - which is not allowed. > > > > I'm pretty sure that there's several other ways to end up with page > > contents that differ, despite the LSN not changing. > > Yes, I can see that happening. I think occasional leakage of hint bit > changes to be acceptable. We might decide they are all acceptable. I don't think that I agree with the idea that this would ultimately only leak the hint bits- I'm fairly sure that this would make it relatively trivial for an attacker to be able to deduce the contents of the entire 8k page. I don't know that we should be willing to accept that as a part of regular operation (which we generally view crashes as being). I had thought there was something in place to address this though. If not, it does seem like there should be. Thanks, Stephen