How should we check the integrity of important files?

Because APFS doesn’t offer any feature to verify the integrity of the data in our important files, the only option is to design an app to handle that. As I’ve already done so, this article steps through my rationale and design decisions.

Choosing the digest

There’s a wide range of methods for computing message digests, single values that can be used as a ‘fingerprint’ or ‘summary’ of the contents of a complete file. These fall into two main categories: checksums and cryptographic hashes. Although checksums can be much faster to calculate, they can also suffer some surprising shortcomings. For example, according to Wikipedia:
“The Fletcher checksum cannot distinguish between blocks of all 0 bits and blocks of all 1 bits. For example, if a 16-bit block in the data word changes from 0x0000 to 0xFFFF, the Fletcher-32 checksum remains the same. This also means a sequence of all 00 bytes has the same checksum as a sequence (of the same size) of all FF bytes.”
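
To see that in practice, here’s a minimal Fletcher-32 sketch in Swift; the function and test values are mine, for illustration only, and both blocks of words produce the same checksum:

```swift
import Foundation

// Minimal Fletcher-32 over 16-bit words, for illustration only.
func fletcher32(_ words: [UInt16]) -> UInt32 {
    var sum1: UInt32 = 0
    var sum2: UInt32 = 0
    for word in words {
        sum1 = (sum1 + UInt32(word)) % 0xFFFF
        sum2 = (sum2 + sum1) % 0xFFFF
    }
    return (sum2 << 16) | sum1
}

// 0x0000 and 0xFFFF are congruent modulo 0xFFFF, so these collide.
let zeros = [UInt16](repeating: 0x0000, count: 8)
let ones = [UInt16](repeating: 0xFFFF, count: 8)
print(String(format: "%08x", fletcher32(zeros))) // 00000000
print(String(format: "%08x", fletcher32(ones)))  // 00000000
```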

Properties of cryptographic hashes have been explored more extensively, and those based on the SHA-2 standards are generally accepted as being thoroughly reliable. Apple provides three implementations, SHA-256, SHA-384 and SHA-512, in its Common Crypto (macOS 10.14 and earlier) and CryptoKit (macOS 10.15 and later) APIs.
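
Computing a one-shot digest with CryptoKit takes only a few lines. This is a minimal sketch, not Dintch’s actual code:

```swift
import CryptoKit   // macOS 10.15 or later
import Foundation

// One-shot SHA-256 digest of data held in memory.
let digest = SHA256.hash(data: Data("hello".utf8))

// The digest is 32 bytes; render it as hex for display.
print(digest.map { String(format: "%02x", $0) }.joined())
```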

Two characteristics are of particular importance here: speed and the size of the resulting digest. To compare these, tests were performed using files of 1 and 10 GB size on the M1 Max chip in a Mac Studio. SHA-256 in CryptoKit consistently delivered a hashing speed of 2.1 GB/s, for a digest length of 32 bytes; SHA-512 delivered a significantly lower speed of only 1.3 GB/s and a larger digest of 64 bytes. As SHA-384 uses the same algorithm as SHA-512, it too delivered 1.3 GB/s.

While modern substitutes for SHA-256 might deliver higher speeds, lack of support in both Common Crypto and CryptoKit is a deterrent to their adoption in macOS. I therefore decided to use SHA-256 throughout.

Storing hashes

As a general principle, important metadata such as message digests of files should be associated with the files themselves, in the form of an extended attribute. Storing hashes in a separate directory manifest makes them dependent on the contents of directories remaining unchanged, which might work well on read-only storage media, but isn’t suitable when directory contents can be changed and verified files moved around.

To make the extended attribute of type co.eclecticlight.dintch.hash as persistent as possible, the flag #S should be attached. That’s done by appending #S to the attribute’s name, marking it as syncable, so that it should be preserved when the file is copied or synced.
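
Here’s a sketch of reading and writing that attribute using the BSD getxattr and setxattr calls; the helper names are mine, and error handling is kept to a minimum:

```swift
import Foundation

// The #S flag rides on the end of the attribute's name.
let attrName = "co.eclecticlight.dintch.hash#S"

// Write a digest to the file's extended attribute.
func writeHash(_ digest: Data, to path: String) -> Bool {
    let result = digest.withUnsafeBytes {
        setxattr(path, attrName, $0.baseAddress, $0.count, 0, 0)
    }
    return result == 0
}

// Read the stored digest back, or nil if there isn't one.
func readHash(from path: String) -> Data? {
    let size = getxattr(path, attrName, nil, 0, 0, 0)
    guard size > 0 else { return nil }
    var data = Data(count: size)
    let read = data.withUnsafeMutableBytes {
        getxattr(path, attrName, $0.baseAddress, size, 0, 0)
    }
    return read == size ? data : nil
}
```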

Performance

Three functions are required as a minimum: add a freshly computed hash to each file, check whether an existing hash matches that of the file data, and update hashes so that each matches its current file data. In all three cases, the rate-limiting step is identical: the computation of the SHA-256 hash of the file data. No significant differences were seen in the performance of those three features in Dintch when all files were stored on the internal SSD of the Mac Studio.

Tuning the size of the read buffer makes relatively little difference to overall performance: when checking a single 10 GB file, the time required varied little with buffer sizes from 512 KB to 2 MB.
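
Here’s a sketch of that rate-limiting loop, streaming the file through CryptoKit in fixed-size chunks; the function names are mine, readHash comes from the earlier sketch, and 1 MB sits in the middle of that buffer range:

```swift
import CryptoKit
import Foundation

// Stream a file through SHA-256 in fixed-size chunks.
func sha256(ofFileAt url: URL, bufferSize: Int = 1_048_576) throws -> Data {
    let handle = try FileHandle(forReadingFrom: url)
    defer { try? handle.close() }
    var hasher = SHA256()
    while let chunk = try handle.read(upToCount: bufferSize), !chunk.isEmpty {
        hasher.update(data: chunk)
    }
    return Data(hasher.finalize())
}

// Check: does the stored digest still match the file's data?
func checkFile(at url: URL) throws -> Bool {
    guard let stored = readHash(from: url.path) else { return false }
    return try sha256(ofFileAt: url) == stored
}
```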

Overall processing speeds, including all operations for each of the three features, when run at either of the faster speed settings in Dintch, were:

  • single 10 GB file – 2.1 GB/s
  • five 1 GB files – 2.0 GB/s
  • 15 files totalling 10.7 GB – 2.0 GB/s
  • 121 files averaging 263 KB each – 114 MB/s, or 434 files/s.

When run exclusively on E cores, at the slowest speed setting, speeds fell to 0.6 GB/s for larger files, and 22 MB/s (85 files/s) for the last, small-file test group.
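
There’s no direct way to request the E cores; instead, dispatching work at a low quality of service such as .background normally confines it to them on Apple silicon. A minimal sketch, assuming a filesToCheck array and the checkFile function above, with an illustrative queue label:

```swift
import Foundation

// Hypothetical list of files awaiting checking.
let filesToCheck: [URL] = []

// Work dispatched at .background QoS normally runs on the E cores,
// trading speed for minimal impact on the rest of the system.
let queue = DispatchQueue(label: "co.eclecticlight.dintch.check", qos: .background)

queue.async {
    for url in filesToCheck {
        _ = try? checkFile(at: url)   // checkFile from the sketch above
    }
}
```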

Error correction

Detecting errors by checking message digests is important and useful, but only part of the solution. Should a discrepancy arise between the SHA-256 hash of a file and its previous value, wouldn’t it be more helpful if the error could be corrected too?

Unfortunately, although the problems don’t appear too dissimilar, error-correcting codes are considerably more complex, and require substantial amounts of additional storage if they are to be effective against anything more than the most trivial of errors. The great majority of work on error-correction has concentrated on streams of data transmitted in radio signals, or over networks, and little has been devoted to files in storage.

The worst case for any file is total loss, either because all the data has been deleted, or it has been damaged throughout. In signal transmission, that situation would normally be handled by requesting retransmission, an option not open when the only intact copy of a file has been lost or destroyed.

Conventional redundancy techniques for files store multiple copies, for example in RAID 1 mirrors. These are inefficient, as each redundant copy requires the full size of the original. A more efficient alternative for files that don’t change frequently is to store redundant copies using lossless compression. Some forms of compression readily available in macOS, such as Apple Archive, preserve extended attributes, so can accommodate message digests, use multiple cores efficiently, and preserve special formats such as sparse files. They appear best-suited to such redundant storage schemes.
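
As a sketch of how such a redundant copy might be written using the AppleArchive framework, following the pattern in Apple’s documentation; the function name and error choice are mine, and I’m assuming the default key set carries the metadata, including extended attributes, needed to restore each file:

```swift
import AppleArchive
import Foundation
import System

// Compress a folder of verified files into an Apple Archive (.aar).
func archiveDirectory(at source: FilePath, to destination: FilePath) throws {
    guard let fileStream = ArchiveByteStream.fileStream(
            path: destination,
            mode: .writeOnly,
            options: [.create, .truncate],
            permissions: FilePermissions(rawValue: 0o644)),
          let compressStream = ArchiveByteStream.compressionStream(
            using: .lzfse,
            writingTo: fileStream),
          let encodeStream = ArchiveStream.encodeStream(
            writingTo: compressStream) else {
        throw CocoaError(.fileWriteUnknown)
    }
    defer {
        try? encodeStream.close()
        try? compressStream.close()
        try? fileStream.close()
    }
    // Walk the directory and encode each entry into the archive.
    try encodeStream.writeDirectoryContents(
        archiveFrom: source,
        keySet: .defaultForArchive)
}
```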

Summary

  • Message digests should be SHA-256 hashes, computed using CryptoKit where available, or Common Crypto where that’s not supported.
  • Message digests should be saved as extended attributes, made persistent using the #S flag.
  • On larger files, this should see processing at a rate of about 2 GB/s on faster Apple silicon Macs.
  • An option for background processing should yield up to 0.6 GB/s on larger files.
  • Error-correction is best achieved using redundant copies, complete with message digests, and compressed using Apple Archive for greatest efficiency.