1*eda14cbcSMatt Macy /* 2*eda14cbcSMatt Macy * CDDL HEADER START 3*eda14cbcSMatt Macy * 4*eda14cbcSMatt Macy * This file and its contents are supplied under the terms of the 5*eda14cbcSMatt Macy * Common Development and Distribution License ("CDDL"), version 1.0. 6*eda14cbcSMatt Macy * You may only use this file in accordance with the terms of version 7*eda14cbcSMatt Macy * 1.0 of the CDDL. 8*eda14cbcSMatt Macy * 9*eda14cbcSMatt Macy * A full copy of the text of the CDDL should have accompanied this 10*eda14cbcSMatt Macy * source. A copy of the CDDL is also available via the Internet at 11*eda14cbcSMatt Macy * http://www.illumos.org/license/CDDL. 12*eda14cbcSMatt Macy * 13*eda14cbcSMatt Macy * CDDL HEADER END 14*eda14cbcSMatt Macy */ 15*eda14cbcSMatt Macy 16*eda14cbcSMatt Macy /* 17*eda14cbcSMatt Macy * Copyright (c) 2017, Datto, Inc. All rights reserved. 18*eda14cbcSMatt Macy * Copyright (c) 2018 by Delphix. All rights reserved. 19*eda14cbcSMatt Macy */ 20*eda14cbcSMatt Macy 21*eda14cbcSMatt Macy #include <sys/dsl_crypt.h> 22*eda14cbcSMatt Macy #include <sys/dsl_pool.h> 23*eda14cbcSMatt Macy #include <sys/zap.h> 24*eda14cbcSMatt Macy #include <sys/zil.h> 25*eda14cbcSMatt Macy #include <sys/dsl_dir.h> 26*eda14cbcSMatt Macy #include <sys/dsl_prop.h> 27*eda14cbcSMatt Macy #include <sys/spa_impl.h> 28*eda14cbcSMatt Macy #include <sys/dmu_objset.h> 29*eda14cbcSMatt Macy #include <sys/zvol.h> 30*eda14cbcSMatt Macy 31*eda14cbcSMatt Macy /* 32*eda14cbcSMatt Macy * This file's primary purpose is for managing master encryption keys in 33*eda14cbcSMatt Macy * memory and on disk. For more info on how these keys are used, see the 34*eda14cbcSMatt Macy * block comment in zio_crypt.c. 35*eda14cbcSMatt Macy * 36*eda14cbcSMatt Macy * All master keys are stored encrypted on disk in the form of the DSL 37*eda14cbcSMatt Macy * Crypto Key ZAP object. The binary key data in this object is always 38*eda14cbcSMatt Macy * randomly generated and is encrypted with the user's wrapping key. This 39*eda14cbcSMatt Macy * layer of indirection allows the user to change their key without 40*eda14cbcSMatt Macy * needing to re-encrypt the entire dataset. The ZAP also holds on to the 41*eda14cbcSMatt Macy * (non-encrypted) encryption algorithm identifier, IV, and MAC needed to 42*eda14cbcSMatt Macy * safely decrypt the master key. For more info on the user's key see the 43*eda14cbcSMatt Macy * block comment in libzfs_crypto.c 44*eda14cbcSMatt Macy * 45*eda14cbcSMatt Macy * In-memory encryption keys are managed through the spa_keystore. The 46*eda14cbcSMatt Macy * keystore consists of 3 AVL trees, which are as follows: 47*eda14cbcSMatt Macy * 48*eda14cbcSMatt Macy * The Wrapping Key Tree: 49*eda14cbcSMatt Macy * The wrapping key (wkey) tree stores the user's keys that are fed into the 50*eda14cbcSMatt Macy * kernel through 'zfs load-key' and related commands. Datasets inherit their 51*eda14cbcSMatt Macy * parent's wkey by default, so these structures are refcounted. The wrapping 52*eda14cbcSMatt Macy * keys remain in memory until they are explicitly unloaded (with 53*eda14cbcSMatt Macy * "zfs unload-key"). Unloading is only possible when no datasets are using 54*eda14cbcSMatt Macy * them (refcount=0). 55*eda14cbcSMatt Macy * 56*eda14cbcSMatt Macy * The DSL Crypto Key Tree: 57*eda14cbcSMatt Macy * The DSL Crypto Keys (DCK) are the in-memory representation of decrypted 58*eda14cbcSMatt Macy * master keys. They are used by the functions in zio_crypt.c to perform 59*eda14cbcSMatt Macy * encryption, decryption, and authentication. Snapshots and clones of a given 60*eda14cbcSMatt Macy * dataset will share a DSL Crypto Key, so they are also refcounted. Once the 61*eda14cbcSMatt Macy * refcount on a key hits zero, it is immediately zeroed out and freed. 62*eda14cbcSMatt Macy * 63*eda14cbcSMatt Macy * The Crypto Key Mapping Tree: 64*eda14cbcSMatt Macy * The zio layer needs to lookup master keys by their dataset object id. Since 65*eda14cbcSMatt Macy * the DSL Crypto Keys can belong to multiple datasets, we maintain a tree of 66*eda14cbcSMatt Macy * dsl_key_mapping_t's which essentially just map the dataset object id to its 67*eda14cbcSMatt Macy * appropriate DSL Crypto Key. The management for creating and destroying these 68*eda14cbcSMatt Macy * mappings hooks into the code for owning and disowning datasets. Usually, 69*eda14cbcSMatt Macy * there will only be one active dataset owner, but there are times 70*eda14cbcSMatt Macy * (particularly during dataset creation and destruction) when this may not be 71*eda14cbcSMatt Macy * true or the dataset may not be initialized enough to own. As a result, this 72*eda14cbcSMatt Macy * object is also refcounted. 73*eda14cbcSMatt Macy */ 74*eda14cbcSMatt Macy 75*eda14cbcSMatt Macy /* 76*eda14cbcSMatt Macy * This tunable allows datasets to be raw received even if the stream does 77*eda14cbcSMatt Macy * not include IVset guids or if the guids don't match. This is used as part 78*eda14cbcSMatt Macy * of the resolution for ZPOOL_ERRATA_ZOL_8308_ENCRYPTION. 79*eda14cbcSMatt Macy */ 80*eda14cbcSMatt Macy int zfs_disable_ivset_guid_check = 0; 81*eda14cbcSMatt Macy 82*eda14cbcSMatt Macy static void 83*eda14cbcSMatt Macy dsl_wrapping_key_hold(dsl_wrapping_key_t *wkey, void *tag) 84*eda14cbcSMatt Macy { 85*eda14cbcSMatt Macy (void) zfs_refcount_add(&wkey->wk_refcnt, tag); 86*eda14cbcSMatt Macy } 87*eda14cbcSMatt Macy 88*eda14cbcSMatt Macy static void 89*eda14cbcSMatt Macy dsl_wrapping_key_rele(dsl_wrapping_key_t *wkey, void *tag) 90*eda14cbcSMatt Macy { 91*eda14cbcSMatt Macy (void) zfs_refcount_remove(&wkey->wk_refcnt, tag); 92*eda14cbcSMatt Macy } 93*eda14cbcSMatt Macy 94*eda14cbcSMatt Macy static void 95*eda14cbcSMatt Macy dsl_wrapping_key_free(dsl_wrapping_key_t *wkey) 96*eda14cbcSMatt Macy { 97*eda14cbcSMatt Macy ASSERT0(zfs_refcount_count(&wkey->wk_refcnt)); 98*eda14cbcSMatt Macy 99*eda14cbcSMatt Macy if (wkey->wk_key.ck_data) { 100*eda14cbcSMatt Macy bzero(wkey->wk_key.ck_data, 101*eda14cbcSMatt Macy CRYPTO_BITS2BYTES(wkey->wk_key.ck_length)); 102*eda14cbcSMatt Macy kmem_free(wkey->wk_key.ck_data, 103*eda14cbcSMatt Macy CRYPTO_BITS2BYTES(wkey->wk_key.ck_length)); 104*eda14cbcSMatt Macy } 105*eda14cbcSMatt Macy 106*eda14cbcSMatt Macy zfs_refcount_destroy(&wkey->wk_refcnt); 107*eda14cbcSMatt Macy kmem_free(wkey, sizeof (dsl_wrapping_key_t)); 108*eda14cbcSMatt Macy } 109*eda14cbcSMatt Macy 110*eda14cbcSMatt Macy static void 111*eda14cbcSMatt Macy dsl_wrapping_key_create(uint8_t *wkeydata, zfs_keyformat_t keyformat, 112*eda14cbcSMatt Macy uint64_t salt, uint64_t iters, dsl_wrapping_key_t **wkey_out) 113*eda14cbcSMatt Macy { 114*eda14cbcSMatt Macy dsl_wrapping_key_t *wkey; 115*eda14cbcSMatt Macy 116*eda14cbcSMatt Macy /* allocate the wrapping key */ 117*eda14cbcSMatt Macy wkey = kmem_alloc(sizeof (dsl_wrapping_key_t), KM_SLEEP); 118*eda14cbcSMatt Macy 119*eda14cbcSMatt Macy /* allocate and initialize the underlying crypto key */ 120*eda14cbcSMatt Macy wkey->wk_key.ck_data = kmem_alloc(WRAPPING_KEY_LEN, KM_SLEEP); 121*eda14cbcSMatt Macy 122*eda14cbcSMatt Macy wkey->wk_key.ck_format = CRYPTO_KEY_RAW; 123*eda14cbcSMatt Macy wkey->wk_key.ck_length = CRYPTO_BYTES2BITS(WRAPPING_KEY_LEN); 124*eda14cbcSMatt Macy bcopy(wkeydata, wkey->wk_key.ck_data, WRAPPING_KEY_LEN); 125*eda14cbcSMatt Macy 126*eda14cbcSMatt Macy /* initialize the rest of the struct */ 127*eda14cbcSMatt Macy zfs_refcount_create(&wkey->wk_refcnt); 128*eda14cbcSMatt Macy wkey->wk_keyformat = keyformat; 129*eda14cbcSMatt Macy wkey->wk_salt = salt; 130*eda14cbcSMatt Macy wkey->wk_iters = iters; 131*eda14cbcSMatt Macy 132*eda14cbcSMatt Macy *wkey_out = wkey; 133*eda14cbcSMatt Macy } 134*eda14cbcSMatt Macy 135*eda14cbcSMatt Macy int 136*eda14cbcSMatt Macy dsl_crypto_params_create_nvlist(dcp_cmd_t cmd, nvlist_t *props, 137*eda14cbcSMatt Macy nvlist_t *crypto_args, dsl_crypto_params_t **dcp_out) 138*eda14cbcSMatt Macy { 139*eda14cbcSMatt Macy int ret; 140*eda14cbcSMatt Macy uint64_t crypt = ZIO_CRYPT_INHERIT; 141*eda14cbcSMatt Macy uint64_t keyformat = ZFS_KEYFORMAT_NONE; 142*eda14cbcSMatt Macy uint64_t salt = 0, iters = 0; 143*eda14cbcSMatt Macy dsl_crypto_params_t *dcp = NULL; 144*eda14cbcSMatt Macy dsl_wrapping_key_t *wkey = NULL; 145*eda14cbcSMatt Macy uint8_t *wkeydata = NULL; 146*eda14cbcSMatt Macy uint_t wkeydata_len = 0; 147*eda14cbcSMatt Macy char *keylocation = NULL; 148*eda14cbcSMatt Macy 149*eda14cbcSMatt Macy dcp = kmem_zalloc(sizeof (dsl_crypto_params_t), KM_SLEEP); 150*eda14cbcSMatt Macy dcp->cp_cmd = cmd; 151*eda14cbcSMatt Macy 152*eda14cbcSMatt Macy /* get relevant arguments from the nvlists */ 153*eda14cbcSMatt Macy if (props != NULL) { 154*eda14cbcSMatt Macy (void) nvlist_lookup_uint64(props, 155*eda14cbcSMatt Macy zfs_prop_to_name(ZFS_PROP_ENCRYPTION), &crypt); 156*eda14cbcSMatt Macy (void) nvlist_lookup_uint64(props, 157*eda14cbcSMatt Macy zfs_prop_to_name(ZFS_PROP_KEYFORMAT), &keyformat); 158*eda14cbcSMatt Macy (void) nvlist_lookup_string(props, 159*eda14cbcSMatt Macy zfs_prop_to_name(ZFS_PROP_KEYLOCATION), &keylocation); 160*eda14cbcSMatt Macy (void) nvlist_lookup_uint64(props, 161*eda14cbcSMatt Macy zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), &salt); 162*eda14cbcSMatt Macy (void) nvlist_lookup_uint64(props, 163*eda14cbcSMatt Macy zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), &iters); 164*eda14cbcSMatt Macy 165*eda14cbcSMatt Macy dcp->cp_crypt = crypt; 166*eda14cbcSMatt Macy } 167*eda14cbcSMatt Macy 168*eda14cbcSMatt Macy if (crypto_args != NULL) { 169*eda14cbcSMatt Macy (void) nvlist_lookup_uint8_array(crypto_args, "wkeydata", 170*eda14cbcSMatt Macy &wkeydata, &wkeydata_len); 171*eda14cbcSMatt Macy } 172*eda14cbcSMatt Macy 173*eda14cbcSMatt Macy /* check for valid command */ 174*eda14cbcSMatt Macy if (dcp->cp_cmd >= DCP_CMD_MAX) { 175*eda14cbcSMatt Macy ret = SET_ERROR(EINVAL); 176*eda14cbcSMatt Macy goto error; 177*eda14cbcSMatt Macy } else { 178*eda14cbcSMatt Macy dcp->cp_cmd = cmd; 179*eda14cbcSMatt Macy } 180*eda14cbcSMatt Macy 181*eda14cbcSMatt Macy /* check for valid crypt */ 182*eda14cbcSMatt Macy if (dcp->cp_crypt >= ZIO_CRYPT_FUNCTIONS) { 183*eda14cbcSMatt Macy ret = SET_ERROR(EINVAL); 184*eda14cbcSMatt Macy goto error; 185*eda14cbcSMatt Macy } else { 186*eda14cbcSMatt Macy dcp->cp_crypt = crypt; 187*eda14cbcSMatt Macy } 188*eda14cbcSMatt Macy 189*eda14cbcSMatt Macy /* check for valid keyformat */ 190*eda14cbcSMatt Macy if (keyformat >= ZFS_KEYFORMAT_FORMATS) { 191*eda14cbcSMatt Macy ret = SET_ERROR(EINVAL); 192*eda14cbcSMatt Macy goto error; 193*eda14cbcSMatt Macy } 194*eda14cbcSMatt Macy 195*eda14cbcSMatt Macy /* check for a valid keylocation (of any kind) and copy it in */ 196*eda14cbcSMatt Macy if (keylocation != NULL) { 197*eda14cbcSMatt Macy if (!zfs_prop_valid_keylocation(keylocation, B_FALSE)) { 198*eda14cbcSMatt Macy ret = SET_ERROR(EINVAL); 199*eda14cbcSMatt Macy goto error; 200*eda14cbcSMatt Macy } 201*eda14cbcSMatt Macy 202*eda14cbcSMatt Macy dcp->cp_keylocation = spa_strdup(keylocation); 203*eda14cbcSMatt Macy } 204*eda14cbcSMatt Macy 205*eda14cbcSMatt Macy /* check wrapping key length, if given */ 206*eda14cbcSMatt Macy if (wkeydata != NULL && wkeydata_len != WRAPPING_KEY_LEN) { 207*eda14cbcSMatt Macy ret = SET_ERROR(EINVAL); 208*eda14cbcSMatt Macy goto error; 209*eda14cbcSMatt Macy } 210*eda14cbcSMatt Macy 211*eda14cbcSMatt Macy /* if the user asked for the default crypt, determine that now */ 212*eda14cbcSMatt Macy if (dcp->cp_crypt == ZIO_CRYPT_ON) 213*eda14cbcSMatt Macy dcp->cp_crypt = ZIO_CRYPT_ON_VALUE; 214*eda14cbcSMatt Macy 215*eda14cbcSMatt Macy /* create the wrapping key from the raw data */ 216*eda14cbcSMatt Macy if (wkeydata != NULL) { 217*eda14cbcSMatt Macy /* create the wrapping key with the verified parameters */ 218*eda14cbcSMatt Macy dsl_wrapping_key_create(wkeydata, keyformat, salt, 219*eda14cbcSMatt Macy iters, &wkey); 220*eda14cbcSMatt Macy dcp->cp_wkey = wkey; 221*eda14cbcSMatt Macy } 222*eda14cbcSMatt Macy 223*eda14cbcSMatt Macy /* 224*eda14cbcSMatt Macy * Remove the encryption properties from the nvlist since they are not 225*eda14cbcSMatt Macy * maintained through the DSL. 226*eda14cbcSMatt Macy */ 227*eda14cbcSMatt Macy (void) nvlist_remove_all(props, zfs_prop_to_name(ZFS_PROP_ENCRYPTION)); 228*eda14cbcSMatt Macy (void) nvlist_remove_all(props, zfs_prop_to_name(ZFS_PROP_KEYFORMAT)); 229*eda14cbcSMatt Macy (void) nvlist_remove_all(props, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT)); 230*eda14cbcSMatt Macy (void) nvlist_remove_all(props, 231*eda14cbcSMatt Macy zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS)); 232*eda14cbcSMatt Macy 233*eda14cbcSMatt Macy *dcp_out = dcp; 234*eda14cbcSMatt Macy 235*eda14cbcSMatt Macy return (0); 236*eda14cbcSMatt Macy 237*eda14cbcSMatt Macy error: 238*eda14cbcSMatt Macy if (wkey != NULL) 239*eda14cbcSMatt Macy dsl_wrapping_key_free(wkey); 240*eda14cbcSMatt Macy if (dcp != NULL) 241*eda14cbcSMatt Macy kmem_free(dcp, sizeof (dsl_crypto_params_t)); 242*eda14cbcSMatt Macy 243*eda14cbcSMatt Macy *dcp_out = NULL; 244*eda14cbcSMatt Macy return (ret); 245*eda14cbcSMatt Macy } 246*eda14cbcSMatt Macy 247*eda14cbcSMatt Macy void 248*eda14cbcSMatt Macy dsl_crypto_params_free(dsl_crypto_params_t *dcp, boolean_t unload) 249*eda14cbcSMatt Macy { 250*eda14cbcSMatt Macy if (dcp == NULL) 251*eda14cbcSMatt Macy return; 252*eda14cbcSMatt Macy 253*eda14cbcSMatt Macy if (dcp->cp_keylocation != NULL) 254*eda14cbcSMatt Macy spa_strfree(dcp->cp_keylocation); 255*eda14cbcSMatt Macy if (unload && dcp->cp_wkey != NULL) 256*eda14cbcSMatt Macy dsl_wrapping_key_free(dcp->cp_wkey); 257*eda14cbcSMatt Macy 258*eda14cbcSMatt Macy kmem_free(dcp, sizeof (dsl_crypto_params_t)); 259*eda14cbcSMatt Macy } 260*eda14cbcSMatt Macy 261*eda14cbcSMatt Macy static int 262*eda14cbcSMatt Macy spa_crypto_key_compare(const void *a, const void *b) 263*eda14cbcSMatt Macy { 264*eda14cbcSMatt Macy const dsl_crypto_key_t *dcka = a; 265*eda14cbcSMatt Macy const dsl_crypto_key_t *dckb = b; 266*eda14cbcSMatt Macy 267*eda14cbcSMatt Macy if (dcka->dck_obj < dckb->dck_obj) 268*eda14cbcSMatt Macy return (-1); 269*eda14cbcSMatt Macy if (dcka->dck_obj > dckb->dck_obj) 270*eda14cbcSMatt Macy return (1); 271*eda14cbcSMatt Macy return (0); 272*eda14cbcSMatt Macy } 273*eda14cbcSMatt Macy 274*eda14cbcSMatt Macy static int 275*eda14cbcSMatt Macy spa_key_mapping_compare(const void *a, const void *b) 276*eda14cbcSMatt Macy { 277*eda14cbcSMatt Macy const dsl_key_mapping_t *kma = a; 278*eda14cbcSMatt Macy const dsl_key_mapping_t *kmb = b; 279*eda14cbcSMatt Macy 280*eda14cbcSMatt Macy if (kma->km_dsobj < kmb->km_dsobj) 281*eda14cbcSMatt Macy return (-1); 282*eda14cbcSMatt Macy if (kma->km_dsobj > kmb->km_dsobj) 283*eda14cbcSMatt Macy return (1); 284*eda14cbcSMatt Macy return (0); 285*eda14cbcSMatt Macy } 286*eda14cbcSMatt Macy 287*eda14cbcSMatt Macy static int 288*eda14cbcSMatt Macy spa_wkey_compare(const void *a, const void *b) 289*eda14cbcSMatt Macy { 290*eda14cbcSMatt Macy const dsl_wrapping_key_t *wka = a; 291*eda14cbcSMatt Macy const dsl_wrapping_key_t *wkb = b; 292*eda14cbcSMatt Macy 293*eda14cbcSMatt Macy if (wka->wk_ddobj < wkb->wk_ddobj) 294*eda14cbcSMatt Macy return (-1); 295*eda14cbcSMatt Macy if (wka->wk_ddobj > wkb->wk_ddobj) 296*eda14cbcSMatt Macy return (1); 297*eda14cbcSMatt Macy return (0); 298*eda14cbcSMatt Macy } 299*eda14cbcSMatt Macy 300*eda14cbcSMatt Macy void 301*eda14cbcSMatt Macy spa_keystore_init(spa_keystore_t *sk) 302*eda14cbcSMatt Macy { 303*eda14cbcSMatt Macy rw_init(&sk->sk_dk_lock, NULL, RW_DEFAULT, NULL); 304*eda14cbcSMatt Macy rw_init(&sk->sk_km_lock, NULL, RW_DEFAULT, NULL); 305*eda14cbcSMatt Macy rw_init(&sk->sk_wkeys_lock, NULL, RW_DEFAULT, NULL); 306*eda14cbcSMatt Macy avl_create(&sk->sk_dsl_keys, spa_crypto_key_compare, 307*eda14cbcSMatt Macy sizeof (dsl_crypto_key_t), 308*eda14cbcSMatt Macy offsetof(dsl_crypto_key_t, dck_avl_link)); 309*eda14cbcSMatt Macy avl_create(&sk->sk_key_mappings, spa_key_mapping_compare, 310*eda14cbcSMatt Macy sizeof (dsl_key_mapping_t), 311*eda14cbcSMatt Macy offsetof(dsl_key_mapping_t, km_avl_link)); 312*eda14cbcSMatt Macy avl_create(&sk->sk_wkeys, spa_wkey_compare, sizeof (dsl_wrapping_key_t), 313*eda14cbcSMatt Macy offsetof(dsl_wrapping_key_t, wk_avl_link)); 314*eda14cbcSMatt Macy } 315*eda14cbcSMatt Macy 316*eda14cbcSMatt Macy void 317*eda14cbcSMatt Macy spa_keystore_fini(spa_keystore_t *sk) 318*eda14cbcSMatt Macy { 319*eda14cbcSMatt Macy dsl_wrapping_key_t *wkey; 320*eda14cbcSMatt Macy void *cookie = NULL; 321*eda14cbcSMatt Macy 322*eda14cbcSMatt Macy ASSERT(avl_is_empty(&sk->sk_dsl_keys)); 323*eda14cbcSMatt Macy ASSERT(avl_is_empty(&sk->sk_key_mappings)); 324*eda14cbcSMatt Macy 325*eda14cbcSMatt Macy while ((wkey = avl_destroy_nodes(&sk->sk_wkeys, &cookie)) != NULL) 326*eda14cbcSMatt Macy dsl_wrapping_key_free(wkey); 327*eda14cbcSMatt Macy 328*eda14cbcSMatt Macy avl_destroy(&sk->sk_wkeys); 329*eda14cbcSMatt Macy avl_destroy(&sk->sk_key_mappings); 330*eda14cbcSMatt Macy avl_destroy(&sk->sk_dsl_keys); 331*eda14cbcSMatt Macy rw_destroy(&sk->sk_wkeys_lock); 332*eda14cbcSMatt Macy rw_destroy(&sk->sk_km_lock); 333*eda14cbcSMatt Macy rw_destroy(&sk->sk_dk_lock); 334*eda14cbcSMatt Macy } 335*eda14cbcSMatt Macy 336*eda14cbcSMatt Macy static int 337*eda14cbcSMatt Macy dsl_dir_get_encryption_root_ddobj(dsl_dir_t *dd, uint64_t *rddobj) 338*eda14cbcSMatt Macy { 339*eda14cbcSMatt Macy if (dd->dd_crypto_obj == 0) 340*eda14cbcSMatt Macy return (SET_ERROR(ENOENT)); 341*eda14cbcSMatt Macy 342*eda14cbcSMatt Macy return (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 343*eda14cbcSMatt Macy DSL_CRYPTO_KEY_ROOT_DDOBJ, 8, 1, rddobj)); 344*eda14cbcSMatt Macy } 345*eda14cbcSMatt Macy 346*eda14cbcSMatt Macy static int 347*eda14cbcSMatt Macy dsl_dir_get_encryption_version(dsl_dir_t *dd, uint64_t *version) 348*eda14cbcSMatt Macy { 349*eda14cbcSMatt Macy *version = 0; 350*eda14cbcSMatt Macy 351*eda14cbcSMatt Macy if (dd->dd_crypto_obj == 0) 352*eda14cbcSMatt Macy return (SET_ERROR(ENOENT)); 353*eda14cbcSMatt Macy 354*eda14cbcSMatt Macy /* version 0 is implied by ENOENT */ 355*eda14cbcSMatt Macy (void) zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 356*eda14cbcSMatt Macy DSL_CRYPTO_KEY_VERSION, 8, 1, version); 357*eda14cbcSMatt Macy 358*eda14cbcSMatt Macy return (0); 359*eda14cbcSMatt Macy } 360*eda14cbcSMatt Macy 361*eda14cbcSMatt Macy boolean_t 362*eda14cbcSMatt Macy dsl_dir_incompatible_encryption_version(dsl_dir_t *dd) 363*eda14cbcSMatt Macy { 364*eda14cbcSMatt Macy int ret; 365*eda14cbcSMatt Macy uint64_t version = 0; 366*eda14cbcSMatt Macy 367*eda14cbcSMatt Macy ret = dsl_dir_get_encryption_version(dd, &version); 368*eda14cbcSMatt Macy if (ret != 0) 369*eda14cbcSMatt Macy return (B_FALSE); 370*eda14cbcSMatt Macy 371*eda14cbcSMatt Macy return (version != ZIO_CRYPT_KEY_CURRENT_VERSION); 372*eda14cbcSMatt Macy } 373*eda14cbcSMatt Macy 374*eda14cbcSMatt Macy static int 375*eda14cbcSMatt Macy spa_keystore_wkey_hold_ddobj_impl(spa_t *spa, uint64_t ddobj, 376*eda14cbcSMatt Macy void *tag, dsl_wrapping_key_t **wkey_out) 377*eda14cbcSMatt Macy { 378*eda14cbcSMatt Macy int ret; 379*eda14cbcSMatt Macy dsl_wrapping_key_t search_wkey; 380*eda14cbcSMatt Macy dsl_wrapping_key_t *found_wkey; 381*eda14cbcSMatt Macy 382*eda14cbcSMatt Macy ASSERT(RW_LOCK_HELD(&spa->spa_keystore.sk_wkeys_lock)); 383*eda14cbcSMatt Macy 384*eda14cbcSMatt Macy /* init the search wrapping key */ 385*eda14cbcSMatt Macy search_wkey.wk_ddobj = ddobj; 386*eda14cbcSMatt Macy 387*eda14cbcSMatt Macy /* lookup the wrapping key */ 388*eda14cbcSMatt Macy found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, &search_wkey, NULL); 389*eda14cbcSMatt Macy if (!found_wkey) { 390*eda14cbcSMatt Macy ret = SET_ERROR(ENOENT); 391*eda14cbcSMatt Macy goto error; 392*eda14cbcSMatt Macy } 393*eda14cbcSMatt Macy 394*eda14cbcSMatt Macy /* increment the refcount */ 395*eda14cbcSMatt Macy dsl_wrapping_key_hold(found_wkey, tag); 396*eda14cbcSMatt Macy 397*eda14cbcSMatt Macy *wkey_out = found_wkey; 398*eda14cbcSMatt Macy return (0); 399*eda14cbcSMatt Macy 400*eda14cbcSMatt Macy error: 401*eda14cbcSMatt Macy *wkey_out = NULL; 402*eda14cbcSMatt Macy return (ret); 403*eda14cbcSMatt Macy } 404*eda14cbcSMatt Macy 405*eda14cbcSMatt Macy static int 406*eda14cbcSMatt Macy spa_keystore_wkey_hold_dd(spa_t *spa, dsl_dir_t *dd, void *tag, 407*eda14cbcSMatt Macy dsl_wrapping_key_t **wkey_out) 408*eda14cbcSMatt Macy { 409*eda14cbcSMatt Macy int ret; 410*eda14cbcSMatt Macy dsl_wrapping_key_t *wkey; 411*eda14cbcSMatt Macy uint64_t rddobj; 412*eda14cbcSMatt Macy boolean_t locked = B_FALSE; 413*eda14cbcSMatt Macy 414*eda14cbcSMatt Macy if (!RW_WRITE_HELD(&spa->spa_keystore.sk_wkeys_lock)) { 415*eda14cbcSMatt Macy rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_READER); 416*eda14cbcSMatt Macy locked = B_TRUE; 417*eda14cbcSMatt Macy } 418*eda14cbcSMatt Macy 419*eda14cbcSMatt Macy /* get the ddobj that the keylocation property was inherited from */ 420*eda14cbcSMatt Macy ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj); 421*eda14cbcSMatt Macy if (ret != 0) 422*eda14cbcSMatt Macy goto error; 423*eda14cbcSMatt Macy 424*eda14cbcSMatt Macy /* lookup the wkey in the avl tree */ 425*eda14cbcSMatt Macy ret = spa_keystore_wkey_hold_ddobj_impl(spa, rddobj, tag, &wkey); 426*eda14cbcSMatt Macy if (ret != 0) 427*eda14cbcSMatt Macy goto error; 428*eda14cbcSMatt Macy 429*eda14cbcSMatt Macy /* unlock the wkey tree if we locked it */ 430*eda14cbcSMatt Macy if (locked) 431*eda14cbcSMatt Macy rw_exit(&spa->spa_keystore.sk_wkeys_lock); 432*eda14cbcSMatt Macy 433*eda14cbcSMatt Macy *wkey_out = wkey; 434*eda14cbcSMatt Macy return (0); 435*eda14cbcSMatt Macy 436*eda14cbcSMatt Macy error: 437*eda14cbcSMatt Macy if (locked) 438*eda14cbcSMatt Macy rw_exit(&spa->spa_keystore.sk_wkeys_lock); 439*eda14cbcSMatt Macy 440*eda14cbcSMatt Macy *wkey_out = NULL; 441*eda14cbcSMatt Macy return (ret); 442*eda14cbcSMatt Macy } 443*eda14cbcSMatt Macy 444*eda14cbcSMatt Macy int 445*eda14cbcSMatt Macy dsl_crypto_can_set_keylocation(const char *dsname, const char *keylocation) 446*eda14cbcSMatt Macy { 447*eda14cbcSMatt Macy int ret = 0; 448*eda14cbcSMatt Macy dsl_dir_t *dd = NULL; 449*eda14cbcSMatt Macy dsl_pool_t *dp = NULL; 450*eda14cbcSMatt Macy uint64_t rddobj; 451*eda14cbcSMatt Macy 452*eda14cbcSMatt Macy /* hold the dsl dir */ 453*eda14cbcSMatt Macy ret = dsl_pool_hold(dsname, FTAG, &dp); 454*eda14cbcSMatt Macy if (ret != 0) 455*eda14cbcSMatt Macy goto out; 456*eda14cbcSMatt Macy 457*eda14cbcSMatt Macy ret = dsl_dir_hold(dp, dsname, FTAG, &dd, NULL); 458*eda14cbcSMatt Macy if (ret != 0) { 459*eda14cbcSMatt Macy dd = NULL; 460*eda14cbcSMatt Macy goto out; 461*eda14cbcSMatt Macy } 462*eda14cbcSMatt Macy 463*eda14cbcSMatt Macy /* if dd is not encrypted, the value may only be "none" */ 464*eda14cbcSMatt Macy if (dd->dd_crypto_obj == 0) { 465*eda14cbcSMatt Macy if (strcmp(keylocation, "none") != 0) { 466*eda14cbcSMatt Macy ret = SET_ERROR(EACCES); 467*eda14cbcSMatt Macy goto out; 468*eda14cbcSMatt Macy } 469*eda14cbcSMatt Macy 470*eda14cbcSMatt Macy ret = 0; 471*eda14cbcSMatt Macy goto out; 472*eda14cbcSMatt Macy } 473*eda14cbcSMatt Macy 474*eda14cbcSMatt Macy /* check for a valid keylocation for encrypted datasets */ 475*eda14cbcSMatt Macy if (!zfs_prop_valid_keylocation(keylocation, B_TRUE)) { 476*eda14cbcSMatt Macy ret = SET_ERROR(EINVAL); 477*eda14cbcSMatt Macy goto out; 478*eda14cbcSMatt Macy } 479*eda14cbcSMatt Macy 480*eda14cbcSMatt Macy /* check that this is an encryption root */ 481*eda14cbcSMatt Macy ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj); 482*eda14cbcSMatt Macy if (ret != 0) 483*eda14cbcSMatt Macy goto out; 484*eda14cbcSMatt Macy 485*eda14cbcSMatt Macy if (rddobj != dd->dd_object) { 486*eda14cbcSMatt Macy ret = SET_ERROR(EACCES); 487*eda14cbcSMatt Macy goto out; 488*eda14cbcSMatt Macy } 489*eda14cbcSMatt Macy 490*eda14cbcSMatt Macy dsl_dir_rele(dd, FTAG); 491*eda14cbcSMatt Macy dsl_pool_rele(dp, FTAG); 492*eda14cbcSMatt Macy 493*eda14cbcSMatt Macy return (0); 494*eda14cbcSMatt Macy 495*eda14cbcSMatt Macy out: 496*eda14cbcSMatt Macy if (dd != NULL) 497*eda14cbcSMatt Macy dsl_dir_rele(dd, FTAG); 498*eda14cbcSMatt Macy if (dp != NULL) 499*eda14cbcSMatt Macy dsl_pool_rele(dp, FTAG); 500*eda14cbcSMatt Macy 501*eda14cbcSMatt Macy return (ret); 502*eda14cbcSMatt Macy } 503*eda14cbcSMatt Macy 504*eda14cbcSMatt Macy static void 505*eda14cbcSMatt Macy dsl_crypto_key_free(dsl_crypto_key_t *dck) 506*eda14cbcSMatt Macy { 507*eda14cbcSMatt Macy ASSERT(zfs_refcount_count(&dck->dck_holds) == 0); 508*eda14cbcSMatt Macy 509*eda14cbcSMatt Macy /* destroy the zio_crypt_key_t */ 510*eda14cbcSMatt Macy zio_crypt_key_destroy(&dck->dck_key); 511*eda14cbcSMatt Macy 512*eda14cbcSMatt Macy /* free the refcount, wrapping key, and lock */ 513*eda14cbcSMatt Macy zfs_refcount_destroy(&dck->dck_holds); 514*eda14cbcSMatt Macy if (dck->dck_wkey) 515*eda14cbcSMatt Macy dsl_wrapping_key_rele(dck->dck_wkey, dck); 516*eda14cbcSMatt Macy 517*eda14cbcSMatt Macy /* free the key */ 518*eda14cbcSMatt Macy kmem_free(dck, sizeof (dsl_crypto_key_t)); 519*eda14cbcSMatt Macy } 520*eda14cbcSMatt Macy 521*eda14cbcSMatt Macy static void 522*eda14cbcSMatt Macy dsl_crypto_key_rele(dsl_crypto_key_t *dck, void *tag) 523*eda14cbcSMatt Macy { 524*eda14cbcSMatt Macy if (zfs_refcount_remove(&dck->dck_holds, tag) == 0) 525*eda14cbcSMatt Macy dsl_crypto_key_free(dck); 526*eda14cbcSMatt Macy } 527*eda14cbcSMatt Macy 528*eda14cbcSMatt Macy static int 529*eda14cbcSMatt Macy dsl_crypto_key_open(objset_t *mos, dsl_wrapping_key_t *wkey, 530*eda14cbcSMatt Macy uint64_t dckobj, void *tag, dsl_crypto_key_t **dck_out) 531*eda14cbcSMatt Macy { 532*eda14cbcSMatt Macy int ret; 533*eda14cbcSMatt Macy uint64_t crypt = 0, guid = 0, version = 0; 534*eda14cbcSMatt Macy uint8_t raw_keydata[MASTER_KEY_MAX_LEN]; 535*eda14cbcSMatt Macy uint8_t raw_hmac_keydata[SHA512_HMAC_KEYLEN]; 536*eda14cbcSMatt Macy uint8_t iv[WRAPPING_IV_LEN]; 537*eda14cbcSMatt Macy uint8_t mac[WRAPPING_MAC_LEN]; 538*eda14cbcSMatt Macy dsl_crypto_key_t *dck; 539*eda14cbcSMatt Macy 540*eda14cbcSMatt Macy /* allocate and initialize the key */ 541*eda14cbcSMatt Macy dck = kmem_zalloc(sizeof (dsl_crypto_key_t), KM_SLEEP); 542*eda14cbcSMatt Macy 543*eda14cbcSMatt Macy /* fetch all of the values we need from the ZAP */ 544*eda14cbcSMatt Macy ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, 545*eda14cbcSMatt Macy &crypt); 546*eda14cbcSMatt Macy if (ret != 0) 547*eda14cbcSMatt Macy goto error; 548*eda14cbcSMatt Macy 549*eda14cbcSMatt Macy ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_GUID, 8, 1, &guid); 550*eda14cbcSMatt Macy if (ret != 0) 551*eda14cbcSMatt Macy goto error; 552*eda14cbcSMatt Macy 553*eda14cbcSMatt Macy ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MASTER_KEY, 1, 554*eda14cbcSMatt Macy MASTER_KEY_MAX_LEN, raw_keydata); 555*eda14cbcSMatt Macy if (ret != 0) 556*eda14cbcSMatt Macy goto error; 557*eda14cbcSMatt Macy 558*eda14cbcSMatt Macy ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_HMAC_KEY, 1, 559*eda14cbcSMatt Macy SHA512_HMAC_KEYLEN, raw_hmac_keydata); 560*eda14cbcSMatt Macy if (ret != 0) 561*eda14cbcSMatt Macy goto error; 562*eda14cbcSMatt Macy 563*eda14cbcSMatt Macy ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_IV, 1, WRAPPING_IV_LEN, 564*eda14cbcSMatt Macy iv); 565*eda14cbcSMatt Macy if (ret != 0) 566*eda14cbcSMatt Macy goto error; 567*eda14cbcSMatt Macy 568*eda14cbcSMatt Macy ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MAC, 1, WRAPPING_MAC_LEN, 569*eda14cbcSMatt Macy mac); 570*eda14cbcSMatt Macy if (ret != 0) 571*eda14cbcSMatt Macy goto error; 572*eda14cbcSMatt Macy 573*eda14cbcSMatt Macy /* the initial on-disk format for encryption did not have a version */ 574*eda14cbcSMatt Macy (void) zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_VERSION, 8, 1, &version); 575*eda14cbcSMatt Macy 576*eda14cbcSMatt Macy /* 577*eda14cbcSMatt Macy * Unwrap the keys. If there is an error return EACCES to indicate 578*eda14cbcSMatt Macy * an authentication failure. 579*eda14cbcSMatt Macy */ 580*eda14cbcSMatt Macy ret = zio_crypt_key_unwrap(&wkey->wk_key, crypt, version, guid, 581*eda14cbcSMatt Macy raw_keydata, raw_hmac_keydata, iv, mac, &dck->dck_key); 582*eda14cbcSMatt Macy if (ret != 0) { 583*eda14cbcSMatt Macy ret = SET_ERROR(EACCES); 584*eda14cbcSMatt Macy goto error; 585*eda14cbcSMatt Macy } 586*eda14cbcSMatt Macy 587*eda14cbcSMatt Macy /* finish initializing the dsl_crypto_key_t */ 588*eda14cbcSMatt Macy zfs_refcount_create(&dck->dck_holds); 589*eda14cbcSMatt Macy dsl_wrapping_key_hold(wkey, dck); 590*eda14cbcSMatt Macy dck->dck_wkey = wkey; 591*eda14cbcSMatt Macy dck->dck_obj = dckobj; 592*eda14cbcSMatt Macy zfs_refcount_add(&dck->dck_holds, tag); 593*eda14cbcSMatt Macy 594*eda14cbcSMatt Macy *dck_out = dck; 595*eda14cbcSMatt Macy return (0); 596*eda14cbcSMatt Macy 597*eda14cbcSMatt Macy error: 598*eda14cbcSMatt Macy if (dck != NULL) { 599*eda14cbcSMatt Macy bzero(dck, sizeof (dsl_crypto_key_t)); 600*eda14cbcSMatt Macy kmem_free(dck, sizeof (dsl_crypto_key_t)); 601*eda14cbcSMatt Macy } 602*eda14cbcSMatt Macy 603*eda14cbcSMatt Macy *dck_out = NULL; 604*eda14cbcSMatt Macy return (ret); 605*eda14cbcSMatt Macy } 606*eda14cbcSMatt Macy 607*eda14cbcSMatt Macy static int 608*eda14cbcSMatt Macy spa_keystore_dsl_key_hold_impl(spa_t *spa, uint64_t dckobj, void *tag, 609*eda14cbcSMatt Macy dsl_crypto_key_t **dck_out) 610*eda14cbcSMatt Macy { 611*eda14cbcSMatt Macy int ret; 612*eda14cbcSMatt Macy dsl_crypto_key_t search_dck; 613*eda14cbcSMatt Macy dsl_crypto_key_t *found_dck; 614*eda14cbcSMatt Macy 615*eda14cbcSMatt Macy ASSERT(RW_LOCK_HELD(&spa->spa_keystore.sk_dk_lock)); 616*eda14cbcSMatt Macy 617*eda14cbcSMatt Macy /* init the search key */ 618*eda14cbcSMatt Macy search_dck.dck_obj = dckobj; 619*eda14cbcSMatt Macy 620*eda14cbcSMatt Macy /* find the matching key in the keystore */ 621*eda14cbcSMatt Macy found_dck = avl_find(&spa->spa_keystore.sk_dsl_keys, &search_dck, NULL); 622*eda14cbcSMatt Macy if (!found_dck) { 623*eda14cbcSMatt Macy ret = SET_ERROR(ENOENT); 624*eda14cbcSMatt Macy goto error; 625*eda14cbcSMatt Macy } 626*eda14cbcSMatt Macy 627*eda14cbcSMatt Macy /* increment the refcount */ 628*eda14cbcSMatt Macy zfs_refcount_add(&found_dck->dck_holds, tag); 629*eda14cbcSMatt Macy 630*eda14cbcSMatt Macy *dck_out = found_dck; 631*eda14cbcSMatt Macy return (0); 632*eda14cbcSMatt Macy 633*eda14cbcSMatt Macy error: 634*eda14cbcSMatt Macy *dck_out = NULL; 635*eda14cbcSMatt Macy return (ret); 636*eda14cbcSMatt Macy } 637*eda14cbcSMatt Macy 638*eda14cbcSMatt Macy static int 639*eda14cbcSMatt Macy spa_keystore_dsl_key_hold_dd(spa_t *spa, dsl_dir_t *dd, void *tag, 640*eda14cbcSMatt Macy dsl_crypto_key_t **dck_out) 641*eda14cbcSMatt Macy { 642*eda14cbcSMatt Macy int ret; 643*eda14cbcSMatt Macy avl_index_t where; 644*eda14cbcSMatt Macy dsl_crypto_key_t *dck_io = NULL, *dck_ks = NULL; 645*eda14cbcSMatt Macy dsl_wrapping_key_t *wkey = NULL; 646*eda14cbcSMatt Macy uint64_t dckobj = dd->dd_crypto_obj; 647*eda14cbcSMatt Macy 648*eda14cbcSMatt Macy /* Lookup the key in the tree of currently loaded keys */ 649*eda14cbcSMatt Macy rw_enter(&spa->spa_keystore.sk_dk_lock, RW_READER); 650*eda14cbcSMatt Macy ret = spa_keystore_dsl_key_hold_impl(spa, dckobj, tag, &dck_ks); 651*eda14cbcSMatt Macy rw_exit(&spa->spa_keystore.sk_dk_lock); 652*eda14cbcSMatt Macy if (ret == 0) { 653*eda14cbcSMatt Macy *dck_out = dck_ks; 654*eda14cbcSMatt Macy return (0); 655*eda14cbcSMatt Macy } 656*eda14cbcSMatt Macy 657*eda14cbcSMatt Macy /* Lookup the wrapping key from the keystore */ 658*eda14cbcSMatt Macy ret = spa_keystore_wkey_hold_dd(spa, dd, FTAG, &wkey); 659*eda14cbcSMatt Macy if (ret != 0) { 660*eda14cbcSMatt Macy *dck_out = NULL; 661*eda14cbcSMatt Macy return (SET_ERROR(EACCES)); 662*eda14cbcSMatt Macy } 663*eda14cbcSMatt Macy 664*eda14cbcSMatt Macy /* Read the key from disk */ 665*eda14cbcSMatt Macy ret = dsl_crypto_key_open(spa->spa_meta_objset, wkey, dckobj, 666*eda14cbcSMatt Macy tag, &dck_io); 667*eda14cbcSMatt Macy if (ret != 0) { 668*eda14cbcSMatt Macy dsl_wrapping_key_rele(wkey, FTAG); 669*eda14cbcSMatt Macy *dck_out = NULL; 670*eda14cbcSMatt Macy return (ret); 671*eda14cbcSMatt Macy } 672*eda14cbcSMatt Macy 673*eda14cbcSMatt Macy /* 674*eda14cbcSMatt Macy * Add the key to the keystore. It may already exist if it was 675*eda14cbcSMatt Macy * added while performing the read from disk. In this case discard 676*eda14cbcSMatt Macy * it and return the key from the keystore. 677*eda14cbcSMatt Macy */ 678*eda14cbcSMatt Macy rw_enter(&spa->spa_keystore.sk_dk_lock, RW_WRITER); 679*eda14cbcSMatt Macy ret = spa_keystore_dsl_key_hold_impl(spa, dckobj, tag, &dck_ks); 680*eda14cbcSMatt Macy if (ret != 0) { 681*eda14cbcSMatt Macy avl_find(&spa->spa_keystore.sk_dsl_keys, dck_io, &where); 682*eda14cbcSMatt Macy avl_insert(&spa->spa_keystore.sk_dsl_keys, dck_io, where); 683*eda14cbcSMatt Macy *dck_out = dck_io; 684*eda14cbcSMatt Macy } else { 685*eda14cbcSMatt Macy dsl_crypto_key_free(dck_io); 686*eda14cbcSMatt Macy *dck_out = dck_ks; 687*eda14cbcSMatt Macy } 688*eda14cbcSMatt Macy 689*eda14cbcSMatt Macy /* Release the wrapping key (the dsl key now has a reference to it) */ 690*eda14cbcSMatt Macy dsl_wrapping_key_rele(wkey, FTAG); 691*eda14cbcSMatt Macy rw_exit(&spa->spa_keystore.sk_dk_lock); 692*eda14cbcSMatt Macy 693*eda14cbcSMatt Macy return (0); 694*eda14cbcSMatt Macy } 695*eda14cbcSMatt Macy 696*eda14cbcSMatt Macy void 697*eda14cbcSMatt Macy spa_keystore_dsl_key_rele(spa_t *spa, dsl_crypto_key_t *dck, void *tag) 698*eda14cbcSMatt Macy { 699*eda14cbcSMatt Macy rw_enter(&spa->spa_keystore.sk_dk_lock, RW_WRITER); 700*eda14cbcSMatt Macy 701*eda14cbcSMatt Macy if (zfs_refcount_remove(&dck->dck_holds, tag) == 0) { 702*eda14cbcSMatt Macy avl_remove(&spa->spa_keystore.sk_dsl_keys, dck); 703*eda14cbcSMatt Macy dsl_crypto_key_free(dck); 704*eda14cbcSMatt Macy } 705*eda14cbcSMatt Macy 706*eda14cbcSMatt Macy rw_exit(&spa->spa_keystore.sk_dk_lock); 707*eda14cbcSMatt Macy } 708*eda14cbcSMatt Macy 709*eda14cbcSMatt Macy int 710*eda14cbcSMatt Macy spa_keystore_load_wkey_impl(spa_t *spa, dsl_wrapping_key_t *wkey) 711*eda14cbcSMatt Macy { 712*eda14cbcSMatt Macy int ret; 713*eda14cbcSMatt Macy avl_index_t where; 714*eda14cbcSMatt Macy dsl_wrapping_key_t *found_wkey; 715*eda14cbcSMatt Macy 716*eda14cbcSMatt Macy rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 717*eda14cbcSMatt Macy 718*eda14cbcSMatt Macy /* insert the wrapping key into the keystore */ 719*eda14cbcSMatt Macy found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, wkey, &where); 720*eda14cbcSMatt Macy if (found_wkey != NULL) { 721*eda14cbcSMatt Macy ret = SET_ERROR(EEXIST); 722*eda14cbcSMatt Macy goto error_unlock; 723*eda14cbcSMatt Macy } 724*eda14cbcSMatt Macy avl_insert(&spa->spa_keystore.sk_wkeys, wkey, where); 725*eda14cbcSMatt Macy 726*eda14cbcSMatt Macy rw_exit(&spa->spa_keystore.sk_wkeys_lock); 727*eda14cbcSMatt Macy 728*eda14cbcSMatt Macy return (0); 729*eda14cbcSMatt Macy 730*eda14cbcSMatt Macy error_unlock: 731*eda14cbcSMatt Macy rw_exit(&spa->spa_keystore.sk_wkeys_lock); 732*eda14cbcSMatt Macy return (ret); 733*eda14cbcSMatt Macy } 734*eda14cbcSMatt Macy 735*eda14cbcSMatt Macy int 736*eda14cbcSMatt Macy spa_keystore_load_wkey(const char *dsname, dsl_crypto_params_t *dcp, 737*eda14cbcSMatt Macy boolean_t noop) 738*eda14cbcSMatt Macy { 739*eda14cbcSMatt Macy int ret; 740*eda14cbcSMatt Macy dsl_dir_t *dd = NULL; 741*eda14cbcSMatt Macy dsl_crypto_key_t *dck = NULL; 742*eda14cbcSMatt Macy dsl_wrapping_key_t *wkey = dcp->cp_wkey; 743*eda14cbcSMatt Macy dsl_pool_t *dp = NULL; 744*eda14cbcSMatt Macy uint64_t rddobj, keyformat, salt, iters; 745*eda14cbcSMatt Macy 746*eda14cbcSMatt Macy /* 747*eda14cbcSMatt Macy * We don't validate the wrapping key's keyformat, salt, or iters 748*eda14cbcSMatt Macy * since they will never be needed after the DCK has been wrapped. 749*eda14cbcSMatt Macy */ 750*eda14cbcSMatt Macy if (dcp->cp_wkey == NULL || 751*eda14cbcSMatt Macy dcp->cp_cmd != DCP_CMD_NONE || 752*eda14cbcSMatt Macy dcp->cp_crypt != ZIO_CRYPT_INHERIT || 753*eda14cbcSMatt Macy dcp->cp_keylocation != NULL) 754*eda14cbcSMatt Macy return (SET_ERROR(EINVAL)); 755*eda14cbcSMatt Macy 756*eda14cbcSMatt Macy ret = dsl_pool_hold(dsname, FTAG, &dp); 757*eda14cbcSMatt Macy if (ret != 0) 758*eda14cbcSMatt Macy goto error; 759*eda14cbcSMatt Macy 760*eda14cbcSMatt Macy if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_ENCRYPTION)) { 761*eda14cbcSMatt Macy ret = SET_ERROR(ENOTSUP); 762*eda14cbcSMatt Macy goto error; 763*eda14cbcSMatt Macy } 764*eda14cbcSMatt Macy 765*eda14cbcSMatt Macy /* hold the dsl dir */ 766*eda14cbcSMatt Macy ret = dsl_dir_hold(dp, dsname, FTAG, &dd, NULL); 767*eda14cbcSMatt Macy if (ret != 0) { 768*eda14cbcSMatt Macy dd = NULL; 769*eda14cbcSMatt Macy goto error; 770*eda14cbcSMatt Macy } 771*eda14cbcSMatt Macy 772*eda14cbcSMatt Macy /* confirm that dd is the encryption root */ 773*eda14cbcSMatt Macy ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj); 774*eda14cbcSMatt Macy if (ret != 0 || rddobj != dd->dd_object) { 775*eda14cbcSMatt Macy ret = SET_ERROR(EINVAL); 776*eda14cbcSMatt Macy goto error; 777*eda14cbcSMatt Macy } 778*eda14cbcSMatt Macy 779*eda14cbcSMatt Macy /* initialize the wkey's ddobj */ 780*eda14cbcSMatt Macy wkey->wk_ddobj = dd->dd_object; 781*eda14cbcSMatt Macy 782*eda14cbcSMatt Macy /* verify that the wkey is correct by opening its dsl key */ 783*eda14cbcSMatt Macy ret = dsl_crypto_key_open(dp->dp_meta_objset, wkey, 784*eda14cbcSMatt Macy dd->dd_crypto_obj, FTAG, &dck); 785*eda14cbcSMatt Macy if (ret != 0) 786*eda14cbcSMatt Macy goto error; 787*eda14cbcSMatt Macy 788*eda14cbcSMatt Macy /* initialize the wkey encryption parameters from the DSL Crypto Key */ 789*eda14cbcSMatt Macy ret = zap_lookup(dp->dp_meta_objset, dd->dd_crypto_obj, 790*eda14cbcSMatt Macy zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 8, 1, &keyformat); 791*eda14cbcSMatt Macy if (ret != 0) 792*eda14cbcSMatt Macy goto error; 793*eda14cbcSMatt Macy 794*eda14cbcSMatt Macy ret = zap_lookup(dp->dp_meta_objset, dd->dd_crypto_obj, 795*eda14cbcSMatt Macy zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 8, 1, &salt); 796*eda14cbcSMatt Macy if (ret != 0) 797*eda14cbcSMatt Macy goto error; 798*eda14cbcSMatt Macy 799*eda14cbcSMatt Macy ret = zap_lookup(dp->dp_meta_objset, dd->dd_crypto_obj, 800*eda14cbcSMatt Macy zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 8, 1, &iters); 801*eda14cbcSMatt Macy if (ret != 0) 802*eda14cbcSMatt Macy goto error; 803*eda14cbcSMatt Macy 804*eda14cbcSMatt Macy ASSERT3U(keyformat, <, ZFS_KEYFORMAT_FORMATS); 805*eda14cbcSMatt Macy ASSERT3U(keyformat, !=, ZFS_KEYFORMAT_NONE); 806*eda14cbcSMatt Macy IMPLY(keyformat == ZFS_KEYFORMAT_PASSPHRASE, iters != 0); 807*eda14cbcSMatt Macy IMPLY(keyformat == ZFS_KEYFORMAT_PASSPHRASE, salt != 0); 808*eda14cbcSMatt Macy IMPLY(keyformat != ZFS_KEYFORMAT_PASSPHRASE, iters == 0); 809*eda14cbcSMatt Macy IMPLY(keyformat != ZFS_KEYFORMAT_PASSPHRASE, salt == 0); 810*eda14cbcSMatt Macy 811*eda14cbcSMatt Macy wkey->wk_keyformat = keyformat; 812*eda14cbcSMatt Macy wkey->wk_salt = salt; 813*eda14cbcSMatt Macy wkey->wk_iters = iters; 814*eda14cbcSMatt Macy 815*eda14cbcSMatt Macy /* 816*eda14cbcSMatt Macy * At this point we have verified the wkey and confirmed that it can 817*eda14cbcSMatt Macy * be used to decrypt a DSL Crypto Key. We can simply cleanup and 818*eda14cbcSMatt Macy * return if this is all the user wanted to do. 819*eda14cbcSMatt Macy */ 820*eda14cbcSMatt Macy if (noop) 821*eda14cbcSMatt Macy goto error; 822*eda14cbcSMatt Macy 823*eda14cbcSMatt Macy /* insert the wrapping key into the keystore */ 824*eda14cbcSMatt Macy ret = spa_keystore_load_wkey_impl(dp->dp_spa, wkey); 825*eda14cbcSMatt Macy if (ret != 0) 826*eda14cbcSMatt Macy goto error; 827*eda14cbcSMatt Macy 828*eda14cbcSMatt Macy dsl_crypto_key_rele(dck, FTAG); 829*eda14cbcSMatt Macy dsl_dir_rele(dd, FTAG); 830*eda14cbcSMatt Macy dsl_pool_rele(dp, FTAG); 831*eda14cbcSMatt Macy 832*eda14cbcSMatt Macy /* create any zvols under this ds */ 833*eda14cbcSMatt Macy zvol_create_minors_recursive(dsname); 834*eda14cbcSMatt Macy 835*eda14cbcSMatt Macy return (0); 836*eda14cbcSMatt Macy 837*eda14cbcSMatt Macy error: 838*eda14cbcSMatt Macy if (dck != NULL) 839*eda14cbcSMatt Macy dsl_crypto_key_rele(dck, FTAG); 840*eda14cbcSMatt Macy if (dd != NULL) 841*eda14cbcSMatt Macy dsl_dir_rele(dd, FTAG); 842*eda14cbcSMatt Macy if (dp != NULL) 843*eda14cbcSMatt Macy dsl_pool_rele(dp, FTAG); 844*eda14cbcSMatt Macy 845*eda14cbcSMatt Macy return (ret); 846*eda14cbcSMatt Macy } 847*eda14cbcSMatt Macy 848*eda14cbcSMatt Macy int 849*eda14cbcSMatt Macy spa_keystore_unload_wkey_impl(spa_t *spa, uint64_t ddobj) 850*eda14cbcSMatt Macy { 851*eda14cbcSMatt Macy int ret; 852*eda14cbcSMatt Macy dsl_wrapping_key_t search_wkey; 853*eda14cbcSMatt Macy dsl_wrapping_key_t *found_wkey; 854*eda14cbcSMatt Macy 855*eda14cbcSMatt Macy /* init the search wrapping key */ 856*eda14cbcSMatt Macy search_wkey.wk_ddobj = ddobj; 857*eda14cbcSMatt Macy 858*eda14cbcSMatt Macy rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 859*eda14cbcSMatt Macy 860*eda14cbcSMatt Macy /* remove the wrapping key from the keystore */ 861*eda14cbcSMatt Macy found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, 862*eda14cbcSMatt Macy &search_wkey, NULL); 863*eda14cbcSMatt Macy if (!found_wkey) { 864*eda14cbcSMatt Macy ret = SET_ERROR(EACCES); 865*eda14cbcSMatt Macy goto error_unlock; 866*eda14cbcSMatt Macy } else if (zfs_refcount_count(&found_wkey->wk_refcnt) != 0) { 867*eda14cbcSMatt Macy ret = SET_ERROR(EBUSY); 868*eda14cbcSMatt Macy goto error_unlock; 869*eda14cbcSMatt Macy } 870*eda14cbcSMatt Macy avl_remove(&spa->spa_keystore.sk_wkeys, found_wkey); 871*eda14cbcSMatt Macy 872*eda14cbcSMatt Macy rw_exit(&spa->spa_keystore.sk_wkeys_lock); 873*eda14cbcSMatt Macy 874*eda14cbcSMatt Macy /* free the wrapping key */ 875*eda14cbcSMatt Macy dsl_wrapping_key_free(found_wkey); 876*eda14cbcSMatt Macy 877*eda14cbcSMatt Macy return (0); 878*eda14cbcSMatt Macy 879*eda14cbcSMatt Macy error_unlock: 880*eda14cbcSMatt Macy rw_exit(&spa->spa_keystore.sk_wkeys_lock); 881*eda14cbcSMatt Macy return (ret); 882*eda14cbcSMatt Macy } 883*eda14cbcSMatt Macy 884*eda14cbcSMatt Macy int 885*eda14cbcSMatt Macy spa_keystore_unload_wkey(const char *dsname) 886*eda14cbcSMatt Macy { 887*eda14cbcSMatt Macy int ret = 0; 888*eda14cbcSMatt Macy dsl_dir_t *dd = NULL; 889*eda14cbcSMatt Macy dsl_pool_t *dp = NULL; 890*eda14cbcSMatt Macy spa_t *spa = NULL; 891*eda14cbcSMatt Macy 892*eda14cbcSMatt Macy ret = spa_open(dsname, &spa, FTAG); 893*eda14cbcSMatt Macy if (ret != 0) 894*eda14cbcSMatt Macy return (ret); 895*eda14cbcSMatt Macy 896*eda14cbcSMatt Macy /* 897*eda14cbcSMatt Macy * Wait for any outstanding txg IO to complete, releasing any 898*eda14cbcSMatt Macy * remaining references on the wkey. 899*eda14cbcSMatt Macy */ 900*eda14cbcSMatt Macy if (spa_mode(spa) != SPA_MODE_READ) 901*eda14cbcSMatt Macy txg_wait_synced(spa->spa_dsl_pool, 0); 902*eda14cbcSMatt Macy 903*eda14cbcSMatt Macy spa_close(spa, FTAG); 904*eda14cbcSMatt Macy 905*eda14cbcSMatt Macy /* hold the dsl dir */ 906*eda14cbcSMatt Macy ret = dsl_pool_hold(dsname, FTAG, &dp); 907*eda14cbcSMatt Macy if (ret != 0) 908*eda14cbcSMatt Macy goto error; 909*eda14cbcSMatt Macy 910*eda14cbcSMatt Macy if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_ENCRYPTION)) { 911*eda14cbcSMatt Macy ret = (SET_ERROR(ENOTSUP)); 912*eda14cbcSMatt Macy goto error; 913*eda14cbcSMatt Macy } 914*eda14cbcSMatt Macy 915*eda14cbcSMatt Macy ret = dsl_dir_hold(dp, dsname, FTAG, &dd, NULL); 916*eda14cbcSMatt Macy if (ret != 0) { 917*eda14cbcSMatt Macy dd = NULL; 918*eda14cbcSMatt Macy goto error; 919*eda14cbcSMatt Macy } 920*eda14cbcSMatt Macy 921*eda14cbcSMatt Macy /* unload the wkey */ 922*eda14cbcSMatt Macy ret = spa_keystore_unload_wkey_impl(dp->dp_spa, dd->dd_object); 923*eda14cbcSMatt Macy if (ret != 0) 924*eda14cbcSMatt Macy goto error; 925*eda14cbcSMatt Macy 926*eda14cbcSMatt Macy dsl_dir_rele(dd, FTAG); 927*eda14cbcSMatt Macy dsl_pool_rele(dp, FTAG); 928*eda14cbcSMatt Macy 929*eda14cbcSMatt Macy /* remove any zvols under this ds */ 930*eda14cbcSMatt Macy zvol_remove_minors(dp->dp_spa, dsname, B_TRUE); 931*eda14cbcSMatt Macy 932*eda14cbcSMatt Macy return (0); 933*eda14cbcSMatt Macy 934*eda14cbcSMatt Macy error: 935*eda14cbcSMatt Macy if (dd != NULL) 936*eda14cbcSMatt Macy dsl_dir_rele(dd, FTAG); 937*eda14cbcSMatt Macy if (dp != NULL) 938*eda14cbcSMatt Macy dsl_pool_rele(dp, FTAG); 939*eda14cbcSMatt Macy 940*eda14cbcSMatt Macy return (ret); 941*eda14cbcSMatt Macy } 942*eda14cbcSMatt Macy 943*eda14cbcSMatt Macy void 944*eda14cbcSMatt Macy key_mapping_add_ref(dsl_key_mapping_t *km, void *tag) 945*eda14cbcSMatt Macy { 946*eda14cbcSMatt Macy ASSERT3U(zfs_refcount_count(&km->km_refcnt), >=, 1); 947*eda14cbcSMatt Macy zfs_refcount_add(&km->km_refcnt, tag); 948*eda14cbcSMatt Macy } 949*eda14cbcSMatt Macy 950*eda14cbcSMatt Macy /* 951*eda14cbcSMatt Macy * The locking here is a little tricky to ensure we don't cause unnecessary 952*eda14cbcSMatt Macy * performance problems. We want to release a key mapping whenever someone 953*eda14cbcSMatt Macy * decrements the refcount to 0, but freeing the mapping requires removing 954*eda14cbcSMatt Macy * it from the spa_keystore, which requires holding sk_km_lock as a writer. 955*eda14cbcSMatt Macy * Most of the time we don't want to hold this lock as a writer, since the 956*eda14cbcSMatt Macy * same lock is held as a reader for each IO that needs to encrypt / decrypt 957*eda14cbcSMatt Macy * data for any dataset and in practice we will only actually free the 958*eda14cbcSMatt Macy * mapping after unmounting a dataset. 959*eda14cbcSMatt Macy */ 960*eda14cbcSMatt Macy void 961*eda14cbcSMatt Macy key_mapping_rele(spa_t *spa, dsl_key_mapping_t *km, void *tag) 962*eda14cbcSMatt Macy { 963*eda14cbcSMatt Macy ASSERT3U(zfs_refcount_count(&km->km_refcnt), >=, 1); 964*eda14cbcSMatt Macy 965*eda14cbcSMatt Macy if (zfs_refcount_remove(&km->km_refcnt, tag) != 0) 966*eda14cbcSMatt Macy return; 967*eda14cbcSMatt Macy 968*eda14cbcSMatt Macy /* 969*eda14cbcSMatt Macy * We think we are going to need to free the mapping. Add a 970*eda14cbcSMatt Macy * reference to prevent most other releasers from thinking 971*eda14cbcSMatt Macy * this might be their responsibility. This is inherently 972*eda14cbcSMatt Macy * racy, so we will confirm that we are legitimately the 973*eda14cbcSMatt Macy * last holder once we have the sk_km_lock as a writer. 974*eda14cbcSMatt Macy */ 975*eda14cbcSMatt Macy zfs_refcount_add(&km->km_refcnt, FTAG); 976*eda14cbcSMatt Macy 977*eda14cbcSMatt Macy rw_enter(&spa->spa_keystore.sk_km_lock, RW_WRITER); 978*eda14cbcSMatt Macy if (zfs_refcount_remove(&km->km_refcnt, FTAG) != 0) { 979*eda14cbcSMatt Macy rw_exit(&spa->spa_keystore.sk_km_lock); 980*eda14cbcSMatt Macy return; 981*eda14cbcSMatt Macy } 982*eda14cbcSMatt Macy 983*eda14cbcSMatt Macy avl_remove(&spa->spa_keystore.sk_key_mappings, km); 984*eda14cbcSMatt Macy rw_exit(&spa->spa_keystore.sk_km_lock); 985*eda14cbcSMatt Macy 986*eda14cbcSMatt Macy spa_keystore_dsl_key_rele(spa, km->km_key, km); 987*eda14cbcSMatt Macy zfs_refcount_destroy(&km->km_refcnt); 988*eda14cbcSMatt Macy kmem_free(km, sizeof (dsl_key_mapping_t)); 989*eda14cbcSMatt Macy } 990*eda14cbcSMatt Macy 991*eda14cbcSMatt Macy int 992*eda14cbcSMatt Macy spa_keystore_create_mapping(spa_t *spa, dsl_dataset_t *ds, void *tag, 993*eda14cbcSMatt Macy dsl_key_mapping_t **km_out) 994*eda14cbcSMatt Macy { 995*eda14cbcSMatt Macy int ret; 996*eda14cbcSMatt Macy avl_index_t where; 997*eda14cbcSMatt Macy dsl_key_mapping_t *km, *found_km; 998*eda14cbcSMatt Macy boolean_t should_free = B_FALSE; 999*eda14cbcSMatt Macy 1000*eda14cbcSMatt Macy /* Allocate and initialize the mapping */ 1001*eda14cbcSMatt Macy km = kmem_zalloc(sizeof (dsl_key_mapping_t), KM_SLEEP); 1002*eda14cbcSMatt Macy zfs_refcount_create(&km->km_refcnt); 1003*eda14cbcSMatt Macy 1004*eda14cbcSMatt Macy ret = spa_keystore_dsl_key_hold_dd(spa, ds->ds_dir, km, &km->km_key); 1005*eda14cbcSMatt Macy if (ret != 0) { 1006*eda14cbcSMatt Macy zfs_refcount_destroy(&km->km_refcnt); 1007*eda14cbcSMatt Macy kmem_free(km, sizeof (dsl_key_mapping_t)); 1008*eda14cbcSMatt Macy 1009*eda14cbcSMatt Macy if (km_out != NULL) 1010*eda14cbcSMatt Macy *km_out = NULL; 1011*eda14cbcSMatt Macy return (ret); 1012*eda14cbcSMatt Macy } 1013*eda14cbcSMatt Macy 1014*eda14cbcSMatt Macy km->km_dsobj = ds->ds_object; 1015*eda14cbcSMatt Macy 1016*eda14cbcSMatt Macy rw_enter(&spa->spa_keystore.sk_km_lock, RW_WRITER); 1017*eda14cbcSMatt Macy 1018*eda14cbcSMatt Macy /* 1019*eda14cbcSMatt Macy * If a mapping already exists, simply increment its refcount and 1020*eda14cbcSMatt Macy * cleanup the one we made. We want to allocate / free outside of 1021*eda14cbcSMatt Macy * the lock because this lock is also used by the zio layer to lookup 1022*eda14cbcSMatt Macy * key mappings. Otherwise, use the one we created. Normally, there will 1023*eda14cbcSMatt Macy * only be one active reference at a time (the objset owner), but there 1024*eda14cbcSMatt Macy * are times when there could be multiple async users. 1025*eda14cbcSMatt Macy */ 1026*eda14cbcSMatt Macy found_km = avl_find(&spa->spa_keystore.sk_key_mappings, km, &where); 1027*eda14cbcSMatt Macy if (found_km != NULL) { 1028*eda14cbcSMatt Macy should_free = B_TRUE; 1029*eda14cbcSMatt Macy zfs_refcount_add(&found_km->km_refcnt, tag); 1030*eda14cbcSMatt Macy if (km_out != NULL) 1031*eda14cbcSMatt Macy *km_out = found_km; 1032*eda14cbcSMatt Macy } else { 1033*eda14cbcSMatt Macy zfs_refcount_add(&km->km_refcnt, tag); 1034*eda14cbcSMatt Macy avl_insert(&spa->spa_keystore.sk_key_mappings, km, where); 1035*eda14cbcSMatt Macy if (km_out != NULL) 1036*eda14cbcSMatt Macy *km_out = km; 1037*eda14cbcSMatt Macy } 1038*eda14cbcSMatt Macy 1039*eda14cbcSMatt Macy rw_exit(&spa->spa_keystore.sk_km_lock); 1040*eda14cbcSMatt Macy 1041*eda14cbcSMatt Macy if (should_free) { 1042*eda14cbcSMatt Macy spa_keystore_dsl_key_rele(spa, km->km_key, km); 1043*eda14cbcSMatt Macy zfs_refcount_destroy(&km->km_refcnt); 1044*eda14cbcSMatt Macy kmem_free(km, sizeof (dsl_key_mapping_t)); 1045*eda14cbcSMatt Macy } 1046*eda14cbcSMatt Macy 1047*eda14cbcSMatt Macy return (0); 1048*eda14cbcSMatt Macy } 1049*eda14cbcSMatt Macy 1050*eda14cbcSMatt Macy int 1051*eda14cbcSMatt Macy spa_keystore_remove_mapping(spa_t *spa, uint64_t dsobj, void *tag) 1052*eda14cbcSMatt Macy { 1053*eda14cbcSMatt Macy int ret; 1054*eda14cbcSMatt Macy dsl_key_mapping_t search_km; 1055*eda14cbcSMatt Macy dsl_key_mapping_t *found_km; 1056*eda14cbcSMatt Macy 1057*eda14cbcSMatt Macy /* init the search key mapping */ 1058*eda14cbcSMatt Macy search_km.km_dsobj = dsobj; 1059*eda14cbcSMatt Macy 1060*eda14cbcSMatt Macy rw_enter(&spa->spa_keystore.sk_km_lock, RW_READER); 1061*eda14cbcSMatt Macy 1062*eda14cbcSMatt Macy /* find the matching mapping */ 1063*eda14cbcSMatt Macy found_km = avl_find(&spa->spa_keystore.sk_key_mappings, 1064*eda14cbcSMatt Macy &search_km, NULL); 1065*eda14cbcSMatt Macy if (found_km == NULL) { 1066*eda14cbcSMatt Macy ret = SET_ERROR(ENOENT); 1067*eda14cbcSMatt Macy goto error_unlock; 1068*eda14cbcSMatt Macy } 1069*eda14cbcSMatt Macy 1070*eda14cbcSMatt Macy rw_exit(&spa->spa_keystore.sk_km_lock); 1071*eda14cbcSMatt Macy 1072*eda14cbcSMatt Macy key_mapping_rele(spa, found_km, tag); 1073*eda14cbcSMatt Macy 1074*eda14cbcSMatt Macy return (0); 1075*eda14cbcSMatt Macy 1076*eda14cbcSMatt Macy error_unlock: 1077*eda14cbcSMatt Macy rw_exit(&spa->spa_keystore.sk_km_lock); 1078*eda14cbcSMatt Macy return (ret); 1079*eda14cbcSMatt Macy } 1080*eda14cbcSMatt Macy 1081*eda14cbcSMatt Macy /* 1082*eda14cbcSMatt Macy * This function is primarily used by the zio and arc layer to lookup 1083*eda14cbcSMatt Macy * DSL Crypto Keys for encryption. Callers must release the key with 1084*eda14cbcSMatt Macy * spa_keystore_dsl_key_rele(). The function may also be called with 1085*eda14cbcSMatt Macy * dck_out == NULL and tag == NULL to simply check that a key exists 1086*eda14cbcSMatt Macy * without getting a reference to it. 1087*eda14cbcSMatt Macy */ 1088*eda14cbcSMatt Macy int 1089*eda14cbcSMatt Macy spa_keystore_lookup_key(spa_t *spa, uint64_t dsobj, void *tag, 1090*eda14cbcSMatt Macy dsl_crypto_key_t **dck_out) 1091*eda14cbcSMatt Macy { 1092*eda14cbcSMatt Macy int ret; 1093*eda14cbcSMatt Macy dsl_key_mapping_t search_km; 1094*eda14cbcSMatt Macy dsl_key_mapping_t *found_km; 1095*eda14cbcSMatt Macy 1096*eda14cbcSMatt Macy ASSERT((tag != NULL && dck_out != NULL) || 1097*eda14cbcSMatt Macy (tag == NULL && dck_out == NULL)); 1098*eda14cbcSMatt Macy 1099*eda14cbcSMatt Macy /* init the search key mapping */ 1100*eda14cbcSMatt Macy search_km.km_dsobj = dsobj; 1101*eda14cbcSMatt Macy 1102*eda14cbcSMatt Macy rw_enter(&spa->spa_keystore.sk_km_lock, RW_READER); 1103*eda14cbcSMatt Macy 1104*eda14cbcSMatt Macy /* remove the mapping from the tree */ 1105*eda14cbcSMatt Macy found_km = avl_find(&spa->spa_keystore.sk_key_mappings, &search_km, 1106*eda14cbcSMatt Macy NULL); 1107*eda14cbcSMatt Macy if (found_km == NULL) { 1108*eda14cbcSMatt Macy ret = SET_ERROR(ENOENT); 1109*eda14cbcSMatt Macy goto error_unlock; 1110*eda14cbcSMatt Macy } 1111*eda14cbcSMatt Macy 1112*eda14cbcSMatt Macy if (found_km && tag) 1113*eda14cbcSMatt Macy zfs_refcount_add(&found_km->km_key->dck_holds, tag); 1114*eda14cbcSMatt Macy 1115*eda14cbcSMatt Macy rw_exit(&spa->spa_keystore.sk_km_lock); 1116*eda14cbcSMatt Macy 1117*eda14cbcSMatt Macy if (dck_out != NULL) 1118*eda14cbcSMatt Macy *dck_out = found_km->km_key; 1119*eda14cbcSMatt Macy return (0); 1120*eda14cbcSMatt Macy 1121*eda14cbcSMatt Macy error_unlock: 1122*eda14cbcSMatt Macy rw_exit(&spa->spa_keystore.sk_km_lock); 1123*eda14cbcSMatt Macy 1124*eda14cbcSMatt Macy if (dck_out != NULL) 1125*eda14cbcSMatt Macy *dck_out = NULL; 1126*eda14cbcSMatt Macy return (ret); 1127*eda14cbcSMatt Macy } 1128*eda14cbcSMatt Macy 1129*eda14cbcSMatt Macy static int 1130*eda14cbcSMatt Macy dmu_objset_check_wkey_loaded(dsl_dir_t *dd) 1131*eda14cbcSMatt Macy { 1132*eda14cbcSMatt Macy int ret; 1133*eda14cbcSMatt Macy dsl_wrapping_key_t *wkey = NULL; 1134*eda14cbcSMatt Macy 1135*eda14cbcSMatt Macy ret = spa_keystore_wkey_hold_dd(dd->dd_pool->dp_spa, dd, FTAG, 1136*eda14cbcSMatt Macy &wkey); 1137*eda14cbcSMatt Macy if (ret != 0) 1138*eda14cbcSMatt Macy return (SET_ERROR(EACCES)); 1139*eda14cbcSMatt Macy 1140*eda14cbcSMatt Macy dsl_wrapping_key_rele(wkey, FTAG); 1141*eda14cbcSMatt Macy 1142*eda14cbcSMatt Macy return (0); 1143*eda14cbcSMatt Macy } 1144*eda14cbcSMatt Macy 1145*eda14cbcSMatt Macy static zfs_keystatus_t 1146*eda14cbcSMatt Macy dsl_dataset_get_keystatus(dsl_dir_t *dd) 1147*eda14cbcSMatt Macy { 1148*eda14cbcSMatt Macy /* check if this dd has a has a dsl key */ 1149*eda14cbcSMatt Macy if (dd->dd_crypto_obj == 0) 1150*eda14cbcSMatt Macy return (ZFS_KEYSTATUS_NONE); 1151*eda14cbcSMatt Macy 1152*eda14cbcSMatt Macy return (dmu_objset_check_wkey_loaded(dd) == 0 ? 1153*eda14cbcSMatt Macy ZFS_KEYSTATUS_AVAILABLE : ZFS_KEYSTATUS_UNAVAILABLE); 1154*eda14cbcSMatt Macy } 1155*eda14cbcSMatt Macy 1156*eda14cbcSMatt Macy static int 1157*eda14cbcSMatt Macy dsl_dir_get_crypt(dsl_dir_t *dd, uint64_t *crypt) 1158*eda14cbcSMatt Macy { 1159*eda14cbcSMatt Macy if (dd->dd_crypto_obj == 0) { 1160*eda14cbcSMatt Macy *crypt = ZIO_CRYPT_OFF; 1161*eda14cbcSMatt Macy return (0); 1162*eda14cbcSMatt Macy } 1163*eda14cbcSMatt Macy 1164*eda14cbcSMatt Macy return (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 1165*eda14cbcSMatt Macy DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, crypt)); 1166*eda14cbcSMatt Macy } 1167*eda14cbcSMatt Macy 1168*eda14cbcSMatt Macy static void 1169*eda14cbcSMatt Macy dsl_crypto_key_sync_impl(objset_t *mos, uint64_t dckobj, uint64_t crypt, 1170*eda14cbcSMatt Macy uint64_t root_ddobj, uint64_t guid, uint8_t *iv, uint8_t *mac, 1171*eda14cbcSMatt Macy uint8_t *keydata, uint8_t *hmac_keydata, uint64_t keyformat, 1172*eda14cbcSMatt Macy uint64_t salt, uint64_t iters, dmu_tx_t *tx) 1173*eda14cbcSMatt Macy { 1174*eda14cbcSMatt Macy VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, 1175*eda14cbcSMatt Macy &crypt, tx)); 1176*eda14cbcSMatt Macy VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_ROOT_DDOBJ, 8, 1, 1177*eda14cbcSMatt Macy &root_ddobj, tx)); 1178*eda14cbcSMatt Macy VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_GUID, 8, 1, 1179*eda14cbcSMatt Macy &guid, tx)); 1180*eda14cbcSMatt Macy VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_IV, 1, WRAPPING_IV_LEN, 1181*eda14cbcSMatt Macy iv, tx)); 1182*eda14cbcSMatt Macy VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_MAC, 1, WRAPPING_MAC_LEN, 1183*eda14cbcSMatt Macy mac, tx)); 1184*eda14cbcSMatt Macy VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_MASTER_KEY, 1, 1185*eda14cbcSMatt Macy MASTER_KEY_MAX_LEN, keydata, tx)); 1186*eda14cbcSMatt Macy VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_HMAC_KEY, 1, 1187*eda14cbcSMatt Macy SHA512_HMAC_KEYLEN, hmac_keydata, tx)); 1188*eda14cbcSMatt Macy VERIFY0(zap_update(mos, dckobj, zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 1189*eda14cbcSMatt Macy 8, 1, &keyformat, tx)); 1190*eda14cbcSMatt Macy VERIFY0(zap_update(mos, dckobj, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 1191*eda14cbcSMatt Macy 8, 1, &salt, tx)); 1192*eda14cbcSMatt Macy VERIFY0(zap_update(mos, dckobj, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 1193*eda14cbcSMatt Macy 8, 1, &iters, tx)); 1194*eda14cbcSMatt Macy } 1195*eda14cbcSMatt Macy 1196*eda14cbcSMatt Macy static void 1197*eda14cbcSMatt Macy dsl_crypto_key_sync(dsl_crypto_key_t *dck, dmu_tx_t *tx) 1198*eda14cbcSMatt Macy { 1199*eda14cbcSMatt Macy zio_crypt_key_t *key = &dck->dck_key; 1200*eda14cbcSMatt Macy dsl_wrapping_key_t *wkey = dck->dck_wkey; 1201*eda14cbcSMatt Macy uint8_t keydata[MASTER_KEY_MAX_LEN]; 1202*eda14cbcSMatt Macy uint8_t hmac_keydata[SHA512_HMAC_KEYLEN]; 1203*eda14cbcSMatt Macy uint8_t iv[WRAPPING_IV_LEN]; 1204*eda14cbcSMatt Macy uint8_t mac[WRAPPING_MAC_LEN]; 1205*eda14cbcSMatt Macy 1206*eda14cbcSMatt Macy ASSERT(dmu_tx_is_syncing(tx)); 1207*eda14cbcSMatt Macy ASSERT3U(key->zk_crypt, <, ZIO_CRYPT_FUNCTIONS); 1208*eda14cbcSMatt Macy 1209*eda14cbcSMatt Macy /* encrypt and store the keys along with the IV and MAC */ 1210*eda14cbcSMatt Macy VERIFY0(zio_crypt_key_wrap(&dck->dck_wkey->wk_key, key, iv, mac, 1211*eda14cbcSMatt Macy keydata, hmac_keydata)); 1212*eda14cbcSMatt Macy 1213*eda14cbcSMatt Macy /* update the ZAP with the obtained values */ 1214*eda14cbcSMatt Macy dsl_crypto_key_sync_impl(tx->tx_pool->dp_meta_objset, dck->dck_obj, 1215*eda14cbcSMatt Macy key->zk_crypt, wkey->wk_ddobj, key->zk_guid, iv, mac, keydata, 1216*eda14cbcSMatt Macy hmac_keydata, wkey->wk_keyformat, wkey->wk_salt, wkey->wk_iters, 1217*eda14cbcSMatt Macy tx); 1218*eda14cbcSMatt Macy } 1219*eda14cbcSMatt Macy 1220*eda14cbcSMatt Macy typedef struct spa_keystore_change_key_args { 1221*eda14cbcSMatt Macy const char *skcka_dsname; 1222*eda14cbcSMatt Macy dsl_crypto_params_t *skcka_cp; 1223*eda14cbcSMatt Macy } spa_keystore_change_key_args_t; 1224*eda14cbcSMatt Macy 1225*eda14cbcSMatt Macy static int 1226*eda14cbcSMatt Macy spa_keystore_change_key_check(void *arg, dmu_tx_t *tx) 1227*eda14cbcSMatt Macy { 1228*eda14cbcSMatt Macy int ret; 1229*eda14cbcSMatt Macy dsl_dir_t *dd = NULL; 1230*eda14cbcSMatt Macy dsl_pool_t *dp = dmu_tx_pool(tx); 1231*eda14cbcSMatt Macy spa_keystore_change_key_args_t *skcka = arg; 1232*eda14cbcSMatt Macy dsl_crypto_params_t *dcp = skcka->skcka_cp; 1233*eda14cbcSMatt Macy uint64_t rddobj; 1234*eda14cbcSMatt Macy 1235*eda14cbcSMatt Macy /* check for the encryption feature */ 1236*eda14cbcSMatt Macy if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_ENCRYPTION)) { 1237*eda14cbcSMatt Macy ret = SET_ERROR(ENOTSUP); 1238*eda14cbcSMatt Macy goto error; 1239*eda14cbcSMatt Macy } 1240*eda14cbcSMatt Macy 1241*eda14cbcSMatt Macy /* check for valid key change command */ 1242*eda14cbcSMatt Macy if (dcp->cp_cmd != DCP_CMD_NEW_KEY && 1243*eda14cbcSMatt Macy dcp->cp_cmd != DCP_CMD_INHERIT && 1244*eda14cbcSMatt Macy dcp->cp_cmd != DCP_CMD_FORCE_NEW_KEY && 1245*eda14cbcSMatt Macy dcp->cp_cmd != DCP_CMD_FORCE_INHERIT) { 1246*eda14cbcSMatt Macy ret = SET_ERROR(EINVAL); 1247*eda14cbcSMatt Macy goto error; 1248*eda14cbcSMatt Macy } 1249*eda14cbcSMatt Macy 1250*eda14cbcSMatt Macy /* hold the dd */ 1251*eda14cbcSMatt Macy ret = dsl_dir_hold(dp, skcka->skcka_dsname, FTAG, &dd, NULL); 1252*eda14cbcSMatt Macy if (ret != 0) { 1253*eda14cbcSMatt Macy dd = NULL; 1254*eda14cbcSMatt Macy goto error; 1255*eda14cbcSMatt Macy } 1256*eda14cbcSMatt Macy 1257*eda14cbcSMatt Macy /* verify that the dataset is encrypted */ 1258*eda14cbcSMatt Macy if (dd->dd_crypto_obj == 0) { 1259*eda14cbcSMatt Macy ret = SET_ERROR(EINVAL); 1260*eda14cbcSMatt Macy goto error; 1261*eda14cbcSMatt Macy } 1262*eda14cbcSMatt Macy 1263*eda14cbcSMatt Macy /* clones must always use their origin's key */ 1264*eda14cbcSMatt Macy if (dsl_dir_is_clone(dd)) { 1265*eda14cbcSMatt Macy ret = SET_ERROR(EINVAL); 1266*eda14cbcSMatt Macy goto error; 1267*eda14cbcSMatt Macy } 1268*eda14cbcSMatt Macy 1269*eda14cbcSMatt Macy /* lookup the ddobj we are inheriting the keylocation from */ 1270*eda14cbcSMatt Macy ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj); 1271*eda14cbcSMatt Macy if (ret != 0) 1272*eda14cbcSMatt Macy goto error; 1273*eda14cbcSMatt Macy 1274*eda14cbcSMatt Macy /* Handle inheritance */ 1275*eda14cbcSMatt Macy if (dcp->cp_cmd == DCP_CMD_INHERIT || 1276*eda14cbcSMatt Macy dcp->cp_cmd == DCP_CMD_FORCE_INHERIT) { 1277*eda14cbcSMatt Macy /* no other encryption params should be given */ 1278*eda14cbcSMatt Macy if (dcp->cp_crypt != ZIO_CRYPT_INHERIT || 1279*eda14cbcSMatt Macy dcp->cp_keylocation != NULL || 1280*eda14cbcSMatt Macy dcp->cp_wkey != NULL) { 1281*eda14cbcSMatt Macy ret = SET_ERROR(EINVAL); 1282*eda14cbcSMatt Macy goto error; 1283*eda14cbcSMatt Macy } 1284*eda14cbcSMatt Macy 1285*eda14cbcSMatt Macy /* check that this is an encryption root */ 1286*eda14cbcSMatt Macy if (dd->dd_object != rddobj) { 1287*eda14cbcSMatt Macy ret = SET_ERROR(EINVAL); 1288*eda14cbcSMatt Macy goto error; 1289*eda14cbcSMatt Macy } 1290*eda14cbcSMatt Macy 1291*eda14cbcSMatt Macy /* check that the parent is encrypted */ 1292*eda14cbcSMatt Macy if (dd->dd_parent->dd_crypto_obj == 0) { 1293*eda14cbcSMatt Macy ret = SET_ERROR(EINVAL); 1294*eda14cbcSMatt Macy goto error; 1295*eda14cbcSMatt Macy } 1296*eda14cbcSMatt Macy 1297*eda14cbcSMatt Macy /* if we are rewrapping check that both keys are loaded */ 1298*eda14cbcSMatt Macy if (dcp->cp_cmd == DCP_CMD_INHERIT) { 1299*eda14cbcSMatt Macy ret = dmu_objset_check_wkey_loaded(dd); 1300*eda14cbcSMatt Macy if (ret != 0) 1301*eda14cbcSMatt Macy goto error; 1302*eda14cbcSMatt Macy 1303*eda14cbcSMatt Macy ret = dmu_objset_check_wkey_loaded(dd->dd_parent); 1304*eda14cbcSMatt Macy if (ret != 0) 1305*eda14cbcSMatt Macy goto error; 1306*eda14cbcSMatt Macy } 1307*eda14cbcSMatt Macy 1308*eda14cbcSMatt Macy dsl_dir_rele(dd, FTAG); 1309*eda14cbcSMatt Macy return (0); 1310*eda14cbcSMatt Macy } 1311*eda14cbcSMatt Macy 1312*eda14cbcSMatt Macy /* handle forcing an encryption root without rewrapping */ 1313*eda14cbcSMatt Macy if (dcp->cp_cmd == DCP_CMD_FORCE_NEW_KEY) { 1314*eda14cbcSMatt Macy /* no other encryption params should be given */ 1315*eda14cbcSMatt Macy if (dcp->cp_crypt != ZIO_CRYPT_INHERIT || 1316*eda14cbcSMatt Macy dcp->cp_keylocation != NULL || 1317*eda14cbcSMatt Macy dcp->cp_wkey != NULL) { 1318*eda14cbcSMatt Macy ret = SET_ERROR(EINVAL); 1319*eda14cbcSMatt Macy goto error; 1320*eda14cbcSMatt Macy } 1321*eda14cbcSMatt Macy 1322*eda14cbcSMatt Macy /* check that this is not an encryption root */ 1323*eda14cbcSMatt Macy if (dd->dd_object == rddobj) { 1324*eda14cbcSMatt Macy ret = SET_ERROR(EINVAL); 1325*eda14cbcSMatt Macy goto error; 1326*eda14cbcSMatt Macy } 1327*eda14cbcSMatt Macy 1328*eda14cbcSMatt Macy dsl_dir_rele(dd, FTAG); 1329*eda14cbcSMatt Macy return (0); 1330*eda14cbcSMatt Macy } 1331*eda14cbcSMatt Macy 1332*eda14cbcSMatt Macy /* crypt cannot be changed after creation */ 1333*eda14cbcSMatt Macy if (dcp->cp_crypt != ZIO_CRYPT_INHERIT) { 1334*eda14cbcSMatt Macy ret = SET_ERROR(EINVAL); 1335*eda14cbcSMatt Macy goto error; 1336*eda14cbcSMatt Macy } 1337*eda14cbcSMatt Macy 1338*eda14cbcSMatt Macy /* we are not inheritting our parent's wkey so we need one ourselves */ 1339*eda14cbcSMatt Macy if (dcp->cp_wkey == NULL) { 1340*eda14cbcSMatt Macy ret = SET_ERROR(EINVAL); 1341*eda14cbcSMatt Macy goto error; 1342*eda14cbcSMatt Macy } 1343*eda14cbcSMatt Macy 1344*eda14cbcSMatt Macy /* check for a valid keyformat for the new wrapping key */ 1345*eda14cbcSMatt Macy if (dcp->cp_wkey->wk_keyformat >= ZFS_KEYFORMAT_FORMATS || 1346*eda14cbcSMatt Macy dcp->cp_wkey->wk_keyformat == ZFS_KEYFORMAT_NONE) { 1347*eda14cbcSMatt Macy ret = SET_ERROR(EINVAL); 1348*eda14cbcSMatt Macy goto error; 1349*eda14cbcSMatt Macy } 1350*eda14cbcSMatt Macy 1351*eda14cbcSMatt Macy /* 1352*eda14cbcSMatt Macy * If this dataset is not currently an encryption root we need a new 1353*eda14cbcSMatt Macy * keylocation for this dataset's new wrapping key. Otherwise we can 1354*eda14cbcSMatt Macy * just keep the one we already had. 1355*eda14cbcSMatt Macy */ 1356*eda14cbcSMatt Macy if (dd->dd_object != rddobj && dcp->cp_keylocation == NULL) { 1357*eda14cbcSMatt Macy ret = SET_ERROR(EINVAL); 1358*eda14cbcSMatt Macy goto error; 1359*eda14cbcSMatt Macy } 1360*eda14cbcSMatt Macy 1361*eda14cbcSMatt Macy /* check that the keylocation is valid if it is not NULL */ 1362*eda14cbcSMatt Macy if (dcp->cp_keylocation != NULL && 1363*eda14cbcSMatt Macy !zfs_prop_valid_keylocation(dcp->cp_keylocation, B_TRUE)) { 1364*eda14cbcSMatt Macy ret = SET_ERROR(EINVAL); 1365*eda14cbcSMatt Macy goto error; 1366*eda14cbcSMatt Macy } 1367*eda14cbcSMatt Macy 1368*eda14cbcSMatt Macy /* passphrases require pbkdf2 salt and iters */ 1369*eda14cbcSMatt Macy if (dcp->cp_wkey->wk_keyformat == ZFS_KEYFORMAT_PASSPHRASE) { 1370*eda14cbcSMatt Macy if (dcp->cp_wkey->wk_salt == 0 || 1371*eda14cbcSMatt Macy dcp->cp_wkey->wk_iters < MIN_PBKDF2_ITERATIONS) { 1372*eda14cbcSMatt Macy ret = SET_ERROR(EINVAL); 1373*eda14cbcSMatt Macy goto error; 1374*eda14cbcSMatt Macy } 1375*eda14cbcSMatt Macy } else { 1376*eda14cbcSMatt Macy if (dcp->cp_wkey->wk_salt != 0 || dcp->cp_wkey->wk_iters != 0) { 1377*eda14cbcSMatt Macy ret = SET_ERROR(EINVAL); 1378*eda14cbcSMatt Macy goto error; 1379*eda14cbcSMatt Macy } 1380*eda14cbcSMatt Macy } 1381*eda14cbcSMatt Macy 1382*eda14cbcSMatt Macy /* make sure the dd's wkey is loaded */ 1383*eda14cbcSMatt Macy ret = dmu_objset_check_wkey_loaded(dd); 1384*eda14cbcSMatt Macy if (ret != 0) 1385*eda14cbcSMatt Macy goto error; 1386*eda14cbcSMatt Macy 1387*eda14cbcSMatt Macy dsl_dir_rele(dd, FTAG); 1388*eda14cbcSMatt Macy 1389*eda14cbcSMatt Macy return (0); 1390*eda14cbcSMatt Macy 1391*eda14cbcSMatt Macy error: 1392*eda14cbcSMatt Macy if (dd != NULL) 1393*eda14cbcSMatt Macy dsl_dir_rele(dd, FTAG); 1394*eda14cbcSMatt Macy 1395*eda14cbcSMatt Macy return (ret); 1396*eda14cbcSMatt Macy } 1397*eda14cbcSMatt Macy 1398*eda14cbcSMatt Macy /* 1399*eda14cbcSMatt Macy * This function deals with the intricacies of updating wrapping 1400*eda14cbcSMatt Macy * key references and encryption roots recursively in the event 1401*eda14cbcSMatt Macy * of a call to 'zfs change-key' or 'zfs promote'. The 'skip' 1402*eda14cbcSMatt Macy * parameter should always be set to B_FALSE when called 1403*eda14cbcSMatt Macy * externally. 1404*eda14cbcSMatt Macy */ 1405*eda14cbcSMatt Macy static void 1406*eda14cbcSMatt Macy spa_keystore_change_key_sync_impl(uint64_t rddobj, uint64_t ddobj, 1407*eda14cbcSMatt Macy uint64_t new_rddobj, dsl_wrapping_key_t *wkey, boolean_t skip, 1408*eda14cbcSMatt Macy dmu_tx_t *tx) 1409*eda14cbcSMatt Macy { 1410*eda14cbcSMatt Macy int ret; 1411*eda14cbcSMatt Macy zap_cursor_t *zc; 1412*eda14cbcSMatt Macy zap_attribute_t *za; 1413*eda14cbcSMatt Macy dsl_pool_t *dp = dmu_tx_pool(tx); 1414*eda14cbcSMatt Macy dsl_dir_t *dd = NULL; 1415*eda14cbcSMatt Macy dsl_crypto_key_t *dck = NULL; 1416*eda14cbcSMatt Macy uint64_t curr_rddobj; 1417*eda14cbcSMatt Macy 1418*eda14cbcSMatt Macy ASSERT(RW_WRITE_HELD(&dp->dp_spa->spa_keystore.sk_wkeys_lock)); 1419*eda14cbcSMatt Macy 1420*eda14cbcSMatt Macy /* hold the dd */ 1421*eda14cbcSMatt Macy VERIFY0(dsl_dir_hold_obj(dp, ddobj, NULL, FTAG, &dd)); 1422*eda14cbcSMatt Macy 1423*eda14cbcSMatt Macy /* ignore special dsl dirs */ 1424*eda14cbcSMatt Macy if (dd->dd_myname[0] == '$' || dd->dd_myname[0] == '%') { 1425*eda14cbcSMatt Macy dsl_dir_rele(dd, FTAG); 1426*eda14cbcSMatt Macy return; 1427*eda14cbcSMatt Macy } 1428*eda14cbcSMatt Macy 1429*eda14cbcSMatt Macy ret = dsl_dir_get_encryption_root_ddobj(dd, &curr_rddobj); 1430*eda14cbcSMatt Macy VERIFY(ret == 0 || ret == ENOENT); 1431*eda14cbcSMatt Macy 1432*eda14cbcSMatt Macy /* 1433*eda14cbcSMatt Macy * Stop recursing if this dsl dir didn't inherit from the root 1434*eda14cbcSMatt Macy * or if this dd is a clone. 1435*eda14cbcSMatt Macy */ 1436*eda14cbcSMatt Macy if (ret == ENOENT || 1437*eda14cbcSMatt Macy (!skip && (curr_rddobj != rddobj || dsl_dir_is_clone(dd)))) { 1438*eda14cbcSMatt Macy dsl_dir_rele(dd, FTAG); 1439*eda14cbcSMatt Macy return; 1440*eda14cbcSMatt Macy } 1441*eda14cbcSMatt Macy 1442*eda14cbcSMatt Macy /* 1443*eda14cbcSMatt Macy * If we don't have a wrapping key just update the dck to reflect the 1444*eda14cbcSMatt Macy * new encryption root. Otherwise rewrap the entire dck and re-sync it 1445*eda14cbcSMatt Macy * to disk. If skip is set, we don't do any of this work. 1446*eda14cbcSMatt Macy */ 1447*eda14cbcSMatt Macy if (!skip) { 1448*eda14cbcSMatt Macy if (wkey == NULL) { 1449*eda14cbcSMatt Macy VERIFY0(zap_update(dp->dp_meta_objset, 1450*eda14cbcSMatt Macy dd->dd_crypto_obj, 1451*eda14cbcSMatt Macy DSL_CRYPTO_KEY_ROOT_DDOBJ, 8, 1, 1452*eda14cbcSMatt Macy &new_rddobj, tx)); 1453*eda14cbcSMatt Macy } else { 1454*eda14cbcSMatt Macy VERIFY0(spa_keystore_dsl_key_hold_dd(dp->dp_spa, dd, 1455*eda14cbcSMatt Macy FTAG, &dck)); 1456*eda14cbcSMatt Macy dsl_wrapping_key_hold(wkey, dck); 1457*eda14cbcSMatt Macy dsl_wrapping_key_rele(dck->dck_wkey, dck); 1458*eda14cbcSMatt Macy dck->dck_wkey = wkey; 1459*eda14cbcSMatt Macy dsl_crypto_key_sync(dck, tx); 1460*eda14cbcSMatt Macy spa_keystore_dsl_key_rele(dp->dp_spa, dck, FTAG); 1461*eda14cbcSMatt Macy } 1462*eda14cbcSMatt Macy } 1463*eda14cbcSMatt Macy 1464*eda14cbcSMatt Macy zc = kmem_alloc(sizeof (zap_cursor_t), KM_SLEEP); 1465*eda14cbcSMatt Macy za = kmem_alloc(sizeof (zap_attribute_t), KM_SLEEP); 1466*eda14cbcSMatt Macy 1467*eda14cbcSMatt Macy /* Recurse into all child dsl dirs. */ 1468*eda14cbcSMatt Macy for (zap_cursor_init(zc, dp->dp_meta_objset, 1469*eda14cbcSMatt Macy dsl_dir_phys(dd)->dd_child_dir_zapobj); 1470*eda14cbcSMatt Macy zap_cursor_retrieve(zc, za) == 0; 1471*eda14cbcSMatt Macy zap_cursor_advance(zc)) { 1472*eda14cbcSMatt Macy spa_keystore_change_key_sync_impl(rddobj, 1473*eda14cbcSMatt Macy za->za_first_integer, new_rddobj, wkey, B_FALSE, tx); 1474*eda14cbcSMatt Macy } 1475*eda14cbcSMatt Macy zap_cursor_fini(zc); 1476*eda14cbcSMatt Macy 1477*eda14cbcSMatt Macy /* 1478*eda14cbcSMatt Macy * Recurse into all dsl dirs of clones. We utilize the skip parameter 1479*eda14cbcSMatt Macy * here so that we don't attempt to process the clones directly. This 1480*eda14cbcSMatt Macy * is because the clone and its origin share the same dck, which has 1481*eda14cbcSMatt Macy * already been updated. 1482*eda14cbcSMatt Macy */ 1483*eda14cbcSMatt Macy for (zap_cursor_init(zc, dp->dp_meta_objset, 1484*eda14cbcSMatt Macy dsl_dir_phys(dd)->dd_clones); 1485*eda14cbcSMatt Macy zap_cursor_retrieve(zc, za) == 0; 1486*eda14cbcSMatt Macy zap_cursor_advance(zc)) { 1487*eda14cbcSMatt Macy dsl_dataset_t *clone; 1488*eda14cbcSMatt Macy 1489*eda14cbcSMatt Macy VERIFY0(dsl_dataset_hold_obj(dp, za->za_first_integer, 1490*eda14cbcSMatt Macy FTAG, &clone)); 1491*eda14cbcSMatt Macy spa_keystore_change_key_sync_impl(rddobj, 1492*eda14cbcSMatt Macy clone->ds_dir->dd_object, new_rddobj, wkey, B_TRUE, tx); 1493*eda14cbcSMatt Macy dsl_dataset_rele(clone, FTAG); 1494*eda14cbcSMatt Macy } 1495*eda14cbcSMatt Macy zap_cursor_fini(zc); 1496*eda14cbcSMatt Macy 1497*eda14cbcSMatt Macy kmem_free(za, sizeof (zap_attribute_t)); 1498*eda14cbcSMatt Macy kmem_free(zc, sizeof (zap_cursor_t)); 1499*eda14cbcSMatt Macy 1500*eda14cbcSMatt Macy dsl_dir_rele(dd, FTAG); 1501*eda14cbcSMatt Macy } 1502*eda14cbcSMatt Macy 1503*eda14cbcSMatt Macy static void 1504*eda14cbcSMatt Macy spa_keystore_change_key_sync(void *arg, dmu_tx_t *tx) 1505*eda14cbcSMatt Macy { 1506*eda14cbcSMatt Macy dsl_dataset_t *ds; 1507*eda14cbcSMatt Macy avl_index_t where; 1508*eda14cbcSMatt Macy dsl_pool_t *dp = dmu_tx_pool(tx); 1509*eda14cbcSMatt Macy spa_t *spa = dp->dp_spa; 1510*eda14cbcSMatt Macy spa_keystore_change_key_args_t *skcka = arg; 1511*eda14cbcSMatt Macy dsl_crypto_params_t *dcp = skcka->skcka_cp; 1512*eda14cbcSMatt Macy dsl_wrapping_key_t *wkey = NULL, *found_wkey; 1513*eda14cbcSMatt Macy dsl_wrapping_key_t wkey_search; 1514*eda14cbcSMatt Macy char *keylocation = dcp->cp_keylocation; 1515*eda14cbcSMatt Macy uint64_t rddobj, new_rddobj; 1516*eda14cbcSMatt Macy 1517*eda14cbcSMatt Macy /* create and initialize the wrapping key */ 1518*eda14cbcSMatt Macy VERIFY0(dsl_dataset_hold(dp, skcka->skcka_dsname, FTAG, &ds)); 1519*eda14cbcSMatt Macy ASSERT(!ds->ds_is_snapshot); 1520*eda14cbcSMatt Macy 1521*eda14cbcSMatt Macy if (dcp->cp_cmd == DCP_CMD_NEW_KEY || 1522*eda14cbcSMatt Macy dcp->cp_cmd == DCP_CMD_FORCE_NEW_KEY) { 1523*eda14cbcSMatt Macy /* 1524*eda14cbcSMatt Macy * We are changing to a new wkey. Set additional properties 1525*eda14cbcSMatt Macy * which can be sent along with this ioctl. Note that this 1526*eda14cbcSMatt Macy * command can set keylocation even if it can't normally be 1527*eda14cbcSMatt Macy * set via 'zfs set' due to a non-local keylocation. 1528*eda14cbcSMatt Macy */ 1529*eda14cbcSMatt Macy if (dcp->cp_cmd == DCP_CMD_NEW_KEY) { 1530*eda14cbcSMatt Macy wkey = dcp->cp_wkey; 1531*eda14cbcSMatt Macy wkey->wk_ddobj = ds->ds_dir->dd_object; 1532*eda14cbcSMatt Macy } else { 1533*eda14cbcSMatt Macy keylocation = "prompt"; 1534*eda14cbcSMatt Macy } 1535*eda14cbcSMatt Macy 1536*eda14cbcSMatt Macy if (keylocation != NULL) { 1537*eda14cbcSMatt Macy dsl_prop_set_sync_impl(ds, 1538*eda14cbcSMatt Macy zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1539*eda14cbcSMatt Macy ZPROP_SRC_LOCAL, 1, strlen(keylocation) + 1, 1540*eda14cbcSMatt Macy keylocation, tx); 1541*eda14cbcSMatt Macy } 1542*eda14cbcSMatt Macy 1543*eda14cbcSMatt Macy VERIFY0(dsl_dir_get_encryption_root_ddobj(ds->ds_dir, &rddobj)); 1544*eda14cbcSMatt Macy new_rddobj = ds->ds_dir->dd_object; 1545*eda14cbcSMatt Macy } else { 1546*eda14cbcSMatt Macy /* 1547*eda14cbcSMatt Macy * We are inheritting the parent's wkey. Unset any local 1548*eda14cbcSMatt Macy * keylocation and grab a reference to the wkey. 1549*eda14cbcSMatt Macy */ 1550*eda14cbcSMatt Macy if (dcp->cp_cmd == DCP_CMD_INHERIT) { 1551*eda14cbcSMatt Macy VERIFY0(spa_keystore_wkey_hold_dd(spa, 1552*eda14cbcSMatt Macy ds->ds_dir->dd_parent, FTAG, &wkey)); 1553*eda14cbcSMatt Macy } 1554*eda14cbcSMatt Macy 1555*eda14cbcSMatt Macy dsl_prop_set_sync_impl(ds, 1556*eda14cbcSMatt Macy zfs_prop_to_name(ZFS_PROP_KEYLOCATION), ZPROP_SRC_NONE, 1557*eda14cbcSMatt Macy 0, 0, NULL, tx); 1558*eda14cbcSMatt Macy 1559*eda14cbcSMatt Macy rddobj = ds->ds_dir->dd_object; 1560*eda14cbcSMatt Macy VERIFY0(dsl_dir_get_encryption_root_ddobj(ds->ds_dir->dd_parent, 1561*eda14cbcSMatt Macy &new_rddobj)); 1562*eda14cbcSMatt Macy } 1563*eda14cbcSMatt Macy 1564*eda14cbcSMatt Macy if (wkey == NULL) { 1565*eda14cbcSMatt Macy ASSERT(dcp->cp_cmd == DCP_CMD_FORCE_INHERIT || 1566*eda14cbcSMatt Macy dcp->cp_cmd == DCP_CMD_FORCE_NEW_KEY); 1567*eda14cbcSMatt Macy } 1568*eda14cbcSMatt Macy 1569*eda14cbcSMatt Macy rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 1570*eda14cbcSMatt Macy 1571*eda14cbcSMatt Macy /* recurse through all children and rewrap their keys */ 1572*eda14cbcSMatt Macy spa_keystore_change_key_sync_impl(rddobj, ds->ds_dir->dd_object, 1573*eda14cbcSMatt Macy new_rddobj, wkey, B_FALSE, tx); 1574*eda14cbcSMatt Macy 1575*eda14cbcSMatt Macy /* 1576*eda14cbcSMatt Macy * All references to the old wkey should be released now (if it 1577*eda14cbcSMatt Macy * existed). Replace the wrapping key. 1578*eda14cbcSMatt Macy */ 1579*eda14cbcSMatt Macy wkey_search.wk_ddobj = ds->ds_dir->dd_object; 1580*eda14cbcSMatt Macy found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, &wkey_search, NULL); 1581*eda14cbcSMatt Macy if (found_wkey != NULL) { 1582*eda14cbcSMatt Macy ASSERT0(zfs_refcount_count(&found_wkey->wk_refcnt)); 1583*eda14cbcSMatt Macy avl_remove(&spa->spa_keystore.sk_wkeys, found_wkey); 1584*eda14cbcSMatt Macy dsl_wrapping_key_free(found_wkey); 1585*eda14cbcSMatt Macy } 1586*eda14cbcSMatt Macy 1587*eda14cbcSMatt Macy if (dcp->cp_cmd == DCP_CMD_NEW_KEY) { 1588*eda14cbcSMatt Macy avl_find(&spa->spa_keystore.sk_wkeys, wkey, &where); 1589*eda14cbcSMatt Macy avl_insert(&spa->spa_keystore.sk_wkeys, wkey, where); 1590*eda14cbcSMatt Macy } else if (wkey != NULL) { 1591*eda14cbcSMatt Macy dsl_wrapping_key_rele(wkey, FTAG); 1592*eda14cbcSMatt Macy } 1593*eda14cbcSMatt Macy 1594*eda14cbcSMatt Macy rw_exit(&spa->spa_keystore.sk_wkeys_lock); 1595*eda14cbcSMatt Macy 1596*eda14cbcSMatt Macy dsl_dataset_rele(ds, FTAG); 1597*eda14cbcSMatt Macy } 1598*eda14cbcSMatt Macy 1599*eda14cbcSMatt Macy int 1600*eda14cbcSMatt Macy spa_keystore_change_key(const char *dsname, dsl_crypto_params_t *dcp) 1601*eda14cbcSMatt Macy { 1602*eda14cbcSMatt Macy spa_keystore_change_key_args_t skcka; 1603*eda14cbcSMatt Macy 1604*eda14cbcSMatt Macy /* initialize the args struct */ 1605*eda14cbcSMatt Macy skcka.skcka_dsname = dsname; 1606*eda14cbcSMatt Macy skcka.skcka_cp = dcp; 1607*eda14cbcSMatt Macy 1608*eda14cbcSMatt Macy /* 1609*eda14cbcSMatt Macy * Perform the actual work in syncing context. The blocks modified 1610*eda14cbcSMatt Macy * here could be calculated but it would require holding the pool 1611*eda14cbcSMatt Macy * lock and traversing all of the datasets that will have their keys 1612*eda14cbcSMatt Macy * changed. 1613*eda14cbcSMatt Macy */ 1614*eda14cbcSMatt Macy return (dsl_sync_task(dsname, spa_keystore_change_key_check, 1615*eda14cbcSMatt Macy spa_keystore_change_key_sync, &skcka, 15, 1616*eda14cbcSMatt Macy ZFS_SPACE_CHECK_RESERVED)); 1617*eda14cbcSMatt Macy } 1618*eda14cbcSMatt Macy 1619*eda14cbcSMatt Macy int 1620*eda14cbcSMatt Macy dsl_dir_rename_crypt_check(dsl_dir_t *dd, dsl_dir_t *newparent) 1621*eda14cbcSMatt Macy { 1622*eda14cbcSMatt Macy int ret; 1623*eda14cbcSMatt Macy uint64_t curr_rddobj, parent_rddobj; 1624*eda14cbcSMatt Macy 1625*eda14cbcSMatt Macy if (dd->dd_crypto_obj == 0) 1626*eda14cbcSMatt Macy return (0); 1627*eda14cbcSMatt Macy 1628*eda14cbcSMatt Macy ret = dsl_dir_get_encryption_root_ddobj(dd, &curr_rddobj); 1629*eda14cbcSMatt Macy if (ret != 0) 1630*eda14cbcSMatt Macy goto error; 1631*eda14cbcSMatt Macy 1632*eda14cbcSMatt Macy /* 1633*eda14cbcSMatt Macy * if this is not an encryption root, we must make sure we are not 1634*eda14cbcSMatt Macy * moving dd to a new encryption root 1635*eda14cbcSMatt Macy */ 1636*eda14cbcSMatt Macy if (dd->dd_object != curr_rddobj) { 1637*eda14cbcSMatt Macy ret = dsl_dir_get_encryption_root_ddobj(newparent, 1638*eda14cbcSMatt Macy &parent_rddobj); 1639*eda14cbcSMatt Macy if (ret != 0) 1640*eda14cbcSMatt Macy goto error; 1641*eda14cbcSMatt Macy 1642*eda14cbcSMatt Macy if (parent_rddobj != curr_rddobj) { 1643*eda14cbcSMatt Macy ret = SET_ERROR(EACCES); 1644*eda14cbcSMatt Macy goto error; 1645*eda14cbcSMatt Macy } 1646*eda14cbcSMatt Macy } 1647*eda14cbcSMatt Macy 1648*eda14cbcSMatt Macy return (0); 1649*eda14cbcSMatt Macy 1650*eda14cbcSMatt Macy error: 1651*eda14cbcSMatt Macy return (ret); 1652*eda14cbcSMatt Macy } 1653*eda14cbcSMatt Macy 1654*eda14cbcSMatt Macy /* 1655*eda14cbcSMatt Macy * Check to make sure that a promote from targetdd to origindd will not require 1656*eda14cbcSMatt Macy * any key rewraps. 1657*eda14cbcSMatt Macy */ 1658*eda14cbcSMatt Macy int 1659*eda14cbcSMatt Macy dsl_dataset_promote_crypt_check(dsl_dir_t *target, dsl_dir_t *origin) 1660*eda14cbcSMatt Macy { 1661*eda14cbcSMatt Macy int ret; 1662*eda14cbcSMatt Macy uint64_t rddobj, op_rddobj, tp_rddobj; 1663*eda14cbcSMatt Macy 1664*eda14cbcSMatt Macy /* If the dataset is not encrypted we don't need to check anything */ 1665*eda14cbcSMatt Macy if (origin->dd_crypto_obj == 0) 1666*eda14cbcSMatt Macy return (0); 1667*eda14cbcSMatt Macy 1668*eda14cbcSMatt Macy /* 1669*eda14cbcSMatt Macy * If we are not changing the first origin snapshot in a chain 1670*eda14cbcSMatt Macy * the encryption root won't change either. 1671*eda14cbcSMatt Macy */ 1672*eda14cbcSMatt Macy if (dsl_dir_is_clone(origin)) 1673*eda14cbcSMatt Macy return (0); 1674*eda14cbcSMatt Macy 1675*eda14cbcSMatt Macy /* 1676*eda14cbcSMatt Macy * If the origin is the encryption root we will update 1677*eda14cbcSMatt Macy * the DSL Crypto Key to point to the target instead. 1678*eda14cbcSMatt Macy */ 1679*eda14cbcSMatt Macy ret = dsl_dir_get_encryption_root_ddobj(origin, &rddobj); 1680*eda14cbcSMatt Macy if (ret != 0) 1681*eda14cbcSMatt Macy return (ret); 1682*eda14cbcSMatt Macy 1683*eda14cbcSMatt Macy if (rddobj == origin->dd_object) 1684*eda14cbcSMatt Macy return (0); 1685*eda14cbcSMatt Macy 1686*eda14cbcSMatt Macy /* 1687*eda14cbcSMatt Macy * The origin is inheriting its encryption root from its parent. 1688*eda14cbcSMatt Macy * Check that the parent of the target has the same encryption root. 1689*eda14cbcSMatt Macy */ 1690*eda14cbcSMatt Macy ret = dsl_dir_get_encryption_root_ddobj(origin->dd_parent, &op_rddobj); 1691*eda14cbcSMatt Macy if (ret == ENOENT) 1692*eda14cbcSMatt Macy return (SET_ERROR(EACCES)); 1693*eda14cbcSMatt Macy else if (ret != 0) 1694*eda14cbcSMatt Macy return (ret); 1695*eda14cbcSMatt Macy 1696*eda14cbcSMatt Macy ret = dsl_dir_get_encryption_root_ddobj(target->dd_parent, &tp_rddobj); 1697*eda14cbcSMatt Macy if (ret == ENOENT) 1698*eda14cbcSMatt Macy return (SET_ERROR(EACCES)); 1699*eda14cbcSMatt Macy else if (ret != 0) 1700*eda14cbcSMatt Macy return (ret); 1701*eda14cbcSMatt Macy 1702*eda14cbcSMatt Macy if (op_rddobj != tp_rddobj) 1703*eda14cbcSMatt Macy return (SET_ERROR(EACCES)); 1704*eda14cbcSMatt Macy 1705*eda14cbcSMatt Macy return (0); 1706*eda14cbcSMatt Macy } 1707*eda14cbcSMatt Macy 1708*eda14cbcSMatt Macy void 1709*eda14cbcSMatt Macy dsl_dataset_promote_crypt_sync(dsl_dir_t *target, dsl_dir_t *origin, 1710*eda14cbcSMatt Macy dmu_tx_t *tx) 1711*eda14cbcSMatt Macy { 1712*eda14cbcSMatt Macy uint64_t rddobj; 1713*eda14cbcSMatt Macy dsl_pool_t *dp = target->dd_pool; 1714*eda14cbcSMatt Macy dsl_dataset_t *targetds; 1715*eda14cbcSMatt Macy dsl_dataset_t *originds; 1716*eda14cbcSMatt Macy char *keylocation; 1717*eda14cbcSMatt Macy 1718*eda14cbcSMatt Macy if (origin->dd_crypto_obj == 0) 1719*eda14cbcSMatt Macy return; 1720*eda14cbcSMatt Macy if (dsl_dir_is_clone(origin)) 1721*eda14cbcSMatt Macy return; 1722*eda14cbcSMatt Macy 1723*eda14cbcSMatt Macy VERIFY0(dsl_dir_get_encryption_root_ddobj(origin, &rddobj)); 1724*eda14cbcSMatt Macy 1725*eda14cbcSMatt Macy if (rddobj != origin->dd_object) 1726*eda14cbcSMatt Macy return; 1727*eda14cbcSMatt Macy 1728*eda14cbcSMatt Macy /* 1729*eda14cbcSMatt Macy * If the target is being promoted to the encryption root update the 1730*eda14cbcSMatt Macy * DSL Crypto Key and keylocation to reflect that. We also need to 1731*eda14cbcSMatt Macy * update the DSL Crypto Keys of all children inheritting their 1732*eda14cbcSMatt Macy * encryption root to point to the new target. Otherwise, the check 1733*eda14cbcSMatt Macy * function ensured that the encryption root will not change. 1734*eda14cbcSMatt Macy */ 1735*eda14cbcSMatt Macy keylocation = kmem_alloc(ZAP_MAXVALUELEN, KM_SLEEP); 1736*eda14cbcSMatt Macy 1737*eda14cbcSMatt Macy VERIFY0(dsl_dataset_hold_obj(dp, 1738*eda14cbcSMatt Macy dsl_dir_phys(target)->dd_head_dataset_obj, FTAG, &targetds)); 1739*eda14cbcSMatt Macy VERIFY0(dsl_dataset_hold_obj(dp, 1740*eda14cbcSMatt Macy dsl_dir_phys(origin)->dd_head_dataset_obj, FTAG, &originds)); 1741*eda14cbcSMatt Macy 1742*eda14cbcSMatt Macy VERIFY0(dsl_prop_get_dd(origin, zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1743*eda14cbcSMatt Macy 1, ZAP_MAXVALUELEN, keylocation, NULL, B_FALSE)); 1744*eda14cbcSMatt Macy dsl_prop_set_sync_impl(targetds, zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1745*eda14cbcSMatt Macy ZPROP_SRC_LOCAL, 1, strlen(keylocation) + 1, keylocation, tx); 1746*eda14cbcSMatt Macy dsl_prop_set_sync_impl(originds, zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1747*eda14cbcSMatt Macy ZPROP_SRC_NONE, 0, 0, NULL, tx); 1748*eda14cbcSMatt Macy 1749*eda14cbcSMatt Macy rw_enter(&dp->dp_spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 1750*eda14cbcSMatt Macy spa_keystore_change_key_sync_impl(rddobj, origin->dd_object, 1751*eda14cbcSMatt Macy target->dd_object, NULL, B_FALSE, tx); 1752*eda14cbcSMatt Macy rw_exit(&dp->dp_spa->spa_keystore.sk_wkeys_lock); 1753*eda14cbcSMatt Macy 1754*eda14cbcSMatt Macy dsl_dataset_rele(targetds, FTAG); 1755*eda14cbcSMatt Macy dsl_dataset_rele(originds, FTAG); 1756*eda14cbcSMatt Macy kmem_free(keylocation, ZAP_MAXVALUELEN); 1757*eda14cbcSMatt Macy } 1758*eda14cbcSMatt Macy 1759*eda14cbcSMatt Macy int 1760*eda14cbcSMatt Macy dmu_objset_create_crypt_check(dsl_dir_t *parentdd, dsl_crypto_params_t *dcp, 1761*eda14cbcSMatt Macy boolean_t *will_encrypt) 1762*eda14cbcSMatt Macy { 1763*eda14cbcSMatt Macy int ret; 1764*eda14cbcSMatt Macy uint64_t pcrypt, crypt; 1765*eda14cbcSMatt Macy dsl_crypto_params_t dummy_dcp = { 0 }; 1766*eda14cbcSMatt Macy 1767*eda14cbcSMatt Macy if (will_encrypt != NULL) 1768*eda14cbcSMatt Macy *will_encrypt = B_FALSE; 1769*eda14cbcSMatt Macy 1770*eda14cbcSMatt Macy if (dcp == NULL) 1771*eda14cbcSMatt Macy dcp = &dummy_dcp; 1772*eda14cbcSMatt Macy 1773*eda14cbcSMatt Macy if (dcp->cp_cmd != DCP_CMD_NONE) 1774*eda14cbcSMatt Macy return (SET_ERROR(EINVAL)); 1775*eda14cbcSMatt Macy 1776*eda14cbcSMatt Macy if (parentdd != NULL) { 1777*eda14cbcSMatt Macy ret = dsl_dir_get_crypt(parentdd, &pcrypt); 1778*eda14cbcSMatt Macy if (ret != 0) 1779*eda14cbcSMatt Macy return (ret); 1780*eda14cbcSMatt Macy } else { 1781*eda14cbcSMatt Macy pcrypt = ZIO_CRYPT_OFF; 1782*eda14cbcSMatt Macy } 1783*eda14cbcSMatt Macy 1784*eda14cbcSMatt Macy crypt = (dcp->cp_crypt == ZIO_CRYPT_INHERIT) ? pcrypt : dcp->cp_crypt; 1785*eda14cbcSMatt Macy 1786*eda14cbcSMatt Macy ASSERT3U(pcrypt, !=, ZIO_CRYPT_INHERIT); 1787*eda14cbcSMatt Macy ASSERT3U(crypt, !=, ZIO_CRYPT_INHERIT); 1788*eda14cbcSMatt Macy 1789*eda14cbcSMatt Macy /* check for valid dcp with no encryption (inherited or local) */ 1790*eda14cbcSMatt Macy if (crypt == ZIO_CRYPT_OFF) { 1791*eda14cbcSMatt Macy /* Must not specify encryption params */ 1792*eda14cbcSMatt Macy if (dcp->cp_wkey != NULL || 1793*eda14cbcSMatt Macy (dcp->cp_keylocation != NULL && 1794*eda14cbcSMatt Macy strcmp(dcp->cp_keylocation, "none") != 0)) 1795*eda14cbcSMatt Macy return (SET_ERROR(EINVAL)); 1796*eda14cbcSMatt Macy 1797*eda14cbcSMatt Macy return (0); 1798*eda14cbcSMatt Macy } 1799*eda14cbcSMatt Macy 1800*eda14cbcSMatt Macy if (will_encrypt != NULL) 1801*eda14cbcSMatt Macy *will_encrypt = B_TRUE; 1802*eda14cbcSMatt Macy 1803*eda14cbcSMatt Macy /* 1804*eda14cbcSMatt Macy * We will now definitely be encrypting. Check the feature flag. When 1805*eda14cbcSMatt Macy * creating the pool the caller will check this for us since we won't 1806*eda14cbcSMatt Macy * technically have the feature activated yet. 1807*eda14cbcSMatt Macy */ 1808*eda14cbcSMatt Macy if (parentdd != NULL && 1809*eda14cbcSMatt Macy !spa_feature_is_enabled(parentdd->dd_pool->dp_spa, 1810*eda14cbcSMatt Macy SPA_FEATURE_ENCRYPTION)) { 1811*eda14cbcSMatt Macy return (SET_ERROR(EOPNOTSUPP)); 1812*eda14cbcSMatt Macy } 1813*eda14cbcSMatt Macy 1814*eda14cbcSMatt Macy /* Check for errata #4 (encryption enabled, bookmark_v2 disabled) */ 1815*eda14cbcSMatt Macy if (parentdd != NULL && 1816*eda14cbcSMatt Macy !spa_feature_is_enabled(parentdd->dd_pool->dp_spa, 1817*eda14cbcSMatt Macy SPA_FEATURE_BOOKMARK_V2)) { 1818*eda14cbcSMatt Macy return (SET_ERROR(EOPNOTSUPP)); 1819*eda14cbcSMatt Macy } 1820*eda14cbcSMatt Macy 1821*eda14cbcSMatt Macy /* handle inheritance */ 1822*eda14cbcSMatt Macy if (dcp->cp_wkey == NULL) { 1823*eda14cbcSMatt Macy ASSERT3P(parentdd, !=, NULL); 1824*eda14cbcSMatt Macy 1825*eda14cbcSMatt Macy /* key must be fully unspecified */ 1826*eda14cbcSMatt Macy if (dcp->cp_keylocation != NULL) 1827*eda14cbcSMatt Macy return (SET_ERROR(EINVAL)); 1828*eda14cbcSMatt Macy 1829*eda14cbcSMatt Macy /* parent must have a key to inherit */ 1830*eda14cbcSMatt Macy if (pcrypt == ZIO_CRYPT_OFF) 1831*eda14cbcSMatt Macy return (SET_ERROR(EINVAL)); 1832*eda14cbcSMatt Macy 1833*eda14cbcSMatt Macy /* check for parent key */ 1834*eda14cbcSMatt Macy ret = dmu_objset_check_wkey_loaded(parentdd); 1835*eda14cbcSMatt Macy if (ret != 0) 1836*eda14cbcSMatt Macy return (ret); 1837*eda14cbcSMatt Macy 1838*eda14cbcSMatt Macy return (0); 1839*eda14cbcSMatt Macy } 1840*eda14cbcSMatt Macy 1841*eda14cbcSMatt Macy /* At this point we should have a fully specified key. Check location */ 1842*eda14cbcSMatt Macy if (dcp->cp_keylocation == NULL || 1843*eda14cbcSMatt Macy !zfs_prop_valid_keylocation(dcp->cp_keylocation, B_TRUE)) 1844*eda14cbcSMatt Macy return (SET_ERROR(EINVAL)); 1845*eda14cbcSMatt Macy 1846*eda14cbcSMatt Macy /* Must have fully specified keyformat */ 1847*eda14cbcSMatt Macy switch (dcp->cp_wkey->wk_keyformat) { 1848*eda14cbcSMatt Macy case ZFS_KEYFORMAT_HEX: 1849*eda14cbcSMatt Macy case ZFS_KEYFORMAT_RAW: 1850*eda14cbcSMatt Macy /* requires no pbkdf2 iters and salt */ 1851*eda14cbcSMatt Macy if (dcp->cp_wkey->wk_salt != 0 || dcp->cp_wkey->wk_iters != 0) 1852*eda14cbcSMatt Macy return (SET_ERROR(EINVAL)); 1853*eda14cbcSMatt Macy break; 1854*eda14cbcSMatt Macy case ZFS_KEYFORMAT_PASSPHRASE: 1855*eda14cbcSMatt Macy /* requires pbkdf2 iters and salt */ 1856*eda14cbcSMatt Macy if (dcp->cp_wkey->wk_salt == 0 || 1857*eda14cbcSMatt Macy dcp->cp_wkey->wk_iters < MIN_PBKDF2_ITERATIONS) 1858*eda14cbcSMatt Macy return (SET_ERROR(EINVAL)); 1859*eda14cbcSMatt Macy break; 1860*eda14cbcSMatt Macy case ZFS_KEYFORMAT_NONE: 1861*eda14cbcSMatt Macy default: 1862*eda14cbcSMatt Macy /* keyformat must be specified and valid */ 1863*eda14cbcSMatt Macy return (SET_ERROR(EINVAL)); 1864*eda14cbcSMatt Macy } 1865*eda14cbcSMatt Macy 1866*eda14cbcSMatt Macy return (0); 1867*eda14cbcSMatt Macy } 1868*eda14cbcSMatt Macy 1869*eda14cbcSMatt Macy void 1870*eda14cbcSMatt Macy dsl_dataset_create_crypt_sync(uint64_t dsobj, dsl_dir_t *dd, 1871*eda14cbcSMatt Macy dsl_dataset_t *origin, dsl_crypto_params_t *dcp, dmu_tx_t *tx) 1872*eda14cbcSMatt Macy { 1873*eda14cbcSMatt Macy dsl_pool_t *dp = dd->dd_pool; 1874*eda14cbcSMatt Macy uint64_t crypt; 1875*eda14cbcSMatt Macy dsl_wrapping_key_t *wkey; 1876*eda14cbcSMatt Macy 1877*eda14cbcSMatt Macy /* clones always use their origin's wrapping key */ 1878*eda14cbcSMatt Macy if (dsl_dir_is_clone(dd)) { 1879*eda14cbcSMatt Macy ASSERT3P(dcp, ==, NULL); 1880*eda14cbcSMatt Macy 1881*eda14cbcSMatt Macy /* 1882*eda14cbcSMatt Macy * If this is an encrypted clone we just need to clone the 1883*eda14cbcSMatt Macy * dck into dd. Zapify the dd so we can do that. 1884*eda14cbcSMatt Macy */ 1885*eda14cbcSMatt Macy if (origin->ds_dir->dd_crypto_obj != 0) { 1886*eda14cbcSMatt Macy dmu_buf_will_dirty(dd->dd_dbuf, tx); 1887*eda14cbcSMatt Macy dsl_dir_zapify(dd, tx); 1888*eda14cbcSMatt Macy 1889*eda14cbcSMatt Macy dd->dd_crypto_obj = 1890*eda14cbcSMatt Macy dsl_crypto_key_clone_sync(origin->ds_dir, tx); 1891*eda14cbcSMatt Macy VERIFY0(zap_add(dp->dp_meta_objset, dd->dd_object, 1892*eda14cbcSMatt Macy DD_FIELD_CRYPTO_KEY_OBJ, sizeof (uint64_t), 1, 1893*eda14cbcSMatt Macy &dd->dd_crypto_obj, tx)); 1894*eda14cbcSMatt Macy } 1895*eda14cbcSMatt Macy 1896*eda14cbcSMatt Macy return; 1897*eda14cbcSMatt Macy } 1898*eda14cbcSMatt Macy 1899*eda14cbcSMatt Macy /* 1900*eda14cbcSMatt Macy * A NULL dcp at this point indicates this is the origin dataset 1901*eda14cbcSMatt Macy * which does not have an objset to encrypt. Raw receives will handle 1902*eda14cbcSMatt Macy * encryption separately later. In both cases we can simply return. 1903*eda14cbcSMatt Macy */ 1904*eda14cbcSMatt Macy if (dcp == NULL || dcp->cp_cmd == DCP_CMD_RAW_RECV) 1905*eda14cbcSMatt Macy return; 1906*eda14cbcSMatt Macy 1907*eda14cbcSMatt Macy crypt = dcp->cp_crypt; 1908*eda14cbcSMatt Macy wkey = dcp->cp_wkey; 1909*eda14cbcSMatt Macy 1910*eda14cbcSMatt Macy /* figure out the effective crypt */ 1911*eda14cbcSMatt Macy if (crypt == ZIO_CRYPT_INHERIT && dd->dd_parent != NULL) 1912*eda14cbcSMatt Macy VERIFY0(dsl_dir_get_crypt(dd->dd_parent, &crypt)); 1913*eda14cbcSMatt Macy 1914*eda14cbcSMatt Macy /* if we aren't doing encryption just return */ 1915*eda14cbcSMatt Macy if (crypt == ZIO_CRYPT_OFF || crypt == ZIO_CRYPT_INHERIT) 1916*eda14cbcSMatt Macy return; 1917*eda14cbcSMatt Macy 1918*eda14cbcSMatt Macy /* zapify the dd so that we can add the crypto key obj to it */ 1919*eda14cbcSMatt Macy dmu_buf_will_dirty(dd->dd_dbuf, tx); 1920*eda14cbcSMatt Macy dsl_dir_zapify(dd, tx); 1921*eda14cbcSMatt Macy 1922*eda14cbcSMatt Macy /* use the new key if given or inherit from the parent */ 1923*eda14cbcSMatt Macy if (wkey == NULL) { 1924*eda14cbcSMatt Macy VERIFY0(spa_keystore_wkey_hold_dd(dp->dp_spa, 1925*eda14cbcSMatt Macy dd->dd_parent, FTAG, &wkey)); 1926*eda14cbcSMatt Macy } else { 1927*eda14cbcSMatt Macy wkey->wk_ddobj = dd->dd_object; 1928*eda14cbcSMatt Macy } 1929*eda14cbcSMatt Macy 1930*eda14cbcSMatt Macy ASSERT3P(wkey, !=, NULL); 1931*eda14cbcSMatt Macy 1932*eda14cbcSMatt Macy /* Create or clone the DSL crypto key and activate the feature */ 1933*eda14cbcSMatt Macy dd->dd_crypto_obj = dsl_crypto_key_create_sync(crypt, wkey, tx); 1934*eda14cbcSMatt Macy VERIFY0(zap_add(dp->dp_meta_objset, dd->dd_object, 1935*eda14cbcSMatt Macy DD_FIELD_CRYPTO_KEY_OBJ, sizeof (uint64_t), 1, &dd->dd_crypto_obj, 1936*eda14cbcSMatt Macy tx)); 1937*eda14cbcSMatt Macy dsl_dataset_activate_feature(dsobj, SPA_FEATURE_ENCRYPTION, 1938*eda14cbcSMatt Macy (void *)B_TRUE, tx); 1939*eda14cbcSMatt Macy 1940*eda14cbcSMatt Macy /* 1941*eda14cbcSMatt Macy * If we inherited the wrapping key we release our reference now. 1942*eda14cbcSMatt Macy * Otherwise, this is a new key and we need to load it into the 1943*eda14cbcSMatt Macy * keystore. 1944*eda14cbcSMatt Macy */ 1945*eda14cbcSMatt Macy if (dcp->cp_wkey == NULL) { 1946*eda14cbcSMatt Macy dsl_wrapping_key_rele(wkey, FTAG); 1947*eda14cbcSMatt Macy } else { 1948*eda14cbcSMatt Macy VERIFY0(spa_keystore_load_wkey_impl(dp->dp_spa, wkey)); 1949*eda14cbcSMatt Macy } 1950*eda14cbcSMatt Macy } 1951*eda14cbcSMatt Macy 1952*eda14cbcSMatt Macy typedef struct dsl_crypto_recv_key_arg { 1953*eda14cbcSMatt Macy uint64_t dcrka_dsobj; 1954*eda14cbcSMatt Macy uint64_t dcrka_fromobj; 1955*eda14cbcSMatt Macy dmu_objset_type_t dcrka_ostype; 1956*eda14cbcSMatt Macy nvlist_t *dcrka_nvl; 1957*eda14cbcSMatt Macy boolean_t dcrka_do_key; 1958*eda14cbcSMatt Macy } dsl_crypto_recv_key_arg_t; 1959*eda14cbcSMatt Macy 1960*eda14cbcSMatt Macy static int 1961*eda14cbcSMatt Macy dsl_crypto_recv_raw_objset_check(dsl_dataset_t *ds, dsl_dataset_t *fromds, 1962*eda14cbcSMatt Macy dmu_objset_type_t ostype, nvlist_t *nvl, dmu_tx_t *tx) 1963*eda14cbcSMatt Macy { 1964*eda14cbcSMatt Macy int ret; 1965*eda14cbcSMatt Macy objset_t *os; 1966*eda14cbcSMatt Macy dnode_t *mdn; 1967*eda14cbcSMatt Macy uint8_t *buf = NULL; 1968*eda14cbcSMatt Macy uint_t len; 1969*eda14cbcSMatt Macy uint64_t intval, nlevels, blksz, ibs; 1970*eda14cbcSMatt Macy uint64_t nblkptr, maxblkid; 1971*eda14cbcSMatt Macy 1972*eda14cbcSMatt Macy if (ostype != DMU_OST_ZFS && ostype != DMU_OST_ZVOL) 1973*eda14cbcSMatt Macy return (SET_ERROR(EINVAL)); 1974*eda14cbcSMatt Macy 1975*eda14cbcSMatt Macy /* raw receives also need info about the structure of the metadnode */ 1976*eda14cbcSMatt Macy ret = nvlist_lookup_uint64(nvl, "mdn_compress", &intval); 1977*eda14cbcSMatt Macy if (ret != 0 || intval >= ZIO_COMPRESS_LEGACY_FUNCTIONS) 1978*eda14cbcSMatt Macy return (SET_ERROR(EINVAL)); 1979*eda14cbcSMatt Macy 1980*eda14cbcSMatt Macy ret = nvlist_lookup_uint64(nvl, "mdn_checksum", &intval); 1981*eda14cbcSMatt Macy if (ret != 0 || intval >= ZIO_CHECKSUM_LEGACY_FUNCTIONS) 1982*eda14cbcSMatt Macy return (SET_ERROR(EINVAL)); 1983*eda14cbcSMatt Macy 1984*eda14cbcSMatt Macy ret = nvlist_lookup_uint64(nvl, "mdn_nlevels", &nlevels); 1985*eda14cbcSMatt Macy if (ret != 0 || nlevels > DN_MAX_LEVELS) 1986*eda14cbcSMatt Macy return (SET_ERROR(EINVAL)); 1987*eda14cbcSMatt Macy 1988*eda14cbcSMatt Macy ret = nvlist_lookup_uint64(nvl, "mdn_blksz", &blksz); 1989*eda14cbcSMatt Macy if (ret != 0 || blksz < SPA_MINBLOCKSIZE) 1990*eda14cbcSMatt Macy return (SET_ERROR(EINVAL)); 1991*eda14cbcSMatt Macy else if (blksz > spa_maxblocksize(tx->tx_pool->dp_spa)) 1992*eda14cbcSMatt Macy return (SET_ERROR(ENOTSUP)); 1993*eda14cbcSMatt Macy 1994*eda14cbcSMatt Macy ret = nvlist_lookup_uint64(nvl, "mdn_indblkshift", &ibs); 1995*eda14cbcSMatt Macy if (ret != 0 || ibs < DN_MIN_INDBLKSHIFT || ibs > DN_MAX_INDBLKSHIFT) 1996*eda14cbcSMatt Macy return (SET_ERROR(ENOTSUP)); 1997*eda14cbcSMatt Macy 1998*eda14cbcSMatt Macy ret = nvlist_lookup_uint64(nvl, "mdn_nblkptr", &nblkptr); 1999*eda14cbcSMatt Macy if (ret != 0 || nblkptr != DN_MAX_NBLKPTR) 2000*eda14cbcSMatt Macy return (SET_ERROR(ENOTSUP)); 2001*eda14cbcSMatt Macy 2002*eda14cbcSMatt Macy ret = nvlist_lookup_uint64(nvl, "mdn_maxblkid", &maxblkid); 2003*eda14cbcSMatt Macy if (ret != 0) 2004*eda14cbcSMatt Macy return (SET_ERROR(EINVAL)); 2005*eda14cbcSMatt Macy 2006*eda14cbcSMatt Macy ret = nvlist_lookup_uint8_array(nvl, "portable_mac", &buf, &len); 2007*eda14cbcSMatt Macy if (ret != 0 || len != ZIO_OBJSET_MAC_LEN) 2008*eda14cbcSMatt Macy return (SET_ERROR(EINVAL)); 2009*eda14cbcSMatt Macy 2010*eda14cbcSMatt Macy ret = dmu_objset_from_ds(ds, &os); 2011*eda14cbcSMatt Macy if (ret != 0) 2012*eda14cbcSMatt Macy return (ret); 2013*eda14cbcSMatt Macy 2014*eda14cbcSMatt Macy /* 2015*eda14cbcSMatt Macy * Useraccounting is not portable and must be done with the keys loaded. 2016*eda14cbcSMatt Macy * Therefore, whenever we do any kind of receive the useraccounting 2017*eda14cbcSMatt Macy * must not be present. 2018*eda14cbcSMatt Macy */ 2019*eda14cbcSMatt Macy ASSERT0(os->os_flags & OBJSET_FLAG_USERACCOUNTING_COMPLETE); 2020*eda14cbcSMatt Macy ASSERT0(os->os_flags & OBJSET_FLAG_USEROBJACCOUNTING_COMPLETE); 2021*eda14cbcSMatt Macy 2022*eda14cbcSMatt Macy mdn = DMU_META_DNODE(os); 2023*eda14cbcSMatt Macy 2024*eda14cbcSMatt Macy /* 2025*eda14cbcSMatt Macy * If we already created the objset, make sure its unchangeable 2026*eda14cbcSMatt Macy * properties match the ones received in the nvlist. 2027*eda14cbcSMatt Macy */ 2028*eda14cbcSMatt Macy rrw_enter(&ds->ds_bp_rwlock, RW_READER, FTAG); 2029*eda14cbcSMatt Macy if (!BP_IS_HOLE(dsl_dataset_get_blkptr(ds)) && 2030*eda14cbcSMatt Macy (mdn->dn_nlevels != nlevels || mdn->dn_datablksz != blksz || 2031*eda14cbcSMatt Macy mdn->dn_indblkshift != ibs || mdn->dn_nblkptr != nblkptr)) { 2032*eda14cbcSMatt Macy rrw_exit(&ds->ds_bp_rwlock, FTAG); 2033*eda14cbcSMatt Macy return (SET_ERROR(EINVAL)); 2034*eda14cbcSMatt Macy } 2035*eda14cbcSMatt Macy rrw_exit(&ds->ds_bp_rwlock, FTAG); 2036*eda14cbcSMatt Macy 2037*eda14cbcSMatt Macy /* 2038*eda14cbcSMatt Macy * Check that the ivset guid of the fromds matches the one from the 2039*eda14cbcSMatt Macy * send stream. Older versions of the encryption code did not have 2040*eda14cbcSMatt Macy * an ivset guid on the from dataset and did not send one in the 2041*eda14cbcSMatt Macy * stream. For these streams we provide the 2042*eda14cbcSMatt Macy * zfs_disable_ivset_guid_check tunable to allow these datasets to 2043*eda14cbcSMatt Macy * be received with a generated ivset guid. 2044*eda14cbcSMatt Macy */ 2045*eda14cbcSMatt Macy if (fromds != NULL && !zfs_disable_ivset_guid_check) { 2046*eda14cbcSMatt Macy uint64_t from_ivset_guid = 0; 2047*eda14cbcSMatt Macy intval = 0; 2048*eda14cbcSMatt Macy 2049*eda14cbcSMatt Macy (void) nvlist_lookup_uint64(nvl, "from_ivset_guid", &intval); 2050*eda14cbcSMatt Macy (void) zap_lookup(tx->tx_pool->dp_meta_objset, 2051*eda14cbcSMatt Macy fromds->ds_object, DS_FIELD_IVSET_GUID, 2052*eda14cbcSMatt Macy sizeof (from_ivset_guid), 1, &from_ivset_guid); 2053*eda14cbcSMatt Macy 2054*eda14cbcSMatt Macy if (intval == 0 || from_ivset_guid == 0) 2055*eda14cbcSMatt Macy return (SET_ERROR(ZFS_ERR_FROM_IVSET_GUID_MISSING)); 2056*eda14cbcSMatt Macy 2057*eda14cbcSMatt Macy if (intval != from_ivset_guid) 2058*eda14cbcSMatt Macy return (SET_ERROR(ZFS_ERR_FROM_IVSET_GUID_MISMATCH)); 2059*eda14cbcSMatt Macy } 2060*eda14cbcSMatt Macy 2061*eda14cbcSMatt Macy return (0); 2062*eda14cbcSMatt Macy } 2063*eda14cbcSMatt Macy 2064*eda14cbcSMatt Macy static void 2065*eda14cbcSMatt Macy dsl_crypto_recv_raw_objset_sync(dsl_dataset_t *ds, dmu_objset_type_t ostype, 2066*eda14cbcSMatt Macy nvlist_t *nvl, dmu_tx_t *tx) 2067*eda14cbcSMatt Macy { 2068*eda14cbcSMatt Macy dsl_pool_t *dp = tx->tx_pool; 2069*eda14cbcSMatt Macy objset_t *os; 2070*eda14cbcSMatt Macy dnode_t *mdn; 2071*eda14cbcSMatt Macy zio_t *zio; 2072*eda14cbcSMatt Macy uint8_t *portable_mac; 2073*eda14cbcSMatt Macy uint_t len; 2074*eda14cbcSMatt Macy uint64_t compress, checksum, nlevels, blksz, ibs, maxblkid; 2075*eda14cbcSMatt Macy boolean_t newds = B_FALSE; 2076*eda14cbcSMatt Macy 2077*eda14cbcSMatt Macy VERIFY0(dmu_objset_from_ds(ds, &os)); 2078*eda14cbcSMatt Macy mdn = DMU_META_DNODE(os); 2079*eda14cbcSMatt Macy 2080*eda14cbcSMatt Macy /* 2081*eda14cbcSMatt Macy * Fetch the values we need from the nvlist. "to_ivset_guid" must 2082*eda14cbcSMatt Macy * be set on the snapshot, which doesn't exist yet. The receive 2083*eda14cbcSMatt Macy * code will take care of this for us later. 2084*eda14cbcSMatt Macy */ 2085*eda14cbcSMatt Macy compress = fnvlist_lookup_uint64(nvl, "mdn_compress"); 2086*eda14cbcSMatt Macy checksum = fnvlist_lookup_uint64(nvl, "mdn_checksum"); 2087*eda14cbcSMatt Macy nlevels = fnvlist_lookup_uint64(nvl, "mdn_nlevels"); 2088*eda14cbcSMatt Macy blksz = fnvlist_lookup_uint64(nvl, "mdn_blksz"); 2089*eda14cbcSMatt Macy ibs = fnvlist_lookup_uint64(nvl, "mdn_indblkshift"); 2090*eda14cbcSMatt Macy maxblkid = fnvlist_lookup_uint64(nvl, "mdn_maxblkid"); 2091*eda14cbcSMatt Macy VERIFY0(nvlist_lookup_uint8_array(nvl, "portable_mac", &portable_mac, 2092*eda14cbcSMatt Macy &len)); 2093*eda14cbcSMatt Macy 2094*eda14cbcSMatt Macy /* if we haven't created an objset for the ds yet, do that now */ 2095*eda14cbcSMatt Macy rrw_enter(&ds->ds_bp_rwlock, RW_READER, FTAG); 2096*eda14cbcSMatt Macy if (BP_IS_HOLE(dsl_dataset_get_blkptr(ds))) { 2097*eda14cbcSMatt Macy (void) dmu_objset_create_impl_dnstats(dp->dp_spa, ds, 2098*eda14cbcSMatt Macy dsl_dataset_get_blkptr(ds), ostype, nlevels, blksz, 2099*eda14cbcSMatt Macy ibs, tx); 2100*eda14cbcSMatt Macy newds = B_TRUE; 2101*eda14cbcSMatt Macy } 2102*eda14cbcSMatt Macy rrw_exit(&ds->ds_bp_rwlock, FTAG); 2103*eda14cbcSMatt Macy 2104*eda14cbcSMatt Macy /* 2105*eda14cbcSMatt Macy * Set the portable MAC. The local MAC will always be zero since the 2106*eda14cbcSMatt Macy * incoming data will all be portable and user accounting will be 2107*eda14cbcSMatt Macy * deferred until the next mount. Afterwards, flag the os to be 2108*eda14cbcSMatt Macy * written out raw next time. 2109*eda14cbcSMatt Macy */ 2110*eda14cbcSMatt Macy arc_release(os->os_phys_buf, &os->os_phys_buf); 2111*eda14cbcSMatt Macy bcopy(portable_mac, os->os_phys->os_portable_mac, ZIO_OBJSET_MAC_LEN); 2112*eda14cbcSMatt Macy bzero(os->os_phys->os_local_mac, ZIO_OBJSET_MAC_LEN); 2113*eda14cbcSMatt Macy os->os_next_write_raw[tx->tx_txg & TXG_MASK] = B_TRUE; 2114*eda14cbcSMatt Macy 2115*eda14cbcSMatt Macy /* set metadnode compression and checksum */ 2116*eda14cbcSMatt Macy mdn->dn_compress = compress; 2117*eda14cbcSMatt Macy mdn->dn_checksum = checksum; 2118*eda14cbcSMatt Macy 2119*eda14cbcSMatt Macy rw_enter(&mdn->dn_struct_rwlock, RW_WRITER); 2120*eda14cbcSMatt Macy dnode_new_blkid(mdn, maxblkid, tx, B_FALSE, B_TRUE); 2121*eda14cbcSMatt Macy rw_exit(&mdn->dn_struct_rwlock); 2122*eda14cbcSMatt Macy 2123*eda14cbcSMatt Macy /* 2124*eda14cbcSMatt Macy * We can't normally dirty the dataset in syncing context unless 2125*eda14cbcSMatt Macy * we are creating a new dataset. In this case, we perform a 2126*eda14cbcSMatt Macy * pseudo txg sync here instead. 2127*eda14cbcSMatt Macy */ 2128*eda14cbcSMatt Macy if (newds) { 2129*eda14cbcSMatt Macy dsl_dataset_dirty(ds, tx); 2130*eda14cbcSMatt Macy } else { 2131*eda14cbcSMatt Macy zio = zio_root(dp->dp_spa, NULL, NULL, ZIO_FLAG_MUSTSUCCEED); 2132*eda14cbcSMatt Macy dsl_dataset_sync(ds, zio, tx); 2133*eda14cbcSMatt Macy VERIFY0(zio_wait(zio)); 2134*eda14cbcSMatt Macy 2135*eda14cbcSMatt Macy /* dsl_dataset_sync_done will drop this reference. */ 2136*eda14cbcSMatt Macy dmu_buf_add_ref(ds->ds_dbuf, ds); 2137*eda14cbcSMatt Macy dsl_dataset_sync_done(ds, tx); 2138*eda14cbcSMatt Macy } 2139*eda14cbcSMatt Macy } 2140*eda14cbcSMatt Macy 2141*eda14cbcSMatt Macy int 2142*eda14cbcSMatt Macy dsl_crypto_recv_raw_key_check(dsl_dataset_t *ds, nvlist_t *nvl, dmu_tx_t *tx) 2143*eda14cbcSMatt Macy { 2144*eda14cbcSMatt Macy int ret; 2145*eda14cbcSMatt Macy objset_t *mos = tx->tx_pool->dp_meta_objset; 2146*eda14cbcSMatt Macy uint8_t *buf = NULL; 2147*eda14cbcSMatt Macy uint_t len; 2148*eda14cbcSMatt Macy uint64_t intval, key_guid, version; 2149*eda14cbcSMatt Macy boolean_t is_passphrase = B_FALSE; 2150*eda14cbcSMatt Macy 2151*eda14cbcSMatt Macy ASSERT(dsl_dataset_phys(ds)->ds_flags & DS_FLAG_INCONSISTENT); 2152*eda14cbcSMatt Macy 2153*eda14cbcSMatt Macy /* 2154*eda14cbcSMatt Macy * Read and check all the encryption values from the nvlist. We need 2155*eda14cbcSMatt Macy * all of the fields of a DSL Crypto Key, as well as a fully specified 2156*eda14cbcSMatt Macy * wrapping key. 2157*eda14cbcSMatt Macy */ 2158*eda14cbcSMatt Macy ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE, &intval); 2159*eda14cbcSMatt Macy if (ret != 0 || intval >= ZIO_CRYPT_FUNCTIONS || 2160*eda14cbcSMatt Macy intval <= ZIO_CRYPT_OFF) 2161*eda14cbcSMatt Macy return (SET_ERROR(EINVAL)); 2162*eda14cbcSMatt Macy 2163*eda14cbcSMatt Macy ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_GUID, &intval); 2164*eda14cbcSMatt Macy if (ret != 0) 2165*eda14cbcSMatt Macy return (SET_ERROR(EINVAL)); 2166*eda14cbcSMatt Macy 2167*eda14cbcSMatt Macy /* 2168*eda14cbcSMatt Macy * If this is an incremental receive make sure the given key guid 2169*eda14cbcSMatt Macy * matches the one we already have. 2170*eda14cbcSMatt Macy */ 2171*eda14cbcSMatt Macy if (ds->ds_dir->dd_crypto_obj != 0) { 2172*eda14cbcSMatt Macy ret = zap_lookup(mos, ds->ds_dir->dd_crypto_obj, 2173*eda14cbcSMatt Macy DSL_CRYPTO_KEY_GUID, 8, 1, &key_guid); 2174*eda14cbcSMatt Macy if (ret != 0) 2175*eda14cbcSMatt Macy return (ret); 2176*eda14cbcSMatt Macy if (intval != key_guid) 2177*eda14cbcSMatt Macy return (SET_ERROR(EACCES)); 2178*eda14cbcSMatt Macy } 2179*eda14cbcSMatt Macy 2180*eda14cbcSMatt Macy ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY, 2181*eda14cbcSMatt Macy &buf, &len); 2182*eda14cbcSMatt Macy if (ret != 0 || len != MASTER_KEY_MAX_LEN) 2183*eda14cbcSMatt Macy return (SET_ERROR(EINVAL)); 2184*eda14cbcSMatt Macy 2185*eda14cbcSMatt Macy ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY, 2186*eda14cbcSMatt Macy &buf, &len); 2187*eda14cbcSMatt Macy if (ret != 0 || len != SHA512_HMAC_KEYLEN) 2188*eda14cbcSMatt Macy return (SET_ERROR(EINVAL)); 2189*eda14cbcSMatt Macy 2190*eda14cbcSMatt Macy ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_IV, &buf, &len); 2191*eda14cbcSMatt Macy if (ret != 0 || len != WRAPPING_IV_LEN) 2192*eda14cbcSMatt Macy return (SET_ERROR(EINVAL)); 2193*eda14cbcSMatt Macy 2194*eda14cbcSMatt Macy ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, &buf, &len); 2195*eda14cbcSMatt Macy if (ret != 0 || len != WRAPPING_MAC_LEN) 2196*eda14cbcSMatt Macy return (SET_ERROR(EINVAL)); 2197*eda14cbcSMatt Macy 2198*eda14cbcSMatt Macy /* 2199*eda14cbcSMatt Macy * We don't support receiving old on-disk formats. The version 0 2200*eda14cbcSMatt Macy * implementation protected several fields in an objset that were 2201*eda14cbcSMatt Macy * not always portable during a raw receive. As a result, we call 2202*eda14cbcSMatt Macy * the old version an on-disk errata #3. 2203*eda14cbcSMatt Macy */ 2204*eda14cbcSMatt Macy ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_VERSION, &version); 2205*eda14cbcSMatt Macy if (ret != 0 || version != ZIO_CRYPT_KEY_CURRENT_VERSION) 2206*eda14cbcSMatt Macy return (SET_ERROR(ENOTSUP)); 2207*eda14cbcSMatt Macy 2208*eda14cbcSMatt Macy ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 2209*eda14cbcSMatt Macy &intval); 2210*eda14cbcSMatt Macy if (ret != 0 || intval >= ZFS_KEYFORMAT_FORMATS || 2211*eda14cbcSMatt Macy intval == ZFS_KEYFORMAT_NONE) 2212*eda14cbcSMatt Macy return (SET_ERROR(EINVAL)); 2213*eda14cbcSMatt Macy 2214*eda14cbcSMatt Macy is_passphrase = (intval == ZFS_KEYFORMAT_PASSPHRASE); 2215*eda14cbcSMatt Macy 2216*eda14cbcSMatt Macy /* 2217*eda14cbcSMatt Macy * for raw receives we allow any number of pbkdf2iters since there 2218*eda14cbcSMatt Macy * won't be a chance for the user to change it. 2219*eda14cbcSMatt Macy */ 2220*eda14cbcSMatt Macy ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 2221*eda14cbcSMatt Macy &intval); 2222*eda14cbcSMatt Macy if (ret != 0 || (is_passphrase == (intval == 0))) 2223*eda14cbcSMatt Macy return (SET_ERROR(EINVAL)); 2224*eda14cbcSMatt Macy 2225*eda14cbcSMatt Macy ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 2226*eda14cbcSMatt Macy &intval); 2227*eda14cbcSMatt Macy if (ret != 0 || (is_passphrase == (intval == 0))) 2228*eda14cbcSMatt Macy return (SET_ERROR(EINVAL)); 2229*eda14cbcSMatt Macy 2230*eda14cbcSMatt Macy return (0); 2231*eda14cbcSMatt Macy } 2232*eda14cbcSMatt Macy 2233*eda14cbcSMatt Macy void 2234*eda14cbcSMatt Macy dsl_crypto_recv_raw_key_sync(dsl_dataset_t *ds, nvlist_t *nvl, dmu_tx_t *tx) 2235*eda14cbcSMatt Macy { 2236*eda14cbcSMatt Macy dsl_pool_t *dp = tx->tx_pool; 2237*eda14cbcSMatt Macy objset_t *mos = dp->dp_meta_objset; 2238*eda14cbcSMatt Macy dsl_dir_t *dd = ds->ds_dir; 2239*eda14cbcSMatt Macy uint_t len; 2240*eda14cbcSMatt Macy uint64_t rddobj, one = 1; 2241*eda14cbcSMatt Macy uint8_t *keydata, *hmac_keydata, *iv, *mac; 2242*eda14cbcSMatt Macy uint64_t crypt, key_guid, keyformat, iters, salt; 2243*eda14cbcSMatt Macy uint64_t version = ZIO_CRYPT_KEY_CURRENT_VERSION; 2244*eda14cbcSMatt Macy char *keylocation = "prompt"; 2245*eda14cbcSMatt Macy 2246*eda14cbcSMatt Macy /* lookup the values we need to create the DSL Crypto Key */ 2247*eda14cbcSMatt Macy crypt = fnvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE); 2248*eda14cbcSMatt Macy key_guid = fnvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_GUID); 2249*eda14cbcSMatt Macy keyformat = fnvlist_lookup_uint64(nvl, 2250*eda14cbcSMatt Macy zfs_prop_to_name(ZFS_PROP_KEYFORMAT)); 2251*eda14cbcSMatt Macy iters = fnvlist_lookup_uint64(nvl, 2252*eda14cbcSMatt Macy zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS)); 2253*eda14cbcSMatt Macy salt = fnvlist_lookup_uint64(nvl, 2254*eda14cbcSMatt Macy zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT)); 2255*eda14cbcSMatt Macy VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY, 2256*eda14cbcSMatt Macy &keydata, &len)); 2257*eda14cbcSMatt Macy VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY, 2258*eda14cbcSMatt Macy &hmac_keydata, &len)); 2259*eda14cbcSMatt Macy VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_IV, &iv, &len)); 2260*eda14cbcSMatt Macy VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, &mac, &len)); 2261*eda14cbcSMatt Macy 2262*eda14cbcSMatt Macy /* if this is a new dataset setup the DSL Crypto Key. */ 2263*eda14cbcSMatt Macy if (dd->dd_crypto_obj == 0) { 2264*eda14cbcSMatt Macy /* zapify the dsl dir so we can add the key object to it */ 2265*eda14cbcSMatt Macy dmu_buf_will_dirty(dd->dd_dbuf, tx); 2266*eda14cbcSMatt Macy dsl_dir_zapify(dd, tx); 2267*eda14cbcSMatt Macy 2268*eda14cbcSMatt Macy /* create the DSL Crypto Key on disk and activate the feature */ 2269*eda14cbcSMatt Macy dd->dd_crypto_obj = zap_create(mos, 2270*eda14cbcSMatt Macy DMU_OTN_ZAP_METADATA, DMU_OT_NONE, 0, tx); 2271*eda14cbcSMatt Macy VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, 2272*eda14cbcSMatt Macy dd->dd_crypto_obj, DSL_CRYPTO_KEY_REFCOUNT, 2273*eda14cbcSMatt Macy sizeof (uint64_t), 1, &one, tx)); 2274*eda14cbcSMatt Macy VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, 2275*eda14cbcSMatt Macy dd->dd_crypto_obj, DSL_CRYPTO_KEY_VERSION, 2276*eda14cbcSMatt Macy sizeof (uint64_t), 1, &version, tx)); 2277*eda14cbcSMatt Macy 2278*eda14cbcSMatt Macy dsl_dataset_activate_feature(ds->ds_object, 2279*eda14cbcSMatt Macy SPA_FEATURE_ENCRYPTION, (void *)B_TRUE, tx); 2280*eda14cbcSMatt Macy ds->ds_feature[SPA_FEATURE_ENCRYPTION] = (void *)B_TRUE; 2281*eda14cbcSMatt Macy 2282*eda14cbcSMatt Macy /* save the dd_crypto_obj on disk */ 2283*eda14cbcSMatt Macy VERIFY0(zap_add(mos, dd->dd_object, DD_FIELD_CRYPTO_KEY_OBJ, 2284*eda14cbcSMatt Macy sizeof (uint64_t), 1, &dd->dd_crypto_obj, tx)); 2285*eda14cbcSMatt Macy 2286*eda14cbcSMatt Macy /* 2287*eda14cbcSMatt Macy * Set the keylocation to prompt by default. If keylocation 2288*eda14cbcSMatt Macy * has been provided via the properties, this will be overridden 2289*eda14cbcSMatt Macy * later. 2290*eda14cbcSMatt Macy */ 2291*eda14cbcSMatt Macy dsl_prop_set_sync_impl(ds, 2292*eda14cbcSMatt Macy zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 2293*eda14cbcSMatt Macy ZPROP_SRC_LOCAL, 1, strlen(keylocation) + 1, 2294*eda14cbcSMatt Macy keylocation, tx); 2295*eda14cbcSMatt Macy 2296*eda14cbcSMatt Macy rddobj = dd->dd_object; 2297*eda14cbcSMatt Macy } else { 2298*eda14cbcSMatt Macy VERIFY0(dsl_dir_get_encryption_root_ddobj(dd, &rddobj)); 2299*eda14cbcSMatt Macy } 2300*eda14cbcSMatt Macy 2301*eda14cbcSMatt Macy /* sync the key data to the ZAP object on disk */ 2302*eda14cbcSMatt Macy dsl_crypto_key_sync_impl(mos, dd->dd_crypto_obj, crypt, 2303*eda14cbcSMatt Macy rddobj, key_guid, iv, mac, keydata, hmac_keydata, keyformat, salt, 2304*eda14cbcSMatt Macy iters, tx); 2305*eda14cbcSMatt Macy } 2306*eda14cbcSMatt Macy 2307*eda14cbcSMatt Macy static int 2308*eda14cbcSMatt Macy dsl_crypto_recv_key_check(void *arg, dmu_tx_t *tx) 2309*eda14cbcSMatt Macy { 2310*eda14cbcSMatt Macy int ret; 2311*eda14cbcSMatt Macy dsl_crypto_recv_key_arg_t *dcrka = arg; 2312*eda14cbcSMatt Macy dsl_dataset_t *ds = NULL, *fromds = NULL; 2313*eda14cbcSMatt Macy 2314*eda14cbcSMatt Macy ret = dsl_dataset_hold_obj(tx->tx_pool, dcrka->dcrka_dsobj, 2315*eda14cbcSMatt Macy FTAG, &ds); 2316*eda14cbcSMatt Macy if (ret != 0) 2317*eda14cbcSMatt Macy goto out; 2318*eda14cbcSMatt Macy 2319*eda14cbcSMatt Macy if (dcrka->dcrka_fromobj != 0) { 2320*eda14cbcSMatt Macy ret = dsl_dataset_hold_obj(tx->tx_pool, dcrka->dcrka_fromobj, 2321*eda14cbcSMatt Macy FTAG, &fromds); 2322*eda14cbcSMatt Macy if (ret != 0) 2323*eda14cbcSMatt Macy goto out; 2324*eda14cbcSMatt Macy } 2325*eda14cbcSMatt Macy 2326*eda14cbcSMatt Macy ret = dsl_crypto_recv_raw_objset_check(ds, fromds, 2327*eda14cbcSMatt Macy dcrka->dcrka_ostype, dcrka->dcrka_nvl, tx); 2328*eda14cbcSMatt Macy if (ret != 0) 2329*eda14cbcSMatt Macy goto out; 2330*eda14cbcSMatt Macy 2331*eda14cbcSMatt Macy /* 2332*eda14cbcSMatt Macy * We run this check even if we won't be doing this part of 2333*eda14cbcSMatt Macy * the receive now so that we don't make the user wait until 2334*eda14cbcSMatt Macy * the receive finishes to fail. 2335*eda14cbcSMatt Macy */ 2336*eda14cbcSMatt Macy ret = dsl_crypto_recv_raw_key_check(ds, dcrka->dcrka_nvl, tx); 2337*eda14cbcSMatt Macy if (ret != 0) 2338*eda14cbcSMatt Macy goto out; 2339*eda14cbcSMatt Macy 2340*eda14cbcSMatt Macy out: 2341*eda14cbcSMatt Macy if (ds != NULL) 2342*eda14cbcSMatt Macy dsl_dataset_rele(ds, FTAG); 2343*eda14cbcSMatt Macy if (fromds != NULL) 2344*eda14cbcSMatt Macy dsl_dataset_rele(fromds, FTAG); 2345*eda14cbcSMatt Macy return (ret); 2346*eda14cbcSMatt Macy } 2347*eda14cbcSMatt Macy 2348*eda14cbcSMatt Macy static void 2349*eda14cbcSMatt Macy dsl_crypto_recv_key_sync(void *arg, dmu_tx_t *tx) 2350*eda14cbcSMatt Macy { 2351*eda14cbcSMatt Macy dsl_crypto_recv_key_arg_t *dcrka = arg; 2352*eda14cbcSMatt Macy dsl_dataset_t *ds; 2353*eda14cbcSMatt Macy 2354*eda14cbcSMatt Macy VERIFY0(dsl_dataset_hold_obj(tx->tx_pool, dcrka->dcrka_dsobj, 2355*eda14cbcSMatt Macy FTAG, &ds)); 2356*eda14cbcSMatt Macy dsl_crypto_recv_raw_objset_sync(ds, dcrka->dcrka_ostype, 2357*eda14cbcSMatt Macy dcrka->dcrka_nvl, tx); 2358*eda14cbcSMatt Macy if (dcrka->dcrka_do_key) 2359*eda14cbcSMatt Macy dsl_crypto_recv_raw_key_sync(ds, dcrka->dcrka_nvl, tx); 2360*eda14cbcSMatt Macy dsl_dataset_rele(ds, FTAG); 2361*eda14cbcSMatt Macy } 2362*eda14cbcSMatt Macy 2363*eda14cbcSMatt Macy /* 2364*eda14cbcSMatt Macy * This function is used to sync an nvlist representing a DSL Crypto Key and 2365*eda14cbcSMatt Macy * the associated encryption parameters. The key will be written exactly as is 2366*eda14cbcSMatt Macy * without wrapping it. 2367*eda14cbcSMatt Macy */ 2368*eda14cbcSMatt Macy int 2369*eda14cbcSMatt Macy dsl_crypto_recv_raw(const char *poolname, uint64_t dsobj, uint64_t fromobj, 2370*eda14cbcSMatt Macy dmu_objset_type_t ostype, nvlist_t *nvl, boolean_t do_key) 2371*eda14cbcSMatt Macy { 2372*eda14cbcSMatt Macy dsl_crypto_recv_key_arg_t dcrka; 2373*eda14cbcSMatt Macy 2374*eda14cbcSMatt Macy dcrka.dcrka_dsobj = dsobj; 2375*eda14cbcSMatt Macy dcrka.dcrka_fromobj = fromobj; 2376*eda14cbcSMatt Macy dcrka.dcrka_ostype = ostype; 2377*eda14cbcSMatt Macy dcrka.dcrka_nvl = nvl; 2378*eda14cbcSMatt Macy dcrka.dcrka_do_key = do_key; 2379*eda14cbcSMatt Macy 2380*eda14cbcSMatt Macy return (dsl_sync_task(poolname, dsl_crypto_recv_key_check, 2381*eda14cbcSMatt Macy dsl_crypto_recv_key_sync, &dcrka, 1, ZFS_SPACE_CHECK_NORMAL)); 2382*eda14cbcSMatt Macy } 2383*eda14cbcSMatt Macy 2384*eda14cbcSMatt Macy int 2385*eda14cbcSMatt Macy dsl_crypto_populate_key_nvlist(objset_t *os, uint64_t from_ivset_guid, 2386*eda14cbcSMatt Macy nvlist_t **nvl_out) 2387*eda14cbcSMatt Macy { 2388*eda14cbcSMatt Macy int ret; 2389*eda14cbcSMatt Macy dsl_dataset_t *ds = os->os_dsl_dataset; 2390*eda14cbcSMatt Macy dnode_t *mdn; 2391*eda14cbcSMatt Macy uint64_t rddobj; 2392*eda14cbcSMatt Macy nvlist_t *nvl = NULL; 2393*eda14cbcSMatt Macy uint64_t dckobj = ds->ds_dir->dd_crypto_obj; 2394*eda14cbcSMatt Macy dsl_dir_t *rdd = NULL; 2395*eda14cbcSMatt Macy dsl_pool_t *dp = ds->ds_dir->dd_pool; 2396*eda14cbcSMatt Macy objset_t *mos = dp->dp_meta_objset; 2397*eda14cbcSMatt Macy uint64_t crypt = 0, key_guid = 0, format = 0; 2398*eda14cbcSMatt Macy uint64_t iters = 0, salt = 0, version = 0; 2399*eda14cbcSMatt Macy uint64_t to_ivset_guid = 0; 2400*eda14cbcSMatt Macy uint8_t raw_keydata[MASTER_KEY_MAX_LEN]; 2401*eda14cbcSMatt Macy uint8_t raw_hmac_keydata[SHA512_HMAC_KEYLEN]; 2402*eda14cbcSMatt Macy uint8_t iv[WRAPPING_IV_LEN]; 2403*eda14cbcSMatt Macy uint8_t mac[WRAPPING_MAC_LEN]; 2404*eda14cbcSMatt Macy 2405*eda14cbcSMatt Macy ASSERT(dckobj != 0); 2406*eda14cbcSMatt Macy 2407*eda14cbcSMatt Macy mdn = DMU_META_DNODE(os); 2408*eda14cbcSMatt Macy 2409*eda14cbcSMatt Macy nvl = fnvlist_alloc(); 2410*eda14cbcSMatt Macy 2411*eda14cbcSMatt Macy /* lookup values from the DSL Crypto Key */ 2412*eda14cbcSMatt Macy ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, 2413*eda14cbcSMatt Macy &crypt); 2414*eda14cbcSMatt Macy if (ret != 0) 2415*eda14cbcSMatt Macy goto error; 2416*eda14cbcSMatt Macy 2417*eda14cbcSMatt Macy ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_GUID, 8, 1, &key_guid); 2418*eda14cbcSMatt Macy if (ret != 0) 2419*eda14cbcSMatt Macy goto error; 2420*eda14cbcSMatt Macy 2421*eda14cbcSMatt Macy ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MASTER_KEY, 1, 2422*eda14cbcSMatt Macy MASTER_KEY_MAX_LEN, raw_keydata); 2423*eda14cbcSMatt Macy if (ret != 0) 2424*eda14cbcSMatt Macy goto error; 2425*eda14cbcSMatt Macy 2426*eda14cbcSMatt Macy ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_HMAC_KEY, 1, 2427*eda14cbcSMatt Macy SHA512_HMAC_KEYLEN, raw_hmac_keydata); 2428*eda14cbcSMatt Macy if (ret != 0) 2429*eda14cbcSMatt Macy goto error; 2430*eda14cbcSMatt Macy 2431*eda14cbcSMatt Macy ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_IV, 1, WRAPPING_IV_LEN, 2432*eda14cbcSMatt Macy iv); 2433*eda14cbcSMatt Macy if (ret != 0) 2434*eda14cbcSMatt Macy goto error; 2435*eda14cbcSMatt Macy 2436*eda14cbcSMatt Macy ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MAC, 1, WRAPPING_MAC_LEN, 2437*eda14cbcSMatt Macy mac); 2438*eda14cbcSMatt Macy if (ret != 0) 2439*eda14cbcSMatt Macy goto error; 2440*eda14cbcSMatt Macy 2441*eda14cbcSMatt Macy /* see zfs_disable_ivset_guid_check tunable for errata info */ 2442*eda14cbcSMatt Macy ret = zap_lookup(mos, ds->ds_object, DS_FIELD_IVSET_GUID, 8, 1, 2443*eda14cbcSMatt Macy &to_ivset_guid); 2444*eda14cbcSMatt Macy if (ret != 0) 2445*eda14cbcSMatt Macy ASSERT3U(dp->dp_spa->spa_errata, !=, 0); 2446*eda14cbcSMatt Macy 2447*eda14cbcSMatt Macy /* 2448*eda14cbcSMatt Macy * We don't support raw sends of legacy on-disk formats. See the 2449*eda14cbcSMatt Macy * comment in dsl_crypto_recv_key_check() for details. 2450*eda14cbcSMatt Macy */ 2451*eda14cbcSMatt Macy ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_VERSION, 8, 1, &version); 2452*eda14cbcSMatt Macy if (ret != 0 || version != ZIO_CRYPT_KEY_CURRENT_VERSION) { 2453*eda14cbcSMatt Macy dp->dp_spa->spa_errata = ZPOOL_ERRATA_ZOL_6845_ENCRYPTION; 2454*eda14cbcSMatt Macy ret = SET_ERROR(ENOTSUP); 2455*eda14cbcSMatt Macy goto error; 2456*eda14cbcSMatt Macy } 2457*eda14cbcSMatt Macy 2458*eda14cbcSMatt Macy /* 2459*eda14cbcSMatt Macy * Lookup wrapping key properties. An early version of the code did 2460*eda14cbcSMatt Macy * not correctly add these values to the wrapping key or the DSL 2461*eda14cbcSMatt Macy * Crypto Key on disk for non encryption roots, so to be safe we 2462*eda14cbcSMatt Macy * always take the slightly circuitous route of looking it up from 2463*eda14cbcSMatt Macy * the encryption root's key. 2464*eda14cbcSMatt Macy */ 2465*eda14cbcSMatt Macy ret = dsl_dir_get_encryption_root_ddobj(ds->ds_dir, &rddobj); 2466*eda14cbcSMatt Macy if (ret != 0) 2467*eda14cbcSMatt Macy goto error; 2468*eda14cbcSMatt Macy 2469*eda14cbcSMatt Macy dsl_pool_config_enter(dp, FTAG); 2470*eda14cbcSMatt Macy 2471*eda14cbcSMatt Macy ret = dsl_dir_hold_obj(dp, rddobj, NULL, FTAG, &rdd); 2472*eda14cbcSMatt Macy if (ret != 0) 2473*eda14cbcSMatt Macy goto error_unlock; 2474*eda14cbcSMatt Macy 2475*eda14cbcSMatt Macy ret = zap_lookup(dp->dp_meta_objset, rdd->dd_crypto_obj, 2476*eda14cbcSMatt Macy zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 8, 1, &format); 2477*eda14cbcSMatt Macy if (ret != 0) 2478*eda14cbcSMatt Macy goto error_unlock; 2479*eda14cbcSMatt Macy 2480*eda14cbcSMatt Macy if (format == ZFS_KEYFORMAT_PASSPHRASE) { 2481*eda14cbcSMatt Macy ret = zap_lookup(dp->dp_meta_objset, rdd->dd_crypto_obj, 2482*eda14cbcSMatt Macy zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 8, 1, &iters); 2483*eda14cbcSMatt Macy if (ret != 0) 2484*eda14cbcSMatt Macy goto error_unlock; 2485*eda14cbcSMatt Macy 2486*eda14cbcSMatt Macy ret = zap_lookup(dp->dp_meta_objset, rdd->dd_crypto_obj, 2487*eda14cbcSMatt Macy zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 8, 1, &salt); 2488*eda14cbcSMatt Macy if (ret != 0) 2489*eda14cbcSMatt Macy goto error_unlock; 2490*eda14cbcSMatt Macy } 2491*eda14cbcSMatt Macy 2492*eda14cbcSMatt Macy dsl_dir_rele(rdd, FTAG); 2493*eda14cbcSMatt Macy dsl_pool_config_exit(dp, FTAG); 2494*eda14cbcSMatt Macy 2495*eda14cbcSMatt Macy fnvlist_add_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE, crypt); 2496*eda14cbcSMatt Macy fnvlist_add_uint64(nvl, DSL_CRYPTO_KEY_GUID, key_guid); 2497*eda14cbcSMatt Macy fnvlist_add_uint64(nvl, DSL_CRYPTO_KEY_VERSION, version); 2498*eda14cbcSMatt Macy VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY, 2499*eda14cbcSMatt Macy raw_keydata, MASTER_KEY_MAX_LEN)); 2500*eda14cbcSMatt Macy VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY, 2501*eda14cbcSMatt Macy raw_hmac_keydata, SHA512_HMAC_KEYLEN)); 2502*eda14cbcSMatt Macy VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_IV, iv, 2503*eda14cbcSMatt Macy WRAPPING_IV_LEN)); 2504*eda14cbcSMatt Macy VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, mac, 2505*eda14cbcSMatt Macy WRAPPING_MAC_LEN)); 2506*eda14cbcSMatt Macy VERIFY0(nvlist_add_uint8_array(nvl, "portable_mac", 2507*eda14cbcSMatt Macy os->os_phys->os_portable_mac, ZIO_OBJSET_MAC_LEN)); 2508*eda14cbcSMatt Macy fnvlist_add_uint64(nvl, zfs_prop_to_name(ZFS_PROP_KEYFORMAT), format); 2509*eda14cbcSMatt Macy fnvlist_add_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), iters); 2510*eda14cbcSMatt Macy fnvlist_add_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), salt); 2511*eda14cbcSMatt Macy fnvlist_add_uint64(nvl, "mdn_checksum", mdn->dn_checksum); 2512*eda14cbcSMatt Macy fnvlist_add_uint64(nvl, "mdn_compress", mdn->dn_compress); 2513*eda14cbcSMatt Macy fnvlist_add_uint64(nvl, "mdn_nlevels", mdn->dn_nlevels); 2514*eda14cbcSMatt Macy fnvlist_add_uint64(nvl, "mdn_blksz", mdn->dn_datablksz); 2515*eda14cbcSMatt Macy fnvlist_add_uint64(nvl, "mdn_indblkshift", mdn->dn_indblkshift); 2516*eda14cbcSMatt Macy fnvlist_add_uint64(nvl, "mdn_nblkptr", mdn->dn_nblkptr); 2517*eda14cbcSMatt Macy fnvlist_add_uint64(nvl, "mdn_maxblkid", mdn->dn_maxblkid); 2518*eda14cbcSMatt Macy fnvlist_add_uint64(nvl, "to_ivset_guid", to_ivset_guid); 2519*eda14cbcSMatt Macy fnvlist_add_uint64(nvl, "from_ivset_guid", from_ivset_guid); 2520*eda14cbcSMatt Macy 2521*eda14cbcSMatt Macy *nvl_out = nvl; 2522*eda14cbcSMatt Macy return (0); 2523*eda14cbcSMatt Macy 2524*eda14cbcSMatt Macy error_unlock: 2525*eda14cbcSMatt Macy dsl_pool_config_exit(dp, FTAG); 2526*eda14cbcSMatt Macy error: 2527*eda14cbcSMatt Macy if (rdd != NULL) 2528*eda14cbcSMatt Macy dsl_dir_rele(rdd, FTAG); 2529*eda14cbcSMatt Macy nvlist_free(nvl); 2530*eda14cbcSMatt Macy 2531*eda14cbcSMatt Macy *nvl_out = NULL; 2532*eda14cbcSMatt Macy return (ret); 2533*eda14cbcSMatt Macy } 2534*eda14cbcSMatt Macy 2535*eda14cbcSMatt Macy uint64_t 2536*eda14cbcSMatt Macy dsl_crypto_key_create_sync(uint64_t crypt, dsl_wrapping_key_t *wkey, 2537*eda14cbcSMatt Macy dmu_tx_t *tx) 2538*eda14cbcSMatt Macy { 2539*eda14cbcSMatt Macy dsl_crypto_key_t dck; 2540*eda14cbcSMatt Macy uint64_t version = ZIO_CRYPT_KEY_CURRENT_VERSION; 2541*eda14cbcSMatt Macy uint64_t one = 1ULL; 2542*eda14cbcSMatt Macy 2543*eda14cbcSMatt Macy ASSERT(dmu_tx_is_syncing(tx)); 2544*eda14cbcSMatt Macy ASSERT3U(crypt, <, ZIO_CRYPT_FUNCTIONS); 2545*eda14cbcSMatt Macy ASSERT3U(crypt, >, ZIO_CRYPT_OFF); 2546*eda14cbcSMatt Macy 2547*eda14cbcSMatt Macy /* create the DSL Crypto Key ZAP object */ 2548*eda14cbcSMatt Macy dck.dck_obj = zap_create(tx->tx_pool->dp_meta_objset, 2549*eda14cbcSMatt Macy DMU_OTN_ZAP_METADATA, DMU_OT_NONE, 0, tx); 2550*eda14cbcSMatt Macy 2551*eda14cbcSMatt Macy /* fill in the key (on the stack) and sync it to disk */ 2552*eda14cbcSMatt Macy dck.dck_wkey = wkey; 2553*eda14cbcSMatt Macy VERIFY0(zio_crypt_key_init(crypt, &dck.dck_key)); 2554*eda14cbcSMatt Macy 2555*eda14cbcSMatt Macy dsl_crypto_key_sync(&dck, tx); 2556*eda14cbcSMatt Macy VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, dck.dck_obj, 2557*eda14cbcSMatt Macy DSL_CRYPTO_KEY_REFCOUNT, sizeof (uint64_t), 1, &one, tx)); 2558*eda14cbcSMatt Macy VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, dck.dck_obj, 2559*eda14cbcSMatt Macy DSL_CRYPTO_KEY_VERSION, sizeof (uint64_t), 1, &version, tx)); 2560*eda14cbcSMatt Macy 2561*eda14cbcSMatt Macy zio_crypt_key_destroy(&dck.dck_key); 2562*eda14cbcSMatt Macy bzero(&dck.dck_key, sizeof (zio_crypt_key_t)); 2563*eda14cbcSMatt Macy 2564*eda14cbcSMatt Macy return (dck.dck_obj); 2565*eda14cbcSMatt Macy } 2566*eda14cbcSMatt Macy 2567*eda14cbcSMatt Macy uint64_t 2568*eda14cbcSMatt Macy dsl_crypto_key_clone_sync(dsl_dir_t *origindd, dmu_tx_t *tx) 2569*eda14cbcSMatt Macy { 2570*eda14cbcSMatt Macy objset_t *mos = tx->tx_pool->dp_meta_objset; 2571*eda14cbcSMatt Macy 2572*eda14cbcSMatt Macy ASSERT(dmu_tx_is_syncing(tx)); 2573*eda14cbcSMatt Macy 2574*eda14cbcSMatt Macy VERIFY0(zap_increment(mos, origindd->dd_crypto_obj, 2575*eda14cbcSMatt Macy DSL_CRYPTO_KEY_REFCOUNT, 1, tx)); 2576*eda14cbcSMatt Macy 2577*eda14cbcSMatt Macy return (origindd->dd_crypto_obj); 2578*eda14cbcSMatt Macy } 2579*eda14cbcSMatt Macy 2580*eda14cbcSMatt Macy void 2581*eda14cbcSMatt Macy dsl_crypto_key_destroy_sync(uint64_t dckobj, dmu_tx_t *tx) 2582*eda14cbcSMatt Macy { 2583*eda14cbcSMatt Macy objset_t *mos = tx->tx_pool->dp_meta_objset; 2584*eda14cbcSMatt Macy uint64_t refcnt; 2585*eda14cbcSMatt Macy 2586*eda14cbcSMatt Macy /* Decrement the refcount, destroy if this is the last reference */ 2587*eda14cbcSMatt Macy VERIFY0(zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_REFCOUNT, 2588*eda14cbcSMatt Macy sizeof (uint64_t), 1, &refcnt)); 2589*eda14cbcSMatt Macy 2590*eda14cbcSMatt Macy if (refcnt != 1) { 2591*eda14cbcSMatt Macy VERIFY0(zap_increment(mos, dckobj, DSL_CRYPTO_KEY_REFCOUNT, 2592*eda14cbcSMatt Macy -1, tx)); 2593*eda14cbcSMatt Macy } else { 2594*eda14cbcSMatt Macy VERIFY0(zap_destroy(mos, dckobj, tx)); 2595*eda14cbcSMatt Macy } 2596*eda14cbcSMatt Macy } 2597*eda14cbcSMatt Macy 2598*eda14cbcSMatt Macy void 2599*eda14cbcSMatt Macy dsl_dataset_crypt_stats(dsl_dataset_t *ds, nvlist_t *nv) 2600*eda14cbcSMatt Macy { 2601*eda14cbcSMatt Macy uint64_t intval; 2602*eda14cbcSMatt Macy dsl_dir_t *dd = ds->ds_dir; 2603*eda14cbcSMatt Macy dsl_dir_t *enc_root; 2604*eda14cbcSMatt Macy char buf[ZFS_MAX_DATASET_NAME_LEN]; 2605*eda14cbcSMatt Macy 2606*eda14cbcSMatt Macy if (dd->dd_crypto_obj == 0) 2607*eda14cbcSMatt Macy return; 2608*eda14cbcSMatt Macy 2609*eda14cbcSMatt Macy intval = dsl_dataset_get_keystatus(dd); 2610*eda14cbcSMatt Macy dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_KEYSTATUS, intval); 2611*eda14cbcSMatt Macy 2612*eda14cbcSMatt Macy if (dsl_dir_get_crypt(dd, &intval) == 0) 2613*eda14cbcSMatt Macy dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_ENCRYPTION, intval); 2614*eda14cbcSMatt Macy if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2615*eda14cbcSMatt Macy DSL_CRYPTO_KEY_GUID, 8, 1, &intval) == 0) { 2616*eda14cbcSMatt Macy dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_KEY_GUID, intval); 2617*eda14cbcSMatt Macy } 2618*eda14cbcSMatt Macy if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2619*eda14cbcSMatt Macy zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 8, 1, &intval) == 0) { 2620*eda14cbcSMatt Macy dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_KEYFORMAT, intval); 2621*eda14cbcSMatt Macy } 2622*eda14cbcSMatt Macy if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2623*eda14cbcSMatt Macy zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 8, 1, &intval) == 0) { 2624*eda14cbcSMatt Macy dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_PBKDF2_SALT, intval); 2625*eda14cbcSMatt Macy } 2626*eda14cbcSMatt Macy if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2627*eda14cbcSMatt Macy zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 8, 1, &intval) == 0) { 2628*eda14cbcSMatt Macy dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_PBKDF2_ITERS, intval); 2629*eda14cbcSMatt Macy } 2630*eda14cbcSMatt Macy if (zap_lookup(dd->dd_pool->dp_meta_objset, ds->ds_object, 2631*eda14cbcSMatt Macy DS_FIELD_IVSET_GUID, 8, 1, &intval) == 0) { 2632*eda14cbcSMatt Macy dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_IVSET_GUID, intval); 2633*eda14cbcSMatt Macy } 2634*eda14cbcSMatt Macy 2635*eda14cbcSMatt Macy if (dsl_dir_get_encryption_root_ddobj(dd, &intval) == 0) { 2636*eda14cbcSMatt Macy if (dsl_dir_hold_obj(dd->dd_pool, intval, NULL, FTAG, 2637*eda14cbcSMatt Macy &enc_root) == 0) { 2638*eda14cbcSMatt Macy dsl_dir_name(enc_root, buf); 2639*eda14cbcSMatt Macy dsl_dir_rele(enc_root, FTAG); 2640*eda14cbcSMatt Macy dsl_prop_nvlist_add_string(nv, 2641*eda14cbcSMatt Macy ZFS_PROP_ENCRYPTION_ROOT, buf); 2642*eda14cbcSMatt Macy } 2643*eda14cbcSMatt Macy } 2644*eda14cbcSMatt Macy } 2645*eda14cbcSMatt Macy 2646*eda14cbcSMatt Macy int 2647*eda14cbcSMatt Macy spa_crypt_get_salt(spa_t *spa, uint64_t dsobj, uint8_t *salt) 2648*eda14cbcSMatt Macy { 2649*eda14cbcSMatt Macy int ret; 2650*eda14cbcSMatt Macy dsl_crypto_key_t *dck = NULL; 2651*eda14cbcSMatt Macy 2652*eda14cbcSMatt Macy /* look up the key from the spa's keystore */ 2653*eda14cbcSMatt Macy ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck); 2654*eda14cbcSMatt Macy if (ret != 0) 2655*eda14cbcSMatt Macy goto error; 2656*eda14cbcSMatt Macy 2657*eda14cbcSMatt Macy ret = zio_crypt_key_get_salt(&dck->dck_key, salt); 2658*eda14cbcSMatt Macy if (ret != 0) 2659*eda14cbcSMatt Macy goto error; 2660*eda14cbcSMatt Macy 2661*eda14cbcSMatt Macy spa_keystore_dsl_key_rele(spa, dck, FTAG); 2662*eda14cbcSMatt Macy return (0); 2663*eda14cbcSMatt Macy 2664*eda14cbcSMatt Macy error: 2665*eda14cbcSMatt Macy if (dck != NULL) 2666*eda14cbcSMatt Macy spa_keystore_dsl_key_rele(spa, dck, FTAG); 2667*eda14cbcSMatt Macy return (ret); 2668*eda14cbcSMatt Macy } 2669*eda14cbcSMatt Macy 2670*eda14cbcSMatt Macy /* 2671*eda14cbcSMatt Macy * Objset blocks are a special case for MAC generation. These blocks have 2 2672*eda14cbcSMatt Macy * 256-bit MACs which are embedded within the block itself, rather than a 2673*eda14cbcSMatt Macy * single 128 bit MAC. As a result, this function handles encoding and decoding 2674*eda14cbcSMatt Macy * the MACs on its own, unlike other functions in this file. 2675*eda14cbcSMatt Macy */ 2676*eda14cbcSMatt Macy int 2677*eda14cbcSMatt Macy spa_do_crypt_objset_mac_abd(boolean_t generate, spa_t *spa, uint64_t dsobj, 2678*eda14cbcSMatt Macy abd_t *abd, uint_t datalen, boolean_t byteswap) 2679*eda14cbcSMatt Macy { 2680*eda14cbcSMatt Macy int ret; 2681*eda14cbcSMatt Macy dsl_crypto_key_t *dck = NULL; 2682*eda14cbcSMatt Macy void *buf = abd_borrow_buf_copy(abd, datalen); 2683*eda14cbcSMatt Macy objset_phys_t *osp = buf; 2684*eda14cbcSMatt Macy uint8_t portable_mac[ZIO_OBJSET_MAC_LEN]; 2685*eda14cbcSMatt Macy uint8_t local_mac[ZIO_OBJSET_MAC_LEN]; 2686*eda14cbcSMatt Macy 2687*eda14cbcSMatt Macy /* look up the key from the spa's keystore */ 2688*eda14cbcSMatt Macy ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck); 2689*eda14cbcSMatt Macy if (ret != 0) 2690*eda14cbcSMatt Macy goto error; 2691*eda14cbcSMatt Macy 2692*eda14cbcSMatt Macy /* calculate both HMACs */ 2693*eda14cbcSMatt Macy ret = zio_crypt_do_objset_hmacs(&dck->dck_key, buf, datalen, 2694*eda14cbcSMatt Macy byteswap, portable_mac, local_mac); 2695*eda14cbcSMatt Macy if (ret != 0) 2696*eda14cbcSMatt Macy goto error; 2697*eda14cbcSMatt Macy 2698*eda14cbcSMatt Macy spa_keystore_dsl_key_rele(spa, dck, FTAG); 2699*eda14cbcSMatt Macy 2700*eda14cbcSMatt Macy /* if we are generating encode the HMACs in the objset_phys_t */ 2701*eda14cbcSMatt Macy if (generate) { 2702*eda14cbcSMatt Macy bcopy(portable_mac, osp->os_portable_mac, ZIO_OBJSET_MAC_LEN); 2703*eda14cbcSMatt Macy bcopy(local_mac, osp->os_local_mac, ZIO_OBJSET_MAC_LEN); 2704*eda14cbcSMatt Macy abd_return_buf_copy(abd, buf, datalen); 2705*eda14cbcSMatt Macy return (0); 2706*eda14cbcSMatt Macy } 2707*eda14cbcSMatt Macy 2708*eda14cbcSMatt Macy if (bcmp(portable_mac, osp->os_portable_mac, ZIO_OBJSET_MAC_LEN) != 0 || 2709*eda14cbcSMatt Macy bcmp(local_mac, osp->os_local_mac, ZIO_OBJSET_MAC_LEN) != 0) { 2710*eda14cbcSMatt Macy abd_return_buf(abd, buf, datalen); 2711*eda14cbcSMatt Macy return (SET_ERROR(ECKSUM)); 2712*eda14cbcSMatt Macy } 2713*eda14cbcSMatt Macy 2714*eda14cbcSMatt Macy abd_return_buf(abd, buf, datalen); 2715*eda14cbcSMatt Macy 2716*eda14cbcSMatt Macy return (0); 2717*eda14cbcSMatt Macy 2718*eda14cbcSMatt Macy error: 2719*eda14cbcSMatt Macy if (dck != NULL) 2720*eda14cbcSMatt Macy spa_keystore_dsl_key_rele(spa, dck, FTAG); 2721*eda14cbcSMatt Macy abd_return_buf(abd, buf, datalen); 2722*eda14cbcSMatt Macy return (ret); 2723*eda14cbcSMatt Macy } 2724*eda14cbcSMatt Macy 2725*eda14cbcSMatt Macy int 2726*eda14cbcSMatt Macy spa_do_crypt_mac_abd(boolean_t generate, spa_t *spa, uint64_t dsobj, abd_t *abd, 2727*eda14cbcSMatt Macy uint_t datalen, uint8_t *mac) 2728*eda14cbcSMatt Macy { 2729*eda14cbcSMatt Macy int ret; 2730*eda14cbcSMatt Macy dsl_crypto_key_t *dck = NULL; 2731*eda14cbcSMatt Macy uint8_t *buf = abd_borrow_buf_copy(abd, datalen); 2732*eda14cbcSMatt Macy uint8_t digestbuf[ZIO_DATA_MAC_LEN]; 2733*eda14cbcSMatt Macy 2734*eda14cbcSMatt Macy /* look up the key from the spa's keystore */ 2735*eda14cbcSMatt Macy ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck); 2736*eda14cbcSMatt Macy if (ret != 0) 2737*eda14cbcSMatt Macy goto error; 2738*eda14cbcSMatt Macy 2739*eda14cbcSMatt Macy /* perform the hmac */ 2740*eda14cbcSMatt Macy ret = zio_crypt_do_hmac(&dck->dck_key, buf, datalen, 2741*eda14cbcSMatt Macy digestbuf, ZIO_DATA_MAC_LEN); 2742*eda14cbcSMatt Macy if (ret != 0) 2743*eda14cbcSMatt Macy goto error; 2744*eda14cbcSMatt Macy 2745*eda14cbcSMatt Macy abd_return_buf(abd, buf, datalen); 2746*eda14cbcSMatt Macy spa_keystore_dsl_key_rele(spa, dck, FTAG); 2747*eda14cbcSMatt Macy 2748*eda14cbcSMatt Macy /* 2749*eda14cbcSMatt Macy * Truncate and fill in mac buffer if we were asked to generate a MAC. 2750*eda14cbcSMatt Macy * Otherwise verify that the MAC matched what we expected. 2751*eda14cbcSMatt Macy */ 2752*eda14cbcSMatt Macy if (generate) { 2753*eda14cbcSMatt Macy bcopy(digestbuf, mac, ZIO_DATA_MAC_LEN); 2754*eda14cbcSMatt Macy return (0); 2755*eda14cbcSMatt Macy } 2756*eda14cbcSMatt Macy 2757*eda14cbcSMatt Macy if (bcmp(digestbuf, mac, ZIO_DATA_MAC_LEN) != 0) 2758*eda14cbcSMatt Macy return (SET_ERROR(ECKSUM)); 2759*eda14cbcSMatt Macy 2760*eda14cbcSMatt Macy return (0); 2761*eda14cbcSMatt Macy 2762*eda14cbcSMatt Macy error: 2763*eda14cbcSMatt Macy if (dck != NULL) 2764*eda14cbcSMatt Macy spa_keystore_dsl_key_rele(spa, dck, FTAG); 2765*eda14cbcSMatt Macy abd_return_buf(abd, buf, datalen); 2766*eda14cbcSMatt Macy return (ret); 2767*eda14cbcSMatt Macy } 2768*eda14cbcSMatt Macy 2769*eda14cbcSMatt Macy /* 2770*eda14cbcSMatt Macy * This function serves as a multiplexer for encryption and decryption of 2771*eda14cbcSMatt Macy * all blocks (except the L2ARC). For encryption, it will populate the IV, 2772*eda14cbcSMatt Macy * salt, MAC, and cabd (the ciphertext). On decryption it will simply use 2773*eda14cbcSMatt Macy * these fields to populate pabd (the plaintext). 2774*eda14cbcSMatt Macy */ 2775*eda14cbcSMatt Macy int 2776*eda14cbcSMatt Macy spa_do_crypt_abd(boolean_t encrypt, spa_t *spa, const zbookmark_phys_t *zb, 2777*eda14cbcSMatt Macy dmu_object_type_t ot, boolean_t dedup, boolean_t bswap, uint8_t *salt, 2778*eda14cbcSMatt Macy uint8_t *iv, uint8_t *mac, uint_t datalen, abd_t *pabd, abd_t *cabd, 2779*eda14cbcSMatt Macy boolean_t *no_crypt) 2780*eda14cbcSMatt Macy { 2781*eda14cbcSMatt Macy int ret; 2782*eda14cbcSMatt Macy dsl_crypto_key_t *dck = NULL; 2783*eda14cbcSMatt Macy uint8_t *plainbuf = NULL, *cipherbuf = NULL; 2784*eda14cbcSMatt Macy 2785*eda14cbcSMatt Macy ASSERT(spa_feature_is_active(spa, SPA_FEATURE_ENCRYPTION)); 2786*eda14cbcSMatt Macy 2787*eda14cbcSMatt Macy /* look up the key from the spa's keystore */ 2788*eda14cbcSMatt Macy ret = spa_keystore_lookup_key(spa, zb->zb_objset, FTAG, &dck); 2789*eda14cbcSMatt Macy if (ret != 0) { 2790*eda14cbcSMatt Macy ret = SET_ERROR(EACCES); 2791*eda14cbcSMatt Macy return (ret); 2792*eda14cbcSMatt Macy } 2793*eda14cbcSMatt Macy 2794*eda14cbcSMatt Macy if (encrypt) { 2795*eda14cbcSMatt Macy plainbuf = abd_borrow_buf_copy(pabd, datalen); 2796*eda14cbcSMatt Macy cipherbuf = abd_borrow_buf(cabd, datalen); 2797*eda14cbcSMatt Macy } else { 2798*eda14cbcSMatt Macy plainbuf = abd_borrow_buf(pabd, datalen); 2799*eda14cbcSMatt Macy cipherbuf = abd_borrow_buf_copy(cabd, datalen); 2800*eda14cbcSMatt Macy } 2801*eda14cbcSMatt Macy 2802*eda14cbcSMatt Macy /* 2803*eda14cbcSMatt Macy * Both encryption and decryption functions need a salt for key 2804*eda14cbcSMatt Macy * generation and an IV. When encrypting a non-dedup block, we 2805*eda14cbcSMatt Macy * generate the salt and IV randomly to be stored by the caller. Dedup 2806*eda14cbcSMatt Macy * blocks perform a (more expensive) HMAC of the plaintext to obtain 2807*eda14cbcSMatt Macy * the salt and the IV. ZIL blocks have their salt and IV generated 2808*eda14cbcSMatt Macy * at allocation time in zio_alloc_zil(). On decryption, we simply use 2809*eda14cbcSMatt Macy * the provided values. 2810*eda14cbcSMatt Macy */ 2811*eda14cbcSMatt Macy if (encrypt && ot != DMU_OT_INTENT_LOG && !dedup) { 2812*eda14cbcSMatt Macy ret = zio_crypt_key_get_salt(&dck->dck_key, salt); 2813*eda14cbcSMatt Macy if (ret != 0) 2814*eda14cbcSMatt Macy goto error; 2815*eda14cbcSMatt Macy 2816*eda14cbcSMatt Macy ret = zio_crypt_generate_iv(iv); 2817*eda14cbcSMatt Macy if (ret != 0) 2818*eda14cbcSMatt Macy goto error; 2819*eda14cbcSMatt Macy } else if (encrypt && dedup) { 2820*eda14cbcSMatt Macy ret = zio_crypt_generate_iv_salt_dedup(&dck->dck_key, 2821*eda14cbcSMatt Macy plainbuf, datalen, iv, salt); 2822*eda14cbcSMatt Macy if (ret != 0) 2823*eda14cbcSMatt Macy goto error; 2824*eda14cbcSMatt Macy } 2825*eda14cbcSMatt Macy 2826*eda14cbcSMatt Macy /* call lower level function to perform encryption / decryption */ 2827*eda14cbcSMatt Macy ret = zio_do_crypt_data(encrypt, &dck->dck_key, ot, bswap, salt, iv, 2828*eda14cbcSMatt Macy mac, datalen, plainbuf, cipherbuf, no_crypt); 2829*eda14cbcSMatt Macy 2830*eda14cbcSMatt Macy /* 2831*eda14cbcSMatt Macy * Handle injected decryption faults. Unfortunately, we cannot inject 2832*eda14cbcSMatt Macy * faults for dnode blocks because we might trigger the panic in 2833*eda14cbcSMatt Macy * dbuf_prepare_encrypted_dnode_leaf(), which exists because syncing 2834*eda14cbcSMatt Macy * context is not prepared to handle malicious decryption failures. 2835*eda14cbcSMatt Macy */ 2836*eda14cbcSMatt Macy if (zio_injection_enabled && !encrypt && ot != DMU_OT_DNODE && ret == 0) 2837*eda14cbcSMatt Macy ret = zio_handle_decrypt_injection(spa, zb, ot, ECKSUM); 2838*eda14cbcSMatt Macy if (ret != 0) 2839*eda14cbcSMatt Macy goto error; 2840*eda14cbcSMatt Macy 2841*eda14cbcSMatt Macy if (encrypt) { 2842*eda14cbcSMatt Macy abd_return_buf(pabd, plainbuf, datalen); 2843*eda14cbcSMatt Macy abd_return_buf_copy(cabd, cipherbuf, datalen); 2844*eda14cbcSMatt Macy } else { 2845*eda14cbcSMatt Macy abd_return_buf_copy(pabd, plainbuf, datalen); 2846*eda14cbcSMatt Macy abd_return_buf(cabd, cipherbuf, datalen); 2847*eda14cbcSMatt Macy } 2848*eda14cbcSMatt Macy 2849*eda14cbcSMatt Macy spa_keystore_dsl_key_rele(spa, dck, FTAG); 2850*eda14cbcSMatt Macy 2851*eda14cbcSMatt Macy return (0); 2852*eda14cbcSMatt Macy 2853*eda14cbcSMatt Macy error: 2854*eda14cbcSMatt Macy if (encrypt) { 2855*eda14cbcSMatt Macy /* zero out any state we might have changed while encrypting */ 2856*eda14cbcSMatt Macy bzero(salt, ZIO_DATA_SALT_LEN); 2857*eda14cbcSMatt Macy bzero(iv, ZIO_DATA_IV_LEN); 2858*eda14cbcSMatt Macy bzero(mac, ZIO_DATA_MAC_LEN); 2859*eda14cbcSMatt Macy abd_return_buf(pabd, plainbuf, datalen); 2860*eda14cbcSMatt Macy abd_return_buf_copy(cabd, cipherbuf, datalen); 2861*eda14cbcSMatt Macy } else { 2862*eda14cbcSMatt Macy abd_return_buf_copy(pabd, plainbuf, datalen); 2863*eda14cbcSMatt Macy abd_return_buf(cabd, cipherbuf, datalen); 2864*eda14cbcSMatt Macy } 2865*eda14cbcSMatt Macy 2866*eda14cbcSMatt Macy spa_keystore_dsl_key_rele(spa, dck, FTAG); 2867*eda14cbcSMatt Macy 2868*eda14cbcSMatt Macy return (ret); 2869*eda14cbcSMatt Macy } 2870*eda14cbcSMatt Macy 2871*eda14cbcSMatt Macy ZFS_MODULE_PARAM(zfs, zfs_, disable_ivset_guid_check, INT, ZMOD_RW, 2872*eda14cbcSMatt Macy "Set to allow raw receives without IVset guids"); 2873