1 // SPDX-License-Identifier: CDDL-1.0 2 /* 3 * CDDL HEADER START 4 * 5 * This file and its contents are supplied under the terms of the 6 * Common Development and Distribution License ("CDDL"), version 1.0. 7 * You may only use this file in accordance with the terms of version 8 * 1.0 of the CDDL. 9 * 10 * A full copy of the text of the CDDL should have accompanied this 11 * source. A copy of the CDDL is also available via the Internet at 12 * http://www.illumos.org/license/CDDL. 13 * 14 * CDDL HEADER END 15 */ 16 17 /* 18 * Copyright (c) 2017, Datto, Inc. All rights reserved. 19 * Copyright (c) 2018 by Delphix. All rights reserved. 20 */ 21 22 #include <sys/dsl_crypt.h> 23 #include <sys/dsl_pool.h> 24 #include <sys/zap.h> 25 #include <sys/zil.h> 26 #include <sys/dsl_dir.h> 27 #include <sys/dsl_prop.h> 28 #include <sys/spa_impl.h> 29 #include <sys/dmu_objset.h> 30 #include <sys/zvol.h> 31 32 /* 33 * This file's primary purpose is for managing master encryption keys in 34 * memory and on disk. For more info on how these keys are used, see the 35 * block comment in zio_crypt.c. 36 * 37 * All master keys are stored encrypted on disk in the form of the DSL 38 * Crypto Key ZAP object. The binary key data in this object is always 39 * randomly generated and is encrypted with the user's wrapping key. This 40 * layer of indirection allows the user to change their key without 41 * needing to re-encrypt the entire dataset. The ZAP also holds on to the 42 * (non-encrypted) encryption algorithm identifier, IV, and MAC needed to 43 * safely decrypt the master key. For more info on the user's key see the 44 * block comment in libzfs_crypto.c 45 * 46 * In-memory encryption keys are managed through the spa_keystore. The 47 * keystore consists of 3 AVL trees, which are as follows: 48 * 49 * The Wrapping Key Tree: 50 * The wrapping key (wkey) tree stores the user's keys that are fed into the 51 * kernel through 'zfs load-key' and related commands. Datasets inherit their 52 * parent's wkey by default, so these structures are refcounted. The wrapping 53 * keys remain in memory until they are explicitly unloaded (with 54 * "zfs unload-key"). Unloading is only possible when no datasets are using 55 * them (refcount=0). 56 * 57 * The DSL Crypto Key Tree: 58 * The DSL Crypto Keys (DCK) are the in-memory representation of decrypted 59 * master keys. They are used by the functions in zio_crypt.c to perform 60 * encryption, decryption, and authentication. Snapshots and clones of a given 61 * dataset will share a DSL Crypto Key, so they are also refcounted. Once the 62 * refcount on a key hits zero, it is immediately zeroed out and freed. 63 * 64 * The Crypto Key Mapping Tree: 65 * The zio layer needs to lookup master keys by their dataset object id. Since 66 * the DSL Crypto Keys can belong to multiple datasets, we maintain a tree of 67 * dsl_key_mapping_t's which essentially just map the dataset object id to its 68 * appropriate DSL Crypto Key. The management for creating and destroying these 69 * mappings hooks into the code for owning and disowning datasets. Usually, 70 * there will only be one active dataset owner, but there are times 71 * (particularly during dataset creation and destruction) when this may not be 72 * true or the dataset may not be initialized enough to own. As a result, this 73 * object is also refcounted. 74 */ 75 76 /* 77 * This tunable allows datasets to be raw received even if the stream does 78 * not include IVset guids or if the guids don't match. This is used as part 79 * of the resolution for ZPOOL_ERRATA_ZOL_8308_ENCRYPTION. 80 */ 81 int zfs_disable_ivset_guid_check = 0; 82 83 static void 84 dsl_wrapping_key_hold(dsl_wrapping_key_t *wkey, const void *tag) 85 { 86 (void) zfs_refcount_add(&wkey->wk_refcnt, tag); 87 } 88 89 static void 90 dsl_wrapping_key_rele(dsl_wrapping_key_t *wkey, const void *tag) 91 { 92 (void) zfs_refcount_remove(&wkey->wk_refcnt, tag); 93 } 94 95 static void 96 dsl_wrapping_key_free(dsl_wrapping_key_t *wkey) 97 { 98 ASSERT0(zfs_refcount_count(&wkey->wk_refcnt)); 99 100 if (wkey->wk_key.ck_data) { 101 memset(wkey->wk_key.ck_data, 0, 102 CRYPTO_BITS2BYTES(wkey->wk_key.ck_length)); 103 kmem_free(wkey->wk_key.ck_data, 104 CRYPTO_BITS2BYTES(wkey->wk_key.ck_length)); 105 } 106 107 zfs_refcount_destroy(&wkey->wk_refcnt); 108 kmem_free(wkey, sizeof (dsl_wrapping_key_t)); 109 } 110 111 static void 112 dsl_wrapping_key_create(uint8_t *wkeydata, zfs_keyformat_t keyformat, 113 uint64_t salt, uint64_t iters, dsl_wrapping_key_t **wkey_out) 114 { 115 dsl_wrapping_key_t *wkey; 116 117 /* allocate the wrapping key */ 118 wkey = kmem_alloc(sizeof (dsl_wrapping_key_t), KM_SLEEP); 119 120 /* allocate and initialize the underlying crypto key */ 121 wkey->wk_key.ck_data = kmem_alloc(WRAPPING_KEY_LEN, KM_SLEEP); 122 123 wkey->wk_key.ck_length = CRYPTO_BYTES2BITS(WRAPPING_KEY_LEN); 124 memcpy(wkey->wk_key.ck_data, wkeydata, WRAPPING_KEY_LEN); 125 126 /* initialize the rest of the struct */ 127 zfs_refcount_create(&wkey->wk_refcnt); 128 wkey->wk_keyformat = keyformat; 129 wkey->wk_salt = salt; 130 wkey->wk_iters = iters; 131 132 *wkey_out = wkey; 133 } 134 135 int 136 dsl_crypto_params_create_nvlist(dcp_cmd_t cmd, nvlist_t *props, 137 nvlist_t *crypto_args, dsl_crypto_params_t **dcp_out) 138 { 139 int ret; 140 uint64_t crypt = ZIO_CRYPT_INHERIT; 141 uint64_t keyformat = ZFS_KEYFORMAT_NONE; 142 uint64_t salt = 0, iters = 0; 143 dsl_crypto_params_t *dcp = NULL; 144 dsl_wrapping_key_t *wkey = NULL; 145 uint8_t *wkeydata = NULL; 146 uint_t wkeydata_len = 0; 147 const char *keylocation = NULL; 148 149 dcp = kmem_zalloc(sizeof (dsl_crypto_params_t), KM_SLEEP); 150 dcp->cp_cmd = cmd; 151 152 /* get relevant arguments from the nvlists */ 153 if (props != NULL) { 154 (void) nvlist_lookup_uint64(props, 155 zfs_prop_to_name(ZFS_PROP_ENCRYPTION), &crypt); 156 (void) nvlist_lookup_uint64(props, 157 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), &keyformat); 158 (void) nvlist_lookup_string(props, 159 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), &keylocation); 160 (void) nvlist_lookup_uint64(props, 161 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), &salt); 162 (void) nvlist_lookup_uint64(props, 163 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), &iters); 164 165 dcp->cp_crypt = crypt; 166 } 167 168 if (crypto_args != NULL) { 169 (void) nvlist_lookup_uint8_array(crypto_args, "wkeydata", 170 &wkeydata, &wkeydata_len); 171 } 172 173 /* check for valid command */ 174 if (dcp->cp_cmd >= DCP_CMD_MAX) { 175 ret = SET_ERROR(EINVAL); 176 goto error; 177 } else { 178 dcp->cp_cmd = cmd; 179 } 180 181 /* check for valid crypt */ 182 if (dcp->cp_crypt >= ZIO_CRYPT_FUNCTIONS) { 183 ret = SET_ERROR(EINVAL); 184 goto error; 185 } else { 186 dcp->cp_crypt = crypt; 187 } 188 189 /* check for valid keyformat */ 190 if (keyformat >= ZFS_KEYFORMAT_FORMATS) { 191 ret = SET_ERROR(EINVAL); 192 goto error; 193 } 194 195 /* check for a valid keylocation (of any kind) and copy it in */ 196 if (keylocation != NULL) { 197 if (!zfs_prop_valid_keylocation(keylocation, B_FALSE)) { 198 ret = SET_ERROR(EINVAL); 199 goto error; 200 } 201 202 dcp->cp_keylocation = spa_strdup(keylocation); 203 } 204 205 /* check wrapping key length, if given */ 206 if (wkeydata != NULL && wkeydata_len != WRAPPING_KEY_LEN) { 207 ret = SET_ERROR(EINVAL); 208 goto error; 209 } 210 211 /* if the user asked for the default crypt, determine that now */ 212 if (dcp->cp_crypt == ZIO_CRYPT_ON) 213 dcp->cp_crypt = ZIO_CRYPT_ON_VALUE; 214 215 /* create the wrapping key from the raw data */ 216 if (wkeydata != NULL) { 217 /* create the wrapping key with the verified parameters */ 218 dsl_wrapping_key_create(wkeydata, keyformat, salt, 219 iters, &wkey); 220 dcp->cp_wkey = wkey; 221 } 222 223 /* 224 * Remove the encryption properties from the nvlist since they are not 225 * maintained through the DSL. 226 */ 227 (void) nvlist_remove_all(props, zfs_prop_to_name(ZFS_PROP_ENCRYPTION)); 228 (void) nvlist_remove_all(props, zfs_prop_to_name(ZFS_PROP_KEYFORMAT)); 229 (void) nvlist_remove_all(props, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT)); 230 (void) nvlist_remove_all(props, 231 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS)); 232 233 *dcp_out = dcp; 234 235 return (0); 236 237 error: 238 kmem_free(dcp, sizeof (dsl_crypto_params_t)); 239 *dcp_out = NULL; 240 return (ret); 241 } 242 243 void 244 dsl_crypto_params_free(dsl_crypto_params_t *dcp, boolean_t unload) 245 { 246 if (dcp == NULL) 247 return; 248 249 if (dcp->cp_keylocation != NULL) 250 spa_strfree(dcp->cp_keylocation); 251 if (unload && dcp->cp_wkey != NULL) 252 dsl_wrapping_key_free(dcp->cp_wkey); 253 254 kmem_free(dcp, sizeof (dsl_crypto_params_t)); 255 } 256 257 static int 258 spa_crypto_key_compare(const void *a, const void *b) 259 { 260 const dsl_crypto_key_t *dcka = a; 261 const dsl_crypto_key_t *dckb = b; 262 263 if (dcka->dck_obj < dckb->dck_obj) 264 return (-1); 265 if (dcka->dck_obj > dckb->dck_obj) 266 return (1); 267 return (0); 268 } 269 270 /* 271 * this compares a crypto key based on zk_guid. See comment on 272 * spa_crypto_key_compare for more information. 273 */ 274 boolean_t 275 dmu_objset_crypto_key_equal(objset_t *osa, objset_t *osb) 276 { 277 dsl_crypto_key_t *dcka = NULL; 278 dsl_crypto_key_t *dckb = NULL; 279 uint64_t obja, objb; 280 boolean_t equal; 281 spa_t *spa; 282 283 spa = dmu_objset_spa(osa); 284 if (spa != dmu_objset_spa(osb)) 285 return (B_FALSE); 286 obja = dmu_objset_ds(osa)->ds_object; 287 objb = dmu_objset_ds(osb)->ds_object; 288 289 if (spa_keystore_lookup_key(spa, obja, FTAG, &dcka) != 0) 290 return (B_FALSE); 291 if (spa_keystore_lookup_key(spa, objb, FTAG, &dckb) != 0) { 292 spa_keystore_dsl_key_rele(spa, dcka, FTAG); 293 return (B_FALSE); 294 } 295 296 equal = (dcka->dck_key.zk_guid == dckb->dck_key.zk_guid); 297 298 spa_keystore_dsl_key_rele(spa, dcka, FTAG); 299 spa_keystore_dsl_key_rele(spa, dckb, FTAG); 300 301 return (equal); 302 } 303 304 static int 305 spa_key_mapping_compare(const void *a, const void *b) 306 { 307 const dsl_key_mapping_t *kma = a; 308 const dsl_key_mapping_t *kmb = b; 309 310 if (kma->km_dsobj < kmb->km_dsobj) 311 return (-1); 312 if (kma->km_dsobj > kmb->km_dsobj) 313 return (1); 314 return (0); 315 } 316 317 static int 318 spa_wkey_compare(const void *a, const void *b) 319 { 320 const dsl_wrapping_key_t *wka = a; 321 const dsl_wrapping_key_t *wkb = b; 322 323 if (wka->wk_ddobj < wkb->wk_ddobj) 324 return (-1); 325 if (wka->wk_ddobj > wkb->wk_ddobj) 326 return (1); 327 return (0); 328 } 329 330 void 331 spa_keystore_init(spa_keystore_t *sk) 332 { 333 rw_init(&sk->sk_dk_lock, NULL, RW_DEFAULT, NULL); 334 rw_init(&sk->sk_km_lock, NULL, RW_DEFAULT, NULL); 335 rw_init(&sk->sk_wkeys_lock, NULL, RW_DEFAULT, NULL); 336 avl_create(&sk->sk_dsl_keys, spa_crypto_key_compare, 337 sizeof (dsl_crypto_key_t), 338 offsetof(dsl_crypto_key_t, dck_avl_link)); 339 avl_create(&sk->sk_key_mappings, spa_key_mapping_compare, 340 sizeof (dsl_key_mapping_t), 341 offsetof(dsl_key_mapping_t, km_avl_link)); 342 avl_create(&sk->sk_wkeys, spa_wkey_compare, sizeof (dsl_wrapping_key_t), 343 offsetof(dsl_wrapping_key_t, wk_avl_link)); 344 } 345 346 void 347 spa_keystore_fini(spa_keystore_t *sk) 348 { 349 dsl_wrapping_key_t *wkey; 350 void *cookie = NULL; 351 352 ASSERT(avl_is_empty(&sk->sk_dsl_keys)); 353 ASSERT(avl_is_empty(&sk->sk_key_mappings)); 354 355 while ((wkey = avl_destroy_nodes(&sk->sk_wkeys, &cookie)) != NULL) 356 dsl_wrapping_key_free(wkey); 357 358 avl_destroy(&sk->sk_wkeys); 359 avl_destroy(&sk->sk_key_mappings); 360 avl_destroy(&sk->sk_dsl_keys); 361 rw_destroy(&sk->sk_wkeys_lock); 362 rw_destroy(&sk->sk_km_lock); 363 rw_destroy(&sk->sk_dk_lock); 364 } 365 366 static int 367 dsl_dir_get_encryption_root_ddobj(dsl_dir_t *dd, uint64_t *rddobj) 368 { 369 if (dd->dd_crypto_obj == 0) 370 return (SET_ERROR(ENOENT)); 371 372 return (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 373 DSL_CRYPTO_KEY_ROOT_DDOBJ, 8, 1, rddobj)); 374 } 375 376 static int 377 dsl_dir_get_encryption_version(dsl_dir_t *dd, uint64_t *version) 378 { 379 *version = 0; 380 381 if (dd->dd_crypto_obj == 0) 382 return (SET_ERROR(ENOENT)); 383 384 /* version 0 is implied by ENOENT */ 385 (void) zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 386 DSL_CRYPTO_KEY_VERSION, 8, 1, version); 387 388 return (0); 389 } 390 391 boolean_t 392 dsl_dir_incompatible_encryption_version(dsl_dir_t *dd) 393 { 394 int ret; 395 uint64_t version = 0; 396 397 ret = dsl_dir_get_encryption_version(dd, &version); 398 if (ret != 0) 399 return (B_FALSE); 400 401 return (version != ZIO_CRYPT_KEY_CURRENT_VERSION); 402 } 403 404 static int 405 spa_keystore_wkey_hold_ddobj_impl(spa_t *spa, uint64_t ddobj, 406 const void *tag, dsl_wrapping_key_t **wkey_out) 407 { 408 int ret; 409 dsl_wrapping_key_t search_wkey; 410 dsl_wrapping_key_t *found_wkey; 411 412 ASSERT(RW_LOCK_HELD(&spa->spa_keystore.sk_wkeys_lock)); 413 414 /* init the search wrapping key */ 415 search_wkey.wk_ddobj = ddobj; 416 417 /* lookup the wrapping key */ 418 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, &search_wkey, NULL); 419 if (!found_wkey) { 420 ret = SET_ERROR(ENOENT); 421 goto error; 422 } 423 424 /* increment the refcount */ 425 dsl_wrapping_key_hold(found_wkey, tag); 426 427 *wkey_out = found_wkey; 428 return (0); 429 430 error: 431 *wkey_out = NULL; 432 return (ret); 433 } 434 435 static int 436 spa_keystore_wkey_hold_dd(spa_t *spa, dsl_dir_t *dd, const void *tag, 437 dsl_wrapping_key_t **wkey_out) 438 { 439 int ret; 440 dsl_wrapping_key_t *wkey; 441 uint64_t rddobj; 442 boolean_t locked = B_FALSE; 443 444 if (!RW_WRITE_HELD(&spa->spa_keystore.sk_wkeys_lock)) { 445 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_READER); 446 locked = B_TRUE; 447 } 448 449 /* get the ddobj that the keylocation property was inherited from */ 450 ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj); 451 if (ret != 0) 452 goto error; 453 454 /* lookup the wkey in the avl tree */ 455 ret = spa_keystore_wkey_hold_ddobj_impl(spa, rddobj, tag, &wkey); 456 if (ret != 0) 457 goto error; 458 459 /* unlock the wkey tree if we locked it */ 460 if (locked) 461 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 462 463 *wkey_out = wkey; 464 return (0); 465 466 error: 467 if (locked) 468 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 469 470 *wkey_out = NULL; 471 return (ret); 472 } 473 474 int 475 dsl_crypto_can_set_keylocation(const char *dsname, const char *keylocation) 476 { 477 int ret = 0; 478 dsl_dir_t *dd = NULL; 479 dsl_pool_t *dp = NULL; 480 uint64_t rddobj; 481 482 /* hold the dsl dir */ 483 ret = dsl_pool_hold(dsname, FTAG, &dp); 484 if (ret != 0) 485 goto out; 486 487 ret = dsl_dir_hold(dp, dsname, FTAG, &dd, NULL); 488 if (ret != 0) { 489 dd = NULL; 490 goto out; 491 } 492 493 /* if dd is not encrypted, the value may only be "none" */ 494 if (dd->dd_crypto_obj == 0) { 495 if (strcmp(keylocation, "none") != 0) { 496 ret = SET_ERROR(EACCES); 497 goto out; 498 } 499 500 ret = 0; 501 goto out; 502 } 503 504 /* check for a valid keylocation for encrypted datasets */ 505 if (!zfs_prop_valid_keylocation(keylocation, B_TRUE)) { 506 ret = SET_ERROR(EINVAL); 507 goto out; 508 } 509 510 /* check that this is an encryption root */ 511 ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj); 512 if (ret != 0) 513 goto out; 514 515 if (rddobj != dd->dd_object) { 516 ret = SET_ERROR(EACCES); 517 goto out; 518 } 519 520 dsl_dir_rele(dd, FTAG); 521 dsl_pool_rele(dp, FTAG); 522 523 return (0); 524 525 out: 526 if (dd != NULL) 527 dsl_dir_rele(dd, FTAG); 528 if (dp != NULL) 529 dsl_pool_rele(dp, FTAG); 530 531 return (ret); 532 } 533 534 static void 535 dsl_crypto_key_free(dsl_crypto_key_t *dck) 536 { 537 ASSERT(zfs_refcount_count(&dck->dck_holds) == 0); 538 539 /* destroy the zio_crypt_key_t */ 540 zio_crypt_key_destroy(&dck->dck_key); 541 542 /* free the refcount, wrapping key, and lock */ 543 zfs_refcount_destroy(&dck->dck_holds); 544 if (dck->dck_wkey) 545 dsl_wrapping_key_rele(dck->dck_wkey, dck); 546 547 /* free the key */ 548 kmem_free(dck, sizeof (dsl_crypto_key_t)); 549 } 550 551 static void 552 dsl_crypto_key_rele(dsl_crypto_key_t *dck, const void *tag) 553 { 554 if (zfs_refcount_remove(&dck->dck_holds, tag) == 0) 555 dsl_crypto_key_free(dck); 556 } 557 558 static int 559 dsl_crypto_key_open(objset_t *mos, dsl_wrapping_key_t *wkey, 560 uint64_t dckobj, const void *tag, dsl_crypto_key_t **dck_out) 561 { 562 int ret; 563 uint64_t crypt = 0, guid = 0, version = 0; 564 uint8_t raw_keydata[MASTER_KEY_MAX_LEN]; 565 uint8_t raw_hmac_keydata[SHA512_HMAC_KEYLEN]; 566 uint8_t iv[WRAPPING_IV_LEN]; 567 uint8_t mac[WRAPPING_MAC_LEN]; 568 dsl_crypto_key_t *dck; 569 570 /* allocate and initialize the key */ 571 dck = kmem_zalloc(sizeof (dsl_crypto_key_t), KM_SLEEP); 572 573 /* fetch all of the values we need from the ZAP */ 574 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, 575 &crypt); 576 if (ret != 0) 577 goto error; 578 579 /* handle a future crypto suite that we don't support */ 580 if (crypt >= ZIO_CRYPT_FUNCTIONS) { 581 ret = (SET_ERROR(ZFS_ERR_CRYPTO_NOTSUP)); 582 goto error; 583 } 584 585 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_GUID, 8, 1, &guid); 586 if (ret != 0) 587 goto error; 588 589 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MASTER_KEY, 1, 590 MASTER_KEY_MAX_LEN, raw_keydata); 591 if (ret != 0) 592 goto error; 593 594 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_HMAC_KEY, 1, 595 SHA512_HMAC_KEYLEN, raw_hmac_keydata); 596 if (ret != 0) 597 goto error; 598 599 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_IV, 1, WRAPPING_IV_LEN, 600 iv); 601 if (ret != 0) 602 goto error; 603 604 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MAC, 1, WRAPPING_MAC_LEN, 605 mac); 606 if (ret != 0) 607 goto error; 608 609 /* the initial on-disk format for encryption did not have a version */ 610 (void) zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_VERSION, 8, 1, &version); 611 612 /* 613 * Unwrap the keys. If there is an error return EACCES to indicate 614 * an authentication failure. 615 */ 616 ret = zio_crypt_key_unwrap(&wkey->wk_key, crypt, version, guid, 617 raw_keydata, raw_hmac_keydata, iv, mac, &dck->dck_key); 618 if (ret != 0) { 619 ret = SET_ERROR(EACCES); 620 goto error; 621 } 622 623 /* finish initializing the dsl_crypto_key_t */ 624 zfs_refcount_create(&dck->dck_holds); 625 dsl_wrapping_key_hold(wkey, dck); 626 dck->dck_wkey = wkey; 627 dck->dck_obj = dckobj; 628 zfs_refcount_add(&dck->dck_holds, tag); 629 630 *dck_out = dck; 631 return (0); 632 633 error: 634 if (dck != NULL) { 635 memset(dck, 0, sizeof (dsl_crypto_key_t)); 636 kmem_free(dck, sizeof (dsl_crypto_key_t)); 637 } 638 639 *dck_out = NULL; 640 return (ret); 641 } 642 643 static int 644 spa_keystore_dsl_key_hold_impl(spa_t *spa, uint64_t dckobj, const void *tag, 645 dsl_crypto_key_t **dck_out) 646 { 647 int ret; 648 dsl_crypto_key_t search_dck; 649 dsl_crypto_key_t *found_dck; 650 651 ASSERT(RW_LOCK_HELD(&spa->spa_keystore.sk_dk_lock)); 652 653 /* init the search key */ 654 search_dck.dck_obj = dckobj; 655 656 /* find the matching key in the keystore */ 657 found_dck = avl_find(&spa->spa_keystore.sk_dsl_keys, &search_dck, NULL); 658 if (!found_dck) { 659 ret = SET_ERROR(ENOENT); 660 goto error; 661 } 662 663 /* increment the refcount */ 664 zfs_refcount_add(&found_dck->dck_holds, tag); 665 666 *dck_out = found_dck; 667 return (0); 668 669 error: 670 *dck_out = NULL; 671 return (ret); 672 } 673 674 static int 675 spa_keystore_dsl_key_hold_dd(spa_t *spa, dsl_dir_t *dd, const void *tag, 676 dsl_crypto_key_t **dck_out) 677 { 678 int ret; 679 avl_index_t where; 680 dsl_crypto_key_t *dck_io = NULL, *dck_ks = NULL; 681 dsl_wrapping_key_t *wkey = NULL; 682 uint64_t dckobj = dd->dd_crypto_obj; 683 684 /* Lookup the key in the tree of currently loaded keys */ 685 rw_enter(&spa->spa_keystore.sk_dk_lock, RW_READER); 686 ret = spa_keystore_dsl_key_hold_impl(spa, dckobj, tag, &dck_ks); 687 rw_exit(&spa->spa_keystore.sk_dk_lock); 688 if (ret == 0) { 689 *dck_out = dck_ks; 690 return (0); 691 } 692 693 /* Lookup the wrapping key from the keystore */ 694 ret = spa_keystore_wkey_hold_dd(spa, dd, FTAG, &wkey); 695 if (ret != 0) { 696 *dck_out = NULL; 697 return (SET_ERROR(EACCES)); 698 } 699 700 /* Read the key from disk */ 701 ret = dsl_crypto_key_open(spa->spa_meta_objset, wkey, dckobj, 702 tag, &dck_io); 703 if (ret != 0) { 704 dsl_wrapping_key_rele(wkey, FTAG); 705 *dck_out = NULL; 706 return (ret); 707 } 708 709 /* 710 * Add the key to the keystore. It may already exist if it was 711 * added while performing the read from disk. In this case discard 712 * it and return the key from the keystore. 713 */ 714 rw_enter(&spa->spa_keystore.sk_dk_lock, RW_WRITER); 715 ret = spa_keystore_dsl_key_hold_impl(spa, dckobj, tag, &dck_ks); 716 if (ret != 0) { 717 avl_find(&spa->spa_keystore.sk_dsl_keys, dck_io, &where); 718 avl_insert(&spa->spa_keystore.sk_dsl_keys, dck_io, where); 719 *dck_out = dck_io; 720 } else { 721 dsl_crypto_key_rele(dck_io, tag); 722 *dck_out = dck_ks; 723 } 724 725 /* Release the wrapping key (the dsl key now has a reference to it) */ 726 dsl_wrapping_key_rele(wkey, FTAG); 727 rw_exit(&spa->spa_keystore.sk_dk_lock); 728 729 return (0); 730 } 731 732 void 733 spa_keystore_dsl_key_rele(spa_t *spa, dsl_crypto_key_t *dck, const void *tag) 734 { 735 rw_enter(&spa->spa_keystore.sk_dk_lock, RW_WRITER); 736 737 if (zfs_refcount_remove(&dck->dck_holds, tag) == 0) { 738 avl_remove(&spa->spa_keystore.sk_dsl_keys, dck); 739 dsl_crypto_key_free(dck); 740 } 741 742 rw_exit(&spa->spa_keystore.sk_dk_lock); 743 } 744 745 int 746 spa_keystore_load_wkey_impl(spa_t *spa, dsl_wrapping_key_t *wkey) 747 { 748 int ret; 749 avl_index_t where; 750 dsl_wrapping_key_t *found_wkey; 751 752 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 753 754 /* insert the wrapping key into the keystore */ 755 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, wkey, &where); 756 if (found_wkey != NULL) { 757 ret = SET_ERROR(EEXIST); 758 goto error_unlock; 759 } 760 avl_insert(&spa->spa_keystore.sk_wkeys, wkey, where); 761 762 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 763 764 return (0); 765 766 error_unlock: 767 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 768 return (ret); 769 } 770 771 int 772 spa_keystore_load_wkey(const char *dsname, dsl_crypto_params_t *dcp, 773 boolean_t noop) 774 { 775 int ret; 776 dsl_dir_t *dd = NULL; 777 dsl_crypto_key_t *dck = NULL; 778 dsl_wrapping_key_t *wkey = dcp->cp_wkey; 779 dsl_pool_t *dp = NULL; 780 uint64_t rddobj, keyformat, salt, iters; 781 782 /* 783 * We don't validate the wrapping key's keyformat, salt, or iters 784 * since they will never be needed after the DCK has been wrapped. 785 */ 786 if (dcp->cp_wkey == NULL || 787 dcp->cp_cmd != DCP_CMD_NONE || 788 dcp->cp_crypt != ZIO_CRYPT_INHERIT || 789 dcp->cp_keylocation != NULL) 790 return (SET_ERROR(EINVAL)); 791 792 ret = dsl_pool_hold(dsname, FTAG, &dp); 793 if (ret != 0) 794 goto error; 795 796 if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_ENCRYPTION)) { 797 ret = SET_ERROR(ENOTSUP); 798 goto error; 799 } 800 801 /* hold the dsl dir */ 802 ret = dsl_dir_hold(dp, dsname, FTAG, &dd, NULL); 803 if (ret != 0) { 804 dd = NULL; 805 goto error; 806 } 807 808 /* confirm that dd is the encryption root */ 809 ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj); 810 if (ret != 0 || rddobj != dd->dd_object) { 811 ret = SET_ERROR(EINVAL); 812 goto error; 813 } 814 815 /* initialize the wkey's ddobj */ 816 wkey->wk_ddobj = dd->dd_object; 817 818 /* verify that the wkey is correct by opening its dsl key */ 819 ret = dsl_crypto_key_open(dp->dp_meta_objset, wkey, 820 dd->dd_crypto_obj, FTAG, &dck); 821 if (ret != 0) 822 goto error; 823 824 /* initialize the wkey encryption parameters from the DSL Crypto Key */ 825 ret = zap_lookup(dp->dp_meta_objset, dd->dd_crypto_obj, 826 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 8, 1, &keyformat); 827 if (ret != 0) 828 goto error; 829 830 ret = zap_lookup(dp->dp_meta_objset, dd->dd_crypto_obj, 831 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 8, 1, &salt); 832 if (ret != 0) 833 goto error; 834 835 ret = zap_lookup(dp->dp_meta_objset, dd->dd_crypto_obj, 836 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 8, 1, &iters); 837 if (ret != 0) 838 goto error; 839 840 ASSERT3U(keyformat, <, ZFS_KEYFORMAT_FORMATS); 841 ASSERT3U(keyformat, !=, ZFS_KEYFORMAT_NONE); 842 IMPLY(keyformat == ZFS_KEYFORMAT_PASSPHRASE, iters != 0); 843 IMPLY(keyformat == ZFS_KEYFORMAT_PASSPHRASE, salt != 0); 844 IMPLY(keyformat != ZFS_KEYFORMAT_PASSPHRASE, iters == 0); 845 IMPLY(keyformat != ZFS_KEYFORMAT_PASSPHRASE, salt == 0); 846 847 wkey->wk_keyformat = keyformat; 848 wkey->wk_salt = salt; 849 wkey->wk_iters = iters; 850 851 /* 852 * At this point we have verified the wkey and confirmed that it can 853 * be used to decrypt a DSL Crypto Key. We can simply cleanup and 854 * return if this is all the user wanted to do. 855 */ 856 if (noop) 857 goto error; 858 859 /* insert the wrapping key into the keystore */ 860 ret = spa_keystore_load_wkey_impl(dp->dp_spa, wkey); 861 if (ret != 0) 862 goto error; 863 864 dsl_crypto_key_rele(dck, FTAG); 865 dsl_dir_rele(dd, FTAG); 866 dsl_pool_rele(dp, FTAG); 867 868 /* create any zvols under this ds */ 869 zvol_create_minors_recursive(dsname); 870 871 return (0); 872 873 error: 874 if (dck != NULL) 875 dsl_crypto_key_rele(dck, FTAG); 876 if (dd != NULL) 877 dsl_dir_rele(dd, FTAG); 878 if (dp != NULL) 879 dsl_pool_rele(dp, FTAG); 880 881 return (ret); 882 } 883 884 int 885 spa_keystore_unload_wkey_impl(spa_t *spa, uint64_t ddobj) 886 { 887 int ret; 888 dsl_wrapping_key_t search_wkey; 889 dsl_wrapping_key_t *found_wkey; 890 891 /* init the search wrapping key */ 892 search_wkey.wk_ddobj = ddobj; 893 894 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 895 896 /* remove the wrapping key from the keystore */ 897 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, 898 &search_wkey, NULL); 899 if (!found_wkey) { 900 ret = SET_ERROR(EACCES); 901 goto error_unlock; 902 } else if (zfs_refcount_count(&found_wkey->wk_refcnt) != 0) { 903 ret = SET_ERROR(EBUSY); 904 goto error_unlock; 905 } 906 avl_remove(&spa->spa_keystore.sk_wkeys, found_wkey); 907 908 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 909 910 /* free the wrapping key */ 911 dsl_wrapping_key_free(found_wkey); 912 913 return (0); 914 915 error_unlock: 916 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 917 return (ret); 918 } 919 920 int 921 spa_keystore_unload_wkey(const char *dsname) 922 { 923 int ret = 0; 924 dsl_dir_t *dd = NULL; 925 dsl_pool_t *dp = NULL; 926 spa_t *spa = NULL; 927 928 ret = spa_open(dsname, &spa, FTAG); 929 if (ret != 0) 930 return (ret); 931 932 /* 933 * Wait for any outstanding txg IO to complete, releasing any 934 * remaining references on the wkey. 935 */ 936 if (spa_mode(spa) != SPA_MODE_READ) 937 txg_wait_synced(spa->spa_dsl_pool, 0); 938 939 spa_close(spa, FTAG); 940 941 /* hold the dsl dir */ 942 ret = dsl_pool_hold(dsname, FTAG, &dp); 943 if (ret != 0) 944 goto error; 945 946 if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_ENCRYPTION)) { 947 ret = (SET_ERROR(ENOTSUP)); 948 goto error; 949 } 950 951 ret = dsl_dir_hold(dp, dsname, FTAG, &dd, NULL); 952 if (ret != 0) { 953 dd = NULL; 954 goto error; 955 } 956 957 /* unload the wkey */ 958 ret = spa_keystore_unload_wkey_impl(dp->dp_spa, dd->dd_object); 959 if (ret != 0) 960 goto error; 961 962 dsl_dir_rele(dd, FTAG); 963 dsl_pool_rele(dp, FTAG); 964 965 /* remove any zvols under this ds */ 966 zvol_remove_minors(dp->dp_spa, dsname, B_TRUE); 967 968 return (0); 969 970 error: 971 if (dd != NULL) 972 dsl_dir_rele(dd, FTAG); 973 if (dp != NULL) 974 dsl_pool_rele(dp, FTAG); 975 976 return (ret); 977 } 978 979 void 980 key_mapping_add_ref(dsl_key_mapping_t *km, const void *tag) 981 { 982 ASSERT3U(zfs_refcount_count(&km->km_refcnt), >=, 1); 983 zfs_refcount_add(&km->km_refcnt, tag); 984 } 985 986 /* 987 * The locking here is a little tricky to ensure we don't cause unnecessary 988 * performance problems. We want to release a key mapping whenever someone 989 * decrements the refcount to 0, but freeing the mapping requires removing 990 * it from the spa_keystore, which requires holding sk_km_lock as a writer. 991 * Most of the time we don't want to hold this lock as a writer, since the 992 * same lock is held as a reader for each IO that needs to encrypt / decrypt 993 * data for any dataset and in practice we will only actually free the 994 * mapping after unmounting a dataset. 995 */ 996 void 997 key_mapping_rele(spa_t *spa, dsl_key_mapping_t *km, const void *tag) 998 { 999 ASSERT3U(zfs_refcount_count(&km->km_refcnt), >=, 1); 1000 1001 if (zfs_refcount_remove(&km->km_refcnt, tag) != 0) 1002 return; 1003 1004 /* 1005 * We think we are going to need to free the mapping. Add a 1006 * reference to prevent most other releasers from thinking 1007 * this might be their responsibility. This is inherently 1008 * racy, so we will confirm that we are legitimately the 1009 * last holder once we have the sk_km_lock as a writer. 1010 */ 1011 zfs_refcount_add(&km->km_refcnt, FTAG); 1012 1013 rw_enter(&spa->spa_keystore.sk_km_lock, RW_WRITER); 1014 if (zfs_refcount_remove(&km->km_refcnt, FTAG) != 0) { 1015 rw_exit(&spa->spa_keystore.sk_km_lock); 1016 return; 1017 } 1018 1019 avl_remove(&spa->spa_keystore.sk_key_mappings, km); 1020 rw_exit(&spa->spa_keystore.sk_km_lock); 1021 1022 spa_keystore_dsl_key_rele(spa, km->km_key, km); 1023 zfs_refcount_destroy(&km->km_refcnt); 1024 kmem_free(km, sizeof (dsl_key_mapping_t)); 1025 } 1026 1027 int 1028 spa_keystore_create_mapping(spa_t *spa, dsl_dataset_t *ds, const void *tag, 1029 dsl_key_mapping_t **km_out) 1030 { 1031 int ret; 1032 avl_index_t where; 1033 dsl_key_mapping_t *km, *found_km; 1034 boolean_t should_free = B_FALSE; 1035 1036 /* Allocate and initialize the mapping */ 1037 km = kmem_zalloc(sizeof (dsl_key_mapping_t), KM_SLEEP); 1038 zfs_refcount_create(&km->km_refcnt); 1039 1040 ret = spa_keystore_dsl_key_hold_dd(spa, ds->ds_dir, km, &km->km_key); 1041 if (ret != 0) { 1042 zfs_refcount_destroy(&km->km_refcnt); 1043 kmem_free(km, sizeof (dsl_key_mapping_t)); 1044 1045 if (km_out != NULL) 1046 *km_out = NULL; 1047 return (ret); 1048 } 1049 1050 km->km_dsobj = ds->ds_object; 1051 1052 rw_enter(&spa->spa_keystore.sk_km_lock, RW_WRITER); 1053 1054 /* 1055 * If a mapping already exists, simply increment its refcount and 1056 * cleanup the one we made. We want to allocate / free outside of 1057 * the lock because this lock is also used by the zio layer to lookup 1058 * key mappings. Otherwise, use the one we created. Normally, there will 1059 * only be one active reference at a time (the objset owner), but there 1060 * are times when there could be multiple async users. 1061 */ 1062 found_km = avl_find(&spa->spa_keystore.sk_key_mappings, km, &where); 1063 if (found_km != NULL) { 1064 should_free = B_TRUE; 1065 zfs_refcount_add(&found_km->km_refcnt, tag); 1066 if (km_out != NULL) 1067 *km_out = found_km; 1068 } else { 1069 zfs_refcount_add(&km->km_refcnt, tag); 1070 avl_insert(&spa->spa_keystore.sk_key_mappings, km, where); 1071 if (km_out != NULL) 1072 *km_out = km; 1073 } 1074 1075 rw_exit(&spa->spa_keystore.sk_km_lock); 1076 1077 if (should_free) { 1078 spa_keystore_dsl_key_rele(spa, km->km_key, km); 1079 zfs_refcount_destroy(&km->km_refcnt); 1080 kmem_free(km, sizeof (dsl_key_mapping_t)); 1081 } 1082 1083 return (0); 1084 } 1085 1086 int 1087 spa_keystore_remove_mapping(spa_t *spa, uint64_t dsobj, const void *tag) 1088 { 1089 int ret; 1090 dsl_key_mapping_t search_km; 1091 dsl_key_mapping_t *found_km; 1092 1093 /* init the search key mapping */ 1094 search_km.km_dsobj = dsobj; 1095 1096 rw_enter(&spa->spa_keystore.sk_km_lock, RW_READER); 1097 1098 /* find the matching mapping */ 1099 found_km = avl_find(&spa->spa_keystore.sk_key_mappings, 1100 &search_km, NULL); 1101 if (found_km == NULL) { 1102 ret = SET_ERROR(ENOENT); 1103 goto error_unlock; 1104 } 1105 1106 rw_exit(&spa->spa_keystore.sk_km_lock); 1107 1108 key_mapping_rele(spa, found_km, tag); 1109 1110 return (0); 1111 1112 error_unlock: 1113 rw_exit(&spa->spa_keystore.sk_km_lock); 1114 return (ret); 1115 } 1116 1117 /* 1118 * This function is primarily used by the zio and arc layer to lookup 1119 * DSL Crypto Keys for encryption. Callers must release the key with 1120 * spa_keystore_dsl_key_rele(). The function may also be called with 1121 * dck_out == NULL and tag == NULL to simply check that a key exists 1122 * without getting a reference to it. 1123 */ 1124 int 1125 spa_keystore_lookup_key(spa_t *spa, uint64_t dsobj, const void *tag, 1126 dsl_crypto_key_t **dck_out) 1127 { 1128 int ret; 1129 dsl_key_mapping_t search_km; 1130 dsl_key_mapping_t *found_km; 1131 1132 ASSERT((tag != NULL && dck_out != NULL) || 1133 (tag == NULL && dck_out == NULL)); 1134 1135 /* init the search key mapping */ 1136 search_km.km_dsobj = dsobj; 1137 1138 rw_enter(&spa->spa_keystore.sk_km_lock, RW_READER); 1139 1140 /* remove the mapping from the tree */ 1141 found_km = avl_find(&spa->spa_keystore.sk_key_mappings, &search_km, 1142 NULL); 1143 if (found_km == NULL) { 1144 ret = SET_ERROR(ENOENT); 1145 goto error_unlock; 1146 } 1147 1148 if (found_km && tag) 1149 zfs_refcount_add(&found_km->km_key->dck_holds, tag); 1150 1151 rw_exit(&spa->spa_keystore.sk_km_lock); 1152 1153 if (dck_out != NULL) 1154 *dck_out = found_km->km_key; 1155 return (0); 1156 1157 error_unlock: 1158 rw_exit(&spa->spa_keystore.sk_km_lock); 1159 1160 if (dck_out != NULL) 1161 *dck_out = NULL; 1162 return (ret); 1163 } 1164 1165 static int 1166 dmu_objset_check_wkey_loaded(dsl_dir_t *dd) 1167 { 1168 int ret; 1169 dsl_wrapping_key_t *wkey = NULL; 1170 1171 ret = spa_keystore_wkey_hold_dd(dd->dd_pool->dp_spa, dd, FTAG, 1172 &wkey); 1173 if (ret != 0) 1174 return (SET_ERROR(EACCES)); 1175 1176 dsl_wrapping_key_rele(wkey, FTAG); 1177 1178 return (0); 1179 } 1180 1181 zfs_keystatus_t 1182 dsl_dataset_get_keystatus(dsl_dir_t *dd) 1183 { 1184 /* check if this dd has a has a dsl key */ 1185 if (dd->dd_crypto_obj == 0) 1186 return (ZFS_KEYSTATUS_NONE); 1187 1188 return (dmu_objset_check_wkey_loaded(dd) == 0 ? 1189 ZFS_KEYSTATUS_AVAILABLE : ZFS_KEYSTATUS_UNAVAILABLE); 1190 } 1191 1192 static int 1193 dsl_dir_get_crypt(dsl_dir_t *dd, uint64_t *crypt) 1194 { 1195 if (dd->dd_crypto_obj == 0) { 1196 *crypt = ZIO_CRYPT_OFF; 1197 return (0); 1198 } 1199 1200 return (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 1201 DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, crypt)); 1202 } 1203 1204 static void 1205 dsl_crypto_key_sync_impl(objset_t *mos, uint64_t dckobj, uint64_t crypt, 1206 uint64_t root_ddobj, uint64_t guid, uint8_t *iv, uint8_t *mac, 1207 uint8_t *keydata, uint8_t *hmac_keydata, uint64_t keyformat, 1208 uint64_t salt, uint64_t iters, dmu_tx_t *tx) 1209 { 1210 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, 1211 &crypt, tx)); 1212 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_ROOT_DDOBJ, 8, 1, 1213 &root_ddobj, tx)); 1214 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_GUID, 8, 1, 1215 &guid, tx)); 1216 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_IV, 1, WRAPPING_IV_LEN, 1217 iv, tx)); 1218 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_MAC, 1, WRAPPING_MAC_LEN, 1219 mac, tx)); 1220 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_MASTER_KEY, 1, 1221 MASTER_KEY_MAX_LEN, keydata, tx)); 1222 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_HMAC_KEY, 1, 1223 SHA512_HMAC_KEYLEN, hmac_keydata, tx)); 1224 VERIFY0(zap_update(mos, dckobj, zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 1225 8, 1, &keyformat, tx)); 1226 VERIFY0(zap_update(mos, dckobj, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 1227 8, 1, &salt, tx)); 1228 VERIFY0(zap_update(mos, dckobj, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 1229 8, 1, &iters, tx)); 1230 } 1231 1232 static void 1233 dsl_crypto_key_sync(dsl_crypto_key_t *dck, dmu_tx_t *tx) 1234 { 1235 zio_crypt_key_t *key = &dck->dck_key; 1236 dsl_wrapping_key_t *wkey = dck->dck_wkey; 1237 uint8_t keydata[MASTER_KEY_MAX_LEN]; 1238 uint8_t hmac_keydata[SHA512_HMAC_KEYLEN]; 1239 uint8_t iv[WRAPPING_IV_LEN]; 1240 uint8_t mac[WRAPPING_MAC_LEN]; 1241 1242 ASSERT(dmu_tx_is_syncing(tx)); 1243 ASSERT3U(key->zk_crypt, <, ZIO_CRYPT_FUNCTIONS); 1244 1245 /* encrypt and store the keys along with the IV and MAC */ 1246 VERIFY0(zio_crypt_key_wrap(&dck->dck_wkey->wk_key, key, iv, mac, 1247 keydata, hmac_keydata)); 1248 1249 /* update the ZAP with the obtained values */ 1250 dsl_crypto_key_sync_impl(tx->tx_pool->dp_meta_objset, dck->dck_obj, 1251 key->zk_crypt, wkey->wk_ddobj, key->zk_guid, iv, mac, keydata, 1252 hmac_keydata, wkey->wk_keyformat, wkey->wk_salt, wkey->wk_iters, 1253 tx); 1254 } 1255 1256 typedef struct spa_keystore_change_key_args { 1257 const char *skcka_dsname; 1258 dsl_crypto_params_t *skcka_cp; 1259 } spa_keystore_change_key_args_t; 1260 1261 static int 1262 spa_keystore_change_key_check(void *arg, dmu_tx_t *tx) 1263 { 1264 int ret; 1265 dsl_dir_t *dd = NULL; 1266 dsl_pool_t *dp = dmu_tx_pool(tx); 1267 spa_keystore_change_key_args_t *skcka = arg; 1268 dsl_crypto_params_t *dcp = skcka->skcka_cp; 1269 uint64_t rddobj; 1270 1271 /* check for the encryption feature */ 1272 if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_ENCRYPTION)) { 1273 ret = SET_ERROR(ENOTSUP); 1274 goto error; 1275 } 1276 1277 /* check for valid key change command */ 1278 if (dcp->cp_cmd != DCP_CMD_NEW_KEY && 1279 dcp->cp_cmd != DCP_CMD_INHERIT && 1280 dcp->cp_cmd != DCP_CMD_FORCE_NEW_KEY && 1281 dcp->cp_cmd != DCP_CMD_FORCE_INHERIT) { 1282 ret = SET_ERROR(EINVAL); 1283 goto error; 1284 } 1285 1286 /* hold the dd */ 1287 ret = dsl_dir_hold(dp, skcka->skcka_dsname, FTAG, &dd, NULL); 1288 if (ret != 0) { 1289 dd = NULL; 1290 goto error; 1291 } 1292 1293 /* verify that the dataset is encrypted */ 1294 if (dd->dd_crypto_obj == 0) { 1295 ret = SET_ERROR(EINVAL); 1296 goto error; 1297 } 1298 1299 /* clones must always use their origin's key */ 1300 if (dsl_dir_is_clone(dd)) { 1301 ret = SET_ERROR(EINVAL); 1302 goto error; 1303 } 1304 1305 /* lookup the ddobj we are inheriting the keylocation from */ 1306 ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj); 1307 if (ret != 0) 1308 goto error; 1309 1310 /* Handle inheritance */ 1311 if (dcp->cp_cmd == DCP_CMD_INHERIT || 1312 dcp->cp_cmd == DCP_CMD_FORCE_INHERIT) { 1313 /* no other encryption params should be given */ 1314 if (dcp->cp_crypt != ZIO_CRYPT_INHERIT || 1315 dcp->cp_keylocation != NULL || 1316 dcp->cp_wkey != NULL) { 1317 ret = SET_ERROR(EINVAL); 1318 goto error; 1319 } 1320 1321 /* check that this is an encryption root */ 1322 if (dd->dd_object != rddobj) { 1323 ret = SET_ERROR(EINVAL); 1324 goto error; 1325 } 1326 1327 /* check that the parent is encrypted */ 1328 if (dd->dd_parent->dd_crypto_obj == 0) { 1329 ret = SET_ERROR(EINVAL); 1330 goto error; 1331 } 1332 1333 /* if we are rewrapping check that both keys are loaded */ 1334 if (dcp->cp_cmd == DCP_CMD_INHERIT) { 1335 ret = dmu_objset_check_wkey_loaded(dd); 1336 if (ret != 0) 1337 goto error; 1338 1339 ret = dmu_objset_check_wkey_loaded(dd->dd_parent); 1340 if (ret != 0) 1341 goto error; 1342 } 1343 1344 dsl_dir_rele(dd, FTAG); 1345 return (0); 1346 } 1347 1348 /* handle forcing an encryption root without rewrapping */ 1349 if (dcp->cp_cmd == DCP_CMD_FORCE_NEW_KEY) { 1350 /* no other encryption params should be given */ 1351 if (dcp->cp_crypt != ZIO_CRYPT_INHERIT || 1352 dcp->cp_keylocation != NULL || 1353 dcp->cp_wkey != NULL) { 1354 ret = SET_ERROR(EINVAL); 1355 goto error; 1356 } 1357 1358 /* check that this is not an encryption root */ 1359 if (dd->dd_object == rddobj) { 1360 ret = SET_ERROR(EINVAL); 1361 goto error; 1362 } 1363 1364 dsl_dir_rele(dd, FTAG); 1365 return (0); 1366 } 1367 1368 /* crypt cannot be changed after creation */ 1369 if (dcp->cp_crypt != ZIO_CRYPT_INHERIT) { 1370 ret = SET_ERROR(EINVAL); 1371 goto error; 1372 } 1373 1374 /* we are not inheritting our parent's wkey so we need one ourselves */ 1375 if (dcp->cp_wkey == NULL) { 1376 ret = SET_ERROR(EINVAL); 1377 goto error; 1378 } 1379 1380 /* check for a valid keyformat for the new wrapping key */ 1381 if (dcp->cp_wkey->wk_keyformat >= ZFS_KEYFORMAT_FORMATS || 1382 dcp->cp_wkey->wk_keyformat == ZFS_KEYFORMAT_NONE) { 1383 ret = SET_ERROR(EINVAL); 1384 goto error; 1385 } 1386 1387 /* 1388 * If this dataset is not currently an encryption root we need a new 1389 * keylocation for this dataset's new wrapping key. Otherwise we can 1390 * just keep the one we already had. 1391 */ 1392 if (dd->dd_object != rddobj && dcp->cp_keylocation == NULL) { 1393 ret = SET_ERROR(EINVAL); 1394 goto error; 1395 } 1396 1397 /* check that the keylocation is valid if it is not NULL */ 1398 if (dcp->cp_keylocation != NULL && 1399 !zfs_prop_valid_keylocation(dcp->cp_keylocation, B_TRUE)) { 1400 ret = SET_ERROR(EINVAL); 1401 goto error; 1402 } 1403 1404 /* passphrases require pbkdf2 salt and iters */ 1405 if (dcp->cp_wkey->wk_keyformat == ZFS_KEYFORMAT_PASSPHRASE) { 1406 if (dcp->cp_wkey->wk_salt == 0 || 1407 dcp->cp_wkey->wk_iters < MIN_PBKDF2_ITERATIONS) { 1408 ret = SET_ERROR(EINVAL); 1409 goto error; 1410 } 1411 } else { 1412 if (dcp->cp_wkey->wk_salt != 0 || dcp->cp_wkey->wk_iters != 0) { 1413 ret = SET_ERROR(EINVAL); 1414 goto error; 1415 } 1416 } 1417 1418 /* make sure the dd's wkey is loaded */ 1419 ret = dmu_objset_check_wkey_loaded(dd); 1420 if (ret != 0) 1421 goto error; 1422 1423 dsl_dir_rele(dd, FTAG); 1424 1425 return (0); 1426 1427 error: 1428 if (dd != NULL) 1429 dsl_dir_rele(dd, FTAG); 1430 1431 return (ret); 1432 } 1433 1434 /* 1435 * This function deals with the intricacies of updating wrapping 1436 * key references and encryption roots recursively in the event 1437 * of a call to 'zfs change-key' or 'zfs promote'. The 'skip' 1438 * parameter should always be set to B_FALSE when called 1439 * externally. 1440 */ 1441 static void 1442 spa_keystore_change_key_sync_impl(uint64_t rddobj, uint64_t ddobj, 1443 uint64_t new_rddobj, dsl_wrapping_key_t *wkey, boolean_t skip, 1444 dmu_tx_t *tx) 1445 { 1446 int ret; 1447 zap_cursor_t *zc; 1448 zap_attribute_t *za; 1449 dsl_pool_t *dp = dmu_tx_pool(tx); 1450 dsl_dir_t *dd = NULL; 1451 dsl_crypto_key_t *dck = NULL; 1452 uint64_t curr_rddobj; 1453 1454 ASSERT(RW_WRITE_HELD(&dp->dp_spa->spa_keystore.sk_wkeys_lock)); 1455 1456 /* hold the dd */ 1457 VERIFY0(dsl_dir_hold_obj(dp, ddobj, NULL, FTAG, &dd)); 1458 1459 /* ignore special dsl dirs */ 1460 if (dd->dd_myname[0] == '$' || dd->dd_myname[0] == '%') { 1461 dsl_dir_rele(dd, FTAG); 1462 return; 1463 } 1464 1465 ret = dsl_dir_get_encryption_root_ddobj(dd, &curr_rddobj); 1466 VERIFY(ret == 0 || ret == ENOENT); 1467 1468 /* 1469 * Stop recursing if this dsl dir didn't inherit from the root 1470 * or if this dd is a clone. 1471 */ 1472 if (ret == ENOENT || 1473 (!skip && (curr_rddobj != rddobj || dsl_dir_is_clone(dd)))) { 1474 dsl_dir_rele(dd, FTAG); 1475 return; 1476 } 1477 1478 /* 1479 * If we don't have a wrapping key just update the dck to reflect the 1480 * new encryption root. Otherwise rewrap the entire dck and re-sync it 1481 * to disk. If skip is set, we don't do any of this work. 1482 */ 1483 if (!skip) { 1484 if (wkey == NULL) { 1485 VERIFY0(zap_update(dp->dp_meta_objset, 1486 dd->dd_crypto_obj, 1487 DSL_CRYPTO_KEY_ROOT_DDOBJ, 8, 1, 1488 &new_rddobj, tx)); 1489 } else { 1490 VERIFY0(spa_keystore_dsl_key_hold_dd(dp->dp_spa, dd, 1491 FTAG, &dck)); 1492 dsl_wrapping_key_hold(wkey, dck); 1493 dsl_wrapping_key_rele(dck->dck_wkey, dck); 1494 dck->dck_wkey = wkey; 1495 dsl_crypto_key_sync(dck, tx); 1496 spa_keystore_dsl_key_rele(dp->dp_spa, dck, FTAG); 1497 } 1498 } 1499 1500 zc = kmem_alloc(sizeof (zap_cursor_t), KM_SLEEP); 1501 za = zap_attribute_alloc(); 1502 1503 /* Recurse into all child dsl dirs. */ 1504 for (zap_cursor_init(zc, dp->dp_meta_objset, 1505 dsl_dir_phys(dd)->dd_child_dir_zapobj); 1506 zap_cursor_retrieve(zc, za) == 0; 1507 zap_cursor_advance(zc)) { 1508 spa_keystore_change_key_sync_impl(rddobj, 1509 za->za_first_integer, new_rddobj, wkey, B_FALSE, tx); 1510 } 1511 zap_cursor_fini(zc); 1512 1513 /* 1514 * Recurse into all dsl dirs of clones. We utilize the skip parameter 1515 * here so that we don't attempt to process the clones directly. This 1516 * is because the clone and its origin share the same dck, which has 1517 * already been updated. 1518 */ 1519 for (zap_cursor_init(zc, dp->dp_meta_objset, 1520 dsl_dir_phys(dd)->dd_clones); 1521 zap_cursor_retrieve(zc, za) == 0; 1522 zap_cursor_advance(zc)) { 1523 dsl_dataset_t *clone; 1524 1525 VERIFY0(dsl_dataset_hold_obj(dp, za->za_first_integer, 1526 FTAG, &clone)); 1527 spa_keystore_change_key_sync_impl(rddobj, 1528 clone->ds_dir->dd_object, new_rddobj, wkey, B_TRUE, tx); 1529 dsl_dataset_rele(clone, FTAG); 1530 } 1531 zap_cursor_fini(zc); 1532 1533 zap_attribute_free(za); 1534 kmem_free(zc, sizeof (zap_cursor_t)); 1535 1536 dsl_dir_rele(dd, FTAG); 1537 } 1538 1539 static void 1540 spa_keystore_change_key_sync(void *arg, dmu_tx_t *tx) 1541 { 1542 dsl_dataset_t *ds; 1543 avl_index_t where; 1544 dsl_pool_t *dp = dmu_tx_pool(tx); 1545 spa_t *spa = dp->dp_spa; 1546 spa_keystore_change_key_args_t *skcka = arg; 1547 dsl_crypto_params_t *dcp = skcka->skcka_cp; 1548 dsl_wrapping_key_t *wkey = NULL, *found_wkey; 1549 dsl_wrapping_key_t wkey_search; 1550 const char *keylocation = dcp->cp_keylocation; 1551 uint64_t rddobj, new_rddobj; 1552 1553 /* create and initialize the wrapping key */ 1554 VERIFY0(dsl_dataset_hold(dp, skcka->skcka_dsname, FTAG, &ds)); 1555 ASSERT(!ds->ds_is_snapshot); 1556 1557 if (dcp->cp_cmd == DCP_CMD_NEW_KEY || 1558 dcp->cp_cmd == DCP_CMD_FORCE_NEW_KEY) { 1559 /* 1560 * We are changing to a new wkey. Set additional properties 1561 * which can be sent along with this ioctl. Note that this 1562 * command can set keylocation even if it can't normally be 1563 * set via 'zfs set' due to a non-local keylocation. 1564 */ 1565 if (dcp->cp_cmd == DCP_CMD_NEW_KEY) { 1566 wkey = dcp->cp_wkey; 1567 wkey->wk_ddobj = ds->ds_dir->dd_object; 1568 } else { 1569 keylocation = "prompt"; 1570 } 1571 1572 if (keylocation != NULL) { 1573 dsl_prop_set_sync_impl(ds, 1574 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1575 ZPROP_SRC_LOCAL, 1, strlen(keylocation) + 1, 1576 keylocation, tx); 1577 } 1578 1579 VERIFY0(dsl_dir_get_encryption_root_ddobj(ds->ds_dir, &rddobj)); 1580 new_rddobj = ds->ds_dir->dd_object; 1581 } else { 1582 /* 1583 * We are inheritting the parent's wkey. Unset any local 1584 * keylocation and grab a reference to the wkey. 1585 */ 1586 if (dcp->cp_cmd == DCP_CMD_INHERIT) { 1587 VERIFY0(spa_keystore_wkey_hold_dd(spa, 1588 ds->ds_dir->dd_parent, FTAG, &wkey)); 1589 } 1590 1591 dsl_prop_set_sync_impl(ds, 1592 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), ZPROP_SRC_NONE, 1593 0, 0, NULL, tx); 1594 1595 rddobj = ds->ds_dir->dd_object; 1596 VERIFY0(dsl_dir_get_encryption_root_ddobj(ds->ds_dir->dd_parent, 1597 &new_rddobj)); 1598 } 1599 1600 if (wkey == NULL) { 1601 ASSERT(dcp->cp_cmd == DCP_CMD_FORCE_INHERIT || 1602 dcp->cp_cmd == DCP_CMD_FORCE_NEW_KEY); 1603 } 1604 1605 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 1606 1607 /* recurse through all children and rewrap their keys */ 1608 spa_keystore_change_key_sync_impl(rddobj, ds->ds_dir->dd_object, 1609 new_rddobj, wkey, B_FALSE, tx); 1610 1611 /* 1612 * All references to the old wkey should be released now (if it 1613 * existed). Replace the wrapping key. 1614 */ 1615 wkey_search.wk_ddobj = ds->ds_dir->dd_object; 1616 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, &wkey_search, NULL); 1617 if (found_wkey != NULL) { 1618 ASSERT0(zfs_refcount_count(&found_wkey->wk_refcnt)); 1619 avl_remove(&spa->spa_keystore.sk_wkeys, found_wkey); 1620 dsl_wrapping_key_free(found_wkey); 1621 } 1622 1623 if (dcp->cp_cmd == DCP_CMD_NEW_KEY) { 1624 avl_find(&spa->spa_keystore.sk_wkeys, wkey, &where); 1625 avl_insert(&spa->spa_keystore.sk_wkeys, wkey, where); 1626 } else if (wkey != NULL) { 1627 dsl_wrapping_key_rele(wkey, FTAG); 1628 } 1629 1630 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 1631 1632 dsl_dataset_rele(ds, FTAG); 1633 } 1634 1635 int 1636 spa_keystore_change_key(const char *dsname, dsl_crypto_params_t *dcp) 1637 { 1638 spa_keystore_change_key_args_t skcka; 1639 1640 /* initialize the args struct */ 1641 skcka.skcka_dsname = dsname; 1642 skcka.skcka_cp = dcp; 1643 1644 /* 1645 * Perform the actual work in syncing context. The blocks modified 1646 * here could be calculated but it would require holding the pool 1647 * lock and traversing all of the datasets that will have their keys 1648 * changed. 1649 */ 1650 return (dsl_sync_task(dsname, spa_keystore_change_key_check, 1651 spa_keystore_change_key_sync, &skcka, 15, 1652 ZFS_SPACE_CHECK_RESERVED)); 1653 } 1654 1655 int 1656 dsl_dir_rename_crypt_check(dsl_dir_t *dd, dsl_dir_t *newparent) 1657 { 1658 int ret; 1659 uint64_t curr_rddobj, parent_rddobj; 1660 1661 if (dd->dd_crypto_obj == 0) 1662 return (0); 1663 1664 ret = dsl_dir_get_encryption_root_ddobj(dd, &curr_rddobj); 1665 if (ret != 0) 1666 goto error; 1667 1668 /* 1669 * if this is not an encryption root, we must make sure we are not 1670 * moving dd to a new encryption root 1671 */ 1672 if (dd->dd_object != curr_rddobj) { 1673 ret = dsl_dir_get_encryption_root_ddobj(newparent, 1674 &parent_rddobj); 1675 if (ret != 0) 1676 goto error; 1677 1678 if (parent_rddobj != curr_rddobj) { 1679 ret = SET_ERROR(EACCES); 1680 goto error; 1681 } 1682 } 1683 1684 return (0); 1685 1686 error: 1687 return (ret); 1688 } 1689 1690 /* 1691 * Check to make sure that a promote from targetdd to origindd will not require 1692 * any key rewraps. 1693 */ 1694 int 1695 dsl_dataset_promote_crypt_check(dsl_dir_t *target, dsl_dir_t *origin) 1696 { 1697 int ret; 1698 uint64_t rddobj, op_rddobj, tp_rddobj; 1699 1700 /* If the dataset is not encrypted we don't need to check anything */ 1701 if (origin->dd_crypto_obj == 0) 1702 return (0); 1703 1704 /* 1705 * If we are not changing the first origin snapshot in a chain 1706 * the encryption root won't change either. 1707 */ 1708 if (dsl_dir_is_clone(origin)) 1709 return (0); 1710 1711 /* 1712 * If the origin is the encryption root we will update 1713 * the DSL Crypto Key to point to the target instead. 1714 */ 1715 ret = dsl_dir_get_encryption_root_ddobj(origin, &rddobj); 1716 if (ret != 0) 1717 return (ret); 1718 1719 if (rddobj == origin->dd_object) 1720 return (0); 1721 1722 /* 1723 * The origin is inheriting its encryption root from its parent. 1724 * Check that the parent of the target has the same encryption root. 1725 */ 1726 ret = dsl_dir_get_encryption_root_ddobj(origin->dd_parent, &op_rddobj); 1727 if (ret == ENOENT) 1728 return (SET_ERROR(EACCES)); 1729 else if (ret != 0) 1730 return (ret); 1731 1732 ret = dsl_dir_get_encryption_root_ddobj(target->dd_parent, &tp_rddobj); 1733 if (ret == ENOENT) 1734 return (SET_ERROR(EACCES)); 1735 else if (ret != 0) 1736 return (ret); 1737 1738 if (op_rddobj != tp_rddobj) 1739 return (SET_ERROR(EACCES)); 1740 1741 return (0); 1742 } 1743 1744 void 1745 dsl_dataset_promote_crypt_sync(dsl_dir_t *target, dsl_dir_t *origin, 1746 dmu_tx_t *tx) 1747 { 1748 uint64_t rddobj; 1749 dsl_pool_t *dp = target->dd_pool; 1750 dsl_dataset_t *targetds; 1751 dsl_dataset_t *originds; 1752 char *keylocation; 1753 1754 if (origin->dd_crypto_obj == 0) 1755 return; 1756 if (dsl_dir_is_clone(origin)) 1757 return; 1758 1759 VERIFY0(dsl_dir_get_encryption_root_ddobj(origin, &rddobj)); 1760 1761 if (rddobj != origin->dd_object) 1762 return; 1763 1764 /* 1765 * If the target is being promoted to the encryption root update the 1766 * DSL Crypto Key and keylocation to reflect that. We also need to 1767 * update the DSL Crypto Keys of all children inheritting their 1768 * encryption root to point to the new target. Otherwise, the check 1769 * function ensured that the encryption root will not change. 1770 */ 1771 keylocation = kmem_alloc(ZAP_MAXVALUELEN, KM_SLEEP); 1772 1773 VERIFY0(dsl_dataset_hold_obj(dp, 1774 dsl_dir_phys(target)->dd_head_dataset_obj, FTAG, &targetds)); 1775 VERIFY0(dsl_dataset_hold_obj(dp, 1776 dsl_dir_phys(origin)->dd_head_dataset_obj, FTAG, &originds)); 1777 1778 VERIFY0(dsl_prop_get_dd(origin, zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1779 1, ZAP_MAXVALUELEN, keylocation, NULL, B_FALSE)); 1780 dsl_prop_set_sync_impl(targetds, zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1781 ZPROP_SRC_LOCAL, 1, strlen(keylocation) + 1, keylocation, tx); 1782 dsl_prop_set_sync_impl(originds, zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1783 ZPROP_SRC_NONE, 0, 0, NULL, tx); 1784 1785 rw_enter(&dp->dp_spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 1786 spa_keystore_change_key_sync_impl(rddobj, origin->dd_object, 1787 target->dd_object, NULL, B_FALSE, tx); 1788 rw_exit(&dp->dp_spa->spa_keystore.sk_wkeys_lock); 1789 1790 dsl_dataset_rele(targetds, FTAG); 1791 dsl_dataset_rele(originds, FTAG); 1792 kmem_free(keylocation, ZAP_MAXVALUELEN); 1793 } 1794 1795 int 1796 dmu_objset_create_crypt_check(dsl_dir_t *parentdd, dsl_crypto_params_t *dcp, 1797 boolean_t *will_encrypt) 1798 { 1799 int ret; 1800 uint64_t pcrypt, crypt; 1801 dsl_crypto_params_t dummy_dcp = { 0 }; 1802 1803 if (will_encrypt != NULL) 1804 *will_encrypt = B_FALSE; 1805 1806 if (dcp == NULL) 1807 dcp = &dummy_dcp; 1808 1809 if (dcp->cp_cmd != DCP_CMD_NONE) 1810 return (SET_ERROR(EINVAL)); 1811 1812 if (parentdd != NULL) { 1813 ret = dsl_dir_get_crypt(parentdd, &pcrypt); 1814 if (ret != 0) 1815 return (ret); 1816 } else { 1817 pcrypt = ZIO_CRYPT_OFF; 1818 } 1819 1820 crypt = (dcp->cp_crypt == ZIO_CRYPT_INHERIT) ? pcrypt : dcp->cp_crypt; 1821 1822 ASSERT3U(pcrypt, !=, ZIO_CRYPT_INHERIT); 1823 ASSERT3U(crypt, !=, ZIO_CRYPT_INHERIT); 1824 1825 /* check for valid dcp with no encryption (inherited or local) */ 1826 if (crypt == ZIO_CRYPT_OFF) { 1827 /* Must not specify encryption params */ 1828 if (dcp->cp_wkey != NULL || 1829 (dcp->cp_keylocation != NULL && 1830 strcmp(dcp->cp_keylocation, "none") != 0)) 1831 return (SET_ERROR(EINVAL)); 1832 1833 return (0); 1834 } 1835 1836 if (will_encrypt != NULL) 1837 *will_encrypt = B_TRUE; 1838 1839 /* 1840 * We will now definitely be encrypting. Check the feature flag. When 1841 * creating the pool the caller will check this for us since we won't 1842 * technically have the feature activated yet. 1843 */ 1844 if (parentdd != NULL && 1845 !spa_feature_is_enabled(parentdd->dd_pool->dp_spa, 1846 SPA_FEATURE_ENCRYPTION)) { 1847 return (SET_ERROR(EOPNOTSUPP)); 1848 } 1849 1850 /* Check for errata #4 (encryption enabled, bookmark_v2 disabled) */ 1851 if (parentdd != NULL && 1852 !spa_feature_is_enabled(parentdd->dd_pool->dp_spa, 1853 SPA_FEATURE_BOOKMARK_V2)) { 1854 return (SET_ERROR(EOPNOTSUPP)); 1855 } 1856 1857 /* handle inheritance */ 1858 if (dcp->cp_wkey == NULL) { 1859 ASSERT3P(parentdd, !=, NULL); 1860 1861 /* key must be fully unspecified */ 1862 if (dcp->cp_keylocation != NULL) 1863 return (SET_ERROR(EINVAL)); 1864 1865 /* parent must have a key to inherit */ 1866 if (pcrypt == ZIO_CRYPT_OFF) 1867 return (SET_ERROR(EINVAL)); 1868 1869 /* check for parent key */ 1870 ret = dmu_objset_check_wkey_loaded(parentdd); 1871 if (ret != 0) 1872 return (ret); 1873 1874 return (0); 1875 } 1876 1877 /* At this point we should have a fully specified key. Check location */ 1878 if (dcp->cp_keylocation == NULL || 1879 !zfs_prop_valid_keylocation(dcp->cp_keylocation, B_TRUE)) 1880 return (SET_ERROR(EINVAL)); 1881 1882 /* Must have fully specified keyformat */ 1883 switch (dcp->cp_wkey->wk_keyformat) { 1884 case ZFS_KEYFORMAT_HEX: 1885 case ZFS_KEYFORMAT_RAW: 1886 /* requires no pbkdf2 iters and salt */ 1887 if (dcp->cp_wkey->wk_salt != 0 || dcp->cp_wkey->wk_iters != 0) 1888 return (SET_ERROR(EINVAL)); 1889 break; 1890 case ZFS_KEYFORMAT_PASSPHRASE: 1891 /* requires pbkdf2 iters and salt */ 1892 if (dcp->cp_wkey->wk_salt == 0 || 1893 dcp->cp_wkey->wk_iters < MIN_PBKDF2_ITERATIONS) 1894 return (SET_ERROR(EINVAL)); 1895 break; 1896 case ZFS_KEYFORMAT_NONE: 1897 default: 1898 /* keyformat must be specified and valid */ 1899 return (SET_ERROR(EINVAL)); 1900 } 1901 1902 return (0); 1903 } 1904 1905 void 1906 dsl_dataset_create_crypt_sync(uint64_t dsobj, dsl_dir_t *dd, 1907 dsl_dataset_t *origin, dsl_crypto_params_t *dcp, dmu_tx_t *tx) 1908 { 1909 dsl_pool_t *dp = dd->dd_pool; 1910 uint64_t crypt; 1911 dsl_wrapping_key_t *wkey; 1912 1913 /* clones always use their origin's wrapping key */ 1914 if (dsl_dir_is_clone(dd)) { 1915 ASSERT3P(dcp, ==, NULL); 1916 1917 /* 1918 * If this is an encrypted clone we just need to clone the 1919 * dck into dd. Zapify the dd so we can do that. 1920 */ 1921 if (origin->ds_dir->dd_crypto_obj != 0) { 1922 dmu_buf_will_dirty(dd->dd_dbuf, tx); 1923 dsl_dir_zapify(dd, tx); 1924 1925 dd->dd_crypto_obj = 1926 dsl_crypto_key_clone_sync(origin->ds_dir, tx); 1927 VERIFY0(zap_add(dp->dp_meta_objset, dd->dd_object, 1928 DD_FIELD_CRYPTO_KEY_OBJ, sizeof (uint64_t), 1, 1929 &dd->dd_crypto_obj, tx)); 1930 } 1931 1932 return; 1933 } 1934 1935 /* 1936 * A NULL dcp at this point indicates this is the origin dataset 1937 * which does not have an objset to encrypt. Raw receives will handle 1938 * encryption separately later. In both cases we can simply return. 1939 */ 1940 if (dcp == NULL || dcp->cp_cmd == DCP_CMD_RAW_RECV) 1941 return; 1942 1943 crypt = dcp->cp_crypt; 1944 wkey = dcp->cp_wkey; 1945 1946 /* figure out the effective crypt */ 1947 if (crypt == ZIO_CRYPT_INHERIT && dd->dd_parent != NULL) 1948 VERIFY0(dsl_dir_get_crypt(dd->dd_parent, &crypt)); 1949 1950 /* if we aren't doing encryption just return */ 1951 if (crypt == ZIO_CRYPT_OFF || crypt == ZIO_CRYPT_INHERIT) 1952 return; 1953 1954 /* zapify the dd so that we can add the crypto key obj to it */ 1955 dmu_buf_will_dirty(dd->dd_dbuf, tx); 1956 dsl_dir_zapify(dd, tx); 1957 1958 /* use the new key if given or inherit from the parent */ 1959 if (wkey == NULL) { 1960 VERIFY0(spa_keystore_wkey_hold_dd(dp->dp_spa, 1961 dd->dd_parent, FTAG, &wkey)); 1962 } else { 1963 wkey->wk_ddobj = dd->dd_object; 1964 } 1965 1966 ASSERT3P(wkey, !=, NULL); 1967 1968 /* Create or clone the DSL crypto key and activate the feature */ 1969 dd->dd_crypto_obj = dsl_crypto_key_create_sync(crypt, wkey, tx); 1970 VERIFY0(zap_add(dp->dp_meta_objset, dd->dd_object, 1971 DD_FIELD_CRYPTO_KEY_OBJ, sizeof (uint64_t), 1, &dd->dd_crypto_obj, 1972 tx)); 1973 dsl_dataset_activate_feature(dsobj, SPA_FEATURE_ENCRYPTION, 1974 (void *)B_TRUE, tx); 1975 1976 /* 1977 * If we inherited the wrapping key we release our reference now. 1978 * Otherwise, this is a new key and we need to load it into the 1979 * keystore. 1980 */ 1981 if (dcp->cp_wkey == NULL) { 1982 dsl_wrapping_key_rele(wkey, FTAG); 1983 } else { 1984 VERIFY0(spa_keystore_load_wkey_impl(dp->dp_spa, wkey)); 1985 } 1986 } 1987 1988 typedef struct dsl_crypto_recv_key_arg { 1989 uint64_t dcrka_dsobj; 1990 uint64_t dcrka_fromobj; 1991 dmu_objset_type_t dcrka_ostype; 1992 nvlist_t *dcrka_nvl; 1993 boolean_t dcrka_do_key; 1994 } dsl_crypto_recv_key_arg_t; 1995 1996 static int 1997 dsl_crypto_recv_raw_objset_check(dsl_dataset_t *ds, dsl_dataset_t *fromds, 1998 dmu_objset_type_t ostype, nvlist_t *nvl, dmu_tx_t *tx) 1999 { 2000 int ret; 2001 objset_t *os; 2002 dnode_t *mdn; 2003 uint8_t *buf = NULL; 2004 uint_t len; 2005 uint64_t intval, nlevels, blksz, ibs; 2006 uint64_t nblkptr, maxblkid; 2007 2008 if (ostype != DMU_OST_ZFS && ostype != DMU_OST_ZVOL) 2009 return (SET_ERROR(EINVAL)); 2010 2011 /* raw receives also need info about the structure of the metadnode */ 2012 ret = nvlist_lookup_uint64(nvl, "mdn_compress", &intval); 2013 if (ret != 0 || intval >= ZIO_COMPRESS_LEGACY_FUNCTIONS) 2014 return (SET_ERROR(EINVAL)); 2015 2016 ret = nvlist_lookup_uint64(nvl, "mdn_checksum", &intval); 2017 if (ret != 0 || intval >= ZIO_CHECKSUM_LEGACY_FUNCTIONS) 2018 return (SET_ERROR(EINVAL)); 2019 2020 ret = nvlist_lookup_uint64(nvl, "mdn_nlevels", &nlevels); 2021 if (ret != 0 || nlevels > DN_MAX_LEVELS) 2022 return (SET_ERROR(EINVAL)); 2023 2024 ret = nvlist_lookup_uint64(nvl, "mdn_blksz", &blksz); 2025 if (ret != 0 || blksz < SPA_MINBLOCKSIZE) 2026 return (SET_ERROR(EINVAL)); 2027 else if (blksz > spa_maxblocksize(tx->tx_pool->dp_spa)) 2028 return (SET_ERROR(ENOTSUP)); 2029 2030 ret = nvlist_lookup_uint64(nvl, "mdn_indblkshift", &ibs); 2031 if (ret != 0 || ibs < DN_MIN_INDBLKSHIFT || ibs > DN_MAX_INDBLKSHIFT) 2032 return (SET_ERROR(ENOTSUP)); 2033 2034 ret = nvlist_lookup_uint64(nvl, "mdn_nblkptr", &nblkptr); 2035 if (ret != 0 || nblkptr != DN_MAX_NBLKPTR) 2036 return (SET_ERROR(ENOTSUP)); 2037 2038 ret = nvlist_lookup_uint64(nvl, "mdn_maxblkid", &maxblkid); 2039 if (ret != 0) 2040 return (SET_ERROR(EINVAL)); 2041 2042 ret = nvlist_lookup_uint8_array(nvl, "portable_mac", &buf, &len); 2043 if (ret != 0 || len != ZIO_OBJSET_MAC_LEN) 2044 return (SET_ERROR(EINVAL)); 2045 2046 ret = dmu_objset_from_ds(ds, &os); 2047 if (ret != 0) 2048 return (ret); 2049 2050 mdn = DMU_META_DNODE(os); 2051 2052 /* 2053 * If we already created the objset, make sure its unchangeable 2054 * properties match the ones received in the nvlist. 2055 */ 2056 rrw_enter(&ds->ds_bp_rwlock, RW_READER, FTAG); 2057 if (!BP_IS_HOLE(dsl_dataset_get_blkptr(ds)) && 2058 (mdn->dn_nlevels != nlevels || mdn->dn_datablksz != blksz || 2059 mdn->dn_indblkshift != ibs || mdn->dn_nblkptr != nblkptr)) { 2060 rrw_exit(&ds->ds_bp_rwlock, FTAG); 2061 return (SET_ERROR(EINVAL)); 2062 } 2063 rrw_exit(&ds->ds_bp_rwlock, FTAG); 2064 2065 /* 2066 * Check that the ivset guid of the fromds matches the one from the 2067 * send stream. Older versions of the encryption code did not have 2068 * an ivset guid on the from dataset and did not send one in the 2069 * stream. For these streams we provide the 2070 * zfs_disable_ivset_guid_check tunable to allow these datasets to 2071 * be received with a generated ivset guid. 2072 */ 2073 if (fromds != NULL && !zfs_disable_ivset_guid_check) { 2074 uint64_t from_ivset_guid = 0; 2075 intval = 0; 2076 2077 (void) nvlist_lookup_uint64(nvl, "from_ivset_guid", &intval); 2078 (void) zap_lookup(tx->tx_pool->dp_meta_objset, 2079 fromds->ds_object, DS_FIELD_IVSET_GUID, 2080 sizeof (from_ivset_guid), 1, &from_ivset_guid); 2081 2082 if (intval == 0 || from_ivset_guid == 0) 2083 return (SET_ERROR(ZFS_ERR_FROM_IVSET_GUID_MISSING)); 2084 2085 if (intval != from_ivset_guid) 2086 return (SET_ERROR(ZFS_ERR_FROM_IVSET_GUID_MISMATCH)); 2087 } 2088 2089 return (0); 2090 } 2091 2092 static void 2093 dsl_crypto_recv_raw_objset_sync(dsl_dataset_t *ds, dmu_objset_type_t ostype, 2094 nvlist_t *nvl, dmu_tx_t *tx) 2095 { 2096 dsl_pool_t *dp = tx->tx_pool; 2097 objset_t *os; 2098 dnode_t *mdn; 2099 zio_t *zio; 2100 uint8_t *portable_mac; 2101 uint_t len; 2102 uint64_t compress, checksum, nlevels, blksz, ibs, maxblkid; 2103 boolean_t newds = B_FALSE; 2104 2105 VERIFY0(dmu_objset_from_ds(ds, &os)); 2106 mdn = DMU_META_DNODE(os); 2107 2108 /* 2109 * Fetch the values we need from the nvlist. "to_ivset_guid" must 2110 * be set on the snapshot, which doesn't exist yet. The receive 2111 * code will take care of this for us later. 2112 */ 2113 compress = fnvlist_lookup_uint64(nvl, "mdn_compress"); 2114 checksum = fnvlist_lookup_uint64(nvl, "mdn_checksum"); 2115 nlevels = fnvlist_lookup_uint64(nvl, "mdn_nlevels"); 2116 blksz = fnvlist_lookup_uint64(nvl, "mdn_blksz"); 2117 ibs = fnvlist_lookup_uint64(nvl, "mdn_indblkshift"); 2118 maxblkid = fnvlist_lookup_uint64(nvl, "mdn_maxblkid"); 2119 VERIFY0(nvlist_lookup_uint8_array(nvl, "portable_mac", &portable_mac, 2120 &len)); 2121 2122 /* if we haven't created an objset for the ds yet, do that now */ 2123 rrw_enter(&ds->ds_bp_rwlock, RW_READER, FTAG); 2124 if (BP_IS_HOLE(dsl_dataset_get_blkptr(ds))) { 2125 (void) dmu_objset_create_impl_dnstats(dp->dp_spa, ds, 2126 dsl_dataset_get_blkptr(ds), ostype, nlevels, blksz, 2127 ibs, tx); 2128 newds = B_TRUE; 2129 } 2130 rrw_exit(&ds->ds_bp_rwlock, FTAG); 2131 2132 /* 2133 * Set the portable MAC. The local MAC will always be zero since the 2134 * incoming data will all be portable and user accounting will be 2135 * deferred until the next mount. Afterwards, flag the os to be 2136 * written out raw next time. 2137 */ 2138 arc_release(os->os_phys_buf, &os->os_phys_buf); 2139 memcpy(os->os_phys->os_portable_mac, portable_mac, ZIO_OBJSET_MAC_LEN); 2140 memset(os->os_phys->os_local_mac, 0, ZIO_OBJSET_MAC_LEN); 2141 os->os_flags &= ~OBJSET_FLAG_USERACCOUNTING_COMPLETE; 2142 os->os_next_write_raw[tx->tx_txg & TXG_MASK] = B_TRUE; 2143 2144 /* set metadnode compression and checksum */ 2145 mdn->dn_compress = compress; 2146 mdn->dn_checksum = checksum; 2147 2148 rw_enter(&mdn->dn_struct_rwlock, RW_WRITER); 2149 dnode_new_blkid(mdn, maxblkid, tx, B_FALSE, B_TRUE); 2150 rw_exit(&mdn->dn_struct_rwlock); 2151 2152 /* 2153 * We can't normally dirty the dataset in syncing context unless 2154 * we are creating a new dataset. In this case, we perform a 2155 * pseudo txg sync here instead. 2156 */ 2157 if (newds) { 2158 dsl_dataset_dirty(ds, tx); 2159 } else { 2160 zio = zio_root(dp->dp_spa, NULL, NULL, ZIO_FLAG_MUSTSUCCEED); 2161 dsl_dataset_sync(ds, zio, tx); 2162 VERIFY0(zio_wait(zio)); 2163 dsl_dataset_sync_done(ds, tx); 2164 } 2165 } 2166 2167 int 2168 dsl_crypto_recv_raw_key_check(dsl_dataset_t *ds, nvlist_t *nvl, dmu_tx_t *tx) 2169 { 2170 int ret; 2171 objset_t *mos = tx->tx_pool->dp_meta_objset; 2172 uint8_t *buf = NULL; 2173 uint_t len; 2174 uint64_t intval, key_guid, version; 2175 boolean_t is_passphrase = B_FALSE; 2176 2177 ASSERT(dsl_dataset_phys(ds)->ds_flags & DS_FLAG_INCONSISTENT); 2178 2179 /* 2180 * Read and check all the encryption values from the nvlist. We need 2181 * all of the fields of a DSL Crypto Key, as well as a fully specified 2182 * wrapping key. 2183 */ 2184 ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE, &intval); 2185 if (ret != 0 || intval <= ZIO_CRYPT_OFF) 2186 return (SET_ERROR(EINVAL)); 2187 2188 /* 2189 * Flag a future crypto suite that we don't support differently, so 2190 * we can return a more useful error to the user. 2191 */ 2192 if (intval >= ZIO_CRYPT_FUNCTIONS) 2193 return (SET_ERROR(ZFS_ERR_CRYPTO_NOTSUP)); 2194 2195 ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_GUID, &intval); 2196 if (ret != 0) 2197 return (SET_ERROR(EINVAL)); 2198 2199 /* 2200 * If this is an incremental receive make sure the given key guid 2201 * matches the one we already have. 2202 */ 2203 if (ds->ds_dir->dd_crypto_obj != 0) { 2204 ret = zap_lookup(mos, ds->ds_dir->dd_crypto_obj, 2205 DSL_CRYPTO_KEY_GUID, 8, 1, &key_guid); 2206 if (ret != 0) 2207 return (ret); 2208 if (intval != key_guid) 2209 return (SET_ERROR(EACCES)); 2210 } 2211 2212 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY, 2213 &buf, &len); 2214 if (ret != 0 || len != MASTER_KEY_MAX_LEN) 2215 return (SET_ERROR(EINVAL)); 2216 2217 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY, 2218 &buf, &len); 2219 if (ret != 0 || len != SHA512_HMAC_KEYLEN) 2220 return (SET_ERROR(EINVAL)); 2221 2222 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_IV, &buf, &len); 2223 if (ret != 0 || len != WRAPPING_IV_LEN) 2224 return (SET_ERROR(EINVAL)); 2225 2226 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, &buf, &len); 2227 if (ret != 0 || len != WRAPPING_MAC_LEN) 2228 return (SET_ERROR(EINVAL)); 2229 2230 /* 2231 * We don't support receiving old on-disk formats. The version 0 2232 * implementation protected several fields in an objset that were 2233 * not always portable during a raw receive. As a result, we call 2234 * the old version an on-disk errata #3. 2235 */ 2236 ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_VERSION, &version); 2237 if (ret != 0 || version != ZIO_CRYPT_KEY_CURRENT_VERSION) 2238 return (SET_ERROR(ENOTSUP)); 2239 2240 ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 2241 &intval); 2242 if (ret != 0 || intval >= ZFS_KEYFORMAT_FORMATS || 2243 intval == ZFS_KEYFORMAT_NONE) 2244 return (SET_ERROR(EINVAL)); 2245 2246 is_passphrase = (intval == ZFS_KEYFORMAT_PASSPHRASE); 2247 2248 /* 2249 * for raw receives we allow any number of pbkdf2iters since there 2250 * won't be a chance for the user to change it. 2251 */ 2252 ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 2253 &intval); 2254 if (ret != 0 || (is_passphrase == (intval == 0))) 2255 return (SET_ERROR(EINVAL)); 2256 2257 ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 2258 &intval); 2259 if (ret != 0 || (is_passphrase == (intval == 0))) 2260 return (SET_ERROR(EINVAL)); 2261 2262 return (0); 2263 } 2264 2265 void 2266 dsl_crypto_recv_raw_key_sync(dsl_dataset_t *ds, nvlist_t *nvl, dmu_tx_t *tx) 2267 { 2268 dsl_pool_t *dp = tx->tx_pool; 2269 objset_t *mos = dp->dp_meta_objset; 2270 dsl_dir_t *dd = ds->ds_dir; 2271 uint_t len; 2272 uint64_t rddobj, one = 1; 2273 uint8_t *keydata, *hmac_keydata, *iv, *mac; 2274 uint64_t crypt, key_guid, keyformat, iters, salt; 2275 uint64_t version = ZIO_CRYPT_KEY_CURRENT_VERSION; 2276 const char *keylocation = "prompt"; 2277 2278 /* lookup the values we need to create the DSL Crypto Key */ 2279 crypt = fnvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE); 2280 key_guid = fnvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_GUID); 2281 keyformat = fnvlist_lookup_uint64(nvl, 2282 zfs_prop_to_name(ZFS_PROP_KEYFORMAT)); 2283 iters = fnvlist_lookup_uint64(nvl, 2284 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS)); 2285 salt = fnvlist_lookup_uint64(nvl, 2286 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT)); 2287 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY, 2288 &keydata, &len)); 2289 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY, 2290 &hmac_keydata, &len)); 2291 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_IV, &iv, &len)); 2292 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, &mac, &len)); 2293 2294 /* if this is a new dataset setup the DSL Crypto Key. */ 2295 if (dd->dd_crypto_obj == 0) { 2296 /* zapify the dsl dir so we can add the key object to it */ 2297 dmu_buf_will_dirty(dd->dd_dbuf, tx); 2298 dsl_dir_zapify(dd, tx); 2299 2300 /* create the DSL Crypto Key on disk and activate the feature */ 2301 dd->dd_crypto_obj = zap_create(mos, 2302 DMU_OTN_ZAP_METADATA, DMU_OT_NONE, 0, tx); 2303 VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, 2304 dd->dd_crypto_obj, DSL_CRYPTO_KEY_REFCOUNT, 2305 sizeof (uint64_t), 1, &one, tx)); 2306 VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, 2307 dd->dd_crypto_obj, DSL_CRYPTO_KEY_VERSION, 2308 sizeof (uint64_t), 1, &version, tx)); 2309 2310 dsl_dataset_activate_feature(ds->ds_object, 2311 SPA_FEATURE_ENCRYPTION, (void *)B_TRUE, tx); 2312 ds->ds_feature[SPA_FEATURE_ENCRYPTION] = (void *)B_TRUE; 2313 2314 /* save the dd_crypto_obj on disk */ 2315 VERIFY0(zap_add(mos, dd->dd_object, DD_FIELD_CRYPTO_KEY_OBJ, 2316 sizeof (uint64_t), 1, &dd->dd_crypto_obj, tx)); 2317 2318 /* 2319 * Set the keylocation to prompt by default. If keylocation 2320 * has been provided via the properties, this will be overridden 2321 * later. 2322 */ 2323 dsl_prop_set_sync_impl(ds, 2324 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 2325 ZPROP_SRC_LOCAL, 1, strlen(keylocation) + 1, 2326 keylocation, tx); 2327 2328 rddobj = dd->dd_object; 2329 } else { 2330 VERIFY0(dsl_dir_get_encryption_root_ddobj(dd, &rddobj)); 2331 } 2332 2333 /* sync the key data to the ZAP object on disk */ 2334 dsl_crypto_key_sync_impl(mos, dd->dd_crypto_obj, crypt, 2335 rddobj, key_guid, iv, mac, keydata, hmac_keydata, keyformat, salt, 2336 iters, tx); 2337 } 2338 2339 static int 2340 dsl_crypto_recv_key_check(void *arg, dmu_tx_t *tx) 2341 { 2342 int ret; 2343 dsl_crypto_recv_key_arg_t *dcrka = arg; 2344 dsl_dataset_t *ds = NULL, *fromds = NULL; 2345 2346 ret = dsl_dataset_hold_obj(tx->tx_pool, dcrka->dcrka_dsobj, 2347 FTAG, &ds); 2348 if (ret != 0) 2349 goto out; 2350 2351 if (dcrka->dcrka_fromobj != 0) { 2352 ret = dsl_dataset_hold_obj(tx->tx_pool, dcrka->dcrka_fromobj, 2353 FTAG, &fromds); 2354 if (ret != 0) 2355 goto out; 2356 } 2357 2358 ret = dsl_crypto_recv_raw_objset_check(ds, fromds, 2359 dcrka->dcrka_ostype, dcrka->dcrka_nvl, tx); 2360 if (ret != 0) 2361 goto out; 2362 2363 /* 2364 * We run this check even if we won't be doing this part of 2365 * the receive now so that we don't make the user wait until 2366 * the receive finishes to fail. 2367 */ 2368 ret = dsl_crypto_recv_raw_key_check(ds, dcrka->dcrka_nvl, tx); 2369 if (ret != 0) 2370 goto out; 2371 2372 out: 2373 if (ds != NULL) 2374 dsl_dataset_rele(ds, FTAG); 2375 if (fromds != NULL) 2376 dsl_dataset_rele(fromds, FTAG); 2377 return (ret); 2378 } 2379 2380 static void 2381 dsl_crypto_recv_key_sync(void *arg, dmu_tx_t *tx) 2382 { 2383 dsl_crypto_recv_key_arg_t *dcrka = arg; 2384 dsl_dataset_t *ds; 2385 2386 VERIFY0(dsl_dataset_hold_obj(tx->tx_pool, dcrka->dcrka_dsobj, 2387 FTAG, &ds)); 2388 dsl_crypto_recv_raw_objset_sync(ds, dcrka->dcrka_ostype, 2389 dcrka->dcrka_nvl, tx); 2390 if (dcrka->dcrka_do_key) 2391 dsl_crypto_recv_raw_key_sync(ds, dcrka->dcrka_nvl, tx); 2392 dsl_dataset_rele(ds, FTAG); 2393 } 2394 2395 /* 2396 * This function is used to sync an nvlist representing a DSL Crypto Key and 2397 * the associated encryption parameters. The key will be written exactly as is 2398 * without wrapping it. 2399 */ 2400 int 2401 dsl_crypto_recv_raw(const char *poolname, uint64_t dsobj, uint64_t fromobj, 2402 dmu_objset_type_t ostype, nvlist_t *nvl, boolean_t do_key) 2403 { 2404 dsl_crypto_recv_key_arg_t dcrka; 2405 2406 dcrka.dcrka_dsobj = dsobj; 2407 dcrka.dcrka_fromobj = fromobj; 2408 dcrka.dcrka_ostype = ostype; 2409 dcrka.dcrka_nvl = nvl; 2410 dcrka.dcrka_do_key = do_key; 2411 2412 return (dsl_sync_task(poolname, dsl_crypto_recv_key_check, 2413 dsl_crypto_recv_key_sync, &dcrka, 1, ZFS_SPACE_CHECK_NORMAL)); 2414 } 2415 2416 int 2417 dsl_crypto_populate_key_nvlist(objset_t *os, uint64_t from_ivset_guid, 2418 nvlist_t **nvl_out) 2419 { 2420 int ret; 2421 dsl_dataset_t *ds = os->os_dsl_dataset; 2422 dnode_t *mdn; 2423 uint64_t rddobj; 2424 nvlist_t *nvl = NULL; 2425 uint64_t dckobj = ds->ds_dir->dd_crypto_obj; 2426 dsl_dir_t *rdd = NULL; 2427 dsl_pool_t *dp = ds->ds_dir->dd_pool; 2428 objset_t *mos = dp->dp_meta_objset; 2429 uint64_t crypt = 0, key_guid = 0, format = 0; 2430 uint64_t iters = 0, salt = 0, version = 0; 2431 uint64_t to_ivset_guid = 0; 2432 uint8_t raw_keydata[MASTER_KEY_MAX_LEN]; 2433 uint8_t raw_hmac_keydata[SHA512_HMAC_KEYLEN]; 2434 uint8_t iv[WRAPPING_IV_LEN]; 2435 uint8_t mac[WRAPPING_MAC_LEN]; 2436 2437 ASSERT(dckobj != 0); 2438 2439 mdn = DMU_META_DNODE(os); 2440 2441 nvl = fnvlist_alloc(); 2442 2443 /* lookup values from the DSL Crypto Key */ 2444 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, 2445 &crypt); 2446 if (ret != 0) 2447 goto error; 2448 2449 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_GUID, 8, 1, &key_guid); 2450 if (ret != 0) 2451 goto error; 2452 2453 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MASTER_KEY, 1, 2454 MASTER_KEY_MAX_LEN, raw_keydata); 2455 if (ret != 0) 2456 goto error; 2457 2458 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_HMAC_KEY, 1, 2459 SHA512_HMAC_KEYLEN, raw_hmac_keydata); 2460 if (ret != 0) 2461 goto error; 2462 2463 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_IV, 1, WRAPPING_IV_LEN, 2464 iv); 2465 if (ret != 0) 2466 goto error; 2467 2468 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MAC, 1, WRAPPING_MAC_LEN, 2469 mac); 2470 if (ret != 0) 2471 goto error; 2472 2473 /* see zfs_disable_ivset_guid_check tunable for errata info */ 2474 ret = zap_lookup(mos, ds->ds_object, DS_FIELD_IVSET_GUID, 8, 1, 2475 &to_ivset_guid); 2476 if (ret != 0) 2477 ASSERT3U(dp->dp_spa->spa_errata, !=, 0); 2478 2479 /* 2480 * We don't support raw sends of legacy on-disk formats. See the 2481 * comment in dsl_crypto_recv_key_check() for details. 2482 */ 2483 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_VERSION, 8, 1, &version); 2484 if (ret != 0 || version != ZIO_CRYPT_KEY_CURRENT_VERSION) { 2485 dp->dp_spa->spa_errata = ZPOOL_ERRATA_ZOL_6845_ENCRYPTION; 2486 ret = SET_ERROR(ENOTSUP); 2487 goto error; 2488 } 2489 2490 /* 2491 * Lookup wrapping key properties. An early version of the code did 2492 * not correctly add these values to the wrapping key or the DSL 2493 * Crypto Key on disk for non encryption roots, so to be safe we 2494 * always take the slightly circuitous route of looking it up from 2495 * the encryption root's key. 2496 */ 2497 ret = dsl_dir_get_encryption_root_ddobj(ds->ds_dir, &rddobj); 2498 if (ret != 0) 2499 goto error; 2500 2501 dsl_pool_config_enter(dp, FTAG); 2502 2503 ret = dsl_dir_hold_obj(dp, rddobj, NULL, FTAG, &rdd); 2504 if (ret != 0) 2505 goto error_unlock; 2506 2507 ret = zap_lookup(dp->dp_meta_objset, rdd->dd_crypto_obj, 2508 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 8, 1, &format); 2509 if (ret != 0) 2510 goto error_unlock; 2511 2512 if (format == ZFS_KEYFORMAT_PASSPHRASE) { 2513 ret = zap_lookup(dp->dp_meta_objset, rdd->dd_crypto_obj, 2514 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 8, 1, &iters); 2515 if (ret != 0) 2516 goto error_unlock; 2517 2518 ret = zap_lookup(dp->dp_meta_objset, rdd->dd_crypto_obj, 2519 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 8, 1, &salt); 2520 if (ret != 0) 2521 goto error_unlock; 2522 } 2523 2524 dsl_dir_rele(rdd, FTAG); 2525 dsl_pool_config_exit(dp, FTAG); 2526 2527 fnvlist_add_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE, crypt); 2528 fnvlist_add_uint64(nvl, DSL_CRYPTO_KEY_GUID, key_guid); 2529 fnvlist_add_uint64(nvl, DSL_CRYPTO_KEY_VERSION, version); 2530 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY, 2531 raw_keydata, MASTER_KEY_MAX_LEN)); 2532 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY, 2533 raw_hmac_keydata, SHA512_HMAC_KEYLEN)); 2534 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_IV, iv, 2535 WRAPPING_IV_LEN)); 2536 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, mac, 2537 WRAPPING_MAC_LEN)); 2538 VERIFY0(nvlist_add_uint8_array(nvl, "portable_mac", 2539 os->os_phys->os_portable_mac, ZIO_OBJSET_MAC_LEN)); 2540 fnvlist_add_uint64(nvl, zfs_prop_to_name(ZFS_PROP_KEYFORMAT), format); 2541 fnvlist_add_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), iters); 2542 fnvlist_add_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), salt); 2543 fnvlist_add_uint64(nvl, "mdn_checksum", mdn->dn_checksum); 2544 fnvlist_add_uint64(nvl, "mdn_compress", mdn->dn_compress); 2545 fnvlist_add_uint64(nvl, "mdn_nlevels", mdn->dn_nlevels); 2546 fnvlist_add_uint64(nvl, "mdn_blksz", mdn->dn_datablksz); 2547 fnvlist_add_uint64(nvl, "mdn_indblkshift", mdn->dn_indblkshift); 2548 fnvlist_add_uint64(nvl, "mdn_nblkptr", mdn->dn_nblkptr); 2549 fnvlist_add_uint64(nvl, "mdn_maxblkid", mdn->dn_maxblkid); 2550 fnvlist_add_uint64(nvl, "to_ivset_guid", to_ivset_guid); 2551 fnvlist_add_uint64(nvl, "from_ivset_guid", from_ivset_guid); 2552 2553 *nvl_out = nvl; 2554 return (0); 2555 2556 error_unlock: 2557 dsl_pool_config_exit(dp, FTAG); 2558 error: 2559 if (rdd != NULL) 2560 dsl_dir_rele(rdd, FTAG); 2561 nvlist_free(nvl); 2562 2563 *nvl_out = NULL; 2564 return (ret); 2565 } 2566 2567 uint64_t 2568 dsl_crypto_key_create_sync(uint64_t crypt, dsl_wrapping_key_t *wkey, 2569 dmu_tx_t *tx) 2570 { 2571 dsl_crypto_key_t dck; 2572 uint64_t version = ZIO_CRYPT_KEY_CURRENT_VERSION; 2573 uint64_t one = 1ULL; 2574 2575 ASSERT(dmu_tx_is_syncing(tx)); 2576 ASSERT3U(crypt, <, ZIO_CRYPT_FUNCTIONS); 2577 ASSERT3U(crypt, >, ZIO_CRYPT_OFF); 2578 2579 /* create the DSL Crypto Key ZAP object */ 2580 dck.dck_obj = zap_create(tx->tx_pool->dp_meta_objset, 2581 DMU_OTN_ZAP_METADATA, DMU_OT_NONE, 0, tx); 2582 2583 /* fill in the key (on the stack) and sync it to disk */ 2584 dck.dck_wkey = wkey; 2585 VERIFY0(zio_crypt_key_init(crypt, &dck.dck_key)); 2586 2587 dsl_crypto_key_sync(&dck, tx); 2588 VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, dck.dck_obj, 2589 DSL_CRYPTO_KEY_REFCOUNT, sizeof (uint64_t), 1, &one, tx)); 2590 VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, dck.dck_obj, 2591 DSL_CRYPTO_KEY_VERSION, sizeof (uint64_t), 1, &version, tx)); 2592 2593 zio_crypt_key_destroy(&dck.dck_key); 2594 memset(&dck.dck_key, 0, sizeof (zio_crypt_key_t)); 2595 2596 return (dck.dck_obj); 2597 } 2598 2599 uint64_t 2600 dsl_crypto_key_clone_sync(dsl_dir_t *origindd, dmu_tx_t *tx) 2601 { 2602 objset_t *mos = tx->tx_pool->dp_meta_objset; 2603 2604 ASSERT(dmu_tx_is_syncing(tx)); 2605 2606 VERIFY0(zap_increment(mos, origindd->dd_crypto_obj, 2607 DSL_CRYPTO_KEY_REFCOUNT, 1, tx)); 2608 2609 return (origindd->dd_crypto_obj); 2610 } 2611 2612 void 2613 dsl_crypto_key_destroy_sync(uint64_t dckobj, dmu_tx_t *tx) 2614 { 2615 objset_t *mos = tx->tx_pool->dp_meta_objset; 2616 uint64_t refcnt; 2617 2618 /* Decrement the refcount, destroy if this is the last reference */ 2619 VERIFY0(zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_REFCOUNT, 2620 sizeof (uint64_t), 1, &refcnt)); 2621 2622 if (refcnt != 1) { 2623 VERIFY0(zap_increment(mos, dckobj, DSL_CRYPTO_KEY_REFCOUNT, 2624 -1, tx)); 2625 } else { 2626 VERIFY0(zap_destroy(mos, dckobj, tx)); 2627 } 2628 } 2629 2630 void 2631 dsl_dataset_crypt_stats(dsl_dataset_t *ds, nvlist_t *nv) 2632 { 2633 uint64_t intval; 2634 dsl_dir_t *dd = ds->ds_dir; 2635 dsl_dir_t *enc_root; 2636 char buf[ZFS_MAX_DATASET_NAME_LEN]; 2637 2638 if (dd->dd_crypto_obj == 0) 2639 return; 2640 2641 intval = dsl_dataset_get_keystatus(dd); 2642 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_KEYSTATUS, intval); 2643 2644 if (dsl_dir_get_crypt(dd, &intval) == 0) 2645 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_ENCRYPTION, intval); 2646 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2647 DSL_CRYPTO_KEY_GUID, 8, 1, &intval) == 0) { 2648 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_KEY_GUID, intval); 2649 } 2650 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2651 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 8, 1, &intval) == 0) { 2652 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_KEYFORMAT, intval); 2653 } 2654 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2655 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 8, 1, &intval) == 0) { 2656 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_PBKDF2_SALT, intval); 2657 } 2658 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2659 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 8, 1, &intval) == 0) { 2660 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_PBKDF2_ITERS, intval); 2661 } 2662 if (zap_lookup(dd->dd_pool->dp_meta_objset, ds->ds_object, 2663 DS_FIELD_IVSET_GUID, 8, 1, &intval) == 0) { 2664 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_IVSET_GUID, intval); 2665 } 2666 2667 if (dsl_dir_get_encryption_root_ddobj(dd, &intval) == 0) { 2668 if (dsl_dir_hold_obj(dd->dd_pool, intval, NULL, FTAG, 2669 &enc_root) == 0) { 2670 dsl_dir_name(enc_root, buf); 2671 dsl_dir_rele(enc_root, FTAG); 2672 dsl_prop_nvlist_add_string(nv, 2673 ZFS_PROP_ENCRYPTION_ROOT, buf); 2674 } 2675 } 2676 } 2677 2678 int 2679 spa_crypt_get_salt(spa_t *spa, uint64_t dsobj, uint8_t *salt) 2680 { 2681 int ret; 2682 dsl_crypto_key_t *dck = NULL; 2683 2684 /* look up the key from the spa's keystore */ 2685 ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck); 2686 if (ret != 0) 2687 goto error; 2688 2689 ret = zio_crypt_key_get_salt(&dck->dck_key, salt); 2690 if (ret != 0) 2691 goto error; 2692 2693 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2694 return (0); 2695 2696 error: 2697 if (dck != NULL) 2698 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2699 return (ret); 2700 } 2701 2702 /* 2703 * Objset blocks are a special case for MAC generation. These blocks have 2 2704 * 256-bit MACs which are embedded within the block itself, rather than a 2705 * single 128 bit MAC. As a result, this function handles encoding and decoding 2706 * the MACs on its own, unlike other functions in this file. 2707 */ 2708 int 2709 spa_do_crypt_objset_mac_abd(boolean_t generate, spa_t *spa, uint64_t dsobj, 2710 abd_t *abd, uint_t datalen, boolean_t byteswap) 2711 { 2712 int ret; 2713 dsl_crypto_key_t *dck = NULL; 2714 void *buf = abd_borrow_buf_copy(abd, datalen); 2715 objset_phys_t *osp = buf; 2716 uint8_t portable_mac[ZIO_OBJSET_MAC_LEN]; 2717 uint8_t local_mac[ZIO_OBJSET_MAC_LEN]; 2718 const uint8_t zeroed_mac[ZIO_OBJSET_MAC_LEN] = {0}; 2719 2720 /* look up the key from the spa's keystore */ 2721 ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck); 2722 if (ret != 0) 2723 goto error; 2724 2725 /* calculate both HMACs */ 2726 ret = zio_crypt_do_objset_hmacs(&dck->dck_key, buf, datalen, 2727 byteswap, portable_mac, local_mac); 2728 if (ret != 0) 2729 goto error; 2730 2731 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2732 2733 /* if we are generating encode the HMACs in the objset_phys_t */ 2734 if (generate) { 2735 memcpy(osp->os_portable_mac, portable_mac, ZIO_OBJSET_MAC_LEN); 2736 memcpy(osp->os_local_mac, local_mac, ZIO_OBJSET_MAC_LEN); 2737 abd_return_buf_copy(abd, buf, datalen); 2738 return (0); 2739 } 2740 2741 if (memcmp(portable_mac, osp->os_portable_mac, 2742 ZIO_OBJSET_MAC_LEN) != 0) { 2743 abd_return_buf(abd, buf, datalen); 2744 return (SET_ERROR(ECKSUM)); 2745 } 2746 if (memcmp(local_mac, osp->os_local_mac, ZIO_OBJSET_MAC_LEN) != 0) { 2747 /* 2748 * If the MAC is zeroed out, we failed to decrypt it. 2749 * This should only arise, at least on Linux, 2750 * if we hit edge case handling for useraccounting, since we 2751 * shouldn't get here without bailing out on error earlier 2752 * otherwise. 2753 * 2754 * So if we're in that case, we can just fall through and 2755 * special-casing noticing that it's zero will handle it 2756 * elsewhere, since we can just regenerate it. 2757 */ 2758 if (memcmp(local_mac, zeroed_mac, ZIO_OBJSET_MAC_LEN) != 0) { 2759 abd_return_buf(abd, buf, datalen); 2760 return (SET_ERROR(ECKSUM)); 2761 } 2762 } 2763 2764 abd_return_buf(abd, buf, datalen); 2765 2766 return (0); 2767 2768 error: 2769 if (dck != NULL) 2770 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2771 abd_return_buf(abd, buf, datalen); 2772 return (ret); 2773 } 2774 2775 int 2776 spa_do_crypt_mac_abd(boolean_t generate, spa_t *spa, uint64_t dsobj, abd_t *abd, 2777 uint_t datalen, uint8_t *mac) 2778 { 2779 int ret; 2780 dsl_crypto_key_t *dck = NULL; 2781 uint8_t *buf = abd_borrow_buf_copy(abd, datalen); 2782 uint8_t digestbuf[ZIO_DATA_MAC_LEN]; 2783 2784 /* look up the key from the spa's keystore */ 2785 ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck); 2786 if (ret != 0) 2787 goto error; 2788 2789 /* perform the hmac */ 2790 ret = zio_crypt_do_hmac(&dck->dck_key, buf, datalen, 2791 digestbuf, ZIO_DATA_MAC_LEN); 2792 if (ret != 0) 2793 goto error; 2794 2795 abd_return_buf(abd, buf, datalen); 2796 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2797 2798 /* 2799 * Truncate and fill in mac buffer if we were asked to generate a MAC. 2800 * Otherwise verify that the MAC matched what we expected. 2801 */ 2802 if (generate) { 2803 memcpy(mac, digestbuf, ZIO_DATA_MAC_LEN); 2804 return (0); 2805 } 2806 2807 if (memcmp(digestbuf, mac, ZIO_DATA_MAC_LEN) != 0) 2808 return (SET_ERROR(ECKSUM)); 2809 2810 return (0); 2811 2812 error: 2813 if (dck != NULL) 2814 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2815 abd_return_buf(abd, buf, datalen); 2816 return (ret); 2817 } 2818 2819 /* 2820 * This function serves as a multiplexer for encryption and decryption of 2821 * all blocks (except the L2ARC). For encryption, it will populate the IV, 2822 * salt, MAC, and cabd (the ciphertext). On decryption it will simply use 2823 * these fields to populate pabd (the plaintext). 2824 */ 2825 int 2826 spa_do_crypt_abd(boolean_t encrypt, spa_t *spa, const zbookmark_phys_t *zb, 2827 dmu_object_type_t ot, boolean_t dedup, boolean_t bswap, uint8_t *salt, 2828 uint8_t *iv, uint8_t *mac, uint_t datalen, abd_t *pabd, abd_t *cabd, 2829 boolean_t *no_crypt) 2830 { 2831 int ret; 2832 dsl_crypto_key_t *dck = NULL; 2833 uint8_t *plainbuf = NULL, *cipherbuf = NULL; 2834 2835 ASSERT(spa_feature_is_active(spa, SPA_FEATURE_ENCRYPTION)); 2836 2837 /* look up the key from the spa's keystore */ 2838 ret = spa_keystore_lookup_key(spa, zb->zb_objset, FTAG, &dck); 2839 if (ret != 0) { 2840 ret = SET_ERROR(EACCES); 2841 return (ret); 2842 } 2843 2844 if (encrypt) { 2845 plainbuf = abd_borrow_buf_copy(pabd, datalen); 2846 cipherbuf = abd_borrow_buf(cabd, datalen); 2847 } else { 2848 plainbuf = abd_borrow_buf(pabd, datalen); 2849 cipherbuf = abd_borrow_buf_copy(cabd, datalen); 2850 } 2851 2852 /* 2853 * Both encryption and decryption functions need a salt for key 2854 * generation and an IV. When encrypting a non-dedup block, we 2855 * generate the salt and IV randomly to be stored by the caller. Dedup 2856 * blocks perform a (more expensive) HMAC of the plaintext to obtain 2857 * the salt and the IV. ZIL blocks have their salt and IV generated 2858 * at allocation time in zio_alloc_zil(). On decryption, we simply use 2859 * the provided values. 2860 */ 2861 if (encrypt && ot != DMU_OT_INTENT_LOG && !dedup) { 2862 ret = zio_crypt_key_get_salt(&dck->dck_key, salt); 2863 if (ret != 0) 2864 goto error; 2865 2866 ret = zio_crypt_generate_iv(iv); 2867 if (ret != 0) 2868 goto error; 2869 } else if (encrypt && dedup) { 2870 ret = zio_crypt_generate_iv_salt_dedup(&dck->dck_key, 2871 plainbuf, datalen, iv, salt); 2872 if (ret != 0) 2873 goto error; 2874 } 2875 2876 /* call lower level function to perform encryption / decryption */ 2877 ret = zio_do_crypt_data(encrypt, &dck->dck_key, ot, bswap, salt, iv, 2878 mac, datalen, plainbuf, cipherbuf, no_crypt); 2879 2880 /* 2881 * Handle injected decryption faults. Unfortunately, we cannot inject 2882 * faults for dnode blocks because we might trigger the panic in 2883 * dbuf_prepare_encrypted_dnode_leaf(), which exists because syncing 2884 * context is not prepared to handle malicious decryption failures. 2885 */ 2886 if (zio_injection_enabled && !encrypt && ot != DMU_OT_DNODE && ret == 0) 2887 ret = zio_handle_decrypt_injection(spa, zb, ot, ECKSUM); 2888 if (ret != 0) 2889 goto error; 2890 2891 if (encrypt) { 2892 abd_return_buf(pabd, plainbuf, datalen); 2893 abd_return_buf_copy(cabd, cipherbuf, datalen); 2894 } else { 2895 abd_return_buf_copy(pabd, plainbuf, datalen); 2896 abd_return_buf(cabd, cipherbuf, datalen); 2897 } 2898 2899 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2900 2901 return (0); 2902 2903 error: 2904 if (encrypt) { 2905 /* zero out any state we might have changed while encrypting */ 2906 memset(salt, 0, ZIO_DATA_SALT_LEN); 2907 memset(iv, 0, ZIO_DATA_IV_LEN); 2908 memset(mac, 0, ZIO_DATA_MAC_LEN); 2909 abd_return_buf(pabd, plainbuf, datalen); 2910 abd_return_buf_copy(cabd, cipherbuf, datalen); 2911 } else { 2912 abd_return_buf_copy(pabd, plainbuf, datalen); 2913 abd_return_buf(cabd, cipherbuf, datalen); 2914 } 2915 2916 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2917 2918 return (ret); 2919 } 2920 2921 ZFS_MODULE_PARAM(zfs, zfs_, disable_ivset_guid_check, INT, ZMOD_RW, 2922 "Set to allow raw receives without IVset guids"); 2923