1 /* 2 * CDDL HEADER START 3 * 4 * This file and its contents are supplied under the terms of the 5 * Common Development and Distribution License ("CDDL"), version 1.0. 6 * You may only use this file in accordance with the terms of version 7 * 1.0 of the CDDL. 8 * 9 * A full copy of the text of the CDDL should have accompanied this 10 * source. A copy of the CDDL is also available via the Internet at 11 * http://www.illumos.org/license/CDDL. 12 * 13 * CDDL HEADER END 14 */ 15 16 /* 17 * Copyright (c) 2017, Datto, Inc. All rights reserved. 18 * Copyright (c) 2018 by Delphix. All rights reserved. 19 */ 20 21 #include <sys/dsl_crypt.h> 22 #include <sys/dsl_pool.h> 23 #include <sys/zap.h> 24 #include <sys/zil.h> 25 #include <sys/dsl_dir.h> 26 #include <sys/dsl_prop.h> 27 #include <sys/spa_impl.h> 28 #include <sys/dmu_objset.h> 29 #include <sys/zvol.h> 30 31 /* 32 * This file's primary purpose is for managing master encryption keys in 33 * memory and on disk. For more info on how these keys are used, see the 34 * block comment in zio_crypt.c. 35 * 36 * All master keys are stored encrypted on disk in the form of the DSL 37 * Crypto Key ZAP object. The binary key data in this object is always 38 * randomly generated and is encrypted with the user's wrapping key. This 39 * layer of indirection allows the user to change their key without 40 * needing to re-encrypt the entire dataset. The ZAP also holds on to the 41 * (non-encrypted) encryption algorithm identifier, IV, and MAC needed to 42 * safely decrypt the master key. For more info on the user's key see the 43 * block comment in libzfs_crypto.c 44 * 45 * In-memory encryption keys are managed through the spa_keystore. The 46 * keystore consists of 3 AVL trees, which are as follows: 47 * 48 * The Wrapping Key Tree: 49 * The wrapping key (wkey) tree stores the user's keys that are fed into the 50 * kernel through 'zfs load-key' and related commands. Datasets inherit their 51 * parent's wkey by default, so these structures are refcounted. The wrapping 52 * keys remain in memory until they are explicitly unloaded (with 53 * "zfs unload-key"). Unloading is only possible when no datasets are using 54 * them (refcount=0). 55 * 56 * The DSL Crypto Key Tree: 57 * The DSL Crypto Keys (DCK) are the in-memory representation of decrypted 58 * master keys. They are used by the functions in zio_crypt.c to perform 59 * encryption, decryption, and authentication. Snapshots and clones of a given 60 * dataset will share a DSL Crypto Key, so they are also refcounted. Once the 61 * refcount on a key hits zero, it is immediately zeroed out and freed. 62 * 63 * The Crypto Key Mapping Tree: 64 * The zio layer needs to lookup master keys by their dataset object id. Since 65 * the DSL Crypto Keys can belong to multiple datasets, we maintain a tree of 66 * dsl_key_mapping_t's which essentially just map the dataset object id to its 67 * appropriate DSL Crypto Key. The management for creating and destroying these 68 * mappings hooks into the code for owning and disowning datasets. Usually, 69 * there will only be one active dataset owner, but there are times 70 * (particularly during dataset creation and destruction) when this may not be 71 * true or the dataset may not be initialized enough to own. As a result, this 72 * object is also refcounted. 73 */ 74 75 /* 76 * This tunable allows datasets to be raw received even if the stream does 77 * not include IVset guids or if the guids don't match. This is used as part 78 * of the resolution for ZPOOL_ERRATA_ZOL_8308_ENCRYPTION. 79 */ 80 int zfs_disable_ivset_guid_check = 0; 81 82 static void 83 dsl_wrapping_key_hold(dsl_wrapping_key_t *wkey, const void *tag) 84 { 85 (void) zfs_refcount_add(&wkey->wk_refcnt, tag); 86 } 87 88 static void 89 dsl_wrapping_key_rele(dsl_wrapping_key_t *wkey, const void *tag) 90 { 91 (void) zfs_refcount_remove(&wkey->wk_refcnt, tag); 92 } 93 94 static void 95 dsl_wrapping_key_free(dsl_wrapping_key_t *wkey) 96 { 97 ASSERT0(zfs_refcount_count(&wkey->wk_refcnt)); 98 99 if (wkey->wk_key.ck_data) { 100 memset(wkey->wk_key.ck_data, 0, 101 CRYPTO_BITS2BYTES(wkey->wk_key.ck_length)); 102 kmem_free(wkey->wk_key.ck_data, 103 CRYPTO_BITS2BYTES(wkey->wk_key.ck_length)); 104 } 105 106 zfs_refcount_destroy(&wkey->wk_refcnt); 107 kmem_free(wkey, sizeof (dsl_wrapping_key_t)); 108 } 109 110 static void 111 dsl_wrapping_key_create(uint8_t *wkeydata, zfs_keyformat_t keyformat, 112 uint64_t salt, uint64_t iters, dsl_wrapping_key_t **wkey_out) 113 { 114 dsl_wrapping_key_t *wkey; 115 116 /* allocate the wrapping key */ 117 wkey = kmem_alloc(sizeof (dsl_wrapping_key_t), KM_SLEEP); 118 119 /* allocate and initialize the underlying crypto key */ 120 wkey->wk_key.ck_data = kmem_alloc(WRAPPING_KEY_LEN, KM_SLEEP); 121 122 wkey->wk_key.ck_length = CRYPTO_BYTES2BITS(WRAPPING_KEY_LEN); 123 memcpy(wkey->wk_key.ck_data, wkeydata, WRAPPING_KEY_LEN); 124 125 /* initialize the rest of the struct */ 126 zfs_refcount_create(&wkey->wk_refcnt); 127 wkey->wk_keyformat = keyformat; 128 wkey->wk_salt = salt; 129 wkey->wk_iters = iters; 130 131 *wkey_out = wkey; 132 } 133 134 int 135 dsl_crypto_params_create_nvlist(dcp_cmd_t cmd, nvlist_t *props, 136 nvlist_t *crypto_args, dsl_crypto_params_t **dcp_out) 137 { 138 int ret; 139 uint64_t crypt = ZIO_CRYPT_INHERIT; 140 uint64_t keyformat = ZFS_KEYFORMAT_NONE; 141 uint64_t salt = 0, iters = 0; 142 dsl_crypto_params_t *dcp = NULL; 143 dsl_wrapping_key_t *wkey = NULL; 144 uint8_t *wkeydata = NULL; 145 uint_t wkeydata_len = 0; 146 const char *keylocation = NULL; 147 148 dcp = kmem_zalloc(sizeof (dsl_crypto_params_t), KM_SLEEP); 149 dcp->cp_cmd = cmd; 150 151 /* get relevant arguments from the nvlists */ 152 if (props != NULL) { 153 (void) nvlist_lookup_uint64(props, 154 zfs_prop_to_name(ZFS_PROP_ENCRYPTION), &crypt); 155 (void) nvlist_lookup_uint64(props, 156 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), &keyformat); 157 (void) nvlist_lookup_string(props, 158 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), &keylocation); 159 (void) nvlist_lookup_uint64(props, 160 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), &salt); 161 (void) nvlist_lookup_uint64(props, 162 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), &iters); 163 164 dcp->cp_crypt = crypt; 165 } 166 167 if (crypto_args != NULL) { 168 (void) nvlist_lookup_uint8_array(crypto_args, "wkeydata", 169 &wkeydata, &wkeydata_len); 170 } 171 172 /* check for valid command */ 173 if (dcp->cp_cmd >= DCP_CMD_MAX) { 174 ret = SET_ERROR(EINVAL); 175 goto error; 176 } else { 177 dcp->cp_cmd = cmd; 178 } 179 180 /* check for valid crypt */ 181 if (dcp->cp_crypt >= ZIO_CRYPT_FUNCTIONS) { 182 ret = SET_ERROR(EINVAL); 183 goto error; 184 } else { 185 dcp->cp_crypt = crypt; 186 } 187 188 /* check for valid keyformat */ 189 if (keyformat >= ZFS_KEYFORMAT_FORMATS) { 190 ret = SET_ERROR(EINVAL); 191 goto error; 192 } 193 194 /* check for a valid keylocation (of any kind) and copy it in */ 195 if (keylocation != NULL) { 196 if (!zfs_prop_valid_keylocation(keylocation, B_FALSE)) { 197 ret = SET_ERROR(EINVAL); 198 goto error; 199 } 200 201 dcp->cp_keylocation = spa_strdup(keylocation); 202 } 203 204 /* check wrapping key length, if given */ 205 if (wkeydata != NULL && wkeydata_len != WRAPPING_KEY_LEN) { 206 ret = SET_ERROR(EINVAL); 207 goto error; 208 } 209 210 /* if the user asked for the default crypt, determine that now */ 211 if (dcp->cp_crypt == ZIO_CRYPT_ON) 212 dcp->cp_crypt = ZIO_CRYPT_ON_VALUE; 213 214 /* create the wrapping key from the raw data */ 215 if (wkeydata != NULL) { 216 /* create the wrapping key with the verified parameters */ 217 dsl_wrapping_key_create(wkeydata, keyformat, salt, 218 iters, &wkey); 219 dcp->cp_wkey = wkey; 220 } 221 222 /* 223 * Remove the encryption properties from the nvlist since they are not 224 * maintained through the DSL. 225 */ 226 (void) nvlist_remove_all(props, zfs_prop_to_name(ZFS_PROP_ENCRYPTION)); 227 (void) nvlist_remove_all(props, zfs_prop_to_name(ZFS_PROP_KEYFORMAT)); 228 (void) nvlist_remove_all(props, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT)); 229 (void) nvlist_remove_all(props, 230 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS)); 231 232 *dcp_out = dcp; 233 234 return (0); 235 236 error: 237 kmem_free(dcp, sizeof (dsl_crypto_params_t)); 238 *dcp_out = NULL; 239 return (ret); 240 } 241 242 void 243 dsl_crypto_params_free(dsl_crypto_params_t *dcp, boolean_t unload) 244 { 245 if (dcp == NULL) 246 return; 247 248 if (dcp->cp_keylocation != NULL) 249 spa_strfree(dcp->cp_keylocation); 250 if (unload && dcp->cp_wkey != NULL) 251 dsl_wrapping_key_free(dcp->cp_wkey); 252 253 kmem_free(dcp, sizeof (dsl_crypto_params_t)); 254 } 255 256 static int 257 spa_crypto_key_compare(const void *a, const void *b) 258 { 259 const dsl_crypto_key_t *dcka = a; 260 const dsl_crypto_key_t *dckb = b; 261 262 if (dcka->dck_obj < dckb->dck_obj) 263 return (-1); 264 if (dcka->dck_obj > dckb->dck_obj) 265 return (1); 266 return (0); 267 } 268 269 /* 270 * this compares a crypto key based on zk_guid. See comment on 271 * spa_crypto_key_compare for more information. 272 */ 273 boolean_t 274 dmu_objset_crypto_key_equal(objset_t *osa, objset_t *osb) 275 { 276 dsl_crypto_key_t *dcka = NULL; 277 dsl_crypto_key_t *dckb = NULL; 278 uint64_t obja, objb; 279 boolean_t equal; 280 spa_t *spa; 281 282 spa = dmu_objset_spa(osa); 283 if (spa != dmu_objset_spa(osb)) 284 return (B_FALSE); 285 obja = dmu_objset_ds(osa)->ds_object; 286 objb = dmu_objset_ds(osb)->ds_object; 287 288 if (spa_keystore_lookup_key(spa, obja, FTAG, &dcka) != 0) 289 return (B_FALSE); 290 if (spa_keystore_lookup_key(spa, objb, FTAG, &dckb) != 0) { 291 spa_keystore_dsl_key_rele(spa, dcka, FTAG); 292 return (B_FALSE); 293 } 294 295 equal = (dcka->dck_key.zk_guid == dckb->dck_key.zk_guid); 296 297 spa_keystore_dsl_key_rele(spa, dcka, FTAG); 298 spa_keystore_dsl_key_rele(spa, dckb, FTAG); 299 300 return (equal); 301 } 302 303 static int 304 spa_key_mapping_compare(const void *a, const void *b) 305 { 306 const dsl_key_mapping_t *kma = a; 307 const dsl_key_mapping_t *kmb = b; 308 309 if (kma->km_dsobj < kmb->km_dsobj) 310 return (-1); 311 if (kma->km_dsobj > kmb->km_dsobj) 312 return (1); 313 return (0); 314 } 315 316 static int 317 spa_wkey_compare(const void *a, const void *b) 318 { 319 const dsl_wrapping_key_t *wka = a; 320 const dsl_wrapping_key_t *wkb = b; 321 322 if (wka->wk_ddobj < wkb->wk_ddobj) 323 return (-1); 324 if (wka->wk_ddobj > wkb->wk_ddobj) 325 return (1); 326 return (0); 327 } 328 329 void 330 spa_keystore_init(spa_keystore_t *sk) 331 { 332 rw_init(&sk->sk_dk_lock, NULL, RW_DEFAULT, NULL); 333 rw_init(&sk->sk_km_lock, NULL, RW_DEFAULT, NULL); 334 rw_init(&sk->sk_wkeys_lock, NULL, RW_DEFAULT, NULL); 335 avl_create(&sk->sk_dsl_keys, spa_crypto_key_compare, 336 sizeof (dsl_crypto_key_t), 337 offsetof(dsl_crypto_key_t, dck_avl_link)); 338 avl_create(&sk->sk_key_mappings, spa_key_mapping_compare, 339 sizeof (dsl_key_mapping_t), 340 offsetof(dsl_key_mapping_t, km_avl_link)); 341 avl_create(&sk->sk_wkeys, spa_wkey_compare, sizeof (dsl_wrapping_key_t), 342 offsetof(dsl_wrapping_key_t, wk_avl_link)); 343 } 344 345 void 346 spa_keystore_fini(spa_keystore_t *sk) 347 { 348 dsl_wrapping_key_t *wkey; 349 void *cookie = NULL; 350 351 ASSERT(avl_is_empty(&sk->sk_dsl_keys)); 352 ASSERT(avl_is_empty(&sk->sk_key_mappings)); 353 354 while ((wkey = avl_destroy_nodes(&sk->sk_wkeys, &cookie)) != NULL) 355 dsl_wrapping_key_free(wkey); 356 357 avl_destroy(&sk->sk_wkeys); 358 avl_destroy(&sk->sk_key_mappings); 359 avl_destroy(&sk->sk_dsl_keys); 360 rw_destroy(&sk->sk_wkeys_lock); 361 rw_destroy(&sk->sk_km_lock); 362 rw_destroy(&sk->sk_dk_lock); 363 } 364 365 static int 366 dsl_dir_get_encryption_root_ddobj(dsl_dir_t *dd, uint64_t *rddobj) 367 { 368 if (dd->dd_crypto_obj == 0) 369 return (SET_ERROR(ENOENT)); 370 371 return (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 372 DSL_CRYPTO_KEY_ROOT_DDOBJ, 8, 1, rddobj)); 373 } 374 375 static int 376 dsl_dir_get_encryption_version(dsl_dir_t *dd, uint64_t *version) 377 { 378 *version = 0; 379 380 if (dd->dd_crypto_obj == 0) 381 return (SET_ERROR(ENOENT)); 382 383 /* version 0 is implied by ENOENT */ 384 (void) zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 385 DSL_CRYPTO_KEY_VERSION, 8, 1, version); 386 387 return (0); 388 } 389 390 boolean_t 391 dsl_dir_incompatible_encryption_version(dsl_dir_t *dd) 392 { 393 int ret; 394 uint64_t version = 0; 395 396 ret = dsl_dir_get_encryption_version(dd, &version); 397 if (ret != 0) 398 return (B_FALSE); 399 400 return (version != ZIO_CRYPT_KEY_CURRENT_VERSION); 401 } 402 403 static int 404 spa_keystore_wkey_hold_ddobj_impl(spa_t *spa, uint64_t ddobj, 405 const void *tag, dsl_wrapping_key_t **wkey_out) 406 { 407 int ret; 408 dsl_wrapping_key_t search_wkey; 409 dsl_wrapping_key_t *found_wkey; 410 411 ASSERT(RW_LOCK_HELD(&spa->spa_keystore.sk_wkeys_lock)); 412 413 /* init the search wrapping key */ 414 search_wkey.wk_ddobj = ddobj; 415 416 /* lookup the wrapping key */ 417 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, &search_wkey, NULL); 418 if (!found_wkey) { 419 ret = SET_ERROR(ENOENT); 420 goto error; 421 } 422 423 /* increment the refcount */ 424 dsl_wrapping_key_hold(found_wkey, tag); 425 426 *wkey_out = found_wkey; 427 return (0); 428 429 error: 430 *wkey_out = NULL; 431 return (ret); 432 } 433 434 static int 435 spa_keystore_wkey_hold_dd(spa_t *spa, dsl_dir_t *dd, const void *tag, 436 dsl_wrapping_key_t **wkey_out) 437 { 438 int ret; 439 dsl_wrapping_key_t *wkey; 440 uint64_t rddobj; 441 boolean_t locked = B_FALSE; 442 443 if (!RW_WRITE_HELD(&spa->spa_keystore.sk_wkeys_lock)) { 444 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_READER); 445 locked = B_TRUE; 446 } 447 448 /* get the ddobj that the keylocation property was inherited from */ 449 ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj); 450 if (ret != 0) 451 goto error; 452 453 /* lookup the wkey in the avl tree */ 454 ret = spa_keystore_wkey_hold_ddobj_impl(spa, rddobj, tag, &wkey); 455 if (ret != 0) 456 goto error; 457 458 /* unlock the wkey tree if we locked it */ 459 if (locked) 460 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 461 462 *wkey_out = wkey; 463 return (0); 464 465 error: 466 if (locked) 467 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 468 469 *wkey_out = NULL; 470 return (ret); 471 } 472 473 int 474 dsl_crypto_can_set_keylocation(const char *dsname, const char *keylocation) 475 { 476 int ret = 0; 477 dsl_dir_t *dd = NULL; 478 dsl_pool_t *dp = NULL; 479 uint64_t rddobj; 480 481 /* hold the dsl dir */ 482 ret = dsl_pool_hold(dsname, FTAG, &dp); 483 if (ret != 0) 484 goto out; 485 486 ret = dsl_dir_hold(dp, dsname, FTAG, &dd, NULL); 487 if (ret != 0) { 488 dd = NULL; 489 goto out; 490 } 491 492 /* if dd is not encrypted, the value may only be "none" */ 493 if (dd->dd_crypto_obj == 0) { 494 if (strcmp(keylocation, "none") != 0) { 495 ret = SET_ERROR(EACCES); 496 goto out; 497 } 498 499 ret = 0; 500 goto out; 501 } 502 503 /* check for a valid keylocation for encrypted datasets */ 504 if (!zfs_prop_valid_keylocation(keylocation, B_TRUE)) { 505 ret = SET_ERROR(EINVAL); 506 goto out; 507 } 508 509 /* check that this is an encryption root */ 510 ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj); 511 if (ret != 0) 512 goto out; 513 514 if (rddobj != dd->dd_object) { 515 ret = SET_ERROR(EACCES); 516 goto out; 517 } 518 519 dsl_dir_rele(dd, FTAG); 520 dsl_pool_rele(dp, FTAG); 521 522 return (0); 523 524 out: 525 if (dd != NULL) 526 dsl_dir_rele(dd, FTAG); 527 if (dp != NULL) 528 dsl_pool_rele(dp, FTAG); 529 530 return (ret); 531 } 532 533 static void 534 dsl_crypto_key_free(dsl_crypto_key_t *dck) 535 { 536 ASSERT(zfs_refcount_count(&dck->dck_holds) == 0); 537 538 /* destroy the zio_crypt_key_t */ 539 zio_crypt_key_destroy(&dck->dck_key); 540 541 /* free the refcount, wrapping key, and lock */ 542 zfs_refcount_destroy(&dck->dck_holds); 543 if (dck->dck_wkey) 544 dsl_wrapping_key_rele(dck->dck_wkey, dck); 545 546 /* free the key */ 547 kmem_free(dck, sizeof (dsl_crypto_key_t)); 548 } 549 550 static void 551 dsl_crypto_key_rele(dsl_crypto_key_t *dck, const void *tag) 552 { 553 if (zfs_refcount_remove(&dck->dck_holds, tag) == 0) 554 dsl_crypto_key_free(dck); 555 } 556 557 static int 558 dsl_crypto_key_open(objset_t *mos, dsl_wrapping_key_t *wkey, 559 uint64_t dckobj, const void *tag, dsl_crypto_key_t **dck_out) 560 { 561 int ret; 562 uint64_t crypt = 0, guid = 0, version = 0; 563 uint8_t raw_keydata[MASTER_KEY_MAX_LEN]; 564 uint8_t raw_hmac_keydata[SHA512_HMAC_KEYLEN]; 565 uint8_t iv[WRAPPING_IV_LEN]; 566 uint8_t mac[WRAPPING_MAC_LEN]; 567 dsl_crypto_key_t *dck; 568 569 /* allocate and initialize the key */ 570 dck = kmem_zalloc(sizeof (dsl_crypto_key_t), KM_SLEEP); 571 572 /* fetch all of the values we need from the ZAP */ 573 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, 574 &crypt); 575 if (ret != 0) 576 goto error; 577 578 /* handle a future crypto suite that we don't support */ 579 if (crypt >= ZIO_CRYPT_FUNCTIONS) { 580 ret = (SET_ERROR(ZFS_ERR_CRYPTO_NOTSUP)); 581 goto error; 582 } 583 584 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_GUID, 8, 1, &guid); 585 if (ret != 0) 586 goto error; 587 588 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MASTER_KEY, 1, 589 MASTER_KEY_MAX_LEN, raw_keydata); 590 if (ret != 0) 591 goto error; 592 593 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_HMAC_KEY, 1, 594 SHA512_HMAC_KEYLEN, raw_hmac_keydata); 595 if (ret != 0) 596 goto error; 597 598 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_IV, 1, WRAPPING_IV_LEN, 599 iv); 600 if (ret != 0) 601 goto error; 602 603 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MAC, 1, WRAPPING_MAC_LEN, 604 mac); 605 if (ret != 0) 606 goto error; 607 608 /* the initial on-disk format for encryption did not have a version */ 609 (void) zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_VERSION, 8, 1, &version); 610 611 /* 612 * Unwrap the keys. If there is an error return EACCES to indicate 613 * an authentication failure. 614 */ 615 ret = zio_crypt_key_unwrap(&wkey->wk_key, crypt, version, guid, 616 raw_keydata, raw_hmac_keydata, iv, mac, &dck->dck_key); 617 if (ret != 0) { 618 ret = SET_ERROR(EACCES); 619 goto error; 620 } 621 622 /* finish initializing the dsl_crypto_key_t */ 623 zfs_refcount_create(&dck->dck_holds); 624 dsl_wrapping_key_hold(wkey, dck); 625 dck->dck_wkey = wkey; 626 dck->dck_obj = dckobj; 627 zfs_refcount_add(&dck->dck_holds, tag); 628 629 *dck_out = dck; 630 return (0); 631 632 error: 633 if (dck != NULL) { 634 memset(dck, 0, sizeof (dsl_crypto_key_t)); 635 kmem_free(dck, sizeof (dsl_crypto_key_t)); 636 } 637 638 *dck_out = NULL; 639 return (ret); 640 } 641 642 static int 643 spa_keystore_dsl_key_hold_impl(spa_t *spa, uint64_t dckobj, const void *tag, 644 dsl_crypto_key_t **dck_out) 645 { 646 int ret; 647 dsl_crypto_key_t search_dck; 648 dsl_crypto_key_t *found_dck; 649 650 ASSERT(RW_LOCK_HELD(&spa->spa_keystore.sk_dk_lock)); 651 652 /* init the search key */ 653 search_dck.dck_obj = dckobj; 654 655 /* find the matching key in the keystore */ 656 found_dck = avl_find(&spa->spa_keystore.sk_dsl_keys, &search_dck, NULL); 657 if (!found_dck) { 658 ret = SET_ERROR(ENOENT); 659 goto error; 660 } 661 662 /* increment the refcount */ 663 zfs_refcount_add(&found_dck->dck_holds, tag); 664 665 *dck_out = found_dck; 666 return (0); 667 668 error: 669 *dck_out = NULL; 670 return (ret); 671 } 672 673 static int 674 spa_keystore_dsl_key_hold_dd(spa_t *spa, dsl_dir_t *dd, const void *tag, 675 dsl_crypto_key_t **dck_out) 676 { 677 int ret; 678 avl_index_t where; 679 dsl_crypto_key_t *dck_io = NULL, *dck_ks = NULL; 680 dsl_wrapping_key_t *wkey = NULL; 681 uint64_t dckobj = dd->dd_crypto_obj; 682 683 /* Lookup the key in the tree of currently loaded keys */ 684 rw_enter(&spa->spa_keystore.sk_dk_lock, RW_READER); 685 ret = spa_keystore_dsl_key_hold_impl(spa, dckobj, tag, &dck_ks); 686 rw_exit(&spa->spa_keystore.sk_dk_lock); 687 if (ret == 0) { 688 *dck_out = dck_ks; 689 return (0); 690 } 691 692 /* Lookup the wrapping key from the keystore */ 693 ret = spa_keystore_wkey_hold_dd(spa, dd, FTAG, &wkey); 694 if (ret != 0) { 695 *dck_out = NULL; 696 return (SET_ERROR(EACCES)); 697 } 698 699 /* Read the key from disk */ 700 ret = dsl_crypto_key_open(spa->spa_meta_objset, wkey, dckobj, 701 tag, &dck_io); 702 if (ret != 0) { 703 dsl_wrapping_key_rele(wkey, FTAG); 704 *dck_out = NULL; 705 return (ret); 706 } 707 708 /* 709 * Add the key to the keystore. It may already exist if it was 710 * added while performing the read from disk. In this case discard 711 * it and return the key from the keystore. 712 */ 713 rw_enter(&spa->spa_keystore.sk_dk_lock, RW_WRITER); 714 ret = spa_keystore_dsl_key_hold_impl(spa, dckobj, tag, &dck_ks); 715 if (ret != 0) { 716 avl_find(&spa->spa_keystore.sk_dsl_keys, dck_io, &where); 717 avl_insert(&spa->spa_keystore.sk_dsl_keys, dck_io, where); 718 *dck_out = dck_io; 719 } else { 720 dsl_crypto_key_free(dck_io); 721 *dck_out = dck_ks; 722 } 723 724 /* Release the wrapping key (the dsl key now has a reference to it) */ 725 dsl_wrapping_key_rele(wkey, FTAG); 726 rw_exit(&spa->spa_keystore.sk_dk_lock); 727 728 return (0); 729 } 730 731 void 732 spa_keystore_dsl_key_rele(spa_t *spa, dsl_crypto_key_t *dck, const void *tag) 733 { 734 rw_enter(&spa->spa_keystore.sk_dk_lock, RW_WRITER); 735 736 if (zfs_refcount_remove(&dck->dck_holds, tag) == 0) { 737 avl_remove(&spa->spa_keystore.sk_dsl_keys, dck); 738 dsl_crypto_key_free(dck); 739 } 740 741 rw_exit(&spa->spa_keystore.sk_dk_lock); 742 } 743 744 int 745 spa_keystore_load_wkey_impl(spa_t *spa, dsl_wrapping_key_t *wkey) 746 { 747 int ret; 748 avl_index_t where; 749 dsl_wrapping_key_t *found_wkey; 750 751 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 752 753 /* insert the wrapping key into the keystore */ 754 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, wkey, &where); 755 if (found_wkey != NULL) { 756 ret = SET_ERROR(EEXIST); 757 goto error_unlock; 758 } 759 avl_insert(&spa->spa_keystore.sk_wkeys, wkey, where); 760 761 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 762 763 return (0); 764 765 error_unlock: 766 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 767 return (ret); 768 } 769 770 int 771 spa_keystore_load_wkey(const char *dsname, dsl_crypto_params_t *dcp, 772 boolean_t noop) 773 { 774 int ret; 775 dsl_dir_t *dd = NULL; 776 dsl_crypto_key_t *dck = NULL; 777 dsl_wrapping_key_t *wkey = dcp->cp_wkey; 778 dsl_pool_t *dp = NULL; 779 uint64_t rddobj, keyformat, salt, iters; 780 781 /* 782 * We don't validate the wrapping key's keyformat, salt, or iters 783 * since they will never be needed after the DCK has been wrapped. 784 */ 785 if (dcp->cp_wkey == NULL || 786 dcp->cp_cmd != DCP_CMD_NONE || 787 dcp->cp_crypt != ZIO_CRYPT_INHERIT || 788 dcp->cp_keylocation != NULL) 789 return (SET_ERROR(EINVAL)); 790 791 ret = dsl_pool_hold(dsname, FTAG, &dp); 792 if (ret != 0) 793 goto error; 794 795 if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_ENCRYPTION)) { 796 ret = SET_ERROR(ENOTSUP); 797 goto error; 798 } 799 800 /* hold the dsl dir */ 801 ret = dsl_dir_hold(dp, dsname, FTAG, &dd, NULL); 802 if (ret != 0) { 803 dd = NULL; 804 goto error; 805 } 806 807 /* confirm that dd is the encryption root */ 808 ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj); 809 if (ret != 0 || rddobj != dd->dd_object) { 810 ret = SET_ERROR(EINVAL); 811 goto error; 812 } 813 814 /* initialize the wkey's ddobj */ 815 wkey->wk_ddobj = dd->dd_object; 816 817 /* verify that the wkey is correct by opening its dsl key */ 818 ret = dsl_crypto_key_open(dp->dp_meta_objset, wkey, 819 dd->dd_crypto_obj, FTAG, &dck); 820 if (ret != 0) 821 goto error; 822 823 /* initialize the wkey encryption parameters from the DSL Crypto Key */ 824 ret = zap_lookup(dp->dp_meta_objset, dd->dd_crypto_obj, 825 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 8, 1, &keyformat); 826 if (ret != 0) 827 goto error; 828 829 ret = zap_lookup(dp->dp_meta_objset, dd->dd_crypto_obj, 830 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 8, 1, &salt); 831 if (ret != 0) 832 goto error; 833 834 ret = zap_lookup(dp->dp_meta_objset, dd->dd_crypto_obj, 835 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 8, 1, &iters); 836 if (ret != 0) 837 goto error; 838 839 ASSERT3U(keyformat, <, ZFS_KEYFORMAT_FORMATS); 840 ASSERT3U(keyformat, !=, ZFS_KEYFORMAT_NONE); 841 IMPLY(keyformat == ZFS_KEYFORMAT_PASSPHRASE, iters != 0); 842 IMPLY(keyformat == ZFS_KEYFORMAT_PASSPHRASE, salt != 0); 843 IMPLY(keyformat != ZFS_KEYFORMAT_PASSPHRASE, iters == 0); 844 IMPLY(keyformat != ZFS_KEYFORMAT_PASSPHRASE, salt == 0); 845 846 wkey->wk_keyformat = keyformat; 847 wkey->wk_salt = salt; 848 wkey->wk_iters = iters; 849 850 /* 851 * At this point we have verified the wkey and confirmed that it can 852 * be used to decrypt a DSL Crypto Key. We can simply cleanup and 853 * return if this is all the user wanted to do. 854 */ 855 if (noop) 856 goto error; 857 858 /* insert the wrapping key into the keystore */ 859 ret = spa_keystore_load_wkey_impl(dp->dp_spa, wkey); 860 if (ret != 0) 861 goto error; 862 863 dsl_crypto_key_rele(dck, FTAG); 864 dsl_dir_rele(dd, FTAG); 865 dsl_pool_rele(dp, FTAG); 866 867 /* create any zvols under this ds */ 868 zvol_create_minors_recursive(dsname); 869 870 return (0); 871 872 error: 873 if (dck != NULL) 874 dsl_crypto_key_rele(dck, FTAG); 875 if (dd != NULL) 876 dsl_dir_rele(dd, FTAG); 877 if (dp != NULL) 878 dsl_pool_rele(dp, FTAG); 879 880 return (ret); 881 } 882 883 int 884 spa_keystore_unload_wkey_impl(spa_t *spa, uint64_t ddobj) 885 { 886 int ret; 887 dsl_wrapping_key_t search_wkey; 888 dsl_wrapping_key_t *found_wkey; 889 890 /* init the search wrapping key */ 891 search_wkey.wk_ddobj = ddobj; 892 893 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 894 895 /* remove the wrapping key from the keystore */ 896 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, 897 &search_wkey, NULL); 898 if (!found_wkey) { 899 ret = SET_ERROR(EACCES); 900 goto error_unlock; 901 } else if (zfs_refcount_count(&found_wkey->wk_refcnt) != 0) { 902 ret = SET_ERROR(EBUSY); 903 goto error_unlock; 904 } 905 avl_remove(&spa->spa_keystore.sk_wkeys, found_wkey); 906 907 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 908 909 /* free the wrapping key */ 910 dsl_wrapping_key_free(found_wkey); 911 912 return (0); 913 914 error_unlock: 915 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 916 return (ret); 917 } 918 919 int 920 spa_keystore_unload_wkey(const char *dsname) 921 { 922 int ret = 0; 923 dsl_dir_t *dd = NULL; 924 dsl_pool_t *dp = NULL; 925 spa_t *spa = NULL; 926 927 ret = spa_open(dsname, &spa, FTAG); 928 if (ret != 0) 929 return (ret); 930 931 /* 932 * Wait for any outstanding txg IO to complete, releasing any 933 * remaining references on the wkey. 934 */ 935 if (spa_mode(spa) != SPA_MODE_READ) 936 txg_wait_synced(spa->spa_dsl_pool, 0); 937 938 spa_close(spa, FTAG); 939 940 /* hold the dsl dir */ 941 ret = dsl_pool_hold(dsname, FTAG, &dp); 942 if (ret != 0) 943 goto error; 944 945 if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_ENCRYPTION)) { 946 ret = (SET_ERROR(ENOTSUP)); 947 goto error; 948 } 949 950 ret = dsl_dir_hold(dp, dsname, FTAG, &dd, NULL); 951 if (ret != 0) { 952 dd = NULL; 953 goto error; 954 } 955 956 /* unload the wkey */ 957 ret = spa_keystore_unload_wkey_impl(dp->dp_spa, dd->dd_object); 958 if (ret != 0) 959 goto error; 960 961 dsl_dir_rele(dd, FTAG); 962 dsl_pool_rele(dp, FTAG); 963 964 /* remove any zvols under this ds */ 965 zvol_remove_minors(dp->dp_spa, dsname, B_TRUE); 966 967 return (0); 968 969 error: 970 if (dd != NULL) 971 dsl_dir_rele(dd, FTAG); 972 if (dp != NULL) 973 dsl_pool_rele(dp, FTAG); 974 975 return (ret); 976 } 977 978 void 979 key_mapping_add_ref(dsl_key_mapping_t *km, const void *tag) 980 { 981 ASSERT3U(zfs_refcount_count(&km->km_refcnt), >=, 1); 982 zfs_refcount_add(&km->km_refcnt, tag); 983 } 984 985 /* 986 * The locking here is a little tricky to ensure we don't cause unnecessary 987 * performance problems. We want to release a key mapping whenever someone 988 * decrements the refcount to 0, but freeing the mapping requires removing 989 * it from the spa_keystore, which requires holding sk_km_lock as a writer. 990 * Most of the time we don't want to hold this lock as a writer, since the 991 * same lock is held as a reader for each IO that needs to encrypt / decrypt 992 * data for any dataset and in practice we will only actually free the 993 * mapping after unmounting a dataset. 994 */ 995 void 996 key_mapping_rele(spa_t *spa, dsl_key_mapping_t *km, const void *tag) 997 { 998 ASSERT3U(zfs_refcount_count(&km->km_refcnt), >=, 1); 999 1000 if (zfs_refcount_remove(&km->km_refcnt, tag) != 0) 1001 return; 1002 1003 /* 1004 * We think we are going to need to free the mapping. Add a 1005 * reference to prevent most other releasers from thinking 1006 * this might be their responsibility. This is inherently 1007 * racy, so we will confirm that we are legitimately the 1008 * last holder once we have the sk_km_lock as a writer. 1009 */ 1010 zfs_refcount_add(&km->km_refcnt, FTAG); 1011 1012 rw_enter(&spa->spa_keystore.sk_km_lock, RW_WRITER); 1013 if (zfs_refcount_remove(&km->km_refcnt, FTAG) != 0) { 1014 rw_exit(&spa->spa_keystore.sk_km_lock); 1015 return; 1016 } 1017 1018 avl_remove(&spa->spa_keystore.sk_key_mappings, km); 1019 rw_exit(&spa->spa_keystore.sk_km_lock); 1020 1021 spa_keystore_dsl_key_rele(spa, km->km_key, km); 1022 zfs_refcount_destroy(&km->km_refcnt); 1023 kmem_free(km, sizeof (dsl_key_mapping_t)); 1024 } 1025 1026 int 1027 spa_keystore_create_mapping(spa_t *spa, dsl_dataset_t *ds, const void *tag, 1028 dsl_key_mapping_t **km_out) 1029 { 1030 int ret; 1031 avl_index_t where; 1032 dsl_key_mapping_t *km, *found_km; 1033 boolean_t should_free = B_FALSE; 1034 1035 /* Allocate and initialize the mapping */ 1036 km = kmem_zalloc(sizeof (dsl_key_mapping_t), KM_SLEEP); 1037 zfs_refcount_create(&km->km_refcnt); 1038 1039 ret = spa_keystore_dsl_key_hold_dd(spa, ds->ds_dir, km, &km->km_key); 1040 if (ret != 0) { 1041 zfs_refcount_destroy(&km->km_refcnt); 1042 kmem_free(km, sizeof (dsl_key_mapping_t)); 1043 1044 if (km_out != NULL) 1045 *km_out = NULL; 1046 return (ret); 1047 } 1048 1049 km->km_dsobj = ds->ds_object; 1050 1051 rw_enter(&spa->spa_keystore.sk_km_lock, RW_WRITER); 1052 1053 /* 1054 * If a mapping already exists, simply increment its refcount and 1055 * cleanup the one we made. We want to allocate / free outside of 1056 * the lock because this lock is also used by the zio layer to lookup 1057 * key mappings. Otherwise, use the one we created. Normally, there will 1058 * only be one active reference at a time (the objset owner), but there 1059 * are times when there could be multiple async users. 1060 */ 1061 found_km = avl_find(&spa->spa_keystore.sk_key_mappings, km, &where); 1062 if (found_km != NULL) { 1063 should_free = B_TRUE; 1064 zfs_refcount_add(&found_km->km_refcnt, tag); 1065 if (km_out != NULL) 1066 *km_out = found_km; 1067 } else { 1068 zfs_refcount_add(&km->km_refcnt, tag); 1069 avl_insert(&spa->spa_keystore.sk_key_mappings, km, where); 1070 if (km_out != NULL) 1071 *km_out = km; 1072 } 1073 1074 rw_exit(&spa->spa_keystore.sk_km_lock); 1075 1076 if (should_free) { 1077 spa_keystore_dsl_key_rele(spa, km->km_key, km); 1078 zfs_refcount_destroy(&km->km_refcnt); 1079 kmem_free(km, sizeof (dsl_key_mapping_t)); 1080 } 1081 1082 return (0); 1083 } 1084 1085 int 1086 spa_keystore_remove_mapping(spa_t *spa, uint64_t dsobj, const void *tag) 1087 { 1088 int ret; 1089 dsl_key_mapping_t search_km; 1090 dsl_key_mapping_t *found_km; 1091 1092 /* init the search key mapping */ 1093 search_km.km_dsobj = dsobj; 1094 1095 rw_enter(&spa->spa_keystore.sk_km_lock, RW_READER); 1096 1097 /* find the matching mapping */ 1098 found_km = avl_find(&spa->spa_keystore.sk_key_mappings, 1099 &search_km, NULL); 1100 if (found_km == NULL) { 1101 ret = SET_ERROR(ENOENT); 1102 goto error_unlock; 1103 } 1104 1105 rw_exit(&spa->spa_keystore.sk_km_lock); 1106 1107 key_mapping_rele(spa, found_km, tag); 1108 1109 return (0); 1110 1111 error_unlock: 1112 rw_exit(&spa->spa_keystore.sk_km_lock); 1113 return (ret); 1114 } 1115 1116 /* 1117 * This function is primarily used by the zio and arc layer to lookup 1118 * DSL Crypto Keys for encryption. Callers must release the key with 1119 * spa_keystore_dsl_key_rele(). The function may also be called with 1120 * dck_out == NULL and tag == NULL to simply check that a key exists 1121 * without getting a reference to it. 1122 */ 1123 int 1124 spa_keystore_lookup_key(spa_t *spa, uint64_t dsobj, const void *tag, 1125 dsl_crypto_key_t **dck_out) 1126 { 1127 int ret; 1128 dsl_key_mapping_t search_km; 1129 dsl_key_mapping_t *found_km; 1130 1131 ASSERT((tag != NULL && dck_out != NULL) || 1132 (tag == NULL && dck_out == NULL)); 1133 1134 /* init the search key mapping */ 1135 search_km.km_dsobj = dsobj; 1136 1137 rw_enter(&spa->spa_keystore.sk_km_lock, RW_READER); 1138 1139 /* remove the mapping from the tree */ 1140 found_km = avl_find(&spa->spa_keystore.sk_key_mappings, &search_km, 1141 NULL); 1142 if (found_km == NULL) { 1143 ret = SET_ERROR(ENOENT); 1144 goto error_unlock; 1145 } 1146 1147 if (found_km && tag) 1148 zfs_refcount_add(&found_km->km_key->dck_holds, tag); 1149 1150 rw_exit(&spa->spa_keystore.sk_km_lock); 1151 1152 if (dck_out != NULL) 1153 *dck_out = found_km->km_key; 1154 return (0); 1155 1156 error_unlock: 1157 rw_exit(&spa->spa_keystore.sk_km_lock); 1158 1159 if (dck_out != NULL) 1160 *dck_out = NULL; 1161 return (ret); 1162 } 1163 1164 static int 1165 dmu_objset_check_wkey_loaded(dsl_dir_t *dd) 1166 { 1167 int ret; 1168 dsl_wrapping_key_t *wkey = NULL; 1169 1170 ret = spa_keystore_wkey_hold_dd(dd->dd_pool->dp_spa, dd, FTAG, 1171 &wkey); 1172 if (ret != 0) 1173 return (SET_ERROR(EACCES)); 1174 1175 dsl_wrapping_key_rele(wkey, FTAG); 1176 1177 return (0); 1178 } 1179 1180 zfs_keystatus_t 1181 dsl_dataset_get_keystatus(dsl_dir_t *dd) 1182 { 1183 /* check if this dd has a has a dsl key */ 1184 if (dd->dd_crypto_obj == 0) 1185 return (ZFS_KEYSTATUS_NONE); 1186 1187 return (dmu_objset_check_wkey_loaded(dd) == 0 ? 1188 ZFS_KEYSTATUS_AVAILABLE : ZFS_KEYSTATUS_UNAVAILABLE); 1189 } 1190 1191 static int 1192 dsl_dir_get_crypt(dsl_dir_t *dd, uint64_t *crypt) 1193 { 1194 if (dd->dd_crypto_obj == 0) { 1195 *crypt = ZIO_CRYPT_OFF; 1196 return (0); 1197 } 1198 1199 return (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 1200 DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, crypt)); 1201 } 1202 1203 static void 1204 dsl_crypto_key_sync_impl(objset_t *mos, uint64_t dckobj, uint64_t crypt, 1205 uint64_t root_ddobj, uint64_t guid, uint8_t *iv, uint8_t *mac, 1206 uint8_t *keydata, uint8_t *hmac_keydata, uint64_t keyformat, 1207 uint64_t salt, uint64_t iters, dmu_tx_t *tx) 1208 { 1209 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, 1210 &crypt, tx)); 1211 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_ROOT_DDOBJ, 8, 1, 1212 &root_ddobj, tx)); 1213 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_GUID, 8, 1, 1214 &guid, tx)); 1215 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_IV, 1, WRAPPING_IV_LEN, 1216 iv, tx)); 1217 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_MAC, 1, WRAPPING_MAC_LEN, 1218 mac, tx)); 1219 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_MASTER_KEY, 1, 1220 MASTER_KEY_MAX_LEN, keydata, tx)); 1221 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_HMAC_KEY, 1, 1222 SHA512_HMAC_KEYLEN, hmac_keydata, tx)); 1223 VERIFY0(zap_update(mos, dckobj, zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 1224 8, 1, &keyformat, tx)); 1225 VERIFY0(zap_update(mos, dckobj, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 1226 8, 1, &salt, tx)); 1227 VERIFY0(zap_update(mos, dckobj, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 1228 8, 1, &iters, tx)); 1229 } 1230 1231 static void 1232 dsl_crypto_key_sync(dsl_crypto_key_t *dck, dmu_tx_t *tx) 1233 { 1234 zio_crypt_key_t *key = &dck->dck_key; 1235 dsl_wrapping_key_t *wkey = dck->dck_wkey; 1236 uint8_t keydata[MASTER_KEY_MAX_LEN]; 1237 uint8_t hmac_keydata[SHA512_HMAC_KEYLEN]; 1238 uint8_t iv[WRAPPING_IV_LEN]; 1239 uint8_t mac[WRAPPING_MAC_LEN]; 1240 1241 ASSERT(dmu_tx_is_syncing(tx)); 1242 ASSERT3U(key->zk_crypt, <, ZIO_CRYPT_FUNCTIONS); 1243 1244 /* encrypt and store the keys along with the IV and MAC */ 1245 VERIFY0(zio_crypt_key_wrap(&dck->dck_wkey->wk_key, key, iv, mac, 1246 keydata, hmac_keydata)); 1247 1248 /* update the ZAP with the obtained values */ 1249 dsl_crypto_key_sync_impl(tx->tx_pool->dp_meta_objset, dck->dck_obj, 1250 key->zk_crypt, wkey->wk_ddobj, key->zk_guid, iv, mac, keydata, 1251 hmac_keydata, wkey->wk_keyformat, wkey->wk_salt, wkey->wk_iters, 1252 tx); 1253 } 1254 1255 typedef struct spa_keystore_change_key_args { 1256 const char *skcka_dsname; 1257 dsl_crypto_params_t *skcka_cp; 1258 } spa_keystore_change_key_args_t; 1259 1260 static int 1261 spa_keystore_change_key_check(void *arg, dmu_tx_t *tx) 1262 { 1263 int ret; 1264 dsl_dir_t *dd = NULL; 1265 dsl_pool_t *dp = dmu_tx_pool(tx); 1266 spa_keystore_change_key_args_t *skcka = arg; 1267 dsl_crypto_params_t *dcp = skcka->skcka_cp; 1268 uint64_t rddobj; 1269 1270 /* check for the encryption feature */ 1271 if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_ENCRYPTION)) { 1272 ret = SET_ERROR(ENOTSUP); 1273 goto error; 1274 } 1275 1276 /* check for valid key change command */ 1277 if (dcp->cp_cmd != DCP_CMD_NEW_KEY && 1278 dcp->cp_cmd != DCP_CMD_INHERIT && 1279 dcp->cp_cmd != DCP_CMD_FORCE_NEW_KEY && 1280 dcp->cp_cmd != DCP_CMD_FORCE_INHERIT) { 1281 ret = SET_ERROR(EINVAL); 1282 goto error; 1283 } 1284 1285 /* hold the dd */ 1286 ret = dsl_dir_hold(dp, skcka->skcka_dsname, FTAG, &dd, NULL); 1287 if (ret != 0) { 1288 dd = NULL; 1289 goto error; 1290 } 1291 1292 /* verify that the dataset is encrypted */ 1293 if (dd->dd_crypto_obj == 0) { 1294 ret = SET_ERROR(EINVAL); 1295 goto error; 1296 } 1297 1298 /* clones must always use their origin's key */ 1299 if (dsl_dir_is_clone(dd)) { 1300 ret = SET_ERROR(EINVAL); 1301 goto error; 1302 } 1303 1304 /* lookup the ddobj we are inheriting the keylocation from */ 1305 ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj); 1306 if (ret != 0) 1307 goto error; 1308 1309 /* Handle inheritance */ 1310 if (dcp->cp_cmd == DCP_CMD_INHERIT || 1311 dcp->cp_cmd == DCP_CMD_FORCE_INHERIT) { 1312 /* no other encryption params should be given */ 1313 if (dcp->cp_crypt != ZIO_CRYPT_INHERIT || 1314 dcp->cp_keylocation != NULL || 1315 dcp->cp_wkey != NULL) { 1316 ret = SET_ERROR(EINVAL); 1317 goto error; 1318 } 1319 1320 /* check that this is an encryption root */ 1321 if (dd->dd_object != rddobj) { 1322 ret = SET_ERROR(EINVAL); 1323 goto error; 1324 } 1325 1326 /* check that the parent is encrypted */ 1327 if (dd->dd_parent->dd_crypto_obj == 0) { 1328 ret = SET_ERROR(EINVAL); 1329 goto error; 1330 } 1331 1332 /* if we are rewrapping check that both keys are loaded */ 1333 if (dcp->cp_cmd == DCP_CMD_INHERIT) { 1334 ret = dmu_objset_check_wkey_loaded(dd); 1335 if (ret != 0) 1336 goto error; 1337 1338 ret = dmu_objset_check_wkey_loaded(dd->dd_parent); 1339 if (ret != 0) 1340 goto error; 1341 } 1342 1343 dsl_dir_rele(dd, FTAG); 1344 return (0); 1345 } 1346 1347 /* handle forcing an encryption root without rewrapping */ 1348 if (dcp->cp_cmd == DCP_CMD_FORCE_NEW_KEY) { 1349 /* no other encryption params should be given */ 1350 if (dcp->cp_crypt != ZIO_CRYPT_INHERIT || 1351 dcp->cp_keylocation != NULL || 1352 dcp->cp_wkey != NULL) { 1353 ret = SET_ERROR(EINVAL); 1354 goto error; 1355 } 1356 1357 /* check that this is not an encryption root */ 1358 if (dd->dd_object == rddobj) { 1359 ret = SET_ERROR(EINVAL); 1360 goto error; 1361 } 1362 1363 dsl_dir_rele(dd, FTAG); 1364 return (0); 1365 } 1366 1367 /* crypt cannot be changed after creation */ 1368 if (dcp->cp_crypt != ZIO_CRYPT_INHERIT) { 1369 ret = SET_ERROR(EINVAL); 1370 goto error; 1371 } 1372 1373 /* we are not inheritting our parent's wkey so we need one ourselves */ 1374 if (dcp->cp_wkey == NULL) { 1375 ret = SET_ERROR(EINVAL); 1376 goto error; 1377 } 1378 1379 /* check for a valid keyformat for the new wrapping key */ 1380 if (dcp->cp_wkey->wk_keyformat >= ZFS_KEYFORMAT_FORMATS || 1381 dcp->cp_wkey->wk_keyformat == ZFS_KEYFORMAT_NONE) { 1382 ret = SET_ERROR(EINVAL); 1383 goto error; 1384 } 1385 1386 /* 1387 * If this dataset is not currently an encryption root we need a new 1388 * keylocation for this dataset's new wrapping key. Otherwise we can 1389 * just keep the one we already had. 1390 */ 1391 if (dd->dd_object != rddobj && dcp->cp_keylocation == NULL) { 1392 ret = SET_ERROR(EINVAL); 1393 goto error; 1394 } 1395 1396 /* check that the keylocation is valid if it is not NULL */ 1397 if (dcp->cp_keylocation != NULL && 1398 !zfs_prop_valid_keylocation(dcp->cp_keylocation, B_TRUE)) { 1399 ret = SET_ERROR(EINVAL); 1400 goto error; 1401 } 1402 1403 /* passphrases require pbkdf2 salt and iters */ 1404 if (dcp->cp_wkey->wk_keyformat == ZFS_KEYFORMAT_PASSPHRASE) { 1405 if (dcp->cp_wkey->wk_salt == 0 || 1406 dcp->cp_wkey->wk_iters < MIN_PBKDF2_ITERATIONS) { 1407 ret = SET_ERROR(EINVAL); 1408 goto error; 1409 } 1410 } else { 1411 if (dcp->cp_wkey->wk_salt != 0 || dcp->cp_wkey->wk_iters != 0) { 1412 ret = SET_ERROR(EINVAL); 1413 goto error; 1414 } 1415 } 1416 1417 /* make sure the dd's wkey is loaded */ 1418 ret = dmu_objset_check_wkey_loaded(dd); 1419 if (ret != 0) 1420 goto error; 1421 1422 dsl_dir_rele(dd, FTAG); 1423 1424 return (0); 1425 1426 error: 1427 if (dd != NULL) 1428 dsl_dir_rele(dd, FTAG); 1429 1430 return (ret); 1431 } 1432 1433 /* 1434 * This function deals with the intricacies of updating wrapping 1435 * key references and encryption roots recursively in the event 1436 * of a call to 'zfs change-key' or 'zfs promote'. The 'skip' 1437 * parameter should always be set to B_FALSE when called 1438 * externally. 1439 */ 1440 static void 1441 spa_keystore_change_key_sync_impl(uint64_t rddobj, uint64_t ddobj, 1442 uint64_t new_rddobj, dsl_wrapping_key_t *wkey, boolean_t skip, 1443 dmu_tx_t *tx) 1444 { 1445 int ret; 1446 zap_cursor_t *zc; 1447 zap_attribute_t *za; 1448 dsl_pool_t *dp = dmu_tx_pool(tx); 1449 dsl_dir_t *dd = NULL; 1450 dsl_crypto_key_t *dck = NULL; 1451 uint64_t curr_rddobj; 1452 1453 ASSERT(RW_WRITE_HELD(&dp->dp_spa->spa_keystore.sk_wkeys_lock)); 1454 1455 /* hold the dd */ 1456 VERIFY0(dsl_dir_hold_obj(dp, ddobj, NULL, FTAG, &dd)); 1457 1458 /* ignore special dsl dirs */ 1459 if (dd->dd_myname[0] == '$' || dd->dd_myname[0] == '%') { 1460 dsl_dir_rele(dd, FTAG); 1461 return; 1462 } 1463 1464 ret = dsl_dir_get_encryption_root_ddobj(dd, &curr_rddobj); 1465 VERIFY(ret == 0 || ret == ENOENT); 1466 1467 /* 1468 * Stop recursing if this dsl dir didn't inherit from the root 1469 * or if this dd is a clone. 1470 */ 1471 if (ret == ENOENT || 1472 (!skip && (curr_rddobj != rddobj || dsl_dir_is_clone(dd)))) { 1473 dsl_dir_rele(dd, FTAG); 1474 return; 1475 } 1476 1477 /* 1478 * If we don't have a wrapping key just update the dck to reflect the 1479 * new encryption root. Otherwise rewrap the entire dck and re-sync it 1480 * to disk. If skip is set, we don't do any of this work. 1481 */ 1482 if (!skip) { 1483 if (wkey == NULL) { 1484 VERIFY0(zap_update(dp->dp_meta_objset, 1485 dd->dd_crypto_obj, 1486 DSL_CRYPTO_KEY_ROOT_DDOBJ, 8, 1, 1487 &new_rddobj, tx)); 1488 } else { 1489 VERIFY0(spa_keystore_dsl_key_hold_dd(dp->dp_spa, dd, 1490 FTAG, &dck)); 1491 dsl_wrapping_key_hold(wkey, dck); 1492 dsl_wrapping_key_rele(dck->dck_wkey, dck); 1493 dck->dck_wkey = wkey; 1494 dsl_crypto_key_sync(dck, tx); 1495 spa_keystore_dsl_key_rele(dp->dp_spa, dck, FTAG); 1496 } 1497 } 1498 1499 zc = kmem_alloc(sizeof (zap_cursor_t), KM_SLEEP); 1500 za = kmem_alloc(sizeof (zap_attribute_t), KM_SLEEP); 1501 1502 /* Recurse into all child dsl dirs. */ 1503 for (zap_cursor_init(zc, dp->dp_meta_objset, 1504 dsl_dir_phys(dd)->dd_child_dir_zapobj); 1505 zap_cursor_retrieve(zc, za) == 0; 1506 zap_cursor_advance(zc)) { 1507 spa_keystore_change_key_sync_impl(rddobj, 1508 za->za_first_integer, new_rddobj, wkey, B_FALSE, tx); 1509 } 1510 zap_cursor_fini(zc); 1511 1512 /* 1513 * Recurse into all dsl dirs of clones. We utilize the skip parameter 1514 * here so that we don't attempt to process the clones directly. This 1515 * is because the clone and its origin share the same dck, which has 1516 * already been updated. 1517 */ 1518 for (zap_cursor_init(zc, dp->dp_meta_objset, 1519 dsl_dir_phys(dd)->dd_clones); 1520 zap_cursor_retrieve(zc, za) == 0; 1521 zap_cursor_advance(zc)) { 1522 dsl_dataset_t *clone; 1523 1524 VERIFY0(dsl_dataset_hold_obj(dp, za->za_first_integer, 1525 FTAG, &clone)); 1526 spa_keystore_change_key_sync_impl(rddobj, 1527 clone->ds_dir->dd_object, new_rddobj, wkey, B_TRUE, tx); 1528 dsl_dataset_rele(clone, FTAG); 1529 } 1530 zap_cursor_fini(zc); 1531 1532 kmem_free(za, sizeof (zap_attribute_t)); 1533 kmem_free(zc, sizeof (zap_cursor_t)); 1534 1535 dsl_dir_rele(dd, FTAG); 1536 } 1537 1538 static void 1539 spa_keystore_change_key_sync(void *arg, dmu_tx_t *tx) 1540 { 1541 dsl_dataset_t *ds; 1542 avl_index_t where; 1543 dsl_pool_t *dp = dmu_tx_pool(tx); 1544 spa_t *spa = dp->dp_spa; 1545 spa_keystore_change_key_args_t *skcka = arg; 1546 dsl_crypto_params_t *dcp = skcka->skcka_cp; 1547 dsl_wrapping_key_t *wkey = NULL, *found_wkey; 1548 dsl_wrapping_key_t wkey_search; 1549 const char *keylocation = dcp->cp_keylocation; 1550 uint64_t rddobj, new_rddobj; 1551 1552 /* create and initialize the wrapping key */ 1553 VERIFY0(dsl_dataset_hold(dp, skcka->skcka_dsname, FTAG, &ds)); 1554 ASSERT(!ds->ds_is_snapshot); 1555 1556 if (dcp->cp_cmd == DCP_CMD_NEW_KEY || 1557 dcp->cp_cmd == DCP_CMD_FORCE_NEW_KEY) { 1558 /* 1559 * We are changing to a new wkey. Set additional properties 1560 * which can be sent along with this ioctl. Note that this 1561 * command can set keylocation even if it can't normally be 1562 * set via 'zfs set' due to a non-local keylocation. 1563 */ 1564 if (dcp->cp_cmd == DCP_CMD_NEW_KEY) { 1565 wkey = dcp->cp_wkey; 1566 wkey->wk_ddobj = ds->ds_dir->dd_object; 1567 } else { 1568 keylocation = "prompt"; 1569 } 1570 1571 if (keylocation != NULL) { 1572 dsl_prop_set_sync_impl(ds, 1573 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1574 ZPROP_SRC_LOCAL, 1, strlen(keylocation) + 1, 1575 keylocation, tx); 1576 } 1577 1578 VERIFY0(dsl_dir_get_encryption_root_ddobj(ds->ds_dir, &rddobj)); 1579 new_rddobj = ds->ds_dir->dd_object; 1580 } else { 1581 /* 1582 * We are inheritting the parent's wkey. Unset any local 1583 * keylocation and grab a reference to the wkey. 1584 */ 1585 if (dcp->cp_cmd == DCP_CMD_INHERIT) { 1586 VERIFY0(spa_keystore_wkey_hold_dd(spa, 1587 ds->ds_dir->dd_parent, FTAG, &wkey)); 1588 } 1589 1590 dsl_prop_set_sync_impl(ds, 1591 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), ZPROP_SRC_NONE, 1592 0, 0, NULL, tx); 1593 1594 rddobj = ds->ds_dir->dd_object; 1595 VERIFY0(dsl_dir_get_encryption_root_ddobj(ds->ds_dir->dd_parent, 1596 &new_rddobj)); 1597 } 1598 1599 if (wkey == NULL) { 1600 ASSERT(dcp->cp_cmd == DCP_CMD_FORCE_INHERIT || 1601 dcp->cp_cmd == DCP_CMD_FORCE_NEW_KEY); 1602 } 1603 1604 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 1605 1606 /* recurse through all children and rewrap their keys */ 1607 spa_keystore_change_key_sync_impl(rddobj, ds->ds_dir->dd_object, 1608 new_rddobj, wkey, B_FALSE, tx); 1609 1610 /* 1611 * All references to the old wkey should be released now (if it 1612 * existed). Replace the wrapping key. 1613 */ 1614 wkey_search.wk_ddobj = ds->ds_dir->dd_object; 1615 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, &wkey_search, NULL); 1616 if (found_wkey != NULL) { 1617 ASSERT0(zfs_refcount_count(&found_wkey->wk_refcnt)); 1618 avl_remove(&spa->spa_keystore.sk_wkeys, found_wkey); 1619 dsl_wrapping_key_free(found_wkey); 1620 } 1621 1622 if (dcp->cp_cmd == DCP_CMD_NEW_KEY) { 1623 avl_find(&spa->spa_keystore.sk_wkeys, wkey, &where); 1624 avl_insert(&spa->spa_keystore.sk_wkeys, wkey, where); 1625 } else if (wkey != NULL) { 1626 dsl_wrapping_key_rele(wkey, FTAG); 1627 } 1628 1629 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 1630 1631 dsl_dataset_rele(ds, FTAG); 1632 } 1633 1634 int 1635 spa_keystore_change_key(const char *dsname, dsl_crypto_params_t *dcp) 1636 { 1637 spa_keystore_change_key_args_t skcka; 1638 1639 /* initialize the args struct */ 1640 skcka.skcka_dsname = dsname; 1641 skcka.skcka_cp = dcp; 1642 1643 /* 1644 * Perform the actual work in syncing context. The blocks modified 1645 * here could be calculated but it would require holding the pool 1646 * lock and traversing all of the datasets that will have their keys 1647 * changed. 1648 */ 1649 return (dsl_sync_task(dsname, spa_keystore_change_key_check, 1650 spa_keystore_change_key_sync, &skcka, 15, 1651 ZFS_SPACE_CHECK_RESERVED)); 1652 } 1653 1654 int 1655 dsl_dir_rename_crypt_check(dsl_dir_t *dd, dsl_dir_t *newparent) 1656 { 1657 int ret; 1658 uint64_t curr_rddobj, parent_rddobj; 1659 1660 if (dd->dd_crypto_obj == 0) 1661 return (0); 1662 1663 ret = dsl_dir_get_encryption_root_ddobj(dd, &curr_rddobj); 1664 if (ret != 0) 1665 goto error; 1666 1667 /* 1668 * if this is not an encryption root, we must make sure we are not 1669 * moving dd to a new encryption root 1670 */ 1671 if (dd->dd_object != curr_rddobj) { 1672 ret = dsl_dir_get_encryption_root_ddobj(newparent, 1673 &parent_rddobj); 1674 if (ret != 0) 1675 goto error; 1676 1677 if (parent_rddobj != curr_rddobj) { 1678 ret = SET_ERROR(EACCES); 1679 goto error; 1680 } 1681 } 1682 1683 return (0); 1684 1685 error: 1686 return (ret); 1687 } 1688 1689 /* 1690 * Check to make sure that a promote from targetdd to origindd will not require 1691 * any key rewraps. 1692 */ 1693 int 1694 dsl_dataset_promote_crypt_check(dsl_dir_t *target, dsl_dir_t *origin) 1695 { 1696 int ret; 1697 uint64_t rddobj, op_rddobj, tp_rddobj; 1698 1699 /* If the dataset is not encrypted we don't need to check anything */ 1700 if (origin->dd_crypto_obj == 0) 1701 return (0); 1702 1703 /* 1704 * If we are not changing the first origin snapshot in a chain 1705 * the encryption root won't change either. 1706 */ 1707 if (dsl_dir_is_clone(origin)) 1708 return (0); 1709 1710 /* 1711 * If the origin is the encryption root we will update 1712 * the DSL Crypto Key to point to the target instead. 1713 */ 1714 ret = dsl_dir_get_encryption_root_ddobj(origin, &rddobj); 1715 if (ret != 0) 1716 return (ret); 1717 1718 if (rddobj == origin->dd_object) 1719 return (0); 1720 1721 /* 1722 * The origin is inheriting its encryption root from its parent. 1723 * Check that the parent of the target has the same encryption root. 1724 */ 1725 ret = dsl_dir_get_encryption_root_ddobj(origin->dd_parent, &op_rddobj); 1726 if (ret == ENOENT) 1727 return (SET_ERROR(EACCES)); 1728 else if (ret != 0) 1729 return (ret); 1730 1731 ret = dsl_dir_get_encryption_root_ddobj(target->dd_parent, &tp_rddobj); 1732 if (ret == ENOENT) 1733 return (SET_ERROR(EACCES)); 1734 else if (ret != 0) 1735 return (ret); 1736 1737 if (op_rddobj != tp_rddobj) 1738 return (SET_ERROR(EACCES)); 1739 1740 return (0); 1741 } 1742 1743 void 1744 dsl_dataset_promote_crypt_sync(dsl_dir_t *target, dsl_dir_t *origin, 1745 dmu_tx_t *tx) 1746 { 1747 uint64_t rddobj; 1748 dsl_pool_t *dp = target->dd_pool; 1749 dsl_dataset_t *targetds; 1750 dsl_dataset_t *originds; 1751 char *keylocation; 1752 1753 if (origin->dd_crypto_obj == 0) 1754 return; 1755 if (dsl_dir_is_clone(origin)) 1756 return; 1757 1758 VERIFY0(dsl_dir_get_encryption_root_ddobj(origin, &rddobj)); 1759 1760 if (rddobj != origin->dd_object) 1761 return; 1762 1763 /* 1764 * If the target is being promoted to the encryption root update the 1765 * DSL Crypto Key and keylocation to reflect that. We also need to 1766 * update the DSL Crypto Keys of all children inheritting their 1767 * encryption root to point to the new target. Otherwise, the check 1768 * function ensured that the encryption root will not change. 1769 */ 1770 keylocation = kmem_alloc(ZAP_MAXVALUELEN, KM_SLEEP); 1771 1772 VERIFY0(dsl_dataset_hold_obj(dp, 1773 dsl_dir_phys(target)->dd_head_dataset_obj, FTAG, &targetds)); 1774 VERIFY0(dsl_dataset_hold_obj(dp, 1775 dsl_dir_phys(origin)->dd_head_dataset_obj, FTAG, &originds)); 1776 1777 VERIFY0(dsl_prop_get_dd(origin, zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1778 1, ZAP_MAXVALUELEN, keylocation, NULL, B_FALSE)); 1779 dsl_prop_set_sync_impl(targetds, zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1780 ZPROP_SRC_LOCAL, 1, strlen(keylocation) + 1, keylocation, tx); 1781 dsl_prop_set_sync_impl(originds, zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1782 ZPROP_SRC_NONE, 0, 0, NULL, tx); 1783 1784 rw_enter(&dp->dp_spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 1785 spa_keystore_change_key_sync_impl(rddobj, origin->dd_object, 1786 target->dd_object, NULL, B_FALSE, tx); 1787 rw_exit(&dp->dp_spa->spa_keystore.sk_wkeys_lock); 1788 1789 dsl_dataset_rele(targetds, FTAG); 1790 dsl_dataset_rele(originds, FTAG); 1791 kmem_free(keylocation, ZAP_MAXVALUELEN); 1792 } 1793 1794 int 1795 dmu_objset_create_crypt_check(dsl_dir_t *parentdd, dsl_crypto_params_t *dcp, 1796 boolean_t *will_encrypt) 1797 { 1798 int ret; 1799 uint64_t pcrypt, crypt; 1800 dsl_crypto_params_t dummy_dcp = { 0 }; 1801 1802 if (will_encrypt != NULL) 1803 *will_encrypt = B_FALSE; 1804 1805 if (dcp == NULL) 1806 dcp = &dummy_dcp; 1807 1808 if (dcp->cp_cmd != DCP_CMD_NONE) 1809 return (SET_ERROR(EINVAL)); 1810 1811 if (parentdd != NULL) { 1812 ret = dsl_dir_get_crypt(parentdd, &pcrypt); 1813 if (ret != 0) 1814 return (ret); 1815 } else { 1816 pcrypt = ZIO_CRYPT_OFF; 1817 } 1818 1819 crypt = (dcp->cp_crypt == ZIO_CRYPT_INHERIT) ? pcrypt : dcp->cp_crypt; 1820 1821 ASSERT3U(pcrypt, !=, ZIO_CRYPT_INHERIT); 1822 ASSERT3U(crypt, !=, ZIO_CRYPT_INHERIT); 1823 1824 /* check for valid dcp with no encryption (inherited or local) */ 1825 if (crypt == ZIO_CRYPT_OFF) { 1826 /* Must not specify encryption params */ 1827 if (dcp->cp_wkey != NULL || 1828 (dcp->cp_keylocation != NULL && 1829 strcmp(dcp->cp_keylocation, "none") != 0)) 1830 return (SET_ERROR(EINVAL)); 1831 1832 return (0); 1833 } 1834 1835 if (will_encrypt != NULL) 1836 *will_encrypt = B_TRUE; 1837 1838 /* 1839 * We will now definitely be encrypting. Check the feature flag. When 1840 * creating the pool the caller will check this for us since we won't 1841 * technically have the feature activated yet. 1842 */ 1843 if (parentdd != NULL && 1844 !spa_feature_is_enabled(parentdd->dd_pool->dp_spa, 1845 SPA_FEATURE_ENCRYPTION)) { 1846 return (SET_ERROR(EOPNOTSUPP)); 1847 } 1848 1849 /* Check for errata #4 (encryption enabled, bookmark_v2 disabled) */ 1850 if (parentdd != NULL && 1851 !spa_feature_is_enabled(parentdd->dd_pool->dp_spa, 1852 SPA_FEATURE_BOOKMARK_V2)) { 1853 return (SET_ERROR(EOPNOTSUPP)); 1854 } 1855 1856 /* handle inheritance */ 1857 if (dcp->cp_wkey == NULL) { 1858 ASSERT3P(parentdd, !=, NULL); 1859 1860 /* key must be fully unspecified */ 1861 if (dcp->cp_keylocation != NULL) 1862 return (SET_ERROR(EINVAL)); 1863 1864 /* parent must have a key to inherit */ 1865 if (pcrypt == ZIO_CRYPT_OFF) 1866 return (SET_ERROR(EINVAL)); 1867 1868 /* check for parent key */ 1869 ret = dmu_objset_check_wkey_loaded(parentdd); 1870 if (ret != 0) 1871 return (ret); 1872 1873 return (0); 1874 } 1875 1876 /* At this point we should have a fully specified key. Check location */ 1877 if (dcp->cp_keylocation == NULL || 1878 !zfs_prop_valid_keylocation(dcp->cp_keylocation, B_TRUE)) 1879 return (SET_ERROR(EINVAL)); 1880 1881 /* Must have fully specified keyformat */ 1882 switch (dcp->cp_wkey->wk_keyformat) { 1883 case ZFS_KEYFORMAT_HEX: 1884 case ZFS_KEYFORMAT_RAW: 1885 /* requires no pbkdf2 iters and salt */ 1886 if (dcp->cp_wkey->wk_salt != 0 || dcp->cp_wkey->wk_iters != 0) 1887 return (SET_ERROR(EINVAL)); 1888 break; 1889 case ZFS_KEYFORMAT_PASSPHRASE: 1890 /* requires pbkdf2 iters and salt */ 1891 if (dcp->cp_wkey->wk_salt == 0 || 1892 dcp->cp_wkey->wk_iters < MIN_PBKDF2_ITERATIONS) 1893 return (SET_ERROR(EINVAL)); 1894 break; 1895 case ZFS_KEYFORMAT_NONE: 1896 default: 1897 /* keyformat must be specified and valid */ 1898 return (SET_ERROR(EINVAL)); 1899 } 1900 1901 return (0); 1902 } 1903 1904 void 1905 dsl_dataset_create_crypt_sync(uint64_t dsobj, dsl_dir_t *dd, 1906 dsl_dataset_t *origin, dsl_crypto_params_t *dcp, dmu_tx_t *tx) 1907 { 1908 dsl_pool_t *dp = dd->dd_pool; 1909 uint64_t crypt; 1910 dsl_wrapping_key_t *wkey; 1911 1912 /* clones always use their origin's wrapping key */ 1913 if (dsl_dir_is_clone(dd)) { 1914 ASSERT3P(dcp, ==, NULL); 1915 1916 /* 1917 * If this is an encrypted clone we just need to clone the 1918 * dck into dd. Zapify the dd so we can do that. 1919 */ 1920 if (origin->ds_dir->dd_crypto_obj != 0) { 1921 dmu_buf_will_dirty(dd->dd_dbuf, tx); 1922 dsl_dir_zapify(dd, tx); 1923 1924 dd->dd_crypto_obj = 1925 dsl_crypto_key_clone_sync(origin->ds_dir, tx); 1926 VERIFY0(zap_add(dp->dp_meta_objset, dd->dd_object, 1927 DD_FIELD_CRYPTO_KEY_OBJ, sizeof (uint64_t), 1, 1928 &dd->dd_crypto_obj, tx)); 1929 } 1930 1931 return; 1932 } 1933 1934 /* 1935 * A NULL dcp at this point indicates this is the origin dataset 1936 * which does not have an objset to encrypt. Raw receives will handle 1937 * encryption separately later. In both cases we can simply return. 1938 */ 1939 if (dcp == NULL || dcp->cp_cmd == DCP_CMD_RAW_RECV) 1940 return; 1941 1942 crypt = dcp->cp_crypt; 1943 wkey = dcp->cp_wkey; 1944 1945 /* figure out the effective crypt */ 1946 if (crypt == ZIO_CRYPT_INHERIT && dd->dd_parent != NULL) 1947 VERIFY0(dsl_dir_get_crypt(dd->dd_parent, &crypt)); 1948 1949 /* if we aren't doing encryption just return */ 1950 if (crypt == ZIO_CRYPT_OFF || crypt == ZIO_CRYPT_INHERIT) 1951 return; 1952 1953 /* zapify the dd so that we can add the crypto key obj to it */ 1954 dmu_buf_will_dirty(dd->dd_dbuf, tx); 1955 dsl_dir_zapify(dd, tx); 1956 1957 /* use the new key if given or inherit from the parent */ 1958 if (wkey == NULL) { 1959 VERIFY0(spa_keystore_wkey_hold_dd(dp->dp_spa, 1960 dd->dd_parent, FTAG, &wkey)); 1961 } else { 1962 wkey->wk_ddobj = dd->dd_object; 1963 } 1964 1965 ASSERT3P(wkey, !=, NULL); 1966 1967 /* Create or clone the DSL crypto key and activate the feature */ 1968 dd->dd_crypto_obj = dsl_crypto_key_create_sync(crypt, wkey, tx); 1969 VERIFY0(zap_add(dp->dp_meta_objset, dd->dd_object, 1970 DD_FIELD_CRYPTO_KEY_OBJ, sizeof (uint64_t), 1, &dd->dd_crypto_obj, 1971 tx)); 1972 dsl_dataset_activate_feature(dsobj, SPA_FEATURE_ENCRYPTION, 1973 (void *)B_TRUE, tx); 1974 1975 /* 1976 * If we inherited the wrapping key we release our reference now. 1977 * Otherwise, this is a new key and we need to load it into the 1978 * keystore. 1979 */ 1980 if (dcp->cp_wkey == NULL) { 1981 dsl_wrapping_key_rele(wkey, FTAG); 1982 } else { 1983 VERIFY0(spa_keystore_load_wkey_impl(dp->dp_spa, wkey)); 1984 } 1985 } 1986 1987 typedef struct dsl_crypto_recv_key_arg { 1988 uint64_t dcrka_dsobj; 1989 uint64_t dcrka_fromobj; 1990 dmu_objset_type_t dcrka_ostype; 1991 nvlist_t *dcrka_nvl; 1992 boolean_t dcrka_do_key; 1993 } dsl_crypto_recv_key_arg_t; 1994 1995 static int 1996 dsl_crypto_recv_raw_objset_check(dsl_dataset_t *ds, dsl_dataset_t *fromds, 1997 dmu_objset_type_t ostype, nvlist_t *nvl, dmu_tx_t *tx) 1998 { 1999 int ret; 2000 objset_t *os; 2001 dnode_t *mdn; 2002 uint8_t *buf = NULL; 2003 uint_t len; 2004 uint64_t intval, nlevels, blksz, ibs; 2005 uint64_t nblkptr, maxblkid; 2006 2007 if (ostype != DMU_OST_ZFS && ostype != DMU_OST_ZVOL) 2008 return (SET_ERROR(EINVAL)); 2009 2010 /* raw receives also need info about the structure of the metadnode */ 2011 ret = nvlist_lookup_uint64(nvl, "mdn_compress", &intval); 2012 if (ret != 0 || intval >= ZIO_COMPRESS_LEGACY_FUNCTIONS) 2013 return (SET_ERROR(EINVAL)); 2014 2015 ret = nvlist_lookup_uint64(nvl, "mdn_checksum", &intval); 2016 if (ret != 0 || intval >= ZIO_CHECKSUM_LEGACY_FUNCTIONS) 2017 return (SET_ERROR(EINVAL)); 2018 2019 ret = nvlist_lookup_uint64(nvl, "mdn_nlevels", &nlevels); 2020 if (ret != 0 || nlevels > DN_MAX_LEVELS) 2021 return (SET_ERROR(EINVAL)); 2022 2023 ret = nvlist_lookup_uint64(nvl, "mdn_blksz", &blksz); 2024 if (ret != 0 || blksz < SPA_MINBLOCKSIZE) 2025 return (SET_ERROR(EINVAL)); 2026 else if (blksz > spa_maxblocksize(tx->tx_pool->dp_spa)) 2027 return (SET_ERROR(ENOTSUP)); 2028 2029 ret = nvlist_lookup_uint64(nvl, "mdn_indblkshift", &ibs); 2030 if (ret != 0 || ibs < DN_MIN_INDBLKSHIFT || ibs > DN_MAX_INDBLKSHIFT) 2031 return (SET_ERROR(ENOTSUP)); 2032 2033 ret = nvlist_lookup_uint64(nvl, "mdn_nblkptr", &nblkptr); 2034 if (ret != 0 || nblkptr != DN_MAX_NBLKPTR) 2035 return (SET_ERROR(ENOTSUP)); 2036 2037 ret = nvlist_lookup_uint64(nvl, "mdn_maxblkid", &maxblkid); 2038 if (ret != 0) 2039 return (SET_ERROR(EINVAL)); 2040 2041 ret = nvlist_lookup_uint8_array(nvl, "portable_mac", &buf, &len); 2042 if (ret != 0 || len != ZIO_OBJSET_MAC_LEN) 2043 return (SET_ERROR(EINVAL)); 2044 2045 ret = dmu_objset_from_ds(ds, &os); 2046 if (ret != 0) 2047 return (ret); 2048 2049 mdn = DMU_META_DNODE(os); 2050 2051 /* 2052 * If we already created the objset, make sure its unchangeable 2053 * properties match the ones received in the nvlist. 2054 */ 2055 rrw_enter(&ds->ds_bp_rwlock, RW_READER, FTAG); 2056 if (!BP_IS_HOLE(dsl_dataset_get_blkptr(ds)) && 2057 (mdn->dn_nlevels != nlevels || mdn->dn_datablksz != blksz || 2058 mdn->dn_indblkshift != ibs || mdn->dn_nblkptr != nblkptr)) { 2059 rrw_exit(&ds->ds_bp_rwlock, FTAG); 2060 return (SET_ERROR(EINVAL)); 2061 } 2062 rrw_exit(&ds->ds_bp_rwlock, FTAG); 2063 2064 /* 2065 * Check that the ivset guid of the fromds matches the one from the 2066 * send stream. Older versions of the encryption code did not have 2067 * an ivset guid on the from dataset and did not send one in the 2068 * stream. For these streams we provide the 2069 * zfs_disable_ivset_guid_check tunable to allow these datasets to 2070 * be received with a generated ivset guid. 2071 */ 2072 if (fromds != NULL && !zfs_disable_ivset_guid_check) { 2073 uint64_t from_ivset_guid = 0; 2074 intval = 0; 2075 2076 (void) nvlist_lookup_uint64(nvl, "from_ivset_guid", &intval); 2077 (void) zap_lookup(tx->tx_pool->dp_meta_objset, 2078 fromds->ds_object, DS_FIELD_IVSET_GUID, 2079 sizeof (from_ivset_guid), 1, &from_ivset_guid); 2080 2081 if (intval == 0 || from_ivset_guid == 0) 2082 return (SET_ERROR(ZFS_ERR_FROM_IVSET_GUID_MISSING)); 2083 2084 if (intval != from_ivset_guid) 2085 return (SET_ERROR(ZFS_ERR_FROM_IVSET_GUID_MISMATCH)); 2086 } 2087 2088 return (0); 2089 } 2090 2091 static void 2092 dsl_crypto_recv_raw_objset_sync(dsl_dataset_t *ds, dmu_objset_type_t ostype, 2093 nvlist_t *nvl, dmu_tx_t *tx) 2094 { 2095 dsl_pool_t *dp = tx->tx_pool; 2096 objset_t *os; 2097 dnode_t *mdn; 2098 zio_t *zio; 2099 uint8_t *portable_mac; 2100 uint_t len; 2101 uint64_t compress, checksum, nlevels, blksz, ibs, maxblkid; 2102 boolean_t newds = B_FALSE; 2103 2104 VERIFY0(dmu_objset_from_ds(ds, &os)); 2105 mdn = DMU_META_DNODE(os); 2106 2107 /* 2108 * Fetch the values we need from the nvlist. "to_ivset_guid" must 2109 * be set on the snapshot, which doesn't exist yet. The receive 2110 * code will take care of this for us later. 2111 */ 2112 compress = fnvlist_lookup_uint64(nvl, "mdn_compress"); 2113 checksum = fnvlist_lookup_uint64(nvl, "mdn_checksum"); 2114 nlevels = fnvlist_lookup_uint64(nvl, "mdn_nlevels"); 2115 blksz = fnvlist_lookup_uint64(nvl, "mdn_blksz"); 2116 ibs = fnvlist_lookup_uint64(nvl, "mdn_indblkshift"); 2117 maxblkid = fnvlist_lookup_uint64(nvl, "mdn_maxblkid"); 2118 VERIFY0(nvlist_lookup_uint8_array(nvl, "portable_mac", &portable_mac, 2119 &len)); 2120 2121 /* if we haven't created an objset for the ds yet, do that now */ 2122 rrw_enter(&ds->ds_bp_rwlock, RW_READER, FTAG); 2123 if (BP_IS_HOLE(dsl_dataset_get_blkptr(ds))) { 2124 (void) dmu_objset_create_impl_dnstats(dp->dp_spa, ds, 2125 dsl_dataset_get_blkptr(ds), ostype, nlevels, blksz, 2126 ibs, tx); 2127 newds = B_TRUE; 2128 } 2129 rrw_exit(&ds->ds_bp_rwlock, FTAG); 2130 2131 /* 2132 * Set the portable MAC. The local MAC will always be zero since the 2133 * incoming data will all be portable and user accounting will be 2134 * deferred until the next mount. Afterwards, flag the os to be 2135 * written out raw next time. 2136 */ 2137 arc_release(os->os_phys_buf, &os->os_phys_buf); 2138 memcpy(os->os_phys->os_portable_mac, portable_mac, ZIO_OBJSET_MAC_LEN); 2139 memset(os->os_phys->os_local_mac, 0, ZIO_OBJSET_MAC_LEN); 2140 os->os_flags &= ~OBJSET_FLAG_USERACCOUNTING_COMPLETE; 2141 os->os_next_write_raw[tx->tx_txg & TXG_MASK] = B_TRUE; 2142 2143 /* set metadnode compression and checksum */ 2144 mdn->dn_compress = compress; 2145 mdn->dn_checksum = checksum; 2146 2147 rw_enter(&mdn->dn_struct_rwlock, RW_WRITER); 2148 dnode_new_blkid(mdn, maxblkid, tx, B_FALSE, B_TRUE); 2149 rw_exit(&mdn->dn_struct_rwlock); 2150 2151 /* 2152 * We can't normally dirty the dataset in syncing context unless 2153 * we are creating a new dataset. In this case, we perform a 2154 * pseudo txg sync here instead. 2155 */ 2156 if (newds) { 2157 dsl_dataset_dirty(ds, tx); 2158 } else { 2159 zio = zio_root(dp->dp_spa, NULL, NULL, ZIO_FLAG_MUSTSUCCEED); 2160 dsl_dataset_sync(ds, zio, tx); 2161 VERIFY0(zio_wait(zio)); 2162 dsl_dataset_sync_done(ds, tx); 2163 } 2164 } 2165 2166 int 2167 dsl_crypto_recv_raw_key_check(dsl_dataset_t *ds, nvlist_t *nvl, dmu_tx_t *tx) 2168 { 2169 int ret; 2170 objset_t *mos = tx->tx_pool->dp_meta_objset; 2171 uint8_t *buf = NULL; 2172 uint_t len; 2173 uint64_t intval, key_guid, version; 2174 boolean_t is_passphrase = B_FALSE; 2175 2176 ASSERT(dsl_dataset_phys(ds)->ds_flags & DS_FLAG_INCONSISTENT); 2177 2178 /* 2179 * Read and check all the encryption values from the nvlist. We need 2180 * all of the fields of a DSL Crypto Key, as well as a fully specified 2181 * wrapping key. 2182 */ 2183 ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE, &intval); 2184 if (ret != 0 || intval <= ZIO_CRYPT_OFF) 2185 return (SET_ERROR(EINVAL)); 2186 2187 /* 2188 * Flag a future crypto suite that we don't support differently, so 2189 * we can return a more useful error to the user. 2190 */ 2191 if (intval >= ZIO_CRYPT_FUNCTIONS) 2192 return (SET_ERROR(ZFS_ERR_CRYPTO_NOTSUP)); 2193 2194 ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_GUID, &intval); 2195 if (ret != 0) 2196 return (SET_ERROR(EINVAL)); 2197 2198 /* 2199 * If this is an incremental receive make sure the given key guid 2200 * matches the one we already have. 2201 */ 2202 if (ds->ds_dir->dd_crypto_obj != 0) { 2203 ret = zap_lookup(mos, ds->ds_dir->dd_crypto_obj, 2204 DSL_CRYPTO_KEY_GUID, 8, 1, &key_guid); 2205 if (ret != 0) 2206 return (ret); 2207 if (intval != key_guid) 2208 return (SET_ERROR(EACCES)); 2209 } 2210 2211 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY, 2212 &buf, &len); 2213 if (ret != 0 || len != MASTER_KEY_MAX_LEN) 2214 return (SET_ERROR(EINVAL)); 2215 2216 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY, 2217 &buf, &len); 2218 if (ret != 0 || len != SHA512_HMAC_KEYLEN) 2219 return (SET_ERROR(EINVAL)); 2220 2221 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_IV, &buf, &len); 2222 if (ret != 0 || len != WRAPPING_IV_LEN) 2223 return (SET_ERROR(EINVAL)); 2224 2225 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, &buf, &len); 2226 if (ret != 0 || len != WRAPPING_MAC_LEN) 2227 return (SET_ERROR(EINVAL)); 2228 2229 /* 2230 * We don't support receiving old on-disk formats. The version 0 2231 * implementation protected several fields in an objset that were 2232 * not always portable during a raw receive. As a result, we call 2233 * the old version an on-disk errata #3. 2234 */ 2235 ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_VERSION, &version); 2236 if (ret != 0 || version != ZIO_CRYPT_KEY_CURRENT_VERSION) 2237 return (SET_ERROR(ENOTSUP)); 2238 2239 ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 2240 &intval); 2241 if (ret != 0 || intval >= ZFS_KEYFORMAT_FORMATS || 2242 intval == ZFS_KEYFORMAT_NONE) 2243 return (SET_ERROR(EINVAL)); 2244 2245 is_passphrase = (intval == ZFS_KEYFORMAT_PASSPHRASE); 2246 2247 /* 2248 * for raw receives we allow any number of pbkdf2iters since there 2249 * won't be a chance for the user to change it. 2250 */ 2251 ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 2252 &intval); 2253 if (ret != 0 || (is_passphrase == (intval == 0))) 2254 return (SET_ERROR(EINVAL)); 2255 2256 ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 2257 &intval); 2258 if (ret != 0 || (is_passphrase == (intval == 0))) 2259 return (SET_ERROR(EINVAL)); 2260 2261 return (0); 2262 } 2263 2264 void 2265 dsl_crypto_recv_raw_key_sync(dsl_dataset_t *ds, nvlist_t *nvl, dmu_tx_t *tx) 2266 { 2267 dsl_pool_t *dp = tx->tx_pool; 2268 objset_t *mos = dp->dp_meta_objset; 2269 dsl_dir_t *dd = ds->ds_dir; 2270 uint_t len; 2271 uint64_t rddobj, one = 1; 2272 uint8_t *keydata, *hmac_keydata, *iv, *mac; 2273 uint64_t crypt, key_guid, keyformat, iters, salt; 2274 uint64_t version = ZIO_CRYPT_KEY_CURRENT_VERSION; 2275 const char *keylocation = "prompt"; 2276 2277 /* lookup the values we need to create the DSL Crypto Key */ 2278 crypt = fnvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE); 2279 key_guid = fnvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_GUID); 2280 keyformat = fnvlist_lookup_uint64(nvl, 2281 zfs_prop_to_name(ZFS_PROP_KEYFORMAT)); 2282 iters = fnvlist_lookup_uint64(nvl, 2283 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS)); 2284 salt = fnvlist_lookup_uint64(nvl, 2285 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT)); 2286 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY, 2287 &keydata, &len)); 2288 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY, 2289 &hmac_keydata, &len)); 2290 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_IV, &iv, &len)); 2291 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, &mac, &len)); 2292 2293 /* if this is a new dataset setup the DSL Crypto Key. */ 2294 if (dd->dd_crypto_obj == 0) { 2295 /* zapify the dsl dir so we can add the key object to it */ 2296 dmu_buf_will_dirty(dd->dd_dbuf, tx); 2297 dsl_dir_zapify(dd, tx); 2298 2299 /* create the DSL Crypto Key on disk and activate the feature */ 2300 dd->dd_crypto_obj = zap_create(mos, 2301 DMU_OTN_ZAP_METADATA, DMU_OT_NONE, 0, tx); 2302 VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, 2303 dd->dd_crypto_obj, DSL_CRYPTO_KEY_REFCOUNT, 2304 sizeof (uint64_t), 1, &one, tx)); 2305 VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, 2306 dd->dd_crypto_obj, DSL_CRYPTO_KEY_VERSION, 2307 sizeof (uint64_t), 1, &version, tx)); 2308 2309 dsl_dataset_activate_feature(ds->ds_object, 2310 SPA_FEATURE_ENCRYPTION, (void *)B_TRUE, tx); 2311 ds->ds_feature[SPA_FEATURE_ENCRYPTION] = (void *)B_TRUE; 2312 2313 /* save the dd_crypto_obj on disk */ 2314 VERIFY0(zap_add(mos, dd->dd_object, DD_FIELD_CRYPTO_KEY_OBJ, 2315 sizeof (uint64_t), 1, &dd->dd_crypto_obj, tx)); 2316 2317 /* 2318 * Set the keylocation to prompt by default. If keylocation 2319 * has been provided via the properties, this will be overridden 2320 * later. 2321 */ 2322 dsl_prop_set_sync_impl(ds, 2323 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 2324 ZPROP_SRC_LOCAL, 1, strlen(keylocation) + 1, 2325 keylocation, tx); 2326 2327 rddobj = dd->dd_object; 2328 } else { 2329 VERIFY0(dsl_dir_get_encryption_root_ddobj(dd, &rddobj)); 2330 } 2331 2332 /* sync the key data to the ZAP object on disk */ 2333 dsl_crypto_key_sync_impl(mos, dd->dd_crypto_obj, crypt, 2334 rddobj, key_guid, iv, mac, keydata, hmac_keydata, keyformat, salt, 2335 iters, tx); 2336 } 2337 2338 static int 2339 dsl_crypto_recv_key_check(void *arg, dmu_tx_t *tx) 2340 { 2341 int ret; 2342 dsl_crypto_recv_key_arg_t *dcrka = arg; 2343 dsl_dataset_t *ds = NULL, *fromds = NULL; 2344 2345 ret = dsl_dataset_hold_obj(tx->tx_pool, dcrka->dcrka_dsobj, 2346 FTAG, &ds); 2347 if (ret != 0) 2348 goto out; 2349 2350 if (dcrka->dcrka_fromobj != 0) { 2351 ret = dsl_dataset_hold_obj(tx->tx_pool, dcrka->dcrka_fromobj, 2352 FTAG, &fromds); 2353 if (ret != 0) 2354 goto out; 2355 } 2356 2357 ret = dsl_crypto_recv_raw_objset_check(ds, fromds, 2358 dcrka->dcrka_ostype, dcrka->dcrka_nvl, tx); 2359 if (ret != 0) 2360 goto out; 2361 2362 /* 2363 * We run this check even if we won't be doing this part of 2364 * the receive now so that we don't make the user wait until 2365 * the receive finishes to fail. 2366 */ 2367 ret = dsl_crypto_recv_raw_key_check(ds, dcrka->dcrka_nvl, tx); 2368 if (ret != 0) 2369 goto out; 2370 2371 out: 2372 if (ds != NULL) 2373 dsl_dataset_rele(ds, FTAG); 2374 if (fromds != NULL) 2375 dsl_dataset_rele(fromds, FTAG); 2376 return (ret); 2377 } 2378 2379 static void 2380 dsl_crypto_recv_key_sync(void *arg, dmu_tx_t *tx) 2381 { 2382 dsl_crypto_recv_key_arg_t *dcrka = arg; 2383 dsl_dataset_t *ds; 2384 2385 VERIFY0(dsl_dataset_hold_obj(tx->tx_pool, dcrka->dcrka_dsobj, 2386 FTAG, &ds)); 2387 dsl_crypto_recv_raw_objset_sync(ds, dcrka->dcrka_ostype, 2388 dcrka->dcrka_nvl, tx); 2389 if (dcrka->dcrka_do_key) 2390 dsl_crypto_recv_raw_key_sync(ds, dcrka->dcrka_nvl, tx); 2391 dsl_dataset_rele(ds, FTAG); 2392 } 2393 2394 /* 2395 * This function is used to sync an nvlist representing a DSL Crypto Key and 2396 * the associated encryption parameters. The key will be written exactly as is 2397 * without wrapping it. 2398 */ 2399 int 2400 dsl_crypto_recv_raw(const char *poolname, uint64_t dsobj, uint64_t fromobj, 2401 dmu_objset_type_t ostype, nvlist_t *nvl, boolean_t do_key) 2402 { 2403 dsl_crypto_recv_key_arg_t dcrka; 2404 2405 dcrka.dcrka_dsobj = dsobj; 2406 dcrka.dcrka_fromobj = fromobj; 2407 dcrka.dcrka_ostype = ostype; 2408 dcrka.dcrka_nvl = nvl; 2409 dcrka.dcrka_do_key = do_key; 2410 2411 return (dsl_sync_task(poolname, dsl_crypto_recv_key_check, 2412 dsl_crypto_recv_key_sync, &dcrka, 1, ZFS_SPACE_CHECK_NORMAL)); 2413 } 2414 2415 int 2416 dsl_crypto_populate_key_nvlist(objset_t *os, uint64_t from_ivset_guid, 2417 nvlist_t **nvl_out) 2418 { 2419 int ret; 2420 dsl_dataset_t *ds = os->os_dsl_dataset; 2421 dnode_t *mdn; 2422 uint64_t rddobj; 2423 nvlist_t *nvl = NULL; 2424 uint64_t dckobj = ds->ds_dir->dd_crypto_obj; 2425 dsl_dir_t *rdd = NULL; 2426 dsl_pool_t *dp = ds->ds_dir->dd_pool; 2427 objset_t *mos = dp->dp_meta_objset; 2428 uint64_t crypt = 0, key_guid = 0, format = 0; 2429 uint64_t iters = 0, salt = 0, version = 0; 2430 uint64_t to_ivset_guid = 0; 2431 uint8_t raw_keydata[MASTER_KEY_MAX_LEN]; 2432 uint8_t raw_hmac_keydata[SHA512_HMAC_KEYLEN]; 2433 uint8_t iv[WRAPPING_IV_LEN]; 2434 uint8_t mac[WRAPPING_MAC_LEN]; 2435 2436 ASSERT(dckobj != 0); 2437 2438 mdn = DMU_META_DNODE(os); 2439 2440 nvl = fnvlist_alloc(); 2441 2442 /* lookup values from the DSL Crypto Key */ 2443 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, 2444 &crypt); 2445 if (ret != 0) 2446 goto error; 2447 2448 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_GUID, 8, 1, &key_guid); 2449 if (ret != 0) 2450 goto error; 2451 2452 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MASTER_KEY, 1, 2453 MASTER_KEY_MAX_LEN, raw_keydata); 2454 if (ret != 0) 2455 goto error; 2456 2457 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_HMAC_KEY, 1, 2458 SHA512_HMAC_KEYLEN, raw_hmac_keydata); 2459 if (ret != 0) 2460 goto error; 2461 2462 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_IV, 1, WRAPPING_IV_LEN, 2463 iv); 2464 if (ret != 0) 2465 goto error; 2466 2467 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MAC, 1, WRAPPING_MAC_LEN, 2468 mac); 2469 if (ret != 0) 2470 goto error; 2471 2472 /* see zfs_disable_ivset_guid_check tunable for errata info */ 2473 ret = zap_lookup(mos, ds->ds_object, DS_FIELD_IVSET_GUID, 8, 1, 2474 &to_ivset_guid); 2475 if (ret != 0) 2476 ASSERT3U(dp->dp_spa->spa_errata, !=, 0); 2477 2478 /* 2479 * We don't support raw sends of legacy on-disk formats. See the 2480 * comment in dsl_crypto_recv_key_check() for details. 2481 */ 2482 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_VERSION, 8, 1, &version); 2483 if (ret != 0 || version != ZIO_CRYPT_KEY_CURRENT_VERSION) { 2484 dp->dp_spa->spa_errata = ZPOOL_ERRATA_ZOL_6845_ENCRYPTION; 2485 ret = SET_ERROR(ENOTSUP); 2486 goto error; 2487 } 2488 2489 /* 2490 * Lookup wrapping key properties. An early version of the code did 2491 * not correctly add these values to the wrapping key or the DSL 2492 * Crypto Key on disk for non encryption roots, so to be safe we 2493 * always take the slightly circuitous route of looking it up from 2494 * the encryption root's key. 2495 */ 2496 ret = dsl_dir_get_encryption_root_ddobj(ds->ds_dir, &rddobj); 2497 if (ret != 0) 2498 goto error; 2499 2500 dsl_pool_config_enter(dp, FTAG); 2501 2502 ret = dsl_dir_hold_obj(dp, rddobj, NULL, FTAG, &rdd); 2503 if (ret != 0) 2504 goto error_unlock; 2505 2506 ret = zap_lookup(dp->dp_meta_objset, rdd->dd_crypto_obj, 2507 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 8, 1, &format); 2508 if (ret != 0) 2509 goto error_unlock; 2510 2511 if (format == ZFS_KEYFORMAT_PASSPHRASE) { 2512 ret = zap_lookup(dp->dp_meta_objset, rdd->dd_crypto_obj, 2513 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 8, 1, &iters); 2514 if (ret != 0) 2515 goto error_unlock; 2516 2517 ret = zap_lookup(dp->dp_meta_objset, rdd->dd_crypto_obj, 2518 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 8, 1, &salt); 2519 if (ret != 0) 2520 goto error_unlock; 2521 } 2522 2523 dsl_dir_rele(rdd, FTAG); 2524 dsl_pool_config_exit(dp, FTAG); 2525 2526 fnvlist_add_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE, crypt); 2527 fnvlist_add_uint64(nvl, DSL_CRYPTO_KEY_GUID, key_guid); 2528 fnvlist_add_uint64(nvl, DSL_CRYPTO_KEY_VERSION, version); 2529 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY, 2530 raw_keydata, MASTER_KEY_MAX_LEN)); 2531 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY, 2532 raw_hmac_keydata, SHA512_HMAC_KEYLEN)); 2533 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_IV, iv, 2534 WRAPPING_IV_LEN)); 2535 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, mac, 2536 WRAPPING_MAC_LEN)); 2537 VERIFY0(nvlist_add_uint8_array(nvl, "portable_mac", 2538 os->os_phys->os_portable_mac, ZIO_OBJSET_MAC_LEN)); 2539 fnvlist_add_uint64(nvl, zfs_prop_to_name(ZFS_PROP_KEYFORMAT), format); 2540 fnvlist_add_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), iters); 2541 fnvlist_add_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), salt); 2542 fnvlist_add_uint64(nvl, "mdn_checksum", mdn->dn_checksum); 2543 fnvlist_add_uint64(nvl, "mdn_compress", mdn->dn_compress); 2544 fnvlist_add_uint64(nvl, "mdn_nlevels", mdn->dn_nlevels); 2545 fnvlist_add_uint64(nvl, "mdn_blksz", mdn->dn_datablksz); 2546 fnvlist_add_uint64(nvl, "mdn_indblkshift", mdn->dn_indblkshift); 2547 fnvlist_add_uint64(nvl, "mdn_nblkptr", mdn->dn_nblkptr); 2548 fnvlist_add_uint64(nvl, "mdn_maxblkid", mdn->dn_maxblkid); 2549 fnvlist_add_uint64(nvl, "to_ivset_guid", to_ivset_guid); 2550 fnvlist_add_uint64(nvl, "from_ivset_guid", from_ivset_guid); 2551 2552 *nvl_out = nvl; 2553 return (0); 2554 2555 error_unlock: 2556 dsl_pool_config_exit(dp, FTAG); 2557 error: 2558 if (rdd != NULL) 2559 dsl_dir_rele(rdd, FTAG); 2560 nvlist_free(nvl); 2561 2562 *nvl_out = NULL; 2563 return (ret); 2564 } 2565 2566 uint64_t 2567 dsl_crypto_key_create_sync(uint64_t crypt, dsl_wrapping_key_t *wkey, 2568 dmu_tx_t *tx) 2569 { 2570 dsl_crypto_key_t dck; 2571 uint64_t version = ZIO_CRYPT_KEY_CURRENT_VERSION; 2572 uint64_t one = 1ULL; 2573 2574 ASSERT(dmu_tx_is_syncing(tx)); 2575 ASSERT3U(crypt, <, ZIO_CRYPT_FUNCTIONS); 2576 ASSERT3U(crypt, >, ZIO_CRYPT_OFF); 2577 2578 /* create the DSL Crypto Key ZAP object */ 2579 dck.dck_obj = zap_create(tx->tx_pool->dp_meta_objset, 2580 DMU_OTN_ZAP_METADATA, DMU_OT_NONE, 0, tx); 2581 2582 /* fill in the key (on the stack) and sync it to disk */ 2583 dck.dck_wkey = wkey; 2584 VERIFY0(zio_crypt_key_init(crypt, &dck.dck_key)); 2585 2586 dsl_crypto_key_sync(&dck, tx); 2587 VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, dck.dck_obj, 2588 DSL_CRYPTO_KEY_REFCOUNT, sizeof (uint64_t), 1, &one, tx)); 2589 VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, dck.dck_obj, 2590 DSL_CRYPTO_KEY_VERSION, sizeof (uint64_t), 1, &version, tx)); 2591 2592 zio_crypt_key_destroy(&dck.dck_key); 2593 memset(&dck.dck_key, 0, sizeof (zio_crypt_key_t)); 2594 2595 return (dck.dck_obj); 2596 } 2597 2598 uint64_t 2599 dsl_crypto_key_clone_sync(dsl_dir_t *origindd, dmu_tx_t *tx) 2600 { 2601 objset_t *mos = tx->tx_pool->dp_meta_objset; 2602 2603 ASSERT(dmu_tx_is_syncing(tx)); 2604 2605 VERIFY0(zap_increment(mos, origindd->dd_crypto_obj, 2606 DSL_CRYPTO_KEY_REFCOUNT, 1, tx)); 2607 2608 return (origindd->dd_crypto_obj); 2609 } 2610 2611 void 2612 dsl_crypto_key_destroy_sync(uint64_t dckobj, dmu_tx_t *tx) 2613 { 2614 objset_t *mos = tx->tx_pool->dp_meta_objset; 2615 uint64_t refcnt; 2616 2617 /* Decrement the refcount, destroy if this is the last reference */ 2618 VERIFY0(zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_REFCOUNT, 2619 sizeof (uint64_t), 1, &refcnt)); 2620 2621 if (refcnt != 1) { 2622 VERIFY0(zap_increment(mos, dckobj, DSL_CRYPTO_KEY_REFCOUNT, 2623 -1, tx)); 2624 } else { 2625 VERIFY0(zap_destroy(mos, dckobj, tx)); 2626 } 2627 } 2628 2629 void 2630 dsl_dataset_crypt_stats(dsl_dataset_t *ds, nvlist_t *nv) 2631 { 2632 uint64_t intval; 2633 dsl_dir_t *dd = ds->ds_dir; 2634 dsl_dir_t *enc_root; 2635 char buf[ZFS_MAX_DATASET_NAME_LEN]; 2636 2637 if (dd->dd_crypto_obj == 0) 2638 return; 2639 2640 intval = dsl_dataset_get_keystatus(dd); 2641 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_KEYSTATUS, intval); 2642 2643 if (dsl_dir_get_crypt(dd, &intval) == 0) 2644 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_ENCRYPTION, intval); 2645 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2646 DSL_CRYPTO_KEY_GUID, 8, 1, &intval) == 0) { 2647 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_KEY_GUID, intval); 2648 } 2649 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2650 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 8, 1, &intval) == 0) { 2651 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_KEYFORMAT, intval); 2652 } 2653 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2654 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 8, 1, &intval) == 0) { 2655 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_PBKDF2_SALT, intval); 2656 } 2657 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2658 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 8, 1, &intval) == 0) { 2659 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_PBKDF2_ITERS, intval); 2660 } 2661 if (zap_lookup(dd->dd_pool->dp_meta_objset, ds->ds_object, 2662 DS_FIELD_IVSET_GUID, 8, 1, &intval) == 0) { 2663 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_IVSET_GUID, intval); 2664 } 2665 2666 if (dsl_dir_get_encryption_root_ddobj(dd, &intval) == 0) { 2667 if (dsl_dir_hold_obj(dd->dd_pool, intval, NULL, FTAG, 2668 &enc_root) == 0) { 2669 dsl_dir_name(enc_root, buf); 2670 dsl_dir_rele(enc_root, FTAG); 2671 dsl_prop_nvlist_add_string(nv, 2672 ZFS_PROP_ENCRYPTION_ROOT, buf); 2673 } 2674 } 2675 } 2676 2677 int 2678 spa_crypt_get_salt(spa_t *spa, uint64_t dsobj, uint8_t *salt) 2679 { 2680 int ret; 2681 dsl_crypto_key_t *dck = NULL; 2682 2683 /* look up the key from the spa's keystore */ 2684 ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck); 2685 if (ret != 0) 2686 goto error; 2687 2688 ret = zio_crypt_key_get_salt(&dck->dck_key, salt); 2689 if (ret != 0) 2690 goto error; 2691 2692 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2693 return (0); 2694 2695 error: 2696 if (dck != NULL) 2697 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2698 return (ret); 2699 } 2700 2701 /* 2702 * Objset blocks are a special case for MAC generation. These blocks have 2 2703 * 256-bit MACs which are embedded within the block itself, rather than a 2704 * single 128 bit MAC. As a result, this function handles encoding and decoding 2705 * the MACs on its own, unlike other functions in this file. 2706 */ 2707 int 2708 spa_do_crypt_objset_mac_abd(boolean_t generate, spa_t *spa, uint64_t dsobj, 2709 abd_t *abd, uint_t datalen, boolean_t byteswap) 2710 { 2711 int ret; 2712 dsl_crypto_key_t *dck = NULL; 2713 void *buf = abd_borrow_buf_copy(abd, datalen); 2714 objset_phys_t *osp = buf; 2715 uint8_t portable_mac[ZIO_OBJSET_MAC_LEN]; 2716 uint8_t local_mac[ZIO_OBJSET_MAC_LEN]; 2717 const uint8_t zeroed_mac[ZIO_OBJSET_MAC_LEN] = {0}; 2718 2719 /* look up the key from the spa's keystore */ 2720 ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck); 2721 if (ret != 0) 2722 goto error; 2723 2724 /* calculate both HMACs */ 2725 ret = zio_crypt_do_objset_hmacs(&dck->dck_key, buf, datalen, 2726 byteswap, portable_mac, local_mac); 2727 if (ret != 0) 2728 goto error; 2729 2730 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2731 2732 /* if we are generating encode the HMACs in the objset_phys_t */ 2733 if (generate) { 2734 memcpy(osp->os_portable_mac, portable_mac, ZIO_OBJSET_MAC_LEN); 2735 memcpy(osp->os_local_mac, local_mac, ZIO_OBJSET_MAC_LEN); 2736 abd_return_buf_copy(abd, buf, datalen); 2737 return (0); 2738 } 2739 2740 if (memcmp(portable_mac, osp->os_portable_mac, 2741 ZIO_OBJSET_MAC_LEN) != 0 || 2742 memcmp(local_mac, osp->os_local_mac, ZIO_OBJSET_MAC_LEN) != 0) { 2743 /* 2744 * If the MAC is zeroed out, we failed to decrypt it. 2745 * This should only arise, at least on Linux, 2746 * if we hit edge case handling for useraccounting, since we 2747 * shouldn't get here without bailing out on error earlier 2748 * otherwise. 2749 * 2750 * So if we're in that case, we can just fall through and 2751 * special-casing noticing that it's zero will handle it 2752 * elsewhere, since we can just regenerate it. 2753 */ 2754 if (memcmp(local_mac, zeroed_mac, ZIO_OBJSET_MAC_LEN) != 0) { 2755 abd_return_buf(abd, buf, datalen); 2756 return (SET_ERROR(ECKSUM)); 2757 } 2758 } 2759 2760 abd_return_buf(abd, buf, datalen); 2761 2762 return (0); 2763 2764 error: 2765 if (dck != NULL) 2766 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2767 abd_return_buf(abd, buf, datalen); 2768 return (ret); 2769 } 2770 2771 int 2772 spa_do_crypt_mac_abd(boolean_t generate, spa_t *spa, uint64_t dsobj, abd_t *abd, 2773 uint_t datalen, uint8_t *mac) 2774 { 2775 int ret; 2776 dsl_crypto_key_t *dck = NULL; 2777 uint8_t *buf = abd_borrow_buf_copy(abd, datalen); 2778 uint8_t digestbuf[ZIO_DATA_MAC_LEN]; 2779 2780 /* look up the key from the spa's keystore */ 2781 ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck); 2782 if (ret != 0) 2783 goto error; 2784 2785 /* perform the hmac */ 2786 ret = zio_crypt_do_hmac(&dck->dck_key, buf, datalen, 2787 digestbuf, ZIO_DATA_MAC_LEN); 2788 if (ret != 0) 2789 goto error; 2790 2791 abd_return_buf(abd, buf, datalen); 2792 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2793 2794 /* 2795 * Truncate and fill in mac buffer if we were asked to generate a MAC. 2796 * Otherwise verify that the MAC matched what we expected. 2797 */ 2798 if (generate) { 2799 memcpy(mac, digestbuf, ZIO_DATA_MAC_LEN); 2800 return (0); 2801 } 2802 2803 if (memcmp(digestbuf, mac, ZIO_DATA_MAC_LEN) != 0) 2804 return (SET_ERROR(ECKSUM)); 2805 2806 return (0); 2807 2808 error: 2809 if (dck != NULL) 2810 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2811 abd_return_buf(abd, buf, datalen); 2812 return (ret); 2813 } 2814 2815 /* 2816 * This function serves as a multiplexer for encryption and decryption of 2817 * all blocks (except the L2ARC). For encryption, it will populate the IV, 2818 * salt, MAC, and cabd (the ciphertext). On decryption it will simply use 2819 * these fields to populate pabd (the plaintext). 2820 */ 2821 int 2822 spa_do_crypt_abd(boolean_t encrypt, spa_t *spa, const zbookmark_phys_t *zb, 2823 dmu_object_type_t ot, boolean_t dedup, boolean_t bswap, uint8_t *salt, 2824 uint8_t *iv, uint8_t *mac, uint_t datalen, abd_t *pabd, abd_t *cabd, 2825 boolean_t *no_crypt) 2826 { 2827 int ret; 2828 dsl_crypto_key_t *dck = NULL; 2829 uint8_t *plainbuf = NULL, *cipherbuf = NULL; 2830 2831 ASSERT(spa_feature_is_active(spa, SPA_FEATURE_ENCRYPTION)); 2832 2833 /* look up the key from the spa's keystore */ 2834 ret = spa_keystore_lookup_key(spa, zb->zb_objset, FTAG, &dck); 2835 if (ret != 0) { 2836 ret = SET_ERROR(EACCES); 2837 return (ret); 2838 } 2839 2840 if (encrypt) { 2841 plainbuf = abd_borrow_buf_copy(pabd, datalen); 2842 cipherbuf = abd_borrow_buf(cabd, datalen); 2843 } else { 2844 plainbuf = abd_borrow_buf(pabd, datalen); 2845 cipherbuf = abd_borrow_buf_copy(cabd, datalen); 2846 } 2847 2848 /* 2849 * Both encryption and decryption functions need a salt for key 2850 * generation and an IV. When encrypting a non-dedup block, we 2851 * generate the salt and IV randomly to be stored by the caller. Dedup 2852 * blocks perform a (more expensive) HMAC of the plaintext to obtain 2853 * the salt and the IV. ZIL blocks have their salt and IV generated 2854 * at allocation time in zio_alloc_zil(). On decryption, we simply use 2855 * the provided values. 2856 */ 2857 if (encrypt && ot != DMU_OT_INTENT_LOG && !dedup) { 2858 ret = zio_crypt_key_get_salt(&dck->dck_key, salt); 2859 if (ret != 0) 2860 goto error; 2861 2862 ret = zio_crypt_generate_iv(iv); 2863 if (ret != 0) 2864 goto error; 2865 } else if (encrypt && dedup) { 2866 ret = zio_crypt_generate_iv_salt_dedup(&dck->dck_key, 2867 plainbuf, datalen, iv, salt); 2868 if (ret != 0) 2869 goto error; 2870 } 2871 2872 /* call lower level function to perform encryption / decryption */ 2873 ret = zio_do_crypt_data(encrypt, &dck->dck_key, ot, bswap, salt, iv, 2874 mac, datalen, plainbuf, cipherbuf, no_crypt); 2875 2876 /* 2877 * Handle injected decryption faults. Unfortunately, we cannot inject 2878 * faults for dnode blocks because we might trigger the panic in 2879 * dbuf_prepare_encrypted_dnode_leaf(), which exists because syncing 2880 * context is not prepared to handle malicious decryption failures. 2881 */ 2882 if (zio_injection_enabled && !encrypt && ot != DMU_OT_DNODE && ret == 0) 2883 ret = zio_handle_decrypt_injection(spa, zb, ot, ECKSUM); 2884 if (ret != 0) 2885 goto error; 2886 2887 if (encrypt) { 2888 abd_return_buf(pabd, plainbuf, datalen); 2889 abd_return_buf_copy(cabd, cipherbuf, datalen); 2890 } else { 2891 abd_return_buf_copy(pabd, plainbuf, datalen); 2892 abd_return_buf(cabd, cipherbuf, datalen); 2893 } 2894 2895 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2896 2897 return (0); 2898 2899 error: 2900 if (encrypt) { 2901 /* zero out any state we might have changed while encrypting */ 2902 memset(salt, 0, ZIO_DATA_SALT_LEN); 2903 memset(iv, 0, ZIO_DATA_IV_LEN); 2904 memset(mac, 0, ZIO_DATA_MAC_LEN); 2905 abd_return_buf(pabd, plainbuf, datalen); 2906 abd_return_buf_copy(cabd, cipherbuf, datalen); 2907 } else { 2908 abd_return_buf_copy(pabd, plainbuf, datalen); 2909 abd_return_buf(cabd, cipherbuf, datalen); 2910 } 2911 2912 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2913 2914 return (ret); 2915 } 2916 2917 ZFS_MODULE_PARAM(zfs, zfs_, disable_ivset_guid_check, INT, ZMOD_RW, 2918 "Set to allow raw receives without IVset guids"); 2919