1 /* 2 * CDDL HEADER START 3 * 4 * This file and its contents are supplied under the terms of the 5 * Common Development and Distribution License ("CDDL"), version 1.0. 6 * You may only use this file in accordance with the terms of version 7 * 1.0 of the CDDL. 8 * 9 * A full copy of the text of the CDDL should have accompanied this 10 * source. A copy of the CDDL is also available via the Internet at 11 * http://www.illumos.org/license/CDDL. 12 * 13 * CDDL HEADER END 14 */ 15 16 /* 17 * Copyright (c) 2017, Datto, Inc. All rights reserved. 18 * Copyright (c) 2018 by Delphix. All rights reserved. 19 */ 20 21 #include <sys/dsl_crypt.h> 22 #include <sys/dsl_pool.h> 23 #include <sys/zap.h> 24 #include <sys/zil.h> 25 #include <sys/dsl_dir.h> 26 #include <sys/dsl_prop.h> 27 #include <sys/spa_impl.h> 28 #include <sys/dmu_objset.h> 29 #include <sys/zvol.h> 30 31 /* 32 * This file's primary purpose is for managing master encryption keys in 33 * memory and on disk. For more info on how these keys are used, see the 34 * block comment in zio_crypt.c. 35 * 36 * All master keys are stored encrypted on disk in the form of the DSL 37 * Crypto Key ZAP object. The binary key data in this object is always 38 * randomly generated and is encrypted with the user's wrapping key. This 39 * layer of indirection allows the user to change their key without 40 * needing to re-encrypt the entire dataset. The ZAP also holds on to the 41 * (non-encrypted) encryption algorithm identifier, IV, and MAC needed to 42 * safely decrypt the master key. For more info on the user's key see the 43 * block comment in libzfs_crypto.c 44 * 45 * In-memory encryption keys are managed through the spa_keystore. The 46 * keystore consists of 3 AVL trees, which are as follows: 47 * 48 * The Wrapping Key Tree: 49 * The wrapping key (wkey) tree stores the user's keys that are fed into the 50 * kernel through 'zfs load-key' and related commands. Datasets inherit their 51 * parent's wkey by default, so these structures are refcounted. The wrapping 52 * keys remain in memory until they are explicitly unloaded (with 53 * "zfs unload-key"). Unloading is only possible when no datasets are using 54 * them (refcount=0). 55 * 56 * The DSL Crypto Key Tree: 57 * The DSL Crypto Keys (DCK) are the in-memory representation of decrypted 58 * master keys. They are used by the functions in zio_crypt.c to perform 59 * encryption, decryption, and authentication. Snapshots and clones of a given 60 * dataset will share a DSL Crypto Key, so they are also refcounted. Once the 61 * refcount on a key hits zero, it is immediately zeroed out and freed. 62 * 63 * The Crypto Key Mapping Tree: 64 * The zio layer needs to lookup master keys by their dataset object id. Since 65 * the DSL Crypto Keys can belong to multiple datasets, we maintain a tree of 66 * dsl_key_mapping_t's which essentially just map the dataset object id to its 67 * appropriate DSL Crypto Key. The management for creating and destroying these 68 * mappings hooks into the code for owning and disowning datasets. Usually, 69 * there will only be one active dataset owner, but there are times 70 * (particularly during dataset creation and destruction) when this may not be 71 * true or the dataset may not be initialized enough to own. As a result, this 72 * object is also refcounted. 73 */ 74 75 /* 76 * This tunable allows datasets to be raw received even if the stream does 77 * not include IVset guids or if the guids don't match. This is used as part 78 * of the resolution for ZPOOL_ERRATA_ZOL_8308_ENCRYPTION. 79 */ 80 int zfs_disable_ivset_guid_check = 0; 81 82 static void 83 dsl_wrapping_key_hold(dsl_wrapping_key_t *wkey, const void *tag) 84 { 85 (void) zfs_refcount_add(&wkey->wk_refcnt, tag); 86 } 87 88 static void 89 dsl_wrapping_key_rele(dsl_wrapping_key_t *wkey, const void *tag) 90 { 91 (void) zfs_refcount_remove(&wkey->wk_refcnt, tag); 92 } 93 94 static void 95 dsl_wrapping_key_free(dsl_wrapping_key_t *wkey) 96 { 97 ASSERT0(zfs_refcount_count(&wkey->wk_refcnt)); 98 99 if (wkey->wk_key.ck_data) { 100 memset(wkey->wk_key.ck_data, 0, 101 CRYPTO_BITS2BYTES(wkey->wk_key.ck_length)); 102 kmem_free(wkey->wk_key.ck_data, 103 CRYPTO_BITS2BYTES(wkey->wk_key.ck_length)); 104 } 105 106 zfs_refcount_destroy(&wkey->wk_refcnt); 107 kmem_free(wkey, sizeof (dsl_wrapping_key_t)); 108 } 109 110 static void 111 dsl_wrapping_key_create(uint8_t *wkeydata, zfs_keyformat_t keyformat, 112 uint64_t salt, uint64_t iters, dsl_wrapping_key_t **wkey_out) 113 { 114 dsl_wrapping_key_t *wkey; 115 116 /* allocate the wrapping key */ 117 wkey = kmem_alloc(sizeof (dsl_wrapping_key_t), KM_SLEEP); 118 119 /* allocate and initialize the underlying crypto key */ 120 wkey->wk_key.ck_data = kmem_alloc(WRAPPING_KEY_LEN, KM_SLEEP); 121 122 wkey->wk_key.ck_length = CRYPTO_BYTES2BITS(WRAPPING_KEY_LEN); 123 memcpy(wkey->wk_key.ck_data, wkeydata, WRAPPING_KEY_LEN); 124 125 /* initialize the rest of the struct */ 126 zfs_refcount_create(&wkey->wk_refcnt); 127 wkey->wk_keyformat = keyformat; 128 wkey->wk_salt = salt; 129 wkey->wk_iters = iters; 130 131 *wkey_out = wkey; 132 } 133 134 int 135 dsl_crypto_params_create_nvlist(dcp_cmd_t cmd, nvlist_t *props, 136 nvlist_t *crypto_args, dsl_crypto_params_t **dcp_out) 137 { 138 int ret; 139 uint64_t crypt = ZIO_CRYPT_INHERIT; 140 uint64_t keyformat = ZFS_KEYFORMAT_NONE; 141 uint64_t salt = 0, iters = 0; 142 dsl_crypto_params_t *dcp = NULL; 143 dsl_wrapping_key_t *wkey = NULL; 144 uint8_t *wkeydata = NULL; 145 uint_t wkeydata_len = 0; 146 const char *keylocation = NULL; 147 148 dcp = kmem_zalloc(sizeof (dsl_crypto_params_t), KM_SLEEP); 149 dcp->cp_cmd = cmd; 150 151 /* get relevant arguments from the nvlists */ 152 if (props != NULL) { 153 (void) nvlist_lookup_uint64(props, 154 zfs_prop_to_name(ZFS_PROP_ENCRYPTION), &crypt); 155 (void) nvlist_lookup_uint64(props, 156 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), &keyformat); 157 (void) nvlist_lookup_string(props, 158 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), &keylocation); 159 (void) nvlist_lookup_uint64(props, 160 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), &salt); 161 (void) nvlist_lookup_uint64(props, 162 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), &iters); 163 164 dcp->cp_crypt = crypt; 165 } 166 167 if (crypto_args != NULL) { 168 (void) nvlist_lookup_uint8_array(crypto_args, "wkeydata", 169 &wkeydata, &wkeydata_len); 170 } 171 172 /* check for valid command */ 173 if (dcp->cp_cmd >= DCP_CMD_MAX) { 174 ret = SET_ERROR(EINVAL); 175 goto error; 176 } else { 177 dcp->cp_cmd = cmd; 178 } 179 180 /* check for valid crypt */ 181 if (dcp->cp_crypt >= ZIO_CRYPT_FUNCTIONS) { 182 ret = SET_ERROR(EINVAL); 183 goto error; 184 } else { 185 dcp->cp_crypt = crypt; 186 } 187 188 /* check for valid keyformat */ 189 if (keyformat >= ZFS_KEYFORMAT_FORMATS) { 190 ret = SET_ERROR(EINVAL); 191 goto error; 192 } 193 194 /* check for a valid keylocation (of any kind) and copy it in */ 195 if (keylocation != NULL) { 196 if (!zfs_prop_valid_keylocation(keylocation, B_FALSE)) { 197 ret = SET_ERROR(EINVAL); 198 goto error; 199 } 200 201 dcp->cp_keylocation = spa_strdup(keylocation); 202 } 203 204 /* check wrapping key length, if given */ 205 if (wkeydata != NULL && wkeydata_len != WRAPPING_KEY_LEN) { 206 ret = SET_ERROR(EINVAL); 207 goto error; 208 } 209 210 /* if the user asked for the default crypt, determine that now */ 211 if (dcp->cp_crypt == ZIO_CRYPT_ON) 212 dcp->cp_crypt = ZIO_CRYPT_ON_VALUE; 213 214 /* create the wrapping key from the raw data */ 215 if (wkeydata != NULL) { 216 /* create the wrapping key with the verified parameters */ 217 dsl_wrapping_key_create(wkeydata, keyformat, salt, 218 iters, &wkey); 219 dcp->cp_wkey = wkey; 220 } 221 222 /* 223 * Remove the encryption properties from the nvlist since they are not 224 * maintained through the DSL. 225 */ 226 (void) nvlist_remove_all(props, zfs_prop_to_name(ZFS_PROP_ENCRYPTION)); 227 (void) nvlist_remove_all(props, zfs_prop_to_name(ZFS_PROP_KEYFORMAT)); 228 (void) nvlist_remove_all(props, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT)); 229 (void) nvlist_remove_all(props, 230 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS)); 231 232 *dcp_out = dcp; 233 234 return (0); 235 236 error: 237 kmem_free(dcp, sizeof (dsl_crypto_params_t)); 238 *dcp_out = NULL; 239 return (ret); 240 } 241 242 void 243 dsl_crypto_params_free(dsl_crypto_params_t *dcp, boolean_t unload) 244 { 245 if (dcp == NULL) 246 return; 247 248 if (dcp->cp_keylocation != NULL) 249 spa_strfree(dcp->cp_keylocation); 250 if (unload && dcp->cp_wkey != NULL) 251 dsl_wrapping_key_free(dcp->cp_wkey); 252 253 kmem_free(dcp, sizeof (dsl_crypto_params_t)); 254 } 255 256 static int 257 spa_crypto_key_compare(const void *a, const void *b) 258 { 259 const dsl_crypto_key_t *dcka = a; 260 const dsl_crypto_key_t *dckb = b; 261 262 if (dcka->dck_obj < dckb->dck_obj) 263 return (-1); 264 if (dcka->dck_obj > dckb->dck_obj) 265 return (1); 266 return (0); 267 } 268 269 static int 270 spa_key_mapping_compare(const void *a, const void *b) 271 { 272 const dsl_key_mapping_t *kma = a; 273 const dsl_key_mapping_t *kmb = b; 274 275 if (kma->km_dsobj < kmb->km_dsobj) 276 return (-1); 277 if (kma->km_dsobj > kmb->km_dsobj) 278 return (1); 279 return (0); 280 } 281 282 static int 283 spa_wkey_compare(const void *a, const void *b) 284 { 285 const dsl_wrapping_key_t *wka = a; 286 const dsl_wrapping_key_t *wkb = b; 287 288 if (wka->wk_ddobj < wkb->wk_ddobj) 289 return (-1); 290 if (wka->wk_ddobj > wkb->wk_ddobj) 291 return (1); 292 return (0); 293 } 294 295 void 296 spa_keystore_init(spa_keystore_t *sk) 297 { 298 rw_init(&sk->sk_dk_lock, NULL, RW_DEFAULT, NULL); 299 rw_init(&sk->sk_km_lock, NULL, RW_DEFAULT, NULL); 300 rw_init(&sk->sk_wkeys_lock, NULL, RW_DEFAULT, NULL); 301 avl_create(&sk->sk_dsl_keys, spa_crypto_key_compare, 302 sizeof (dsl_crypto_key_t), 303 offsetof(dsl_crypto_key_t, dck_avl_link)); 304 avl_create(&sk->sk_key_mappings, spa_key_mapping_compare, 305 sizeof (dsl_key_mapping_t), 306 offsetof(dsl_key_mapping_t, km_avl_link)); 307 avl_create(&sk->sk_wkeys, spa_wkey_compare, sizeof (dsl_wrapping_key_t), 308 offsetof(dsl_wrapping_key_t, wk_avl_link)); 309 } 310 311 void 312 spa_keystore_fini(spa_keystore_t *sk) 313 { 314 dsl_wrapping_key_t *wkey; 315 void *cookie = NULL; 316 317 ASSERT(avl_is_empty(&sk->sk_dsl_keys)); 318 ASSERT(avl_is_empty(&sk->sk_key_mappings)); 319 320 while ((wkey = avl_destroy_nodes(&sk->sk_wkeys, &cookie)) != NULL) 321 dsl_wrapping_key_free(wkey); 322 323 avl_destroy(&sk->sk_wkeys); 324 avl_destroy(&sk->sk_key_mappings); 325 avl_destroy(&sk->sk_dsl_keys); 326 rw_destroy(&sk->sk_wkeys_lock); 327 rw_destroy(&sk->sk_km_lock); 328 rw_destroy(&sk->sk_dk_lock); 329 } 330 331 static int 332 dsl_dir_get_encryption_root_ddobj(dsl_dir_t *dd, uint64_t *rddobj) 333 { 334 if (dd->dd_crypto_obj == 0) 335 return (SET_ERROR(ENOENT)); 336 337 return (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 338 DSL_CRYPTO_KEY_ROOT_DDOBJ, 8, 1, rddobj)); 339 } 340 341 static int 342 dsl_dir_get_encryption_version(dsl_dir_t *dd, uint64_t *version) 343 { 344 *version = 0; 345 346 if (dd->dd_crypto_obj == 0) 347 return (SET_ERROR(ENOENT)); 348 349 /* version 0 is implied by ENOENT */ 350 (void) zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 351 DSL_CRYPTO_KEY_VERSION, 8, 1, version); 352 353 return (0); 354 } 355 356 boolean_t 357 dsl_dir_incompatible_encryption_version(dsl_dir_t *dd) 358 { 359 int ret; 360 uint64_t version = 0; 361 362 ret = dsl_dir_get_encryption_version(dd, &version); 363 if (ret != 0) 364 return (B_FALSE); 365 366 return (version != ZIO_CRYPT_KEY_CURRENT_VERSION); 367 } 368 369 static int 370 spa_keystore_wkey_hold_ddobj_impl(spa_t *spa, uint64_t ddobj, 371 const void *tag, dsl_wrapping_key_t **wkey_out) 372 { 373 int ret; 374 dsl_wrapping_key_t search_wkey; 375 dsl_wrapping_key_t *found_wkey; 376 377 ASSERT(RW_LOCK_HELD(&spa->spa_keystore.sk_wkeys_lock)); 378 379 /* init the search wrapping key */ 380 search_wkey.wk_ddobj = ddobj; 381 382 /* lookup the wrapping key */ 383 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, &search_wkey, NULL); 384 if (!found_wkey) { 385 ret = SET_ERROR(ENOENT); 386 goto error; 387 } 388 389 /* increment the refcount */ 390 dsl_wrapping_key_hold(found_wkey, tag); 391 392 *wkey_out = found_wkey; 393 return (0); 394 395 error: 396 *wkey_out = NULL; 397 return (ret); 398 } 399 400 static int 401 spa_keystore_wkey_hold_dd(spa_t *spa, dsl_dir_t *dd, const void *tag, 402 dsl_wrapping_key_t **wkey_out) 403 { 404 int ret; 405 dsl_wrapping_key_t *wkey; 406 uint64_t rddobj; 407 boolean_t locked = B_FALSE; 408 409 if (!RW_WRITE_HELD(&spa->spa_keystore.sk_wkeys_lock)) { 410 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_READER); 411 locked = B_TRUE; 412 } 413 414 /* get the ddobj that the keylocation property was inherited from */ 415 ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj); 416 if (ret != 0) 417 goto error; 418 419 /* lookup the wkey in the avl tree */ 420 ret = spa_keystore_wkey_hold_ddobj_impl(spa, rddobj, tag, &wkey); 421 if (ret != 0) 422 goto error; 423 424 /* unlock the wkey tree if we locked it */ 425 if (locked) 426 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 427 428 *wkey_out = wkey; 429 return (0); 430 431 error: 432 if (locked) 433 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 434 435 *wkey_out = NULL; 436 return (ret); 437 } 438 439 int 440 dsl_crypto_can_set_keylocation(const char *dsname, const char *keylocation) 441 { 442 int ret = 0; 443 dsl_dir_t *dd = NULL; 444 dsl_pool_t *dp = NULL; 445 uint64_t rddobj; 446 447 /* hold the dsl dir */ 448 ret = dsl_pool_hold(dsname, FTAG, &dp); 449 if (ret != 0) 450 goto out; 451 452 ret = dsl_dir_hold(dp, dsname, FTAG, &dd, NULL); 453 if (ret != 0) { 454 dd = NULL; 455 goto out; 456 } 457 458 /* if dd is not encrypted, the value may only be "none" */ 459 if (dd->dd_crypto_obj == 0) { 460 if (strcmp(keylocation, "none") != 0) { 461 ret = SET_ERROR(EACCES); 462 goto out; 463 } 464 465 ret = 0; 466 goto out; 467 } 468 469 /* check for a valid keylocation for encrypted datasets */ 470 if (!zfs_prop_valid_keylocation(keylocation, B_TRUE)) { 471 ret = SET_ERROR(EINVAL); 472 goto out; 473 } 474 475 /* check that this is an encryption root */ 476 ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj); 477 if (ret != 0) 478 goto out; 479 480 if (rddobj != dd->dd_object) { 481 ret = SET_ERROR(EACCES); 482 goto out; 483 } 484 485 dsl_dir_rele(dd, FTAG); 486 dsl_pool_rele(dp, FTAG); 487 488 return (0); 489 490 out: 491 if (dd != NULL) 492 dsl_dir_rele(dd, FTAG); 493 if (dp != NULL) 494 dsl_pool_rele(dp, FTAG); 495 496 return (ret); 497 } 498 499 static void 500 dsl_crypto_key_free(dsl_crypto_key_t *dck) 501 { 502 ASSERT(zfs_refcount_count(&dck->dck_holds) == 0); 503 504 /* destroy the zio_crypt_key_t */ 505 zio_crypt_key_destroy(&dck->dck_key); 506 507 /* free the refcount, wrapping key, and lock */ 508 zfs_refcount_destroy(&dck->dck_holds); 509 if (dck->dck_wkey) 510 dsl_wrapping_key_rele(dck->dck_wkey, dck); 511 512 /* free the key */ 513 kmem_free(dck, sizeof (dsl_crypto_key_t)); 514 } 515 516 static void 517 dsl_crypto_key_rele(dsl_crypto_key_t *dck, const void *tag) 518 { 519 if (zfs_refcount_remove(&dck->dck_holds, tag) == 0) 520 dsl_crypto_key_free(dck); 521 } 522 523 static int 524 dsl_crypto_key_open(objset_t *mos, dsl_wrapping_key_t *wkey, 525 uint64_t dckobj, const void *tag, dsl_crypto_key_t **dck_out) 526 { 527 int ret; 528 uint64_t crypt = 0, guid = 0, version = 0; 529 uint8_t raw_keydata[MASTER_KEY_MAX_LEN]; 530 uint8_t raw_hmac_keydata[SHA512_HMAC_KEYLEN]; 531 uint8_t iv[WRAPPING_IV_LEN]; 532 uint8_t mac[WRAPPING_MAC_LEN]; 533 dsl_crypto_key_t *dck; 534 535 /* allocate and initialize the key */ 536 dck = kmem_zalloc(sizeof (dsl_crypto_key_t), KM_SLEEP); 537 538 /* fetch all of the values we need from the ZAP */ 539 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, 540 &crypt); 541 if (ret != 0) 542 goto error; 543 544 /* handle a future crypto suite that we don't support */ 545 if (crypt >= ZIO_CRYPT_FUNCTIONS) { 546 ret = (SET_ERROR(ZFS_ERR_CRYPTO_NOTSUP)); 547 goto error; 548 } 549 550 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_GUID, 8, 1, &guid); 551 if (ret != 0) 552 goto error; 553 554 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MASTER_KEY, 1, 555 MASTER_KEY_MAX_LEN, raw_keydata); 556 if (ret != 0) 557 goto error; 558 559 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_HMAC_KEY, 1, 560 SHA512_HMAC_KEYLEN, raw_hmac_keydata); 561 if (ret != 0) 562 goto error; 563 564 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_IV, 1, WRAPPING_IV_LEN, 565 iv); 566 if (ret != 0) 567 goto error; 568 569 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MAC, 1, WRAPPING_MAC_LEN, 570 mac); 571 if (ret != 0) 572 goto error; 573 574 /* the initial on-disk format for encryption did not have a version */ 575 (void) zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_VERSION, 8, 1, &version); 576 577 /* 578 * Unwrap the keys. If there is an error return EACCES to indicate 579 * an authentication failure. 580 */ 581 ret = zio_crypt_key_unwrap(&wkey->wk_key, crypt, version, guid, 582 raw_keydata, raw_hmac_keydata, iv, mac, &dck->dck_key); 583 if (ret != 0) { 584 ret = SET_ERROR(EACCES); 585 goto error; 586 } 587 588 /* finish initializing the dsl_crypto_key_t */ 589 zfs_refcount_create(&dck->dck_holds); 590 dsl_wrapping_key_hold(wkey, dck); 591 dck->dck_wkey = wkey; 592 dck->dck_obj = dckobj; 593 zfs_refcount_add(&dck->dck_holds, tag); 594 595 *dck_out = dck; 596 return (0); 597 598 error: 599 if (dck != NULL) { 600 memset(dck, 0, sizeof (dsl_crypto_key_t)); 601 kmem_free(dck, sizeof (dsl_crypto_key_t)); 602 } 603 604 *dck_out = NULL; 605 return (ret); 606 } 607 608 static int 609 spa_keystore_dsl_key_hold_impl(spa_t *spa, uint64_t dckobj, const void *tag, 610 dsl_crypto_key_t **dck_out) 611 { 612 int ret; 613 dsl_crypto_key_t search_dck; 614 dsl_crypto_key_t *found_dck; 615 616 ASSERT(RW_LOCK_HELD(&spa->spa_keystore.sk_dk_lock)); 617 618 /* init the search key */ 619 search_dck.dck_obj = dckobj; 620 621 /* find the matching key in the keystore */ 622 found_dck = avl_find(&spa->spa_keystore.sk_dsl_keys, &search_dck, NULL); 623 if (!found_dck) { 624 ret = SET_ERROR(ENOENT); 625 goto error; 626 } 627 628 /* increment the refcount */ 629 zfs_refcount_add(&found_dck->dck_holds, tag); 630 631 *dck_out = found_dck; 632 return (0); 633 634 error: 635 *dck_out = NULL; 636 return (ret); 637 } 638 639 static int 640 spa_keystore_dsl_key_hold_dd(spa_t *spa, dsl_dir_t *dd, const void *tag, 641 dsl_crypto_key_t **dck_out) 642 { 643 int ret; 644 avl_index_t where; 645 dsl_crypto_key_t *dck_io = NULL, *dck_ks = NULL; 646 dsl_wrapping_key_t *wkey = NULL; 647 uint64_t dckobj = dd->dd_crypto_obj; 648 649 /* Lookup the key in the tree of currently loaded keys */ 650 rw_enter(&spa->spa_keystore.sk_dk_lock, RW_READER); 651 ret = spa_keystore_dsl_key_hold_impl(spa, dckobj, tag, &dck_ks); 652 rw_exit(&spa->spa_keystore.sk_dk_lock); 653 if (ret == 0) { 654 *dck_out = dck_ks; 655 return (0); 656 } 657 658 /* Lookup the wrapping key from the keystore */ 659 ret = spa_keystore_wkey_hold_dd(spa, dd, FTAG, &wkey); 660 if (ret != 0) { 661 *dck_out = NULL; 662 return (SET_ERROR(EACCES)); 663 } 664 665 /* Read the key from disk */ 666 ret = dsl_crypto_key_open(spa->spa_meta_objset, wkey, dckobj, 667 tag, &dck_io); 668 if (ret != 0) { 669 dsl_wrapping_key_rele(wkey, FTAG); 670 *dck_out = NULL; 671 return (ret); 672 } 673 674 /* 675 * Add the key to the keystore. It may already exist if it was 676 * added while performing the read from disk. In this case discard 677 * it and return the key from the keystore. 678 */ 679 rw_enter(&spa->spa_keystore.sk_dk_lock, RW_WRITER); 680 ret = spa_keystore_dsl_key_hold_impl(spa, dckobj, tag, &dck_ks); 681 if (ret != 0) { 682 avl_find(&spa->spa_keystore.sk_dsl_keys, dck_io, &where); 683 avl_insert(&spa->spa_keystore.sk_dsl_keys, dck_io, where); 684 *dck_out = dck_io; 685 } else { 686 dsl_crypto_key_free(dck_io); 687 *dck_out = dck_ks; 688 } 689 690 /* Release the wrapping key (the dsl key now has a reference to it) */ 691 dsl_wrapping_key_rele(wkey, FTAG); 692 rw_exit(&spa->spa_keystore.sk_dk_lock); 693 694 return (0); 695 } 696 697 void 698 spa_keystore_dsl_key_rele(spa_t *spa, dsl_crypto_key_t *dck, const void *tag) 699 { 700 rw_enter(&spa->spa_keystore.sk_dk_lock, RW_WRITER); 701 702 if (zfs_refcount_remove(&dck->dck_holds, tag) == 0) { 703 avl_remove(&spa->spa_keystore.sk_dsl_keys, dck); 704 dsl_crypto_key_free(dck); 705 } 706 707 rw_exit(&spa->spa_keystore.sk_dk_lock); 708 } 709 710 int 711 spa_keystore_load_wkey_impl(spa_t *spa, dsl_wrapping_key_t *wkey) 712 { 713 int ret; 714 avl_index_t where; 715 dsl_wrapping_key_t *found_wkey; 716 717 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 718 719 /* insert the wrapping key into the keystore */ 720 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, wkey, &where); 721 if (found_wkey != NULL) { 722 ret = SET_ERROR(EEXIST); 723 goto error_unlock; 724 } 725 avl_insert(&spa->spa_keystore.sk_wkeys, wkey, where); 726 727 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 728 729 return (0); 730 731 error_unlock: 732 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 733 return (ret); 734 } 735 736 int 737 spa_keystore_load_wkey(const char *dsname, dsl_crypto_params_t *dcp, 738 boolean_t noop) 739 { 740 int ret; 741 dsl_dir_t *dd = NULL; 742 dsl_crypto_key_t *dck = NULL; 743 dsl_wrapping_key_t *wkey = dcp->cp_wkey; 744 dsl_pool_t *dp = NULL; 745 uint64_t rddobj, keyformat, salt, iters; 746 747 /* 748 * We don't validate the wrapping key's keyformat, salt, or iters 749 * since they will never be needed after the DCK has been wrapped. 750 */ 751 if (dcp->cp_wkey == NULL || 752 dcp->cp_cmd != DCP_CMD_NONE || 753 dcp->cp_crypt != ZIO_CRYPT_INHERIT || 754 dcp->cp_keylocation != NULL) 755 return (SET_ERROR(EINVAL)); 756 757 ret = dsl_pool_hold(dsname, FTAG, &dp); 758 if (ret != 0) 759 goto error; 760 761 if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_ENCRYPTION)) { 762 ret = SET_ERROR(ENOTSUP); 763 goto error; 764 } 765 766 /* hold the dsl dir */ 767 ret = dsl_dir_hold(dp, dsname, FTAG, &dd, NULL); 768 if (ret != 0) { 769 dd = NULL; 770 goto error; 771 } 772 773 /* confirm that dd is the encryption root */ 774 ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj); 775 if (ret != 0 || rddobj != dd->dd_object) { 776 ret = SET_ERROR(EINVAL); 777 goto error; 778 } 779 780 /* initialize the wkey's ddobj */ 781 wkey->wk_ddobj = dd->dd_object; 782 783 /* verify that the wkey is correct by opening its dsl key */ 784 ret = dsl_crypto_key_open(dp->dp_meta_objset, wkey, 785 dd->dd_crypto_obj, FTAG, &dck); 786 if (ret != 0) 787 goto error; 788 789 /* initialize the wkey encryption parameters from the DSL Crypto Key */ 790 ret = zap_lookup(dp->dp_meta_objset, dd->dd_crypto_obj, 791 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 8, 1, &keyformat); 792 if (ret != 0) 793 goto error; 794 795 ret = zap_lookup(dp->dp_meta_objset, dd->dd_crypto_obj, 796 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 8, 1, &salt); 797 if (ret != 0) 798 goto error; 799 800 ret = zap_lookup(dp->dp_meta_objset, dd->dd_crypto_obj, 801 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 8, 1, &iters); 802 if (ret != 0) 803 goto error; 804 805 ASSERT3U(keyformat, <, ZFS_KEYFORMAT_FORMATS); 806 ASSERT3U(keyformat, !=, ZFS_KEYFORMAT_NONE); 807 IMPLY(keyformat == ZFS_KEYFORMAT_PASSPHRASE, iters != 0); 808 IMPLY(keyformat == ZFS_KEYFORMAT_PASSPHRASE, salt != 0); 809 IMPLY(keyformat != ZFS_KEYFORMAT_PASSPHRASE, iters == 0); 810 IMPLY(keyformat != ZFS_KEYFORMAT_PASSPHRASE, salt == 0); 811 812 wkey->wk_keyformat = keyformat; 813 wkey->wk_salt = salt; 814 wkey->wk_iters = iters; 815 816 /* 817 * At this point we have verified the wkey and confirmed that it can 818 * be used to decrypt a DSL Crypto Key. We can simply cleanup and 819 * return if this is all the user wanted to do. 820 */ 821 if (noop) 822 goto error; 823 824 /* insert the wrapping key into the keystore */ 825 ret = spa_keystore_load_wkey_impl(dp->dp_spa, wkey); 826 if (ret != 0) 827 goto error; 828 829 dsl_crypto_key_rele(dck, FTAG); 830 dsl_dir_rele(dd, FTAG); 831 dsl_pool_rele(dp, FTAG); 832 833 /* create any zvols under this ds */ 834 zvol_create_minors_recursive(dsname); 835 836 return (0); 837 838 error: 839 if (dck != NULL) 840 dsl_crypto_key_rele(dck, FTAG); 841 if (dd != NULL) 842 dsl_dir_rele(dd, FTAG); 843 if (dp != NULL) 844 dsl_pool_rele(dp, FTAG); 845 846 return (ret); 847 } 848 849 int 850 spa_keystore_unload_wkey_impl(spa_t *spa, uint64_t ddobj) 851 { 852 int ret; 853 dsl_wrapping_key_t search_wkey; 854 dsl_wrapping_key_t *found_wkey; 855 856 /* init the search wrapping key */ 857 search_wkey.wk_ddobj = ddobj; 858 859 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 860 861 /* remove the wrapping key from the keystore */ 862 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, 863 &search_wkey, NULL); 864 if (!found_wkey) { 865 ret = SET_ERROR(EACCES); 866 goto error_unlock; 867 } else if (zfs_refcount_count(&found_wkey->wk_refcnt) != 0) { 868 ret = SET_ERROR(EBUSY); 869 goto error_unlock; 870 } 871 avl_remove(&spa->spa_keystore.sk_wkeys, found_wkey); 872 873 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 874 875 /* free the wrapping key */ 876 dsl_wrapping_key_free(found_wkey); 877 878 return (0); 879 880 error_unlock: 881 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 882 return (ret); 883 } 884 885 int 886 spa_keystore_unload_wkey(const char *dsname) 887 { 888 int ret = 0; 889 dsl_dir_t *dd = NULL; 890 dsl_pool_t *dp = NULL; 891 spa_t *spa = NULL; 892 893 ret = spa_open(dsname, &spa, FTAG); 894 if (ret != 0) 895 return (ret); 896 897 /* 898 * Wait for any outstanding txg IO to complete, releasing any 899 * remaining references on the wkey. 900 */ 901 if (spa_mode(spa) != SPA_MODE_READ) 902 txg_wait_synced(spa->spa_dsl_pool, 0); 903 904 spa_close(spa, FTAG); 905 906 /* hold the dsl dir */ 907 ret = dsl_pool_hold(dsname, FTAG, &dp); 908 if (ret != 0) 909 goto error; 910 911 if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_ENCRYPTION)) { 912 ret = (SET_ERROR(ENOTSUP)); 913 goto error; 914 } 915 916 ret = dsl_dir_hold(dp, dsname, FTAG, &dd, NULL); 917 if (ret != 0) { 918 dd = NULL; 919 goto error; 920 } 921 922 /* unload the wkey */ 923 ret = spa_keystore_unload_wkey_impl(dp->dp_spa, dd->dd_object); 924 if (ret != 0) 925 goto error; 926 927 dsl_dir_rele(dd, FTAG); 928 dsl_pool_rele(dp, FTAG); 929 930 /* remove any zvols under this ds */ 931 zvol_remove_minors(dp->dp_spa, dsname, B_TRUE); 932 933 return (0); 934 935 error: 936 if (dd != NULL) 937 dsl_dir_rele(dd, FTAG); 938 if (dp != NULL) 939 dsl_pool_rele(dp, FTAG); 940 941 return (ret); 942 } 943 944 void 945 key_mapping_add_ref(dsl_key_mapping_t *km, const void *tag) 946 { 947 ASSERT3U(zfs_refcount_count(&km->km_refcnt), >=, 1); 948 zfs_refcount_add(&km->km_refcnt, tag); 949 } 950 951 /* 952 * The locking here is a little tricky to ensure we don't cause unnecessary 953 * performance problems. We want to release a key mapping whenever someone 954 * decrements the refcount to 0, but freeing the mapping requires removing 955 * it from the spa_keystore, which requires holding sk_km_lock as a writer. 956 * Most of the time we don't want to hold this lock as a writer, since the 957 * same lock is held as a reader for each IO that needs to encrypt / decrypt 958 * data for any dataset and in practice we will only actually free the 959 * mapping after unmounting a dataset. 960 */ 961 void 962 key_mapping_rele(spa_t *spa, dsl_key_mapping_t *km, const void *tag) 963 { 964 ASSERT3U(zfs_refcount_count(&km->km_refcnt), >=, 1); 965 966 if (zfs_refcount_remove(&km->km_refcnt, tag) != 0) 967 return; 968 969 /* 970 * We think we are going to need to free the mapping. Add a 971 * reference to prevent most other releasers from thinking 972 * this might be their responsibility. This is inherently 973 * racy, so we will confirm that we are legitimately the 974 * last holder once we have the sk_km_lock as a writer. 975 */ 976 zfs_refcount_add(&km->km_refcnt, FTAG); 977 978 rw_enter(&spa->spa_keystore.sk_km_lock, RW_WRITER); 979 if (zfs_refcount_remove(&km->km_refcnt, FTAG) != 0) { 980 rw_exit(&spa->spa_keystore.sk_km_lock); 981 return; 982 } 983 984 avl_remove(&spa->spa_keystore.sk_key_mappings, km); 985 rw_exit(&spa->spa_keystore.sk_km_lock); 986 987 spa_keystore_dsl_key_rele(spa, km->km_key, km); 988 zfs_refcount_destroy(&km->km_refcnt); 989 kmem_free(km, sizeof (dsl_key_mapping_t)); 990 } 991 992 int 993 spa_keystore_create_mapping(spa_t *spa, dsl_dataset_t *ds, const void *tag, 994 dsl_key_mapping_t **km_out) 995 { 996 int ret; 997 avl_index_t where; 998 dsl_key_mapping_t *km, *found_km; 999 boolean_t should_free = B_FALSE; 1000 1001 /* Allocate and initialize the mapping */ 1002 km = kmem_zalloc(sizeof (dsl_key_mapping_t), KM_SLEEP); 1003 zfs_refcount_create(&km->km_refcnt); 1004 1005 ret = spa_keystore_dsl_key_hold_dd(spa, ds->ds_dir, km, &km->km_key); 1006 if (ret != 0) { 1007 zfs_refcount_destroy(&km->km_refcnt); 1008 kmem_free(km, sizeof (dsl_key_mapping_t)); 1009 1010 if (km_out != NULL) 1011 *km_out = NULL; 1012 return (ret); 1013 } 1014 1015 km->km_dsobj = ds->ds_object; 1016 1017 rw_enter(&spa->spa_keystore.sk_km_lock, RW_WRITER); 1018 1019 /* 1020 * If a mapping already exists, simply increment its refcount and 1021 * cleanup the one we made. We want to allocate / free outside of 1022 * the lock because this lock is also used by the zio layer to lookup 1023 * key mappings. Otherwise, use the one we created. Normally, there will 1024 * only be one active reference at a time (the objset owner), but there 1025 * are times when there could be multiple async users. 1026 */ 1027 found_km = avl_find(&spa->spa_keystore.sk_key_mappings, km, &where); 1028 if (found_km != NULL) { 1029 should_free = B_TRUE; 1030 zfs_refcount_add(&found_km->km_refcnt, tag); 1031 if (km_out != NULL) 1032 *km_out = found_km; 1033 } else { 1034 zfs_refcount_add(&km->km_refcnt, tag); 1035 avl_insert(&spa->spa_keystore.sk_key_mappings, km, where); 1036 if (km_out != NULL) 1037 *km_out = km; 1038 } 1039 1040 rw_exit(&spa->spa_keystore.sk_km_lock); 1041 1042 if (should_free) { 1043 spa_keystore_dsl_key_rele(spa, km->km_key, km); 1044 zfs_refcount_destroy(&km->km_refcnt); 1045 kmem_free(km, sizeof (dsl_key_mapping_t)); 1046 } 1047 1048 return (0); 1049 } 1050 1051 int 1052 spa_keystore_remove_mapping(spa_t *spa, uint64_t dsobj, const void *tag) 1053 { 1054 int ret; 1055 dsl_key_mapping_t search_km; 1056 dsl_key_mapping_t *found_km; 1057 1058 /* init the search key mapping */ 1059 search_km.km_dsobj = dsobj; 1060 1061 rw_enter(&spa->spa_keystore.sk_km_lock, RW_READER); 1062 1063 /* find the matching mapping */ 1064 found_km = avl_find(&spa->spa_keystore.sk_key_mappings, 1065 &search_km, NULL); 1066 if (found_km == NULL) { 1067 ret = SET_ERROR(ENOENT); 1068 goto error_unlock; 1069 } 1070 1071 rw_exit(&spa->spa_keystore.sk_km_lock); 1072 1073 key_mapping_rele(spa, found_km, tag); 1074 1075 return (0); 1076 1077 error_unlock: 1078 rw_exit(&spa->spa_keystore.sk_km_lock); 1079 return (ret); 1080 } 1081 1082 /* 1083 * This function is primarily used by the zio and arc layer to lookup 1084 * DSL Crypto Keys for encryption. Callers must release the key with 1085 * spa_keystore_dsl_key_rele(). The function may also be called with 1086 * dck_out == NULL and tag == NULL to simply check that a key exists 1087 * without getting a reference to it. 1088 */ 1089 int 1090 spa_keystore_lookup_key(spa_t *spa, uint64_t dsobj, const void *tag, 1091 dsl_crypto_key_t **dck_out) 1092 { 1093 int ret; 1094 dsl_key_mapping_t search_km; 1095 dsl_key_mapping_t *found_km; 1096 1097 ASSERT((tag != NULL && dck_out != NULL) || 1098 (tag == NULL && dck_out == NULL)); 1099 1100 /* init the search key mapping */ 1101 search_km.km_dsobj = dsobj; 1102 1103 rw_enter(&spa->spa_keystore.sk_km_lock, RW_READER); 1104 1105 /* remove the mapping from the tree */ 1106 found_km = avl_find(&spa->spa_keystore.sk_key_mappings, &search_km, 1107 NULL); 1108 if (found_km == NULL) { 1109 ret = SET_ERROR(ENOENT); 1110 goto error_unlock; 1111 } 1112 1113 if (found_km && tag) 1114 zfs_refcount_add(&found_km->km_key->dck_holds, tag); 1115 1116 rw_exit(&spa->spa_keystore.sk_km_lock); 1117 1118 if (dck_out != NULL) 1119 *dck_out = found_km->km_key; 1120 return (0); 1121 1122 error_unlock: 1123 rw_exit(&spa->spa_keystore.sk_km_lock); 1124 1125 if (dck_out != NULL) 1126 *dck_out = NULL; 1127 return (ret); 1128 } 1129 1130 static int 1131 dmu_objset_check_wkey_loaded(dsl_dir_t *dd) 1132 { 1133 int ret; 1134 dsl_wrapping_key_t *wkey = NULL; 1135 1136 ret = spa_keystore_wkey_hold_dd(dd->dd_pool->dp_spa, dd, FTAG, 1137 &wkey); 1138 if (ret != 0) 1139 return (SET_ERROR(EACCES)); 1140 1141 dsl_wrapping_key_rele(wkey, FTAG); 1142 1143 return (0); 1144 } 1145 1146 zfs_keystatus_t 1147 dsl_dataset_get_keystatus(dsl_dir_t *dd) 1148 { 1149 /* check if this dd has a has a dsl key */ 1150 if (dd->dd_crypto_obj == 0) 1151 return (ZFS_KEYSTATUS_NONE); 1152 1153 return (dmu_objset_check_wkey_loaded(dd) == 0 ? 1154 ZFS_KEYSTATUS_AVAILABLE : ZFS_KEYSTATUS_UNAVAILABLE); 1155 } 1156 1157 static int 1158 dsl_dir_get_crypt(dsl_dir_t *dd, uint64_t *crypt) 1159 { 1160 if (dd->dd_crypto_obj == 0) { 1161 *crypt = ZIO_CRYPT_OFF; 1162 return (0); 1163 } 1164 1165 return (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 1166 DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, crypt)); 1167 } 1168 1169 static void 1170 dsl_crypto_key_sync_impl(objset_t *mos, uint64_t dckobj, uint64_t crypt, 1171 uint64_t root_ddobj, uint64_t guid, uint8_t *iv, uint8_t *mac, 1172 uint8_t *keydata, uint8_t *hmac_keydata, uint64_t keyformat, 1173 uint64_t salt, uint64_t iters, dmu_tx_t *tx) 1174 { 1175 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, 1176 &crypt, tx)); 1177 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_ROOT_DDOBJ, 8, 1, 1178 &root_ddobj, tx)); 1179 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_GUID, 8, 1, 1180 &guid, tx)); 1181 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_IV, 1, WRAPPING_IV_LEN, 1182 iv, tx)); 1183 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_MAC, 1, WRAPPING_MAC_LEN, 1184 mac, tx)); 1185 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_MASTER_KEY, 1, 1186 MASTER_KEY_MAX_LEN, keydata, tx)); 1187 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_HMAC_KEY, 1, 1188 SHA512_HMAC_KEYLEN, hmac_keydata, tx)); 1189 VERIFY0(zap_update(mos, dckobj, zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 1190 8, 1, &keyformat, tx)); 1191 VERIFY0(zap_update(mos, dckobj, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 1192 8, 1, &salt, tx)); 1193 VERIFY0(zap_update(mos, dckobj, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 1194 8, 1, &iters, tx)); 1195 } 1196 1197 static void 1198 dsl_crypto_key_sync(dsl_crypto_key_t *dck, dmu_tx_t *tx) 1199 { 1200 zio_crypt_key_t *key = &dck->dck_key; 1201 dsl_wrapping_key_t *wkey = dck->dck_wkey; 1202 uint8_t keydata[MASTER_KEY_MAX_LEN]; 1203 uint8_t hmac_keydata[SHA512_HMAC_KEYLEN]; 1204 uint8_t iv[WRAPPING_IV_LEN]; 1205 uint8_t mac[WRAPPING_MAC_LEN]; 1206 1207 ASSERT(dmu_tx_is_syncing(tx)); 1208 ASSERT3U(key->zk_crypt, <, ZIO_CRYPT_FUNCTIONS); 1209 1210 /* encrypt and store the keys along with the IV and MAC */ 1211 VERIFY0(zio_crypt_key_wrap(&dck->dck_wkey->wk_key, key, iv, mac, 1212 keydata, hmac_keydata)); 1213 1214 /* update the ZAP with the obtained values */ 1215 dsl_crypto_key_sync_impl(tx->tx_pool->dp_meta_objset, dck->dck_obj, 1216 key->zk_crypt, wkey->wk_ddobj, key->zk_guid, iv, mac, keydata, 1217 hmac_keydata, wkey->wk_keyformat, wkey->wk_salt, wkey->wk_iters, 1218 tx); 1219 } 1220 1221 typedef struct spa_keystore_change_key_args { 1222 const char *skcka_dsname; 1223 dsl_crypto_params_t *skcka_cp; 1224 } spa_keystore_change_key_args_t; 1225 1226 static int 1227 spa_keystore_change_key_check(void *arg, dmu_tx_t *tx) 1228 { 1229 int ret; 1230 dsl_dir_t *dd = NULL; 1231 dsl_pool_t *dp = dmu_tx_pool(tx); 1232 spa_keystore_change_key_args_t *skcka = arg; 1233 dsl_crypto_params_t *dcp = skcka->skcka_cp; 1234 uint64_t rddobj; 1235 1236 /* check for the encryption feature */ 1237 if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_ENCRYPTION)) { 1238 ret = SET_ERROR(ENOTSUP); 1239 goto error; 1240 } 1241 1242 /* check for valid key change command */ 1243 if (dcp->cp_cmd != DCP_CMD_NEW_KEY && 1244 dcp->cp_cmd != DCP_CMD_INHERIT && 1245 dcp->cp_cmd != DCP_CMD_FORCE_NEW_KEY && 1246 dcp->cp_cmd != DCP_CMD_FORCE_INHERIT) { 1247 ret = SET_ERROR(EINVAL); 1248 goto error; 1249 } 1250 1251 /* hold the dd */ 1252 ret = dsl_dir_hold(dp, skcka->skcka_dsname, FTAG, &dd, NULL); 1253 if (ret != 0) { 1254 dd = NULL; 1255 goto error; 1256 } 1257 1258 /* verify that the dataset is encrypted */ 1259 if (dd->dd_crypto_obj == 0) { 1260 ret = SET_ERROR(EINVAL); 1261 goto error; 1262 } 1263 1264 /* clones must always use their origin's key */ 1265 if (dsl_dir_is_clone(dd)) { 1266 ret = SET_ERROR(EINVAL); 1267 goto error; 1268 } 1269 1270 /* lookup the ddobj we are inheriting the keylocation from */ 1271 ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj); 1272 if (ret != 0) 1273 goto error; 1274 1275 /* Handle inheritance */ 1276 if (dcp->cp_cmd == DCP_CMD_INHERIT || 1277 dcp->cp_cmd == DCP_CMD_FORCE_INHERIT) { 1278 /* no other encryption params should be given */ 1279 if (dcp->cp_crypt != ZIO_CRYPT_INHERIT || 1280 dcp->cp_keylocation != NULL || 1281 dcp->cp_wkey != NULL) { 1282 ret = SET_ERROR(EINVAL); 1283 goto error; 1284 } 1285 1286 /* check that this is an encryption root */ 1287 if (dd->dd_object != rddobj) { 1288 ret = SET_ERROR(EINVAL); 1289 goto error; 1290 } 1291 1292 /* check that the parent is encrypted */ 1293 if (dd->dd_parent->dd_crypto_obj == 0) { 1294 ret = SET_ERROR(EINVAL); 1295 goto error; 1296 } 1297 1298 /* if we are rewrapping check that both keys are loaded */ 1299 if (dcp->cp_cmd == DCP_CMD_INHERIT) { 1300 ret = dmu_objset_check_wkey_loaded(dd); 1301 if (ret != 0) 1302 goto error; 1303 1304 ret = dmu_objset_check_wkey_loaded(dd->dd_parent); 1305 if (ret != 0) 1306 goto error; 1307 } 1308 1309 dsl_dir_rele(dd, FTAG); 1310 return (0); 1311 } 1312 1313 /* handle forcing an encryption root without rewrapping */ 1314 if (dcp->cp_cmd == DCP_CMD_FORCE_NEW_KEY) { 1315 /* no other encryption params should be given */ 1316 if (dcp->cp_crypt != ZIO_CRYPT_INHERIT || 1317 dcp->cp_keylocation != NULL || 1318 dcp->cp_wkey != NULL) { 1319 ret = SET_ERROR(EINVAL); 1320 goto error; 1321 } 1322 1323 /* check that this is not an encryption root */ 1324 if (dd->dd_object == rddobj) { 1325 ret = SET_ERROR(EINVAL); 1326 goto error; 1327 } 1328 1329 dsl_dir_rele(dd, FTAG); 1330 return (0); 1331 } 1332 1333 /* crypt cannot be changed after creation */ 1334 if (dcp->cp_crypt != ZIO_CRYPT_INHERIT) { 1335 ret = SET_ERROR(EINVAL); 1336 goto error; 1337 } 1338 1339 /* we are not inheritting our parent's wkey so we need one ourselves */ 1340 if (dcp->cp_wkey == NULL) { 1341 ret = SET_ERROR(EINVAL); 1342 goto error; 1343 } 1344 1345 /* check for a valid keyformat for the new wrapping key */ 1346 if (dcp->cp_wkey->wk_keyformat >= ZFS_KEYFORMAT_FORMATS || 1347 dcp->cp_wkey->wk_keyformat == ZFS_KEYFORMAT_NONE) { 1348 ret = SET_ERROR(EINVAL); 1349 goto error; 1350 } 1351 1352 /* 1353 * If this dataset is not currently an encryption root we need a new 1354 * keylocation for this dataset's new wrapping key. Otherwise we can 1355 * just keep the one we already had. 1356 */ 1357 if (dd->dd_object != rddobj && dcp->cp_keylocation == NULL) { 1358 ret = SET_ERROR(EINVAL); 1359 goto error; 1360 } 1361 1362 /* check that the keylocation is valid if it is not NULL */ 1363 if (dcp->cp_keylocation != NULL && 1364 !zfs_prop_valid_keylocation(dcp->cp_keylocation, B_TRUE)) { 1365 ret = SET_ERROR(EINVAL); 1366 goto error; 1367 } 1368 1369 /* passphrases require pbkdf2 salt and iters */ 1370 if (dcp->cp_wkey->wk_keyformat == ZFS_KEYFORMAT_PASSPHRASE) { 1371 if (dcp->cp_wkey->wk_salt == 0 || 1372 dcp->cp_wkey->wk_iters < MIN_PBKDF2_ITERATIONS) { 1373 ret = SET_ERROR(EINVAL); 1374 goto error; 1375 } 1376 } else { 1377 if (dcp->cp_wkey->wk_salt != 0 || dcp->cp_wkey->wk_iters != 0) { 1378 ret = SET_ERROR(EINVAL); 1379 goto error; 1380 } 1381 } 1382 1383 /* make sure the dd's wkey is loaded */ 1384 ret = dmu_objset_check_wkey_loaded(dd); 1385 if (ret != 0) 1386 goto error; 1387 1388 dsl_dir_rele(dd, FTAG); 1389 1390 return (0); 1391 1392 error: 1393 if (dd != NULL) 1394 dsl_dir_rele(dd, FTAG); 1395 1396 return (ret); 1397 } 1398 1399 /* 1400 * This function deals with the intricacies of updating wrapping 1401 * key references and encryption roots recursively in the event 1402 * of a call to 'zfs change-key' or 'zfs promote'. The 'skip' 1403 * parameter should always be set to B_FALSE when called 1404 * externally. 1405 */ 1406 static void 1407 spa_keystore_change_key_sync_impl(uint64_t rddobj, uint64_t ddobj, 1408 uint64_t new_rddobj, dsl_wrapping_key_t *wkey, boolean_t skip, 1409 dmu_tx_t *tx) 1410 { 1411 int ret; 1412 zap_cursor_t *zc; 1413 zap_attribute_t *za; 1414 dsl_pool_t *dp = dmu_tx_pool(tx); 1415 dsl_dir_t *dd = NULL; 1416 dsl_crypto_key_t *dck = NULL; 1417 uint64_t curr_rddobj; 1418 1419 ASSERT(RW_WRITE_HELD(&dp->dp_spa->spa_keystore.sk_wkeys_lock)); 1420 1421 /* hold the dd */ 1422 VERIFY0(dsl_dir_hold_obj(dp, ddobj, NULL, FTAG, &dd)); 1423 1424 /* ignore special dsl dirs */ 1425 if (dd->dd_myname[0] == '$' || dd->dd_myname[0] == '%') { 1426 dsl_dir_rele(dd, FTAG); 1427 return; 1428 } 1429 1430 ret = dsl_dir_get_encryption_root_ddobj(dd, &curr_rddobj); 1431 VERIFY(ret == 0 || ret == ENOENT); 1432 1433 /* 1434 * Stop recursing if this dsl dir didn't inherit from the root 1435 * or if this dd is a clone. 1436 */ 1437 if (ret == ENOENT || 1438 (!skip && (curr_rddobj != rddobj || dsl_dir_is_clone(dd)))) { 1439 dsl_dir_rele(dd, FTAG); 1440 return; 1441 } 1442 1443 /* 1444 * If we don't have a wrapping key just update the dck to reflect the 1445 * new encryption root. Otherwise rewrap the entire dck and re-sync it 1446 * to disk. If skip is set, we don't do any of this work. 1447 */ 1448 if (!skip) { 1449 if (wkey == NULL) { 1450 VERIFY0(zap_update(dp->dp_meta_objset, 1451 dd->dd_crypto_obj, 1452 DSL_CRYPTO_KEY_ROOT_DDOBJ, 8, 1, 1453 &new_rddobj, tx)); 1454 } else { 1455 VERIFY0(spa_keystore_dsl_key_hold_dd(dp->dp_spa, dd, 1456 FTAG, &dck)); 1457 dsl_wrapping_key_hold(wkey, dck); 1458 dsl_wrapping_key_rele(dck->dck_wkey, dck); 1459 dck->dck_wkey = wkey; 1460 dsl_crypto_key_sync(dck, tx); 1461 spa_keystore_dsl_key_rele(dp->dp_spa, dck, FTAG); 1462 } 1463 } 1464 1465 zc = kmem_alloc(sizeof (zap_cursor_t), KM_SLEEP); 1466 za = kmem_alloc(sizeof (zap_attribute_t), KM_SLEEP); 1467 1468 /* Recurse into all child dsl dirs. */ 1469 for (zap_cursor_init(zc, dp->dp_meta_objset, 1470 dsl_dir_phys(dd)->dd_child_dir_zapobj); 1471 zap_cursor_retrieve(zc, za) == 0; 1472 zap_cursor_advance(zc)) { 1473 spa_keystore_change_key_sync_impl(rddobj, 1474 za->za_first_integer, new_rddobj, wkey, B_FALSE, tx); 1475 } 1476 zap_cursor_fini(zc); 1477 1478 /* 1479 * Recurse into all dsl dirs of clones. We utilize the skip parameter 1480 * here so that we don't attempt to process the clones directly. This 1481 * is because the clone and its origin share the same dck, which has 1482 * already been updated. 1483 */ 1484 for (zap_cursor_init(zc, dp->dp_meta_objset, 1485 dsl_dir_phys(dd)->dd_clones); 1486 zap_cursor_retrieve(zc, za) == 0; 1487 zap_cursor_advance(zc)) { 1488 dsl_dataset_t *clone; 1489 1490 VERIFY0(dsl_dataset_hold_obj(dp, za->za_first_integer, 1491 FTAG, &clone)); 1492 spa_keystore_change_key_sync_impl(rddobj, 1493 clone->ds_dir->dd_object, new_rddobj, wkey, B_TRUE, tx); 1494 dsl_dataset_rele(clone, FTAG); 1495 } 1496 zap_cursor_fini(zc); 1497 1498 kmem_free(za, sizeof (zap_attribute_t)); 1499 kmem_free(zc, sizeof (zap_cursor_t)); 1500 1501 dsl_dir_rele(dd, FTAG); 1502 } 1503 1504 static void 1505 spa_keystore_change_key_sync(void *arg, dmu_tx_t *tx) 1506 { 1507 dsl_dataset_t *ds; 1508 avl_index_t where; 1509 dsl_pool_t *dp = dmu_tx_pool(tx); 1510 spa_t *spa = dp->dp_spa; 1511 spa_keystore_change_key_args_t *skcka = arg; 1512 dsl_crypto_params_t *dcp = skcka->skcka_cp; 1513 dsl_wrapping_key_t *wkey = NULL, *found_wkey; 1514 dsl_wrapping_key_t wkey_search; 1515 const char *keylocation = dcp->cp_keylocation; 1516 uint64_t rddobj, new_rddobj; 1517 1518 /* create and initialize the wrapping key */ 1519 VERIFY0(dsl_dataset_hold(dp, skcka->skcka_dsname, FTAG, &ds)); 1520 ASSERT(!ds->ds_is_snapshot); 1521 1522 if (dcp->cp_cmd == DCP_CMD_NEW_KEY || 1523 dcp->cp_cmd == DCP_CMD_FORCE_NEW_KEY) { 1524 /* 1525 * We are changing to a new wkey. Set additional properties 1526 * which can be sent along with this ioctl. Note that this 1527 * command can set keylocation even if it can't normally be 1528 * set via 'zfs set' due to a non-local keylocation. 1529 */ 1530 if (dcp->cp_cmd == DCP_CMD_NEW_KEY) { 1531 wkey = dcp->cp_wkey; 1532 wkey->wk_ddobj = ds->ds_dir->dd_object; 1533 } else { 1534 keylocation = "prompt"; 1535 } 1536 1537 if (keylocation != NULL) { 1538 dsl_prop_set_sync_impl(ds, 1539 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1540 ZPROP_SRC_LOCAL, 1, strlen(keylocation) + 1, 1541 keylocation, tx); 1542 } 1543 1544 VERIFY0(dsl_dir_get_encryption_root_ddobj(ds->ds_dir, &rddobj)); 1545 new_rddobj = ds->ds_dir->dd_object; 1546 } else { 1547 /* 1548 * We are inheritting the parent's wkey. Unset any local 1549 * keylocation and grab a reference to the wkey. 1550 */ 1551 if (dcp->cp_cmd == DCP_CMD_INHERIT) { 1552 VERIFY0(spa_keystore_wkey_hold_dd(spa, 1553 ds->ds_dir->dd_parent, FTAG, &wkey)); 1554 } 1555 1556 dsl_prop_set_sync_impl(ds, 1557 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), ZPROP_SRC_NONE, 1558 0, 0, NULL, tx); 1559 1560 rddobj = ds->ds_dir->dd_object; 1561 VERIFY0(dsl_dir_get_encryption_root_ddobj(ds->ds_dir->dd_parent, 1562 &new_rddobj)); 1563 } 1564 1565 if (wkey == NULL) { 1566 ASSERT(dcp->cp_cmd == DCP_CMD_FORCE_INHERIT || 1567 dcp->cp_cmd == DCP_CMD_FORCE_NEW_KEY); 1568 } 1569 1570 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 1571 1572 /* recurse through all children and rewrap their keys */ 1573 spa_keystore_change_key_sync_impl(rddobj, ds->ds_dir->dd_object, 1574 new_rddobj, wkey, B_FALSE, tx); 1575 1576 /* 1577 * All references to the old wkey should be released now (if it 1578 * existed). Replace the wrapping key. 1579 */ 1580 wkey_search.wk_ddobj = ds->ds_dir->dd_object; 1581 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, &wkey_search, NULL); 1582 if (found_wkey != NULL) { 1583 ASSERT0(zfs_refcount_count(&found_wkey->wk_refcnt)); 1584 avl_remove(&spa->spa_keystore.sk_wkeys, found_wkey); 1585 dsl_wrapping_key_free(found_wkey); 1586 } 1587 1588 if (dcp->cp_cmd == DCP_CMD_NEW_KEY) { 1589 avl_find(&spa->spa_keystore.sk_wkeys, wkey, &where); 1590 avl_insert(&spa->spa_keystore.sk_wkeys, wkey, where); 1591 } else if (wkey != NULL) { 1592 dsl_wrapping_key_rele(wkey, FTAG); 1593 } 1594 1595 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 1596 1597 dsl_dataset_rele(ds, FTAG); 1598 } 1599 1600 int 1601 spa_keystore_change_key(const char *dsname, dsl_crypto_params_t *dcp) 1602 { 1603 spa_keystore_change_key_args_t skcka; 1604 1605 /* initialize the args struct */ 1606 skcka.skcka_dsname = dsname; 1607 skcka.skcka_cp = dcp; 1608 1609 /* 1610 * Perform the actual work in syncing context. The blocks modified 1611 * here could be calculated but it would require holding the pool 1612 * lock and traversing all of the datasets that will have their keys 1613 * changed. 1614 */ 1615 return (dsl_sync_task(dsname, spa_keystore_change_key_check, 1616 spa_keystore_change_key_sync, &skcka, 15, 1617 ZFS_SPACE_CHECK_RESERVED)); 1618 } 1619 1620 int 1621 dsl_dir_rename_crypt_check(dsl_dir_t *dd, dsl_dir_t *newparent) 1622 { 1623 int ret; 1624 uint64_t curr_rddobj, parent_rddobj; 1625 1626 if (dd->dd_crypto_obj == 0) 1627 return (0); 1628 1629 ret = dsl_dir_get_encryption_root_ddobj(dd, &curr_rddobj); 1630 if (ret != 0) 1631 goto error; 1632 1633 /* 1634 * if this is not an encryption root, we must make sure we are not 1635 * moving dd to a new encryption root 1636 */ 1637 if (dd->dd_object != curr_rddobj) { 1638 ret = dsl_dir_get_encryption_root_ddobj(newparent, 1639 &parent_rddobj); 1640 if (ret != 0) 1641 goto error; 1642 1643 if (parent_rddobj != curr_rddobj) { 1644 ret = SET_ERROR(EACCES); 1645 goto error; 1646 } 1647 } 1648 1649 return (0); 1650 1651 error: 1652 return (ret); 1653 } 1654 1655 /* 1656 * Check to make sure that a promote from targetdd to origindd will not require 1657 * any key rewraps. 1658 */ 1659 int 1660 dsl_dataset_promote_crypt_check(dsl_dir_t *target, dsl_dir_t *origin) 1661 { 1662 int ret; 1663 uint64_t rddobj, op_rddobj, tp_rddobj; 1664 1665 /* If the dataset is not encrypted we don't need to check anything */ 1666 if (origin->dd_crypto_obj == 0) 1667 return (0); 1668 1669 /* 1670 * If we are not changing the first origin snapshot in a chain 1671 * the encryption root won't change either. 1672 */ 1673 if (dsl_dir_is_clone(origin)) 1674 return (0); 1675 1676 /* 1677 * If the origin is the encryption root we will update 1678 * the DSL Crypto Key to point to the target instead. 1679 */ 1680 ret = dsl_dir_get_encryption_root_ddobj(origin, &rddobj); 1681 if (ret != 0) 1682 return (ret); 1683 1684 if (rddobj == origin->dd_object) 1685 return (0); 1686 1687 /* 1688 * The origin is inheriting its encryption root from its parent. 1689 * Check that the parent of the target has the same encryption root. 1690 */ 1691 ret = dsl_dir_get_encryption_root_ddobj(origin->dd_parent, &op_rddobj); 1692 if (ret == ENOENT) 1693 return (SET_ERROR(EACCES)); 1694 else if (ret != 0) 1695 return (ret); 1696 1697 ret = dsl_dir_get_encryption_root_ddobj(target->dd_parent, &tp_rddobj); 1698 if (ret == ENOENT) 1699 return (SET_ERROR(EACCES)); 1700 else if (ret != 0) 1701 return (ret); 1702 1703 if (op_rddobj != tp_rddobj) 1704 return (SET_ERROR(EACCES)); 1705 1706 return (0); 1707 } 1708 1709 void 1710 dsl_dataset_promote_crypt_sync(dsl_dir_t *target, dsl_dir_t *origin, 1711 dmu_tx_t *tx) 1712 { 1713 uint64_t rddobj; 1714 dsl_pool_t *dp = target->dd_pool; 1715 dsl_dataset_t *targetds; 1716 dsl_dataset_t *originds; 1717 char *keylocation; 1718 1719 if (origin->dd_crypto_obj == 0) 1720 return; 1721 if (dsl_dir_is_clone(origin)) 1722 return; 1723 1724 VERIFY0(dsl_dir_get_encryption_root_ddobj(origin, &rddobj)); 1725 1726 if (rddobj != origin->dd_object) 1727 return; 1728 1729 /* 1730 * If the target is being promoted to the encryption root update the 1731 * DSL Crypto Key and keylocation to reflect that. We also need to 1732 * update the DSL Crypto Keys of all children inheritting their 1733 * encryption root to point to the new target. Otherwise, the check 1734 * function ensured that the encryption root will not change. 1735 */ 1736 keylocation = kmem_alloc(ZAP_MAXVALUELEN, KM_SLEEP); 1737 1738 VERIFY0(dsl_dataset_hold_obj(dp, 1739 dsl_dir_phys(target)->dd_head_dataset_obj, FTAG, &targetds)); 1740 VERIFY0(dsl_dataset_hold_obj(dp, 1741 dsl_dir_phys(origin)->dd_head_dataset_obj, FTAG, &originds)); 1742 1743 VERIFY0(dsl_prop_get_dd(origin, zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1744 1, ZAP_MAXVALUELEN, keylocation, NULL, B_FALSE)); 1745 dsl_prop_set_sync_impl(targetds, zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1746 ZPROP_SRC_LOCAL, 1, strlen(keylocation) + 1, keylocation, tx); 1747 dsl_prop_set_sync_impl(originds, zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1748 ZPROP_SRC_NONE, 0, 0, NULL, tx); 1749 1750 rw_enter(&dp->dp_spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 1751 spa_keystore_change_key_sync_impl(rddobj, origin->dd_object, 1752 target->dd_object, NULL, B_FALSE, tx); 1753 rw_exit(&dp->dp_spa->spa_keystore.sk_wkeys_lock); 1754 1755 dsl_dataset_rele(targetds, FTAG); 1756 dsl_dataset_rele(originds, FTAG); 1757 kmem_free(keylocation, ZAP_MAXVALUELEN); 1758 } 1759 1760 int 1761 dmu_objset_create_crypt_check(dsl_dir_t *parentdd, dsl_crypto_params_t *dcp, 1762 boolean_t *will_encrypt) 1763 { 1764 int ret; 1765 uint64_t pcrypt, crypt; 1766 dsl_crypto_params_t dummy_dcp = { 0 }; 1767 1768 if (will_encrypt != NULL) 1769 *will_encrypt = B_FALSE; 1770 1771 if (dcp == NULL) 1772 dcp = &dummy_dcp; 1773 1774 if (dcp->cp_cmd != DCP_CMD_NONE) 1775 return (SET_ERROR(EINVAL)); 1776 1777 if (parentdd != NULL) { 1778 ret = dsl_dir_get_crypt(parentdd, &pcrypt); 1779 if (ret != 0) 1780 return (ret); 1781 } else { 1782 pcrypt = ZIO_CRYPT_OFF; 1783 } 1784 1785 crypt = (dcp->cp_crypt == ZIO_CRYPT_INHERIT) ? pcrypt : dcp->cp_crypt; 1786 1787 ASSERT3U(pcrypt, !=, ZIO_CRYPT_INHERIT); 1788 ASSERT3U(crypt, !=, ZIO_CRYPT_INHERIT); 1789 1790 /* check for valid dcp with no encryption (inherited or local) */ 1791 if (crypt == ZIO_CRYPT_OFF) { 1792 /* Must not specify encryption params */ 1793 if (dcp->cp_wkey != NULL || 1794 (dcp->cp_keylocation != NULL && 1795 strcmp(dcp->cp_keylocation, "none") != 0)) 1796 return (SET_ERROR(EINVAL)); 1797 1798 return (0); 1799 } 1800 1801 if (will_encrypt != NULL) 1802 *will_encrypt = B_TRUE; 1803 1804 /* 1805 * We will now definitely be encrypting. Check the feature flag. When 1806 * creating the pool the caller will check this for us since we won't 1807 * technically have the feature activated yet. 1808 */ 1809 if (parentdd != NULL && 1810 !spa_feature_is_enabled(parentdd->dd_pool->dp_spa, 1811 SPA_FEATURE_ENCRYPTION)) { 1812 return (SET_ERROR(EOPNOTSUPP)); 1813 } 1814 1815 /* Check for errata #4 (encryption enabled, bookmark_v2 disabled) */ 1816 if (parentdd != NULL && 1817 !spa_feature_is_enabled(parentdd->dd_pool->dp_spa, 1818 SPA_FEATURE_BOOKMARK_V2)) { 1819 return (SET_ERROR(EOPNOTSUPP)); 1820 } 1821 1822 /* handle inheritance */ 1823 if (dcp->cp_wkey == NULL) { 1824 ASSERT3P(parentdd, !=, NULL); 1825 1826 /* key must be fully unspecified */ 1827 if (dcp->cp_keylocation != NULL) 1828 return (SET_ERROR(EINVAL)); 1829 1830 /* parent must have a key to inherit */ 1831 if (pcrypt == ZIO_CRYPT_OFF) 1832 return (SET_ERROR(EINVAL)); 1833 1834 /* check for parent key */ 1835 ret = dmu_objset_check_wkey_loaded(parentdd); 1836 if (ret != 0) 1837 return (ret); 1838 1839 return (0); 1840 } 1841 1842 /* At this point we should have a fully specified key. Check location */ 1843 if (dcp->cp_keylocation == NULL || 1844 !zfs_prop_valid_keylocation(dcp->cp_keylocation, B_TRUE)) 1845 return (SET_ERROR(EINVAL)); 1846 1847 /* Must have fully specified keyformat */ 1848 switch (dcp->cp_wkey->wk_keyformat) { 1849 case ZFS_KEYFORMAT_HEX: 1850 case ZFS_KEYFORMAT_RAW: 1851 /* requires no pbkdf2 iters and salt */ 1852 if (dcp->cp_wkey->wk_salt != 0 || dcp->cp_wkey->wk_iters != 0) 1853 return (SET_ERROR(EINVAL)); 1854 break; 1855 case ZFS_KEYFORMAT_PASSPHRASE: 1856 /* requires pbkdf2 iters and salt */ 1857 if (dcp->cp_wkey->wk_salt == 0 || 1858 dcp->cp_wkey->wk_iters < MIN_PBKDF2_ITERATIONS) 1859 return (SET_ERROR(EINVAL)); 1860 break; 1861 case ZFS_KEYFORMAT_NONE: 1862 default: 1863 /* keyformat must be specified and valid */ 1864 return (SET_ERROR(EINVAL)); 1865 } 1866 1867 return (0); 1868 } 1869 1870 void 1871 dsl_dataset_create_crypt_sync(uint64_t dsobj, dsl_dir_t *dd, 1872 dsl_dataset_t *origin, dsl_crypto_params_t *dcp, dmu_tx_t *tx) 1873 { 1874 dsl_pool_t *dp = dd->dd_pool; 1875 uint64_t crypt; 1876 dsl_wrapping_key_t *wkey; 1877 1878 /* clones always use their origin's wrapping key */ 1879 if (dsl_dir_is_clone(dd)) { 1880 ASSERT3P(dcp, ==, NULL); 1881 1882 /* 1883 * If this is an encrypted clone we just need to clone the 1884 * dck into dd. Zapify the dd so we can do that. 1885 */ 1886 if (origin->ds_dir->dd_crypto_obj != 0) { 1887 dmu_buf_will_dirty(dd->dd_dbuf, tx); 1888 dsl_dir_zapify(dd, tx); 1889 1890 dd->dd_crypto_obj = 1891 dsl_crypto_key_clone_sync(origin->ds_dir, tx); 1892 VERIFY0(zap_add(dp->dp_meta_objset, dd->dd_object, 1893 DD_FIELD_CRYPTO_KEY_OBJ, sizeof (uint64_t), 1, 1894 &dd->dd_crypto_obj, tx)); 1895 } 1896 1897 return; 1898 } 1899 1900 /* 1901 * A NULL dcp at this point indicates this is the origin dataset 1902 * which does not have an objset to encrypt. Raw receives will handle 1903 * encryption separately later. In both cases we can simply return. 1904 */ 1905 if (dcp == NULL || dcp->cp_cmd == DCP_CMD_RAW_RECV) 1906 return; 1907 1908 crypt = dcp->cp_crypt; 1909 wkey = dcp->cp_wkey; 1910 1911 /* figure out the effective crypt */ 1912 if (crypt == ZIO_CRYPT_INHERIT && dd->dd_parent != NULL) 1913 VERIFY0(dsl_dir_get_crypt(dd->dd_parent, &crypt)); 1914 1915 /* if we aren't doing encryption just return */ 1916 if (crypt == ZIO_CRYPT_OFF || crypt == ZIO_CRYPT_INHERIT) 1917 return; 1918 1919 /* zapify the dd so that we can add the crypto key obj to it */ 1920 dmu_buf_will_dirty(dd->dd_dbuf, tx); 1921 dsl_dir_zapify(dd, tx); 1922 1923 /* use the new key if given or inherit from the parent */ 1924 if (wkey == NULL) { 1925 VERIFY0(spa_keystore_wkey_hold_dd(dp->dp_spa, 1926 dd->dd_parent, FTAG, &wkey)); 1927 } else { 1928 wkey->wk_ddobj = dd->dd_object; 1929 } 1930 1931 ASSERT3P(wkey, !=, NULL); 1932 1933 /* Create or clone the DSL crypto key and activate the feature */ 1934 dd->dd_crypto_obj = dsl_crypto_key_create_sync(crypt, wkey, tx); 1935 VERIFY0(zap_add(dp->dp_meta_objset, dd->dd_object, 1936 DD_FIELD_CRYPTO_KEY_OBJ, sizeof (uint64_t), 1, &dd->dd_crypto_obj, 1937 tx)); 1938 dsl_dataset_activate_feature(dsobj, SPA_FEATURE_ENCRYPTION, 1939 (void *)B_TRUE, tx); 1940 1941 /* 1942 * If we inherited the wrapping key we release our reference now. 1943 * Otherwise, this is a new key and we need to load it into the 1944 * keystore. 1945 */ 1946 if (dcp->cp_wkey == NULL) { 1947 dsl_wrapping_key_rele(wkey, FTAG); 1948 } else { 1949 VERIFY0(spa_keystore_load_wkey_impl(dp->dp_spa, wkey)); 1950 } 1951 } 1952 1953 typedef struct dsl_crypto_recv_key_arg { 1954 uint64_t dcrka_dsobj; 1955 uint64_t dcrka_fromobj; 1956 dmu_objset_type_t dcrka_ostype; 1957 nvlist_t *dcrka_nvl; 1958 boolean_t dcrka_do_key; 1959 } dsl_crypto_recv_key_arg_t; 1960 1961 static int 1962 dsl_crypto_recv_raw_objset_check(dsl_dataset_t *ds, dsl_dataset_t *fromds, 1963 dmu_objset_type_t ostype, nvlist_t *nvl, dmu_tx_t *tx) 1964 { 1965 int ret; 1966 objset_t *os; 1967 dnode_t *mdn; 1968 uint8_t *buf = NULL; 1969 uint_t len; 1970 uint64_t intval, nlevels, blksz, ibs; 1971 uint64_t nblkptr, maxblkid; 1972 1973 if (ostype != DMU_OST_ZFS && ostype != DMU_OST_ZVOL) 1974 return (SET_ERROR(EINVAL)); 1975 1976 /* raw receives also need info about the structure of the metadnode */ 1977 ret = nvlist_lookup_uint64(nvl, "mdn_compress", &intval); 1978 if (ret != 0 || intval >= ZIO_COMPRESS_LEGACY_FUNCTIONS) 1979 return (SET_ERROR(EINVAL)); 1980 1981 ret = nvlist_lookup_uint64(nvl, "mdn_checksum", &intval); 1982 if (ret != 0 || intval >= ZIO_CHECKSUM_LEGACY_FUNCTIONS) 1983 return (SET_ERROR(EINVAL)); 1984 1985 ret = nvlist_lookup_uint64(nvl, "mdn_nlevels", &nlevels); 1986 if (ret != 0 || nlevels > DN_MAX_LEVELS) 1987 return (SET_ERROR(EINVAL)); 1988 1989 ret = nvlist_lookup_uint64(nvl, "mdn_blksz", &blksz); 1990 if (ret != 0 || blksz < SPA_MINBLOCKSIZE) 1991 return (SET_ERROR(EINVAL)); 1992 else if (blksz > spa_maxblocksize(tx->tx_pool->dp_spa)) 1993 return (SET_ERROR(ENOTSUP)); 1994 1995 ret = nvlist_lookup_uint64(nvl, "mdn_indblkshift", &ibs); 1996 if (ret != 0 || ibs < DN_MIN_INDBLKSHIFT || ibs > DN_MAX_INDBLKSHIFT) 1997 return (SET_ERROR(ENOTSUP)); 1998 1999 ret = nvlist_lookup_uint64(nvl, "mdn_nblkptr", &nblkptr); 2000 if (ret != 0 || nblkptr != DN_MAX_NBLKPTR) 2001 return (SET_ERROR(ENOTSUP)); 2002 2003 ret = nvlist_lookup_uint64(nvl, "mdn_maxblkid", &maxblkid); 2004 if (ret != 0) 2005 return (SET_ERROR(EINVAL)); 2006 2007 ret = nvlist_lookup_uint8_array(nvl, "portable_mac", &buf, &len); 2008 if (ret != 0 || len != ZIO_OBJSET_MAC_LEN) 2009 return (SET_ERROR(EINVAL)); 2010 2011 ret = dmu_objset_from_ds(ds, &os); 2012 if (ret != 0) 2013 return (ret); 2014 2015 mdn = DMU_META_DNODE(os); 2016 2017 /* 2018 * If we already created the objset, make sure its unchangeable 2019 * properties match the ones received in the nvlist. 2020 */ 2021 rrw_enter(&ds->ds_bp_rwlock, RW_READER, FTAG); 2022 if (!BP_IS_HOLE(dsl_dataset_get_blkptr(ds)) && 2023 (mdn->dn_nlevels != nlevels || mdn->dn_datablksz != blksz || 2024 mdn->dn_indblkshift != ibs || mdn->dn_nblkptr != nblkptr)) { 2025 rrw_exit(&ds->ds_bp_rwlock, FTAG); 2026 return (SET_ERROR(EINVAL)); 2027 } 2028 rrw_exit(&ds->ds_bp_rwlock, FTAG); 2029 2030 /* 2031 * Check that the ivset guid of the fromds matches the one from the 2032 * send stream. Older versions of the encryption code did not have 2033 * an ivset guid on the from dataset and did not send one in the 2034 * stream. For these streams we provide the 2035 * zfs_disable_ivset_guid_check tunable to allow these datasets to 2036 * be received with a generated ivset guid. 2037 */ 2038 if (fromds != NULL && !zfs_disable_ivset_guid_check) { 2039 uint64_t from_ivset_guid = 0; 2040 intval = 0; 2041 2042 (void) nvlist_lookup_uint64(nvl, "from_ivset_guid", &intval); 2043 (void) zap_lookup(tx->tx_pool->dp_meta_objset, 2044 fromds->ds_object, DS_FIELD_IVSET_GUID, 2045 sizeof (from_ivset_guid), 1, &from_ivset_guid); 2046 2047 if (intval == 0 || from_ivset_guid == 0) 2048 return (SET_ERROR(ZFS_ERR_FROM_IVSET_GUID_MISSING)); 2049 2050 if (intval != from_ivset_guid) 2051 return (SET_ERROR(ZFS_ERR_FROM_IVSET_GUID_MISMATCH)); 2052 } 2053 2054 return (0); 2055 } 2056 2057 static void 2058 dsl_crypto_recv_raw_objset_sync(dsl_dataset_t *ds, dmu_objset_type_t ostype, 2059 nvlist_t *nvl, dmu_tx_t *tx) 2060 { 2061 dsl_pool_t *dp = tx->tx_pool; 2062 objset_t *os; 2063 dnode_t *mdn; 2064 zio_t *zio; 2065 uint8_t *portable_mac; 2066 uint_t len; 2067 uint64_t compress, checksum, nlevels, blksz, ibs, maxblkid; 2068 boolean_t newds = B_FALSE; 2069 2070 VERIFY0(dmu_objset_from_ds(ds, &os)); 2071 mdn = DMU_META_DNODE(os); 2072 2073 /* 2074 * Fetch the values we need from the nvlist. "to_ivset_guid" must 2075 * be set on the snapshot, which doesn't exist yet. The receive 2076 * code will take care of this for us later. 2077 */ 2078 compress = fnvlist_lookup_uint64(nvl, "mdn_compress"); 2079 checksum = fnvlist_lookup_uint64(nvl, "mdn_checksum"); 2080 nlevels = fnvlist_lookup_uint64(nvl, "mdn_nlevels"); 2081 blksz = fnvlist_lookup_uint64(nvl, "mdn_blksz"); 2082 ibs = fnvlist_lookup_uint64(nvl, "mdn_indblkshift"); 2083 maxblkid = fnvlist_lookup_uint64(nvl, "mdn_maxblkid"); 2084 VERIFY0(nvlist_lookup_uint8_array(nvl, "portable_mac", &portable_mac, 2085 &len)); 2086 2087 /* if we haven't created an objset for the ds yet, do that now */ 2088 rrw_enter(&ds->ds_bp_rwlock, RW_READER, FTAG); 2089 if (BP_IS_HOLE(dsl_dataset_get_blkptr(ds))) { 2090 (void) dmu_objset_create_impl_dnstats(dp->dp_spa, ds, 2091 dsl_dataset_get_blkptr(ds), ostype, nlevels, blksz, 2092 ibs, tx); 2093 newds = B_TRUE; 2094 } 2095 rrw_exit(&ds->ds_bp_rwlock, FTAG); 2096 2097 /* 2098 * Set the portable MAC. The local MAC will always be zero since the 2099 * incoming data will all be portable and user accounting will be 2100 * deferred until the next mount. Afterwards, flag the os to be 2101 * written out raw next time. 2102 */ 2103 arc_release(os->os_phys_buf, &os->os_phys_buf); 2104 memcpy(os->os_phys->os_portable_mac, portable_mac, ZIO_OBJSET_MAC_LEN); 2105 memset(os->os_phys->os_local_mac, 0, ZIO_OBJSET_MAC_LEN); 2106 os->os_flags &= ~OBJSET_FLAG_USERACCOUNTING_COMPLETE; 2107 os->os_next_write_raw[tx->tx_txg & TXG_MASK] = B_TRUE; 2108 2109 /* set metadnode compression and checksum */ 2110 mdn->dn_compress = compress; 2111 mdn->dn_checksum = checksum; 2112 2113 rw_enter(&mdn->dn_struct_rwlock, RW_WRITER); 2114 dnode_new_blkid(mdn, maxblkid, tx, B_FALSE, B_TRUE); 2115 rw_exit(&mdn->dn_struct_rwlock); 2116 2117 /* 2118 * We can't normally dirty the dataset in syncing context unless 2119 * we are creating a new dataset. In this case, we perform a 2120 * pseudo txg sync here instead. 2121 */ 2122 if (newds) { 2123 dsl_dataset_dirty(ds, tx); 2124 } else { 2125 zio = zio_root(dp->dp_spa, NULL, NULL, ZIO_FLAG_MUSTSUCCEED); 2126 dsl_dataset_sync(ds, zio, tx); 2127 VERIFY0(zio_wait(zio)); 2128 dsl_dataset_sync_done(ds, tx); 2129 } 2130 } 2131 2132 int 2133 dsl_crypto_recv_raw_key_check(dsl_dataset_t *ds, nvlist_t *nvl, dmu_tx_t *tx) 2134 { 2135 int ret; 2136 objset_t *mos = tx->tx_pool->dp_meta_objset; 2137 uint8_t *buf = NULL; 2138 uint_t len; 2139 uint64_t intval, key_guid, version; 2140 boolean_t is_passphrase = B_FALSE; 2141 2142 ASSERT(dsl_dataset_phys(ds)->ds_flags & DS_FLAG_INCONSISTENT); 2143 2144 /* 2145 * Read and check all the encryption values from the nvlist. We need 2146 * all of the fields of a DSL Crypto Key, as well as a fully specified 2147 * wrapping key. 2148 */ 2149 ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE, &intval); 2150 if (ret != 0 || intval <= ZIO_CRYPT_OFF) 2151 return (SET_ERROR(EINVAL)); 2152 2153 /* 2154 * Flag a future crypto suite that we don't support differently, so 2155 * we can return a more useful error to the user. 2156 */ 2157 if (intval >= ZIO_CRYPT_FUNCTIONS) 2158 return (SET_ERROR(ZFS_ERR_CRYPTO_NOTSUP)); 2159 2160 ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_GUID, &intval); 2161 if (ret != 0) 2162 return (SET_ERROR(EINVAL)); 2163 2164 /* 2165 * If this is an incremental receive make sure the given key guid 2166 * matches the one we already have. 2167 */ 2168 if (ds->ds_dir->dd_crypto_obj != 0) { 2169 ret = zap_lookup(mos, ds->ds_dir->dd_crypto_obj, 2170 DSL_CRYPTO_KEY_GUID, 8, 1, &key_guid); 2171 if (ret != 0) 2172 return (ret); 2173 if (intval != key_guid) 2174 return (SET_ERROR(EACCES)); 2175 } 2176 2177 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY, 2178 &buf, &len); 2179 if (ret != 0 || len != MASTER_KEY_MAX_LEN) 2180 return (SET_ERROR(EINVAL)); 2181 2182 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY, 2183 &buf, &len); 2184 if (ret != 0 || len != SHA512_HMAC_KEYLEN) 2185 return (SET_ERROR(EINVAL)); 2186 2187 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_IV, &buf, &len); 2188 if (ret != 0 || len != WRAPPING_IV_LEN) 2189 return (SET_ERROR(EINVAL)); 2190 2191 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, &buf, &len); 2192 if (ret != 0 || len != WRAPPING_MAC_LEN) 2193 return (SET_ERROR(EINVAL)); 2194 2195 /* 2196 * We don't support receiving old on-disk formats. The version 0 2197 * implementation protected several fields in an objset that were 2198 * not always portable during a raw receive. As a result, we call 2199 * the old version an on-disk errata #3. 2200 */ 2201 ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_VERSION, &version); 2202 if (ret != 0 || version != ZIO_CRYPT_KEY_CURRENT_VERSION) 2203 return (SET_ERROR(ENOTSUP)); 2204 2205 ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 2206 &intval); 2207 if (ret != 0 || intval >= ZFS_KEYFORMAT_FORMATS || 2208 intval == ZFS_KEYFORMAT_NONE) 2209 return (SET_ERROR(EINVAL)); 2210 2211 is_passphrase = (intval == ZFS_KEYFORMAT_PASSPHRASE); 2212 2213 /* 2214 * for raw receives we allow any number of pbkdf2iters since there 2215 * won't be a chance for the user to change it. 2216 */ 2217 ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 2218 &intval); 2219 if (ret != 0 || (is_passphrase == (intval == 0))) 2220 return (SET_ERROR(EINVAL)); 2221 2222 ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 2223 &intval); 2224 if (ret != 0 || (is_passphrase == (intval == 0))) 2225 return (SET_ERROR(EINVAL)); 2226 2227 return (0); 2228 } 2229 2230 void 2231 dsl_crypto_recv_raw_key_sync(dsl_dataset_t *ds, nvlist_t *nvl, dmu_tx_t *tx) 2232 { 2233 dsl_pool_t *dp = tx->tx_pool; 2234 objset_t *mos = dp->dp_meta_objset; 2235 dsl_dir_t *dd = ds->ds_dir; 2236 uint_t len; 2237 uint64_t rddobj, one = 1; 2238 uint8_t *keydata, *hmac_keydata, *iv, *mac; 2239 uint64_t crypt, key_guid, keyformat, iters, salt; 2240 uint64_t version = ZIO_CRYPT_KEY_CURRENT_VERSION; 2241 const char *keylocation = "prompt"; 2242 2243 /* lookup the values we need to create the DSL Crypto Key */ 2244 crypt = fnvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE); 2245 key_guid = fnvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_GUID); 2246 keyformat = fnvlist_lookup_uint64(nvl, 2247 zfs_prop_to_name(ZFS_PROP_KEYFORMAT)); 2248 iters = fnvlist_lookup_uint64(nvl, 2249 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS)); 2250 salt = fnvlist_lookup_uint64(nvl, 2251 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT)); 2252 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY, 2253 &keydata, &len)); 2254 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY, 2255 &hmac_keydata, &len)); 2256 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_IV, &iv, &len)); 2257 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, &mac, &len)); 2258 2259 /* if this is a new dataset setup the DSL Crypto Key. */ 2260 if (dd->dd_crypto_obj == 0) { 2261 /* zapify the dsl dir so we can add the key object to it */ 2262 dmu_buf_will_dirty(dd->dd_dbuf, tx); 2263 dsl_dir_zapify(dd, tx); 2264 2265 /* create the DSL Crypto Key on disk and activate the feature */ 2266 dd->dd_crypto_obj = zap_create(mos, 2267 DMU_OTN_ZAP_METADATA, DMU_OT_NONE, 0, tx); 2268 VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, 2269 dd->dd_crypto_obj, DSL_CRYPTO_KEY_REFCOUNT, 2270 sizeof (uint64_t), 1, &one, tx)); 2271 VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, 2272 dd->dd_crypto_obj, DSL_CRYPTO_KEY_VERSION, 2273 sizeof (uint64_t), 1, &version, tx)); 2274 2275 dsl_dataset_activate_feature(ds->ds_object, 2276 SPA_FEATURE_ENCRYPTION, (void *)B_TRUE, tx); 2277 ds->ds_feature[SPA_FEATURE_ENCRYPTION] = (void *)B_TRUE; 2278 2279 /* save the dd_crypto_obj on disk */ 2280 VERIFY0(zap_add(mos, dd->dd_object, DD_FIELD_CRYPTO_KEY_OBJ, 2281 sizeof (uint64_t), 1, &dd->dd_crypto_obj, tx)); 2282 2283 /* 2284 * Set the keylocation to prompt by default. If keylocation 2285 * has been provided via the properties, this will be overridden 2286 * later. 2287 */ 2288 dsl_prop_set_sync_impl(ds, 2289 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 2290 ZPROP_SRC_LOCAL, 1, strlen(keylocation) + 1, 2291 keylocation, tx); 2292 2293 rddobj = dd->dd_object; 2294 } else { 2295 VERIFY0(dsl_dir_get_encryption_root_ddobj(dd, &rddobj)); 2296 } 2297 2298 /* sync the key data to the ZAP object on disk */ 2299 dsl_crypto_key_sync_impl(mos, dd->dd_crypto_obj, crypt, 2300 rddobj, key_guid, iv, mac, keydata, hmac_keydata, keyformat, salt, 2301 iters, tx); 2302 } 2303 2304 static int 2305 dsl_crypto_recv_key_check(void *arg, dmu_tx_t *tx) 2306 { 2307 int ret; 2308 dsl_crypto_recv_key_arg_t *dcrka = arg; 2309 dsl_dataset_t *ds = NULL, *fromds = NULL; 2310 2311 ret = dsl_dataset_hold_obj(tx->tx_pool, dcrka->dcrka_dsobj, 2312 FTAG, &ds); 2313 if (ret != 0) 2314 goto out; 2315 2316 if (dcrka->dcrka_fromobj != 0) { 2317 ret = dsl_dataset_hold_obj(tx->tx_pool, dcrka->dcrka_fromobj, 2318 FTAG, &fromds); 2319 if (ret != 0) 2320 goto out; 2321 } 2322 2323 ret = dsl_crypto_recv_raw_objset_check(ds, fromds, 2324 dcrka->dcrka_ostype, dcrka->dcrka_nvl, tx); 2325 if (ret != 0) 2326 goto out; 2327 2328 /* 2329 * We run this check even if we won't be doing this part of 2330 * the receive now so that we don't make the user wait until 2331 * the receive finishes to fail. 2332 */ 2333 ret = dsl_crypto_recv_raw_key_check(ds, dcrka->dcrka_nvl, tx); 2334 if (ret != 0) 2335 goto out; 2336 2337 out: 2338 if (ds != NULL) 2339 dsl_dataset_rele(ds, FTAG); 2340 if (fromds != NULL) 2341 dsl_dataset_rele(fromds, FTAG); 2342 return (ret); 2343 } 2344 2345 static void 2346 dsl_crypto_recv_key_sync(void *arg, dmu_tx_t *tx) 2347 { 2348 dsl_crypto_recv_key_arg_t *dcrka = arg; 2349 dsl_dataset_t *ds; 2350 2351 VERIFY0(dsl_dataset_hold_obj(tx->tx_pool, dcrka->dcrka_dsobj, 2352 FTAG, &ds)); 2353 dsl_crypto_recv_raw_objset_sync(ds, dcrka->dcrka_ostype, 2354 dcrka->dcrka_nvl, tx); 2355 if (dcrka->dcrka_do_key) 2356 dsl_crypto_recv_raw_key_sync(ds, dcrka->dcrka_nvl, tx); 2357 dsl_dataset_rele(ds, FTAG); 2358 } 2359 2360 /* 2361 * This function is used to sync an nvlist representing a DSL Crypto Key and 2362 * the associated encryption parameters. The key will be written exactly as is 2363 * without wrapping it. 2364 */ 2365 int 2366 dsl_crypto_recv_raw(const char *poolname, uint64_t dsobj, uint64_t fromobj, 2367 dmu_objset_type_t ostype, nvlist_t *nvl, boolean_t do_key) 2368 { 2369 dsl_crypto_recv_key_arg_t dcrka; 2370 2371 dcrka.dcrka_dsobj = dsobj; 2372 dcrka.dcrka_fromobj = fromobj; 2373 dcrka.dcrka_ostype = ostype; 2374 dcrka.dcrka_nvl = nvl; 2375 dcrka.dcrka_do_key = do_key; 2376 2377 return (dsl_sync_task(poolname, dsl_crypto_recv_key_check, 2378 dsl_crypto_recv_key_sync, &dcrka, 1, ZFS_SPACE_CHECK_NORMAL)); 2379 } 2380 2381 int 2382 dsl_crypto_populate_key_nvlist(objset_t *os, uint64_t from_ivset_guid, 2383 nvlist_t **nvl_out) 2384 { 2385 int ret; 2386 dsl_dataset_t *ds = os->os_dsl_dataset; 2387 dnode_t *mdn; 2388 uint64_t rddobj; 2389 nvlist_t *nvl = NULL; 2390 uint64_t dckobj = ds->ds_dir->dd_crypto_obj; 2391 dsl_dir_t *rdd = NULL; 2392 dsl_pool_t *dp = ds->ds_dir->dd_pool; 2393 objset_t *mos = dp->dp_meta_objset; 2394 uint64_t crypt = 0, key_guid = 0, format = 0; 2395 uint64_t iters = 0, salt = 0, version = 0; 2396 uint64_t to_ivset_guid = 0; 2397 uint8_t raw_keydata[MASTER_KEY_MAX_LEN]; 2398 uint8_t raw_hmac_keydata[SHA512_HMAC_KEYLEN]; 2399 uint8_t iv[WRAPPING_IV_LEN]; 2400 uint8_t mac[WRAPPING_MAC_LEN]; 2401 2402 ASSERT(dckobj != 0); 2403 2404 mdn = DMU_META_DNODE(os); 2405 2406 nvl = fnvlist_alloc(); 2407 2408 /* lookup values from the DSL Crypto Key */ 2409 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, 2410 &crypt); 2411 if (ret != 0) 2412 goto error; 2413 2414 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_GUID, 8, 1, &key_guid); 2415 if (ret != 0) 2416 goto error; 2417 2418 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MASTER_KEY, 1, 2419 MASTER_KEY_MAX_LEN, raw_keydata); 2420 if (ret != 0) 2421 goto error; 2422 2423 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_HMAC_KEY, 1, 2424 SHA512_HMAC_KEYLEN, raw_hmac_keydata); 2425 if (ret != 0) 2426 goto error; 2427 2428 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_IV, 1, WRAPPING_IV_LEN, 2429 iv); 2430 if (ret != 0) 2431 goto error; 2432 2433 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MAC, 1, WRAPPING_MAC_LEN, 2434 mac); 2435 if (ret != 0) 2436 goto error; 2437 2438 /* see zfs_disable_ivset_guid_check tunable for errata info */ 2439 ret = zap_lookup(mos, ds->ds_object, DS_FIELD_IVSET_GUID, 8, 1, 2440 &to_ivset_guid); 2441 if (ret != 0) 2442 ASSERT3U(dp->dp_spa->spa_errata, !=, 0); 2443 2444 /* 2445 * We don't support raw sends of legacy on-disk formats. See the 2446 * comment in dsl_crypto_recv_key_check() for details. 2447 */ 2448 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_VERSION, 8, 1, &version); 2449 if (ret != 0 || version != ZIO_CRYPT_KEY_CURRENT_VERSION) { 2450 dp->dp_spa->spa_errata = ZPOOL_ERRATA_ZOL_6845_ENCRYPTION; 2451 ret = SET_ERROR(ENOTSUP); 2452 goto error; 2453 } 2454 2455 /* 2456 * Lookup wrapping key properties. An early version of the code did 2457 * not correctly add these values to the wrapping key or the DSL 2458 * Crypto Key on disk for non encryption roots, so to be safe we 2459 * always take the slightly circuitous route of looking it up from 2460 * the encryption root's key. 2461 */ 2462 ret = dsl_dir_get_encryption_root_ddobj(ds->ds_dir, &rddobj); 2463 if (ret != 0) 2464 goto error; 2465 2466 dsl_pool_config_enter(dp, FTAG); 2467 2468 ret = dsl_dir_hold_obj(dp, rddobj, NULL, FTAG, &rdd); 2469 if (ret != 0) 2470 goto error_unlock; 2471 2472 ret = zap_lookup(dp->dp_meta_objset, rdd->dd_crypto_obj, 2473 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 8, 1, &format); 2474 if (ret != 0) 2475 goto error_unlock; 2476 2477 if (format == ZFS_KEYFORMAT_PASSPHRASE) { 2478 ret = zap_lookup(dp->dp_meta_objset, rdd->dd_crypto_obj, 2479 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 8, 1, &iters); 2480 if (ret != 0) 2481 goto error_unlock; 2482 2483 ret = zap_lookup(dp->dp_meta_objset, rdd->dd_crypto_obj, 2484 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 8, 1, &salt); 2485 if (ret != 0) 2486 goto error_unlock; 2487 } 2488 2489 dsl_dir_rele(rdd, FTAG); 2490 dsl_pool_config_exit(dp, FTAG); 2491 2492 fnvlist_add_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE, crypt); 2493 fnvlist_add_uint64(nvl, DSL_CRYPTO_KEY_GUID, key_guid); 2494 fnvlist_add_uint64(nvl, DSL_CRYPTO_KEY_VERSION, version); 2495 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY, 2496 raw_keydata, MASTER_KEY_MAX_LEN)); 2497 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY, 2498 raw_hmac_keydata, SHA512_HMAC_KEYLEN)); 2499 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_IV, iv, 2500 WRAPPING_IV_LEN)); 2501 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, mac, 2502 WRAPPING_MAC_LEN)); 2503 VERIFY0(nvlist_add_uint8_array(nvl, "portable_mac", 2504 os->os_phys->os_portable_mac, ZIO_OBJSET_MAC_LEN)); 2505 fnvlist_add_uint64(nvl, zfs_prop_to_name(ZFS_PROP_KEYFORMAT), format); 2506 fnvlist_add_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), iters); 2507 fnvlist_add_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), salt); 2508 fnvlist_add_uint64(nvl, "mdn_checksum", mdn->dn_checksum); 2509 fnvlist_add_uint64(nvl, "mdn_compress", mdn->dn_compress); 2510 fnvlist_add_uint64(nvl, "mdn_nlevels", mdn->dn_nlevels); 2511 fnvlist_add_uint64(nvl, "mdn_blksz", mdn->dn_datablksz); 2512 fnvlist_add_uint64(nvl, "mdn_indblkshift", mdn->dn_indblkshift); 2513 fnvlist_add_uint64(nvl, "mdn_nblkptr", mdn->dn_nblkptr); 2514 fnvlist_add_uint64(nvl, "mdn_maxblkid", mdn->dn_maxblkid); 2515 fnvlist_add_uint64(nvl, "to_ivset_guid", to_ivset_guid); 2516 fnvlist_add_uint64(nvl, "from_ivset_guid", from_ivset_guid); 2517 2518 *nvl_out = nvl; 2519 return (0); 2520 2521 error_unlock: 2522 dsl_pool_config_exit(dp, FTAG); 2523 error: 2524 if (rdd != NULL) 2525 dsl_dir_rele(rdd, FTAG); 2526 nvlist_free(nvl); 2527 2528 *nvl_out = NULL; 2529 return (ret); 2530 } 2531 2532 uint64_t 2533 dsl_crypto_key_create_sync(uint64_t crypt, dsl_wrapping_key_t *wkey, 2534 dmu_tx_t *tx) 2535 { 2536 dsl_crypto_key_t dck; 2537 uint64_t version = ZIO_CRYPT_KEY_CURRENT_VERSION; 2538 uint64_t one = 1ULL; 2539 2540 ASSERT(dmu_tx_is_syncing(tx)); 2541 ASSERT3U(crypt, <, ZIO_CRYPT_FUNCTIONS); 2542 ASSERT3U(crypt, >, ZIO_CRYPT_OFF); 2543 2544 /* create the DSL Crypto Key ZAP object */ 2545 dck.dck_obj = zap_create(tx->tx_pool->dp_meta_objset, 2546 DMU_OTN_ZAP_METADATA, DMU_OT_NONE, 0, tx); 2547 2548 /* fill in the key (on the stack) and sync it to disk */ 2549 dck.dck_wkey = wkey; 2550 VERIFY0(zio_crypt_key_init(crypt, &dck.dck_key)); 2551 2552 dsl_crypto_key_sync(&dck, tx); 2553 VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, dck.dck_obj, 2554 DSL_CRYPTO_KEY_REFCOUNT, sizeof (uint64_t), 1, &one, tx)); 2555 VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, dck.dck_obj, 2556 DSL_CRYPTO_KEY_VERSION, sizeof (uint64_t), 1, &version, tx)); 2557 2558 zio_crypt_key_destroy(&dck.dck_key); 2559 memset(&dck.dck_key, 0, sizeof (zio_crypt_key_t)); 2560 2561 return (dck.dck_obj); 2562 } 2563 2564 uint64_t 2565 dsl_crypto_key_clone_sync(dsl_dir_t *origindd, dmu_tx_t *tx) 2566 { 2567 objset_t *mos = tx->tx_pool->dp_meta_objset; 2568 2569 ASSERT(dmu_tx_is_syncing(tx)); 2570 2571 VERIFY0(zap_increment(mos, origindd->dd_crypto_obj, 2572 DSL_CRYPTO_KEY_REFCOUNT, 1, tx)); 2573 2574 return (origindd->dd_crypto_obj); 2575 } 2576 2577 void 2578 dsl_crypto_key_destroy_sync(uint64_t dckobj, dmu_tx_t *tx) 2579 { 2580 objset_t *mos = tx->tx_pool->dp_meta_objset; 2581 uint64_t refcnt; 2582 2583 /* Decrement the refcount, destroy if this is the last reference */ 2584 VERIFY0(zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_REFCOUNT, 2585 sizeof (uint64_t), 1, &refcnt)); 2586 2587 if (refcnt != 1) { 2588 VERIFY0(zap_increment(mos, dckobj, DSL_CRYPTO_KEY_REFCOUNT, 2589 -1, tx)); 2590 } else { 2591 VERIFY0(zap_destroy(mos, dckobj, tx)); 2592 } 2593 } 2594 2595 void 2596 dsl_dataset_crypt_stats(dsl_dataset_t *ds, nvlist_t *nv) 2597 { 2598 uint64_t intval; 2599 dsl_dir_t *dd = ds->ds_dir; 2600 dsl_dir_t *enc_root; 2601 char buf[ZFS_MAX_DATASET_NAME_LEN]; 2602 2603 if (dd->dd_crypto_obj == 0) 2604 return; 2605 2606 intval = dsl_dataset_get_keystatus(dd); 2607 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_KEYSTATUS, intval); 2608 2609 if (dsl_dir_get_crypt(dd, &intval) == 0) 2610 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_ENCRYPTION, intval); 2611 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2612 DSL_CRYPTO_KEY_GUID, 8, 1, &intval) == 0) { 2613 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_KEY_GUID, intval); 2614 } 2615 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2616 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 8, 1, &intval) == 0) { 2617 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_KEYFORMAT, intval); 2618 } 2619 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2620 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 8, 1, &intval) == 0) { 2621 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_PBKDF2_SALT, intval); 2622 } 2623 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2624 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 8, 1, &intval) == 0) { 2625 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_PBKDF2_ITERS, intval); 2626 } 2627 if (zap_lookup(dd->dd_pool->dp_meta_objset, ds->ds_object, 2628 DS_FIELD_IVSET_GUID, 8, 1, &intval) == 0) { 2629 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_IVSET_GUID, intval); 2630 } 2631 2632 if (dsl_dir_get_encryption_root_ddobj(dd, &intval) == 0) { 2633 if (dsl_dir_hold_obj(dd->dd_pool, intval, NULL, FTAG, 2634 &enc_root) == 0) { 2635 dsl_dir_name(enc_root, buf); 2636 dsl_dir_rele(enc_root, FTAG); 2637 dsl_prop_nvlist_add_string(nv, 2638 ZFS_PROP_ENCRYPTION_ROOT, buf); 2639 } 2640 } 2641 } 2642 2643 int 2644 spa_crypt_get_salt(spa_t *spa, uint64_t dsobj, uint8_t *salt) 2645 { 2646 int ret; 2647 dsl_crypto_key_t *dck = NULL; 2648 2649 /* look up the key from the spa's keystore */ 2650 ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck); 2651 if (ret != 0) 2652 goto error; 2653 2654 ret = zio_crypt_key_get_salt(&dck->dck_key, salt); 2655 if (ret != 0) 2656 goto error; 2657 2658 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2659 return (0); 2660 2661 error: 2662 if (dck != NULL) 2663 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2664 return (ret); 2665 } 2666 2667 /* 2668 * Objset blocks are a special case for MAC generation. These blocks have 2 2669 * 256-bit MACs which are embedded within the block itself, rather than a 2670 * single 128 bit MAC. As a result, this function handles encoding and decoding 2671 * the MACs on its own, unlike other functions in this file. 2672 */ 2673 int 2674 spa_do_crypt_objset_mac_abd(boolean_t generate, spa_t *spa, uint64_t dsobj, 2675 abd_t *abd, uint_t datalen, boolean_t byteswap) 2676 { 2677 int ret; 2678 dsl_crypto_key_t *dck = NULL; 2679 void *buf = abd_borrow_buf_copy(abd, datalen); 2680 objset_phys_t *osp = buf; 2681 uint8_t portable_mac[ZIO_OBJSET_MAC_LEN]; 2682 uint8_t local_mac[ZIO_OBJSET_MAC_LEN]; 2683 const uint8_t zeroed_mac[ZIO_OBJSET_MAC_LEN] = {0}; 2684 2685 /* look up the key from the spa's keystore */ 2686 ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck); 2687 if (ret != 0) 2688 goto error; 2689 2690 /* calculate both HMACs */ 2691 ret = zio_crypt_do_objset_hmacs(&dck->dck_key, buf, datalen, 2692 byteswap, portable_mac, local_mac); 2693 if (ret != 0) 2694 goto error; 2695 2696 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2697 2698 /* if we are generating encode the HMACs in the objset_phys_t */ 2699 if (generate) { 2700 memcpy(osp->os_portable_mac, portable_mac, ZIO_OBJSET_MAC_LEN); 2701 memcpy(osp->os_local_mac, local_mac, ZIO_OBJSET_MAC_LEN); 2702 abd_return_buf_copy(abd, buf, datalen); 2703 return (0); 2704 } 2705 2706 if (memcmp(portable_mac, osp->os_portable_mac, 2707 ZIO_OBJSET_MAC_LEN) != 0 || 2708 memcmp(local_mac, osp->os_local_mac, ZIO_OBJSET_MAC_LEN) != 0) { 2709 /* 2710 * If the MAC is zeroed out, we failed to decrypt it. 2711 * This should only arise, at least on Linux, 2712 * if we hit edge case handling for useraccounting, since we 2713 * shouldn't get here without bailing out on error earlier 2714 * otherwise. 2715 * 2716 * So if we're in that case, we can just fall through and 2717 * special-casing noticing that it's zero will handle it 2718 * elsewhere, since we can just regenerate it. 2719 */ 2720 if (memcmp(local_mac, zeroed_mac, ZIO_OBJSET_MAC_LEN) != 0) { 2721 abd_return_buf(abd, buf, datalen); 2722 return (SET_ERROR(ECKSUM)); 2723 } 2724 } 2725 2726 abd_return_buf(abd, buf, datalen); 2727 2728 return (0); 2729 2730 error: 2731 if (dck != NULL) 2732 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2733 abd_return_buf(abd, buf, datalen); 2734 return (ret); 2735 } 2736 2737 int 2738 spa_do_crypt_mac_abd(boolean_t generate, spa_t *spa, uint64_t dsobj, abd_t *abd, 2739 uint_t datalen, uint8_t *mac) 2740 { 2741 int ret; 2742 dsl_crypto_key_t *dck = NULL; 2743 uint8_t *buf = abd_borrow_buf_copy(abd, datalen); 2744 uint8_t digestbuf[ZIO_DATA_MAC_LEN]; 2745 2746 /* look up the key from the spa's keystore */ 2747 ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck); 2748 if (ret != 0) 2749 goto error; 2750 2751 /* perform the hmac */ 2752 ret = zio_crypt_do_hmac(&dck->dck_key, buf, datalen, 2753 digestbuf, ZIO_DATA_MAC_LEN); 2754 if (ret != 0) 2755 goto error; 2756 2757 abd_return_buf(abd, buf, datalen); 2758 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2759 2760 /* 2761 * Truncate and fill in mac buffer if we were asked to generate a MAC. 2762 * Otherwise verify that the MAC matched what we expected. 2763 */ 2764 if (generate) { 2765 memcpy(mac, digestbuf, ZIO_DATA_MAC_LEN); 2766 return (0); 2767 } 2768 2769 if (memcmp(digestbuf, mac, ZIO_DATA_MAC_LEN) != 0) 2770 return (SET_ERROR(ECKSUM)); 2771 2772 return (0); 2773 2774 error: 2775 if (dck != NULL) 2776 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2777 abd_return_buf(abd, buf, datalen); 2778 return (ret); 2779 } 2780 2781 /* 2782 * This function serves as a multiplexer for encryption and decryption of 2783 * all blocks (except the L2ARC). For encryption, it will populate the IV, 2784 * salt, MAC, and cabd (the ciphertext). On decryption it will simply use 2785 * these fields to populate pabd (the plaintext). 2786 */ 2787 int 2788 spa_do_crypt_abd(boolean_t encrypt, spa_t *spa, const zbookmark_phys_t *zb, 2789 dmu_object_type_t ot, boolean_t dedup, boolean_t bswap, uint8_t *salt, 2790 uint8_t *iv, uint8_t *mac, uint_t datalen, abd_t *pabd, abd_t *cabd, 2791 boolean_t *no_crypt) 2792 { 2793 int ret; 2794 dsl_crypto_key_t *dck = NULL; 2795 uint8_t *plainbuf = NULL, *cipherbuf = NULL; 2796 2797 ASSERT(spa_feature_is_active(spa, SPA_FEATURE_ENCRYPTION)); 2798 2799 /* look up the key from the spa's keystore */ 2800 ret = spa_keystore_lookup_key(spa, zb->zb_objset, FTAG, &dck); 2801 if (ret != 0) { 2802 ret = SET_ERROR(EACCES); 2803 return (ret); 2804 } 2805 2806 if (encrypt) { 2807 plainbuf = abd_borrow_buf_copy(pabd, datalen); 2808 cipherbuf = abd_borrow_buf(cabd, datalen); 2809 } else { 2810 plainbuf = abd_borrow_buf(pabd, datalen); 2811 cipherbuf = abd_borrow_buf_copy(cabd, datalen); 2812 } 2813 2814 /* 2815 * Both encryption and decryption functions need a salt for key 2816 * generation and an IV. When encrypting a non-dedup block, we 2817 * generate the salt and IV randomly to be stored by the caller. Dedup 2818 * blocks perform a (more expensive) HMAC of the plaintext to obtain 2819 * the salt and the IV. ZIL blocks have their salt and IV generated 2820 * at allocation time in zio_alloc_zil(). On decryption, we simply use 2821 * the provided values. 2822 */ 2823 if (encrypt && ot != DMU_OT_INTENT_LOG && !dedup) { 2824 ret = zio_crypt_key_get_salt(&dck->dck_key, salt); 2825 if (ret != 0) 2826 goto error; 2827 2828 ret = zio_crypt_generate_iv(iv); 2829 if (ret != 0) 2830 goto error; 2831 } else if (encrypt && dedup) { 2832 ret = zio_crypt_generate_iv_salt_dedup(&dck->dck_key, 2833 plainbuf, datalen, iv, salt); 2834 if (ret != 0) 2835 goto error; 2836 } 2837 2838 /* call lower level function to perform encryption / decryption */ 2839 ret = zio_do_crypt_data(encrypt, &dck->dck_key, ot, bswap, salt, iv, 2840 mac, datalen, plainbuf, cipherbuf, no_crypt); 2841 2842 /* 2843 * Handle injected decryption faults. Unfortunately, we cannot inject 2844 * faults for dnode blocks because we might trigger the panic in 2845 * dbuf_prepare_encrypted_dnode_leaf(), which exists because syncing 2846 * context is not prepared to handle malicious decryption failures. 2847 */ 2848 if (zio_injection_enabled && !encrypt && ot != DMU_OT_DNODE && ret == 0) 2849 ret = zio_handle_decrypt_injection(spa, zb, ot, ECKSUM); 2850 if (ret != 0) 2851 goto error; 2852 2853 if (encrypt) { 2854 abd_return_buf(pabd, plainbuf, datalen); 2855 abd_return_buf_copy(cabd, cipherbuf, datalen); 2856 } else { 2857 abd_return_buf_copy(pabd, plainbuf, datalen); 2858 abd_return_buf(cabd, cipherbuf, datalen); 2859 } 2860 2861 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2862 2863 return (0); 2864 2865 error: 2866 if (encrypt) { 2867 /* zero out any state we might have changed while encrypting */ 2868 memset(salt, 0, ZIO_DATA_SALT_LEN); 2869 memset(iv, 0, ZIO_DATA_IV_LEN); 2870 memset(mac, 0, ZIO_DATA_MAC_LEN); 2871 abd_return_buf(pabd, plainbuf, datalen); 2872 abd_return_buf_copy(cabd, cipherbuf, datalen); 2873 } else { 2874 abd_return_buf_copy(pabd, plainbuf, datalen); 2875 abd_return_buf(cabd, cipherbuf, datalen); 2876 } 2877 2878 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2879 2880 return (ret); 2881 } 2882 2883 ZFS_MODULE_PARAM(zfs, zfs_, disable_ivset_guid_check, INT, ZMOD_RW, 2884 "Set to allow raw receives without IVset guids"); 2885