1 /* 2 * CDDL HEADER START 3 * 4 * This file and its contents are supplied under the terms of the 5 * Common Development and Distribution License ("CDDL"), version 1.0. 6 * You may only use this file in accordance with the terms of version 7 * 1.0 of the CDDL. 8 * 9 * A full copy of the text of the CDDL should have accompanied this 10 * source. A copy of the CDDL is also available via the Internet at 11 * http://www.illumos.org/license/CDDL. 12 * 13 * CDDL HEADER END 14 */ 15 16 /* 17 * Copyright (c) 2017, Datto, Inc. All rights reserved. 18 * Copyright (c) 2018 by Delphix. All rights reserved. 19 */ 20 21 #include <sys/dsl_crypt.h> 22 #include <sys/dsl_pool.h> 23 #include <sys/zap.h> 24 #include <sys/zil.h> 25 #include <sys/dsl_dir.h> 26 #include <sys/dsl_prop.h> 27 #include <sys/spa_impl.h> 28 #include <sys/dmu_objset.h> 29 #include <sys/zvol.h> 30 31 /* 32 * This file's primary purpose is for managing master encryption keys in 33 * memory and on disk. For more info on how these keys are used, see the 34 * block comment in zio_crypt.c. 35 * 36 * All master keys are stored encrypted on disk in the form of the DSL 37 * Crypto Key ZAP object. The binary key data in this object is always 38 * randomly generated and is encrypted with the user's wrapping key. This 39 * layer of indirection allows the user to change their key without 40 * needing to re-encrypt the entire dataset. The ZAP also holds on to the 41 * (non-encrypted) encryption algorithm identifier, IV, and MAC needed to 42 * safely decrypt the master key. For more info on the user's key see the 43 * block comment in libzfs_crypto.c 44 * 45 * In-memory encryption keys are managed through the spa_keystore. The 46 * keystore consists of 3 AVL trees, which are as follows: 47 * 48 * The Wrapping Key Tree: 49 * The wrapping key (wkey) tree stores the user's keys that are fed into the 50 * kernel through 'zfs load-key' and related commands. Datasets inherit their 51 * parent's wkey by default, so these structures are refcounted. The wrapping 52 * keys remain in memory until they are explicitly unloaded (with 53 * "zfs unload-key"). Unloading is only possible when no datasets are using 54 * them (refcount=0). 55 * 56 * The DSL Crypto Key Tree: 57 * The DSL Crypto Keys (DCK) are the in-memory representation of decrypted 58 * master keys. They are used by the functions in zio_crypt.c to perform 59 * encryption, decryption, and authentication. Snapshots and clones of a given 60 * dataset will share a DSL Crypto Key, so they are also refcounted. Once the 61 * refcount on a key hits zero, it is immediately zeroed out and freed. 62 * 63 * The Crypto Key Mapping Tree: 64 * The zio layer needs to lookup master keys by their dataset object id. Since 65 * the DSL Crypto Keys can belong to multiple datasets, we maintain a tree of 66 * dsl_key_mapping_t's which essentially just map the dataset object id to its 67 * appropriate DSL Crypto Key. The management for creating and destroying these 68 * mappings hooks into the code for owning and disowning datasets. Usually, 69 * there will only be one active dataset owner, but there are times 70 * (particularly during dataset creation and destruction) when this may not be 71 * true or the dataset may not be initialized enough to own. As a result, this 72 * object is also refcounted. 73 */ 74 75 /* 76 * This tunable allows datasets to be raw received even if the stream does 77 * not include IVset guids or if the guids don't match. This is used as part 78 * of the resolution for ZPOOL_ERRATA_ZOL_8308_ENCRYPTION. 79 */ 80 int zfs_disable_ivset_guid_check = 0; 81 82 static void 83 dsl_wrapping_key_hold(dsl_wrapping_key_t *wkey, void *tag) 84 { 85 (void) zfs_refcount_add(&wkey->wk_refcnt, tag); 86 } 87 88 static void 89 dsl_wrapping_key_rele(dsl_wrapping_key_t *wkey, void *tag) 90 { 91 (void) zfs_refcount_remove(&wkey->wk_refcnt, tag); 92 } 93 94 static void 95 dsl_wrapping_key_free(dsl_wrapping_key_t *wkey) 96 { 97 ASSERT0(zfs_refcount_count(&wkey->wk_refcnt)); 98 99 if (wkey->wk_key.ck_data) { 100 bzero(wkey->wk_key.ck_data, 101 CRYPTO_BITS2BYTES(wkey->wk_key.ck_length)); 102 kmem_free(wkey->wk_key.ck_data, 103 CRYPTO_BITS2BYTES(wkey->wk_key.ck_length)); 104 } 105 106 zfs_refcount_destroy(&wkey->wk_refcnt); 107 kmem_free(wkey, sizeof (dsl_wrapping_key_t)); 108 } 109 110 static void 111 dsl_wrapping_key_create(uint8_t *wkeydata, zfs_keyformat_t keyformat, 112 uint64_t salt, uint64_t iters, dsl_wrapping_key_t **wkey_out) 113 { 114 dsl_wrapping_key_t *wkey; 115 116 /* allocate the wrapping key */ 117 wkey = kmem_alloc(sizeof (dsl_wrapping_key_t), KM_SLEEP); 118 119 /* allocate and initialize the underlying crypto key */ 120 wkey->wk_key.ck_data = kmem_alloc(WRAPPING_KEY_LEN, KM_SLEEP); 121 122 wkey->wk_key.ck_format = CRYPTO_KEY_RAW; 123 wkey->wk_key.ck_length = CRYPTO_BYTES2BITS(WRAPPING_KEY_LEN); 124 bcopy(wkeydata, wkey->wk_key.ck_data, WRAPPING_KEY_LEN); 125 126 /* initialize the rest of the struct */ 127 zfs_refcount_create(&wkey->wk_refcnt); 128 wkey->wk_keyformat = keyformat; 129 wkey->wk_salt = salt; 130 wkey->wk_iters = iters; 131 132 *wkey_out = wkey; 133 } 134 135 int 136 dsl_crypto_params_create_nvlist(dcp_cmd_t cmd, nvlist_t *props, 137 nvlist_t *crypto_args, dsl_crypto_params_t **dcp_out) 138 { 139 int ret; 140 uint64_t crypt = ZIO_CRYPT_INHERIT; 141 uint64_t keyformat = ZFS_KEYFORMAT_NONE; 142 uint64_t salt = 0, iters = 0; 143 dsl_crypto_params_t *dcp = NULL; 144 dsl_wrapping_key_t *wkey = NULL; 145 uint8_t *wkeydata = NULL; 146 uint_t wkeydata_len = 0; 147 char *keylocation = NULL; 148 149 dcp = kmem_zalloc(sizeof (dsl_crypto_params_t), KM_SLEEP); 150 dcp->cp_cmd = cmd; 151 152 /* get relevant arguments from the nvlists */ 153 if (props != NULL) { 154 (void) nvlist_lookup_uint64(props, 155 zfs_prop_to_name(ZFS_PROP_ENCRYPTION), &crypt); 156 (void) nvlist_lookup_uint64(props, 157 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), &keyformat); 158 (void) nvlist_lookup_string(props, 159 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), &keylocation); 160 (void) nvlist_lookup_uint64(props, 161 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), &salt); 162 (void) nvlist_lookup_uint64(props, 163 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), &iters); 164 165 dcp->cp_crypt = crypt; 166 } 167 168 if (crypto_args != NULL) { 169 (void) nvlist_lookup_uint8_array(crypto_args, "wkeydata", 170 &wkeydata, &wkeydata_len); 171 } 172 173 /* check for valid command */ 174 if (dcp->cp_cmd >= DCP_CMD_MAX) { 175 ret = SET_ERROR(EINVAL); 176 goto error; 177 } else { 178 dcp->cp_cmd = cmd; 179 } 180 181 /* check for valid crypt */ 182 if (dcp->cp_crypt >= ZIO_CRYPT_FUNCTIONS) { 183 ret = SET_ERROR(EINVAL); 184 goto error; 185 } else { 186 dcp->cp_crypt = crypt; 187 } 188 189 /* check for valid keyformat */ 190 if (keyformat >= ZFS_KEYFORMAT_FORMATS) { 191 ret = SET_ERROR(EINVAL); 192 goto error; 193 } 194 195 /* check for a valid keylocation (of any kind) and copy it in */ 196 if (keylocation != NULL) { 197 if (!zfs_prop_valid_keylocation(keylocation, B_FALSE)) { 198 ret = SET_ERROR(EINVAL); 199 goto error; 200 } 201 202 dcp->cp_keylocation = spa_strdup(keylocation); 203 } 204 205 /* check wrapping key length, if given */ 206 if (wkeydata != NULL && wkeydata_len != WRAPPING_KEY_LEN) { 207 ret = SET_ERROR(EINVAL); 208 goto error; 209 } 210 211 /* if the user asked for the default crypt, determine that now */ 212 if (dcp->cp_crypt == ZIO_CRYPT_ON) 213 dcp->cp_crypt = ZIO_CRYPT_ON_VALUE; 214 215 /* create the wrapping key from the raw data */ 216 if (wkeydata != NULL) { 217 /* create the wrapping key with the verified parameters */ 218 dsl_wrapping_key_create(wkeydata, keyformat, salt, 219 iters, &wkey); 220 dcp->cp_wkey = wkey; 221 } 222 223 /* 224 * Remove the encryption properties from the nvlist since they are not 225 * maintained through the DSL. 226 */ 227 (void) nvlist_remove_all(props, zfs_prop_to_name(ZFS_PROP_ENCRYPTION)); 228 (void) nvlist_remove_all(props, zfs_prop_to_name(ZFS_PROP_KEYFORMAT)); 229 (void) nvlist_remove_all(props, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT)); 230 (void) nvlist_remove_all(props, 231 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS)); 232 233 *dcp_out = dcp; 234 235 return (0); 236 237 error: 238 kmem_free(dcp, sizeof (dsl_crypto_params_t)); 239 *dcp_out = NULL; 240 return (ret); 241 } 242 243 void 244 dsl_crypto_params_free(dsl_crypto_params_t *dcp, boolean_t unload) 245 { 246 if (dcp == NULL) 247 return; 248 249 if (dcp->cp_keylocation != NULL) 250 spa_strfree(dcp->cp_keylocation); 251 if (unload && dcp->cp_wkey != NULL) 252 dsl_wrapping_key_free(dcp->cp_wkey); 253 254 kmem_free(dcp, sizeof (dsl_crypto_params_t)); 255 } 256 257 static int 258 spa_crypto_key_compare(const void *a, const void *b) 259 { 260 const dsl_crypto_key_t *dcka = a; 261 const dsl_crypto_key_t *dckb = b; 262 263 if (dcka->dck_obj < dckb->dck_obj) 264 return (-1); 265 if (dcka->dck_obj > dckb->dck_obj) 266 return (1); 267 return (0); 268 } 269 270 static int 271 spa_key_mapping_compare(const void *a, const void *b) 272 { 273 const dsl_key_mapping_t *kma = a; 274 const dsl_key_mapping_t *kmb = b; 275 276 if (kma->km_dsobj < kmb->km_dsobj) 277 return (-1); 278 if (kma->km_dsobj > kmb->km_dsobj) 279 return (1); 280 return (0); 281 } 282 283 static int 284 spa_wkey_compare(const void *a, const void *b) 285 { 286 const dsl_wrapping_key_t *wka = a; 287 const dsl_wrapping_key_t *wkb = b; 288 289 if (wka->wk_ddobj < wkb->wk_ddobj) 290 return (-1); 291 if (wka->wk_ddobj > wkb->wk_ddobj) 292 return (1); 293 return (0); 294 } 295 296 void 297 spa_keystore_init(spa_keystore_t *sk) 298 { 299 rw_init(&sk->sk_dk_lock, NULL, RW_DEFAULT, NULL); 300 rw_init(&sk->sk_km_lock, NULL, RW_DEFAULT, NULL); 301 rw_init(&sk->sk_wkeys_lock, NULL, RW_DEFAULT, NULL); 302 avl_create(&sk->sk_dsl_keys, spa_crypto_key_compare, 303 sizeof (dsl_crypto_key_t), 304 offsetof(dsl_crypto_key_t, dck_avl_link)); 305 avl_create(&sk->sk_key_mappings, spa_key_mapping_compare, 306 sizeof (dsl_key_mapping_t), 307 offsetof(dsl_key_mapping_t, km_avl_link)); 308 avl_create(&sk->sk_wkeys, spa_wkey_compare, sizeof (dsl_wrapping_key_t), 309 offsetof(dsl_wrapping_key_t, wk_avl_link)); 310 } 311 312 void 313 spa_keystore_fini(spa_keystore_t *sk) 314 { 315 dsl_wrapping_key_t *wkey; 316 void *cookie = NULL; 317 318 ASSERT(avl_is_empty(&sk->sk_dsl_keys)); 319 ASSERT(avl_is_empty(&sk->sk_key_mappings)); 320 321 while ((wkey = avl_destroy_nodes(&sk->sk_wkeys, &cookie)) != NULL) 322 dsl_wrapping_key_free(wkey); 323 324 avl_destroy(&sk->sk_wkeys); 325 avl_destroy(&sk->sk_key_mappings); 326 avl_destroy(&sk->sk_dsl_keys); 327 rw_destroy(&sk->sk_wkeys_lock); 328 rw_destroy(&sk->sk_km_lock); 329 rw_destroy(&sk->sk_dk_lock); 330 } 331 332 static int 333 dsl_dir_get_encryption_root_ddobj(dsl_dir_t *dd, uint64_t *rddobj) 334 { 335 if (dd->dd_crypto_obj == 0) 336 return (SET_ERROR(ENOENT)); 337 338 return (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 339 DSL_CRYPTO_KEY_ROOT_DDOBJ, 8, 1, rddobj)); 340 } 341 342 static int 343 dsl_dir_get_encryption_version(dsl_dir_t *dd, uint64_t *version) 344 { 345 *version = 0; 346 347 if (dd->dd_crypto_obj == 0) 348 return (SET_ERROR(ENOENT)); 349 350 /* version 0 is implied by ENOENT */ 351 (void) zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 352 DSL_CRYPTO_KEY_VERSION, 8, 1, version); 353 354 return (0); 355 } 356 357 boolean_t 358 dsl_dir_incompatible_encryption_version(dsl_dir_t *dd) 359 { 360 int ret; 361 uint64_t version = 0; 362 363 ret = dsl_dir_get_encryption_version(dd, &version); 364 if (ret != 0) 365 return (B_FALSE); 366 367 return (version != ZIO_CRYPT_KEY_CURRENT_VERSION); 368 } 369 370 static int 371 spa_keystore_wkey_hold_ddobj_impl(spa_t *spa, uint64_t ddobj, 372 void *tag, dsl_wrapping_key_t **wkey_out) 373 { 374 int ret; 375 dsl_wrapping_key_t search_wkey; 376 dsl_wrapping_key_t *found_wkey; 377 378 ASSERT(RW_LOCK_HELD(&spa->spa_keystore.sk_wkeys_lock)); 379 380 /* init the search wrapping key */ 381 search_wkey.wk_ddobj = ddobj; 382 383 /* lookup the wrapping key */ 384 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, &search_wkey, NULL); 385 if (!found_wkey) { 386 ret = SET_ERROR(ENOENT); 387 goto error; 388 } 389 390 /* increment the refcount */ 391 dsl_wrapping_key_hold(found_wkey, tag); 392 393 *wkey_out = found_wkey; 394 return (0); 395 396 error: 397 *wkey_out = NULL; 398 return (ret); 399 } 400 401 static int 402 spa_keystore_wkey_hold_dd(spa_t *spa, dsl_dir_t *dd, void *tag, 403 dsl_wrapping_key_t **wkey_out) 404 { 405 int ret; 406 dsl_wrapping_key_t *wkey; 407 uint64_t rddobj; 408 boolean_t locked = B_FALSE; 409 410 if (!RW_WRITE_HELD(&spa->spa_keystore.sk_wkeys_lock)) { 411 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_READER); 412 locked = B_TRUE; 413 } 414 415 /* get the ddobj that the keylocation property was inherited from */ 416 ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj); 417 if (ret != 0) 418 goto error; 419 420 /* lookup the wkey in the avl tree */ 421 ret = spa_keystore_wkey_hold_ddobj_impl(spa, rddobj, tag, &wkey); 422 if (ret != 0) 423 goto error; 424 425 /* unlock the wkey tree if we locked it */ 426 if (locked) 427 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 428 429 *wkey_out = wkey; 430 return (0); 431 432 error: 433 if (locked) 434 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 435 436 *wkey_out = NULL; 437 return (ret); 438 } 439 440 int 441 dsl_crypto_can_set_keylocation(const char *dsname, const char *keylocation) 442 { 443 int ret = 0; 444 dsl_dir_t *dd = NULL; 445 dsl_pool_t *dp = NULL; 446 uint64_t rddobj; 447 448 /* hold the dsl dir */ 449 ret = dsl_pool_hold(dsname, FTAG, &dp); 450 if (ret != 0) 451 goto out; 452 453 ret = dsl_dir_hold(dp, dsname, FTAG, &dd, NULL); 454 if (ret != 0) { 455 dd = NULL; 456 goto out; 457 } 458 459 /* if dd is not encrypted, the value may only be "none" */ 460 if (dd->dd_crypto_obj == 0) { 461 if (strcmp(keylocation, "none") != 0) { 462 ret = SET_ERROR(EACCES); 463 goto out; 464 } 465 466 ret = 0; 467 goto out; 468 } 469 470 /* check for a valid keylocation for encrypted datasets */ 471 if (!zfs_prop_valid_keylocation(keylocation, B_TRUE)) { 472 ret = SET_ERROR(EINVAL); 473 goto out; 474 } 475 476 /* check that this is an encryption root */ 477 ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj); 478 if (ret != 0) 479 goto out; 480 481 if (rddobj != dd->dd_object) { 482 ret = SET_ERROR(EACCES); 483 goto out; 484 } 485 486 dsl_dir_rele(dd, FTAG); 487 dsl_pool_rele(dp, FTAG); 488 489 return (0); 490 491 out: 492 if (dd != NULL) 493 dsl_dir_rele(dd, FTAG); 494 if (dp != NULL) 495 dsl_pool_rele(dp, FTAG); 496 497 return (ret); 498 } 499 500 static void 501 dsl_crypto_key_free(dsl_crypto_key_t *dck) 502 { 503 ASSERT(zfs_refcount_count(&dck->dck_holds) == 0); 504 505 /* destroy the zio_crypt_key_t */ 506 zio_crypt_key_destroy(&dck->dck_key); 507 508 /* free the refcount, wrapping key, and lock */ 509 zfs_refcount_destroy(&dck->dck_holds); 510 if (dck->dck_wkey) 511 dsl_wrapping_key_rele(dck->dck_wkey, dck); 512 513 /* free the key */ 514 kmem_free(dck, sizeof (dsl_crypto_key_t)); 515 } 516 517 static void 518 dsl_crypto_key_rele(dsl_crypto_key_t *dck, void *tag) 519 { 520 if (zfs_refcount_remove(&dck->dck_holds, tag) == 0) 521 dsl_crypto_key_free(dck); 522 } 523 524 static int 525 dsl_crypto_key_open(objset_t *mos, dsl_wrapping_key_t *wkey, 526 uint64_t dckobj, void *tag, dsl_crypto_key_t **dck_out) 527 { 528 int ret; 529 uint64_t crypt = 0, guid = 0, version = 0; 530 uint8_t raw_keydata[MASTER_KEY_MAX_LEN]; 531 uint8_t raw_hmac_keydata[SHA512_HMAC_KEYLEN]; 532 uint8_t iv[WRAPPING_IV_LEN]; 533 uint8_t mac[WRAPPING_MAC_LEN]; 534 dsl_crypto_key_t *dck; 535 536 /* allocate and initialize the key */ 537 dck = kmem_zalloc(sizeof (dsl_crypto_key_t), KM_SLEEP); 538 539 /* fetch all of the values we need from the ZAP */ 540 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, 541 &crypt); 542 if (ret != 0) 543 goto error; 544 545 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_GUID, 8, 1, &guid); 546 if (ret != 0) 547 goto error; 548 549 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MASTER_KEY, 1, 550 MASTER_KEY_MAX_LEN, raw_keydata); 551 if (ret != 0) 552 goto error; 553 554 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_HMAC_KEY, 1, 555 SHA512_HMAC_KEYLEN, raw_hmac_keydata); 556 if (ret != 0) 557 goto error; 558 559 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_IV, 1, WRAPPING_IV_LEN, 560 iv); 561 if (ret != 0) 562 goto error; 563 564 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MAC, 1, WRAPPING_MAC_LEN, 565 mac); 566 if (ret != 0) 567 goto error; 568 569 /* the initial on-disk format for encryption did not have a version */ 570 (void) zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_VERSION, 8, 1, &version); 571 572 /* 573 * Unwrap the keys. If there is an error return EACCES to indicate 574 * an authentication failure. 575 */ 576 ret = zio_crypt_key_unwrap(&wkey->wk_key, crypt, version, guid, 577 raw_keydata, raw_hmac_keydata, iv, mac, &dck->dck_key); 578 if (ret != 0) { 579 ret = SET_ERROR(EACCES); 580 goto error; 581 } 582 583 /* finish initializing the dsl_crypto_key_t */ 584 zfs_refcount_create(&dck->dck_holds); 585 dsl_wrapping_key_hold(wkey, dck); 586 dck->dck_wkey = wkey; 587 dck->dck_obj = dckobj; 588 zfs_refcount_add(&dck->dck_holds, tag); 589 590 *dck_out = dck; 591 return (0); 592 593 error: 594 if (dck != NULL) { 595 bzero(dck, sizeof (dsl_crypto_key_t)); 596 kmem_free(dck, sizeof (dsl_crypto_key_t)); 597 } 598 599 *dck_out = NULL; 600 return (ret); 601 } 602 603 static int 604 spa_keystore_dsl_key_hold_impl(spa_t *spa, uint64_t dckobj, void *tag, 605 dsl_crypto_key_t **dck_out) 606 { 607 int ret; 608 dsl_crypto_key_t search_dck; 609 dsl_crypto_key_t *found_dck; 610 611 ASSERT(RW_LOCK_HELD(&spa->spa_keystore.sk_dk_lock)); 612 613 /* init the search key */ 614 search_dck.dck_obj = dckobj; 615 616 /* find the matching key in the keystore */ 617 found_dck = avl_find(&spa->spa_keystore.sk_dsl_keys, &search_dck, NULL); 618 if (!found_dck) { 619 ret = SET_ERROR(ENOENT); 620 goto error; 621 } 622 623 /* increment the refcount */ 624 zfs_refcount_add(&found_dck->dck_holds, tag); 625 626 *dck_out = found_dck; 627 return (0); 628 629 error: 630 *dck_out = NULL; 631 return (ret); 632 } 633 634 static int 635 spa_keystore_dsl_key_hold_dd(spa_t *spa, dsl_dir_t *dd, void *tag, 636 dsl_crypto_key_t **dck_out) 637 { 638 int ret; 639 avl_index_t where; 640 dsl_crypto_key_t *dck_io = NULL, *dck_ks = NULL; 641 dsl_wrapping_key_t *wkey = NULL; 642 uint64_t dckobj = dd->dd_crypto_obj; 643 644 /* Lookup the key in the tree of currently loaded keys */ 645 rw_enter(&spa->spa_keystore.sk_dk_lock, RW_READER); 646 ret = spa_keystore_dsl_key_hold_impl(spa, dckobj, tag, &dck_ks); 647 rw_exit(&spa->spa_keystore.sk_dk_lock); 648 if (ret == 0) { 649 *dck_out = dck_ks; 650 return (0); 651 } 652 653 /* Lookup the wrapping key from the keystore */ 654 ret = spa_keystore_wkey_hold_dd(spa, dd, FTAG, &wkey); 655 if (ret != 0) { 656 *dck_out = NULL; 657 return (SET_ERROR(EACCES)); 658 } 659 660 /* Read the key from disk */ 661 ret = dsl_crypto_key_open(spa->spa_meta_objset, wkey, dckobj, 662 tag, &dck_io); 663 if (ret != 0) { 664 dsl_wrapping_key_rele(wkey, FTAG); 665 *dck_out = NULL; 666 return (ret); 667 } 668 669 /* 670 * Add the key to the keystore. It may already exist if it was 671 * added while performing the read from disk. In this case discard 672 * it and return the key from the keystore. 673 */ 674 rw_enter(&spa->spa_keystore.sk_dk_lock, RW_WRITER); 675 ret = spa_keystore_dsl_key_hold_impl(spa, dckobj, tag, &dck_ks); 676 if (ret != 0) { 677 avl_find(&spa->spa_keystore.sk_dsl_keys, dck_io, &where); 678 avl_insert(&spa->spa_keystore.sk_dsl_keys, dck_io, where); 679 *dck_out = dck_io; 680 } else { 681 dsl_crypto_key_free(dck_io); 682 *dck_out = dck_ks; 683 } 684 685 /* Release the wrapping key (the dsl key now has a reference to it) */ 686 dsl_wrapping_key_rele(wkey, FTAG); 687 rw_exit(&spa->spa_keystore.sk_dk_lock); 688 689 return (0); 690 } 691 692 void 693 spa_keystore_dsl_key_rele(spa_t *spa, dsl_crypto_key_t *dck, void *tag) 694 { 695 rw_enter(&spa->spa_keystore.sk_dk_lock, RW_WRITER); 696 697 if (zfs_refcount_remove(&dck->dck_holds, tag) == 0) { 698 avl_remove(&spa->spa_keystore.sk_dsl_keys, dck); 699 dsl_crypto_key_free(dck); 700 } 701 702 rw_exit(&spa->spa_keystore.sk_dk_lock); 703 } 704 705 int 706 spa_keystore_load_wkey_impl(spa_t *spa, dsl_wrapping_key_t *wkey) 707 { 708 int ret; 709 avl_index_t where; 710 dsl_wrapping_key_t *found_wkey; 711 712 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 713 714 /* insert the wrapping key into the keystore */ 715 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, wkey, &where); 716 if (found_wkey != NULL) { 717 ret = SET_ERROR(EEXIST); 718 goto error_unlock; 719 } 720 avl_insert(&spa->spa_keystore.sk_wkeys, wkey, where); 721 722 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 723 724 return (0); 725 726 error_unlock: 727 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 728 return (ret); 729 } 730 731 int 732 spa_keystore_load_wkey(const char *dsname, dsl_crypto_params_t *dcp, 733 boolean_t noop) 734 { 735 int ret; 736 dsl_dir_t *dd = NULL; 737 dsl_crypto_key_t *dck = NULL; 738 dsl_wrapping_key_t *wkey = dcp->cp_wkey; 739 dsl_pool_t *dp = NULL; 740 uint64_t rddobj, keyformat, salt, iters; 741 742 /* 743 * We don't validate the wrapping key's keyformat, salt, or iters 744 * since they will never be needed after the DCK has been wrapped. 745 */ 746 if (dcp->cp_wkey == NULL || 747 dcp->cp_cmd != DCP_CMD_NONE || 748 dcp->cp_crypt != ZIO_CRYPT_INHERIT || 749 dcp->cp_keylocation != NULL) 750 return (SET_ERROR(EINVAL)); 751 752 ret = dsl_pool_hold(dsname, FTAG, &dp); 753 if (ret != 0) 754 goto error; 755 756 if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_ENCRYPTION)) { 757 ret = SET_ERROR(ENOTSUP); 758 goto error; 759 } 760 761 /* hold the dsl dir */ 762 ret = dsl_dir_hold(dp, dsname, FTAG, &dd, NULL); 763 if (ret != 0) { 764 dd = NULL; 765 goto error; 766 } 767 768 /* confirm that dd is the encryption root */ 769 ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj); 770 if (ret != 0 || rddobj != dd->dd_object) { 771 ret = SET_ERROR(EINVAL); 772 goto error; 773 } 774 775 /* initialize the wkey's ddobj */ 776 wkey->wk_ddobj = dd->dd_object; 777 778 /* verify that the wkey is correct by opening its dsl key */ 779 ret = dsl_crypto_key_open(dp->dp_meta_objset, wkey, 780 dd->dd_crypto_obj, FTAG, &dck); 781 if (ret != 0) 782 goto error; 783 784 /* initialize the wkey encryption parameters from the DSL Crypto Key */ 785 ret = zap_lookup(dp->dp_meta_objset, dd->dd_crypto_obj, 786 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 8, 1, &keyformat); 787 if (ret != 0) 788 goto error; 789 790 ret = zap_lookup(dp->dp_meta_objset, dd->dd_crypto_obj, 791 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 8, 1, &salt); 792 if (ret != 0) 793 goto error; 794 795 ret = zap_lookup(dp->dp_meta_objset, dd->dd_crypto_obj, 796 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 8, 1, &iters); 797 if (ret != 0) 798 goto error; 799 800 ASSERT3U(keyformat, <, ZFS_KEYFORMAT_FORMATS); 801 ASSERT3U(keyformat, !=, ZFS_KEYFORMAT_NONE); 802 IMPLY(keyformat == ZFS_KEYFORMAT_PASSPHRASE, iters != 0); 803 IMPLY(keyformat == ZFS_KEYFORMAT_PASSPHRASE, salt != 0); 804 IMPLY(keyformat != ZFS_KEYFORMAT_PASSPHRASE, iters == 0); 805 IMPLY(keyformat != ZFS_KEYFORMAT_PASSPHRASE, salt == 0); 806 807 wkey->wk_keyformat = keyformat; 808 wkey->wk_salt = salt; 809 wkey->wk_iters = iters; 810 811 /* 812 * At this point we have verified the wkey and confirmed that it can 813 * be used to decrypt a DSL Crypto Key. We can simply cleanup and 814 * return if this is all the user wanted to do. 815 */ 816 if (noop) 817 goto error; 818 819 /* insert the wrapping key into the keystore */ 820 ret = spa_keystore_load_wkey_impl(dp->dp_spa, wkey); 821 if (ret != 0) 822 goto error; 823 824 dsl_crypto_key_rele(dck, FTAG); 825 dsl_dir_rele(dd, FTAG); 826 dsl_pool_rele(dp, FTAG); 827 828 /* create any zvols under this ds */ 829 zvol_create_minors_recursive(dsname); 830 831 return (0); 832 833 error: 834 if (dck != NULL) 835 dsl_crypto_key_rele(dck, FTAG); 836 if (dd != NULL) 837 dsl_dir_rele(dd, FTAG); 838 if (dp != NULL) 839 dsl_pool_rele(dp, FTAG); 840 841 return (ret); 842 } 843 844 int 845 spa_keystore_unload_wkey_impl(spa_t *spa, uint64_t ddobj) 846 { 847 int ret; 848 dsl_wrapping_key_t search_wkey; 849 dsl_wrapping_key_t *found_wkey; 850 851 /* init the search wrapping key */ 852 search_wkey.wk_ddobj = ddobj; 853 854 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 855 856 /* remove the wrapping key from the keystore */ 857 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, 858 &search_wkey, NULL); 859 if (!found_wkey) { 860 ret = SET_ERROR(EACCES); 861 goto error_unlock; 862 } else if (zfs_refcount_count(&found_wkey->wk_refcnt) != 0) { 863 ret = SET_ERROR(EBUSY); 864 goto error_unlock; 865 } 866 avl_remove(&spa->spa_keystore.sk_wkeys, found_wkey); 867 868 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 869 870 /* free the wrapping key */ 871 dsl_wrapping_key_free(found_wkey); 872 873 return (0); 874 875 error_unlock: 876 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 877 return (ret); 878 } 879 880 int 881 spa_keystore_unload_wkey(const char *dsname) 882 { 883 int ret = 0; 884 dsl_dir_t *dd = NULL; 885 dsl_pool_t *dp = NULL; 886 spa_t *spa = NULL; 887 888 ret = spa_open(dsname, &spa, FTAG); 889 if (ret != 0) 890 return (ret); 891 892 /* 893 * Wait for any outstanding txg IO to complete, releasing any 894 * remaining references on the wkey. 895 */ 896 if (spa_mode(spa) != SPA_MODE_READ) 897 txg_wait_synced(spa->spa_dsl_pool, 0); 898 899 spa_close(spa, FTAG); 900 901 /* hold the dsl dir */ 902 ret = dsl_pool_hold(dsname, FTAG, &dp); 903 if (ret != 0) 904 goto error; 905 906 if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_ENCRYPTION)) { 907 ret = (SET_ERROR(ENOTSUP)); 908 goto error; 909 } 910 911 ret = dsl_dir_hold(dp, dsname, FTAG, &dd, NULL); 912 if (ret != 0) { 913 dd = NULL; 914 goto error; 915 } 916 917 /* unload the wkey */ 918 ret = spa_keystore_unload_wkey_impl(dp->dp_spa, dd->dd_object); 919 if (ret != 0) 920 goto error; 921 922 dsl_dir_rele(dd, FTAG); 923 dsl_pool_rele(dp, FTAG); 924 925 /* remove any zvols under this ds */ 926 zvol_remove_minors(dp->dp_spa, dsname, B_TRUE); 927 928 return (0); 929 930 error: 931 if (dd != NULL) 932 dsl_dir_rele(dd, FTAG); 933 if (dp != NULL) 934 dsl_pool_rele(dp, FTAG); 935 936 return (ret); 937 } 938 939 void 940 key_mapping_add_ref(dsl_key_mapping_t *km, void *tag) 941 { 942 ASSERT3U(zfs_refcount_count(&km->km_refcnt), >=, 1); 943 zfs_refcount_add(&km->km_refcnt, tag); 944 } 945 946 /* 947 * The locking here is a little tricky to ensure we don't cause unnecessary 948 * performance problems. We want to release a key mapping whenever someone 949 * decrements the refcount to 0, but freeing the mapping requires removing 950 * it from the spa_keystore, which requires holding sk_km_lock as a writer. 951 * Most of the time we don't want to hold this lock as a writer, since the 952 * same lock is held as a reader for each IO that needs to encrypt / decrypt 953 * data for any dataset and in practice we will only actually free the 954 * mapping after unmounting a dataset. 955 */ 956 void 957 key_mapping_rele(spa_t *spa, dsl_key_mapping_t *km, void *tag) 958 { 959 ASSERT3U(zfs_refcount_count(&km->km_refcnt), >=, 1); 960 961 if (zfs_refcount_remove(&km->km_refcnt, tag) != 0) 962 return; 963 964 /* 965 * We think we are going to need to free the mapping. Add a 966 * reference to prevent most other releasers from thinking 967 * this might be their responsibility. This is inherently 968 * racy, so we will confirm that we are legitimately the 969 * last holder once we have the sk_km_lock as a writer. 970 */ 971 zfs_refcount_add(&km->km_refcnt, FTAG); 972 973 rw_enter(&spa->spa_keystore.sk_km_lock, RW_WRITER); 974 if (zfs_refcount_remove(&km->km_refcnt, FTAG) != 0) { 975 rw_exit(&spa->spa_keystore.sk_km_lock); 976 return; 977 } 978 979 avl_remove(&spa->spa_keystore.sk_key_mappings, km); 980 rw_exit(&spa->spa_keystore.sk_km_lock); 981 982 spa_keystore_dsl_key_rele(spa, km->km_key, km); 983 zfs_refcount_destroy(&km->km_refcnt); 984 kmem_free(km, sizeof (dsl_key_mapping_t)); 985 } 986 987 int 988 spa_keystore_create_mapping(spa_t *spa, dsl_dataset_t *ds, void *tag, 989 dsl_key_mapping_t **km_out) 990 { 991 int ret; 992 avl_index_t where; 993 dsl_key_mapping_t *km, *found_km; 994 boolean_t should_free = B_FALSE; 995 996 /* Allocate and initialize the mapping */ 997 km = kmem_zalloc(sizeof (dsl_key_mapping_t), KM_SLEEP); 998 zfs_refcount_create(&km->km_refcnt); 999 1000 ret = spa_keystore_dsl_key_hold_dd(spa, ds->ds_dir, km, &km->km_key); 1001 if (ret != 0) { 1002 zfs_refcount_destroy(&km->km_refcnt); 1003 kmem_free(km, sizeof (dsl_key_mapping_t)); 1004 1005 if (km_out != NULL) 1006 *km_out = NULL; 1007 return (ret); 1008 } 1009 1010 km->km_dsobj = ds->ds_object; 1011 1012 rw_enter(&spa->spa_keystore.sk_km_lock, RW_WRITER); 1013 1014 /* 1015 * If a mapping already exists, simply increment its refcount and 1016 * cleanup the one we made. We want to allocate / free outside of 1017 * the lock because this lock is also used by the zio layer to lookup 1018 * key mappings. Otherwise, use the one we created. Normally, there will 1019 * only be one active reference at a time (the objset owner), but there 1020 * are times when there could be multiple async users. 1021 */ 1022 found_km = avl_find(&spa->spa_keystore.sk_key_mappings, km, &where); 1023 if (found_km != NULL) { 1024 should_free = B_TRUE; 1025 zfs_refcount_add(&found_km->km_refcnt, tag); 1026 if (km_out != NULL) 1027 *km_out = found_km; 1028 } else { 1029 zfs_refcount_add(&km->km_refcnt, tag); 1030 avl_insert(&spa->spa_keystore.sk_key_mappings, km, where); 1031 if (km_out != NULL) 1032 *km_out = km; 1033 } 1034 1035 rw_exit(&spa->spa_keystore.sk_km_lock); 1036 1037 if (should_free) { 1038 spa_keystore_dsl_key_rele(spa, km->km_key, km); 1039 zfs_refcount_destroy(&km->km_refcnt); 1040 kmem_free(km, sizeof (dsl_key_mapping_t)); 1041 } 1042 1043 return (0); 1044 } 1045 1046 int 1047 spa_keystore_remove_mapping(spa_t *spa, uint64_t dsobj, void *tag) 1048 { 1049 int ret; 1050 dsl_key_mapping_t search_km; 1051 dsl_key_mapping_t *found_km; 1052 1053 /* init the search key mapping */ 1054 search_km.km_dsobj = dsobj; 1055 1056 rw_enter(&spa->spa_keystore.sk_km_lock, RW_READER); 1057 1058 /* find the matching mapping */ 1059 found_km = avl_find(&spa->spa_keystore.sk_key_mappings, 1060 &search_km, NULL); 1061 if (found_km == NULL) { 1062 ret = SET_ERROR(ENOENT); 1063 goto error_unlock; 1064 } 1065 1066 rw_exit(&spa->spa_keystore.sk_km_lock); 1067 1068 key_mapping_rele(spa, found_km, tag); 1069 1070 return (0); 1071 1072 error_unlock: 1073 rw_exit(&spa->spa_keystore.sk_km_lock); 1074 return (ret); 1075 } 1076 1077 /* 1078 * This function is primarily used by the zio and arc layer to lookup 1079 * DSL Crypto Keys for encryption. Callers must release the key with 1080 * spa_keystore_dsl_key_rele(). The function may also be called with 1081 * dck_out == NULL and tag == NULL to simply check that a key exists 1082 * without getting a reference to it. 1083 */ 1084 int 1085 spa_keystore_lookup_key(spa_t *spa, uint64_t dsobj, void *tag, 1086 dsl_crypto_key_t **dck_out) 1087 { 1088 int ret; 1089 dsl_key_mapping_t search_km; 1090 dsl_key_mapping_t *found_km; 1091 1092 ASSERT((tag != NULL && dck_out != NULL) || 1093 (tag == NULL && dck_out == NULL)); 1094 1095 /* init the search key mapping */ 1096 search_km.km_dsobj = dsobj; 1097 1098 rw_enter(&spa->spa_keystore.sk_km_lock, RW_READER); 1099 1100 /* remove the mapping from the tree */ 1101 found_km = avl_find(&spa->spa_keystore.sk_key_mappings, &search_km, 1102 NULL); 1103 if (found_km == NULL) { 1104 ret = SET_ERROR(ENOENT); 1105 goto error_unlock; 1106 } 1107 1108 if (found_km && tag) 1109 zfs_refcount_add(&found_km->km_key->dck_holds, tag); 1110 1111 rw_exit(&spa->spa_keystore.sk_km_lock); 1112 1113 if (dck_out != NULL) 1114 *dck_out = found_km->km_key; 1115 return (0); 1116 1117 error_unlock: 1118 rw_exit(&spa->spa_keystore.sk_km_lock); 1119 1120 if (dck_out != NULL) 1121 *dck_out = NULL; 1122 return (ret); 1123 } 1124 1125 static int 1126 dmu_objset_check_wkey_loaded(dsl_dir_t *dd) 1127 { 1128 int ret; 1129 dsl_wrapping_key_t *wkey = NULL; 1130 1131 ret = spa_keystore_wkey_hold_dd(dd->dd_pool->dp_spa, dd, FTAG, 1132 &wkey); 1133 if (ret != 0) 1134 return (SET_ERROR(EACCES)); 1135 1136 dsl_wrapping_key_rele(wkey, FTAG); 1137 1138 return (0); 1139 } 1140 1141 static zfs_keystatus_t 1142 dsl_dataset_get_keystatus(dsl_dir_t *dd) 1143 { 1144 /* check if this dd has a has a dsl key */ 1145 if (dd->dd_crypto_obj == 0) 1146 return (ZFS_KEYSTATUS_NONE); 1147 1148 return (dmu_objset_check_wkey_loaded(dd) == 0 ? 1149 ZFS_KEYSTATUS_AVAILABLE : ZFS_KEYSTATUS_UNAVAILABLE); 1150 } 1151 1152 static int 1153 dsl_dir_get_crypt(dsl_dir_t *dd, uint64_t *crypt) 1154 { 1155 if (dd->dd_crypto_obj == 0) { 1156 *crypt = ZIO_CRYPT_OFF; 1157 return (0); 1158 } 1159 1160 return (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 1161 DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, crypt)); 1162 } 1163 1164 static void 1165 dsl_crypto_key_sync_impl(objset_t *mos, uint64_t dckobj, uint64_t crypt, 1166 uint64_t root_ddobj, uint64_t guid, uint8_t *iv, uint8_t *mac, 1167 uint8_t *keydata, uint8_t *hmac_keydata, uint64_t keyformat, 1168 uint64_t salt, uint64_t iters, dmu_tx_t *tx) 1169 { 1170 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, 1171 &crypt, tx)); 1172 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_ROOT_DDOBJ, 8, 1, 1173 &root_ddobj, tx)); 1174 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_GUID, 8, 1, 1175 &guid, tx)); 1176 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_IV, 1, WRAPPING_IV_LEN, 1177 iv, tx)); 1178 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_MAC, 1, WRAPPING_MAC_LEN, 1179 mac, tx)); 1180 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_MASTER_KEY, 1, 1181 MASTER_KEY_MAX_LEN, keydata, tx)); 1182 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_HMAC_KEY, 1, 1183 SHA512_HMAC_KEYLEN, hmac_keydata, tx)); 1184 VERIFY0(zap_update(mos, dckobj, zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 1185 8, 1, &keyformat, tx)); 1186 VERIFY0(zap_update(mos, dckobj, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 1187 8, 1, &salt, tx)); 1188 VERIFY0(zap_update(mos, dckobj, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 1189 8, 1, &iters, tx)); 1190 } 1191 1192 static void 1193 dsl_crypto_key_sync(dsl_crypto_key_t *dck, dmu_tx_t *tx) 1194 { 1195 zio_crypt_key_t *key = &dck->dck_key; 1196 dsl_wrapping_key_t *wkey = dck->dck_wkey; 1197 uint8_t keydata[MASTER_KEY_MAX_LEN]; 1198 uint8_t hmac_keydata[SHA512_HMAC_KEYLEN]; 1199 uint8_t iv[WRAPPING_IV_LEN]; 1200 uint8_t mac[WRAPPING_MAC_LEN]; 1201 1202 ASSERT(dmu_tx_is_syncing(tx)); 1203 ASSERT3U(key->zk_crypt, <, ZIO_CRYPT_FUNCTIONS); 1204 1205 /* encrypt and store the keys along with the IV and MAC */ 1206 VERIFY0(zio_crypt_key_wrap(&dck->dck_wkey->wk_key, key, iv, mac, 1207 keydata, hmac_keydata)); 1208 1209 /* update the ZAP with the obtained values */ 1210 dsl_crypto_key_sync_impl(tx->tx_pool->dp_meta_objset, dck->dck_obj, 1211 key->zk_crypt, wkey->wk_ddobj, key->zk_guid, iv, mac, keydata, 1212 hmac_keydata, wkey->wk_keyformat, wkey->wk_salt, wkey->wk_iters, 1213 tx); 1214 } 1215 1216 typedef struct spa_keystore_change_key_args { 1217 const char *skcka_dsname; 1218 dsl_crypto_params_t *skcka_cp; 1219 } spa_keystore_change_key_args_t; 1220 1221 static int 1222 spa_keystore_change_key_check(void *arg, dmu_tx_t *tx) 1223 { 1224 int ret; 1225 dsl_dir_t *dd = NULL; 1226 dsl_pool_t *dp = dmu_tx_pool(tx); 1227 spa_keystore_change_key_args_t *skcka = arg; 1228 dsl_crypto_params_t *dcp = skcka->skcka_cp; 1229 uint64_t rddobj; 1230 1231 /* check for the encryption feature */ 1232 if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_ENCRYPTION)) { 1233 ret = SET_ERROR(ENOTSUP); 1234 goto error; 1235 } 1236 1237 /* check for valid key change command */ 1238 if (dcp->cp_cmd != DCP_CMD_NEW_KEY && 1239 dcp->cp_cmd != DCP_CMD_INHERIT && 1240 dcp->cp_cmd != DCP_CMD_FORCE_NEW_KEY && 1241 dcp->cp_cmd != DCP_CMD_FORCE_INHERIT) { 1242 ret = SET_ERROR(EINVAL); 1243 goto error; 1244 } 1245 1246 /* hold the dd */ 1247 ret = dsl_dir_hold(dp, skcka->skcka_dsname, FTAG, &dd, NULL); 1248 if (ret != 0) { 1249 dd = NULL; 1250 goto error; 1251 } 1252 1253 /* verify that the dataset is encrypted */ 1254 if (dd->dd_crypto_obj == 0) { 1255 ret = SET_ERROR(EINVAL); 1256 goto error; 1257 } 1258 1259 /* clones must always use their origin's key */ 1260 if (dsl_dir_is_clone(dd)) { 1261 ret = SET_ERROR(EINVAL); 1262 goto error; 1263 } 1264 1265 /* lookup the ddobj we are inheriting the keylocation from */ 1266 ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj); 1267 if (ret != 0) 1268 goto error; 1269 1270 /* Handle inheritance */ 1271 if (dcp->cp_cmd == DCP_CMD_INHERIT || 1272 dcp->cp_cmd == DCP_CMD_FORCE_INHERIT) { 1273 /* no other encryption params should be given */ 1274 if (dcp->cp_crypt != ZIO_CRYPT_INHERIT || 1275 dcp->cp_keylocation != NULL || 1276 dcp->cp_wkey != NULL) { 1277 ret = SET_ERROR(EINVAL); 1278 goto error; 1279 } 1280 1281 /* check that this is an encryption root */ 1282 if (dd->dd_object != rddobj) { 1283 ret = SET_ERROR(EINVAL); 1284 goto error; 1285 } 1286 1287 /* check that the parent is encrypted */ 1288 if (dd->dd_parent->dd_crypto_obj == 0) { 1289 ret = SET_ERROR(EINVAL); 1290 goto error; 1291 } 1292 1293 /* if we are rewrapping check that both keys are loaded */ 1294 if (dcp->cp_cmd == DCP_CMD_INHERIT) { 1295 ret = dmu_objset_check_wkey_loaded(dd); 1296 if (ret != 0) 1297 goto error; 1298 1299 ret = dmu_objset_check_wkey_loaded(dd->dd_parent); 1300 if (ret != 0) 1301 goto error; 1302 } 1303 1304 dsl_dir_rele(dd, FTAG); 1305 return (0); 1306 } 1307 1308 /* handle forcing an encryption root without rewrapping */ 1309 if (dcp->cp_cmd == DCP_CMD_FORCE_NEW_KEY) { 1310 /* no other encryption params should be given */ 1311 if (dcp->cp_crypt != ZIO_CRYPT_INHERIT || 1312 dcp->cp_keylocation != NULL || 1313 dcp->cp_wkey != NULL) { 1314 ret = SET_ERROR(EINVAL); 1315 goto error; 1316 } 1317 1318 /* check that this is not an encryption root */ 1319 if (dd->dd_object == rddobj) { 1320 ret = SET_ERROR(EINVAL); 1321 goto error; 1322 } 1323 1324 dsl_dir_rele(dd, FTAG); 1325 return (0); 1326 } 1327 1328 /* crypt cannot be changed after creation */ 1329 if (dcp->cp_crypt != ZIO_CRYPT_INHERIT) { 1330 ret = SET_ERROR(EINVAL); 1331 goto error; 1332 } 1333 1334 /* we are not inheritting our parent's wkey so we need one ourselves */ 1335 if (dcp->cp_wkey == NULL) { 1336 ret = SET_ERROR(EINVAL); 1337 goto error; 1338 } 1339 1340 /* check for a valid keyformat for the new wrapping key */ 1341 if (dcp->cp_wkey->wk_keyformat >= ZFS_KEYFORMAT_FORMATS || 1342 dcp->cp_wkey->wk_keyformat == ZFS_KEYFORMAT_NONE) { 1343 ret = SET_ERROR(EINVAL); 1344 goto error; 1345 } 1346 1347 /* 1348 * If this dataset is not currently an encryption root we need a new 1349 * keylocation for this dataset's new wrapping key. Otherwise we can 1350 * just keep the one we already had. 1351 */ 1352 if (dd->dd_object != rddobj && dcp->cp_keylocation == NULL) { 1353 ret = SET_ERROR(EINVAL); 1354 goto error; 1355 } 1356 1357 /* check that the keylocation is valid if it is not NULL */ 1358 if (dcp->cp_keylocation != NULL && 1359 !zfs_prop_valid_keylocation(dcp->cp_keylocation, B_TRUE)) { 1360 ret = SET_ERROR(EINVAL); 1361 goto error; 1362 } 1363 1364 /* passphrases require pbkdf2 salt and iters */ 1365 if (dcp->cp_wkey->wk_keyformat == ZFS_KEYFORMAT_PASSPHRASE) { 1366 if (dcp->cp_wkey->wk_salt == 0 || 1367 dcp->cp_wkey->wk_iters < MIN_PBKDF2_ITERATIONS) { 1368 ret = SET_ERROR(EINVAL); 1369 goto error; 1370 } 1371 } else { 1372 if (dcp->cp_wkey->wk_salt != 0 || dcp->cp_wkey->wk_iters != 0) { 1373 ret = SET_ERROR(EINVAL); 1374 goto error; 1375 } 1376 } 1377 1378 /* make sure the dd's wkey is loaded */ 1379 ret = dmu_objset_check_wkey_loaded(dd); 1380 if (ret != 0) 1381 goto error; 1382 1383 dsl_dir_rele(dd, FTAG); 1384 1385 return (0); 1386 1387 error: 1388 if (dd != NULL) 1389 dsl_dir_rele(dd, FTAG); 1390 1391 return (ret); 1392 } 1393 1394 /* 1395 * This function deals with the intricacies of updating wrapping 1396 * key references and encryption roots recursively in the event 1397 * of a call to 'zfs change-key' or 'zfs promote'. The 'skip' 1398 * parameter should always be set to B_FALSE when called 1399 * externally. 1400 */ 1401 static void 1402 spa_keystore_change_key_sync_impl(uint64_t rddobj, uint64_t ddobj, 1403 uint64_t new_rddobj, dsl_wrapping_key_t *wkey, boolean_t skip, 1404 dmu_tx_t *tx) 1405 { 1406 int ret; 1407 zap_cursor_t *zc; 1408 zap_attribute_t *za; 1409 dsl_pool_t *dp = dmu_tx_pool(tx); 1410 dsl_dir_t *dd = NULL; 1411 dsl_crypto_key_t *dck = NULL; 1412 uint64_t curr_rddobj; 1413 1414 ASSERT(RW_WRITE_HELD(&dp->dp_spa->spa_keystore.sk_wkeys_lock)); 1415 1416 /* hold the dd */ 1417 VERIFY0(dsl_dir_hold_obj(dp, ddobj, NULL, FTAG, &dd)); 1418 1419 /* ignore special dsl dirs */ 1420 if (dd->dd_myname[0] == '$' || dd->dd_myname[0] == '%') { 1421 dsl_dir_rele(dd, FTAG); 1422 return; 1423 } 1424 1425 ret = dsl_dir_get_encryption_root_ddobj(dd, &curr_rddobj); 1426 VERIFY(ret == 0 || ret == ENOENT); 1427 1428 /* 1429 * Stop recursing if this dsl dir didn't inherit from the root 1430 * or if this dd is a clone. 1431 */ 1432 if (ret == ENOENT || 1433 (!skip && (curr_rddobj != rddobj || dsl_dir_is_clone(dd)))) { 1434 dsl_dir_rele(dd, FTAG); 1435 return; 1436 } 1437 1438 /* 1439 * If we don't have a wrapping key just update the dck to reflect the 1440 * new encryption root. Otherwise rewrap the entire dck and re-sync it 1441 * to disk. If skip is set, we don't do any of this work. 1442 */ 1443 if (!skip) { 1444 if (wkey == NULL) { 1445 VERIFY0(zap_update(dp->dp_meta_objset, 1446 dd->dd_crypto_obj, 1447 DSL_CRYPTO_KEY_ROOT_DDOBJ, 8, 1, 1448 &new_rddobj, tx)); 1449 } else { 1450 VERIFY0(spa_keystore_dsl_key_hold_dd(dp->dp_spa, dd, 1451 FTAG, &dck)); 1452 dsl_wrapping_key_hold(wkey, dck); 1453 dsl_wrapping_key_rele(dck->dck_wkey, dck); 1454 dck->dck_wkey = wkey; 1455 dsl_crypto_key_sync(dck, tx); 1456 spa_keystore_dsl_key_rele(dp->dp_spa, dck, FTAG); 1457 } 1458 } 1459 1460 zc = kmem_alloc(sizeof (zap_cursor_t), KM_SLEEP); 1461 za = kmem_alloc(sizeof (zap_attribute_t), KM_SLEEP); 1462 1463 /* Recurse into all child dsl dirs. */ 1464 for (zap_cursor_init(zc, dp->dp_meta_objset, 1465 dsl_dir_phys(dd)->dd_child_dir_zapobj); 1466 zap_cursor_retrieve(zc, za) == 0; 1467 zap_cursor_advance(zc)) { 1468 spa_keystore_change_key_sync_impl(rddobj, 1469 za->za_first_integer, new_rddobj, wkey, B_FALSE, tx); 1470 } 1471 zap_cursor_fini(zc); 1472 1473 /* 1474 * Recurse into all dsl dirs of clones. We utilize the skip parameter 1475 * here so that we don't attempt to process the clones directly. This 1476 * is because the clone and its origin share the same dck, which has 1477 * already been updated. 1478 */ 1479 for (zap_cursor_init(zc, dp->dp_meta_objset, 1480 dsl_dir_phys(dd)->dd_clones); 1481 zap_cursor_retrieve(zc, za) == 0; 1482 zap_cursor_advance(zc)) { 1483 dsl_dataset_t *clone; 1484 1485 VERIFY0(dsl_dataset_hold_obj(dp, za->za_first_integer, 1486 FTAG, &clone)); 1487 spa_keystore_change_key_sync_impl(rddobj, 1488 clone->ds_dir->dd_object, new_rddobj, wkey, B_TRUE, tx); 1489 dsl_dataset_rele(clone, FTAG); 1490 } 1491 zap_cursor_fini(zc); 1492 1493 kmem_free(za, sizeof (zap_attribute_t)); 1494 kmem_free(zc, sizeof (zap_cursor_t)); 1495 1496 dsl_dir_rele(dd, FTAG); 1497 } 1498 1499 static void 1500 spa_keystore_change_key_sync(void *arg, dmu_tx_t *tx) 1501 { 1502 dsl_dataset_t *ds; 1503 avl_index_t where; 1504 dsl_pool_t *dp = dmu_tx_pool(tx); 1505 spa_t *spa = dp->dp_spa; 1506 spa_keystore_change_key_args_t *skcka = arg; 1507 dsl_crypto_params_t *dcp = skcka->skcka_cp; 1508 dsl_wrapping_key_t *wkey = NULL, *found_wkey; 1509 dsl_wrapping_key_t wkey_search; 1510 char *keylocation = dcp->cp_keylocation; 1511 uint64_t rddobj, new_rddobj; 1512 1513 /* create and initialize the wrapping key */ 1514 VERIFY0(dsl_dataset_hold(dp, skcka->skcka_dsname, FTAG, &ds)); 1515 ASSERT(!ds->ds_is_snapshot); 1516 1517 if (dcp->cp_cmd == DCP_CMD_NEW_KEY || 1518 dcp->cp_cmd == DCP_CMD_FORCE_NEW_KEY) { 1519 /* 1520 * We are changing to a new wkey. Set additional properties 1521 * which can be sent along with this ioctl. Note that this 1522 * command can set keylocation even if it can't normally be 1523 * set via 'zfs set' due to a non-local keylocation. 1524 */ 1525 if (dcp->cp_cmd == DCP_CMD_NEW_KEY) { 1526 wkey = dcp->cp_wkey; 1527 wkey->wk_ddobj = ds->ds_dir->dd_object; 1528 } else { 1529 keylocation = "prompt"; 1530 } 1531 1532 if (keylocation != NULL) { 1533 dsl_prop_set_sync_impl(ds, 1534 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1535 ZPROP_SRC_LOCAL, 1, strlen(keylocation) + 1, 1536 keylocation, tx); 1537 } 1538 1539 VERIFY0(dsl_dir_get_encryption_root_ddobj(ds->ds_dir, &rddobj)); 1540 new_rddobj = ds->ds_dir->dd_object; 1541 } else { 1542 /* 1543 * We are inheritting the parent's wkey. Unset any local 1544 * keylocation and grab a reference to the wkey. 1545 */ 1546 if (dcp->cp_cmd == DCP_CMD_INHERIT) { 1547 VERIFY0(spa_keystore_wkey_hold_dd(spa, 1548 ds->ds_dir->dd_parent, FTAG, &wkey)); 1549 } 1550 1551 dsl_prop_set_sync_impl(ds, 1552 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), ZPROP_SRC_NONE, 1553 0, 0, NULL, tx); 1554 1555 rddobj = ds->ds_dir->dd_object; 1556 VERIFY0(dsl_dir_get_encryption_root_ddobj(ds->ds_dir->dd_parent, 1557 &new_rddobj)); 1558 } 1559 1560 if (wkey == NULL) { 1561 ASSERT(dcp->cp_cmd == DCP_CMD_FORCE_INHERIT || 1562 dcp->cp_cmd == DCP_CMD_FORCE_NEW_KEY); 1563 } 1564 1565 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 1566 1567 /* recurse through all children and rewrap their keys */ 1568 spa_keystore_change_key_sync_impl(rddobj, ds->ds_dir->dd_object, 1569 new_rddobj, wkey, B_FALSE, tx); 1570 1571 /* 1572 * All references to the old wkey should be released now (if it 1573 * existed). Replace the wrapping key. 1574 */ 1575 wkey_search.wk_ddobj = ds->ds_dir->dd_object; 1576 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, &wkey_search, NULL); 1577 if (found_wkey != NULL) { 1578 ASSERT0(zfs_refcount_count(&found_wkey->wk_refcnt)); 1579 avl_remove(&spa->spa_keystore.sk_wkeys, found_wkey); 1580 dsl_wrapping_key_free(found_wkey); 1581 } 1582 1583 if (dcp->cp_cmd == DCP_CMD_NEW_KEY) { 1584 avl_find(&spa->spa_keystore.sk_wkeys, wkey, &where); 1585 avl_insert(&spa->spa_keystore.sk_wkeys, wkey, where); 1586 } else if (wkey != NULL) { 1587 dsl_wrapping_key_rele(wkey, FTAG); 1588 } 1589 1590 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 1591 1592 dsl_dataset_rele(ds, FTAG); 1593 } 1594 1595 int 1596 spa_keystore_change_key(const char *dsname, dsl_crypto_params_t *dcp) 1597 { 1598 spa_keystore_change_key_args_t skcka; 1599 1600 /* initialize the args struct */ 1601 skcka.skcka_dsname = dsname; 1602 skcka.skcka_cp = dcp; 1603 1604 /* 1605 * Perform the actual work in syncing context. The blocks modified 1606 * here could be calculated but it would require holding the pool 1607 * lock and traversing all of the datasets that will have their keys 1608 * changed. 1609 */ 1610 return (dsl_sync_task(dsname, spa_keystore_change_key_check, 1611 spa_keystore_change_key_sync, &skcka, 15, 1612 ZFS_SPACE_CHECK_RESERVED)); 1613 } 1614 1615 int 1616 dsl_dir_rename_crypt_check(dsl_dir_t *dd, dsl_dir_t *newparent) 1617 { 1618 int ret; 1619 uint64_t curr_rddobj, parent_rddobj; 1620 1621 if (dd->dd_crypto_obj == 0) 1622 return (0); 1623 1624 ret = dsl_dir_get_encryption_root_ddobj(dd, &curr_rddobj); 1625 if (ret != 0) 1626 goto error; 1627 1628 /* 1629 * if this is not an encryption root, we must make sure we are not 1630 * moving dd to a new encryption root 1631 */ 1632 if (dd->dd_object != curr_rddobj) { 1633 ret = dsl_dir_get_encryption_root_ddobj(newparent, 1634 &parent_rddobj); 1635 if (ret != 0) 1636 goto error; 1637 1638 if (parent_rddobj != curr_rddobj) { 1639 ret = SET_ERROR(EACCES); 1640 goto error; 1641 } 1642 } 1643 1644 return (0); 1645 1646 error: 1647 return (ret); 1648 } 1649 1650 /* 1651 * Check to make sure that a promote from targetdd to origindd will not require 1652 * any key rewraps. 1653 */ 1654 int 1655 dsl_dataset_promote_crypt_check(dsl_dir_t *target, dsl_dir_t *origin) 1656 { 1657 int ret; 1658 uint64_t rddobj, op_rddobj, tp_rddobj; 1659 1660 /* If the dataset is not encrypted we don't need to check anything */ 1661 if (origin->dd_crypto_obj == 0) 1662 return (0); 1663 1664 /* 1665 * If we are not changing the first origin snapshot in a chain 1666 * the encryption root won't change either. 1667 */ 1668 if (dsl_dir_is_clone(origin)) 1669 return (0); 1670 1671 /* 1672 * If the origin is the encryption root we will update 1673 * the DSL Crypto Key to point to the target instead. 1674 */ 1675 ret = dsl_dir_get_encryption_root_ddobj(origin, &rddobj); 1676 if (ret != 0) 1677 return (ret); 1678 1679 if (rddobj == origin->dd_object) 1680 return (0); 1681 1682 /* 1683 * The origin is inheriting its encryption root from its parent. 1684 * Check that the parent of the target has the same encryption root. 1685 */ 1686 ret = dsl_dir_get_encryption_root_ddobj(origin->dd_parent, &op_rddobj); 1687 if (ret == ENOENT) 1688 return (SET_ERROR(EACCES)); 1689 else if (ret != 0) 1690 return (ret); 1691 1692 ret = dsl_dir_get_encryption_root_ddobj(target->dd_parent, &tp_rddobj); 1693 if (ret == ENOENT) 1694 return (SET_ERROR(EACCES)); 1695 else if (ret != 0) 1696 return (ret); 1697 1698 if (op_rddobj != tp_rddobj) 1699 return (SET_ERROR(EACCES)); 1700 1701 return (0); 1702 } 1703 1704 void 1705 dsl_dataset_promote_crypt_sync(dsl_dir_t *target, dsl_dir_t *origin, 1706 dmu_tx_t *tx) 1707 { 1708 uint64_t rddobj; 1709 dsl_pool_t *dp = target->dd_pool; 1710 dsl_dataset_t *targetds; 1711 dsl_dataset_t *originds; 1712 char *keylocation; 1713 1714 if (origin->dd_crypto_obj == 0) 1715 return; 1716 if (dsl_dir_is_clone(origin)) 1717 return; 1718 1719 VERIFY0(dsl_dir_get_encryption_root_ddobj(origin, &rddobj)); 1720 1721 if (rddobj != origin->dd_object) 1722 return; 1723 1724 /* 1725 * If the target is being promoted to the encryption root update the 1726 * DSL Crypto Key and keylocation to reflect that. We also need to 1727 * update the DSL Crypto Keys of all children inheritting their 1728 * encryption root to point to the new target. Otherwise, the check 1729 * function ensured that the encryption root will not change. 1730 */ 1731 keylocation = kmem_alloc(ZAP_MAXVALUELEN, KM_SLEEP); 1732 1733 VERIFY0(dsl_dataset_hold_obj(dp, 1734 dsl_dir_phys(target)->dd_head_dataset_obj, FTAG, &targetds)); 1735 VERIFY0(dsl_dataset_hold_obj(dp, 1736 dsl_dir_phys(origin)->dd_head_dataset_obj, FTAG, &originds)); 1737 1738 VERIFY0(dsl_prop_get_dd(origin, zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1739 1, ZAP_MAXVALUELEN, keylocation, NULL, B_FALSE)); 1740 dsl_prop_set_sync_impl(targetds, zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1741 ZPROP_SRC_LOCAL, 1, strlen(keylocation) + 1, keylocation, tx); 1742 dsl_prop_set_sync_impl(originds, zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1743 ZPROP_SRC_NONE, 0, 0, NULL, tx); 1744 1745 rw_enter(&dp->dp_spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 1746 spa_keystore_change_key_sync_impl(rddobj, origin->dd_object, 1747 target->dd_object, NULL, B_FALSE, tx); 1748 rw_exit(&dp->dp_spa->spa_keystore.sk_wkeys_lock); 1749 1750 dsl_dataset_rele(targetds, FTAG); 1751 dsl_dataset_rele(originds, FTAG); 1752 kmem_free(keylocation, ZAP_MAXVALUELEN); 1753 } 1754 1755 int 1756 dmu_objset_create_crypt_check(dsl_dir_t *parentdd, dsl_crypto_params_t *dcp, 1757 boolean_t *will_encrypt) 1758 { 1759 int ret; 1760 uint64_t pcrypt, crypt; 1761 dsl_crypto_params_t dummy_dcp = { 0 }; 1762 1763 if (will_encrypt != NULL) 1764 *will_encrypt = B_FALSE; 1765 1766 if (dcp == NULL) 1767 dcp = &dummy_dcp; 1768 1769 if (dcp->cp_cmd != DCP_CMD_NONE) 1770 return (SET_ERROR(EINVAL)); 1771 1772 if (parentdd != NULL) { 1773 ret = dsl_dir_get_crypt(parentdd, &pcrypt); 1774 if (ret != 0) 1775 return (ret); 1776 } else { 1777 pcrypt = ZIO_CRYPT_OFF; 1778 } 1779 1780 crypt = (dcp->cp_crypt == ZIO_CRYPT_INHERIT) ? pcrypt : dcp->cp_crypt; 1781 1782 ASSERT3U(pcrypt, !=, ZIO_CRYPT_INHERIT); 1783 ASSERT3U(crypt, !=, ZIO_CRYPT_INHERIT); 1784 1785 /* check for valid dcp with no encryption (inherited or local) */ 1786 if (crypt == ZIO_CRYPT_OFF) { 1787 /* Must not specify encryption params */ 1788 if (dcp->cp_wkey != NULL || 1789 (dcp->cp_keylocation != NULL && 1790 strcmp(dcp->cp_keylocation, "none") != 0)) 1791 return (SET_ERROR(EINVAL)); 1792 1793 return (0); 1794 } 1795 1796 if (will_encrypt != NULL) 1797 *will_encrypt = B_TRUE; 1798 1799 /* 1800 * We will now definitely be encrypting. Check the feature flag. When 1801 * creating the pool the caller will check this for us since we won't 1802 * technically have the feature activated yet. 1803 */ 1804 if (parentdd != NULL && 1805 !spa_feature_is_enabled(parentdd->dd_pool->dp_spa, 1806 SPA_FEATURE_ENCRYPTION)) { 1807 return (SET_ERROR(EOPNOTSUPP)); 1808 } 1809 1810 /* Check for errata #4 (encryption enabled, bookmark_v2 disabled) */ 1811 if (parentdd != NULL && 1812 !spa_feature_is_enabled(parentdd->dd_pool->dp_spa, 1813 SPA_FEATURE_BOOKMARK_V2)) { 1814 return (SET_ERROR(EOPNOTSUPP)); 1815 } 1816 1817 /* handle inheritance */ 1818 if (dcp->cp_wkey == NULL) { 1819 ASSERT3P(parentdd, !=, NULL); 1820 1821 /* key must be fully unspecified */ 1822 if (dcp->cp_keylocation != NULL) 1823 return (SET_ERROR(EINVAL)); 1824 1825 /* parent must have a key to inherit */ 1826 if (pcrypt == ZIO_CRYPT_OFF) 1827 return (SET_ERROR(EINVAL)); 1828 1829 /* check for parent key */ 1830 ret = dmu_objset_check_wkey_loaded(parentdd); 1831 if (ret != 0) 1832 return (ret); 1833 1834 return (0); 1835 } 1836 1837 /* At this point we should have a fully specified key. Check location */ 1838 if (dcp->cp_keylocation == NULL || 1839 !zfs_prop_valid_keylocation(dcp->cp_keylocation, B_TRUE)) 1840 return (SET_ERROR(EINVAL)); 1841 1842 /* Must have fully specified keyformat */ 1843 switch (dcp->cp_wkey->wk_keyformat) { 1844 case ZFS_KEYFORMAT_HEX: 1845 case ZFS_KEYFORMAT_RAW: 1846 /* requires no pbkdf2 iters and salt */ 1847 if (dcp->cp_wkey->wk_salt != 0 || dcp->cp_wkey->wk_iters != 0) 1848 return (SET_ERROR(EINVAL)); 1849 break; 1850 case ZFS_KEYFORMAT_PASSPHRASE: 1851 /* requires pbkdf2 iters and salt */ 1852 if (dcp->cp_wkey->wk_salt == 0 || 1853 dcp->cp_wkey->wk_iters < MIN_PBKDF2_ITERATIONS) 1854 return (SET_ERROR(EINVAL)); 1855 break; 1856 case ZFS_KEYFORMAT_NONE: 1857 default: 1858 /* keyformat must be specified and valid */ 1859 return (SET_ERROR(EINVAL)); 1860 } 1861 1862 return (0); 1863 } 1864 1865 void 1866 dsl_dataset_create_crypt_sync(uint64_t dsobj, dsl_dir_t *dd, 1867 dsl_dataset_t *origin, dsl_crypto_params_t *dcp, dmu_tx_t *tx) 1868 { 1869 dsl_pool_t *dp = dd->dd_pool; 1870 uint64_t crypt; 1871 dsl_wrapping_key_t *wkey; 1872 1873 /* clones always use their origin's wrapping key */ 1874 if (dsl_dir_is_clone(dd)) { 1875 ASSERT3P(dcp, ==, NULL); 1876 1877 /* 1878 * If this is an encrypted clone we just need to clone the 1879 * dck into dd. Zapify the dd so we can do that. 1880 */ 1881 if (origin->ds_dir->dd_crypto_obj != 0) { 1882 dmu_buf_will_dirty(dd->dd_dbuf, tx); 1883 dsl_dir_zapify(dd, tx); 1884 1885 dd->dd_crypto_obj = 1886 dsl_crypto_key_clone_sync(origin->ds_dir, tx); 1887 VERIFY0(zap_add(dp->dp_meta_objset, dd->dd_object, 1888 DD_FIELD_CRYPTO_KEY_OBJ, sizeof (uint64_t), 1, 1889 &dd->dd_crypto_obj, tx)); 1890 } 1891 1892 return; 1893 } 1894 1895 /* 1896 * A NULL dcp at this point indicates this is the origin dataset 1897 * which does not have an objset to encrypt. Raw receives will handle 1898 * encryption separately later. In both cases we can simply return. 1899 */ 1900 if (dcp == NULL || dcp->cp_cmd == DCP_CMD_RAW_RECV) 1901 return; 1902 1903 crypt = dcp->cp_crypt; 1904 wkey = dcp->cp_wkey; 1905 1906 /* figure out the effective crypt */ 1907 if (crypt == ZIO_CRYPT_INHERIT && dd->dd_parent != NULL) 1908 VERIFY0(dsl_dir_get_crypt(dd->dd_parent, &crypt)); 1909 1910 /* if we aren't doing encryption just return */ 1911 if (crypt == ZIO_CRYPT_OFF || crypt == ZIO_CRYPT_INHERIT) 1912 return; 1913 1914 /* zapify the dd so that we can add the crypto key obj to it */ 1915 dmu_buf_will_dirty(dd->dd_dbuf, tx); 1916 dsl_dir_zapify(dd, tx); 1917 1918 /* use the new key if given or inherit from the parent */ 1919 if (wkey == NULL) { 1920 VERIFY0(spa_keystore_wkey_hold_dd(dp->dp_spa, 1921 dd->dd_parent, FTAG, &wkey)); 1922 } else { 1923 wkey->wk_ddobj = dd->dd_object; 1924 } 1925 1926 ASSERT3P(wkey, !=, NULL); 1927 1928 /* Create or clone the DSL crypto key and activate the feature */ 1929 dd->dd_crypto_obj = dsl_crypto_key_create_sync(crypt, wkey, tx); 1930 VERIFY0(zap_add(dp->dp_meta_objset, dd->dd_object, 1931 DD_FIELD_CRYPTO_KEY_OBJ, sizeof (uint64_t), 1, &dd->dd_crypto_obj, 1932 tx)); 1933 dsl_dataset_activate_feature(dsobj, SPA_FEATURE_ENCRYPTION, 1934 (void *)B_TRUE, tx); 1935 1936 /* 1937 * If we inherited the wrapping key we release our reference now. 1938 * Otherwise, this is a new key and we need to load it into the 1939 * keystore. 1940 */ 1941 if (dcp->cp_wkey == NULL) { 1942 dsl_wrapping_key_rele(wkey, FTAG); 1943 } else { 1944 VERIFY0(spa_keystore_load_wkey_impl(dp->dp_spa, wkey)); 1945 } 1946 } 1947 1948 typedef struct dsl_crypto_recv_key_arg { 1949 uint64_t dcrka_dsobj; 1950 uint64_t dcrka_fromobj; 1951 dmu_objset_type_t dcrka_ostype; 1952 nvlist_t *dcrka_nvl; 1953 boolean_t dcrka_do_key; 1954 } dsl_crypto_recv_key_arg_t; 1955 1956 static int 1957 dsl_crypto_recv_raw_objset_check(dsl_dataset_t *ds, dsl_dataset_t *fromds, 1958 dmu_objset_type_t ostype, nvlist_t *nvl, dmu_tx_t *tx) 1959 { 1960 int ret; 1961 objset_t *os; 1962 dnode_t *mdn; 1963 uint8_t *buf = NULL; 1964 uint_t len; 1965 uint64_t intval, nlevels, blksz, ibs; 1966 uint64_t nblkptr, maxblkid; 1967 1968 if (ostype != DMU_OST_ZFS && ostype != DMU_OST_ZVOL) 1969 return (SET_ERROR(EINVAL)); 1970 1971 /* raw receives also need info about the structure of the metadnode */ 1972 ret = nvlist_lookup_uint64(nvl, "mdn_compress", &intval); 1973 if (ret != 0 || intval >= ZIO_COMPRESS_LEGACY_FUNCTIONS) 1974 return (SET_ERROR(EINVAL)); 1975 1976 ret = nvlist_lookup_uint64(nvl, "mdn_checksum", &intval); 1977 if (ret != 0 || intval >= ZIO_CHECKSUM_LEGACY_FUNCTIONS) 1978 return (SET_ERROR(EINVAL)); 1979 1980 ret = nvlist_lookup_uint64(nvl, "mdn_nlevels", &nlevels); 1981 if (ret != 0 || nlevels > DN_MAX_LEVELS) 1982 return (SET_ERROR(EINVAL)); 1983 1984 ret = nvlist_lookup_uint64(nvl, "mdn_blksz", &blksz); 1985 if (ret != 0 || blksz < SPA_MINBLOCKSIZE) 1986 return (SET_ERROR(EINVAL)); 1987 else if (blksz > spa_maxblocksize(tx->tx_pool->dp_spa)) 1988 return (SET_ERROR(ENOTSUP)); 1989 1990 ret = nvlist_lookup_uint64(nvl, "mdn_indblkshift", &ibs); 1991 if (ret != 0 || ibs < DN_MIN_INDBLKSHIFT || ibs > DN_MAX_INDBLKSHIFT) 1992 return (SET_ERROR(ENOTSUP)); 1993 1994 ret = nvlist_lookup_uint64(nvl, "mdn_nblkptr", &nblkptr); 1995 if (ret != 0 || nblkptr != DN_MAX_NBLKPTR) 1996 return (SET_ERROR(ENOTSUP)); 1997 1998 ret = nvlist_lookup_uint64(nvl, "mdn_maxblkid", &maxblkid); 1999 if (ret != 0) 2000 return (SET_ERROR(EINVAL)); 2001 2002 ret = nvlist_lookup_uint8_array(nvl, "portable_mac", &buf, &len); 2003 if (ret != 0 || len != ZIO_OBJSET_MAC_LEN) 2004 return (SET_ERROR(EINVAL)); 2005 2006 ret = dmu_objset_from_ds(ds, &os); 2007 if (ret != 0) 2008 return (ret); 2009 2010 mdn = DMU_META_DNODE(os); 2011 2012 /* 2013 * If we already created the objset, make sure its unchangeable 2014 * properties match the ones received in the nvlist. 2015 */ 2016 rrw_enter(&ds->ds_bp_rwlock, RW_READER, FTAG); 2017 if (!BP_IS_HOLE(dsl_dataset_get_blkptr(ds)) && 2018 (mdn->dn_nlevels != nlevels || mdn->dn_datablksz != blksz || 2019 mdn->dn_indblkshift != ibs || mdn->dn_nblkptr != nblkptr)) { 2020 rrw_exit(&ds->ds_bp_rwlock, FTAG); 2021 return (SET_ERROR(EINVAL)); 2022 } 2023 rrw_exit(&ds->ds_bp_rwlock, FTAG); 2024 2025 /* 2026 * Check that the ivset guid of the fromds matches the one from the 2027 * send stream. Older versions of the encryption code did not have 2028 * an ivset guid on the from dataset and did not send one in the 2029 * stream. For these streams we provide the 2030 * zfs_disable_ivset_guid_check tunable to allow these datasets to 2031 * be received with a generated ivset guid. 2032 */ 2033 if (fromds != NULL && !zfs_disable_ivset_guid_check) { 2034 uint64_t from_ivset_guid = 0; 2035 intval = 0; 2036 2037 (void) nvlist_lookup_uint64(nvl, "from_ivset_guid", &intval); 2038 (void) zap_lookup(tx->tx_pool->dp_meta_objset, 2039 fromds->ds_object, DS_FIELD_IVSET_GUID, 2040 sizeof (from_ivset_guid), 1, &from_ivset_guid); 2041 2042 if (intval == 0 || from_ivset_guid == 0) 2043 return (SET_ERROR(ZFS_ERR_FROM_IVSET_GUID_MISSING)); 2044 2045 if (intval != from_ivset_guid) 2046 return (SET_ERROR(ZFS_ERR_FROM_IVSET_GUID_MISMATCH)); 2047 } 2048 2049 return (0); 2050 } 2051 2052 static void 2053 dsl_crypto_recv_raw_objset_sync(dsl_dataset_t *ds, dmu_objset_type_t ostype, 2054 nvlist_t *nvl, dmu_tx_t *tx) 2055 { 2056 dsl_pool_t *dp = tx->tx_pool; 2057 objset_t *os; 2058 dnode_t *mdn; 2059 zio_t *zio; 2060 uint8_t *portable_mac; 2061 uint_t len; 2062 uint64_t compress, checksum, nlevels, blksz, ibs, maxblkid; 2063 boolean_t newds = B_FALSE; 2064 2065 VERIFY0(dmu_objset_from_ds(ds, &os)); 2066 mdn = DMU_META_DNODE(os); 2067 2068 /* 2069 * Fetch the values we need from the nvlist. "to_ivset_guid" must 2070 * be set on the snapshot, which doesn't exist yet. The receive 2071 * code will take care of this for us later. 2072 */ 2073 compress = fnvlist_lookup_uint64(nvl, "mdn_compress"); 2074 checksum = fnvlist_lookup_uint64(nvl, "mdn_checksum"); 2075 nlevels = fnvlist_lookup_uint64(nvl, "mdn_nlevels"); 2076 blksz = fnvlist_lookup_uint64(nvl, "mdn_blksz"); 2077 ibs = fnvlist_lookup_uint64(nvl, "mdn_indblkshift"); 2078 maxblkid = fnvlist_lookup_uint64(nvl, "mdn_maxblkid"); 2079 VERIFY0(nvlist_lookup_uint8_array(nvl, "portable_mac", &portable_mac, 2080 &len)); 2081 2082 /* if we haven't created an objset for the ds yet, do that now */ 2083 rrw_enter(&ds->ds_bp_rwlock, RW_READER, FTAG); 2084 if (BP_IS_HOLE(dsl_dataset_get_blkptr(ds))) { 2085 (void) dmu_objset_create_impl_dnstats(dp->dp_spa, ds, 2086 dsl_dataset_get_blkptr(ds), ostype, nlevels, blksz, 2087 ibs, tx); 2088 newds = B_TRUE; 2089 } 2090 rrw_exit(&ds->ds_bp_rwlock, FTAG); 2091 2092 /* 2093 * Set the portable MAC. The local MAC will always be zero since the 2094 * incoming data will all be portable and user accounting will be 2095 * deferred until the next mount. Afterwards, flag the os to be 2096 * written out raw next time. 2097 */ 2098 arc_release(os->os_phys_buf, &os->os_phys_buf); 2099 bcopy(portable_mac, os->os_phys->os_portable_mac, ZIO_OBJSET_MAC_LEN); 2100 os->os_phys->os_flags &= ~OBJSET_FLAG_USERACCOUNTING_COMPLETE; 2101 os->os_phys->os_flags &= ~OBJSET_FLAG_USEROBJACCOUNTING_COMPLETE; 2102 os->os_flags = os->os_phys->os_flags; 2103 bzero(os->os_phys->os_local_mac, ZIO_OBJSET_MAC_LEN); 2104 os->os_next_write_raw[tx->tx_txg & TXG_MASK] = B_TRUE; 2105 2106 /* set metadnode compression and checksum */ 2107 mdn->dn_compress = compress; 2108 mdn->dn_checksum = checksum; 2109 2110 rw_enter(&mdn->dn_struct_rwlock, RW_WRITER); 2111 dnode_new_blkid(mdn, maxblkid, tx, B_FALSE, B_TRUE); 2112 rw_exit(&mdn->dn_struct_rwlock); 2113 2114 /* 2115 * We can't normally dirty the dataset in syncing context unless 2116 * we are creating a new dataset. In this case, we perform a 2117 * pseudo txg sync here instead. 2118 */ 2119 if (newds) { 2120 dsl_dataset_dirty(ds, tx); 2121 } else { 2122 zio = zio_root(dp->dp_spa, NULL, NULL, ZIO_FLAG_MUSTSUCCEED); 2123 dsl_dataset_sync(ds, zio, tx); 2124 VERIFY0(zio_wait(zio)); 2125 2126 /* dsl_dataset_sync_done will drop this reference. */ 2127 dmu_buf_add_ref(ds->ds_dbuf, ds); 2128 dsl_dataset_sync_done(ds, tx); 2129 } 2130 } 2131 2132 int 2133 dsl_crypto_recv_raw_key_check(dsl_dataset_t *ds, nvlist_t *nvl, dmu_tx_t *tx) 2134 { 2135 int ret; 2136 objset_t *mos = tx->tx_pool->dp_meta_objset; 2137 uint8_t *buf = NULL; 2138 uint_t len; 2139 uint64_t intval, key_guid, version; 2140 boolean_t is_passphrase = B_FALSE; 2141 2142 ASSERT(dsl_dataset_phys(ds)->ds_flags & DS_FLAG_INCONSISTENT); 2143 2144 /* 2145 * Read and check all the encryption values from the nvlist. We need 2146 * all of the fields of a DSL Crypto Key, as well as a fully specified 2147 * wrapping key. 2148 */ 2149 ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE, &intval); 2150 if (ret != 0 || intval >= ZIO_CRYPT_FUNCTIONS || 2151 intval <= ZIO_CRYPT_OFF) 2152 return (SET_ERROR(EINVAL)); 2153 2154 ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_GUID, &intval); 2155 if (ret != 0) 2156 return (SET_ERROR(EINVAL)); 2157 2158 /* 2159 * If this is an incremental receive make sure the given key guid 2160 * matches the one we already have. 2161 */ 2162 if (ds->ds_dir->dd_crypto_obj != 0) { 2163 ret = zap_lookup(mos, ds->ds_dir->dd_crypto_obj, 2164 DSL_CRYPTO_KEY_GUID, 8, 1, &key_guid); 2165 if (ret != 0) 2166 return (ret); 2167 if (intval != key_guid) 2168 return (SET_ERROR(EACCES)); 2169 } 2170 2171 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY, 2172 &buf, &len); 2173 if (ret != 0 || len != MASTER_KEY_MAX_LEN) 2174 return (SET_ERROR(EINVAL)); 2175 2176 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY, 2177 &buf, &len); 2178 if (ret != 0 || len != SHA512_HMAC_KEYLEN) 2179 return (SET_ERROR(EINVAL)); 2180 2181 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_IV, &buf, &len); 2182 if (ret != 0 || len != WRAPPING_IV_LEN) 2183 return (SET_ERROR(EINVAL)); 2184 2185 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, &buf, &len); 2186 if (ret != 0 || len != WRAPPING_MAC_LEN) 2187 return (SET_ERROR(EINVAL)); 2188 2189 /* 2190 * We don't support receiving old on-disk formats. The version 0 2191 * implementation protected several fields in an objset that were 2192 * not always portable during a raw receive. As a result, we call 2193 * the old version an on-disk errata #3. 2194 */ 2195 ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_VERSION, &version); 2196 if (ret != 0 || version != ZIO_CRYPT_KEY_CURRENT_VERSION) 2197 return (SET_ERROR(ENOTSUP)); 2198 2199 ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 2200 &intval); 2201 if (ret != 0 || intval >= ZFS_KEYFORMAT_FORMATS || 2202 intval == ZFS_KEYFORMAT_NONE) 2203 return (SET_ERROR(EINVAL)); 2204 2205 is_passphrase = (intval == ZFS_KEYFORMAT_PASSPHRASE); 2206 2207 /* 2208 * for raw receives we allow any number of pbkdf2iters since there 2209 * won't be a chance for the user to change it. 2210 */ 2211 ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 2212 &intval); 2213 if (ret != 0 || (is_passphrase == (intval == 0))) 2214 return (SET_ERROR(EINVAL)); 2215 2216 ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 2217 &intval); 2218 if (ret != 0 || (is_passphrase == (intval == 0))) 2219 return (SET_ERROR(EINVAL)); 2220 2221 return (0); 2222 } 2223 2224 void 2225 dsl_crypto_recv_raw_key_sync(dsl_dataset_t *ds, nvlist_t *nvl, dmu_tx_t *tx) 2226 { 2227 dsl_pool_t *dp = tx->tx_pool; 2228 objset_t *mos = dp->dp_meta_objset; 2229 dsl_dir_t *dd = ds->ds_dir; 2230 uint_t len; 2231 uint64_t rddobj, one = 1; 2232 uint8_t *keydata, *hmac_keydata, *iv, *mac; 2233 uint64_t crypt, key_guid, keyformat, iters, salt; 2234 uint64_t version = ZIO_CRYPT_KEY_CURRENT_VERSION; 2235 char *keylocation = "prompt"; 2236 2237 /* lookup the values we need to create the DSL Crypto Key */ 2238 crypt = fnvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE); 2239 key_guid = fnvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_GUID); 2240 keyformat = fnvlist_lookup_uint64(nvl, 2241 zfs_prop_to_name(ZFS_PROP_KEYFORMAT)); 2242 iters = fnvlist_lookup_uint64(nvl, 2243 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS)); 2244 salt = fnvlist_lookup_uint64(nvl, 2245 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT)); 2246 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY, 2247 &keydata, &len)); 2248 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY, 2249 &hmac_keydata, &len)); 2250 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_IV, &iv, &len)); 2251 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, &mac, &len)); 2252 2253 /* if this is a new dataset setup the DSL Crypto Key. */ 2254 if (dd->dd_crypto_obj == 0) { 2255 /* zapify the dsl dir so we can add the key object to it */ 2256 dmu_buf_will_dirty(dd->dd_dbuf, tx); 2257 dsl_dir_zapify(dd, tx); 2258 2259 /* create the DSL Crypto Key on disk and activate the feature */ 2260 dd->dd_crypto_obj = zap_create(mos, 2261 DMU_OTN_ZAP_METADATA, DMU_OT_NONE, 0, tx); 2262 VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, 2263 dd->dd_crypto_obj, DSL_CRYPTO_KEY_REFCOUNT, 2264 sizeof (uint64_t), 1, &one, tx)); 2265 VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, 2266 dd->dd_crypto_obj, DSL_CRYPTO_KEY_VERSION, 2267 sizeof (uint64_t), 1, &version, tx)); 2268 2269 dsl_dataset_activate_feature(ds->ds_object, 2270 SPA_FEATURE_ENCRYPTION, (void *)B_TRUE, tx); 2271 ds->ds_feature[SPA_FEATURE_ENCRYPTION] = (void *)B_TRUE; 2272 2273 /* save the dd_crypto_obj on disk */ 2274 VERIFY0(zap_add(mos, dd->dd_object, DD_FIELD_CRYPTO_KEY_OBJ, 2275 sizeof (uint64_t), 1, &dd->dd_crypto_obj, tx)); 2276 2277 /* 2278 * Set the keylocation to prompt by default. If keylocation 2279 * has been provided via the properties, this will be overridden 2280 * later. 2281 */ 2282 dsl_prop_set_sync_impl(ds, 2283 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 2284 ZPROP_SRC_LOCAL, 1, strlen(keylocation) + 1, 2285 keylocation, tx); 2286 2287 rddobj = dd->dd_object; 2288 } else { 2289 VERIFY0(dsl_dir_get_encryption_root_ddobj(dd, &rddobj)); 2290 } 2291 2292 /* sync the key data to the ZAP object on disk */ 2293 dsl_crypto_key_sync_impl(mos, dd->dd_crypto_obj, crypt, 2294 rddobj, key_guid, iv, mac, keydata, hmac_keydata, keyformat, salt, 2295 iters, tx); 2296 } 2297 2298 static int 2299 dsl_crypto_recv_key_check(void *arg, dmu_tx_t *tx) 2300 { 2301 int ret; 2302 dsl_crypto_recv_key_arg_t *dcrka = arg; 2303 dsl_dataset_t *ds = NULL, *fromds = NULL; 2304 2305 ret = dsl_dataset_hold_obj(tx->tx_pool, dcrka->dcrka_dsobj, 2306 FTAG, &ds); 2307 if (ret != 0) 2308 goto out; 2309 2310 if (dcrka->dcrka_fromobj != 0) { 2311 ret = dsl_dataset_hold_obj(tx->tx_pool, dcrka->dcrka_fromobj, 2312 FTAG, &fromds); 2313 if (ret != 0) 2314 goto out; 2315 } 2316 2317 ret = dsl_crypto_recv_raw_objset_check(ds, fromds, 2318 dcrka->dcrka_ostype, dcrka->dcrka_nvl, tx); 2319 if (ret != 0) 2320 goto out; 2321 2322 /* 2323 * We run this check even if we won't be doing this part of 2324 * the receive now so that we don't make the user wait until 2325 * the receive finishes to fail. 2326 */ 2327 ret = dsl_crypto_recv_raw_key_check(ds, dcrka->dcrka_nvl, tx); 2328 if (ret != 0) 2329 goto out; 2330 2331 out: 2332 if (ds != NULL) 2333 dsl_dataset_rele(ds, FTAG); 2334 if (fromds != NULL) 2335 dsl_dataset_rele(fromds, FTAG); 2336 return (ret); 2337 } 2338 2339 static void 2340 dsl_crypto_recv_key_sync(void *arg, dmu_tx_t *tx) 2341 { 2342 dsl_crypto_recv_key_arg_t *dcrka = arg; 2343 dsl_dataset_t *ds; 2344 2345 VERIFY0(dsl_dataset_hold_obj(tx->tx_pool, dcrka->dcrka_dsobj, 2346 FTAG, &ds)); 2347 dsl_crypto_recv_raw_objset_sync(ds, dcrka->dcrka_ostype, 2348 dcrka->dcrka_nvl, tx); 2349 if (dcrka->dcrka_do_key) 2350 dsl_crypto_recv_raw_key_sync(ds, dcrka->dcrka_nvl, tx); 2351 dsl_dataset_rele(ds, FTAG); 2352 } 2353 2354 /* 2355 * This function is used to sync an nvlist representing a DSL Crypto Key and 2356 * the associated encryption parameters. The key will be written exactly as is 2357 * without wrapping it. 2358 */ 2359 int 2360 dsl_crypto_recv_raw(const char *poolname, uint64_t dsobj, uint64_t fromobj, 2361 dmu_objset_type_t ostype, nvlist_t *nvl, boolean_t do_key) 2362 { 2363 dsl_crypto_recv_key_arg_t dcrka; 2364 2365 dcrka.dcrka_dsobj = dsobj; 2366 dcrka.dcrka_fromobj = fromobj; 2367 dcrka.dcrka_ostype = ostype; 2368 dcrka.dcrka_nvl = nvl; 2369 dcrka.dcrka_do_key = do_key; 2370 2371 return (dsl_sync_task(poolname, dsl_crypto_recv_key_check, 2372 dsl_crypto_recv_key_sync, &dcrka, 1, ZFS_SPACE_CHECK_NORMAL)); 2373 } 2374 2375 int 2376 dsl_crypto_populate_key_nvlist(objset_t *os, uint64_t from_ivset_guid, 2377 nvlist_t **nvl_out) 2378 { 2379 int ret; 2380 dsl_dataset_t *ds = os->os_dsl_dataset; 2381 dnode_t *mdn; 2382 uint64_t rddobj; 2383 nvlist_t *nvl = NULL; 2384 uint64_t dckobj = ds->ds_dir->dd_crypto_obj; 2385 dsl_dir_t *rdd = NULL; 2386 dsl_pool_t *dp = ds->ds_dir->dd_pool; 2387 objset_t *mos = dp->dp_meta_objset; 2388 uint64_t crypt = 0, key_guid = 0, format = 0; 2389 uint64_t iters = 0, salt = 0, version = 0; 2390 uint64_t to_ivset_guid = 0; 2391 uint8_t raw_keydata[MASTER_KEY_MAX_LEN]; 2392 uint8_t raw_hmac_keydata[SHA512_HMAC_KEYLEN]; 2393 uint8_t iv[WRAPPING_IV_LEN]; 2394 uint8_t mac[WRAPPING_MAC_LEN]; 2395 2396 ASSERT(dckobj != 0); 2397 2398 mdn = DMU_META_DNODE(os); 2399 2400 nvl = fnvlist_alloc(); 2401 2402 /* lookup values from the DSL Crypto Key */ 2403 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, 2404 &crypt); 2405 if (ret != 0) 2406 goto error; 2407 2408 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_GUID, 8, 1, &key_guid); 2409 if (ret != 0) 2410 goto error; 2411 2412 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MASTER_KEY, 1, 2413 MASTER_KEY_MAX_LEN, raw_keydata); 2414 if (ret != 0) 2415 goto error; 2416 2417 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_HMAC_KEY, 1, 2418 SHA512_HMAC_KEYLEN, raw_hmac_keydata); 2419 if (ret != 0) 2420 goto error; 2421 2422 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_IV, 1, WRAPPING_IV_LEN, 2423 iv); 2424 if (ret != 0) 2425 goto error; 2426 2427 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MAC, 1, WRAPPING_MAC_LEN, 2428 mac); 2429 if (ret != 0) 2430 goto error; 2431 2432 /* see zfs_disable_ivset_guid_check tunable for errata info */ 2433 ret = zap_lookup(mos, ds->ds_object, DS_FIELD_IVSET_GUID, 8, 1, 2434 &to_ivset_guid); 2435 if (ret != 0) 2436 ASSERT3U(dp->dp_spa->spa_errata, !=, 0); 2437 2438 /* 2439 * We don't support raw sends of legacy on-disk formats. See the 2440 * comment in dsl_crypto_recv_key_check() for details. 2441 */ 2442 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_VERSION, 8, 1, &version); 2443 if (ret != 0 || version != ZIO_CRYPT_KEY_CURRENT_VERSION) { 2444 dp->dp_spa->spa_errata = ZPOOL_ERRATA_ZOL_6845_ENCRYPTION; 2445 ret = SET_ERROR(ENOTSUP); 2446 goto error; 2447 } 2448 2449 /* 2450 * Lookup wrapping key properties. An early version of the code did 2451 * not correctly add these values to the wrapping key or the DSL 2452 * Crypto Key on disk for non encryption roots, so to be safe we 2453 * always take the slightly circuitous route of looking it up from 2454 * the encryption root's key. 2455 */ 2456 ret = dsl_dir_get_encryption_root_ddobj(ds->ds_dir, &rddobj); 2457 if (ret != 0) 2458 goto error; 2459 2460 dsl_pool_config_enter(dp, FTAG); 2461 2462 ret = dsl_dir_hold_obj(dp, rddobj, NULL, FTAG, &rdd); 2463 if (ret != 0) 2464 goto error_unlock; 2465 2466 ret = zap_lookup(dp->dp_meta_objset, rdd->dd_crypto_obj, 2467 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 8, 1, &format); 2468 if (ret != 0) 2469 goto error_unlock; 2470 2471 if (format == ZFS_KEYFORMAT_PASSPHRASE) { 2472 ret = zap_lookup(dp->dp_meta_objset, rdd->dd_crypto_obj, 2473 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 8, 1, &iters); 2474 if (ret != 0) 2475 goto error_unlock; 2476 2477 ret = zap_lookup(dp->dp_meta_objset, rdd->dd_crypto_obj, 2478 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 8, 1, &salt); 2479 if (ret != 0) 2480 goto error_unlock; 2481 } 2482 2483 dsl_dir_rele(rdd, FTAG); 2484 dsl_pool_config_exit(dp, FTAG); 2485 2486 fnvlist_add_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE, crypt); 2487 fnvlist_add_uint64(nvl, DSL_CRYPTO_KEY_GUID, key_guid); 2488 fnvlist_add_uint64(nvl, DSL_CRYPTO_KEY_VERSION, version); 2489 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY, 2490 raw_keydata, MASTER_KEY_MAX_LEN)); 2491 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY, 2492 raw_hmac_keydata, SHA512_HMAC_KEYLEN)); 2493 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_IV, iv, 2494 WRAPPING_IV_LEN)); 2495 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, mac, 2496 WRAPPING_MAC_LEN)); 2497 VERIFY0(nvlist_add_uint8_array(nvl, "portable_mac", 2498 os->os_phys->os_portable_mac, ZIO_OBJSET_MAC_LEN)); 2499 fnvlist_add_uint64(nvl, zfs_prop_to_name(ZFS_PROP_KEYFORMAT), format); 2500 fnvlist_add_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), iters); 2501 fnvlist_add_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), salt); 2502 fnvlist_add_uint64(nvl, "mdn_checksum", mdn->dn_checksum); 2503 fnvlist_add_uint64(nvl, "mdn_compress", mdn->dn_compress); 2504 fnvlist_add_uint64(nvl, "mdn_nlevels", mdn->dn_nlevels); 2505 fnvlist_add_uint64(nvl, "mdn_blksz", mdn->dn_datablksz); 2506 fnvlist_add_uint64(nvl, "mdn_indblkshift", mdn->dn_indblkshift); 2507 fnvlist_add_uint64(nvl, "mdn_nblkptr", mdn->dn_nblkptr); 2508 fnvlist_add_uint64(nvl, "mdn_maxblkid", mdn->dn_maxblkid); 2509 fnvlist_add_uint64(nvl, "to_ivset_guid", to_ivset_guid); 2510 fnvlist_add_uint64(nvl, "from_ivset_guid", from_ivset_guid); 2511 2512 *nvl_out = nvl; 2513 return (0); 2514 2515 error_unlock: 2516 dsl_pool_config_exit(dp, FTAG); 2517 error: 2518 if (rdd != NULL) 2519 dsl_dir_rele(rdd, FTAG); 2520 nvlist_free(nvl); 2521 2522 *nvl_out = NULL; 2523 return (ret); 2524 } 2525 2526 uint64_t 2527 dsl_crypto_key_create_sync(uint64_t crypt, dsl_wrapping_key_t *wkey, 2528 dmu_tx_t *tx) 2529 { 2530 dsl_crypto_key_t dck; 2531 uint64_t version = ZIO_CRYPT_KEY_CURRENT_VERSION; 2532 uint64_t one = 1ULL; 2533 2534 ASSERT(dmu_tx_is_syncing(tx)); 2535 ASSERT3U(crypt, <, ZIO_CRYPT_FUNCTIONS); 2536 ASSERT3U(crypt, >, ZIO_CRYPT_OFF); 2537 2538 /* create the DSL Crypto Key ZAP object */ 2539 dck.dck_obj = zap_create(tx->tx_pool->dp_meta_objset, 2540 DMU_OTN_ZAP_METADATA, DMU_OT_NONE, 0, tx); 2541 2542 /* fill in the key (on the stack) and sync it to disk */ 2543 dck.dck_wkey = wkey; 2544 VERIFY0(zio_crypt_key_init(crypt, &dck.dck_key)); 2545 2546 dsl_crypto_key_sync(&dck, tx); 2547 VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, dck.dck_obj, 2548 DSL_CRYPTO_KEY_REFCOUNT, sizeof (uint64_t), 1, &one, tx)); 2549 VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, dck.dck_obj, 2550 DSL_CRYPTO_KEY_VERSION, sizeof (uint64_t), 1, &version, tx)); 2551 2552 zio_crypt_key_destroy(&dck.dck_key); 2553 bzero(&dck.dck_key, sizeof (zio_crypt_key_t)); 2554 2555 return (dck.dck_obj); 2556 } 2557 2558 uint64_t 2559 dsl_crypto_key_clone_sync(dsl_dir_t *origindd, dmu_tx_t *tx) 2560 { 2561 objset_t *mos = tx->tx_pool->dp_meta_objset; 2562 2563 ASSERT(dmu_tx_is_syncing(tx)); 2564 2565 VERIFY0(zap_increment(mos, origindd->dd_crypto_obj, 2566 DSL_CRYPTO_KEY_REFCOUNT, 1, tx)); 2567 2568 return (origindd->dd_crypto_obj); 2569 } 2570 2571 void 2572 dsl_crypto_key_destroy_sync(uint64_t dckobj, dmu_tx_t *tx) 2573 { 2574 objset_t *mos = tx->tx_pool->dp_meta_objset; 2575 uint64_t refcnt; 2576 2577 /* Decrement the refcount, destroy if this is the last reference */ 2578 VERIFY0(zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_REFCOUNT, 2579 sizeof (uint64_t), 1, &refcnt)); 2580 2581 if (refcnt != 1) { 2582 VERIFY0(zap_increment(mos, dckobj, DSL_CRYPTO_KEY_REFCOUNT, 2583 -1, tx)); 2584 } else { 2585 VERIFY0(zap_destroy(mos, dckobj, tx)); 2586 } 2587 } 2588 2589 void 2590 dsl_dataset_crypt_stats(dsl_dataset_t *ds, nvlist_t *nv) 2591 { 2592 uint64_t intval; 2593 dsl_dir_t *dd = ds->ds_dir; 2594 dsl_dir_t *enc_root; 2595 char buf[ZFS_MAX_DATASET_NAME_LEN]; 2596 2597 if (dd->dd_crypto_obj == 0) 2598 return; 2599 2600 intval = dsl_dataset_get_keystatus(dd); 2601 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_KEYSTATUS, intval); 2602 2603 if (dsl_dir_get_crypt(dd, &intval) == 0) 2604 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_ENCRYPTION, intval); 2605 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2606 DSL_CRYPTO_KEY_GUID, 8, 1, &intval) == 0) { 2607 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_KEY_GUID, intval); 2608 } 2609 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2610 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 8, 1, &intval) == 0) { 2611 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_KEYFORMAT, intval); 2612 } 2613 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2614 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 8, 1, &intval) == 0) { 2615 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_PBKDF2_SALT, intval); 2616 } 2617 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2618 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 8, 1, &intval) == 0) { 2619 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_PBKDF2_ITERS, intval); 2620 } 2621 if (zap_lookup(dd->dd_pool->dp_meta_objset, ds->ds_object, 2622 DS_FIELD_IVSET_GUID, 8, 1, &intval) == 0) { 2623 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_IVSET_GUID, intval); 2624 } 2625 2626 if (dsl_dir_get_encryption_root_ddobj(dd, &intval) == 0) { 2627 if (dsl_dir_hold_obj(dd->dd_pool, intval, NULL, FTAG, 2628 &enc_root) == 0) { 2629 dsl_dir_name(enc_root, buf); 2630 dsl_dir_rele(enc_root, FTAG); 2631 dsl_prop_nvlist_add_string(nv, 2632 ZFS_PROP_ENCRYPTION_ROOT, buf); 2633 } 2634 } 2635 } 2636 2637 int 2638 spa_crypt_get_salt(spa_t *spa, uint64_t dsobj, uint8_t *salt) 2639 { 2640 int ret; 2641 dsl_crypto_key_t *dck = NULL; 2642 2643 /* look up the key from the spa's keystore */ 2644 ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck); 2645 if (ret != 0) 2646 goto error; 2647 2648 ret = zio_crypt_key_get_salt(&dck->dck_key, salt); 2649 if (ret != 0) 2650 goto error; 2651 2652 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2653 return (0); 2654 2655 error: 2656 if (dck != NULL) 2657 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2658 return (ret); 2659 } 2660 2661 /* 2662 * Objset blocks are a special case for MAC generation. These blocks have 2 2663 * 256-bit MACs which are embedded within the block itself, rather than a 2664 * single 128 bit MAC. As a result, this function handles encoding and decoding 2665 * the MACs on its own, unlike other functions in this file. 2666 */ 2667 int 2668 spa_do_crypt_objset_mac_abd(boolean_t generate, spa_t *spa, uint64_t dsobj, 2669 abd_t *abd, uint_t datalen, boolean_t byteswap) 2670 { 2671 int ret; 2672 dsl_crypto_key_t *dck = NULL; 2673 void *buf = abd_borrow_buf_copy(abd, datalen); 2674 objset_phys_t *osp = buf; 2675 uint8_t portable_mac[ZIO_OBJSET_MAC_LEN]; 2676 uint8_t local_mac[ZIO_OBJSET_MAC_LEN]; 2677 2678 /* look up the key from the spa's keystore */ 2679 ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck); 2680 if (ret != 0) 2681 goto error; 2682 2683 /* calculate both HMACs */ 2684 ret = zio_crypt_do_objset_hmacs(&dck->dck_key, buf, datalen, 2685 byteswap, portable_mac, local_mac); 2686 if (ret != 0) 2687 goto error; 2688 2689 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2690 2691 /* if we are generating encode the HMACs in the objset_phys_t */ 2692 if (generate) { 2693 bcopy(portable_mac, osp->os_portable_mac, ZIO_OBJSET_MAC_LEN); 2694 bcopy(local_mac, osp->os_local_mac, ZIO_OBJSET_MAC_LEN); 2695 abd_return_buf_copy(abd, buf, datalen); 2696 return (0); 2697 } 2698 2699 if (bcmp(portable_mac, osp->os_portable_mac, ZIO_OBJSET_MAC_LEN) != 0 || 2700 bcmp(local_mac, osp->os_local_mac, ZIO_OBJSET_MAC_LEN) != 0) { 2701 abd_return_buf(abd, buf, datalen); 2702 return (SET_ERROR(ECKSUM)); 2703 } 2704 2705 abd_return_buf(abd, buf, datalen); 2706 2707 return (0); 2708 2709 error: 2710 if (dck != NULL) 2711 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2712 abd_return_buf(abd, buf, datalen); 2713 return (ret); 2714 } 2715 2716 int 2717 spa_do_crypt_mac_abd(boolean_t generate, spa_t *spa, uint64_t dsobj, abd_t *abd, 2718 uint_t datalen, uint8_t *mac) 2719 { 2720 int ret; 2721 dsl_crypto_key_t *dck = NULL; 2722 uint8_t *buf = abd_borrow_buf_copy(abd, datalen); 2723 uint8_t digestbuf[ZIO_DATA_MAC_LEN]; 2724 2725 /* look up the key from the spa's keystore */ 2726 ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck); 2727 if (ret != 0) 2728 goto error; 2729 2730 /* perform the hmac */ 2731 ret = zio_crypt_do_hmac(&dck->dck_key, buf, datalen, 2732 digestbuf, ZIO_DATA_MAC_LEN); 2733 if (ret != 0) 2734 goto error; 2735 2736 abd_return_buf(abd, buf, datalen); 2737 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2738 2739 /* 2740 * Truncate and fill in mac buffer if we were asked to generate a MAC. 2741 * Otherwise verify that the MAC matched what we expected. 2742 */ 2743 if (generate) { 2744 bcopy(digestbuf, mac, ZIO_DATA_MAC_LEN); 2745 return (0); 2746 } 2747 2748 if (bcmp(digestbuf, mac, ZIO_DATA_MAC_LEN) != 0) 2749 return (SET_ERROR(ECKSUM)); 2750 2751 return (0); 2752 2753 error: 2754 if (dck != NULL) 2755 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2756 abd_return_buf(abd, buf, datalen); 2757 return (ret); 2758 } 2759 2760 /* 2761 * This function serves as a multiplexer for encryption and decryption of 2762 * all blocks (except the L2ARC). For encryption, it will populate the IV, 2763 * salt, MAC, and cabd (the ciphertext). On decryption it will simply use 2764 * these fields to populate pabd (the plaintext). 2765 */ 2766 int 2767 spa_do_crypt_abd(boolean_t encrypt, spa_t *spa, const zbookmark_phys_t *zb, 2768 dmu_object_type_t ot, boolean_t dedup, boolean_t bswap, uint8_t *salt, 2769 uint8_t *iv, uint8_t *mac, uint_t datalen, abd_t *pabd, abd_t *cabd, 2770 boolean_t *no_crypt) 2771 { 2772 int ret; 2773 dsl_crypto_key_t *dck = NULL; 2774 uint8_t *plainbuf = NULL, *cipherbuf = NULL; 2775 2776 ASSERT(spa_feature_is_active(spa, SPA_FEATURE_ENCRYPTION)); 2777 2778 /* look up the key from the spa's keystore */ 2779 ret = spa_keystore_lookup_key(spa, zb->zb_objset, FTAG, &dck); 2780 if (ret != 0) { 2781 ret = SET_ERROR(EACCES); 2782 return (ret); 2783 } 2784 2785 if (encrypt) { 2786 plainbuf = abd_borrow_buf_copy(pabd, datalen); 2787 cipherbuf = abd_borrow_buf(cabd, datalen); 2788 } else { 2789 plainbuf = abd_borrow_buf(pabd, datalen); 2790 cipherbuf = abd_borrow_buf_copy(cabd, datalen); 2791 } 2792 2793 /* 2794 * Both encryption and decryption functions need a salt for key 2795 * generation and an IV. When encrypting a non-dedup block, we 2796 * generate the salt and IV randomly to be stored by the caller. Dedup 2797 * blocks perform a (more expensive) HMAC of the plaintext to obtain 2798 * the salt and the IV. ZIL blocks have their salt and IV generated 2799 * at allocation time in zio_alloc_zil(). On decryption, we simply use 2800 * the provided values. 2801 */ 2802 if (encrypt && ot != DMU_OT_INTENT_LOG && !dedup) { 2803 ret = zio_crypt_key_get_salt(&dck->dck_key, salt); 2804 if (ret != 0) 2805 goto error; 2806 2807 ret = zio_crypt_generate_iv(iv); 2808 if (ret != 0) 2809 goto error; 2810 } else if (encrypt && dedup) { 2811 ret = zio_crypt_generate_iv_salt_dedup(&dck->dck_key, 2812 plainbuf, datalen, iv, salt); 2813 if (ret != 0) 2814 goto error; 2815 } 2816 2817 /* call lower level function to perform encryption / decryption */ 2818 ret = zio_do_crypt_data(encrypt, &dck->dck_key, ot, bswap, salt, iv, 2819 mac, datalen, plainbuf, cipherbuf, no_crypt); 2820 2821 /* 2822 * Handle injected decryption faults. Unfortunately, we cannot inject 2823 * faults for dnode blocks because we might trigger the panic in 2824 * dbuf_prepare_encrypted_dnode_leaf(), which exists because syncing 2825 * context is not prepared to handle malicious decryption failures. 2826 */ 2827 if (zio_injection_enabled && !encrypt && ot != DMU_OT_DNODE && ret == 0) 2828 ret = zio_handle_decrypt_injection(spa, zb, ot, ECKSUM); 2829 if (ret != 0) 2830 goto error; 2831 2832 if (encrypt) { 2833 abd_return_buf(pabd, plainbuf, datalen); 2834 abd_return_buf_copy(cabd, cipherbuf, datalen); 2835 } else { 2836 abd_return_buf_copy(pabd, plainbuf, datalen); 2837 abd_return_buf(cabd, cipherbuf, datalen); 2838 } 2839 2840 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2841 2842 return (0); 2843 2844 error: 2845 if (encrypt) { 2846 /* zero out any state we might have changed while encrypting */ 2847 bzero(salt, ZIO_DATA_SALT_LEN); 2848 bzero(iv, ZIO_DATA_IV_LEN); 2849 bzero(mac, ZIO_DATA_MAC_LEN); 2850 abd_return_buf(pabd, plainbuf, datalen); 2851 abd_return_buf_copy(cabd, cipherbuf, datalen); 2852 } else { 2853 abd_return_buf_copy(pabd, plainbuf, datalen); 2854 abd_return_buf(cabd, cipherbuf, datalen); 2855 } 2856 2857 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2858 2859 return (ret); 2860 } 2861 2862 ZFS_MODULE_PARAM(zfs, zfs_, disable_ivset_guid_check, INT, ZMOD_RW, 2863 "Set to allow raw receives without IVset guids"); 2864