1 /* 2 * CDDL HEADER START 3 * 4 * This file and its contents are supplied under the terms of the 5 * Common Development and Distribution License ("CDDL"), version 1.0. 6 * You may only use this file in accordance with the terms of version 7 * 1.0 of the CDDL. 8 * 9 * A full copy of the text of the CDDL should have accompanied this 10 * source. A copy of the CDDL is also available via the Internet at 11 * http://www.illumos.org/license/CDDL. 12 * 13 * CDDL HEADER END 14 */ 15 16 /* 17 * Copyright (c) 2017, Datto, Inc. All rights reserved. 18 * Copyright (c) 2018 by Delphix. All rights reserved. 19 */ 20 21 #include <sys/dsl_crypt.h> 22 #include <sys/dsl_pool.h> 23 #include <sys/zap.h> 24 #include <sys/zil.h> 25 #include <sys/dsl_dir.h> 26 #include <sys/dsl_prop.h> 27 #include <sys/spa_impl.h> 28 #include <sys/dmu_objset.h> 29 #include <sys/zvol.h> 30 31 /* 32 * This file's primary purpose is for managing master encryption keys in 33 * memory and on disk. For more info on how these keys are used, see the 34 * block comment in zio_crypt.c. 35 * 36 * All master keys are stored encrypted on disk in the form of the DSL 37 * Crypto Key ZAP object. The binary key data in this object is always 38 * randomly generated and is encrypted with the user's wrapping key. This 39 * layer of indirection allows the user to change their key without 40 * needing to re-encrypt the entire dataset. The ZAP also holds on to the 41 * (non-encrypted) encryption algorithm identifier, IV, and MAC needed to 42 * safely decrypt the master key. For more info on the user's key see the 43 * block comment in libzfs_crypto.c 44 * 45 * In-memory encryption keys are managed through the spa_keystore. The 46 * keystore consists of 3 AVL trees, which are as follows: 47 * 48 * The Wrapping Key Tree: 49 * The wrapping key (wkey) tree stores the user's keys that are fed into the 50 * kernel through 'zfs load-key' and related commands. Datasets inherit their 51 * parent's wkey by default, so these structures are refcounted. The wrapping 52 * keys remain in memory until they are explicitly unloaded (with 53 * "zfs unload-key"). Unloading is only possible when no datasets are using 54 * them (refcount=0). 55 * 56 * The DSL Crypto Key Tree: 57 * The DSL Crypto Keys (DCK) are the in-memory representation of decrypted 58 * master keys. They are used by the functions in zio_crypt.c to perform 59 * encryption, decryption, and authentication. Snapshots and clones of a given 60 * dataset will share a DSL Crypto Key, so they are also refcounted. Once the 61 * refcount on a key hits zero, it is immediately zeroed out and freed. 62 * 63 * The Crypto Key Mapping Tree: 64 * The zio layer needs to lookup master keys by their dataset object id. Since 65 * the DSL Crypto Keys can belong to multiple datasets, we maintain a tree of 66 * dsl_key_mapping_t's which essentially just map the dataset object id to its 67 * appropriate DSL Crypto Key. The management for creating and destroying these 68 * mappings hooks into the code for owning and disowning datasets. Usually, 69 * there will only be one active dataset owner, but there are times 70 * (particularly during dataset creation and destruction) when this may not be 71 * true or the dataset may not be initialized enough to own. As a result, this 72 * object is also refcounted. 73 */ 74 75 /* 76 * This tunable allows datasets to be raw received even if the stream does 77 * not include IVset guids or if the guids don't match. This is used as part 78 * of the resolution for ZPOOL_ERRATA_ZOL_8308_ENCRYPTION. 79 */ 80 int zfs_disable_ivset_guid_check = 0; 81 82 static void 83 dsl_wrapping_key_hold(dsl_wrapping_key_t *wkey, void *tag) 84 { 85 (void) zfs_refcount_add(&wkey->wk_refcnt, tag); 86 } 87 88 static void 89 dsl_wrapping_key_rele(dsl_wrapping_key_t *wkey, void *tag) 90 { 91 (void) zfs_refcount_remove(&wkey->wk_refcnt, tag); 92 } 93 94 static void 95 dsl_wrapping_key_free(dsl_wrapping_key_t *wkey) 96 { 97 ASSERT0(zfs_refcount_count(&wkey->wk_refcnt)); 98 99 if (wkey->wk_key.ck_data) { 100 bzero(wkey->wk_key.ck_data, 101 CRYPTO_BITS2BYTES(wkey->wk_key.ck_length)); 102 kmem_free(wkey->wk_key.ck_data, 103 CRYPTO_BITS2BYTES(wkey->wk_key.ck_length)); 104 } 105 106 zfs_refcount_destroy(&wkey->wk_refcnt); 107 kmem_free(wkey, sizeof (dsl_wrapping_key_t)); 108 } 109 110 static int 111 dsl_wrapping_key_create(uint8_t *wkeydata, zfs_keyformat_t keyformat, 112 uint64_t salt, uint64_t iters, dsl_wrapping_key_t **wkey_out) 113 { 114 int ret; 115 dsl_wrapping_key_t *wkey; 116 117 /* allocate the wrapping key */ 118 wkey = kmem_alloc(sizeof (dsl_wrapping_key_t), KM_SLEEP); 119 if (!wkey) 120 return (SET_ERROR(ENOMEM)); 121 122 /* allocate and initialize the underlying crypto key */ 123 wkey->wk_key.ck_data = kmem_alloc(WRAPPING_KEY_LEN, KM_SLEEP); 124 if (!wkey->wk_key.ck_data) { 125 ret = SET_ERROR(ENOMEM); 126 goto error; 127 } 128 129 wkey->wk_key.ck_format = CRYPTO_KEY_RAW; 130 wkey->wk_key.ck_length = CRYPTO_BYTES2BITS(WRAPPING_KEY_LEN); 131 bcopy(wkeydata, wkey->wk_key.ck_data, WRAPPING_KEY_LEN); 132 133 /* initialize the rest of the struct */ 134 zfs_refcount_create(&wkey->wk_refcnt); 135 wkey->wk_keyformat = keyformat; 136 wkey->wk_salt = salt; 137 wkey->wk_iters = iters; 138 139 *wkey_out = wkey; 140 return (0); 141 142 error: 143 dsl_wrapping_key_free(wkey); 144 145 *wkey_out = NULL; 146 return (ret); 147 } 148 149 int 150 dsl_crypto_params_create_nvlist(dcp_cmd_t cmd, nvlist_t *props, 151 nvlist_t *crypto_args, dsl_crypto_params_t **dcp_out) 152 { 153 int ret; 154 uint64_t crypt = ZIO_CRYPT_INHERIT; 155 uint64_t keyformat = ZFS_KEYFORMAT_NONE; 156 uint64_t salt = 0, iters = 0; 157 dsl_crypto_params_t *dcp = NULL; 158 dsl_wrapping_key_t *wkey = NULL; 159 uint8_t *wkeydata = NULL; 160 uint_t wkeydata_len = 0; 161 char *keylocation = NULL; 162 163 dcp = kmem_zalloc(sizeof (dsl_crypto_params_t), KM_SLEEP); 164 if (!dcp) { 165 ret = SET_ERROR(ENOMEM); 166 goto error; 167 } 168 169 /* get relevant properties from the nvlist */ 170 dcp->cp_cmd = cmd; 171 172 /* get relevant arguments from the nvlists */ 173 if (props != NULL) { 174 (void) nvlist_lookup_uint64(props, 175 zfs_prop_to_name(ZFS_PROP_ENCRYPTION), &crypt); 176 (void) nvlist_lookup_uint64(props, 177 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), &keyformat); 178 (void) nvlist_lookup_string(props, 179 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), &keylocation); 180 (void) nvlist_lookup_uint64(props, 181 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), &salt); 182 (void) nvlist_lookup_uint64(props, 183 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), &iters); 184 dcp->cp_crypt = crypt; 185 } 186 187 if (crypto_args != NULL) { 188 (void) nvlist_lookup_uint8_array(crypto_args, "wkeydata", 189 &wkeydata, &wkeydata_len); 190 } 191 192 /* check for valid command */ 193 if (dcp->cp_cmd >= DCP_CMD_MAX) { 194 ret = SET_ERROR(EINVAL); 195 goto error; 196 } else { 197 dcp->cp_cmd = cmd; 198 } 199 200 /* check for valid crypt */ 201 if (dcp->cp_crypt >= ZIO_CRYPT_FUNCTIONS) { 202 ret = SET_ERROR(EINVAL); 203 goto error; 204 } else { 205 dcp->cp_crypt = crypt; 206 } 207 208 /* check for valid keyformat */ 209 if (keyformat >= ZFS_KEYFORMAT_FORMATS) { 210 ret = SET_ERROR(EINVAL); 211 goto error; 212 } 213 214 /* check for a valid keylocation (of any kind) and copy it in */ 215 if (keylocation != NULL) { 216 if (!zfs_prop_valid_keylocation(keylocation, B_FALSE)) { 217 ret = SET_ERROR(EINVAL); 218 goto error; 219 } 220 221 dcp->cp_keylocation = spa_strdup(keylocation); 222 } 223 224 /* check wrapping key length, if given */ 225 if (wkeydata != NULL && wkeydata_len != WRAPPING_KEY_LEN) { 226 ret = SET_ERROR(EINVAL); 227 goto error; 228 } 229 230 /* if the user asked for the default crypt, determine that now */ 231 if (dcp->cp_crypt == ZIO_CRYPT_ON) 232 dcp->cp_crypt = ZIO_CRYPT_ON_VALUE; 233 234 /* create the wrapping key from the raw data */ 235 if (wkeydata != NULL) { 236 /* create the wrapping key with the verified parameters */ 237 ret = dsl_wrapping_key_create(wkeydata, keyformat, salt, 238 iters, &wkey); 239 if (ret != 0) 240 goto error; 241 242 dcp->cp_wkey = wkey; 243 } 244 245 /* 246 * Remove the encryption properties from the nvlist since they are not 247 * maintained through the DSL. 248 */ 249 (void) nvlist_remove_all(props, zfs_prop_to_name(ZFS_PROP_ENCRYPTION)); 250 (void) nvlist_remove_all(props, zfs_prop_to_name(ZFS_PROP_KEYFORMAT)); 251 (void) nvlist_remove_all(props, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT)); 252 (void) nvlist_remove_all(props, 253 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS)); 254 255 *dcp_out = dcp; 256 257 return (0); 258 259 error: 260 if (wkey != NULL) 261 dsl_wrapping_key_free(wkey); 262 if (dcp != NULL) 263 kmem_free(dcp, sizeof (dsl_crypto_params_t)); 264 265 *dcp_out = NULL; 266 return (ret); 267 } 268 269 void 270 dsl_crypto_params_free(dsl_crypto_params_t *dcp, boolean_t unload) 271 { 272 if (dcp == NULL) 273 return; 274 275 if (dcp->cp_keylocation != NULL) 276 spa_strfree(dcp->cp_keylocation); 277 if (unload && dcp->cp_wkey != NULL) 278 dsl_wrapping_key_free(dcp->cp_wkey); 279 280 kmem_free(dcp, sizeof (dsl_crypto_params_t)); 281 } 282 283 static int 284 spa_crypto_key_compare(const void *a, const void *b) 285 { 286 const dsl_crypto_key_t *dcka = a; 287 const dsl_crypto_key_t *dckb = b; 288 289 if (dcka->dck_obj < dckb->dck_obj) 290 return (-1); 291 if (dcka->dck_obj > dckb->dck_obj) 292 return (1); 293 return (0); 294 } 295 296 static int 297 spa_key_mapping_compare(const void *a, const void *b) 298 { 299 const dsl_key_mapping_t *kma = a; 300 const dsl_key_mapping_t *kmb = b; 301 302 if (kma->km_dsobj < kmb->km_dsobj) 303 return (-1); 304 if (kma->km_dsobj > kmb->km_dsobj) 305 return (1); 306 return (0); 307 } 308 309 static int 310 spa_wkey_compare(const void *a, const void *b) 311 { 312 const dsl_wrapping_key_t *wka = a; 313 const dsl_wrapping_key_t *wkb = b; 314 315 if (wka->wk_ddobj < wkb->wk_ddobj) 316 return (-1); 317 if (wka->wk_ddobj > wkb->wk_ddobj) 318 return (1); 319 return (0); 320 } 321 322 void 323 spa_keystore_init(spa_keystore_t *sk) 324 { 325 rw_init(&sk->sk_dk_lock, NULL, RW_DEFAULT, NULL); 326 rw_init(&sk->sk_km_lock, NULL, RW_DEFAULT, NULL); 327 rw_init(&sk->sk_wkeys_lock, NULL, RW_DEFAULT, NULL); 328 avl_create(&sk->sk_dsl_keys, spa_crypto_key_compare, 329 sizeof (dsl_crypto_key_t), 330 offsetof(dsl_crypto_key_t, dck_avl_link)); 331 avl_create(&sk->sk_key_mappings, spa_key_mapping_compare, 332 sizeof (dsl_key_mapping_t), 333 offsetof(dsl_key_mapping_t, km_avl_link)); 334 avl_create(&sk->sk_wkeys, spa_wkey_compare, sizeof (dsl_wrapping_key_t), 335 offsetof(dsl_wrapping_key_t, wk_avl_link)); 336 } 337 338 void 339 spa_keystore_fini(spa_keystore_t *sk) 340 { 341 dsl_wrapping_key_t *wkey; 342 void *cookie = NULL; 343 344 ASSERT(avl_is_empty(&sk->sk_dsl_keys)); 345 ASSERT(avl_is_empty(&sk->sk_key_mappings)); 346 347 while ((wkey = avl_destroy_nodes(&sk->sk_wkeys, &cookie)) != NULL) 348 dsl_wrapping_key_free(wkey); 349 350 avl_destroy(&sk->sk_wkeys); 351 avl_destroy(&sk->sk_key_mappings); 352 avl_destroy(&sk->sk_dsl_keys); 353 rw_destroy(&sk->sk_wkeys_lock); 354 rw_destroy(&sk->sk_km_lock); 355 rw_destroy(&sk->sk_dk_lock); 356 } 357 358 static int 359 dsl_dir_get_encryption_root_ddobj(dsl_dir_t *dd, uint64_t *rddobj) 360 { 361 if (dd->dd_crypto_obj == 0) 362 return (SET_ERROR(ENOENT)); 363 364 return (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 365 DSL_CRYPTO_KEY_ROOT_DDOBJ, 8, 1, rddobj)); 366 } 367 368 int 369 dsl_dir_get_encryption_version(dsl_dir_t *dd, uint64_t *version) 370 { 371 *version = 0; 372 373 if (dd->dd_crypto_obj == 0) 374 return (SET_ERROR(ENOENT)); 375 376 /* version 0 is implied by ENOENT */ 377 (void) zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 378 DSL_CRYPTO_KEY_VERSION, 8, 1, version); 379 380 return (0); 381 } 382 383 boolean_t 384 dsl_dir_incompatible_encryption_version(dsl_dir_t *dd) 385 { 386 int ret; 387 uint64_t version = 0; 388 389 ret = dsl_dir_get_encryption_version(dd, &version); 390 if (ret != 0) 391 return (B_FALSE); 392 393 return (version != ZIO_CRYPT_KEY_CURRENT_VERSION); 394 } 395 396 static int 397 spa_keystore_wkey_hold_ddobj_impl(spa_t *spa, uint64_t ddobj, 398 void *tag, dsl_wrapping_key_t **wkey_out) 399 { 400 int ret; 401 dsl_wrapping_key_t search_wkey; 402 dsl_wrapping_key_t *found_wkey; 403 404 ASSERT(RW_LOCK_HELD(&spa->spa_keystore.sk_wkeys_lock)); 405 406 /* init the search wrapping key */ 407 search_wkey.wk_ddobj = ddobj; 408 409 /* lookup the wrapping key */ 410 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, &search_wkey, NULL); 411 if (!found_wkey) { 412 ret = SET_ERROR(ENOENT); 413 goto error; 414 } 415 416 /* increment the refcount */ 417 dsl_wrapping_key_hold(found_wkey, tag); 418 419 *wkey_out = found_wkey; 420 return (0); 421 422 error: 423 *wkey_out = NULL; 424 return (ret); 425 } 426 427 static int 428 spa_keystore_wkey_hold_dd(spa_t *spa, dsl_dir_t *dd, void *tag, 429 dsl_wrapping_key_t **wkey_out) 430 { 431 int ret; 432 dsl_wrapping_key_t *wkey; 433 uint64_t rddobj; 434 boolean_t locked = B_FALSE; 435 436 if (!RW_WRITE_HELD(&spa->spa_keystore.sk_wkeys_lock)) { 437 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_READER); 438 locked = B_TRUE; 439 } 440 441 /* get the ddobj that the keylocation property was inherited from */ 442 ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj); 443 if (ret != 0) 444 goto error; 445 446 /* lookup the wkey in the avl tree */ 447 ret = spa_keystore_wkey_hold_ddobj_impl(spa, rddobj, tag, &wkey); 448 if (ret != 0) 449 goto error; 450 451 /* unlock the wkey tree if we locked it */ 452 if (locked) 453 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 454 455 *wkey_out = wkey; 456 return (0); 457 458 error: 459 if (locked) 460 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 461 462 *wkey_out = NULL; 463 return (ret); 464 } 465 466 int 467 dsl_crypto_can_set_keylocation(const char *dsname, const char *keylocation) 468 { 469 int ret = 0; 470 dsl_dir_t *dd = NULL; 471 dsl_pool_t *dp = NULL; 472 uint64_t rddobj; 473 474 /* hold the dsl dir */ 475 ret = dsl_pool_hold(dsname, FTAG, &dp); 476 if (ret != 0) 477 goto out; 478 479 ret = dsl_dir_hold(dp, dsname, FTAG, &dd, NULL); 480 if (ret != 0) 481 goto out; 482 483 /* if dd is not encrypted, the value may only be "none" */ 484 if (dd->dd_crypto_obj == 0) { 485 if (strcmp(keylocation, "none") != 0) { 486 ret = SET_ERROR(EACCES); 487 goto out; 488 } 489 490 ret = 0; 491 goto out; 492 } 493 494 /* check for a valid keylocation for encrypted datasets */ 495 if (!zfs_prop_valid_keylocation(keylocation, B_TRUE)) { 496 ret = SET_ERROR(EINVAL); 497 goto out; 498 } 499 500 /* check that this is an encryption root */ 501 ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj); 502 if (ret != 0) 503 goto out; 504 505 if (rddobj != dd->dd_object) { 506 ret = SET_ERROR(EACCES); 507 goto out; 508 } 509 510 dsl_dir_rele(dd, FTAG); 511 dsl_pool_rele(dp, FTAG); 512 513 return (0); 514 515 out: 516 if (dd != NULL) 517 dsl_dir_rele(dd, FTAG); 518 if (dp != NULL) 519 dsl_pool_rele(dp, FTAG); 520 521 return (ret); 522 } 523 524 static void 525 dsl_crypto_key_free(dsl_crypto_key_t *dck) 526 { 527 ASSERT(zfs_refcount_count(&dck->dck_holds) == 0); 528 529 /* destroy the zio_crypt_key_t */ 530 zio_crypt_key_destroy(&dck->dck_key); 531 532 /* free the refcount, wrapping key, and lock */ 533 zfs_refcount_destroy(&dck->dck_holds); 534 if (dck->dck_wkey) 535 dsl_wrapping_key_rele(dck->dck_wkey, dck); 536 537 /* free the key */ 538 kmem_free(dck, sizeof (dsl_crypto_key_t)); 539 } 540 541 static void 542 dsl_crypto_key_rele(dsl_crypto_key_t *dck, void *tag) 543 { 544 if (zfs_refcount_remove(&dck->dck_holds, tag) == 0) 545 dsl_crypto_key_free(dck); 546 } 547 548 static int 549 dsl_crypto_key_open(objset_t *mos, dsl_wrapping_key_t *wkey, 550 uint64_t dckobj, void *tag, dsl_crypto_key_t **dck_out) 551 { 552 int ret; 553 uint64_t crypt = 0, guid = 0, version = 0; 554 uint8_t raw_keydata[MASTER_KEY_MAX_LEN]; 555 uint8_t raw_hmac_keydata[SHA512_HMAC_KEYLEN]; 556 uint8_t iv[WRAPPING_IV_LEN]; 557 uint8_t mac[WRAPPING_MAC_LEN]; 558 dsl_crypto_key_t *dck; 559 560 /* allocate and initialize the key */ 561 dck = kmem_zalloc(sizeof (dsl_crypto_key_t), KM_SLEEP); 562 if (!dck) 563 return (SET_ERROR(ENOMEM)); 564 565 /* fetch all of the values we need from the ZAP */ 566 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, 567 &crypt); 568 if (ret != 0) 569 goto error; 570 571 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_GUID, 8, 1, &guid); 572 if (ret != 0) 573 goto error; 574 575 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MASTER_KEY, 1, 576 MASTER_KEY_MAX_LEN, raw_keydata); 577 if (ret != 0) 578 goto error; 579 580 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_HMAC_KEY, 1, 581 SHA512_HMAC_KEYLEN, raw_hmac_keydata); 582 if (ret != 0) 583 goto error; 584 585 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_IV, 1, WRAPPING_IV_LEN, 586 iv); 587 if (ret != 0) 588 goto error; 589 590 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MAC, 1, WRAPPING_MAC_LEN, 591 mac); 592 if (ret != 0) 593 goto error; 594 595 /* the initial on-disk format for encryption did not have a version */ 596 (void) zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_VERSION, 8, 1, &version); 597 598 /* 599 * Unwrap the keys. If there is an error return EACCES to indicate 600 * an authentication failure. 601 */ 602 ret = zio_crypt_key_unwrap(&wkey->wk_key, crypt, version, guid, 603 raw_keydata, raw_hmac_keydata, iv, mac, &dck->dck_key); 604 if (ret != 0) { 605 ret = SET_ERROR(EACCES); 606 goto error; 607 } 608 609 /* finish initializing the dsl_crypto_key_t */ 610 zfs_refcount_create(&dck->dck_holds); 611 dsl_wrapping_key_hold(wkey, dck); 612 dck->dck_wkey = wkey; 613 dck->dck_obj = dckobj; 614 (void) zfs_refcount_add(&dck->dck_holds, tag); 615 616 *dck_out = dck; 617 return (0); 618 619 error: 620 if (dck != NULL) { 621 bzero(dck, sizeof (dsl_crypto_key_t)); 622 kmem_free(dck, sizeof (dsl_crypto_key_t)); 623 } 624 625 *dck_out = NULL; 626 return (ret); 627 } 628 629 static int 630 spa_keystore_dsl_key_hold_impl(spa_t *spa, uint64_t dckobj, void *tag, 631 dsl_crypto_key_t **dck_out) 632 { 633 int ret; 634 dsl_crypto_key_t search_dck; 635 dsl_crypto_key_t *found_dck; 636 637 ASSERT(RW_LOCK_HELD(&spa->spa_keystore.sk_dk_lock)); 638 639 /* init the search key */ 640 search_dck.dck_obj = dckobj; 641 642 /* find the matching key in the keystore */ 643 found_dck = avl_find(&spa->spa_keystore.sk_dsl_keys, &search_dck, NULL); 644 if (!found_dck) { 645 ret = SET_ERROR(ENOENT); 646 goto error; 647 } 648 649 /* increment the refcount */ 650 (void) zfs_refcount_add(&found_dck->dck_holds, tag); 651 652 *dck_out = found_dck; 653 return (0); 654 655 error: 656 *dck_out = NULL; 657 return (ret); 658 } 659 660 static int 661 spa_keystore_dsl_key_hold_dd(spa_t *spa, dsl_dir_t *dd, void *tag, 662 dsl_crypto_key_t **dck_out) 663 { 664 int ret; 665 avl_index_t where; 666 dsl_crypto_key_t *dck_io = NULL, *dck_ks = NULL; 667 dsl_wrapping_key_t *wkey = NULL; 668 uint64_t dckobj = dd->dd_crypto_obj; 669 670 /* Lookup the key in the tree of currently loaded keys */ 671 rw_enter(&spa->spa_keystore.sk_dk_lock, RW_READER); 672 ret = spa_keystore_dsl_key_hold_impl(spa, dckobj, tag, &dck_ks); 673 rw_exit(&spa->spa_keystore.sk_dk_lock); 674 if (ret == 0) { 675 *dck_out = dck_ks; 676 return (0); 677 } 678 679 /* Lookup the wrapping key from the keystore */ 680 ret = spa_keystore_wkey_hold_dd(spa, dd, FTAG, &wkey); 681 if (ret != 0) { 682 *dck_out = NULL; 683 return (SET_ERROR(EACCES)); 684 } 685 686 /* Read the key from disk */ 687 ret = dsl_crypto_key_open(spa->spa_meta_objset, wkey, dckobj, 688 tag, &dck_io); 689 if (ret != 0) { 690 dsl_wrapping_key_rele(wkey, FTAG); 691 *dck_out = NULL; 692 return (ret); 693 } 694 695 /* 696 * Add the key to the keystore. It may already exist if it was 697 * added while performing the read from disk. In this case discard 698 * it and return the key from the keystore. 699 */ 700 rw_enter(&spa->spa_keystore.sk_dk_lock, RW_WRITER); 701 ret = spa_keystore_dsl_key_hold_impl(spa, dckobj, tag, &dck_ks); 702 if (ret != 0) { 703 (void) avl_find(&spa->spa_keystore.sk_dsl_keys, dck_io, &where); 704 avl_insert(&spa->spa_keystore.sk_dsl_keys, dck_io, where); 705 *dck_out = dck_io; 706 } else { 707 dsl_crypto_key_free(dck_io); 708 *dck_out = dck_ks; 709 } 710 711 /* Release the wrapping key (the dsl key now has a reference to it) */ 712 dsl_wrapping_key_rele(wkey, FTAG); 713 rw_exit(&spa->spa_keystore.sk_dk_lock); 714 715 return (0); 716 } 717 718 void 719 spa_keystore_dsl_key_rele(spa_t *spa, dsl_crypto_key_t *dck, void *tag) 720 { 721 rw_enter(&spa->spa_keystore.sk_dk_lock, RW_WRITER); 722 723 if (zfs_refcount_remove(&dck->dck_holds, tag) == 0) { 724 avl_remove(&spa->spa_keystore.sk_dsl_keys, dck); 725 dsl_crypto_key_free(dck); 726 } 727 728 rw_exit(&spa->spa_keystore.sk_dk_lock); 729 } 730 731 int 732 spa_keystore_load_wkey_impl(spa_t *spa, dsl_wrapping_key_t *wkey) 733 { 734 int ret; 735 avl_index_t where; 736 dsl_wrapping_key_t *found_wkey; 737 738 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 739 740 /* insert the wrapping key into the keystore */ 741 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, wkey, &where); 742 if (found_wkey != NULL) { 743 ret = SET_ERROR(EEXIST); 744 goto error_unlock; 745 } 746 avl_insert(&spa->spa_keystore.sk_wkeys, wkey, where); 747 748 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 749 750 return (0); 751 752 error_unlock: 753 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 754 return (ret); 755 } 756 757 int 758 spa_keystore_load_wkey(const char *dsname, dsl_crypto_params_t *dcp, 759 boolean_t noop) 760 { 761 int ret; 762 dsl_dir_t *dd = NULL; 763 dsl_crypto_key_t *dck = NULL; 764 dsl_wrapping_key_t *wkey = dcp->cp_wkey; 765 dsl_pool_t *dp = NULL; 766 uint64_t keyformat, salt, iters; 767 768 /* 769 * We don't validate the wrapping key's keyformat, salt, or iters 770 * since they will never be needed after the DCK has been wrapped. 771 */ 772 if (dcp->cp_wkey == NULL || 773 dcp->cp_cmd != DCP_CMD_NONE || 774 dcp->cp_crypt != ZIO_CRYPT_INHERIT || 775 dcp->cp_keylocation != NULL) 776 return (SET_ERROR(EINVAL)); 777 778 ret = dsl_pool_hold(dsname, FTAG, &dp); 779 if (ret != 0) 780 goto error; 781 782 if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_ENCRYPTION)) { 783 ret = (SET_ERROR(ENOTSUP)); 784 goto error; 785 } 786 787 /* hold the dsl dir */ 788 ret = dsl_dir_hold(dp, dsname, FTAG, &dd, NULL); 789 if (ret != 0) 790 goto error; 791 792 /* initialize the wkey's ddobj */ 793 wkey->wk_ddobj = dd->dd_object; 794 795 /* verify that the wkey is correct by opening its dsl key */ 796 ret = dsl_crypto_key_open(dp->dp_meta_objset, wkey, 797 dd->dd_crypto_obj, FTAG, &dck); 798 if (ret != 0) 799 goto error; 800 801 /* initialize the wkey encryption parameters from the DSL Crypto Key */ 802 ret = zap_lookup(dp->dp_meta_objset, dd->dd_crypto_obj, 803 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 8, 1, &keyformat); 804 if (ret != 0) 805 goto error; 806 807 ret = zap_lookup(dp->dp_meta_objset, dd->dd_crypto_obj, 808 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 8, 1, &salt); 809 if (ret != 0) 810 goto error; 811 812 ret = zap_lookup(dp->dp_meta_objset, dd->dd_crypto_obj, 813 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 8, 1, &iters); 814 if (ret != 0) 815 goto error; 816 817 ASSERT3U(keyformat, <, ZFS_KEYFORMAT_FORMATS); 818 ASSERT3U(keyformat, !=, ZFS_KEYFORMAT_NONE); 819 IMPLY(keyformat == ZFS_KEYFORMAT_PASSPHRASE, iters != 0); 820 IMPLY(keyformat == ZFS_KEYFORMAT_PASSPHRASE, salt != 0); 821 IMPLY(keyformat != ZFS_KEYFORMAT_PASSPHRASE, iters == 0); 822 IMPLY(keyformat != ZFS_KEYFORMAT_PASSPHRASE, salt == 0); 823 824 wkey->wk_keyformat = keyformat; 825 wkey->wk_salt = salt; 826 wkey->wk_iters = iters; 827 828 /* 829 * At this point we have verified the wkey and confirmed that it can 830 * be used to decrypt a DSL Crypto Key. We can simply cleanup and 831 * return if this is all the user wanted to do. 832 */ 833 if (noop) 834 goto error; 835 836 /* insert the wrapping key into the keystore */ 837 ret = spa_keystore_load_wkey_impl(dp->dp_spa, wkey); 838 if (ret != 0) 839 goto error; 840 841 dsl_crypto_key_rele(dck, FTAG); 842 dsl_dir_rele(dd, FTAG); 843 dsl_pool_rele(dp, FTAG); 844 845 return (0); 846 847 error: 848 if (dck != NULL) 849 dsl_crypto_key_rele(dck, FTAG); 850 if (dd != NULL) 851 dsl_dir_rele(dd, FTAG); 852 if (dp != NULL) 853 dsl_pool_rele(dp, FTAG); 854 855 return (ret); 856 } 857 858 int 859 spa_keystore_unload_wkey_impl(spa_t *spa, uint64_t ddobj) 860 { 861 int ret; 862 dsl_wrapping_key_t search_wkey; 863 dsl_wrapping_key_t *found_wkey; 864 865 /* init the search wrapping key */ 866 search_wkey.wk_ddobj = ddobj; 867 868 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 869 870 /* remove the wrapping key from the keystore */ 871 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, 872 &search_wkey, NULL); 873 if (!found_wkey) { 874 ret = SET_ERROR(EACCES); 875 goto error_unlock; 876 } else if (zfs_refcount_count(&found_wkey->wk_refcnt) != 0) { 877 ret = SET_ERROR(EBUSY); 878 goto error_unlock; 879 } 880 avl_remove(&spa->spa_keystore.sk_wkeys, found_wkey); 881 882 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 883 884 /* free the wrapping key */ 885 dsl_wrapping_key_free(found_wkey); 886 887 return (0); 888 889 error_unlock: 890 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 891 return (ret); 892 } 893 894 int 895 spa_keystore_unload_wkey(const char *dsname) 896 { 897 int ret = 0; 898 dsl_dir_t *dd = NULL; 899 dsl_pool_t *dp = NULL; 900 spa_t *spa = NULL; 901 902 ret = spa_open(dsname, &spa, FTAG); 903 if (ret != 0) 904 return (ret); 905 906 /* 907 * Wait for any outstanding txg IO to complete, releasing any 908 * remaining references on the wkey. 909 */ 910 if (spa_mode(spa) != FREAD) 911 txg_wait_synced(spa->spa_dsl_pool, 0); 912 913 spa_close(spa, FTAG); 914 915 /* hold the dsl dir */ 916 ret = dsl_pool_hold(dsname, FTAG, &dp); 917 if (ret != 0) 918 goto error; 919 920 if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_ENCRYPTION)) { 921 ret = (SET_ERROR(ENOTSUP)); 922 goto error; 923 } 924 925 ret = dsl_dir_hold(dp, dsname, FTAG, &dd, NULL); 926 if (ret != 0) 927 goto error; 928 929 /* unload the wkey */ 930 ret = spa_keystore_unload_wkey_impl(dp->dp_spa, dd->dd_object); 931 if (ret != 0) 932 goto error; 933 934 dsl_dir_rele(dd, FTAG); 935 dsl_pool_rele(dp, FTAG); 936 937 return (0); 938 939 error: 940 if (dd != NULL) 941 dsl_dir_rele(dd, FTAG); 942 if (dp != NULL) 943 dsl_pool_rele(dp, FTAG); 944 945 return (ret); 946 } 947 948 void 949 key_mapping_add_ref(dsl_key_mapping_t *km, void *tag) 950 { 951 ASSERT3U(zfs_refcount_count(&km->km_refcnt), >=, 1); 952 (void) zfs_refcount_add(&km->km_refcnt, tag); 953 } 954 955 /* 956 * The locking here is a little tricky to ensure we don't cause unnecessary 957 * performance problems. We want to release a key mapping whenever someone 958 * decrements the refcount to 0, but freeing the mapping requires removing 959 * it from the spa_keystore, which requires holding sk_km_lock as a writer. 960 * Most of the time we don't want to hold this lock as a writer, since the 961 * same lock is held as a reader for each IO that needs to encrypt / decrypt 962 * data for any dataset and in practice we will only actually free the 963 * mapping after unmounting a dataset. 964 */ 965 void 966 key_mapping_rele(spa_t *spa, dsl_key_mapping_t *km, void *tag) 967 { 968 ASSERT3U(zfs_refcount_count(&km->km_refcnt), >=, 1); 969 970 if (zfs_refcount_remove(&km->km_refcnt, tag) != 0) 971 return; 972 973 /* 974 * We think we are going to need to free the mapping. Add a 975 * reference to prevent most other releasers from thinking 976 * this might be their responsibility. This is inherently 977 * racy, so we will confirm that we are legitimately the 978 * last holder once we have the sk_km_lock as a writer. 979 */ 980 (void) zfs_refcount_add(&km->km_refcnt, FTAG); 981 982 rw_enter(&spa->spa_keystore.sk_km_lock, RW_WRITER); 983 if (zfs_refcount_remove(&km->km_refcnt, FTAG) != 0) { 984 rw_exit(&spa->spa_keystore.sk_km_lock); 985 return; 986 } 987 988 avl_remove(&spa->spa_keystore.sk_key_mappings, km); 989 rw_exit(&spa->spa_keystore.sk_km_lock); 990 991 spa_keystore_dsl_key_rele(spa, km->km_key, km); 992 zfs_refcount_destroy(&km->km_refcnt); 993 kmem_free(km, sizeof (dsl_key_mapping_t)); 994 } 995 996 int 997 spa_keystore_create_mapping(spa_t *spa, dsl_dataset_t *ds, void *tag, 998 dsl_key_mapping_t **km_out) 999 { 1000 int ret; 1001 avl_index_t where; 1002 dsl_key_mapping_t *km, *found_km; 1003 boolean_t should_free = B_FALSE; 1004 1005 /* Allocate and initialize the mapping */ 1006 km = kmem_zalloc(sizeof (dsl_key_mapping_t), KM_SLEEP); 1007 zfs_refcount_create(&km->km_refcnt); 1008 1009 ret = spa_keystore_dsl_key_hold_dd(spa, ds->ds_dir, km, &km->km_key); 1010 if (ret != 0) { 1011 zfs_refcount_destroy(&km->km_refcnt); 1012 kmem_free(km, sizeof (dsl_key_mapping_t)); 1013 1014 if (km_out != NULL) 1015 *km_out = NULL; 1016 return (ret); 1017 } 1018 1019 km->km_dsobj = ds->ds_object; 1020 1021 rw_enter(&spa->spa_keystore.sk_km_lock, RW_WRITER); 1022 1023 /* 1024 * If a mapping already exists, simply increment its refcount and 1025 * cleanup the one we made. We want to allocate / free outside of 1026 * the lock because this lock is also used by the zio layer to lookup 1027 * key mappings. Otherwise, use the one we created. Normally, there will 1028 * only be one active reference at a time (the objset owner), but there 1029 * are times when there could be multiple async users. 1030 */ 1031 found_km = avl_find(&spa->spa_keystore.sk_key_mappings, km, &where); 1032 if (found_km != NULL) { 1033 should_free = B_TRUE; 1034 (void) zfs_refcount_add(&found_km->km_refcnt, tag); 1035 if (km_out != NULL) 1036 *km_out = found_km; 1037 } else { 1038 (void) zfs_refcount_add(&km->km_refcnt, tag); 1039 avl_insert(&spa->spa_keystore.sk_key_mappings, km, where); 1040 if (km_out != NULL) 1041 *km_out = km; 1042 } 1043 1044 rw_exit(&spa->spa_keystore.sk_km_lock); 1045 1046 if (should_free) { 1047 spa_keystore_dsl_key_rele(spa, km->km_key, km); 1048 zfs_refcount_destroy(&km->km_refcnt); 1049 kmem_free(km, sizeof (dsl_key_mapping_t)); 1050 } 1051 1052 return (0); 1053 } 1054 1055 int 1056 spa_keystore_remove_mapping(spa_t *spa, uint64_t dsobj, void *tag) 1057 { 1058 int ret; 1059 dsl_key_mapping_t search_km; 1060 dsl_key_mapping_t *found_km; 1061 1062 /* init the search key mapping */ 1063 search_km.km_dsobj = dsobj; 1064 1065 rw_enter(&spa->spa_keystore.sk_km_lock, RW_READER); 1066 1067 /* find the matching mapping */ 1068 found_km = avl_find(&spa->spa_keystore.sk_key_mappings, 1069 &search_km, NULL); 1070 if (found_km == NULL) { 1071 ret = SET_ERROR(ENOENT); 1072 goto error_unlock; 1073 } 1074 1075 rw_exit(&spa->spa_keystore.sk_km_lock); 1076 1077 key_mapping_rele(spa, found_km, tag); 1078 1079 return (0); 1080 1081 error_unlock: 1082 rw_exit(&spa->spa_keystore.sk_km_lock); 1083 return (ret); 1084 } 1085 1086 /* 1087 * This function is primarily used by the zio and arc layer to lookup 1088 * DSL Crypto Keys for encryption. Callers must release the key with 1089 * spa_keystore_dsl_key_rele(). The function may also be called with 1090 * dck_out == NULL and tag == NULL to simply check that a key exists 1091 * without getting a reference to it. 1092 */ 1093 int 1094 spa_keystore_lookup_key(spa_t *spa, uint64_t dsobj, void *tag, 1095 dsl_crypto_key_t **dck_out) 1096 { 1097 int ret; 1098 dsl_key_mapping_t search_km; 1099 dsl_key_mapping_t *found_km; 1100 1101 ASSERT((tag != NULL && dck_out != NULL) || 1102 (tag == NULL && dck_out == NULL)); 1103 1104 /* init the search key mapping */ 1105 search_km.km_dsobj = dsobj; 1106 1107 rw_enter(&spa->spa_keystore.sk_km_lock, RW_READER); 1108 1109 /* remove the mapping from the tree */ 1110 found_km = avl_find(&spa->spa_keystore.sk_key_mappings, &search_km, 1111 NULL); 1112 if (found_km == NULL) { 1113 ret = SET_ERROR(ENOENT); 1114 goto error_unlock; 1115 } 1116 1117 if (found_km && tag) 1118 (void) zfs_refcount_add(&found_km->km_key->dck_holds, tag); 1119 1120 rw_exit(&spa->spa_keystore.sk_km_lock); 1121 1122 if (dck_out != NULL) 1123 *dck_out = found_km->km_key; 1124 return (0); 1125 1126 error_unlock: 1127 rw_exit(&spa->spa_keystore.sk_km_lock); 1128 1129 if (dck_out != NULL) 1130 *dck_out = NULL; 1131 return (ret); 1132 } 1133 1134 static int 1135 dmu_objset_check_wkey_loaded(dsl_dir_t *dd) 1136 { 1137 int ret; 1138 dsl_wrapping_key_t *wkey = NULL; 1139 1140 ret = spa_keystore_wkey_hold_dd(dd->dd_pool->dp_spa, dd, FTAG, 1141 &wkey); 1142 if (ret != 0) 1143 return (SET_ERROR(EACCES)); 1144 1145 dsl_wrapping_key_rele(wkey, FTAG); 1146 1147 return (0); 1148 } 1149 1150 static zfs_keystatus_t 1151 dsl_dataset_get_keystatus(dsl_dir_t *dd) 1152 { 1153 /* check if this dd has a has a dsl key */ 1154 if (dd->dd_crypto_obj == 0) 1155 return (ZFS_KEYSTATUS_NONE); 1156 1157 return (dmu_objset_check_wkey_loaded(dd) == 0 ? 1158 ZFS_KEYSTATUS_AVAILABLE : ZFS_KEYSTATUS_UNAVAILABLE); 1159 } 1160 1161 static int 1162 dsl_dir_get_crypt(dsl_dir_t *dd, uint64_t *crypt) 1163 { 1164 if (dd->dd_crypto_obj == 0) { 1165 *crypt = ZIO_CRYPT_OFF; 1166 return (0); 1167 } 1168 1169 return (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 1170 DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, crypt)); 1171 } 1172 1173 static void 1174 dsl_crypto_key_sync_impl(objset_t *mos, uint64_t dckobj, uint64_t crypt, 1175 uint64_t root_ddobj, uint64_t guid, uint8_t *iv, uint8_t *mac, 1176 uint8_t *keydata, uint8_t *hmac_keydata, uint64_t keyformat, 1177 uint64_t salt, uint64_t iters, dmu_tx_t *tx) 1178 { 1179 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, 1180 &crypt, tx)); 1181 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_ROOT_DDOBJ, 8, 1, 1182 &root_ddobj, tx)); 1183 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_GUID, 8, 1, 1184 &guid, tx)); 1185 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_IV, 1, WRAPPING_IV_LEN, 1186 iv, tx)); 1187 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_MAC, 1, WRAPPING_MAC_LEN, 1188 mac, tx)); 1189 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_MASTER_KEY, 1, 1190 MASTER_KEY_MAX_LEN, keydata, tx)); 1191 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_HMAC_KEY, 1, 1192 SHA512_HMAC_KEYLEN, hmac_keydata, tx)); 1193 VERIFY0(zap_update(mos, dckobj, zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 1194 8, 1, &keyformat, tx)); 1195 VERIFY0(zap_update(mos, dckobj, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 1196 8, 1, &salt, tx)); 1197 VERIFY0(zap_update(mos, dckobj, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 1198 8, 1, &iters, tx)); 1199 } 1200 1201 static void 1202 dsl_crypto_key_sync(dsl_crypto_key_t *dck, dmu_tx_t *tx) 1203 { 1204 zio_crypt_key_t *key = &dck->dck_key; 1205 dsl_wrapping_key_t *wkey = dck->dck_wkey; 1206 uint8_t keydata[MASTER_KEY_MAX_LEN]; 1207 uint8_t hmac_keydata[SHA512_HMAC_KEYLEN]; 1208 uint8_t iv[WRAPPING_IV_LEN]; 1209 uint8_t mac[WRAPPING_MAC_LEN]; 1210 1211 ASSERT(dmu_tx_is_syncing(tx)); 1212 ASSERT3U(key->zk_crypt, <, ZIO_CRYPT_FUNCTIONS); 1213 1214 /* encrypt and store the keys along with the IV and MAC */ 1215 VERIFY0(zio_crypt_key_wrap(&dck->dck_wkey->wk_key, key, iv, mac, 1216 keydata, hmac_keydata)); 1217 1218 /* update the ZAP with the obtained values */ 1219 dsl_crypto_key_sync_impl(tx->tx_pool->dp_meta_objset, dck->dck_obj, 1220 key->zk_crypt, wkey->wk_ddobj, key->zk_guid, iv, mac, keydata, 1221 hmac_keydata, wkey->wk_keyformat, wkey->wk_salt, wkey->wk_iters, 1222 tx); 1223 } 1224 1225 int 1226 spa_keystore_change_key_check(void *arg, dmu_tx_t *tx) 1227 { 1228 int ret; 1229 dsl_dir_t *dd = NULL; 1230 dsl_pool_t *dp = dmu_tx_pool(tx); 1231 spa_keystore_change_key_args_t *skcka = arg; 1232 dsl_crypto_params_t *dcp = skcka->skcka_cp; 1233 uint64_t rddobj; 1234 1235 /* check for the encryption feature */ 1236 if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_ENCRYPTION)) { 1237 ret = SET_ERROR(ENOTSUP); 1238 goto error; 1239 } 1240 1241 /* check for valid key change command */ 1242 if (dcp->cp_cmd != DCP_CMD_NEW_KEY && 1243 dcp->cp_cmd != DCP_CMD_INHERIT && 1244 dcp->cp_cmd != DCP_CMD_FORCE_NEW_KEY && 1245 dcp->cp_cmd != DCP_CMD_FORCE_INHERIT) { 1246 ret = SET_ERROR(EINVAL); 1247 goto error; 1248 } 1249 1250 /* hold the dd */ 1251 ret = dsl_dir_hold(dp, skcka->skcka_dsname, FTAG, &dd, NULL); 1252 if (ret != 0) 1253 goto error; 1254 1255 /* verify that the dataset is encrypted */ 1256 if (dd->dd_crypto_obj == 0) { 1257 ret = SET_ERROR(EINVAL); 1258 goto error; 1259 } 1260 1261 /* clones must always use their origin's key */ 1262 if (dsl_dir_is_clone(dd)) { 1263 ret = SET_ERROR(EINVAL); 1264 goto error; 1265 } 1266 1267 /* lookup the ddobj we are inheriting the keylocation from */ 1268 ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj); 1269 if (ret != 0) 1270 goto error; 1271 1272 /* Handle inheritance */ 1273 if (dcp->cp_cmd == DCP_CMD_INHERIT || 1274 dcp->cp_cmd == DCP_CMD_FORCE_INHERIT) { 1275 /* no other encryption params should be given */ 1276 if (dcp->cp_crypt != ZIO_CRYPT_INHERIT || 1277 dcp->cp_keylocation != NULL || 1278 dcp->cp_wkey != NULL) { 1279 ret = SET_ERROR(EINVAL); 1280 goto error; 1281 } 1282 1283 /* check that this is an encryption root */ 1284 if (dd->dd_object != rddobj) { 1285 ret = SET_ERROR(EINVAL); 1286 goto error; 1287 } 1288 1289 /* check that the parent is encrypted */ 1290 if (dd->dd_parent->dd_crypto_obj == 0) { 1291 ret = SET_ERROR(EINVAL); 1292 goto error; 1293 } 1294 1295 /* if we are rewrapping check that both keys are loaded */ 1296 if (dcp->cp_cmd == DCP_CMD_INHERIT) { 1297 ret = dmu_objset_check_wkey_loaded(dd); 1298 if (ret != 0) 1299 goto error; 1300 1301 ret = dmu_objset_check_wkey_loaded(dd->dd_parent); 1302 if (ret != 0) 1303 goto error; 1304 } 1305 1306 dsl_dir_rele(dd, FTAG); 1307 return (0); 1308 } 1309 1310 /* handle forcing an encryption root without rewrapping */ 1311 if (dcp->cp_cmd == DCP_CMD_FORCE_NEW_KEY) { 1312 /* no other encryption params should be given */ 1313 if (dcp->cp_crypt != ZIO_CRYPT_INHERIT || 1314 dcp->cp_keylocation != NULL || 1315 dcp->cp_wkey != NULL) { 1316 ret = SET_ERROR(EINVAL); 1317 goto error; 1318 } 1319 1320 /* check that this is not an encryption root */ 1321 if (dd->dd_object == rddobj) { 1322 ret = SET_ERROR(EINVAL); 1323 goto error; 1324 } 1325 1326 dsl_dir_rele(dd, FTAG); 1327 return (0); 1328 } 1329 1330 /* crypt cannot be changed after creation */ 1331 if (dcp->cp_crypt != ZIO_CRYPT_INHERIT) { 1332 ret = SET_ERROR(EINVAL); 1333 goto error; 1334 } 1335 1336 /* we are not inheritting our parent's wkey so we need one ourselves */ 1337 if (dcp->cp_wkey == NULL) { 1338 ret = SET_ERROR(EINVAL); 1339 goto error; 1340 } 1341 1342 /* check for a valid keyformat for the new wrapping key */ 1343 if (dcp->cp_wkey->wk_keyformat >= ZFS_KEYFORMAT_FORMATS || 1344 dcp->cp_wkey->wk_keyformat == ZFS_KEYFORMAT_NONE) { 1345 ret = SET_ERROR(EINVAL); 1346 goto error; 1347 } 1348 1349 /* 1350 * If this dataset is not currently an encryption root we need a new 1351 * keylocation for this dataset's new wrapping key. Otherwise we can 1352 * just keep the one we already had. 1353 */ 1354 if (dd->dd_object != rddobj && dcp->cp_keylocation == NULL) { 1355 ret = SET_ERROR(EINVAL); 1356 goto error; 1357 } 1358 1359 /* check that the keylocation is valid if it is not NULL */ 1360 if (dcp->cp_keylocation != NULL && 1361 !zfs_prop_valid_keylocation(dcp->cp_keylocation, B_TRUE)) { 1362 ret = SET_ERROR(EINVAL); 1363 goto error; 1364 } 1365 1366 /* passphrases require pbkdf2 salt and iters */ 1367 if (dcp->cp_wkey->wk_keyformat == ZFS_KEYFORMAT_PASSPHRASE) { 1368 if (dcp->cp_wkey->wk_salt == 0 || 1369 dcp->cp_wkey->wk_iters < MIN_PBKDF2_ITERATIONS) { 1370 ret = SET_ERROR(EINVAL); 1371 goto error; 1372 } 1373 } else { 1374 if (dcp->cp_wkey->wk_salt != 0 || dcp->cp_wkey->wk_iters != 0) { 1375 ret = SET_ERROR(EINVAL); 1376 goto error; 1377 } 1378 } 1379 1380 /* make sure the dd's wkey is loaded */ 1381 ret = dmu_objset_check_wkey_loaded(dd); 1382 if (ret != 0) 1383 goto error; 1384 1385 dsl_dir_rele(dd, FTAG); 1386 1387 return (0); 1388 1389 error: 1390 if (dd != NULL) 1391 dsl_dir_rele(dd, FTAG); 1392 1393 return (ret); 1394 } 1395 1396 /* 1397 * This function deals with the intricacies of updating wrapping 1398 * key references and encryption roots recursively in the event 1399 * of a call to 'zfs change-key' or 'zfs promote'. The 'skip' 1400 * parameter should always be set to B_FALSE when called 1401 * externally. 1402 */ 1403 static void 1404 spa_keystore_change_key_sync_impl(uint64_t rddobj, uint64_t ddobj, 1405 uint64_t new_rddobj, dsl_wrapping_key_t *wkey, boolean_t skip, 1406 dmu_tx_t *tx) 1407 { 1408 int ret; 1409 zap_cursor_t *zc; 1410 zap_attribute_t *za; 1411 dsl_pool_t *dp = dmu_tx_pool(tx); 1412 dsl_dir_t *dd = NULL; 1413 dsl_crypto_key_t *dck = NULL; 1414 uint64_t curr_rddobj; 1415 1416 ASSERT(RW_WRITE_HELD(&dp->dp_spa->spa_keystore.sk_wkeys_lock)); 1417 1418 /* hold the dd */ 1419 VERIFY0(dsl_dir_hold_obj(dp, ddobj, NULL, FTAG, &dd)); 1420 1421 /* ignore special dsl dirs */ 1422 if (dd->dd_myname[0] == '$' || dd->dd_myname[0] == '%') { 1423 dsl_dir_rele(dd, FTAG); 1424 return; 1425 } 1426 1427 ret = dsl_dir_get_encryption_root_ddobj(dd, &curr_rddobj); 1428 VERIFY(ret == 0 || ret == ENOENT); 1429 1430 /* 1431 * Stop recursing if this dsl dir didn't inherit from the root 1432 * or if this dd is a clone. 1433 */ 1434 if (ret == ENOENT || 1435 (!skip && (curr_rddobj != rddobj || dsl_dir_is_clone(dd)))) { 1436 dsl_dir_rele(dd, FTAG); 1437 return; 1438 } 1439 1440 /* 1441 * If we don't have a wrapping key just update the dck to reflect the 1442 * new encryption root. Otherwise rewrap the entire dck and re-sync it 1443 * to disk. If skip is set, we don't do any of this work. 1444 */ 1445 if (!skip) { 1446 if (wkey == NULL) { 1447 VERIFY0(zap_update(dp->dp_meta_objset, 1448 dd->dd_crypto_obj, 1449 DSL_CRYPTO_KEY_ROOT_DDOBJ, 8, 1, 1450 &new_rddobj, tx)); 1451 } else { 1452 VERIFY0(spa_keystore_dsl_key_hold_dd(dp->dp_spa, dd, 1453 FTAG, &dck)); 1454 dsl_wrapping_key_hold(wkey, dck); 1455 dsl_wrapping_key_rele(dck->dck_wkey, dck); 1456 dck->dck_wkey = wkey; 1457 dsl_crypto_key_sync(dck, tx); 1458 spa_keystore_dsl_key_rele(dp->dp_spa, dck, FTAG); 1459 } 1460 } 1461 1462 zc = kmem_alloc(sizeof (zap_cursor_t), KM_SLEEP); 1463 za = kmem_alloc(sizeof (zap_attribute_t), KM_SLEEP); 1464 1465 /* Recurse into all child dsl dirs. */ 1466 for (zap_cursor_init(zc, dp->dp_meta_objset, 1467 dsl_dir_phys(dd)->dd_child_dir_zapobj); 1468 zap_cursor_retrieve(zc, za) == 0; 1469 zap_cursor_advance(zc)) { 1470 spa_keystore_change_key_sync_impl(rddobj, 1471 za->za_first_integer, new_rddobj, wkey, B_FALSE, tx); 1472 } 1473 zap_cursor_fini(zc); 1474 1475 /* 1476 * Recurse into all dsl dirs of clones. We utilize the skip parameter 1477 * here so that we don't attempt to process the clones directly. This 1478 * is because the clone and its origin share the same dck, which has 1479 * already been updated. 1480 */ 1481 for (zap_cursor_init(zc, dp->dp_meta_objset, 1482 dsl_dir_phys(dd)->dd_clones); 1483 zap_cursor_retrieve(zc, za) == 0; 1484 zap_cursor_advance(zc)) { 1485 dsl_dataset_t *clone; 1486 1487 VERIFY0(dsl_dataset_hold_obj(dp, za->za_first_integer, 1488 FTAG, &clone)); 1489 spa_keystore_change_key_sync_impl(rddobj, 1490 clone->ds_dir->dd_object, new_rddobj, wkey, B_TRUE, tx); 1491 dsl_dataset_rele(clone, FTAG); 1492 } 1493 zap_cursor_fini(zc); 1494 1495 kmem_free(za, sizeof (zap_attribute_t)); 1496 kmem_free(zc, sizeof (zap_cursor_t)); 1497 1498 dsl_dir_rele(dd, FTAG); 1499 } 1500 1501 void 1502 spa_keystore_change_key_sync(void *arg, dmu_tx_t *tx) 1503 { 1504 dsl_dataset_t *ds; 1505 avl_index_t where; 1506 dsl_pool_t *dp = dmu_tx_pool(tx); 1507 spa_t *spa = dp->dp_spa; 1508 spa_keystore_change_key_args_t *skcka = arg; 1509 dsl_crypto_params_t *dcp = skcka->skcka_cp; 1510 dsl_wrapping_key_t *wkey = NULL, *found_wkey; 1511 dsl_wrapping_key_t wkey_search; 1512 char *keylocation = dcp->cp_keylocation; 1513 uint64_t rddobj, new_rddobj; 1514 1515 /* create and initialize the wrapping key */ 1516 VERIFY0(dsl_dataset_hold(dp, skcka->skcka_dsname, FTAG, &ds)); 1517 ASSERT(!ds->ds_is_snapshot); 1518 1519 if (dcp->cp_cmd == DCP_CMD_NEW_KEY || 1520 dcp->cp_cmd == DCP_CMD_FORCE_NEW_KEY) { 1521 /* 1522 * We are changing to a new wkey. Set additional properties 1523 * which can be sent along with this ioctl. Note that this 1524 * command can set keylocation even if it can't normally be 1525 * set via 'zfs set' due to a non-local keylocation. 1526 */ 1527 if (dcp->cp_cmd == DCP_CMD_NEW_KEY) { 1528 wkey = dcp->cp_wkey; 1529 wkey->wk_ddobj = ds->ds_dir->dd_object; 1530 } else { 1531 keylocation = "prompt"; 1532 } 1533 1534 if (keylocation != NULL) { 1535 dsl_prop_set_sync_impl(ds, 1536 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1537 ZPROP_SRC_LOCAL, 1, strlen(keylocation) + 1, 1538 keylocation, tx); 1539 } 1540 1541 VERIFY0(dsl_dir_get_encryption_root_ddobj(ds->ds_dir, &rddobj)); 1542 new_rddobj = ds->ds_dir->dd_object; 1543 } else { 1544 /* 1545 * We are inheriting the parent's wkey. Unset any local 1546 * keylocation and grab a reference to the wkey. 1547 */ 1548 if (dcp->cp_cmd == DCP_CMD_INHERIT) { 1549 VERIFY0(spa_keystore_wkey_hold_dd(spa, 1550 ds->ds_dir->dd_parent, FTAG, &wkey)); 1551 } 1552 1553 dsl_prop_set_sync_impl(ds, 1554 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), ZPROP_SRC_NONE, 1555 0, 0, NULL, tx); 1556 1557 rddobj = ds->ds_dir->dd_object; 1558 VERIFY0(dsl_dir_get_encryption_root_ddobj(ds->ds_dir->dd_parent, 1559 &new_rddobj)); 1560 } 1561 1562 if (wkey == NULL) { 1563 ASSERT(dcp->cp_cmd == DCP_CMD_FORCE_INHERIT || 1564 dcp->cp_cmd == DCP_CMD_FORCE_NEW_KEY); 1565 } 1566 1567 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 1568 1569 /* recurse through all children and rewrap their keys */ 1570 spa_keystore_change_key_sync_impl(rddobj, ds->ds_dir->dd_object, 1571 new_rddobj, wkey, B_FALSE, tx); 1572 1573 /* 1574 * All references to the old wkey should be released now (if it 1575 * existed). Replace the wrapping key. 1576 */ 1577 wkey_search.wk_ddobj = ds->ds_dir->dd_object; 1578 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, &wkey_search, NULL); 1579 if (found_wkey != NULL) { 1580 ASSERT0(zfs_refcount_count(&found_wkey->wk_refcnt)); 1581 avl_remove(&spa->spa_keystore.sk_wkeys, found_wkey); 1582 dsl_wrapping_key_free(found_wkey); 1583 } 1584 1585 if (dcp->cp_cmd == DCP_CMD_NEW_KEY) { 1586 (void) avl_find(&spa->spa_keystore.sk_wkeys, wkey, &where); 1587 avl_insert(&spa->spa_keystore.sk_wkeys, wkey, where); 1588 } else if (wkey != NULL) { 1589 dsl_wrapping_key_rele(wkey, FTAG); 1590 } 1591 1592 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 1593 1594 dsl_dataset_rele(ds, FTAG); 1595 } 1596 1597 int 1598 spa_keystore_change_key(const char *dsname, dsl_crypto_params_t *dcp) 1599 { 1600 spa_keystore_change_key_args_t skcka; 1601 1602 /* initialize the args struct */ 1603 skcka.skcka_dsname = dsname; 1604 skcka.skcka_cp = dcp; 1605 1606 /* 1607 * Perform the actual work in syncing context. The blocks modified 1608 * here could be calculated but it would require holding the pool 1609 * lock and traversing all of the datasets that will have their keys 1610 * changed. 1611 */ 1612 return (dsl_sync_task(dsname, spa_keystore_change_key_check, 1613 spa_keystore_change_key_sync, &skcka, 15, 1614 ZFS_SPACE_CHECK_RESERVED)); 1615 } 1616 1617 int 1618 dsl_dir_rename_crypt_check(dsl_dir_t *dd, dsl_dir_t *newparent) 1619 { 1620 int ret; 1621 uint64_t curr_rddobj, parent_rddobj; 1622 1623 if (dd->dd_crypto_obj == 0) 1624 return (0); 1625 1626 ret = dsl_dir_get_encryption_root_ddobj(dd, &curr_rddobj); 1627 if (ret != 0) 1628 goto error; 1629 1630 /* 1631 * if this is not an encryption root, we must make sure we are not 1632 * moving dd to a new encryption root 1633 */ 1634 if (dd->dd_object != curr_rddobj) { 1635 ret = dsl_dir_get_encryption_root_ddobj(newparent, 1636 &parent_rddobj); 1637 if (ret != 0) 1638 goto error; 1639 1640 if (parent_rddobj != curr_rddobj) { 1641 ret = SET_ERROR(EACCES); 1642 goto error; 1643 } 1644 } 1645 1646 return (0); 1647 1648 error: 1649 return (ret); 1650 } 1651 1652 /* 1653 * Check to make sure that a promote from targetdd to origindd will not require 1654 * any key rewraps. 1655 */ 1656 int 1657 dsl_dataset_promote_crypt_check(dsl_dir_t *target, dsl_dir_t *origin) 1658 { 1659 int ret; 1660 uint64_t rddobj, op_rddobj, tp_rddobj; 1661 1662 /* If the dataset is not encrypted we don't need to check anything */ 1663 if (origin->dd_crypto_obj == 0) 1664 return (0); 1665 1666 /* 1667 * If we are not changing the first origin snapshot in a chain 1668 * the encryption root won't change either. 1669 */ 1670 if (dsl_dir_is_clone(origin)) 1671 return (0); 1672 1673 /* 1674 * If the origin is the encryption root we will update 1675 * the DSL Crypto Key to point to the target instead. 1676 */ 1677 ret = dsl_dir_get_encryption_root_ddobj(origin, &rddobj); 1678 if (ret != 0) 1679 return (ret); 1680 1681 if (rddobj == origin->dd_object) 1682 return (0); 1683 1684 /* 1685 * The origin is inheriting its encryption root from its parent. 1686 * Check that the parent of the target has the same encryption root. 1687 */ 1688 ret = dsl_dir_get_encryption_root_ddobj(origin->dd_parent, &op_rddobj); 1689 if (ret != 0) 1690 return (ret); 1691 1692 ret = dsl_dir_get_encryption_root_ddobj(target->dd_parent, &tp_rddobj); 1693 if (ret != 0) 1694 return (ret); 1695 1696 if (op_rddobj != tp_rddobj) 1697 return (SET_ERROR(EACCES)); 1698 1699 return (0); 1700 } 1701 1702 void 1703 dsl_dataset_promote_crypt_sync(dsl_dir_t *target, dsl_dir_t *origin, 1704 dmu_tx_t *tx) 1705 { 1706 uint64_t rddobj; 1707 dsl_pool_t *dp = target->dd_pool; 1708 dsl_dataset_t *targetds; 1709 dsl_dataset_t *originds; 1710 char *keylocation; 1711 1712 if (origin->dd_crypto_obj == 0) 1713 return; 1714 if (dsl_dir_is_clone(origin)) 1715 return; 1716 1717 VERIFY0(dsl_dir_get_encryption_root_ddobj(origin, &rddobj)); 1718 1719 if (rddobj != origin->dd_object) 1720 return; 1721 1722 /* 1723 * If the target is being promoted to the encryption root update the 1724 * DSL Crypto Key and keylocation to reflect that. We also need to 1725 * update the DSL Crypto Keys of all children inheriting their 1726 * encryption root to point to the new target. Otherwise, the check 1727 * function ensured that the encryption root will not change. 1728 */ 1729 keylocation = kmem_alloc(ZAP_MAXVALUELEN, KM_SLEEP); 1730 1731 VERIFY0(dsl_dataset_hold_obj(dp, 1732 dsl_dir_phys(target)->dd_head_dataset_obj, FTAG, &targetds)); 1733 VERIFY0(dsl_dataset_hold_obj(dp, 1734 dsl_dir_phys(origin)->dd_head_dataset_obj, FTAG, &originds)); 1735 1736 VERIFY0(dsl_prop_get_dd(origin, zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1737 1, ZAP_MAXVALUELEN, keylocation, NULL, B_FALSE)); 1738 dsl_prop_set_sync_impl(targetds, zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1739 ZPROP_SRC_LOCAL, 1, strlen(keylocation) + 1, keylocation, tx); 1740 dsl_prop_set_sync_impl(originds, zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1741 ZPROP_SRC_NONE, 0, 0, NULL, tx); 1742 1743 rw_enter(&dp->dp_spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 1744 spa_keystore_change_key_sync_impl(rddobj, origin->dd_object, 1745 target->dd_object, NULL, B_FALSE, tx); 1746 rw_exit(&dp->dp_spa->spa_keystore.sk_wkeys_lock); 1747 1748 dsl_dataset_rele(targetds, FTAG); 1749 dsl_dataset_rele(originds, FTAG); 1750 kmem_free(keylocation, ZAP_MAXVALUELEN); 1751 } 1752 1753 int 1754 dmu_objset_create_crypt_check(dsl_dir_t *parentdd, dsl_crypto_params_t *dcp, 1755 boolean_t *will_encrypt) 1756 { 1757 int ret; 1758 uint64_t pcrypt, crypt; 1759 dsl_crypto_params_t dummy_dcp = { 0 }; 1760 1761 if (will_encrypt != NULL) 1762 *will_encrypt = B_FALSE; 1763 1764 if (dcp == NULL) 1765 dcp = &dummy_dcp; 1766 1767 if (dcp->cp_cmd != DCP_CMD_NONE) 1768 return (SET_ERROR(EINVAL)); 1769 1770 if (parentdd != NULL) { 1771 ret = dsl_dir_get_crypt(parentdd, &pcrypt); 1772 if (ret != 0) 1773 return (ret); 1774 } else { 1775 pcrypt = ZIO_CRYPT_OFF; 1776 } 1777 1778 crypt = (dcp->cp_crypt == ZIO_CRYPT_INHERIT) ? pcrypt : dcp->cp_crypt; 1779 1780 ASSERT3U(pcrypt, !=, ZIO_CRYPT_INHERIT); 1781 ASSERT3U(crypt, !=, ZIO_CRYPT_INHERIT); 1782 1783 /* check for valid dcp with no encryption (inherited or local) */ 1784 if (crypt == ZIO_CRYPT_OFF) { 1785 /* Must not specify encryption params */ 1786 if (dcp->cp_wkey != NULL || 1787 (dcp->cp_keylocation != NULL && 1788 strcmp(dcp->cp_keylocation, "none") != 0)) 1789 return (SET_ERROR(EINVAL)); 1790 1791 return (0); 1792 } 1793 1794 if (will_encrypt != NULL) 1795 *will_encrypt = B_TRUE; 1796 1797 /* 1798 * We will now definitely be encrypting. Check the feature flag. When 1799 * creating the pool the caller will check this for us since we won't 1800 * technically have the feature activated yet. 1801 */ 1802 if (parentdd != NULL && 1803 !spa_feature_is_enabled(parentdd->dd_pool->dp_spa, 1804 SPA_FEATURE_ENCRYPTION)) { 1805 return (SET_ERROR(EOPNOTSUPP)); 1806 } 1807 1808 /* check for errata #4 (encryption enabled, bookmark_v2 disabled) */ 1809 if (parentdd != NULL && 1810 !spa_feature_is_enabled(parentdd->dd_pool->dp_spa, 1811 SPA_FEATURE_BOOKMARK_V2)) { 1812 return (SET_ERROR(EOPNOTSUPP)); 1813 } 1814 1815 /* handle inheritance */ 1816 if (dcp->cp_wkey == NULL) { 1817 ASSERT3P(parentdd, !=, NULL); 1818 1819 /* key must be fully unspecified */ 1820 if (dcp->cp_keylocation != NULL) 1821 return (SET_ERROR(EINVAL)); 1822 1823 /* parent must have a key to inherit */ 1824 if (pcrypt == ZIO_CRYPT_OFF) 1825 return (SET_ERROR(EINVAL)); 1826 1827 /* check for parent key */ 1828 ret = dmu_objset_check_wkey_loaded(parentdd); 1829 if (ret != 0) 1830 return (ret); 1831 1832 return (0); 1833 } 1834 1835 /* At this point we should have a fully specified key. Check location */ 1836 if (dcp->cp_keylocation == NULL || 1837 !zfs_prop_valid_keylocation(dcp->cp_keylocation, B_TRUE)) 1838 return (SET_ERROR(EINVAL)); 1839 1840 /* Must have fully specified keyformat */ 1841 switch (dcp->cp_wkey->wk_keyformat) { 1842 case ZFS_KEYFORMAT_HEX: 1843 case ZFS_KEYFORMAT_RAW: 1844 /* requires no pbkdf2 iters and salt */ 1845 if (dcp->cp_wkey->wk_salt != 0 || 1846 dcp->cp_wkey->wk_iters != 0) 1847 return (SET_ERROR(EINVAL)); 1848 break; 1849 case ZFS_KEYFORMAT_PASSPHRASE: 1850 /* requires pbkdf2 iters and salt */ 1851 if (dcp->cp_wkey->wk_salt == 0 || 1852 dcp->cp_wkey->wk_iters < MIN_PBKDF2_ITERATIONS) 1853 return (SET_ERROR(EINVAL)); 1854 break; 1855 case ZFS_KEYFORMAT_NONE: 1856 default: 1857 /* keyformat must be specified and valid */ 1858 return (SET_ERROR(EINVAL)); 1859 } 1860 1861 return (0); 1862 } 1863 1864 void 1865 dsl_dataset_create_crypt_sync(uint64_t dsobj, dsl_dir_t *dd, 1866 dsl_dataset_t *origin, dsl_crypto_params_t *dcp, dmu_tx_t *tx) 1867 { 1868 dsl_pool_t *dp = dd->dd_pool; 1869 uint64_t crypt; 1870 dsl_wrapping_key_t *wkey; 1871 1872 /* clones always use their origin's wrapping key */ 1873 if (dsl_dir_is_clone(dd)) { 1874 ASSERT3P(dcp, ==, NULL); 1875 1876 /* 1877 * If this is an encrypted clone we just need to clone the 1878 * dck into dd. Zapify the dd so we can do that. 1879 */ 1880 if (origin->ds_dir->dd_crypto_obj != 0) { 1881 dmu_buf_will_dirty(dd->dd_dbuf, tx); 1882 dsl_dir_zapify(dd, tx); 1883 1884 dd->dd_crypto_obj = 1885 dsl_crypto_key_clone_sync(origin->ds_dir, tx); 1886 VERIFY0(zap_add(dp->dp_meta_objset, dd->dd_object, 1887 DD_FIELD_CRYPTO_KEY_OBJ, sizeof (uint64_t), 1, 1888 &dd->dd_crypto_obj, tx)); 1889 } 1890 1891 return; 1892 } 1893 1894 /* 1895 * A NULL dcp at this point indicates this is the origin dataset 1896 * which does not have an objset to encrypt. Raw receives will handle 1897 * encryption separately later. In both cases we can simply return. 1898 */ 1899 if (dcp == NULL || dcp->cp_cmd == DCP_CMD_RAW_RECV) 1900 return; 1901 1902 crypt = dcp->cp_crypt; 1903 wkey = dcp->cp_wkey; 1904 1905 /* figure out the effective crypt */ 1906 if (crypt == ZIO_CRYPT_INHERIT && dd->dd_parent != NULL) 1907 VERIFY0(dsl_dir_get_crypt(dd->dd_parent, &crypt)); 1908 1909 /* if we aren't doing encryption just return */ 1910 if (crypt == ZIO_CRYPT_OFF || crypt == ZIO_CRYPT_INHERIT) 1911 return; 1912 1913 /* zapify the dd so that we can add the crypto key obj to it */ 1914 dmu_buf_will_dirty(dd->dd_dbuf, tx); 1915 dsl_dir_zapify(dd, tx); 1916 1917 /* use the new key if given or inherit from the parent */ 1918 if (wkey == NULL) { 1919 VERIFY0(spa_keystore_wkey_hold_dd(dp->dp_spa, 1920 dd->dd_parent, FTAG, &wkey)); 1921 } else { 1922 wkey->wk_ddobj = dd->dd_object; 1923 } 1924 1925 ASSERT3P(wkey, !=, NULL); 1926 1927 /* Create or clone the DSL crypto key and activate the feature */ 1928 dd->dd_crypto_obj = dsl_crypto_key_create_sync(crypt, wkey, tx); 1929 VERIFY0(zap_add(dp->dp_meta_objset, dd->dd_object, 1930 DD_FIELD_CRYPTO_KEY_OBJ, sizeof (uint64_t), 1, &dd->dd_crypto_obj, 1931 tx)); 1932 dsl_dataset_activate_feature(dsobj, SPA_FEATURE_ENCRYPTION, 1933 (void *)(uintptr_t)B_TRUE, tx); 1934 1935 /* 1936 * If we inherited the wrapping key we release our reference now. 1937 * Otherwise, this is a new key and we need to load it into the 1938 * keystore. 1939 */ 1940 if (dcp->cp_wkey == NULL) { 1941 dsl_wrapping_key_rele(wkey, FTAG); 1942 } else { 1943 VERIFY0(spa_keystore_load_wkey_impl(dp->dp_spa, wkey)); 1944 } 1945 } 1946 1947 typedef struct dsl_crypto_recv_key_arg { 1948 uint64_t dcrka_dsobj; 1949 uint64_t dcrka_fromobj; 1950 dmu_objset_type_t dcrka_ostype; 1951 nvlist_t *dcrka_nvl; 1952 boolean_t dcrka_do_key; 1953 } dsl_crypto_recv_key_arg_t; 1954 1955 static int 1956 dsl_crypto_recv_raw_objset_check(dsl_dataset_t *ds, dsl_dataset_t *fromds, 1957 dmu_objset_type_t ostype, nvlist_t *nvl, dmu_tx_t *tx) 1958 { 1959 int ret; 1960 objset_t *os; 1961 dnode_t *mdn; 1962 uint8_t *buf = NULL; 1963 uint_t len; 1964 uint64_t intval, nlevels, blksz, ibs; 1965 uint64_t nblkptr, maxblkid; 1966 1967 if (ostype != DMU_OST_ZFS && ostype != DMU_OST_ZVOL) 1968 return (SET_ERROR(EINVAL)); 1969 1970 /* raw receives also need info about the structure of the metadnode */ 1971 ret = nvlist_lookup_uint64(nvl, "mdn_compress", &intval); 1972 if (ret != 0 || intval >= ZIO_COMPRESS_LEGACY_FUNCTIONS) 1973 return (SET_ERROR(EINVAL)); 1974 1975 ret = nvlist_lookup_uint64(nvl, "mdn_checksum", &intval); 1976 if (ret != 0 || intval >= ZIO_CHECKSUM_LEGACY_FUNCTIONS) 1977 return (SET_ERROR(EINVAL)); 1978 1979 ret = nvlist_lookup_uint64(nvl, "mdn_nlevels", &nlevels); 1980 if (ret != 0 || nlevels > DN_MAX_LEVELS) 1981 return (SET_ERROR(EINVAL)); 1982 1983 ret = nvlist_lookup_uint64(nvl, "mdn_blksz", &blksz); 1984 if (ret != 0 || blksz < SPA_MINBLOCKSIZE) 1985 return (SET_ERROR(EINVAL)); 1986 else if (blksz > spa_maxblocksize(tx->tx_pool->dp_spa)) 1987 return (SET_ERROR(ENOTSUP)); 1988 1989 ret = nvlist_lookup_uint64(nvl, "mdn_indblkshift", &ibs); 1990 if (ret != 0 || ibs < DN_MIN_INDBLKSHIFT || ibs > DN_MAX_INDBLKSHIFT) 1991 return (SET_ERROR(ENOTSUP)); 1992 1993 ret = nvlist_lookup_uint64(nvl, "mdn_nblkptr", &nblkptr); 1994 if (ret != 0 || nblkptr != DN_MAX_NBLKPTR) 1995 return (SET_ERROR(ENOTSUP)); 1996 1997 ret = nvlist_lookup_uint64(nvl, "mdn_maxblkid", &maxblkid); 1998 if (ret != 0) 1999 return (SET_ERROR(EINVAL)); 2000 2001 ret = nvlist_lookup_uint8_array(nvl, "portable_mac", &buf, &len); 2002 if (ret != 0 || len != ZIO_OBJSET_MAC_LEN) 2003 return (SET_ERROR(EINVAL)); 2004 2005 ret = dmu_objset_from_ds(ds, &os); 2006 if (ret != 0) 2007 return (ret); 2008 2009 /* 2010 * Useraccounting is not portable and must be done with the keys loaded. 2011 * Therefore, whenever we do any kind of receive the useraccounting 2012 * must not be present. 2013 */ 2014 ASSERT0(os->os_flags & OBJSET_FLAG_USERACCOUNTING_COMPLETE); 2015 2016 mdn = DMU_META_DNODE(os); 2017 2018 /* 2019 * If we already created the objset, make sure its unchangeable 2020 * properties match the ones received in the nvlist. 2021 */ 2022 rrw_enter(&ds->ds_bp_rwlock, RW_READER, FTAG); 2023 if (!BP_IS_HOLE(dsl_dataset_get_blkptr(ds)) && 2024 (mdn->dn_nlevels != nlevels || mdn->dn_datablksz != blksz || 2025 mdn->dn_indblkshift != ibs || mdn->dn_nblkptr != nblkptr)) { 2026 rrw_exit(&ds->ds_bp_rwlock, FTAG); 2027 return (SET_ERROR(EINVAL)); 2028 } 2029 rrw_exit(&ds->ds_bp_rwlock, FTAG); 2030 2031 /* 2032 * Check that the ivset guid of the fromds matches the one from the 2033 * send stream. Older versions of the encryption code did not have 2034 * an ivset guid on the from dataset and did not send one in the 2035 * stream. For these streams we provide the 2036 * zfs_disable_ivset_guid_check tunable to allow these datasets to 2037 * be received with a generated ivset guid. 2038 */ 2039 if (fromds != NULL && !zfs_disable_ivset_guid_check) { 2040 uint64_t from_ivset_guid = 0; 2041 intval = 0; 2042 2043 (void) nvlist_lookup_uint64(nvl, "from_ivset_guid", &intval); 2044 (void) zap_lookup(tx->tx_pool->dp_meta_objset, 2045 fromds->ds_object, DS_FIELD_IVSET_GUID, 2046 sizeof (from_ivset_guid), 1, &from_ivset_guid); 2047 2048 if (intval == 0 || from_ivset_guid == 0) 2049 return (SET_ERROR(ZFS_ERR_FROM_IVSET_GUID_MISSING)); 2050 2051 if (intval != from_ivset_guid) 2052 return (SET_ERROR(ZFS_ERR_FROM_IVSET_GUID_MISMATCH)); 2053 } 2054 2055 /* 2056 * Check that the ivset guid of the fromds matches the one from the 2057 * send stream. Older versions of the encryption code did not have 2058 * an ivset guid on the from dataset and did not send one in the 2059 * stream. For these streams we provide the 2060 * zfs_disable_ivset_guid_check tunable to allow these datasets to 2061 * be received with a generated ivset guid. 2062 */ 2063 if (fromds != NULL && !zfs_disable_ivset_guid_check) { 2064 uint64_t from_ivset_guid = 0; 2065 intval = 0; 2066 2067 (void) nvlist_lookup_uint64(nvl, "from_ivset_guid", &intval); 2068 (void) zap_lookup(tx->tx_pool->dp_meta_objset, 2069 fromds->ds_object, DS_FIELD_IVSET_GUID, 2070 sizeof (from_ivset_guid), 1, &from_ivset_guid); 2071 2072 if (intval == 0 || from_ivset_guid == 0) 2073 return (SET_ERROR(ZFS_ERR_FROM_IVSET_GUID_MISSING)); 2074 2075 if (intval != from_ivset_guid) 2076 return (SET_ERROR(ZFS_ERR_FROM_IVSET_GUID_MISMATCH)); 2077 } 2078 2079 return (0); 2080 } 2081 2082 static void 2083 dsl_crypto_recv_raw_objset_sync(dsl_dataset_t *ds, dmu_objset_type_t ostype, 2084 nvlist_t *nvl, dmu_tx_t *tx) 2085 { 2086 dsl_pool_t *dp = tx->tx_pool; 2087 objset_t *os; 2088 dnode_t *mdn; 2089 zio_t *zio; 2090 uint8_t *portable_mac; 2091 uint_t len; 2092 uint64_t compress, checksum, nlevels, blksz, ibs, maxblkid; 2093 boolean_t newds = B_FALSE; 2094 2095 VERIFY0(dmu_objset_from_ds(ds, &os)); 2096 mdn = DMU_META_DNODE(os); 2097 2098 /* 2099 * Fetch the values we need from the nvlist. "to_ivset_guid" must 2100 * be set on the snapshot, which doesn't exist yet. The receive 2101 * code will take care of this for us later. 2102 */ 2103 compress = fnvlist_lookup_uint64(nvl, "mdn_compress"); 2104 checksum = fnvlist_lookup_uint64(nvl, "mdn_checksum"); 2105 nlevels = fnvlist_lookup_uint64(nvl, "mdn_nlevels"); 2106 blksz = fnvlist_lookup_uint64(nvl, "mdn_blksz"); 2107 ibs = fnvlist_lookup_uint64(nvl, "mdn_indblkshift"); 2108 maxblkid = fnvlist_lookup_uint64(nvl, "mdn_maxblkid"); 2109 VERIFY0(nvlist_lookup_uint8_array(nvl, "portable_mac", &portable_mac, 2110 &len)); 2111 2112 /* if we haven't created an objset for the ds yet, do that now */ 2113 rrw_enter(&ds->ds_bp_rwlock, RW_READER, FTAG); 2114 if (BP_IS_HOLE(dsl_dataset_get_blkptr(ds))) { 2115 (void) dmu_objset_create_impl_dnstats(dp->dp_spa, ds, 2116 dsl_dataset_get_blkptr(ds), ostype, nlevels, blksz, 2117 ibs, tx); 2118 newds = B_TRUE; 2119 } 2120 rrw_exit(&ds->ds_bp_rwlock, FTAG); 2121 2122 /* 2123 * Set the portable MAC. The local MAC will always be zero since the 2124 * incoming data will all be portable and user accounting will be 2125 * deferred until the next mount. Afterwards, flag the os to be 2126 * written out raw next time. 2127 */ 2128 arc_release(os->os_phys_buf, &os->os_phys_buf); 2129 bcopy(portable_mac, os->os_phys->os_portable_mac, ZIO_OBJSET_MAC_LEN); 2130 bzero(os->os_phys->os_local_mac, ZIO_OBJSET_MAC_LEN); 2131 os->os_next_write_raw[tx->tx_txg & TXG_MASK] = B_TRUE; 2132 2133 /* set metadnode compression and checksum */ 2134 mdn->dn_compress = compress; 2135 mdn->dn_checksum = checksum; 2136 2137 rw_enter(&mdn->dn_struct_rwlock, RW_WRITER); 2138 dnode_new_blkid(mdn, maxblkid, tx, B_FALSE, B_TRUE); 2139 rw_exit(&mdn->dn_struct_rwlock); 2140 2141 /* 2142 * We can't normally dirty the dataset in syncing context unless 2143 * we are creating a new dataset. In this case, we perform a 2144 * pseudo txg sync here instead. 2145 */ 2146 if (newds) { 2147 dsl_dataset_dirty(ds, tx); 2148 } else { 2149 zio = zio_root(dp->dp_spa, NULL, NULL, ZIO_FLAG_MUSTSUCCEED); 2150 dsl_dataset_sync(ds, zio, tx); 2151 VERIFY0(zio_wait(zio)); 2152 2153 /* dsl_dataset_sync_done will drop this reference. */ 2154 dmu_buf_add_ref(ds->ds_dbuf, ds); 2155 dsl_dataset_sync_done(ds, tx); 2156 } 2157 } 2158 2159 int 2160 dsl_crypto_recv_raw_key_check(dsl_dataset_t *ds, nvlist_t *nvl, dmu_tx_t *tx) 2161 { 2162 int ret; 2163 objset_t *mos = tx->tx_pool->dp_meta_objset; 2164 uint8_t *buf = NULL; 2165 uint_t len; 2166 uint64_t intval, key_guid, version; 2167 boolean_t is_passphrase = B_FALSE; 2168 2169 ASSERT(dsl_dataset_phys(ds)->ds_flags & DS_FLAG_INCONSISTENT); 2170 2171 /* 2172 * Read and check all the encryption values from the nvlist. We need 2173 * all of the fields of a DSL Crypto Key, as well as a fully specified 2174 * wrapping key. 2175 */ 2176 ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE, &intval); 2177 if (ret != 0 || intval >= ZIO_CRYPT_FUNCTIONS || 2178 intval <= ZIO_CRYPT_OFF) 2179 return (SET_ERROR(EINVAL)); 2180 2181 ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_GUID, &intval); 2182 if (ret != 0) 2183 return (SET_ERROR(EINVAL)); 2184 2185 /* 2186 * If this is an incremental receive make sure the given key guid 2187 * matches the one we already have. 2188 */ 2189 if (ds->ds_dir->dd_crypto_obj != 0) { 2190 ret = zap_lookup(mos, ds->ds_dir->dd_crypto_obj, 2191 DSL_CRYPTO_KEY_GUID, 8, 1, &key_guid); 2192 if (ret != 0) 2193 return (ret); 2194 if (intval != key_guid) 2195 return (SET_ERROR(EACCES)); 2196 } 2197 2198 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY, 2199 &buf, &len); 2200 if (ret != 0 || len != MASTER_KEY_MAX_LEN) 2201 return (SET_ERROR(EINVAL)); 2202 2203 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY, 2204 &buf, &len); 2205 if (ret != 0 || len != SHA512_HMAC_KEYLEN) 2206 return (SET_ERROR(EINVAL)); 2207 2208 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_IV, &buf, &len); 2209 if (ret != 0 || len != WRAPPING_IV_LEN) 2210 return (SET_ERROR(EINVAL)); 2211 2212 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, &buf, &len); 2213 if (ret != 0 || len != WRAPPING_MAC_LEN) 2214 return (SET_ERROR(EINVAL)); 2215 2216 /* 2217 * We don't support receiving old on-disk formats. The version 0 2218 * implementation protected several fields in an objset that were 2219 * not always portable during a raw receive. As a result, we call 2220 * the old version an on-disk errata #3. 2221 */ 2222 ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_VERSION, &version); 2223 if (ret != 0 || version != ZIO_CRYPT_KEY_CURRENT_VERSION) 2224 return (SET_ERROR(ENOTSUP)); 2225 2226 ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 2227 &intval); 2228 if (ret != 0 || intval >= ZFS_KEYFORMAT_FORMATS || 2229 intval == ZFS_KEYFORMAT_NONE) 2230 return (SET_ERROR(EINVAL)); 2231 2232 is_passphrase = (intval == ZFS_KEYFORMAT_PASSPHRASE); 2233 2234 /* 2235 * for raw receives we allow any number of pbkdf2iters since there 2236 * won't be a chance for the user to change it. 2237 */ 2238 ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 2239 &intval); 2240 if (ret != 0 || (is_passphrase == (intval == 0))) 2241 return (SET_ERROR(EINVAL)); 2242 2243 ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 2244 &intval); 2245 if (ret != 0 || (is_passphrase == (intval == 0))) 2246 return (SET_ERROR(EINVAL)); 2247 2248 return (0); 2249 } 2250 2251 void 2252 dsl_crypto_recv_raw_key_sync(dsl_dataset_t *ds, nvlist_t *nvl, dmu_tx_t *tx) 2253 { 2254 dsl_pool_t *dp = tx->tx_pool; 2255 objset_t *mos = dp->dp_meta_objset; 2256 dsl_dir_t *dd = ds->ds_dir; 2257 uint_t len; 2258 uint64_t rddobj, one = 1; 2259 uint8_t *keydata, *hmac_keydata, *iv, *mac; 2260 uint64_t crypt, key_guid, keyformat, iters, salt; 2261 uint64_t version = ZIO_CRYPT_KEY_CURRENT_VERSION; 2262 char *keylocation = "prompt"; 2263 2264 /* lookup the values we need to create the DSL Crypto Key */ 2265 crypt = fnvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE); 2266 key_guid = fnvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_GUID); 2267 keyformat = fnvlist_lookup_uint64(nvl, 2268 zfs_prop_to_name(ZFS_PROP_KEYFORMAT)); 2269 iters = fnvlist_lookup_uint64(nvl, 2270 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS)); 2271 salt = fnvlist_lookup_uint64(nvl, 2272 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT)); 2273 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY, 2274 &keydata, &len)); 2275 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY, 2276 &hmac_keydata, &len)); 2277 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_IV, &iv, &len)); 2278 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, &mac, &len)); 2279 2280 /* if this is a new dataset setup the DSL Crypto Key. */ 2281 if (dd->dd_crypto_obj == 0) { 2282 /* zapify the dsl dir so we can add the key object to it */ 2283 dmu_buf_will_dirty(dd->dd_dbuf, tx); 2284 dsl_dir_zapify(dd, tx); 2285 2286 /* create the DSL Crypto Key on disk and activate the feature */ 2287 dd->dd_crypto_obj = zap_create(mos, 2288 DMU_OTN_ZAP_METADATA, DMU_OT_NONE, 0, tx); 2289 VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, 2290 dd->dd_crypto_obj, DSL_CRYPTO_KEY_REFCOUNT, 2291 sizeof (uint64_t), 1, &one, tx)); 2292 VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, 2293 dd->dd_crypto_obj, DSL_CRYPTO_KEY_VERSION, 2294 sizeof (uint64_t), 1, &version, tx)); 2295 2296 dsl_dataset_activate_feature(ds->ds_object, 2297 SPA_FEATURE_ENCRYPTION, (void *)(uintptr_t)B_TRUE, tx); 2298 ds->ds_feature[SPA_FEATURE_ENCRYPTION] = 2299 (void *)(uintptr_t)B_TRUE; 2300 2301 /* save the dd_crypto_obj on disk */ 2302 VERIFY0(zap_add(mos, dd->dd_object, DD_FIELD_CRYPTO_KEY_OBJ, 2303 sizeof (uint64_t), 1, &dd->dd_crypto_obj, tx)); 2304 2305 /* 2306 * Set the keylocation to prompt by default. If keylocation 2307 * has been provided via the properties, this will be overridden 2308 * later. 2309 */ 2310 dsl_prop_set_sync_impl(ds, 2311 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 2312 ZPROP_SRC_LOCAL, 1, strlen(keylocation) + 1, 2313 keylocation, tx); 2314 2315 rddobj = dd->dd_object; 2316 } else { 2317 VERIFY0(dsl_dir_get_encryption_root_ddobj(dd, &rddobj)); 2318 } 2319 2320 /* sync the key data to the ZAP object on disk */ 2321 dsl_crypto_key_sync_impl(mos, dd->dd_crypto_obj, crypt, 2322 rddobj, key_guid, iv, mac, keydata, hmac_keydata, keyformat, salt, 2323 iters, tx); 2324 } 2325 2326 int 2327 dsl_crypto_recv_key_check(void *arg, dmu_tx_t *tx) 2328 { 2329 int ret; 2330 dsl_crypto_recv_key_arg_t *dcrka = arg; 2331 dsl_dataset_t *ds = NULL, *fromds = NULL; 2332 2333 ret = dsl_dataset_hold_obj(tx->tx_pool, dcrka->dcrka_dsobj, 2334 FTAG, &ds); 2335 if (ret != 0) 2336 goto out; 2337 2338 if (dcrka->dcrka_fromobj != 0) { 2339 ret = dsl_dataset_hold_obj(tx->tx_pool, dcrka->dcrka_fromobj, 2340 FTAG, &fromds); 2341 if (ret != 0) 2342 goto out; 2343 } 2344 2345 ret = dsl_crypto_recv_raw_objset_check(ds, fromds, 2346 dcrka->dcrka_ostype, dcrka->dcrka_nvl, tx); 2347 if (ret != 0) 2348 goto out; 2349 2350 /* 2351 * We run this check even if we won't be doing this part of 2352 * the receive now so that we don't make the user wait until 2353 * the receive finishes to fail. 2354 */ 2355 ret = dsl_crypto_recv_raw_key_check(ds, dcrka->dcrka_nvl, tx); 2356 if (ret != 0) 2357 goto out; 2358 2359 out: 2360 if (ds != NULL) 2361 dsl_dataset_rele(ds, FTAG); 2362 if (fromds != NULL) 2363 dsl_dataset_rele(fromds, FTAG); 2364 return (ret); 2365 } 2366 2367 void 2368 dsl_crypto_recv_key_sync(void *arg, dmu_tx_t *tx) 2369 { 2370 dsl_crypto_recv_key_arg_t *dcrka = arg; 2371 dsl_dataset_t *ds; 2372 2373 VERIFY0(dsl_dataset_hold_obj(tx->tx_pool, dcrka->dcrka_dsobj, 2374 FTAG, &ds)); 2375 dsl_crypto_recv_raw_objset_sync(ds, dcrka->dcrka_ostype, 2376 dcrka->dcrka_nvl, tx); 2377 if (dcrka->dcrka_do_key) 2378 dsl_crypto_recv_raw_key_sync(ds, dcrka->dcrka_nvl, tx); 2379 dsl_dataset_rele(ds, FTAG); 2380 } 2381 2382 /* 2383 * This function is used to sync an nvlist representing a DSL Crypto Key and 2384 * the associated encryption parameters. The key will be written exactly as is 2385 * without wrapping it. 2386 */ 2387 int 2388 dsl_crypto_recv_raw(const char *poolname, uint64_t dsobj, uint64_t fromobj, 2389 dmu_objset_type_t ostype, nvlist_t *nvl, boolean_t do_key) 2390 { 2391 dsl_crypto_recv_key_arg_t dcrka; 2392 2393 dcrka.dcrka_dsobj = dsobj; 2394 dcrka.dcrka_fromobj = fromobj; 2395 dcrka.dcrka_ostype = ostype; 2396 dcrka.dcrka_nvl = nvl; 2397 dcrka.dcrka_do_key = do_key; 2398 2399 return (dsl_sync_task(poolname, dsl_crypto_recv_key_check, 2400 dsl_crypto_recv_key_sync, &dcrka, 1, ZFS_SPACE_CHECK_NORMAL)); 2401 } 2402 2403 int 2404 dsl_crypto_populate_key_nvlist(dsl_dataset_t *ds, uint64_t from_ivset_guid, 2405 nvlist_t **nvl_out) 2406 { 2407 int ret; 2408 objset_t *os; 2409 dnode_t *mdn; 2410 uint64_t rddobj; 2411 nvlist_t *nvl = NULL; 2412 uint64_t dckobj = ds->ds_dir->dd_crypto_obj; 2413 dsl_dir_t *rdd = NULL; 2414 dsl_pool_t *dp = ds->ds_dir->dd_pool; 2415 objset_t *mos = dp->dp_meta_objset; 2416 uint64_t crypt = 0, key_guid = 0, format = 0; 2417 uint64_t iters = 0, salt = 0, version = 0; 2418 uint64_t to_ivset_guid = 0; 2419 uint8_t raw_keydata[MASTER_KEY_MAX_LEN]; 2420 uint8_t raw_hmac_keydata[SHA512_HMAC_KEYLEN]; 2421 uint8_t iv[WRAPPING_IV_LEN]; 2422 uint8_t mac[WRAPPING_MAC_LEN]; 2423 2424 ASSERT(dckobj != 0); 2425 2426 VERIFY0(dmu_objset_from_ds(ds, &os)); 2427 mdn = DMU_META_DNODE(os); 2428 2429 ret = nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP); 2430 if (ret != 0) 2431 goto error; 2432 2433 /* lookup values from the DSL Crypto Key */ 2434 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, 2435 &crypt); 2436 if (ret != 0) 2437 goto error; 2438 2439 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_GUID, 8, 1, &key_guid); 2440 if (ret != 0) 2441 goto error; 2442 2443 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MASTER_KEY, 1, 2444 MASTER_KEY_MAX_LEN, raw_keydata); 2445 if (ret != 0) 2446 goto error; 2447 2448 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_HMAC_KEY, 1, 2449 SHA512_HMAC_KEYLEN, raw_hmac_keydata); 2450 if (ret != 0) 2451 goto error; 2452 2453 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_IV, 1, WRAPPING_IV_LEN, 2454 iv); 2455 if (ret != 0) 2456 goto error; 2457 2458 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MAC, 1, WRAPPING_MAC_LEN, 2459 mac); 2460 if (ret != 0) 2461 goto error; 2462 2463 /* see zfs_disable_ivset_guid_check tunable for errata info */ 2464 ret = zap_lookup(mos, ds->ds_object, DS_FIELD_IVSET_GUID, 8, 1, 2465 &to_ivset_guid); 2466 if (ret != 0) 2467 ASSERT3U(dp->dp_spa->spa_errata, !=, 0); 2468 2469 /* 2470 * We don't support raw sends of legacy on-disk formats. See the 2471 * comment in dsl_crypto_recv_key_check() for details. 2472 */ 2473 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_VERSION, 8, 1, &version); 2474 if (ret != 0 || version != ZIO_CRYPT_KEY_CURRENT_VERSION) { 2475 dp->dp_spa->spa_errata = ZPOOL_ERRATA_ZOL_6845_ENCRYPTION; 2476 ret = SET_ERROR(ENOTSUP); 2477 goto error; 2478 } 2479 2480 /* 2481 * Lookup wrapping key properties. An early version of the code did 2482 * not correctly add these values to the wrapping key or the DSL 2483 * Crypto Key on disk for non encryption roots, so to be safe we 2484 * always take the slightly circuitous route of looking it up from 2485 * the encryption root's key. 2486 */ 2487 ret = dsl_dir_get_encryption_root_ddobj(ds->ds_dir, &rddobj); 2488 if (ret != 0) 2489 goto error; 2490 2491 dsl_pool_config_enter(dp, FTAG); 2492 2493 ret = dsl_dir_hold_obj(dp, rddobj, NULL, FTAG, &rdd); 2494 if (ret != 0) 2495 goto error_unlock; 2496 2497 ret = zap_lookup(dp->dp_meta_objset, rdd->dd_crypto_obj, 2498 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 8, 1, &format); 2499 if (ret != 0) 2500 goto error_unlock; 2501 2502 if (format == ZFS_KEYFORMAT_PASSPHRASE) { 2503 ret = zap_lookup(dp->dp_meta_objset, rdd->dd_crypto_obj, 2504 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 8, 1, &iters); 2505 if (ret != 0) 2506 goto error_unlock; 2507 2508 ret = zap_lookup(dp->dp_meta_objset, rdd->dd_crypto_obj, 2509 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 8, 1, &salt); 2510 if (ret != 0) 2511 goto error_unlock; 2512 } 2513 2514 dsl_dir_rele(rdd, FTAG); 2515 dsl_pool_config_exit(dp, FTAG); 2516 2517 fnvlist_add_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE, crypt); 2518 fnvlist_add_uint64(nvl, DSL_CRYPTO_KEY_GUID, key_guid); 2519 fnvlist_add_uint64(nvl, DSL_CRYPTO_KEY_VERSION, version); 2520 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY, 2521 raw_keydata, MASTER_KEY_MAX_LEN)); 2522 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY, 2523 raw_hmac_keydata, SHA512_HMAC_KEYLEN)); 2524 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_IV, iv, 2525 WRAPPING_IV_LEN)); 2526 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, mac, 2527 WRAPPING_MAC_LEN)); 2528 VERIFY0(nvlist_add_uint8_array(nvl, "portable_mac", 2529 os->os_phys->os_portable_mac, ZIO_OBJSET_MAC_LEN)); 2530 fnvlist_add_uint64(nvl, zfs_prop_to_name(ZFS_PROP_KEYFORMAT), format); 2531 fnvlist_add_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), iters); 2532 fnvlist_add_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), salt); 2533 fnvlist_add_uint64(nvl, "mdn_checksum", mdn->dn_checksum); 2534 fnvlist_add_uint64(nvl, "mdn_compress", mdn->dn_compress); 2535 fnvlist_add_uint64(nvl, "mdn_nlevels", mdn->dn_nlevels); 2536 fnvlist_add_uint64(nvl, "mdn_blksz", mdn->dn_datablksz); 2537 fnvlist_add_uint64(nvl, "mdn_indblkshift", mdn->dn_indblkshift); 2538 fnvlist_add_uint64(nvl, "mdn_nblkptr", mdn->dn_nblkptr); 2539 fnvlist_add_uint64(nvl, "mdn_maxblkid", mdn->dn_maxblkid); 2540 fnvlist_add_uint64(nvl, "to_ivset_guid", to_ivset_guid); 2541 fnvlist_add_uint64(nvl, "from_ivset_guid", from_ivset_guid); 2542 2543 *nvl_out = nvl; 2544 return (0); 2545 2546 error_unlock: 2547 dsl_pool_config_exit(dp, FTAG); 2548 error: 2549 if (rdd != NULL) 2550 dsl_dir_rele(rdd, FTAG); 2551 nvlist_free(nvl); 2552 2553 *nvl_out = NULL; 2554 return (ret); 2555 } 2556 2557 uint64_t 2558 dsl_crypto_key_create_sync(uint64_t crypt, dsl_wrapping_key_t *wkey, 2559 dmu_tx_t *tx) 2560 { 2561 dsl_crypto_key_t dck; 2562 uint64_t version = ZIO_CRYPT_KEY_CURRENT_VERSION; 2563 uint64_t one = 1ULL; 2564 2565 ASSERT(dmu_tx_is_syncing(tx)); 2566 ASSERT3U(crypt, <, ZIO_CRYPT_FUNCTIONS); 2567 ASSERT3U(crypt, >, ZIO_CRYPT_OFF); 2568 2569 /* create the DSL Crypto Key ZAP object */ 2570 dck.dck_obj = zap_create(tx->tx_pool->dp_meta_objset, 2571 DMU_OTN_ZAP_METADATA, DMU_OT_NONE, 0, tx); 2572 2573 /* fill in the key (on the stack) and sync it to disk */ 2574 dck.dck_wkey = wkey; 2575 VERIFY0(zio_crypt_key_init(crypt, &dck.dck_key)); 2576 2577 dsl_crypto_key_sync(&dck, tx); 2578 VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, dck.dck_obj, 2579 DSL_CRYPTO_KEY_REFCOUNT, sizeof (uint64_t), 1, &one, tx)); 2580 VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, dck.dck_obj, 2581 DSL_CRYPTO_KEY_VERSION, sizeof (uint64_t), 1, &version, tx)); 2582 2583 zio_crypt_key_destroy(&dck.dck_key); 2584 bzero(&dck.dck_key, sizeof (zio_crypt_key_t)); 2585 2586 return (dck.dck_obj); 2587 } 2588 2589 uint64_t 2590 dsl_crypto_key_clone_sync(dsl_dir_t *origindd, dmu_tx_t *tx) 2591 { 2592 objset_t *mos = tx->tx_pool->dp_meta_objset; 2593 2594 ASSERT(dmu_tx_is_syncing(tx)); 2595 2596 VERIFY0(zap_increment(mos, origindd->dd_crypto_obj, 2597 DSL_CRYPTO_KEY_REFCOUNT, 1, tx)); 2598 2599 return (origindd->dd_crypto_obj); 2600 } 2601 2602 void 2603 dsl_crypto_key_destroy_sync(uint64_t dckobj, dmu_tx_t *tx) 2604 { 2605 objset_t *mos = tx->tx_pool->dp_meta_objset; 2606 uint64_t refcnt; 2607 2608 /* Decrement the refcount, destroy if this is the last reference */ 2609 VERIFY0(zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_REFCOUNT, 2610 sizeof (uint64_t), 1, &refcnt)); 2611 2612 if (refcnt != 1) { 2613 VERIFY0(zap_increment(mos, dckobj, DSL_CRYPTO_KEY_REFCOUNT, 2614 -1, tx)); 2615 } else { 2616 VERIFY0(zap_destroy(mos, dckobj, tx)); 2617 } 2618 } 2619 2620 void 2621 dsl_dataset_crypt_stats(dsl_dataset_t *ds, nvlist_t *nv) 2622 { 2623 uint64_t intval; 2624 dsl_dir_t *dd = ds->ds_dir; 2625 dsl_dir_t *enc_root; 2626 char buf[ZFS_MAX_DATASET_NAME_LEN]; 2627 2628 if (dd->dd_crypto_obj == 0) 2629 return; 2630 2631 intval = dsl_dataset_get_keystatus(dd); 2632 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_KEYSTATUS, intval); 2633 2634 if (dsl_dir_get_crypt(dd, &intval) == 0) 2635 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_ENCRYPTION, intval); 2636 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2637 DSL_CRYPTO_KEY_GUID, 8, 1, &intval) == 0) { 2638 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_KEY_GUID, intval); 2639 } 2640 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2641 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 8, 1, &intval) == 0) { 2642 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_KEYFORMAT, intval); 2643 } 2644 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2645 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 8, 1, &intval) == 0) { 2646 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_PBKDF2_SALT, intval); 2647 } 2648 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2649 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 8, 1, &intval) == 0) { 2650 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_PBKDF2_ITERS, intval); 2651 } 2652 if (zap_lookup(dd->dd_pool->dp_meta_objset, ds->ds_object, 2653 DS_FIELD_IVSET_GUID, 8, 1, &intval) == 0) { 2654 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_IVSET_GUID, intval); 2655 } 2656 2657 if (dsl_dir_get_encryption_root_ddobj(dd, &intval) == 0) { 2658 VERIFY0(dsl_dir_hold_obj(dd->dd_pool, intval, NULL, FTAG, 2659 &enc_root)); 2660 dsl_dir_name(enc_root, buf); 2661 dsl_dir_rele(enc_root, FTAG); 2662 dsl_prop_nvlist_add_string(nv, ZFS_PROP_ENCRYPTION_ROOT, buf); 2663 } 2664 } 2665 2666 int 2667 spa_crypt_get_salt(spa_t *spa, uint64_t dsobj, uint8_t *salt) 2668 { 2669 int ret; 2670 dsl_crypto_key_t *dck = NULL; 2671 2672 /* look up the key from the spa's keystore */ 2673 ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck); 2674 if (ret != 0) 2675 goto error; 2676 2677 ret = zio_crypt_key_get_salt(&dck->dck_key, salt); 2678 if (ret != 0) 2679 goto error; 2680 2681 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2682 return (0); 2683 2684 error: 2685 if (dck != NULL) 2686 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2687 return (ret); 2688 } 2689 2690 /* 2691 * Objset blocks are a special case for MAC generation. These blocks have 2 2692 * 256-bit MACs which are embedded within the block itself, rather than a 2693 * single 128 bit MAC. As a result, this function handles encoding and decoding 2694 * the MACs on its own, unlike other functions in this file. 2695 */ 2696 int 2697 spa_do_crypt_objset_mac_abd(boolean_t generate, spa_t *spa, uint64_t dsobj, 2698 abd_t *abd, uint_t datalen, boolean_t byteswap) 2699 { 2700 int ret; 2701 dsl_crypto_key_t *dck = NULL; 2702 void *buf = abd_borrow_buf_copy(abd, datalen); 2703 objset_phys_t *osp = buf; 2704 uint8_t portable_mac[ZIO_OBJSET_MAC_LEN]; 2705 uint8_t local_mac[ZIO_OBJSET_MAC_LEN]; 2706 2707 /* look up the key from the spa's keystore */ 2708 ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck); 2709 if (ret != 0) 2710 goto error; 2711 2712 /* calculate both HMACs */ 2713 ret = zio_crypt_do_objset_hmacs(&dck->dck_key, buf, datalen, 2714 byteswap, portable_mac, local_mac); 2715 if (ret != 0) 2716 goto error; 2717 2718 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2719 2720 /* if we are generating encode the HMACs in the objset_phys_t */ 2721 if (generate) { 2722 bcopy(portable_mac, osp->os_portable_mac, ZIO_OBJSET_MAC_LEN); 2723 bcopy(local_mac, osp->os_local_mac, ZIO_OBJSET_MAC_LEN); 2724 abd_return_buf_copy(abd, buf, datalen); 2725 return (0); 2726 } 2727 2728 if (bcmp(portable_mac, osp->os_portable_mac, ZIO_OBJSET_MAC_LEN) != 0 || 2729 bcmp(local_mac, osp->os_local_mac, ZIO_OBJSET_MAC_LEN) != 0) { 2730 abd_return_buf(abd, buf, datalen); 2731 return (SET_ERROR(ECKSUM)); 2732 } 2733 2734 abd_return_buf(abd, buf, datalen); 2735 2736 return (0); 2737 2738 error: 2739 if (dck != NULL) 2740 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2741 abd_return_buf(abd, buf, datalen); 2742 return (ret); 2743 } 2744 2745 int 2746 spa_do_crypt_mac_abd(boolean_t generate, spa_t *spa, uint64_t dsobj, abd_t *abd, 2747 uint_t datalen, uint8_t *mac) 2748 { 2749 int ret; 2750 dsl_crypto_key_t *dck = NULL; 2751 uint8_t *buf = abd_borrow_buf_copy(abd, datalen); 2752 uint8_t digestbuf[ZIO_DATA_MAC_LEN]; 2753 2754 /* look up the key from the spa's keystore */ 2755 ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck); 2756 if (ret != 0) 2757 goto error; 2758 2759 /* perform the hmac */ 2760 ret = zio_crypt_do_hmac(&dck->dck_key, buf, datalen, 2761 digestbuf, ZIO_DATA_MAC_LEN); 2762 if (ret != 0) 2763 goto error; 2764 2765 abd_return_buf(abd, buf, datalen); 2766 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2767 2768 /* 2769 * Truncate and fill in mac buffer if we were asked to generate a MAC. 2770 * Otherwise verify that the MAC matched what we expected. 2771 */ 2772 if (generate) { 2773 bcopy(digestbuf, mac, ZIO_DATA_MAC_LEN); 2774 return (0); 2775 } 2776 2777 if (bcmp(digestbuf, mac, ZIO_DATA_MAC_LEN) != 0) 2778 return (SET_ERROR(ECKSUM)); 2779 2780 return (0); 2781 2782 error: 2783 if (dck != NULL) 2784 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2785 abd_return_buf(abd, buf, datalen); 2786 return (ret); 2787 } 2788 2789 /* 2790 * This function serves as a multiplexer for encryption and decryption of 2791 * all blocks (except the L2ARC). For encryption, it will populate the IV, 2792 * salt, MAC, and cabd (the ciphertext). On decryption it will simply use 2793 * these fields to populate pabd (the plaintext). 2794 */ 2795 /* ARGSUSED */ 2796 int 2797 spa_do_crypt_abd(boolean_t encrypt, spa_t *spa, const zbookmark_phys_t *zb, 2798 dmu_object_type_t ot, boolean_t dedup, boolean_t bswap, uint8_t *salt, 2799 uint8_t *iv, uint8_t *mac, uint_t datalen, abd_t *pabd, abd_t *cabd, 2800 boolean_t *no_crypt) 2801 { 2802 int ret; 2803 dsl_crypto_key_t *dck = NULL; 2804 uint8_t *plainbuf = NULL, *cipherbuf = NULL; 2805 2806 ASSERT(spa_feature_is_active(spa, SPA_FEATURE_ENCRYPTION)); 2807 2808 /* look up the key from the spa's keystore */ 2809 ret = spa_keystore_lookup_key(spa, zb->zb_objset, FTAG, &dck); 2810 if (ret != 0) { 2811 ret = SET_ERROR(EACCES); 2812 return (ret); 2813 } 2814 2815 if (encrypt) { 2816 plainbuf = abd_borrow_buf_copy(pabd, datalen); 2817 cipherbuf = abd_borrow_buf(cabd, datalen); 2818 } else { 2819 plainbuf = abd_borrow_buf(pabd, datalen); 2820 cipherbuf = abd_borrow_buf_copy(cabd, datalen); 2821 } 2822 2823 /* 2824 * Both encryption and decryption functions need a salt for key 2825 * generation and an IV. When encrypting a non-dedup block, we 2826 * generate the salt and IV randomly to be stored by the caller. Dedup 2827 * blocks perform a (more expensive) HMAC of the plaintext to obtain 2828 * the salt and the IV. ZIL blocks have their salt and IV generated 2829 * at allocation time in zio_alloc_zil(). On decryption, we simply use 2830 * the provided values. 2831 */ 2832 if (encrypt && ot != DMU_OT_INTENT_LOG && !dedup) { 2833 ret = zio_crypt_key_get_salt(&dck->dck_key, salt); 2834 if (ret != 0) 2835 goto error; 2836 2837 ret = zio_crypt_generate_iv(iv); 2838 if (ret != 0) 2839 goto error; 2840 } else if (encrypt && dedup) { 2841 ret = zio_crypt_generate_iv_salt_dedup(&dck->dck_key, 2842 plainbuf, datalen, iv, salt); 2843 if (ret != 0) 2844 goto error; 2845 } 2846 2847 /* call lower level function to perform encryption / decryption */ 2848 ret = zio_do_crypt_data(encrypt, &dck->dck_key, ot, bswap, salt, iv, 2849 mac, datalen, plainbuf, cipherbuf, no_crypt); 2850 2851 /* 2852 * Handle injected decryption faults. Unfortunately, we cannot inject 2853 * faults for dnode blocks because we might trigger the panic in 2854 * dbuf_prepare_encrypted_dnode_leaf(), which exists because syncing 2855 * context is not prepared to handle malicious decryption failures. 2856 */ 2857 if (zio_injection_enabled && !encrypt && ot != DMU_OT_DNODE && ret == 0) 2858 ret = zio_handle_decrypt_injection(spa, zb, ot, ECKSUM); 2859 if (ret != 0) 2860 goto error; 2861 2862 if (encrypt) { 2863 abd_return_buf(pabd, plainbuf, datalen); 2864 abd_return_buf_copy(cabd, cipherbuf, datalen); 2865 } else { 2866 abd_return_buf_copy(pabd, plainbuf, datalen); 2867 abd_return_buf(cabd, cipherbuf, datalen); 2868 } 2869 2870 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2871 2872 return (0); 2873 2874 error: 2875 if (encrypt) { 2876 /* zero out any state we might have changed while encrypting */ 2877 bzero(salt, ZIO_DATA_SALT_LEN); 2878 bzero(iv, ZIO_DATA_IV_LEN); 2879 bzero(mac, ZIO_DATA_MAC_LEN); 2880 abd_return_buf(pabd, plainbuf, datalen); 2881 abd_return_buf_copy(cabd, cipherbuf, datalen); 2882 } else { 2883 abd_return_buf_copy(pabd, plainbuf, datalen); 2884 abd_return_buf(cabd, cipherbuf, datalen); 2885 } 2886 2887 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2888 2889 return (ret); 2890 } 2891