]> git.proxmox.com Git - mirror_zfs.git/blame - module/zfs/dsl_crypt.c
projects / mirror_zfs.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Fixes for #6639
[mirror_zfs.git] / module / zfs / dsl_crypt.c
CommitLineData
b5256303
TC		 1/*
2 * CDDL HEADER START
3 *
4 * This file and its contents are supplied under the terms of the
5 * Common Development and Distribution License ("CDDL"), version 1.0.
6 * You may only use this file in accordance with the terms of version
7 * 1.0 of the CDDL.
8 *
9 * A full copy of the text of the CDDL should have accompanied this
10 * source. A copy of the CDDL is also available via the Internet at
11 * http://www.illumos.org/license/CDDL.
12 *
13 * CDDL HEADER END
14 */
15
16/*
17 * Copyright (c) 2017, Datto, Inc. All rights reserved.
18 */
19
20#include <sys/dsl_crypt.h>
21#include <sys/dsl_pool.h>
22#include <sys/zap.h>
23#include <sys/zil.h>
24#include <sys/dsl_dir.h>
25#include <sys/dsl_prop.h>
26#include <sys/spa_impl.h>
27#include <sys/dmu_objset.h>
28#include <sys/zvol.h>
29
30/*
31 * This file's primary purpose is for managing master encryption keys in
32 * memory and on disk. For more info on how these keys are used, see the
33 * block comment in zio_crypt.c.
34 *
35 * All master keys are stored encrypted on disk in the form of the DSL
36 * Crypto Key ZAP object. The binary key data in this object is always
37 * randomly generated and is encrypted with the user's wrapping key. This
38 * layer of indirection allows the user to change their key without
39 * needing to re-encrypt the entire dataset. The ZAP also holds on to the
40 * (non-encrypted) encryption algorithm identifier, IV, and MAC needed to
41 * safely decrypt the master key. For more info on the user's key see the
42 * block comment in libzfs_crypto.c
43 *
44 * In-memory encryption keys are managed through the spa_keystore. The
45 * keystore consists of 3 AVL trees, which are as follows:
46 *
47 * The Wrapping Key Tree:
48 * The wrapping key (wkey) tree stores the user's keys that are fed into the
49 * kernel through 'zfs load-key' and related commands. Datasets inherit their
50 * parent's wkey by default, so these structures are refcounted. The wrapping
51 * keys remain in memory until they are explicitly unloaded (with
52 * "zfs unload-key"). Unloading is only possible when no datasets are using
53 * them (refcount=0).
54 *
55 * The DSL Crypto Key Tree:
56 * The DSL Crypto Keys (DCK) are the in-memory representation of decrypted
57 * master keys. They are used by the functions in zio_crypt.c to perform
58 * encryption, decryption, and authentication. Snapshots and clones of a given
59 * dataset will share a DSL Crypto Key, so they are also refcounted. Once the
60 * refcount on a key hits zero, it is immediately zeroed out and freed.
61 *
62 * The Crypto Key Mapping Tree:
63 * The zio layer needs to lookup master keys by their dataset object id. Since
64 * the DSL Crypto Keys can belong to multiple datasets, we maintain a tree of
65 * dsl_key_mapping_t's which essentially just map the dataset object id to its
66 * appropriate DSL Crypto Key. The management for creating and destroying these
67 * mappings hooks into the code for owning and disowning datasets. Usually,
68 * there will only be one active dataset owner, but there are times
69 * (particularly during dataset creation and destruction) when this may not be
70 * true or the dataset may not be initialized enough to own. As a result, this
71 * object is also refcounted.
72 */
73
74static void
75dsl_wrapping_key_hold(dsl_wrapping_key_t *wkey, void *tag)
76{
77 (void) refcount_add(&wkey->wk_refcnt, tag);
78}
79
80static void
81dsl_wrapping_key_rele(dsl_wrapping_key_t *wkey, void *tag)
82{
83 (void) refcount_remove(&wkey->wk_refcnt, tag);
84}
85
86static void
87dsl_wrapping_key_free(dsl_wrapping_key_t *wkey)
88{
89 ASSERT0(refcount_count(&wkey->wk_refcnt));
90
91 if (wkey->wk_key.ck_data) {
92 bzero(wkey->wk_key.ck_data,
4807c0ba 93 CRYPTO_BITS2BYTES(wkey->wk_key.ck_length));
b5256303 94 kmem_free(wkey->wk_key.ck_data,
4807c0ba 95 CRYPTO_BITS2BYTES(wkey->wk_key.ck_length));
b5256303
TC		 96 }
97
98 refcount_destroy(&wkey->wk_refcnt);
99 kmem_free(wkey, sizeof (dsl_wrapping_key_t));
100}
101
102static int
103dsl_wrapping_key_create(uint8_t *wkeydata, zfs_keyformat_t keyformat,
104 uint64_t salt, uint64_t iters, dsl_wrapping_key_t **wkey_out)
105{
106 int ret;
107 dsl_wrapping_key_t *wkey;
108
109 /* allocate the wrapping key */
110 wkey = kmem_alloc(sizeof (dsl_wrapping_key_t), KM_SLEEP);
111 if (!wkey)
112 return (SET_ERROR(ENOMEM));
113
114 /* allocate and initialize the underlying crypto key */
115 wkey->wk_key.ck_data = kmem_alloc(WRAPPING_KEY_LEN, KM_SLEEP);
116 if (!wkey->wk_key.ck_data) {
117 ret = ENOMEM;
118 goto error;
119 }
120
121 wkey->wk_key.ck_format = CRYPTO_KEY_RAW;
4807c0ba 122 wkey->wk_key.ck_length = CRYPTO_BYTES2BITS(WRAPPING_KEY_LEN);
b5256303
TC		 123 bcopy(wkeydata, wkey->wk_key.ck_data, WRAPPING_KEY_LEN);
124
125 /* initialize the rest of the struct */
126 refcount_create(&wkey->wk_refcnt);
127 wkey->wk_keyformat = keyformat;
128 wkey->wk_salt = salt;
129 wkey->wk_iters = iters;
130
131 *wkey_out = wkey;
132 return (0);
133
134error:
135 dsl_wrapping_key_free(wkey);
136
137 *wkey_out = NULL;
138 return (ret);
139}
140
141int
142dsl_crypto_params_create_nvlist(dcp_cmd_t cmd, nvlist_t *props,
143 nvlist_t *crypto_args, dsl_crypto_params_t **dcp_out)
144{
145 int ret;
146 uint64_t crypt = ZIO_CRYPT_INHERIT;
147 uint64_t keyformat = ZFS_KEYFORMAT_NONE;
148 uint64_t salt = 0, iters = 0;
149 dsl_crypto_params_t *dcp = NULL;
150 dsl_wrapping_key_t *wkey = NULL;
151 uint8_t *wkeydata = NULL;
152 uint_t wkeydata_len = 0;
153 char *keylocation = NULL;
154
155 dcp = kmem_zalloc(sizeof (dsl_crypto_params_t), KM_SLEEP);
156 if (!dcp) {
157 ret = SET_ERROR(ENOMEM);
158 goto error;
159 }
160
161 dcp->cp_cmd = cmd;
162
163 /* get relevant arguments from the nvlists */
164 if (props != NULL) {
165 (void) nvlist_lookup_uint64(props,
166 zfs_prop_to_name(ZFS_PROP_ENCRYPTION), &crypt);
167 (void) nvlist_lookup_uint64(props,
168 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), &keyformat);
169 (void) nvlist_lookup_string(props,
170 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), &keylocation);
171 (void) nvlist_lookup_uint64(props,
172 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), &salt);
173 (void) nvlist_lookup_uint64(props,
174 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), &iters);
175
176 dcp->cp_crypt = crypt;
177 }
178
179 if (crypto_args != NULL) {
180 (void) nvlist_lookup_uint8_array(crypto_args, "wkeydata",
181 &wkeydata, &wkeydata_len);
182 }
183
184 /* check for valid command */
185 if (dcp->cp_cmd >= DCP_CMD_MAX) {
186 ret = SET_ERROR(EINVAL);
187 goto error;
188 } else {
189 dcp->cp_cmd = cmd;
190 }
191
192 /* check for valid crypt */
193 if (dcp->cp_crypt >= ZIO_CRYPT_FUNCTIONS) {
194 ret = SET_ERROR(EINVAL);
195 goto error;
196 } else {
197 dcp->cp_crypt = crypt;
198 }
199
200 /* check for valid keyformat */
201 if (keyformat >= ZFS_KEYFORMAT_FORMATS) {
202 ret = SET_ERROR(EINVAL);
203 goto error;
204 }
205
206 /* check for a valid keylocation (of any kind) and copy it in */
207 if (keylocation != NULL) {
208 if (!zfs_prop_valid_keylocation(keylocation, B_FALSE)) {
209 ret = SET_ERROR(EINVAL);
210 goto error;
211 }
212
213 dcp->cp_keylocation = spa_strdup(keylocation);
214 }
215
216 /* check wrapping key length, if given */
217 if (wkeydata != NULL && wkeydata_len != WRAPPING_KEY_LEN) {
218 ret = SET_ERROR(EINVAL);
219 goto error;
220 }
221
222 /* if the user asked for the deault crypt, determine that now */
223 if (dcp->cp_crypt == ZIO_CRYPT_ON)
224 dcp->cp_crypt = ZIO_CRYPT_ON_VALUE;
225
226 /* create the wrapping key from the raw data */
227 if (wkeydata != NULL) {
228 /* create the wrapping key with the verified parameters */
229 ret = dsl_wrapping_key_create(wkeydata, keyformat, salt,
230 iters, &wkey);
231 if (ret != 0)
232 goto error;
233
234 dcp->cp_wkey = wkey;
235 }
236
237 /*
238 * Remove the encryption properties from the nvlist since they are not
239 * maintained through the DSL.
240 */
241 (void) nvlist_remove_all(props, zfs_prop_to_name(ZFS_PROP_ENCRYPTION));
242 (void) nvlist_remove_all(props, zfs_prop_to_name(ZFS_PROP_KEYFORMAT));
243 (void) nvlist_remove_all(props, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT));
244 (void) nvlist_remove_all(props,
245 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS));
246
247 *dcp_out = dcp;
248
249 return (0);
250
251error:
252 if (wkey != NULL)
253 dsl_wrapping_key_free(wkey);
254 if (dcp != NULL)
255 kmem_free(dcp, sizeof (dsl_crypto_params_t));
256
257 *dcp_out = NULL;
258 return (ret);
259}
260
261void
262dsl_crypto_params_free(dsl_crypto_params_t *dcp, boolean_t unload)
263{
264 if (dcp == NULL)
265 return;
266
267 if (dcp->cp_keylocation != NULL)
268 spa_strfree(dcp->cp_keylocation);
269 if (unload && dcp->cp_wkey != NULL)
270 dsl_wrapping_key_free(dcp->cp_wkey);
271
272 kmem_free(dcp, sizeof (dsl_crypto_params_t));
273}
274
275static int
276spa_crypto_key_compare(const void *a, const void *b)
277{
278 const dsl_crypto_key_t *dcka = a;
279 const dsl_crypto_key_t *dckb = b;
280
281 if (dcka->dck_obj < dckb->dck_obj)
282 return (-1);
283 if (dcka->dck_obj > dckb->dck_obj)
284 return (1);
285 return (0);
286}
287
288static int
289spa_key_mapping_compare(const void *a, const void *b)
290{
291 const dsl_key_mapping_t *kma = a;
292 const dsl_key_mapping_t *kmb = b;
293
294 if (kma->km_dsobj < kmb->km_dsobj)
295 return (-1);
296 if (kma->km_dsobj > kmb->km_dsobj)
297 return (1);
298 return (0);
299}
300
301static int
302spa_wkey_compare(const void *a, const void *b)
303{
304 const dsl_wrapping_key_t *wka = a;
305 const dsl_wrapping_key_t *wkb = b;
306
307 if (wka->wk_ddobj < wkb->wk_ddobj)
308 return (-1);
309 if (wka->wk_ddobj > wkb->wk_ddobj)
310 return (1);
311 return (0);
312}
313
314void
315spa_keystore_init(spa_keystore_t *sk)
316{
317 rw_init(&sk->sk_dk_lock, NULL, RW_DEFAULT, NULL);
318 rw_init(&sk->sk_km_lock, NULL, RW_DEFAULT, NULL);
319 rw_init(&sk->sk_wkeys_lock, NULL, RW_DEFAULT, NULL);
320 avl_create(&sk->sk_dsl_keys, spa_crypto_key_compare,
321 sizeof (dsl_crypto_key_t),
322 offsetof(dsl_crypto_key_t, dck_avl_link));
323 avl_create(&sk->sk_key_mappings, spa_key_mapping_compare,
324 sizeof (dsl_key_mapping_t),
325 offsetof(dsl_key_mapping_t, km_avl_link));
326 avl_create(&sk->sk_wkeys, spa_wkey_compare, sizeof (dsl_wrapping_key_t),
327 offsetof(dsl_wrapping_key_t, wk_avl_link));
328}
329
330void
331spa_keystore_fini(spa_keystore_t *sk)
332{
333 dsl_wrapping_key_t *wkey;
334 void *cookie = NULL;
335
336 ASSERT(avl_is_empty(&sk->sk_dsl_keys));
337 ASSERT(avl_is_empty(&sk->sk_key_mappings));
338
339 while ((wkey = avl_destroy_nodes(&sk->sk_wkeys, &cookie)) != NULL)
340 dsl_wrapping_key_free(wkey);
341
342 avl_destroy(&sk->sk_wkeys);
343 avl_destroy(&sk->sk_key_mappings);
344 avl_destroy(&sk->sk_dsl_keys);
345 rw_destroy(&sk->sk_wkeys_lock);
346 rw_destroy(&sk->sk_km_lock);
347 rw_destroy(&sk->sk_dk_lock);
348}
349
350int
351dsl_dir_get_encryption_root_ddobj(dsl_dir_t *dd, uint64_t *rddobj)
352{
353 if (dd->dd_crypto_obj == 0)
354 return (SET_ERROR(ENOENT));
355
356 return (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj,
357 DSL_CRYPTO_KEY_ROOT_DDOBJ, 8, 1, rddobj));
358}
359
360static int
361spa_keystore_wkey_hold_ddobj_impl(spa_t *spa, uint64_t ddobj,
362 void *tag, dsl_wrapping_key_t **wkey_out)
363{
364 int ret;
365 dsl_wrapping_key_t search_wkey;
366 dsl_wrapping_key_t *found_wkey;
367
368 ASSERT(RW_LOCK_HELD(&spa->spa_keystore.sk_wkeys_lock));
369
370 /* init the search wrapping key */
371 search_wkey.wk_ddobj = ddobj;
372
373 /* lookup the wrapping key */
374 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, &search_wkey, NULL);
375 if (!found_wkey) {
376 ret = SET_ERROR(ENOENT);
377 goto error;
378 }
379
380 /* increment the refcount */
381 dsl_wrapping_key_hold(found_wkey, tag);
382
383 *wkey_out = found_wkey;
384 return (0);
385
386error:
387 *wkey_out = NULL;
388 return (ret);
389}
390
391static int
392spa_keystore_wkey_hold_dd(spa_t *spa, dsl_dir_t *dd, void *tag,
393 dsl_wrapping_key_t **wkey_out)
394{
395 int ret;
396 dsl_wrapping_key_t *wkey;
397 uint64_t rddobj;
398 boolean_t locked = B_FALSE;
399
400 if (!RW_WRITE_HELD(&spa->spa_keystore.sk_wkeys_lock)) {
401 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_READER);
402 locked = B_TRUE;
403 }
404
405 /* get the ddobj that the keylocation property was inherited from */
406 ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj);
407 if (ret != 0)
408 goto error;
409
410 /* lookup the wkey in the avl tree */
411 ret = spa_keystore_wkey_hold_ddobj_impl(spa, rddobj, tag, &wkey);
412 if (ret != 0)
413 goto error;
414
415 /* unlock the wkey tree if we locked it */
416 if (locked)
417 rw_exit(&spa->spa_keystore.sk_wkeys_lock);
418
419 *wkey_out = wkey;
420 return (0);
421
422error:
423 if (locked)
424 rw_exit(&spa->spa_keystore.sk_wkeys_lock);
425
426 *wkey_out = NULL;
427 return (ret);
428}
429
430int
431dsl_crypto_can_set_keylocation(const char *dsname, const char *keylocation)
432{
433 int ret = 0;
434 dsl_dir_t *dd = NULL;
435 dsl_pool_t *dp = NULL;
b5256303
TC		 436 uint64_t rddobj;
437
438 /* hold the dsl dir */
439 ret = dsl_pool_hold(dsname, FTAG, &dp);
440 if (ret != 0)
441 goto out;
442
443 ret = dsl_dir_hold(dp, dsname, FTAG, &dd, NULL);
444 if (ret != 0)
445 goto out;
446
447 /* if dd is not encrypted, the value may only be "none" */
448 if (dd->dd_crypto_obj == 0) {
449 if (strcmp(keylocation, "none") != 0) {
450 ret = SET_ERROR(EACCES);
451 goto out;
452 }
453
454 ret = 0;
455 goto out;
456 }
457
458 /* check for a valid keylocation for encrypted datasets */
459 if (!zfs_prop_valid_keylocation(keylocation, B_TRUE)) {
460 ret = SET_ERROR(EINVAL);
461 goto out;
462 }
463
464 /* check that this is an encryption root */
465 ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj);
466 if (ret != 0)
467 goto out;
468
469 if (rddobj != dd->dd_object) {
470 ret = SET_ERROR(EACCES);
471 goto out;
472 }
473
b5256303
TC		 474 dsl_dir_rele(dd, FTAG);
475 dsl_pool_rele(dp, FTAG);
476
477 return (0);
478
479out:
b5256303
TC		 480 if (dd != NULL)
481 dsl_dir_rele(dd, FTAG);
482 if (dp != NULL)
483 dsl_pool_rele(dp, FTAG);
484
485 return (ret);
486}
487
488static void
489dsl_crypto_key_free(dsl_crypto_key_t *dck)
490{
491 ASSERT(refcount_count(&dck->dck_holds) == 0);
492
493 /* destroy the zio_crypt_key_t */
494 zio_crypt_key_destroy(&dck->dck_key);
495
496 /* free the refcount, wrapping key, and lock */
497 refcount_destroy(&dck->dck_holds);
498 if (dck->dck_wkey)
499 dsl_wrapping_key_rele(dck->dck_wkey, dck);
500
501 /* free the key */
502 kmem_free(dck, sizeof (dsl_crypto_key_t));
503}
504
505static void
506dsl_crypto_key_rele(dsl_crypto_key_t *dck, void *tag)
507{
508 if (refcount_remove(&dck->dck_holds, tag) == 0)
509 dsl_crypto_key_free(dck);
510}
511
512static int
513dsl_crypto_key_open(objset_t *mos, dsl_wrapping_key_t *wkey,
514 uint64_t dckobj, void *tag, dsl_crypto_key_t **dck_out)
515{
516 int ret;
517 uint64_t crypt = 0, guid = 0;
518 uint8_t raw_keydata[MASTER_KEY_MAX_LEN];
519 uint8_t raw_hmac_keydata[SHA512_HMAC_KEYLEN];
520 uint8_t iv[WRAPPING_IV_LEN];
521 uint8_t mac[WRAPPING_MAC_LEN];
522 dsl_crypto_key_t *dck;
523
524 /* allocate and initialize the key */
525 dck = kmem_zalloc(sizeof (dsl_crypto_key_t), KM_SLEEP);
526 if (!dck)
527 return (SET_ERROR(ENOMEM));
528
529 /* fetch all of the values we need from the ZAP */
530 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1,
531 &crypt);
532 if (ret != 0)
533 goto error;
534
535 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_GUID, 8, 1, &guid);
536 if (ret != 0)
537 goto error;
538
539 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MASTER_KEY, 1,
540 MASTER_KEY_MAX_LEN, raw_keydata);
541 if (ret != 0)
542 goto error;
543
544 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_HMAC_KEY, 1,
545 SHA512_HMAC_KEYLEN, raw_hmac_keydata);
546 if (ret != 0)
547 goto error;
548
549 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_IV, 1, WRAPPING_IV_LEN,
550 iv);
551 if (ret != 0)
552 goto error;
553
554 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MAC, 1, WRAPPING_MAC_LEN,
555 mac);
556 if (ret != 0)
557 goto error;
558
559 /*
560 * Unwrap the keys. If there is an error return EACCES to indicate
561 * an authentication failure.
562 */
563 ret = zio_crypt_key_unwrap(&wkey->wk_key, crypt, guid, raw_keydata,
564 raw_hmac_keydata, iv, mac, &dck->dck_key);
565 if (ret != 0) {
566 ret = SET_ERROR(EACCES);
567 goto error;
568 }
569
570 /* finish initializing the dsl_crypto_key_t */
571 refcount_create(&dck->dck_holds);
572 dsl_wrapping_key_hold(wkey, dck);
573 dck->dck_wkey = wkey;
574 dck->dck_obj = dckobj;
575 refcount_add(&dck->dck_holds, tag);
576
577 *dck_out = dck;
578 return (0);
579
580error:
581 if (dck != NULL) {
582 bzero(dck, sizeof (dsl_crypto_key_t));
583 kmem_free(dck, sizeof (dsl_crypto_key_t));
584 }
585
586 *dck_out = NULL;
587 return (ret);
588}
589
590static int
591spa_keystore_dsl_key_hold_impl(spa_t *spa, uint64_t dckobj, void *tag,
592 dsl_crypto_key_t **dck_out)
593{
594 int ret;
595 dsl_crypto_key_t search_dck;
596 dsl_crypto_key_t *found_dck;
597
598 ASSERT(RW_LOCK_HELD(&spa->spa_keystore.sk_dk_lock));
599
600 /* init the search key */
601 search_dck.dck_obj = dckobj;
602
603 /* find the matching key in the keystore */
604 found_dck = avl_find(&spa->spa_keystore.sk_dsl_keys, &search_dck, NULL);
605 if (!found_dck) {
606 ret = SET_ERROR(ENOENT);
607 goto error;
608 }
609
610 /* increment the refcount */
611 refcount_add(&found_dck->dck_holds, tag);
612
613 *dck_out = found_dck;
614 return (0);
615
616error:
617 *dck_out = NULL;
618 return (ret);
619}
620
621static int
622spa_keystore_dsl_key_hold_dd(spa_t *spa, dsl_dir_t *dd, void *tag,
623 dsl_crypto_key_t **dck_out)
624{
625 int ret;
626 avl_index_t where;
627 dsl_crypto_key_t *dck = NULL;
628 dsl_wrapping_key_t *wkey = NULL;
629 uint64_t dckobj = dd->dd_crypto_obj;
630
631 rw_enter(&spa->spa_keystore.sk_dk_lock, RW_WRITER);
632
633 /* lookup the key in the tree of currently loaded keys */
634 ret = spa_keystore_dsl_key_hold_impl(spa, dckobj, tag, &dck);
635 if (!ret) {
636 rw_exit(&spa->spa_keystore.sk_dk_lock);
637 *dck_out = dck;
638 return (0);
639 }
640
641 /* lookup the wrapping key from the keystore */
642 ret = spa_keystore_wkey_hold_dd(spa, dd, FTAG, &wkey);
643 if (ret != 0) {
644 ret = SET_ERROR(EACCES);
645 goto error_unlock;
646 }
647
648 /* read the key from disk */
649 ret = dsl_crypto_key_open(spa->spa_meta_objset, wkey, dckobj,
650 tag, &dck);
651 if (ret != 0)
652 goto error_unlock;
653
654 /*
655 * add the key to the keystore (this should always succeed
656 * since we made sure it didn't exist before)
657 */
658 avl_find(&spa->spa_keystore.sk_dsl_keys, dck, &where);
659 avl_insert(&spa->spa_keystore.sk_dsl_keys, dck, where);
660
661 /* release the wrapping key (the dsl key now has a reference to it) */
662 dsl_wrapping_key_rele(wkey, FTAG);
663
664 rw_exit(&spa->spa_keystore.sk_dk_lock);
665
666 *dck_out = dck;
667 return (0);
668
669error_unlock:
670 rw_exit(&spa->spa_keystore.sk_dk_lock);
671 if (wkey != NULL)
672 dsl_wrapping_key_rele(wkey, FTAG);
673
674 *dck_out = NULL;
675 return (ret);
676}
677
678void
679spa_keystore_dsl_key_rele(spa_t *spa, dsl_crypto_key_t *dck, void *tag)
680{
681 rw_enter(&spa->spa_keystore.sk_dk_lock, RW_WRITER);
682
683 if (refcount_remove(&dck->dck_holds, tag) == 0) {
684 avl_remove(&spa->spa_keystore.sk_dsl_keys, dck);
685 dsl_crypto_key_free(dck);
686 }
687
688 rw_exit(&spa->spa_keystore.sk_dk_lock);
689}
690
691int
692spa_keystore_load_wkey_impl(spa_t *spa, dsl_wrapping_key_t *wkey)
693{
694 int ret;
695 avl_index_t where;
696 dsl_wrapping_key_t *found_wkey;
697
698 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_WRITER);
699
700 /* insert the wrapping key into the keystore */
701 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, wkey, &where);
702 if (found_wkey != NULL) {
703 ret = SET_ERROR(EEXIST);
704 goto error_unlock;
705 }
706 avl_insert(&spa->spa_keystore.sk_wkeys, wkey, where);
707
708 rw_exit(&spa->spa_keystore.sk_wkeys_lock);
709
710 return (0);
711
712error_unlock:
713 rw_exit(&spa->spa_keystore.sk_wkeys_lock);
714 return (ret);
715}
716
717int
718spa_keystore_load_wkey(const char *dsname, dsl_crypto_params_t *dcp,
719 boolean_t noop)
720{
721 int ret;
722 dsl_dir_t *dd = NULL;
723 dsl_crypto_key_t *dck = NULL;
724 dsl_wrapping_key_t *wkey = dcp->cp_wkey;
725 dsl_pool_t *dp = NULL;
726
727 /*
728 * We don't validate the wrapping key's keyformat, salt, or iters
729 * since they will never be needed after the DCK has been wrapped.
730 */
731 if (dcp->cp_wkey == NULL ||
732 dcp->cp_cmd != DCP_CMD_NONE ||
733 dcp->cp_crypt != ZIO_CRYPT_INHERIT ||
734 dcp->cp_keylocation != NULL)
735 return (SET_ERROR(EINVAL));
736
737 ret = dsl_pool_hold(dsname, FTAG, &dp);
738 if (ret != 0)
739 goto error;
740
741 if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_ENCRYPTION)) {
742 ret = (SET_ERROR(ENOTSUP));
743 goto error;
744 }
745
746 /* hold the dsl dir */
747 ret = dsl_dir_hold(dp, dsname, FTAG, &dd, NULL);
748 if (ret != 0)
749 goto error;
750
751 /* initialize the wkey's ddobj */
752 wkey->wk_ddobj = dd->dd_object;
753
754 /* verify that the wkey is correct by opening its dsl key */
755 ret = dsl_crypto_key_open(dp->dp_meta_objset, wkey,
756 dd->dd_crypto_obj, FTAG, &dck);
757 if (ret != 0)
758 goto error;
759
760 /*
761 * At this point we have verified the key. We can simply cleanup and
762 * return if this is all the user wanted to do.
763 */
764 if (noop)
765 goto error;
766
767 /* insert the wrapping key into the keystore */
768 ret = spa_keystore_load_wkey_impl(dp->dp_spa, wkey);
769 if (ret != 0)
770 goto error;
771
772 dsl_crypto_key_rele(dck, FTAG);
773 dsl_dir_rele(dd, FTAG);
774 dsl_pool_rele(dp, FTAG);
775
776 /* create any zvols under this ds */
777 zvol_create_minors(dp->dp_spa, dsname, B_TRUE);
778
779 return (0);
780
781error:
782 if (dck != NULL)
783 dsl_crypto_key_rele(dck, FTAG);
784 if (dd != NULL)
785 dsl_dir_rele(dd, FTAG);
786 if (dp != NULL)
787 dsl_pool_rele(dp, FTAG);
788
789 return (ret);
790}
791
792int
793spa_keystore_unload_wkey_impl(spa_t *spa, uint64_t ddobj)
794{
795 int ret;
796 dsl_wrapping_key_t search_wkey;
797 dsl_wrapping_key_t *found_wkey;
798
799 /* init the search wrapping key */
800 search_wkey.wk_ddobj = ddobj;
801
802 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_WRITER);
803
804 /* remove the wrapping key from the keystore */
805 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys,
806 &search_wkey, NULL);
807 if (!found_wkey) {
808 ret = SET_ERROR(ENOENT);
809 goto error_unlock;
810 } else if (refcount_count(&found_wkey->wk_refcnt) != 0) {
811 ret = SET_ERROR(EBUSY);
812 goto error_unlock;
813 }
814 avl_remove(&spa->spa_keystore.sk_wkeys, found_wkey);
815
816 rw_exit(&spa->spa_keystore.sk_wkeys_lock);
817
818 /* free the wrapping key */
819 dsl_wrapping_key_free(found_wkey);
820
821 return (0);
822
823error_unlock:
824 rw_exit(&spa->spa_keystore.sk_wkeys_lock);
825 return (ret);
826}
827
828int
829spa_keystore_unload_wkey(const char *dsname)
830{
831 int ret = 0;
832 dsl_dir_t *dd = NULL;
833 dsl_pool_t *dp = NULL;
834
835 /* hold the dsl dir */
836 ret = dsl_pool_hold(dsname, FTAG, &dp);
837 if (ret != 0)
838 goto error;
839
840 if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_ENCRYPTION)) {
841 ret = (SET_ERROR(ENOTSUP));
842 goto error;
843 }
844
845 ret = dsl_dir_hold(dp, dsname, FTAG, &dd, NULL);
846 if (ret != 0)
847 goto error;
848
849 /* unload the wkey */
850 ret = spa_keystore_unload_wkey_impl(dp->dp_spa, dd->dd_object);
851 if (ret != 0)
852 goto error;
853
854 dsl_dir_rele(dd, FTAG);
855 dsl_pool_rele(dp, FTAG);
856
857 /* remove any zvols under this ds */
858 zvol_remove_minors(dp->dp_spa, dsname, B_TRUE);
859
860 return (0);
861
862error:
863 if (dd != NULL)
864 dsl_dir_rele(dd, FTAG);
865 if (dp != NULL)
866 dsl_pool_rele(dp, FTAG);
867
868 return (ret);
869}
870
871int
872spa_keystore_create_mapping_impl(spa_t *spa, uint64_t dsobj,
873 dsl_dir_t *dd, void *tag)
874{
875 int ret;
876 avl_index_t where;
877 dsl_key_mapping_t *km = NULL, *found_km;
878 boolean_t should_free = B_FALSE;
879
880 /* allocate the mapping */
881 km = kmem_alloc(sizeof (dsl_key_mapping_t), KM_SLEEP);
882 if (!km)
883 return (SET_ERROR(ENOMEM));
884
885 /* initialize the mapping */
886 refcount_create(&km->km_refcnt);
887
888 ret = spa_keystore_dsl_key_hold_dd(spa, dd, km, &km->km_key);
889 if (ret != 0)
890 goto error;
891
892 km->km_dsobj = dsobj;
893
894 rw_enter(&spa->spa_keystore.sk_km_lock, RW_WRITER);
895
896 /*
897 * If a mapping already exists, simply increment its refcount and
898 * cleanup the one we made. We want to allocate / free outside of
899 * the lock because this lock is also used by the zio layer to lookup
900 * key mappings. Otherwise, use the one we created. Normally, there will
901 * only be one active reference at a time (the objset owner), but there
902 * are times when there could be multiple async users.
903 */
904 found_km = avl_find(&spa->spa_keystore.sk_key_mappings, km, &where);
905 if (found_km != NULL) {
906 should_free = B_TRUE;
907 refcount_add(&found_km->km_refcnt, tag);
908 } else {
909 refcount_add(&km->km_refcnt, tag);
910 avl_insert(&spa->spa_keystore.sk_key_mappings, km, where);
911 }
912
913 rw_exit(&spa->spa_keystore.sk_km_lock);
914
915 if (should_free) {
916 spa_keystore_dsl_key_rele(spa, km->km_key, km);
917 refcount_destroy(&km->km_refcnt);
918 kmem_free(km, sizeof (dsl_key_mapping_t));
919 }
920
921 return (0);
922
923error:
924 if (km->km_key)
925 spa_keystore_dsl_key_rele(spa, km->km_key, km);
926
927 refcount_destroy(&km->km_refcnt);
928 kmem_free(km, sizeof (dsl_key_mapping_t));
929
930 return (ret);
931}
932
933int
934spa_keystore_create_mapping(spa_t *spa, dsl_dataset_t *ds, void *tag)
935{
936 return (spa_keystore_create_mapping_impl(spa, ds->ds_object,
937 ds->ds_dir, tag));
938}
939
940int
941spa_keystore_remove_mapping(spa_t *spa, uint64_t dsobj, void *tag)
942{
943 int ret;
944 dsl_key_mapping_t search_km;
945 dsl_key_mapping_t *found_km;
946 boolean_t should_free = B_FALSE;
947
948 /* init the search key mapping */
949 search_km.km_dsobj = dsobj;
950
951 rw_enter(&spa->spa_keystore.sk_km_lock, RW_WRITER);
952
953 /* find the matching mapping */
954 found_km = avl_find(&spa->spa_keystore.sk_key_mappings,
955 &search_km, NULL);
956 if (found_km == NULL) {
957 ret = SET_ERROR(ENOENT);
958 goto error_unlock;
959 }
960
961 /*
962 * Decrement the refcount on the mapping and remove it from the tree if
963 * it is zero. Try to minimize time spent in this lock by deferring
964 * cleanup work.
965 */
966 if (refcount_remove(&found_km->km_refcnt, tag) == 0) {
967 should_free = B_TRUE;
968 avl_remove(&spa->spa_keystore.sk_key_mappings, found_km);
969 }
970
971 rw_exit(&spa->spa_keystore.sk_km_lock);
972
973 /* destroy the key mapping */
974 if (should_free) {
975 spa_keystore_dsl_key_rele(spa, found_km->km_key, found_km);
976 kmem_free(found_km, sizeof (dsl_key_mapping_t));
977 }
978
979 return (0);
980
981error_unlock:
982 rw_exit(&spa->spa_keystore.sk_km_lock);
983 return (ret);
984}
985
986/*
987 * This function is primarily used by the zio and arc layer to lookup
988 * DSL Crypto Keys for encryption. Callers must release the key with
989 * spa_keystore_dsl_key_rele(). The function may also be called with
990 * dck_out == NULL and tag == NULL to simply check that a key exists
991 * without getting a reference to it.
992 */
993int
994spa_keystore_lookup_key(spa_t *spa, uint64_t dsobj, void *tag,
995 dsl_crypto_key_t **dck_out)
996{
997 int ret;
998 dsl_key_mapping_t search_km;
999 dsl_key_mapping_t *found_km;
1000
1001 ASSERT((tag != NULL && dck_out != NULL) ||
1002 (tag == NULL && dck_out == NULL));
1003
1004 /* init the search key mapping */
1005 search_km.km_dsobj = dsobj;
1006
1007 rw_enter(&spa->spa_keystore.sk_km_lock, RW_READER);
1008
1009 /* remove the mapping from the tree */
1010 found_km = avl_find(&spa->spa_keystore.sk_key_mappings, &search_km,
1011 NULL);
1012 if (found_km == NULL) {
1013 ret = SET_ERROR(ENOENT);
1014 goto error_unlock;
1015 }
1016
1017 if (found_km && tag)
1018 refcount_add(&found_km->km_key->dck_holds, tag);
1019
1020 rw_exit(&spa->spa_keystore.sk_km_lock);
1021
1022 if (dck_out != NULL)
1023 *dck_out = found_km->km_key;
1024 return (0);
1025
1026error_unlock:
1027 rw_exit(&spa->spa_keystore.sk_km_lock);
1028
1029 if (dck_out != NULL)
1030 *dck_out = NULL;
1031 return (ret);
1032}
1033
1034static int
1035dmu_objset_check_wkey_loaded(dsl_dir_t *dd)
1036{
1037 int ret;
1038 dsl_wrapping_key_t *wkey = NULL;
1039
1040 ret = spa_keystore_wkey_hold_dd(dd->dd_pool->dp_spa, dd, FTAG,
1041 &wkey);
1042 if (ret != 0)
1043 return (SET_ERROR(EACCES));
1044
1045 dsl_wrapping_key_rele(wkey, FTAG);
1046
1047 return (0);
1048}
1049
1050static zfs_keystatus_t
1051dsl_dataset_get_keystatus(dsl_dir_t *dd)
1052{
1053 /* check if this dd has a has a dsl key */
1054 if (dd->dd_crypto_obj == 0)
1055 return (ZFS_KEYSTATUS_NONE);
1056
1057 return (dmu_objset_check_wkey_loaded(dd) == 0 ?
1058 ZFS_KEYSTATUS_AVAILABLE : ZFS_KEYSTATUS_UNAVAILABLE);
1059}
1060
1061static int
1062dsl_dir_get_crypt(dsl_dir_t *dd, uint64_t *crypt)
1063{
1064 if (dd->dd_crypto_obj == 0) {
1065 *crypt = ZIO_CRYPT_OFF;
1066 return (0);
1067 }
1068
1069 return (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj,
1070 DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, crypt));
1071}
1072
1073static void
1074dsl_crypto_key_sync_impl(objset_t *mos, uint64_t dckobj, uint64_t crypt,
1075 uint64_t root_ddobj, uint64_t guid, uint8_t *iv, uint8_t *mac,
1076 uint8_t *keydata, uint8_t *hmac_keydata, uint64_t keyformat,
1077 uint64_t salt, uint64_t iters, dmu_tx_t *tx)
1078{
1079 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1,
1080 &crypt, tx));
1081 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_ROOT_DDOBJ, 8, 1,
1082 &root_ddobj, tx));
1083 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_GUID, 8, 1,
1084 &guid, tx));
1085 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_IV, 1, WRAPPING_IV_LEN,
1086 iv, tx));
1087 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_MAC, 1, WRAPPING_MAC_LEN,
1088 mac, tx));
1089 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_MASTER_KEY, 1,
1090 MASTER_KEY_MAX_LEN, keydata, tx));
1091 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_HMAC_KEY, 1,
1092 SHA512_HMAC_KEYLEN, hmac_keydata, tx));
1093 VERIFY0(zap_update(mos, dckobj, zfs_prop_to_name(ZFS_PROP_KEYFORMAT),
1094 8, 1, &keyformat, tx));
1095 VERIFY0(zap_update(mos, dckobj, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT),
1096 8, 1, &salt, tx));
1097 VERIFY0(zap_update(mos, dckobj, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS),
1098 8, 1, &iters, tx));
1099}
1100
1101static void
1102dsl_crypto_key_sync(dsl_crypto_key_t *dck, dmu_tx_t *tx)
1103{
1104 zio_crypt_key_t *key = &dck->dck_key;
1105 dsl_wrapping_key_t *wkey = dck->dck_wkey;
1106 uint8_t keydata[MASTER_KEY_MAX_LEN];
1107 uint8_t hmac_keydata[SHA512_HMAC_KEYLEN];
1108 uint8_t iv[WRAPPING_IV_LEN];
1109 uint8_t mac[WRAPPING_MAC_LEN];
1110
1111 ASSERT(dmu_tx_is_syncing(tx));
1112 ASSERT3U(key->zk_crypt, <, ZIO_CRYPT_FUNCTIONS);
1113
1114 /* encrypt and store the keys along with the IV and MAC */
1115 VERIFY0(zio_crypt_key_wrap(&dck->dck_wkey->wk_key, key, iv, mac,
1116 keydata, hmac_keydata));
1117
1118 /* update the ZAP with the obtained values */
1119 dsl_crypto_key_sync_impl(tx->tx_pool->dp_meta_objset, dck->dck_obj,
1120 key->zk_crypt, wkey->wk_ddobj, key->zk_guid, iv, mac, keydata,
1121 hmac_keydata, wkey->wk_keyformat, wkey->wk_salt, wkey->wk_iters,
1122 tx);
1123}
1124
1125typedef struct spa_keystore_change_key_args {
1126 const char *skcka_dsname;
1127 dsl_crypto_params_t *skcka_cp;
1128} spa_keystore_change_key_args_t;
1129
1130static int
1131spa_keystore_change_key_check(void *arg, dmu_tx_t *tx)
1132{
1133 int ret;
1134 dsl_dir_t *dd = NULL;
1135 dsl_pool_t *dp = dmu_tx_pool(tx);
1136 spa_keystore_change_key_args_t *skcka = arg;
1137 dsl_crypto_params_t *dcp = skcka->skcka_cp;
1138 uint64_t rddobj;
1139
1140 /* check for the encryption feature */
1141 if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_ENCRYPTION)) {
1142 ret = SET_ERROR(ENOTSUP);
1143 goto error;
1144 }
1145
1146 /* check for valid key change command */
1147 if (dcp->cp_cmd != DCP_CMD_NEW_KEY &&
1148 dcp->cp_cmd != DCP_CMD_INHERIT &&
1149 dcp->cp_cmd != DCP_CMD_FORCE_NEW_KEY &&
1150 dcp->cp_cmd != DCP_CMD_FORCE_INHERIT) {
1151 ret = SET_ERROR(EINVAL);
1152 goto error;
1153 }
1154
1155 /* hold the dd */
1156 ret = dsl_dir_hold(dp, skcka->skcka_dsname, FTAG, &dd, NULL);
1157 if (ret != 0)
1158 goto error;
1159
1160 /* verify that the dataset is encrypted */
1161 if (dd->dd_crypto_obj == 0) {
1162 ret = SET_ERROR(EINVAL);
1163 goto error;
1164 }
1165
1166 /* clones must always use their origin's key */
1167 if (dsl_dir_is_clone(dd)) {
1168 ret = SET_ERROR(EINVAL);
1169 goto error;
1170 }
1171
1172 /* lookup the ddobj we are inheriting the keylocation from */
1173 ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj);
1174 if (ret != 0)
1175 goto error;
1176
1177 /* Handle inheritence */
1178 if (dcp->cp_cmd == DCP_CMD_INHERIT ||
1179 dcp->cp_cmd == DCP_CMD_FORCE_INHERIT) {
1180 /* no other encryption params should be given */
1181 if (dcp->cp_crypt != ZIO_CRYPT_INHERIT ||
1182 dcp->cp_keylocation != NULL ||
1183 dcp->cp_wkey != NULL) {
1184 ret = SET_ERROR(EINVAL);
1185 goto error;
1186 }
1187
1188 /* check that this is an encryption root */
1189 if (dd->dd_object != rddobj) {
1190 ret = SET_ERROR(EINVAL);
1191 goto error;
1192 }
1193
1194 /* check that the parent is encrypted */
1195 if (dd->dd_parent->dd_crypto_obj == 0) {
1196 ret = SET_ERROR(EINVAL);
1197 goto error;
1198 }
1199
1200 /* if we are rewrapping check that both keys are loaded */
1201 if (dcp->cp_cmd == DCP_CMD_INHERIT) {
1202 ret = dmu_objset_check_wkey_loaded(dd);
1203 if (ret != 0)
1204 goto error;
1205
1206 ret = dmu_objset_check_wkey_loaded(dd->dd_parent);
1207 if (ret != 0)
1208 goto error;
1209 }
1210
1211 dsl_dir_rele(dd, FTAG);
1212 return (0);
1213 }
1214
1215 /* handle forcing an encryption root without rewrapping */
1216 if (dcp->cp_cmd == DCP_CMD_FORCE_NEW_KEY) {
1217 /* no other encryption params should be given */
1218 if (dcp->cp_crypt != ZIO_CRYPT_INHERIT ||
1219 dcp->cp_keylocation != NULL ||
1220 dcp->cp_wkey != NULL) {
1221 ret = SET_ERROR(EINVAL);
1222 goto error;
1223 }
1224
1225 /* check that this is not an encryption root */
1226 if (dd->dd_object == rddobj) {
1227 ret = SET_ERROR(EINVAL);
1228 goto error;
1229 }
1230
1231 dsl_dir_rele(dd, FTAG);
1232 return (0);
1233 }
1234
1235 /* crypt cannot be changed after creation */
1236 if (dcp->cp_crypt != ZIO_CRYPT_INHERIT) {
1237 ret = SET_ERROR(EINVAL);
1238 goto error;
1239 }
1240
1241 /* we are not inheritting our parent's wkey so we need one ourselves */
1242 if (dcp->cp_wkey == NULL) {
1243 ret = SET_ERROR(EINVAL);
1244 goto error;
1245 }
1246
1247 /* check for a valid keyformat for the new wrapping key */
1248 if (dcp->cp_wkey->wk_keyformat >= ZFS_KEYFORMAT_FORMATS ||
1249 dcp->cp_wkey->wk_keyformat == ZFS_KEYFORMAT_NONE) {
1250 ret = SET_ERROR(EINVAL);
1251 goto error;
1252 }
1253
1254 /*
1255 * If this dataset is not currently an encryption root we need a new
1256 * keylocation for this dataset's new wrapping key. Otherwise we can
1257 * just keep the one we already had.
1258 */
1259 if (dd->dd_object != rddobj && dcp->cp_keylocation == NULL) {
1260 ret = SET_ERROR(EINVAL);
1261 goto error;
1262 }
1263
1264 /* check that the keylocation is valid if it is not NULL */
1265 if (dcp->cp_keylocation != NULL &&
1266 !zfs_prop_valid_keylocation(dcp->cp_keylocation, B_TRUE)) {
1267 ret = SET_ERROR(EINVAL);
1268 goto error;
1269 }
1270
1271 /* passphrases require pbkdf2 salt and iters */
1272 if (dcp->cp_wkey->wk_keyformat == ZFS_KEYFORMAT_PASSPHRASE) {
1273 if (dcp->cp_wkey->wk_salt == 0 ||
1274 dcp->cp_wkey->wk_iters < MIN_PBKDF2_ITERATIONS) {
1275 ret = SET_ERROR(EINVAL);
1276 goto error;
1277 }
1278 } else {
1279 if (dcp->cp_wkey->wk_salt != 0 || dcp->cp_wkey->wk_iters != 0) {
1280 ret = SET_ERROR(EINVAL);
1281 goto error;
1282 }
1283 }
1284
1285 /* make sure the dd's wkey is loaded */
1286 ret = dmu_objset_check_wkey_loaded(dd);
1287 if (ret != 0)
1288 goto error;
1289
1290 dsl_dir_rele(dd, FTAG);
1291
1292 return (0);
1293
1294error:
1295 if (dd != NULL)
1296 dsl_dir_rele(dd, FTAG);
1297
1298 return (ret);
1299}
1300
1301
1302static void
1303spa_keystore_change_key_sync_impl(uint64_t rddobj, uint64_t ddobj,
1304 uint64_t new_rddobj, dsl_wrapping_key_t *wkey, dmu_tx_t *tx)
1305{
1306 zap_cursor_t *zc;
1307 zap_attribute_t *za;
1308 dsl_pool_t *dp = dmu_tx_pool(tx);
1309 dsl_dir_t *dd = NULL;
1310 dsl_crypto_key_t *dck = NULL;
1311 uint64_t curr_rddobj;
1312
1313 ASSERT(RW_WRITE_HELD(&dp->dp_spa->spa_keystore.sk_wkeys_lock));
1314
1315 /* hold the dd */
1316 VERIFY0(dsl_dir_hold_obj(dp, ddobj, NULL, FTAG, &dd));
1317
1318 /* ignore hidden dsl dirs */
1319 if (dd->dd_myname[0] == '$' || dd->dd_myname[0] == '%') {
1320 dsl_dir_rele(dd, FTAG);
1321 return;
1322 }
1323
1324 /* stop recursing if this dsl dir didn't inherit from the root */
1325 VERIFY0(dsl_dir_get_encryption_root_ddobj(dd, &curr_rddobj));
1326
1327 if (curr_rddobj != rddobj) {
1328 dsl_dir_rele(dd, FTAG);
1329 return;
1330 }
1331
1332 /*
1333 * If we don't have a wrapping key just update the dck to reflect the
1334 * new encryption root. Otherwise rewrap the entire dck and re-sync it
1335 * to disk.
1336 */
1337 if (wkey == NULL) {
1338 VERIFY0(zap_update(dp->dp_meta_objset, dd->dd_crypto_obj,
1339 DSL_CRYPTO_KEY_ROOT_DDOBJ, 8, 1, &new_rddobj, tx));
1340 } else {
1341 VERIFY0(spa_keystore_dsl_key_hold_dd(dp->dp_spa, dd,
1342 FTAG, &dck));
1343 dsl_wrapping_key_hold(wkey, dck);
1344 dsl_wrapping_key_rele(dck->dck_wkey, dck);
1345 dck->dck_wkey = wkey;
1346 dsl_crypto_key_sync(dck, tx);
1347 spa_keystore_dsl_key_rele(dp->dp_spa, dck, FTAG);
1348 }
1349
1350 zc = kmem_alloc(sizeof (zap_cursor_t), KM_SLEEP);
1351 za = kmem_alloc(sizeof (zap_attribute_t), KM_SLEEP);
1352
1353 /* Recurse into all child and clone dsl dirs. */
1354 for (zap_cursor_init(zc, dp->dp_meta_objset,
1355 dsl_dir_phys(dd)->dd_child_dir_zapobj);
1356 zap_cursor_retrieve(zc, za) == 0;
1357 zap_cursor_advance(zc)) {
1358 spa_keystore_change_key_sync_impl(rddobj,
1359 za->za_first_integer, new_rddobj, wkey, tx);
1360 }
1361 zap_cursor_fini(zc);
1362
1363 for (zap_cursor_init(zc, dp->dp_meta_objset,
1364 dsl_dir_phys(dd)->dd_clones);
1365 zap_cursor_retrieve(zc, za) == 0;
1366 zap_cursor_advance(zc)) {
1367 dsl_dataset_t *clone;
1368
1369 VERIFY0(dsl_dataset_hold_obj(dp,
1370 za->za_first_integer, FTAG, &clone));
1371 spa_keystore_change_key_sync_impl(rddobj,
1372 clone->ds_dir->dd_object, new_rddobj, wkey, tx);
1373 dsl_dataset_rele(clone, FTAG);
1374 }
1375 zap_cursor_fini(zc);
1376
1377 kmem_free(za, sizeof (zap_attribute_t));
1378 kmem_free(zc, sizeof (zap_cursor_t));
1379
1380 dsl_dir_rele(dd, FTAG);
1381}
1382
1383static void
1384spa_keystore_change_key_sync(void *arg, dmu_tx_t *tx)
1385{
1386 dsl_dataset_t *ds;
1387 avl_index_t where;
1388 dsl_pool_t *dp = dmu_tx_pool(tx);
1389 spa_t *spa = dp->dp_spa;
1390 spa_keystore_change_key_args_t *skcka = arg;
1391 dsl_crypto_params_t *dcp = skcka->skcka_cp;
1392 dsl_wrapping_key_t *wkey = NULL, *found_wkey;
1393 dsl_wrapping_key_t wkey_search;
1394 char *keylocation = dcp->cp_keylocation;
1395 uint64_t rddobj, new_rddobj;
1396
1397 /* create and initialize the wrapping key */
1398 VERIFY0(dsl_dataset_hold(dp, skcka->skcka_dsname, FTAG, &ds));
1399 ASSERT(!ds->ds_is_snapshot);
1400
1401 if (dcp->cp_cmd == DCP_CMD_NEW_KEY ||
1402 dcp->cp_cmd == DCP_CMD_FORCE_NEW_KEY) {
1403 /*
1404 * We are changing to a new wkey. Set additional properties
1405 * which can be sent along with this ioctl. Note that this
1406 * command can set keylocation even if it can't normally be
1407 * set via 'zfs set' due to a non-local keylocation.
1408 */
1409 if (dcp->cp_cmd == DCP_CMD_NEW_KEY) {
1410 wkey = dcp->cp_wkey;
1411 wkey->wk_ddobj = ds->ds_dir->dd_object;
1412 } else {
1413 keylocation = "prompt";
1414 }
1415
1416 if (keylocation != NULL) {
1417 dsl_prop_set_sync_impl(ds,
1418 zfs_prop_to_name(ZFS_PROP_KEYLOCATION),
1419 ZPROP_SRC_LOCAL, 1, strlen(keylocation) + 1,
1420 keylocation, tx);
1421 }
1422
1423 VERIFY0(dsl_dir_get_encryption_root_ddobj(ds->ds_dir, &rddobj));
1424 new_rddobj = ds->ds_dir->dd_object;
1425 } else {
1426 /*
1427 * We are inheritting the parent's wkey. Unset any local
1428 * keylocation and grab a reference to the wkey.
1429 */
1430 if (dcp->cp_cmd == DCP_CMD_INHERIT) {
1431 VERIFY0(spa_keystore_wkey_hold_dd(spa,
1432 ds->ds_dir->dd_parent, FTAG, &wkey));
1433 }
1434
1435 dsl_prop_set_sync_impl(ds,
1436 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), ZPROP_SRC_NONE,
1437 0, 0, NULL, tx);
1438
1439 rddobj = ds->ds_dir->dd_object;
1440 new_rddobj = ds->ds_dir->dd_parent->dd_object;
1441 }
1442
1443 if (wkey == NULL) {
1444 ASSERT(dcp->cp_cmd == DCP_CMD_FORCE_INHERIT ||
1445 dcp->cp_cmd == DCP_CMD_FORCE_NEW_KEY);
1446 }
1447
1448 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_WRITER);
1449
1450 /* recurse through all children and rewrap their keys */
1451 spa_keystore_change_key_sync_impl(rddobj, ds->ds_dir->dd_object,
1452 new_rddobj, wkey, tx);
1453
1454 /*
1455 * All references to the old wkey should be released now (if it
1456 * existed). Replace the wrapping key.
1457 */
1458 wkey_search.wk_ddobj = ds->ds_dir->dd_object;
1459 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, &wkey_search, NULL);
1460 if (found_wkey != NULL) {
1461 ASSERT0(refcount_count(&found_wkey->wk_refcnt));
1462 avl_remove(&spa->spa_keystore.sk_wkeys, found_wkey);
1463 dsl_wrapping_key_free(found_wkey);
1464 }
1465
1466 if (dcp->cp_cmd == DCP_CMD_NEW_KEY) {
1467 avl_find(&spa->spa_keystore.sk_wkeys, wkey, &where);
1468 avl_insert(&spa->spa_keystore.sk_wkeys, wkey, where);
1469 } else if (wkey != NULL) {
1470 dsl_wrapping_key_rele(wkey, FTAG);
1471 }
1472
1473 rw_exit(&spa->spa_keystore.sk_wkeys_lock);
1474
1475 dsl_dataset_rele(ds, FTAG);
1476}
1477
1478int
1479spa_keystore_change_key(const char *dsname, dsl_crypto_params_t *dcp)
1480{
1481 spa_keystore_change_key_args_t skcka;
1482
1483 /* initialize the args struct */
1484 skcka.skcka_dsname = dsname;
1485 skcka.skcka_cp = dcp;
1486
1487 /*
1488 * Perform the actual work in syncing context. The blocks modified
1489 * here could be calculated but it would require holding the pool
1490 * lock and tarversing all of the datasets that will have their keys
1491 * changed.
1492 */
1493 return (dsl_sync_task(dsname, spa_keystore_change_key_check,
1494 spa_keystore_change_key_sync, &skcka, 15,
1495 ZFS_SPACE_CHECK_RESERVED));
1496}
1497
1498int
1499dsl_dir_rename_crypt_check(dsl_dir_t *dd, dsl_dir_t *newparent)
1500{
1501 int ret;
1502 uint64_t curr_rddobj, parent_rddobj;
1503
1504 if (dd->dd_crypto_obj == 0) {
1505 /* children of encrypted parents must be encrypted */
1506 if (newparent->dd_crypto_obj != 0) {
1507 ret = SET_ERROR(EACCES);
1508 goto error;
1509 }
1510
1511 return (0);
1512 }
1513
1514 ret = dsl_dir_get_encryption_root_ddobj(dd, &curr_rddobj);
1515 if (ret != 0)
1516 goto error;
1517
1518 /*
1519 * if this is not an encryption root, we must make sure we are not
1520 * moving dd to a new encryption root
1521 */
1522 if (dd->dd_object != curr_rddobj) {
1523 ret = dsl_dir_get_encryption_root_ddobj(newparent,
1524 &parent_rddobj);
1525 if (ret != 0)
1526 goto error;
1527
1528 if (parent_rddobj != curr_rddobj) {
1529 ret = SET_ERROR(EACCES);
1530 goto error;
1531 }
1532 }
1533
1534 return (0);
1535
1536error:
1537 return (ret);
1538}
1539
1540/*
1541 * Check to make sure that a promote from targetdd to origindd will not require
1542 * any key rewraps.
1543 */
1544int
1545dsl_dataset_promote_crypt_check(dsl_dir_t *target, dsl_dir_t *origin)
1546{
1547 int ret;
1548 uint64_t rddobj, op_rddobj, tp_rddobj;
1549
1550 /* If the dataset is not encrypted we don't need to check anything */
1551 if (origin->dd_crypto_obj == 0)
1552 return (0);
1553
1554 /*
1555 * If we are not changing the first origin snapshot in a chain
1556 * the encryption root won't change either.
1557 */
1558 if (dsl_dir_is_clone(origin))
1559 return (0);
1560
1561 /*
1562 * If the origin is the encryption root we will update
1563 * the DSL Crypto Key to point to the target instead.
1564 */
1565 ret = dsl_dir_get_encryption_root_ddobj(origin, &rddobj);
1566 if (ret != 0)
1567 return (ret);
1568
1569 if (rddobj == origin->dd_object)
1570 return (0);
1571
1572 /*
1573 * The origin is inheriting its encryption root from its parent.
1574 * Check that the parent of the target has the same encryption root.
1575 */
1576 ret = dsl_dir_get_encryption_root_ddobj(origin->dd_parent, &op_rddobj);
1577 if (ret != 0)
1578 return (ret);
1579
1580 ret = dsl_dir_get_encryption_root_ddobj(target->dd_parent, &tp_rddobj);
1581 if (ret != 0)
1582 return (ret);
1583
1584 if (op_rddobj != tp_rddobj)
1585 return (SET_ERROR(EACCES));
1586
1587 return (0);
1588}
1589
1590void
1591dsl_dataset_promote_crypt_sync(dsl_dir_t *target, dsl_dir_t *origin,
1592 dmu_tx_t *tx)
1593{
1594 uint64_t rddobj;
1595 dsl_pool_t *dp = target->dd_pool;
1596 dsl_dataset_t *targetds;
1597 dsl_dataset_t *originds;
1598 char *keylocation;
1599
1600 if (origin->dd_crypto_obj == 0)
1601 return;
1602 if (dsl_dir_is_clone(origin))
1603 return;
1604
1605 VERIFY0(dsl_dir_get_encryption_root_ddobj(origin, &rddobj));
1606
1607 if (rddobj != origin->dd_object)
1608 return;
1609
1610 /*
1611 * If the target is being promoted to the encyrption root update the
1612 * DSL Crypto Key and keylocation to reflect that. We also need to
1613 * update the DSL Crypto Keys of all children inheritting their
1614 * encryption root to point to the new target. Otherwise, the check
1615 * function ensured that the encryption root will not change.
1616 */
1617 keylocation = kmem_alloc(ZAP_MAXVALUELEN, KM_SLEEP);
1618
1619 VERIFY0(dsl_dataset_hold_obj(dp,
1620 dsl_dir_phys(target)->dd_head_dataset_obj, FTAG, &targetds));
1621 VERIFY0(dsl_dataset_hold_obj(dp,
1622 dsl_dir_phys(origin)->dd_head_dataset_obj, FTAG, &originds));
1623
1624 VERIFY0(dsl_prop_get_dd(origin, zfs_prop_to_name(ZFS_PROP_KEYLOCATION),
1625 1, ZAP_MAXVALUELEN, keylocation, NULL, B_FALSE));
1626 dsl_prop_set_sync_impl(targetds, zfs_prop_to_name(ZFS_PROP_KEYLOCATION),
1627 ZPROP_SRC_LOCAL, 1, strlen(keylocation) + 1, keylocation, tx);
1628 dsl_prop_set_sync_impl(originds, zfs_prop_to_name(ZFS_PROP_KEYLOCATION),
1629 ZPROP_SRC_NONE, 0, 0, NULL, tx);
1630
1631 rw_enter(&dp->dp_spa->spa_keystore.sk_wkeys_lock, RW_WRITER);
1632 spa_keystore_change_key_sync_impl(rddobj, origin->dd_object,
1633 target->dd_object, NULL, tx);
1634 rw_exit(&dp->dp_spa->spa_keystore.sk_wkeys_lock);
1635
1636 dsl_dataset_rele(targetds, FTAG);
1637 dsl_dataset_rele(originds, FTAG);
1638 kmem_free(keylocation, ZAP_MAXVALUELEN);
1639}
1640
1641int
1642dmu_objset_clone_crypt_check(dsl_dir_t *parentdd, dsl_dir_t *origindd)
1643{
1644 int ret;
1645 uint64_t pcrypt, crypt;
1646
1647 /*
1648 * Check that we are not making an unencrypted child of an
1649 * encrypted parent.
1650 */
1651 ret = dsl_dir_get_crypt(parentdd, &pcrypt);
1652 if (ret != 0)
1653 return (ret);
1654
1655 ret = dsl_dir_get_crypt(origindd, &crypt);
1656 if (ret != 0)
1657 return (ret);
1658
1659 ASSERT3U(pcrypt, !=, ZIO_CRYPT_INHERIT);
1660 ASSERT3U(crypt, !=, ZIO_CRYPT_INHERIT);
1661
1662 if (crypt == ZIO_CRYPT_OFF && pcrypt != ZIO_CRYPT_OFF)
1663 return (SET_ERROR(EINVAL));
1664
1665 return (0);
1666}
1667
1668
1669int
1670dmu_objset_create_crypt_check(dsl_dir_t *parentdd, dsl_crypto_params_t *dcp)
1671{
1672 int ret;
1673 uint64_t pcrypt, crypt;
1674
1675 if (dcp->cp_cmd != DCP_CMD_NONE)
1676 return (SET_ERROR(EINVAL));
1677
1678 if (parentdd != NULL) {
1679 ret = dsl_dir_get_crypt(parentdd, &pcrypt);
1680 if (ret != 0)
1681 return (ret);
1682 } else {
1683 pcrypt = ZIO_CRYPT_OFF;
1684 }
1685
1686 crypt = (dcp->cp_crypt == ZIO_CRYPT_INHERIT) ? pcrypt : dcp->cp_crypt;
1687
1688 ASSERT3U(pcrypt, !=, ZIO_CRYPT_INHERIT);
1689 ASSERT3U(crypt, !=, ZIO_CRYPT_INHERIT);
1690
1691 /*
1692 * We can't create an unencrypted child of an encrypted parent
1693 * under any circumstances.
1694 */
1695 if (crypt == ZIO_CRYPT_OFF && pcrypt != ZIO_CRYPT_OFF)
1696 return (SET_ERROR(EINVAL));
1697
1698 /* check for valid dcp with no encryption (inherited or local) */
1699 if (crypt == ZIO_CRYPT_OFF) {
1700 /* Must not specify encryption params */
1701 if (dcp->cp_wkey != NULL ||
1702 (dcp->cp_keylocation != NULL &&
1703 strcmp(dcp->cp_keylocation, "none") != 0))
1704 return (SET_ERROR(EINVAL));
1705
1706 return (0);
1707 }
1708
1709 /*
1710 * We will now definitely be encrypting. Check the feature flag. When
1711 * creating the pool the caller will check this for us since we won't
1712 * technically have the fetaure activated yet.
1713 */
1714 if (parentdd != NULL &&
1715 !spa_feature_is_enabled(parentdd->dd_pool->dp_spa,
1716 SPA_FEATURE_ENCRYPTION)) {
1717 return (SET_ERROR(EOPNOTSUPP));
1718 }
1719
1720 /* handle inheritence */
1721 if (dcp->cp_wkey == NULL) {
1722 ASSERT3P(parentdd, !=, NULL);
1723
1724 /* key must be fully unspecified */
1725 if (dcp->cp_keylocation != NULL)
1726 return (SET_ERROR(EINVAL));
1727
1728 /* parent must have a key to inherit */
1729 if (pcrypt == ZIO_CRYPT_OFF)
1730 return (SET_ERROR(EINVAL));
1731
1732 /* check for parent key */
1733 ret = dmu_objset_check_wkey_loaded(parentdd);
1734 if (ret != 0)
1735 return (ret);
1736
1737 return (0);
1738 }
1739
1740 /* At this point we should have a fully specified key. Check location */
1741 if (dcp->cp_keylocation == NULL ||
1742 !zfs_prop_valid_keylocation(dcp->cp_keylocation, B_TRUE))
1743 return (SET_ERROR(EINVAL));
1744
1745 /* Must have fully specified keyformat */
1746 switch (dcp->cp_wkey->wk_keyformat) {
1747 case ZFS_KEYFORMAT_HEX:
1748 case ZFS_KEYFORMAT_RAW:
1749 /* requires no pbkdf2 iters and salt */
1750 if (dcp->cp_wkey->wk_salt != 0 || dcp->cp_wkey->wk_iters != 0)
1751 return (SET_ERROR(EINVAL));
1752 break;
1753 case ZFS_KEYFORMAT_PASSPHRASE:
1754 /* requires pbkdf2 iters and salt */
1755 if (dcp->cp_wkey->wk_salt == 0 ||
1756 dcp->cp_wkey->wk_iters < MIN_PBKDF2_ITERATIONS)
1757 return (SET_ERROR(EINVAL));
1758 break;
1759 case ZFS_KEYFORMAT_NONE:
1760 default:
1761 /* keyformat must be specified and valid */
1762 return (SET_ERROR(EINVAL));
1763 }
1764
1765 return (0);
1766}
1767
1768void
1769dsl_dataset_create_crypt_sync(uint64_t dsobj, dsl_dir_t *dd,
1770 dsl_dataset_t *origin, dsl_crypto_params_t *dcp, dmu_tx_t *tx)
1771{
1772 dsl_pool_t *dp = dd->dd_pool;
1773 uint64_t crypt;
1774 dsl_wrapping_key_t *wkey;
1775
1776 /* clones always use their origin's wrapping key */
1777 if (dsl_dir_is_clone(dd)) {
1778 ASSERT3P(dcp, ==, NULL);
1779
1780 /*
1781 * If this is an encrypted clone we just need to clone the
1782 * dck into dd. Zapify the dd so we can do that.
1783 */
1784 if (origin->ds_dir->dd_crypto_obj != 0) {
1785 dmu_buf_will_dirty(dd->dd_dbuf, tx);
1786 dsl_dir_zapify(dd, tx);
1787
1788 dd->dd_crypto_obj =
1789 dsl_crypto_key_clone_sync(origin->ds_dir, tx);
1790 VERIFY0(zap_add(dp->dp_meta_objset, dd->dd_object,
1791 DD_FIELD_CRYPTO_KEY_OBJ, sizeof (uint64_t), 1,
1792 &dd->dd_crypto_obj, tx));
1793 }
1794
1795 return;
1796 }
1797
1798 /*
1799 * A NULL dcp at this point indicates this is the origin dataset
1800 * which does not have an objset to encrypt. Raw receives will handle
1801 * encryption seperately later. In both cases we can simply return.
1802 */
1803 if (dcp == NULL || dcp->cp_cmd == DCP_CMD_RAW_RECV)
1804 return;
1805
1806 crypt = dcp->cp_crypt;
1807 wkey = dcp->cp_wkey;
1808
1809 /* figure out the effective crypt */
1810 if (crypt == ZIO_CRYPT_INHERIT && dd->dd_parent != NULL)
1811 VERIFY0(dsl_dir_get_crypt(dd->dd_parent, &crypt));
1812
1813 /* if we aren't doing encryption just return */
1814 if (crypt == ZIO_CRYPT_OFF || crypt == ZIO_CRYPT_INHERIT)
1815 return;
1816
1817 /* zapify the dd so that we can add the crypto key obj to it */
1818 dmu_buf_will_dirty(dd->dd_dbuf, tx);
1819 dsl_dir_zapify(dd, tx);
1820
1821 /* use the new key if given or inherit from the parent */
1822 if (wkey == NULL) {
1823 VERIFY0(spa_keystore_wkey_hold_dd(dp->dp_spa,
1824 dd->dd_parent, FTAG, &wkey));
1825 } else {
1826 wkey->wk_ddobj = dd->dd_object;
1827 }
1828
4807c0ba
TC		 1829 ASSERT3P(wkey, !=, NULL);
1830
b5256303
TC		 1831 /* Create or clone the DSL crypto key and activate the feature */
1832 dd->dd_crypto_obj = dsl_crypto_key_create_sync(crypt, wkey, tx);
1833 VERIFY0(zap_add(dp->dp_meta_objset, dd->dd_object,
1834 DD_FIELD_CRYPTO_KEY_OBJ, sizeof (uint64_t), 1, &dd->dd_crypto_obj,
1835 tx));
1836 dsl_dataset_activate_feature(dsobj, SPA_FEATURE_ENCRYPTION, tx);
1837
1838 /*
1839 * If we inherited the wrapping key we release our reference now.
1840 * Otherwise, this is a new key and we need to load it into the
1841 * keystore.
1842 */
1843 if (dcp->cp_wkey == NULL) {
1844 dsl_wrapping_key_rele(wkey, FTAG);
1845 } else {
1846 VERIFY0(spa_keystore_load_wkey_impl(dp->dp_spa, wkey));
1847 }
1848}
1849
1850typedef struct dsl_crypto_recv_key_arg {
1851 uint64_t dcrka_dsobj;
1852 nvlist_t *dcrka_nvl;
1853 dmu_objset_type_t dcrka_ostype;
1854} dsl_crypto_recv_key_arg_t;
1855
1856int
1857dsl_crypto_recv_key_check(void *arg, dmu_tx_t *tx)
1858{
1859 int ret;
1860 objset_t *mos = tx->tx_pool->dp_meta_objset;
1861 objset_t *os;
1862 dnode_t *mdn;
1863 dsl_crypto_recv_key_arg_t *dcrka = arg;
1864 nvlist_t *nvl = dcrka->dcrka_nvl;
1865 dsl_dataset_t *ds = NULL;
1866 uint8_t *buf = NULL;
1867 uint_t len;
1868 uint64_t intval, guid, nlevels, blksz, ibs, nblkptr;
1869 boolean_t is_passphrase = B_FALSE;
1870
1871 ret = dsl_dataset_hold_obj(tx->tx_pool, dcrka->dcrka_dsobj, FTAG, &ds);
1872 if (ret != 0)
1873 goto error;
1874
1875 ASSERT(dsl_dataset_phys(ds)->ds_flags & DS_FLAG_INCONSISTENT);
1876
1877 /*
1878 * Read and check all the encryption values from the nvlist. We need
1879 * all of the fields of a DSL Crypto Key, as well as a fully specified
1880 * wrapping key.
1881 */
1882 ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE, &intval);
1883 if (ret != 0 || intval >= ZIO_CRYPT_FUNCTIONS ||
1884 intval <= ZIO_CRYPT_OFF) {
1885 ret = SET_ERROR(EINVAL);
1886 goto error;
1887 }
1888
1889 ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_GUID, &intval);
1890 if (ret != 0) {
1891 ret = SET_ERROR(EINVAL);
1892 goto error;
1893 }
1894
1895 /*
1896 * If this is an incremental receive make sure the given key guid
1897 * matches the one we already have.
1898 */
1899 if (ds->ds_dir->dd_crypto_obj != 0) {
1900 ret = zap_lookup(mos, ds->ds_dir->dd_crypto_obj,
1901 DSL_CRYPTO_KEY_GUID, 8, 1, &guid);
1902 if (ret != 0)
1903 goto error;
1904
1905 if (intval != guid) {
1906 ret = SET_ERROR(EACCES);
1907 goto error;
1908 }
1909 }
1910
1911 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY,
1912 &buf, &len);
1913 if (ret != 0 || len != MASTER_KEY_MAX_LEN) {
1914 ret = SET_ERROR(EINVAL);
1915 goto error;
1916 }
1917
1918 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY,
1919 &buf, &len);
1920 if (ret != 0 || len != SHA512_HMAC_KEYLEN) {
1921 ret = SET_ERROR(EINVAL);
1922 goto error;
1923 }
1924
1925 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_IV, &buf, &len);
1926 if (ret != 0 || len != WRAPPING_IV_LEN) {
1927 ret = SET_ERROR(EINVAL);
1928 goto error;
1929 }
1930
1931 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, &buf, &len);
1932 if (ret != 0 || len != WRAPPING_MAC_LEN) {
1933 ret = SET_ERROR(EINVAL);
1934 goto error;
1935 }
1936
1937
1938 ret = nvlist_lookup_uint8_array(nvl, "portable_mac", &buf, &len);
1939 if (ret != 0 || len != ZIO_OBJSET_MAC_LEN) {
1940 ret = SET_ERROR(EINVAL);
1941 goto error;
1942 }
1943
1944 ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_KEYFORMAT),
1945 &intval);
1946 if (ret != 0 || intval >= ZFS_KEYFORMAT_FORMATS ||
1947 intval == ZFS_KEYFORMAT_NONE) {
1948 ret = SET_ERROR(EINVAL);
1949 goto error;
1950 }
1951
1952 is_passphrase = (intval == ZFS_KEYFORMAT_PASSPHRASE);
1953
1954 /*
1955 * for raw receives we allow any number of pbkdf2iters since there
1956 * won't be a chance for the user to change it.
1957 */
1958 ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS),
1959 &intval);
1960 if (ret != 0 || (is_passphrase == (intval == 0))) {
1961 ret = SET_ERROR(EINVAL);
1962 goto error;
1963 }
1964
1965 ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT),
1966 &intval);
1967 if (ret != 0 || (is_passphrase == (intval == 0))) {
1968 ret = SET_ERROR(EINVAL);
1969 goto error;
1970 }
1971
1972 /* raw receives also need info about the structure of the metadnode */
1973 ret = nvlist_lookup_uint64(nvl, "mdn_checksum", &intval);
1974 if (ret != 0 || intval >= ZIO_CHECKSUM_LEGACY_FUNCTIONS) {
1975 ret = SET_ERROR(EINVAL);
1976 goto error;
1977 }
1978
1979 ret = nvlist_lookup_uint64(nvl, "mdn_compress", &intval);
1980 if (ret != 0 || intval >= ZIO_COMPRESS_LEGACY_FUNCTIONS) {
1981 ret = SET_ERROR(EINVAL);
1982 goto error;
1983 }
1984
1985 ret = nvlist_lookup_uint64(nvl, "mdn_nlevels", &nlevels);
1986 if (ret != 0 || nlevels > DN_MAX_LEVELS) {
1987 ret = SET_ERROR(EINVAL);
1988 goto error;
1989 }
1990
1991 ret = nvlist_lookup_uint64(nvl, "mdn_blksz", &blksz);
1992 if (ret != 0 || blksz < SPA_MINBLOCKSIZE) {
1993 ret = SET_ERROR(EINVAL);
1994 goto error;
1995 } else if (blksz > spa_maxblocksize(tx->tx_pool->dp_spa)) {
1996 ret = SET_ERROR(ENOTSUP);
1997 goto error;
1998 }
1999
2000 ret = nvlist_lookup_uint64(nvl, "mdn_indblkshift", &ibs);
2001 if (ret != 0 || ibs < DN_MIN_INDBLKSHIFT ||
2002 ibs > DN_MAX_INDBLKSHIFT) {
2003 ret = SET_ERROR(ENOTSUP);
2004 goto error;
2005 }
2006
2007 ret = nvlist_lookup_uint64(nvl, "mdn_nblkptr", &nblkptr);
2008 if (ret != 0 || nblkptr != DN_MAX_NBLKPTR) {
2009 ret = SET_ERROR(ENOTSUP);
2010 goto error;
2011 }
2012
2013 ret = dmu_objset_from_ds(ds, &os);
2014 if (ret != 0)
2015 goto error;
2016
2017 /*
2018 * Useraccounting is not portable and must be done with the keys loaded.
2019 * Therefore, whenever we do any kind of receive the useraccounting
2020 * must not be present.
2021 */
2022 ASSERT0(os->os_flags & OBJSET_FLAG_USERACCOUNTING_COMPLETE);
2023 ASSERT0(os->os_flags & OBJSET_FLAG_USEROBJACCOUNTING_COMPLETE);
2024
2025 mdn = DMU_META_DNODE(os);
2026
2027 /*
2028 * If we already created the objset, make sure its unchangable
2029 * properties match the ones received in the nvlist.
2030 */
2031 rrw_enter(&ds->ds_bp_rwlock, RW_READER, FTAG);
2032 if (!BP_IS_HOLE(dsl_dataset_get_blkptr(ds)) &&
2033 (mdn->dn_nlevels != nlevels || mdn->dn_datablksz != blksz ||
2034 mdn->dn_indblkshift != ibs || mdn->dn_nblkptr != nblkptr)) {
2035 ret = SET_ERROR(EINVAL);
2036 goto error;
2037 }
2038 rrw_exit(&ds->ds_bp_rwlock, FTAG);
2039
2040 dsl_dataset_rele(ds, FTAG);
2041 return (0);
2042
2043error:
2044 if (ds != NULL)
2045 dsl_dataset_rele(ds, FTAG);
2046 return (ret);
2047}
2048
2049static void
2050dsl_crypto_recv_key_sync(void *arg, dmu_tx_t *tx)
2051{
2052 dsl_crypto_recv_key_arg_t *dcrka = arg;
2053 uint64_t dsobj = dcrka->dcrka_dsobj;
2054 nvlist_t *nvl = dcrka->dcrka_nvl;
2055 dsl_pool_t *dp = tx->tx_pool;
2056 objset_t *mos = dp->dp_meta_objset;
2057 dsl_dataset_t *ds;
2058 objset_t *os;
2059 dnode_t *mdn;
2060 uint8_t *keydata, *hmac_keydata, *iv, *mac, *portable_mac;
2061 uint_t len;
2062 uint64_t rddobj, one = 1;
2063 uint64_t crypt, guid, keyformat, iters, salt;
2064 uint64_t compress, checksum, nlevels, blksz, ibs;
2065 char *keylocation = "prompt";
2066
2067 VERIFY0(dsl_dataset_hold_obj(dp, dsobj, FTAG, &ds));
2068 VERIFY0(dmu_objset_from_ds(ds, &os));
2069 mdn = DMU_META_DNODE(os);
2070
2071 /* lookup the values we need to create the DSL Crypto Key and objset */
2072 crypt = fnvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE);
2073 guid = fnvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_GUID);
2074 keyformat = fnvlist_lookup_uint64(nvl,
2075 zfs_prop_to_name(ZFS_PROP_KEYFORMAT));
2076 iters = fnvlist_lookup_uint64(nvl,
2077 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS));
2078 salt = fnvlist_lookup_uint64(nvl,
2079 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT));
2080 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY,
2081 &keydata, &len));
2082 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY,
2083 &hmac_keydata, &len));
2084 VERIFY0(nvlist_lookup_uint8_array(nvl, "portable_mac", &portable_mac,
2085 &len));
2086 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_IV, &iv, &len));
2087 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, &mac, &len));
2088 compress = fnvlist_lookup_uint64(nvl, "mdn_compress");
2089 checksum = fnvlist_lookup_uint64(nvl, "mdn_checksum");
2090 nlevels = fnvlist_lookup_uint64(nvl, "mdn_nlevels");
2091 blksz = fnvlist_lookup_uint64(nvl, "mdn_blksz");
2092 ibs = fnvlist_lookup_uint64(nvl, "mdn_indblkshift");
2093
2094 /* if we haven't created an objset for the ds yet, do that now */
2095 rrw_enter(&ds->ds_bp_rwlock, RW_READER, FTAG);
2096 if (BP_IS_HOLE(dsl_dataset_get_blkptr(ds))) {
2097 (void) dmu_objset_create_impl_dnstats(dp->dp_spa, ds,
2098 dsl_dataset_get_blkptr(ds), dcrka->dcrka_ostype, nlevels,
2099 blksz, ibs, tx);
2100 }
2101 rrw_exit(&ds->ds_bp_rwlock, FTAG);
2102
2103 /*
2104 * Set the portable MAC. The local MAC will always be zero since the
2105 * incoming data will all be portable and user accounting will be
2106 * deferred until the next mount. Afterwards, flag the os to be
2107 * written out raw next time.
2108 */
2109 arc_release(os->os_phys_buf, &os->os_phys_buf);
2110 bcopy(portable_mac, os->os_phys->os_portable_mac, ZIO_OBJSET_MAC_LEN);
2111 bzero(os->os_phys->os_local_mac, ZIO_OBJSET_MAC_LEN);
2112 os->os_next_write_raw = B_TRUE;
2113
2114 /* set metadnode compression and checksum */
2115 mdn->dn_compress = compress;
2116 mdn->dn_checksum = checksum;
2117 dsl_dataset_dirty(ds, tx);
2118
2119 /* if this is a new dataset setup the DSL Crypto Key. */
2120 if (ds->ds_dir->dd_crypto_obj == 0) {
2121 /* zapify the dsl dir so we can add the key object to it */
2122 dmu_buf_will_dirty(ds->ds_dir->dd_dbuf, tx);
2123 dsl_dir_zapify(ds->ds_dir, tx);
2124
2125 /* create the DSL Crypto Key on disk and activate the feature */
2126 ds->ds_dir->dd_crypto_obj = zap_create(mos,
2127 DMU_OTN_ZAP_METADATA, DMU_OT_NONE, 0, tx);
2128 VERIFY0(zap_update(tx->tx_pool->dp_meta_objset,
2129 ds->ds_dir->dd_crypto_obj, DSL_CRYPTO_KEY_REFCOUNT,
2130 sizeof (uint64_t), 1, &one, tx));
2131
2132 dsl_dataset_activate_feature(dsobj, SPA_FEATURE_ENCRYPTION, tx);
2133 ds->ds_feature_inuse[SPA_FEATURE_ENCRYPTION] = B_TRUE;
2134
2135 /* save the dd_crypto_obj on disk */
2136 VERIFY0(zap_add(mos, ds->ds_dir->dd_object,
2137 DD_FIELD_CRYPTO_KEY_OBJ, sizeof (uint64_t), 1,
2138 &ds->ds_dir->dd_crypto_obj, tx));
2139
2140 /*
2141 * Set the keylocation to prompt by default. If keylocation
2142 * has been provided via the properties, this will be overriden
2143 * later.
2144 */
2145 dsl_prop_set_sync_impl(ds,
2146 zfs_prop_to_name(ZFS_PROP_KEYLOCATION),
2147 ZPROP_SRC_LOCAL, 1, strlen(keylocation) + 1,
2148 keylocation, tx);
2149
2150 rddobj = ds->ds_dir->dd_object;
2151 } else {
2152 VERIFY0(dsl_dir_get_encryption_root_ddobj(ds->ds_dir, &rddobj));
2153 }
2154
2155 /* sync the key data to the ZAP object on disk */
2156 dsl_crypto_key_sync_impl(mos, ds->ds_dir->dd_crypto_obj, crypt,
2157 rddobj, guid, iv, mac, keydata, hmac_keydata, keyformat, salt,
2158 iters, tx);
2159
2160 dsl_dataset_rele(ds, FTAG);
2161}
2162
2163/*
2164 * This function is used to sync an nvlist representing a DSL Crypto Key and
2165 * the associated encryption parameters. The key will be written exactly as is
2166 * without wrapping it.
2167 */
2168int
2169dsl_crypto_recv_key(const char *poolname, uint64_t dsobj,
2170 dmu_objset_type_t ostype, nvlist_t *nvl)
2171{
2172 dsl_crypto_recv_key_arg_t dcrka;
2173
2174 dcrka.dcrka_dsobj = dsobj;
2175 dcrka.dcrka_nvl = nvl;
2176 dcrka.dcrka_ostype = ostype;
2177
2178 return (dsl_sync_task(poolname, dsl_crypto_recv_key_check,
2179 dsl_crypto_recv_key_sync, &dcrka, 1, ZFS_SPACE_CHECK_NORMAL));
2180}
2181
2182int
2183dsl_crypto_populate_key_nvlist(dsl_dataset_t *ds, nvlist_t **nvl_out)
2184{
2185 int ret;
2186 objset_t *os;
2187 dnode_t *mdn;
2188 uint64_t rddobj;
2189 nvlist_t *nvl = NULL;
2190 uint64_t dckobj = ds->ds_dir->dd_crypto_obj;
2191 dsl_pool_t *dp = ds->ds_dir->dd_pool;
2192 objset_t *mos = dp->dp_meta_objset;
2193 uint64_t crypt = 0, guid = 0, format = 0, iters = 0, salt = 0;
2194 uint8_t raw_keydata[MASTER_KEY_MAX_LEN];
2195 uint8_t raw_hmac_keydata[SHA512_HMAC_KEYLEN];
2196 uint8_t iv[WRAPPING_IV_LEN];
2197 uint8_t mac[WRAPPING_MAC_LEN];
2198
2199 ASSERT(dckobj != 0);
2200
2201 VERIFY0(dmu_objset_from_ds(ds, &os));
2202 mdn = DMU_META_DNODE(os);
2203
2204 ret = nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP);
2205 if (ret != 0)
2206 goto error;
2207
2208 /* lookup values from the DSL Crypto Key */
2209 ret = dsl_dir_get_encryption_root_ddobj(ds->ds_dir, &rddobj);
2210 if (ret != 0)
2211 goto error;
2212
2213 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1,
2214 &crypt);
2215 if (ret != 0)
2216 goto error;
2217
2218 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_GUID, 8, 1, &guid);
2219 if (ret != 0)
2220 goto error;
2221
2222 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MASTER_KEY, 1,
2223 MASTER_KEY_MAX_LEN, raw_keydata);
2224 if (ret != 0)
2225 goto error;
2226
2227 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_HMAC_KEY, 1,
2228 SHA512_HMAC_KEYLEN, raw_hmac_keydata);
2229 if (ret != 0)
2230 goto error;
2231
2232 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_IV, 1, WRAPPING_IV_LEN,
2233 iv);
2234 if (ret != 0)
2235 goto error;
2236
2237 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MAC, 1, WRAPPING_MAC_LEN,
2238 mac);
2239 if (ret != 0)
2240 goto error;
2241
2242 /* lookup wrapping key properties */
2243 ret = zap_lookup(dp->dp_meta_objset, dckobj,
2244 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 8, 1, &format);
2245 if (ret != 0)
2246 goto error;
2247
2248 if (format == ZFS_KEYFORMAT_PASSPHRASE) {
2249 ret = zap_lookup(dp->dp_meta_objset, dckobj,
2250 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 8, 1, &iters);
2251 if (ret != 0)
2252 goto error;
2253
2254 ret = zap_lookup(dp->dp_meta_objset, dckobj,
2255 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 8, 1, &salt);
2256 if (ret != 0)
2257 goto error;
2258 }
2259
2260 fnvlist_add_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE, crypt);
2261 fnvlist_add_uint64(nvl, DSL_CRYPTO_KEY_GUID, guid);
2262 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY,
2263 raw_keydata, MASTER_KEY_MAX_LEN));
2264 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY,
2265 raw_hmac_keydata, SHA512_HMAC_KEYLEN));
2266 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_IV, iv,
2267 WRAPPING_IV_LEN));
2268 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, mac,
2269 WRAPPING_MAC_LEN));
2270 VERIFY0(nvlist_add_uint8_array(nvl, "portable_mac",
2271 os->os_phys->os_portable_mac, ZIO_OBJSET_MAC_LEN));
2272 fnvlist_add_uint64(nvl, zfs_prop_to_name(ZFS_PROP_KEYFORMAT), format);
2273 fnvlist_add_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), iters);
2274 fnvlist_add_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), salt);
2275 fnvlist_add_uint64(nvl, "mdn_checksum", mdn->dn_checksum);
2276 fnvlist_add_uint64(nvl, "mdn_compress", mdn->dn_compress);
2277 fnvlist_add_uint64(nvl, "mdn_nlevels", mdn->dn_nlevels);
2278 fnvlist_add_uint64(nvl, "mdn_blksz", mdn->dn_datablksz);
2279 fnvlist_add_uint64(nvl, "mdn_indblkshift", mdn->dn_indblkshift);
2280 fnvlist_add_uint64(nvl, "mdn_nblkptr", mdn->dn_nblkptr);
2281
2282 *nvl_out = nvl;
2283 return (0);
2284
2285error:
2286 nvlist_free(nvl);
2287
2288 *nvl_out = NULL;
2289 return (ret);
2290}
2291
2292uint64_t
2293dsl_crypto_key_create_sync(uint64_t crypt, dsl_wrapping_key_t *wkey,
2294 dmu_tx_t *tx)
2295{
2296 dsl_crypto_key_t dck;
2297 uint64_t one = 1;
2298
2299 ASSERT(dmu_tx_is_syncing(tx));
2300 ASSERT3U(crypt, <, ZIO_CRYPT_FUNCTIONS);
2301 ASSERT3U(crypt, >, ZIO_CRYPT_OFF);
2302
2303 /* create the DSL Crypto Key ZAP object */
2304 dck.dck_obj = zap_create(tx->tx_pool->dp_meta_objset,
2305 DMU_OTN_ZAP_METADATA, DMU_OT_NONE, 0, tx);
2306
2307 /* fill in the key (on the stack) and sync it to disk */
2308 dck.dck_wkey = wkey;
2309 VERIFY0(zio_crypt_key_init(crypt, &dck.dck_key));
2310
2311 dsl_crypto_key_sync(&dck, tx);
2312 VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, dck.dck_obj,
2313 DSL_CRYPTO_KEY_REFCOUNT, sizeof (uint64_t), 1, &one, tx));
2314
2315 zio_crypt_key_destroy(&dck.dck_key);
2316 bzero(&dck.dck_key, sizeof (zio_crypt_key_t));
2317
2318 return (dck.dck_obj);
2319}
2320
2321uint64_t
2322dsl_crypto_key_clone_sync(dsl_dir_t *origindd, dmu_tx_t *tx)
2323{
2324 objset_t *mos = tx->tx_pool->dp_meta_objset;
2325
2326 ASSERT(dmu_tx_is_syncing(tx));
2327
2328 VERIFY0(zap_increment(mos, origindd->dd_crypto_obj,
2329 DSL_CRYPTO_KEY_REFCOUNT, 1, tx));
2330
2331 return (origindd->dd_crypto_obj);
2332}
2333
2334void
2335dsl_crypto_key_destroy_sync(uint64_t dckobj, dmu_tx_t *tx)
2336{
2337 objset_t *mos = tx->tx_pool->dp_meta_objset;
2338 uint64_t refcnt;
2339
2340 /* Decrement the refcount, destroy if this is the last reference */
2341 VERIFY0(zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_REFCOUNT,
2342 sizeof (uint64_t), 1, &refcnt));
2343
2344 if (refcnt != 1) {
2345 VERIFY0(zap_increment(mos, dckobj, DSL_CRYPTO_KEY_REFCOUNT,
2346 -1, tx));
2347 } else {
2348 VERIFY0(zap_destroy(mos, dckobj, tx));
2349 }
2350}
2351
2352void
2353dsl_dataset_crypt_stats(dsl_dataset_t *ds, nvlist_t *nv)
2354{
2355 uint64_t intval;
2356 dsl_dir_t *dd = ds->ds_dir;
2357 dsl_dir_t *enc_root;
2358 char buf[ZFS_MAX_DATASET_NAME_LEN];
2359
2360 if (dd->dd_crypto_obj == 0)
2361 return;
2362
2363 intval = dsl_dataset_get_keystatus(dd);
2364 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_KEYSTATUS, intval);
2365
2366 if (dsl_dir_get_crypt(dd, &intval) == 0)
2367 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_ENCRYPTION, intval);
2368 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj,
2369 DSL_CRYPTO_KEY_GUID, 8, 1, &intval) == 0) {
2370 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_KEY_GUID, intval);
2371 }
2372 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj,
2373 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 8, 1, &intval) == 0) {
2374 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_KEYFORMAT, intval);
2375 }
2376 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj,
2377 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 8, 1, &intval) == 0) {
2378 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_PBKDF2_SALT, intval);
2379 }
2380 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj,
2381 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 8, 1, &intval) == 0) {
2382 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_PBKDF2_ITERS, intval);
2383 }
2384
2385 if (dsl_dir_get_encryption_root_ddobj(dd, &intval) == 0) {
2386 VERIFY0(dsl_dir_hold_obj(dd->dd_pool, intval, NULL, FTAG,
2387 &enc_root));
2388 dsl_dir_name(enc_root, buf);
2389 dsl_dir_rele(enc_root, FTAG);
2390 dsl_prop_nvlist_add_string(nv, ZFS_PROP_ENCRYPTION_ROOT, buf);
2391 }
2392}
2393
2394int
2395spa_crypt_get_salt(spa_t *spa, uint64_t dsobj, uint8_t *salt)
2396{
2397 int ret;
2398 dsl_crypto_key_t *dck = NULL;
2399
2400 /* look up the key from the spa's keystore */
2401 ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck);
2402 if (ret != 0)
2403 goto error;
2404
2405 ret = zio_crypt_key_get_salt(&dck->dck_key, salt);
2406 if (ret != 0)
2407 goto error;
2408
2409 spa_keystore_dsl_key_rele(spa, dck, FTAG);
2410 return (0);
2411
2412error:
2413 if (dck != NULL)
2414 spa_keystore_dsl_key_rele(spa, dck, FTAG);
2415 return (ret);
2416}
2417
2418/*
2419 * Objset blocks are a special case for MAC generation. These blocks have 2
2420 * 256-bit MACs which are embedded within the block itself, rather than a
2421 * single 128 bit MAC. As a result, this function handles encoding and decoding
2422 * the MACs on its own, unlike other functions in this file.
2423 */
2424int
2425spa_do_crypt_objset_mac_abd(boolean_t generate, spa_t *spa, uint64_t dsobj,
2426 abd_t *abd, uint_t datalen, boolean_t byteswap)
2427{
2428 int ret;
2429 dsl_crypto_key_t *dck = NULL;
2430 void *buf = abd_borrow_buf_copy(abd, datalen);
2431 objset_phys_t *osp = buf;
2432 uint8_t portable_mac[ZIO_OBJSET_MAC_LEN];
2433 uint8_t local_mac[ZIO_OBJSET_MAC_LEN];
2434
2435 /* look up the key from the spa's keystore */
2436 ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck);
2437 if (ret != 0)
2438 goto error;
2439
2440 /* calculate both HMACs */
2441 ret = zio_crypt_do_objset_hmacs(&dck->dck_key, buf, datalen,
2442 byteswap, portable_mac, local_mac);
2443 if (ret != 0)
2444 goto error;
2445
2446 spa_keystore_dsl_key_rele(spa, dck, FTAG);
2447
2448 /* if we are generating encode the HMACs in the objset_phys_t */
2449 if (generate) {
2450 bcopy(portable_mac, osp->os_portable_mac, ZIO_OBJSET_MAC_LEN);
2451 bcopy(local_mac, osp->os_local_mac, ZIO_OBJSET_MAC_LEN);
2452 abd_return_buf_copy(abd, buf, datalen);
2453 return (0);
2454 }
2455
2456 if (bcmp(portable_mac, osp->os_portable_mac, ZIO_OBJSET_MAC_LEN) != 0 ||
2457 bcmp(local_mac, osp->os_local_mac, ZIO_OBJSET_MAC_LEN) != 0) {
2458 abd_return_buf(abd, buf, datalen);
2459 return (SET_ERROR(ECKSUM));
2460 }
2461
2462 abd_return_buf(abd, buf, datalen);
2463
2464 return (0);
2465
2466error:
2467 if (dck != NULL)
2468 spa_keystore_dsl_key_rele(spa, dck, FTAG);
2469 abd_return_buf(abd, buf, datalen);
2470 return (ret);
2471}
2472
2473int
2474spa_do_crypt_mac_abd(boolean_t generate, spa_t *spa, uint64_t dsobj, abd_t *abd,
2475 uint_t datalen, uint8_t *mac)
2476{
2477 int ret;
2478 dsl_crypto_key_t *dck = NULL;
2479 uint8_t *buf = abd_borrow_buf_copy(abd, datalen);
2480 uint8_t digestbuf[ZIO_DATA_MAC_LEN];
2481
2482 /* look up the key from the spa's keystore */
2483 ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck);
2484 if (ret != 0)
2485 goto error;
2486
2487 /* perform the hmac */
4807c0ba
TC		 2488 ret = zio_crypt_do_hmac(&dck->dck_key, buf, datalen,
2489 digestbuf, ZIO_DATA_MAC_LEN);
b5256303
TC		 2490 if (ret != 0)
2491 goto error;
2492
2493 abd_return_buf(abd, buf, datalen);
2494 spa_keystore_dsl_key_rele(spa, dck, FTAG);
2495
2496 /*
2497 * Truncate and fill in mac buffer if we were asked to generate a MAC.
2498 * Otherwise verify that the MAC matched what we expected.
2499 */
2500 if (generate) {
2501 bcopy(digestbuf, mac, ZIO_DATA_MAC_LEN);
2502 return (0);
2503 }
2504
2505 if (bcmp(digestbuf, mac, ZIO_DATA_MAC_LEN) != 0)
2506 return (SET_ERROR(ECKSUM));
2507
2508 return (0);
2509
2510error:
2511 if (dck != NULL)
2512 spa_keystore_dsl_key_rele(spa, dck, FTAG);
2513 abd_return_buf(abd, buf, datalen);
2514 return (ret);
2515}
2516
2517/*
2518 * This function serves as a multiplexer for encryption and decryption of
2519 * all blocks (except the L2ARC). For encryption, it will populate the IV,
2520 * salt, MAC, and cabd (the ciphertext). On decryption it will simply use
2521 * these fields to populate pabd (the plaintext).
2522 */
2523int
2524spa_do_crypt_abd(boolean_t encrypt, spa_t *spa, uint64_t dsobj,
2525 const blkptr_t *bp, uint64_t txgid, uint_t datalen, abd_t *pabd,
2526 abd_t *cabd, uint8_t *iv, uint8_t *mac, uint8_t *salt, boolean_t *no_crypt)
2527{
2528 int ret;
2529 dmu_object_type_t ot = BP_GET_TYPE(bp);
2530 dsl_crypto_key_t *dck = NULL;
2531 uint8_t *plainbuf = NULL, *cipherbuf = NULL;
2532
2533 ASSERT(spa_feature_is_active(spa, SPA_FEATURE_ENCRYPTION));
2534 ASSERT(!BP_IS_EMBEDDED(bp));
2535 ASSERT(BP_IS_ENCRYPTED(bp));
2536
2537 /* look up the key from the spa's keystore */
2538 ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck);
2539 if (ret != 0)
2540 return (ret);
2541
2542 if (encrypt) {
2543 plainbuf = abd_borrow_buf_copy(pabd, datalen);
2544 cipherbuf = abd_borrow_buf(cabd, datalen);
2545 } else {
2546 plainbuf = abd_borrow_buf(pabd, datalen);
2547 cipherbuf = abd_borrow_buf_copy(cabd, datalen);
2548 }
2549
2550 /*
2551 * Both encryption and decryption functions need a salt for key
2552 * generation and an IV. When encrypting a non-dedup block, we
2553 * generate the salt and IV randomly to be stored by the caller. Dedup
2554 * blocks perform a (more expensive) HMAC of the plaintext to obtain
2555 * the salt and the IV. ZIL blocks have their salt and IV generated
2556 * at allocation time in zio_alloc_zil(). On decryption, we simply use
2557 * the provided values.
2558 */
2559 if (encrypt && ot != DMU_OT_INTENT_LOG && !BP_GET_DEDUP(bp)) {
2560 ret = zio_crypt_key_get_salt(&dck->dck_key, salt);
2561 if (ret != 0)
2562 goto error;
2563
2564 ret = zio_crypt_generate_iv(iv);
2565 if (ret != 0)
2566 goto error;
2567 } else if (encrypt && BP_GET_DEDUP(bp)) {
2568 ret = zio_crypt_generate_iv_salt_dedup(&dck->dck_key,
2569 plainbuf, datalen, iv, salt);
2570 if (ret != 0)
2571 goto error;
2572 }
2573
2574 /* call lower level function to perform encryption / decryption */
2575 ret = zio_do_crypt_data(encrypt, &dck->dck_key, salt, ot, iv, mac,
2576 datalen, BP_SHOULD_BYTESWAP(bp), plainbuf, cipherbuf, no_crypt);
2577 if (ret != 0)
2578 goto error;
2579
2580 if (encrypt) {
2581 abd_return_buf(pabd, plainbuf, datalen);
2582 abd_return_buf_copy(cabd, cipherbuf, datalen);
2583 } else {
2584 abd_return_buf_copy(pabd, plainbuf, datalen);
2585 abd_return_buf(cabd, cipherbuf, datalen);
2586 }
2587
2588 spa_keystore_dsl_key_rele(spa, dck, FTAG);
2589
2590 return (0);
2591
2592error:
2593 if (encrypt) {
2594 /* zero out any state we might have changed while encrypting */
2595 bzero(salt, ZIO_DATA_SALT_LEN);
2596 bzero(iv, ZIO_DATA_IV_LEN);
2597 bzero(mac, ZIO_DATA_MAC_LEN);
2598 abd_return_buf(pabd, plainbuf, datalen);
2599 abd_return_buf_copy(cabd, cipherbuf, datalen);
2600 } else {
2601 abd_return_buf_copy(pabd, plainbuf, datalen);
2602 abd_return_buf(cabd, cipherbuf, datalen);
2603 }
2604
4807c0ba 2605 spa_keystore_dsl_key_rele(spa, dck, FTAG);
b5256303
TC		 2606
2607 return (ret);
2608}
ZFS On Linux mirror for PVE