1 /* 2 * CDDL HEADER START 3 * 4 * This file and its contents are supplied under the terms of the 5 * Common Development and Distribution License ("CDDL"), version 1.0. 6 * You may only use this file in accordance with the terms of version 7 * 1.0 of the CDDL. 8 * 9 * A full copy of the text of the CDDL should have accompanied this 10 * source. A copy of the CDDL is also available via the Internet at 11 * http://www.illumos.org/license/CDDL. 12 * 13 * CDDL HEADER END 14 */ 15 16 /* 17 * Copyright (c) 2017, Datto, Inc. All rights reserved. 18 * Copyright (c) 2018 by Delphix. All rights reserved. 19 */ 20 21 #include <sys/dsl_crypt.h> 22 #include <sys/dsl_pool.h> 23 #include <sys/zap.h> 24 #include <sys/zil.h> 25 #include <sys/dsl_dir.h> 26 #include <sys/dsl_prop.h> 27 #include <sys/spa_impl.h> 28 #include <sys/dmu_objset.h> 29 #include <sys/zvol.h> 30 31 /* 32 * This file's primary purpose is for managing master encryption keys in 33 * memory and on disk. For more info on how these keys are used, see the 34 * block comment in zio_crypt.c. 35 * 36 * All master keys are stored encrypted on disk in the form of the DSL 37 * Crypto Key ZAP object. The binary key data in this object is always 38 * randomly generated and is encrypted with the user's wrapping key. This 39 * layer of indirection allows the user to change their key without 40 * needing to re-encrypt the entire dataset. The ZAP also holds on to the 41 * (non-encrypted) encryption algorithm identifier, IV, and MAC needed to 42 * safely decrypt the master key. For more info on the user's key see the 43 * block comment in libzfs_crypto.c 44 * 45 * In-memory encryption keys are managed through the spa_keystore. The 46 * keystore consists of 3 AVL trees, which are as follows: 47 * 48 * The Wrapping Key Tree: 49 * The wrapping key (wkey) tree stores the user's keys that are fed into the 50 * kernel through 'zfs load-key' and related commands. Datasets inherit their 51 * parent's wkey by default, so these structures are refcounted. The wrapping 52 * keys remain in memory until they are explicitly unloaded (with 53 * "zfs unload-key"). Unloading is only possible when no datasets are using 54 * them (refcount=0). 55 * 56 * The DSL Crypto Key Tree: 57 * The DSL Crypto Keys (DCK) are the in-memory representation of decrypted 58 * master keys. They are used by the functions in zio_crypt.c to perform 59 * encryption, decryption, and authentication. Snapshots and clones of a given 60 * dataset will share a DSL Crypto Key, so they are also refcounted. Once the 61 * refcount on a key hits zero, it is immediately zeroed out and freed. 62 * 63 * The Crypto Key Mapping Tree: 64 * The zio layer needs to lookup master keys by their dataset object id. Since 65 * the DSL Crypto Keys can belong to multiple datasets, we maintain a tree of 66 * dsl_key_mapping_t's which essentially just map the dataset object id to its 67 * appropriate DSL Crypto Key. The management for creating and destroying these 68 * mappings hooks into the code for owning and disowning datasets. Usually, 69 * there will only be one active dataset owner, but there are times 70 * (particularly during dataset creation and destruction) when this may not be 71 * true or the dataset may not be initialized enough to own. As a result, this 72 * object is also refcounted. 73 */ 74 75 /* 76 * This tunable allows datasets to be raw received even if the stream does 77 * not include IVset guids or if the guids don't match. This is used as part 78 * of the resolution for ZPOOL_ERRATA_ZOL_8308_ENCRYPTION. 79 */ 80 int zfs_disable_ivset_guid_check = 0; 81 82 static void 83 dsl_wrapping_key_hold(dsl_wrapping_key_t *wkey, void *tag) 84 { 85 (void) zfs_refcount_add(&wkey->wk_refcnt, tag); 86 } 87 88 static void 89 dsl_wrapping_key_rele(dsl_wrapping_key_t *wkey, void *tag) 90 { 91 (void) zfs_refcount_remove(&wkey->wk_refcnt, tag); 92 } 93 94 static void 95 dsl_wrapping_key_free(dsl_wrapping_key_t *wkey) 96 { 97 ASSERT0(zfs_refcount_count(&wkey->wk_refcnt)); 98 99 if (wkey->wk_key.ck_data) { 100 bzero(wkey->wk_key.ck_data, 101 CRYPTO_BITS2BYTES(wkey->wk_key.ck_length)); 102 kmem_free(wkey->wk_key.ck_data, 103 CRYPTO_BITS2BYTES(wkey->wk_key.ck_length)); 104 } 105 106 zfs_refcount_destroy(&wkey->wk_refcnt); 107 kmem_free(wkey, sizeof (dsl_wrapping_key_t)); 108 } 109 110 static void 111 dsl_wrapping_key_create(uint8_t *wkeydata, zfs_keyformat_t keyformat, 112 uint64_t salt, uint64_t iters, dsl_wrapping_key_t **wkey_out) 113 { 114 dsl_wrapping_key_t *wkey; 115 116 /* allocate the wrapping key */ 117 wkey = kmem_alloc(sizeof (dsl_wrapping_key_t), KM_SLEEP); 118 119 /* allocate and initialize the underlying crypto key */ 120 wkey->wk_key.ck_data = kmem_alloc(WRAPPING_KEY_LEN, KM_SLEEP); 121 122 wkey->wk_key.ck_format = CRYPTO_KEY_RAW; 123 wkey->wk_key.ck_length = CRYPTO_BYTES2BITS(WRAPPING_KEY_LEN); 124 bcopy(wkeydata, wkey->wk_key.ck_data, WRAPPING_KEY_LEN); 125 126 /* initialize the rest of the struct */ 127 zfs_refcount_create(&wkey->wk_refcnt); 128 wkey->wk_keyformat = keyformat; 129 wkey->wk_salt = salt; 130 wkey->wk_iters = iters; 131 132 *wkey_out = wkey; 133 } 134 135 int 136 dsl_crypto_params_create_nvlist(dcp_cmd_t cmd, nvlist_t *props, 137 nvlist_t *crypto_args, dsl_crypto_params_t **dcp_out) 138 { 139 int ret; 140 uint64_t crypt = ZIO_CRYPT_INHERIT; 141 uint64_t keyformat = ZFS_KEYFORMAT_NONE; 142 uint64_t salt = 0, iters = 0; 143 dsl_crypto_params_t *dcp = NULL; 144 dsl_wrapping_key_t *wkey = NULL; 145 uint8_t *wkeydata = NULL; 146 uint_t wkeydata_len = 0; 147 char *keylocation = NULL; 148 149 dcp = kmem_zalloc(sizeof (dsl_crypto_params_t), KM_SLEEP); 150 dcp->cp_cmd = cmd; 151 152 /* get relevant arguments from the nvlists */ 153 if (props != NULL) { 154 (void) nvlist_lookup_uint64(props, 155 zfs_prop_to_name(ZFS_PROP_ENCRYPTION), &crypt); 156 (void) nvlist_lookup_uint64(props, 157 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), &keyformat); 158 (void) nvlist_lookup_string(props, 159 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), &keylocation); 160 (void) nvlist_lookup_uint64(props, 161 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), &salt); 162 (void) nvlist_lookup_uint64(props, 163 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), &iters); 164 165 dcp->cp_crypt = crypt; 166 } 167 168 if (crypto_args != NULL) { 169 (void) nvlist_lookup_uint8_array(crypto_args, "wkeydata", 170 &wkeydata, &wkeydata_len); 171 } 172 173 /* check for valid command */ 174 if (dcp->cp_cmd >= DCP_CMD_MAX) { 175 ret = SET_ERROR(EINVAL); 176 goto error; 177 } else { 178 dcp->cp_cmd = cmd; 179 } 180 181 /* check for valid crypt */ 182 if (dcp->cp_crypt >= ZIO_CRYPT_FUNCTIONS) { 183 ret = SET_ERROR(EINVAL); 184 goto error; 185 } else { 186 dcp->cp_crypt = crypt; 187 } 188 189 /* check for valid keyformat */ 190 if (keyformat >= ZFS_KEYFORMAT_FORMATS) { 191 ret = SET_ERROR(EINVAL); 192 goto error; 193 } 194 195 /* check for a valid keylocation (of any kind) and copy it in */ 196 if (keylocation != NULL) { 197 if (!zfs_prop_valid_keylocation(keylocation, B_FALSE)) { 198 ret = SET_ERROR(EINVAL); 199 goto error; 200 } 201 202 dcp->cp_keylocation = spa_strdup(keylocation); 203 } 204 205 /* check wrapping key length, if given */ 206 if (wkeydata != NULL && wkeydata_len != WRAPPING_KEY_LEN) { 207 ret = SET_ERROR(EINVAL); 208 goto error; 209 } 210 211 /* if the user asked for the default crypt, determine that now */ 212 if (dcp->cp_crypt == ZIO_CRYPT_ON) 213 dcp->cp_crypt = ZIO_CRYPT_ON_VALUE; 214 215 /* create the wrapping key from the raw data */ 216 if (wkeydata != NULL) { 217 /* create the wrapping key with the verified parameters */ 218 dsl_wrapping_key_create(wkeydata, keyformat, salt, 219 iters, &wkey); 220 dcp->cp_wkey = wkey; 221 } 222 223 /* 224 * Remove the encryption properties from the nvlist since they are not 225 * maintained through the DSL. 226 */ 227 (void) nvlist_remove_all(props, zfs_prop_to_name(ZFS_PROP_ENCRYPTION)); 228 (void) nvlist_remove_all(props, zfs_prop_to_name(ZFS_PROP_KEYFORMAT)); 229 (void) nvlist_remove_all(props, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT)); 230 (void) nvlist_remove_all(props, 231 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS)); 232 233 *dcp_out = dcp; 234 235 return (0); 236 237 error: 238 if (wkey != NULL) 239 dsl_wrapping_key_free(wkey); 240 if (dcp != NULL) 241 kmem_free(dcp, sizeof (dsl_crypto_params_t)); 242 243 *dcp_out = NULL; 244 return (ret); 245 } 246 247 void 248 dsl_crypto_params_free(dsl_crypto_params_t *dcp, boolean_t unload) 249 { 250 if (dcp == NULL) 251 return; 252 253 if (dcp->cp_keylocation != NULL) 254 spa_strfree(dcp->cp_keylocation); 255 if (unload && dcp->cp_wkey != NULL) 256 dsl_wrapping_key_free(dcp->cp_wkey); 257 258 kmem_free(dcp, sizeof (dsl_crypto_params_t)); 259 } 260 261 static int 262 spa_crypto_key_compare(const void *a, const void *b) 263 { 264 const dsl_crypto_key_t *dcka = a; 265 const dsl_crypto_key_t *dckb = b; 266 267 if (dcka->dck_obj < dckb->dck_obj) 268 return (-1); 269 if (dcka->dck_obj > dckb->dck_obj) 270 return (1); 271 return (0); 272 } 273 274 static int 275 spa_key_mapping_compare(const void *a, const void *b) 276 { 277 const dsl_key_mapping_t *kma = a; 278 const dsl_key_mapping_t *kmb = b; 279 280 if (kma->km_dsobj < kmb->km_dsobj) 281 return (-1); 282 if (kma->km_dsobj > kmb->km_dsobj) 283 return (1); 284 return (0); 285 } 286 287 static int 288 spa_wkey_compare(const void *a, const void *b) 289 { 290 const dsl_wrapping_key_t *wka = a; 291 const dsl_wrapping_key_t *wkb = b; 292 293 if (wka->wk_ddobj < wkb->wk_ddobj) 294 return (-1); 295 if (wka->wk_ddobj > wkb->wk_ddobj) 296 return (1); 297 return (0); 298 } 299 300 void 301 spa_keystore_init(spa_keystore_t *sk) 302 { 303 rw_init(&sk->sk_dk_lock, NULL, RW_DEFAULT, NULL); 304 rw_init(&sk->sk_km_lock, NULL, RW_DEFAULT, NULL); 305 rw_init(&sk->sk_wkeys_lock, NULL, RW_DEFAULT, NULL); 306 avl_create(&sk->sk_dsl_keys, spa_crypto_key_compare, 307 sizeof (dsl_crypto_key_t), 308 offsetof(dsl_crypto_key_t, dck_avl_link)); 309 avl_create(&sk->sk_key_mappings, spa_key_mapping_compare, 310 sizeof (dsl_key_mapping_t), 311 offsetof(dsl_key_mapping_t, km_avl_link)); 312 avl_create(&sk->sk_wkeys, spa_wkey_compare, sizeof (dsl_wrapping_key_t), 313 offsetof(dsl_wrapping_key_t, wk_avl_link)); 314 } 315 316 void 317 spa_keystore_fini(spa_keystore_t *sk) 318 { 319 dsl_wrapping_key_t *wkey; 320 void *cookie = NULL; 321 322 ASSERT(avl_is_empty(&sk->sk_dsl_keys)); 323 ASSERT(avl_is_empty(&sk->sk_key_mappings)); 324 325 while ((wkey = avl_destroy_nodes(&sk->sk_wkeys, &cookie)) != NULL) 326 dsl_wrapping_key_free(wkey); 327 328 avl_destroy(&sk->sk_wkeys); 329 avl_destroy(&sk->sk_key_mappings); 330 avl_destroy(&sk->sk_dsl_keys); 331 rw_destroy(&sk->sk_wkeys_lock); 332 rw_destroy(&sk->sk_km_lock); 333 rw_destroy(&sk->sk_dk_lock); 334 } 335 336 static int 337 dsl_dir_get_encryption_root_ddobj(dsl_dir_t *dd, uint64_t *rddobj) 338 { 339 if (dd->dd_crypto_obj == 0) 340 return (SET_ERROR(ENOENT)); 341 342 return (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 343 DSL_CRYPTO_KEY_ROOT_DDOBJ, 8, 1, rddobj)); 344 } 345 346 static int 347 dsl_dir_get_encryption_version(dsl_dir_t *dd, uint64_t *version) 348 { 349 *version = 0; 350 351 if (dd->dd_crypto_obj == 0) 352 return (SET_ERROR(ENOENT)); 353 354 /* version 0 is implied by ENOENT */ 355 (void) zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 356 DSL_CRYPTO_KEY_VERSION, 8, 1, version); 357 358 return (0); 359 } 360 361 boolean_t 362 dsl_dir_incompatible_encryption_version(dsl_dir_t *dd) 363 { 364 int ret; 365 uint64_t version = 0; 366 367 ret = dsl_dir_get_encryption_version(dd, &version); 368 if (ret != 0) 369 return (B_FALSE); 370 371 return (version != ZIO_CRYPT_KEY_CURRENT_VERSION); 372 } 373 374 static int 375 spa_keystore_wkey_hold_ddobj_impl(spa_t *spa, uint64_t ddobj, 376 void *tag, dsl_wrapping_key_t **wkey_out) 377 { 378 int ret; 379 dsl_wrapping_key_t search_wkey; 380 dsl_wrapping_key_t *found_wkey; 381 382 ASSERT(RW_LOCK_HELD(&spa->spa_keystore.sk_wkeys_lock)); 383 384 /* init the search wrapping key */ 385 search_wkey.wk_ddobj = ddobj; 386 387 /* lookup the wrapping key */ 388 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, &search_wkey, NULL); 389 if (!found_wkey) { 390 ret = SET_ERROR(ENOENT); 391 goto error; 392 } 393 394 /* increment the refcount */ 395 dsl_wrapping_key_hold(found_wkey, tag); 396 397 *wkey_out = found_wkey; 398 return (0); 399 400 error: 401 *wkey_out = NULL; 402 return (ret); 403 } 404 405 static int 406 spa_keystore_wkey_hold_dd(spa_t *spa, dsl_dir_t *dd, void *tag, 407 dsl_wrapping_key_t **wkey_out) 408 { 409 int ret; 410 dsl_wrapping_key_t *wkey; 411 uint64_t rddobj; 412 boolean_t locked = B_FALSE; 413 414 if (!RW_WRITE_HELD(&spa->spa_keystore.sk_wkeys_lock)) { 415 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_READER); 416 locked = B_TRUE; 417 } 418 419 /* get the ddobj that the keylocation property was inherited from */ 420 ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj); 421 if (ret != 0) 422 goto error; 423 424 /* lookup the wkey in the avl tree */ 425 ret = spa_keystore_wkey_hold_ddobj_impl(spa, rddobj, tag, &wkey); 426 if (ret != 0) 427 goto error; 428 429 /* unlock the wkey tree if we locked it */ 430 if (locked) 431 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 432 433 *wkey_out = wkey; 434 return (0); 435 436 error: 437 if (locked) 438 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 439 440 *wkey_out = NULL; 441 return (ret); 442 } 443 444 int 445 dsl_crypto_can_set_keylocation(const char *dsname, const char *keylocation) 446 { 447 int ret = 0; 448 dsl_dir_t *dd = NULL; 449 dsl_pool_t *dp = NULL; 450 uint64_t rddobj; 451 452 /* hold the dsl dir */ 453 ret = dsl_pool_hold(dsname, FTAG, &dp); 454 if (ret != 0) 455 goto out; 456 457 ret = dsl_dir_hold(dp, dsname, FTAG, &dd, NULL); 458 if (ret != 0) { 459 dd = NULL; 460 goto out; 461 } 462 463 /* if dd is not encrypted, the value may only be "none" */ 464 if (dd->dd_crypto_obj == 0) { 465 if (strcmp(keylocation, "none") != 0) { 466 ret = SET_ERROR(EACCES); 467 goto out; 468 } 469 470 ret = 0; 471 goto out; 472 } 473 474 /* check for a valid keylocation for encrypted datasets */ 475 if (!zfs_prop_valid_keylocation(keylocation, B_TRUE)) { 476 ret = SET_ERROR(EINVAL); 477 goto out; 478 } 479 480 /* check that this is an encryption root */ 481 ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj); 482 if (ret != 0) 483 goto out; 484 485 if (rddobj != dd->dd_object) { 486 ret = SET_ERROR(EACCES); 487 goto out; 488 } 489 490 dsl_dir_rele(dd, FTAG); 491 dsl_pool_rele(dp, FTAG); 492 493 return (0); 494 495 out: 496 if (dd != NULL) 497 dsl_dir_rele(dd, FTAG); 498 if (dp != NULL) 499 dsl_pool_rele(dp, FTAG); 500 501 return (ret); 502 } 503 504 static void 505 dsl_crypto_key_free(dsl_crypto_key_t *dck) 506 { 507 ASSERT(zfs_refcount_count(&dck->dck_holds) == 0); 508 509 /* destroy the zio_crypt_key_t */ 510 zio_crypt_key_destroy(&dck->dck_key); 511 512 /* free the refcount, wrapping key, and lock */ 513 zfs_refcount_destroy(&dck->dck_holds); 514 if (dck->dck_wkey) 515 dsl_wrapping_key_rele(dck->dck_wkey, dck); 516 517 /* free the key */ 518 kmem_free(dck, sizeof (dsl_crypto_key_t)); 519 } 520 521 static void 522 dsl_crypto_key_rele(dsl_crypto_key_t *dck, void *tag) 523 { 524 if (zfs_refcount_remove(&dck->dck_holds, tag) == 0) 525 dsl_crypto_key_free(dck); 526 } 527 528 static int 529 dsl_crypto_key_open(objset_t *mos, dsl_wrapping_key_t *wkey, 530 uint64_t dckobj, void *tag, dsl_crypto_key_t **dck_out) 531 { 532 int ret; 533 uint64_t crypt = 0, guid = 0, version = 0; 534 uint8_t raw_keydata[MASTER_KEY_MAX_LEN]; 535 uint8_t raw_hmac_keydata[SHA512_HMAC_KEYLEN]; 536 uint8_t iv[WRAPPING_IV_LEN]; 537 uint8_t mac[WRAPPING_MAC_LEN]; 538 dsl_crypto_key_t *dck; 539 540 /* allocate and initialize the key */ 541 dck = kmem_zalloc(sizeof (dsl_crypto_key_t), KM_SLEEP); 542 543 /* fetch all of the values we need from the ZAP */ 544 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, 545 &crypt); 546 if (ret != 0) 547 goto error; 548 549 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_GUID, 8, 1, &guid); 550 if (ret != 0) 551 goto error; 552 553 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MASTER_KEY, 1, 554 MASTER_KEY_MAX_LEN, raw_keydata); 555 if (ret != 0) 556 goto error; 557 558 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_HMAC_KEY, 1, 559 SHA512_HMAC_KEYLEN, raw_hmac_keydata); 560 if (ret != 0) 561 goto error; 562 563 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_IV, 1, WRAPPING_IV_LEN, 564 iv); 565 if (ret != 0) 566 goto error; 567 568 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MAC, 1, WRAPPING_MAC_LEN, 569 mac); 570 if (ret != 0) 571 goto error; 572 573 /* the initial on-disk format for encryption did not have a version */ 574 (void) zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_VERSION, 8, 1, &version); 575 576 /* 577 * Unwrap the keys. If there is an error return EACCES to indicate 578 * an authentication failure. 579 */ 580 ret = zio_crypt_key_unwrap(&wkey->wk_key, crypt, version, guid, 581 raw_keydata, raw_hmac_keydata, iv, mac, &dck->dck_key); 582 if (ret != 0) { 583 ret = SET_ERROR(EACCES); 584 goto error; 585 } 586 587 /* finish initializing the dsl_crypto_key_t */ 588 zfs_refcount_create(&dck->dck_holds); 589 dsl_wrapping_key_hold(wkey, dck); 590 dck->dck_wkey = wkey; 591 dck->dck_obj = dckobj; 592 zfs_refcount_add(&dck->dck_holds, tag); 593 594 *dck_out = dck; 595 return (0); 596 597 error: 598 if (dck != NULL) { 599 bzero(dck, sizeof (dsl_crypto_key_t)); 600 kmem_free(dck, sizeof (dsl_crypto_key_t)); 601 } 602 603 *dck_out = NULL; 604 return (ret); 605 } 606 607 static int 608 spa_keystore_dsl_key_hold_impl(spa_t *spa, uint64_t dckobj, void *tag, 609 dsl_crypto_key_t **dck_out) 610 { 611 int ret; 612 dsl_crypto_key_t search_dck; 613 dsl_crypto_key_t *found_dck; 614 615 ASSERT(RW_LOCK_HELD(&spa->spa_keystore.sk_dk_lock)); 616 617 /* init the search key */ 618 search_dck.dck_obj = dckobj; 619 620 /* find the matching key in the keystore */ 621 found_dck = avl_find(&spa->spa_keystore.sk_dsl_keys, &search_dck, NULL); 622 if (!found_dck) { 623 ret = SET_ERROR(ENOENT); 624 goto error; 625 } 626 627 /* increment the refcount */ 628 zfs_refcount_add(&found_dck->dck_holds, tag); 629 630 *dck_out = found_dck; 631 return (0); 632 633 error: 634 *dck_out = NULL; 635 return (ret); 636 } 637 638 static int 639 spa_keystore_dsl_key_hold_dd(spa_t *spa, dsl_dir_t *dd, void *tag, 640 dsl_crypto_key_t **dck_out) 641 { 642 int ret; 643 avl_index_t where; 644 dsl_crypto_key_t *dck_io = NULL, *dck_ks = NULL; 645 dsl_wrapping_key_t *wkey = NULL; 646 uint64_t dckobj = dd->dd_crypto_obj; 647 648 /* Lookup the key in the tree of currently loaded keys */ 649 rw_enter(&spa->spa_keystore.sk_dk_lock, RW_READER); 650 ret = spa_keystore_dsl_key_hold_impl(spa, dckobj, tag, &dck_ks); 651 rw_exit(&spa->spa_keystore.sk_dk_lock); 652 if (ret == 0) { 653 *dck_out = dck_ks; 654 return (0); 655 } 656 657 /* Lookup the wrapping key from the keystore */ 658 ret = spa_keystore_wkey_hold_dd(spa, dd, FTAG, &wkey); 659 if (ret != 0) { 660 *dck_out = NULL; 661 return (SET_ERROR(EACCES)); 662 } 663 664 /* Read the key from disk */ 665 ret = dsl_crypto_key_open(spa->spa_meta_objset, wkey, dckobj, 666 tag, &dck_io); 667 if (ret != 0) { 668 dsl_wrapping_key_rele(wkey, FTAG); 669 *dck_out = NULL; 670 return (ret); 671 } 672 673 /* 674 * Add the key to the keystore. It may already exist if it was 675 * added while performing the read from disk. In this case discard 676 * it and return the key from the keystore. 677 */ 678 rw_enter(&spa->spa_keystore.sk_dk_lock, RW_WRITER); 679 ret = spa_keystore_dsl_key_hold_impl(spa, dckobj, tag, &dck_ks); 680 if (ret != 0) { 681 avl_find(&spa->spa_keystore.sk_dsl_keys, dck_io, &where); 682 avl_insert(&spa->spa_keystore.sk_dsl_keys, dck_io, where); 683 *dck_out = dck_io; 684 } else { 685 dsl_crypto_key_free(dck_io); 686 *dck_out = dck_ks; 687 } 688 689 /* Release the wrapping key (the dsl key now has a reference to it) */ 690 dsl_wrapping_key_rele(wkey, FTAG); 691 rw_exit(&spa->spa_keystore.sk_dk_lock); 692 693 return (0); 694 } 695 696 void 697 spa_keystore_dsl_key_rele(spa_t *spa, dsl_crypto_key_t *dck, void *tag) 698 { 699 rw_enter(&spa->spa_keystore.sk_dk_lock, RW_WRITER); 700 701 if (zfs_refcount_remove(&dck->dck_holds, tag) == 0) { 702 avl_remove(&spa->spa_keystore.sk_dsl_keys, dck); 703 dsl_crypto_key_free(dck); 704 } 705 706 rw_exit(&spa->spa_keystore.sk_dk_lock); 707 } 708 709 int 710 spa_keystore_load_wkey_impl(spa_t *spa, dsl_wrapping_key_t *wkey) 711 { 712 int ret; 713 avl_index_t where; 714 dsl_wrapping_key_t *found_wkey; 715 716 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 717 718 /* insert the wrapping key into the keystore */ 719 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, wkey, &where); 720 if (found_wkey != NULL) { 721 ret = SET_ERROR(EEXIST); 722 goto error_unlock; 723 } 724 avl_insert(&spa->spa_keystore.sk_wkeys, wkey, where); 725 726 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 727 728 return (0); 729 730 error_unlock: 731 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 732 return (ret); 733 } 734 735 int 736 spa_keystore_load_wkey(const char *dsname, dsl_crypto_params_t *dcp, 737 boolean_t noop) 738 { 739 int ret; 740 dsl_dir_t *dd = NULL; 741 dsl_crypto_key_t *dck = NULL; 742 dsl_wrapping_key_t *wkey = dcp->cp_wkey; 743 dsl_pool_t *dp = NULL; 744 uint64_t rddobj, keyformat, salt, iters; 745 746 /* 747 * We don't validate the wrapping key's keyformat, salt, or iters 748 * since they will never be needed after the DCK has been wrapped. 749 */ 750 if (dcp->cp_wkey == NULL || 751 dcp->cp_cmd != DCP_CMD_NONE || 752 dcp->cp_crypt != ZIO_CRYPT_INHERIT || 753 dcp->cp_keylocation != NULL) 754 return (SET_ERROR(EINVAL)); 755 756 ret = dsl_pool_hold(dsname, FTAG, &dp); 757 if (ret != 0) 758 goto error; 759 760 if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_ENCRYPTION)) { 761 ret = SET_ERROR(ENOTSUP); 762 goto error; 763 } 764 765 /* hold the dsl dir */ 766 ret = dsl_dir_hold(dp, dsname, FTAG, &dd, NULL); 767 if (ret != 0) { 768 dd = NULL; 769 goto error; 770 } 771 772 /* confirm that dd is the encryption root */ 773 ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj); 774 if (ret != 0 || rddobj != dd->dd_object) { 775 ret = SET_ERROR(EINVAL); 776 goto error; 777 } 778 779 /* initialize the wkey's ddobj */ 780 wkey->wk_ddobj = dd->dd_object; 781 782 /* verify that the wkey is correct by opening its dsl key */ 783 ret = dsl_crypto_key_open(dp->dp_meta_objset, wkey, 784 dd->dd_crypto_obj, FTAG, &dck); 785 if (ret != 0) 786 goto error; 787 788 /* initialize the wkey encryption parameters from the DSL Crypto Key */ 789 ret = zap_lookup(dp->dp_meta_objset, dd->dd_crypto_obj, 790 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 8, 1, &keyformat); 791 if (ret != 0) 792 goto error; 793 794 ret = zap_lookup(dp->dp_meta_objset, dd->dd_crypto_obj, 795 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 8, 1, &salt); 796 if (ret != 0) 797 goto error; 798 799 ret = zap_lookup(dp->dp_meta_objset, dd->dd_crypto_obj, 800 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 8, 1, &iters); 801 if (ret != 0) 802 goto error; 803 804 ASSERT3U(keyformat, <, ZFS_KEYFORMAT_FORMATS); 805 ASSERT3U(keyformat, !=, ZFS_KEYFORMAT_NONE); 806 IMPLY(keyformat == ZFS_KEYFORMAT_PASSPHRASE, iters != 0); 807 IMPLY(keyformat == ZFS_KEYFORMAT_PASSPHRASE, salt != 0); 808 IMPLY(keyformat != ZFS_KEYFORMAT_PASSPHRASE, iters == 0); 809 IMPLY(keyformat != ZFS_KEYFORMAT_PASSPHRASE, salt == 0); 810 811 wkey->wk_keyformat = keyformat; 812 wkey->wk_salt = salt; 813 wkey->wk_iters = iters; 814 815 /* 816 * At this point we have verified the wkey and confirmed that it can 817 * be used to decrypt a DSL Crypto Key. We can simply cleanup and 818 * return if this is all the user wanted to do. 819 */ 820 if (noop) 821 goto error; 822 823 /* insert the wrapping key into the keystore */ 824 ret = spa_keystore_load_wkey_impl(dp->dp_spa, wkey); 825 if (ret != 0) 826 goto error; 827 828 dsl_crypto_key_rele(dck, FTAG); 829 dsl_dir_rele(dd, FTAG); 830 dsl_pool_rele(dp, FTAG); 831 832 /* create any zvols under this ds */ 833 zvol_create_minors_recursive(dsname); 834 835 return (0); 836 837 error: 838 if (dck != NULL) 839 dsl_crypto_key_rele(dck, FTAG); 840 if (dd != NULL) 841 dsl_dir_rele(dd, FTAG); 842 if (dp != NULL) 843 dsl_pool_rele(dp, FTAG); 844 845 return (ret); 846 } 847 848 int 849 spa_keystore_unload_wkey_impl(spa_t *spa, uint64_t ddobj) 850 { 851 int ret; 852 dsl_wrapping_key_t search_wkey; 853 dsl_wrapping_key_t *found_wkey; 854 855 /* init the search wrapping key */ 856 search_wkey.wk_ddobj = ddobj; 857 858 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 859 860 /* remove the wrapping key from the keystore */ 861 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, 862 &search_wkey, NULL); 863 if (!found_wkey) { 864 ret = SET_ERROR(EACCES); 865 goto error_unlock; 866 } else if (zfs_refcount_count(&found_wkey->wk_refcnt) != 0) { 867 ret = SET_ERROR(EBUSY); 868 goto error_unlock; 869 } 870 avl_remove(&spa->spa_keystore.sk_wkeys, found_wkey); 871 872 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 873 874 /* free the wrapping key */ 875 dsl_wrapping_key_free(found_wkey); 876 877 return (0); 878 879 error_unlock: 880 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 881 return (ret); 882 } 883 884 int 885 spa_keystore_unload_wkey(const char *dsname) 886 { 887 int ret = 0; 888 dsl_dir_t *dd = NULL; 889 dsl_pool_t *dp = NULL; 890 spa_t *spa = NULL; 891 892 ret = spa_open(dsname, &spa, FTAG); 893 if (ret != 0) 894 return (ret); 895 896 /* 897 * Wait for any outstanding txg IO to complete, releasing any 898 * remaining references on the wkey. 899 */ 900 if (spa_mode(spa) != SPA_MODE_READ) 901 txg_wait_synced(spa->spa_dsl_pool, 0); 902 903 spa_close(spa, FTAG); 904 905 /* hold the dsl dir */ 906 ret = dsl_pool_hold(dsname, FTAG, &dp); 907 if (ret != 0) 908 goto error; 909 910 if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_ENCRYPTION)) { 911 ret = (SET_ERROR(ENOTSUP)); 912 goto error; 913 } 914 915 ret = dsl_dir_hold(dp, dsname, FTAG, &dd, NULL); 916 if (ret != 0) { 917 dd = NULL; 918 goto error; 919 } 920 921 /* unload the wkey */ 922 ret = spa_keystore_unload_wkey_impl(dp->dp_spa, dd->dd_object); 923 if (ret != 0) 924 goto error; 925 926 dsl_dir_rele(dd, FTAG); 927 dsl_pool_rele(dp, FTAG); 928 929 /* remove any zvols under this ds */ 930 zvol_remove_minors(dp->dp_spa, dsname, B_TRUE); 931 932 return (0); 933 934 error: 935 if (dd != NULL) 936 dsl_dir_rele(dd, FTAG); 937 if (dp != NULL) 938 dsl_pool_rele(dp, FTAG); 939 940 return (ret); 941 } 942 943 void 944 key_mapping_add_ref(dsl_key_mapping_t *km, void *tag) 945 { 946 ASSERT3U(zfs_refcount_count(&km->km_refcnt), >=, 1); 947 zfs_refcount_add(&km->km_refcnt, tag); 948 } 949 950 /* 951 * The locking here is a little tricky to ensure we don't cause unnecessary 952 * performance problems. We want to release a key mapping whenever someone 953 * decrements the refcount to 0, but freeing the mapping requires removing 954 * it from the spa_keystore, which requires holding sk_km_lock as a writer. 955 * Most of the time we don't want to hold this lock as a writer, since the 956 * same lock is held as a reader for each IO that needs to encrypt / decrypt 957 * data for any dataset and in practice we will only actually free the 958 * mapping after unmounting a dataset. 959 */ 960 void 961 key_mapping_rele(spa_t *spa, dsl_key_mapping_t *km, void *tag) 962 { 963 ASSERT3U(zfs_refcount_count(&km->km_refcnt), >=, 1); 964 965 if (zfs_refcount_remove(&km->km_refcnt, tag) != 0) 966 return; 967 968 /* 969 * We think we are going to need to free the mapping. Add a 970 * reference to prevent most other releasers from thinking 971 * this might be their responsibility. This is inherently 972 * racy, so we will confirm that we are legitimately the 973 * last holder once we have the sk_km_lock as a writer. 974 */ 975 zfs_refcount_add(&km->km_refcnt, FTAG); 976 977 rw_enter(&spa->spa_keystore.sk_km_lock, RW_WRITER); 978 if (zfs_refcount_remove(&km->km_refcnt, FTAG) != 0) { 979 rw_exit(&spa->spa_keystore.sk_km_lock); 980 return; 981 } 982 983 avl_remove(&spa->spa_keystore.sk_key_mappings, km); 984 rw_exit(&spa->spa_keystore.sk_km_lock); 985 986 spa_keystore_dsl_key_rele(spa, km->km_key, km); 987 zfs_refcount_destroy(&km->km_refcnt); 988 kmem_free(km, sizeof (dsl_key_mapping_t)); 989 } 990 991 int 992 spa_keystore_create_mapping(spa_t *spa, dsl_dataset_t *ds, void *tag, 993 dsl_key_mapping_t **km_out) 994 { 995 int ret; 996 avl_index_t where; 997 dsl_key_mapping_t *km, *found_km; 998 boolean_t should_free = B_FALSE; 999 1000 /* Allocate and initialize the mapping */ 1001 km = kmem_zalloc(sizeof (dsl_key_mapping_t), KM_SLEEP); 1002 zfs_refcount_create(&km->km_refcnt); 1003 1004 ret = spa_keystore_dsl_key_hold_dd(spa, ds->ds_dir, km, &km->km_key); 1005 if (ret != 0) { 1006 zfs_refcount_destroy(&km->km_refcnt); 1007 kmem_free(km, sizeof (dsl_key_mapping_t)); 1008 1009 if (km_out != NULL) 1010 *km_out = NULL; 1011 return (ret); 1012 } 1013 1014 km->km_dsobj = ds->ds_object; 1015 1016 rw_enter(&spa->spa_keystore.sk_km_lock, RW_WRITER); 1017 1018 /* 1019 * If a mapping already exists, simply increment its refcount and 1020 * cleanup the one we made. We want to allocate / free outside of 1021 * the lock because this lock is also used by the zio layer to lookup 1022 * key mappings. Otherwise, use the one we created. Normally, there will 1023 * only be one active reference at a time (the objset owner), but there 1024 * are times when there could be multiple async users. 1025 */ 1026 found_km = avl_find(&spa->spa_keystore.sk_key_mappings, km, &where); 1027 if (found_km != NULL) { 1028 should_free = B_TRUE; 1029 zfs_refcount_add(&found_km->km_refcnt, tag); 1030 if (km_out != NULL) 1031 *km_out = found_km; 1032 } else { 1033 zfs_refcount_add(&km->km_refcnt, tag); 1034 avl_insert(&spa->spa_keystore.sk_key_mappings, km, where); 1035 if (km_out != NULL) 1036 *km_out = km; 1037 } 1038 1039 rw_exit(&spa->spa_keystore.sk_km_lock); 1040 1041 if (should_free) { 1042 spa_keystore_dsl_key_rele(spa, km->km_key, km); 1043 zfs_refcount_destroy(&km->km_refcnt); 1044 kmem_free(km, sizeof (dsl_key_mapping_t)); 1045 } 1046 1047 return (0); 1048 } 1049 1050 int 1051 spa_keystore_remove_mapping(spa_t *spa, uint64_t dsobj, void *tag) 1052 { 1053 int ret; 1054 dsl_key_mapping_t search_km; 1055 dsl_key_mapping_t *found_km; 1056 1057 /* init the search key mapping */ 1058 search_km.km_dsobj = dsobj; 1059 1060 rw_enter(&spa->spa_keystore.sk_km_lock, RW_READER); 1061 1062 /* find the matching mapping */ 1063 found_km = avl_find(&spa->spa_keystore.sk_key_mappings, 1064 &search_km, NULL); 1065 if (found_km == NULL) { 1066 ret = SET_ERROR(ENOENT); 1067 goto error_unlock; 1068 } 1069 1070 rw_exit(&spa->spa_keystore.sk_km_lock); 1071 1072 key_mapping_rele(spa, found_km, tag); 1073 1074 return (0); 1075 1076 error_unlock: 1077 rw_exit(&spa->spa_keystore.sk_km_lock); 1078 return (ret); 1079 } 1080 1081 /* 1082 * This function is primarily used by the zio and arc layer to lookup 1083 * DSL Crypto Keys for encryption. Callers must release the key with 1084 * spa_keystore_dsl_key_rele(). The function may also be called with 1085 * dck_out == NULL and tag == NULL to simply check that a key exists 1086 * without getting a reference to it. 1087 */ 1088 int 1089 spa_keystore_lookup_key(spa_t *spa, uint64_t dsobj, void *tag, 1090 dsl_crypto_key_t **dck_out) 1091 { 1092 int ret; 1093 dsl_key_mapping_t search_km; 1094 dsl_key_mapping_t *found_km; 1095 1096 ASSERT((tag != NULL && dck_out != NULL) || 1097 (tag == NULL && dck_out == NULL)); 1098 1099 /* init the search key mapping */ 1100 search_km.km_dsobj = dsobj; 1101 1102 rw_enter(&spa->spa_keystore.sk_km_lock, RW_READER); 1103 1104 /* remove the mapping from the tree */ 1105 found_km = avl_find(&spa->spa_keystore.sk_key_mappings, &search_km, 1106 NULL); 1107 if (found_km == NULL) { 1108 ret = SET_ERROR(ENOENT); 1109 goto error_unlock; 1110 } 1111 1112 if (found_km && tag) 1113 zfs_refcount_add(&found_km->km_key->dck_holds, tag); 1114 1115 rw_exit(&spa->spa_keystore.sk_km_lock); 1116 1117 if (dck_out != NULL) 1118 *dck_out = found_km->km_key; 1119 return (0); 1120 1121 error_unlock: 1122 rw_exit(&spa->spa_keystore.sk_km_lock); 1123 1124 if (dck_out != NULL) 1125 *dck_out = NULL; 1126 return (ret); 1127 } 1128 1129 static int 1130 dmu_objset_check_wkey_loaded(dsl_dir_t *dd) 1131 { 1132 int ret; 1133 dsl_wrapping_key_t *wkey = NULL; 1134 1135 ret = spa_keystore_wkey_hold_dd(dd->dd_pool->dp_spa, dd, FTAG, 1136 &wkey); 1137 if (ret != 0) 1138 return (SET_ERROR(EACCES)); 1139 1140 dsl_wrapping_key_rele(wkey, FTAG); 1141 1142 return (0); 1143 } 1144 1145 static zfs_keystatus_t 1146 dsl_dataset_get_keystatus(dsl_dir_t *dd) 1147 { 1148 /* check if this dd has a has a dsl key */ 1149 if (dd->dd_crypto_obj == 0) 1150 return (ZFS_KEYSTATUS_NONE); 1151 1152 return (dmu_objset_check_wkey_loaded(dd) == 0 ? 1153 ZFS_KEYSTATUS_AVAILABLE : ZFS_KEYSTATUS_UNAVAILABLE); 1154 } 1155 1156 static int 1157 dsl_dir_get_crypt(dsl_dir_t *dd, uint64_t *crypt) 1158 { 1159 if (dd->dd_crypto_obj == 0) { 1160 *crypt = ZIO_CRYPT_OFF; 1161 return (0); 1162 } 1163 1164 return (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 1165 DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, crypt)); 1166 } 1167 1168 static void 1169 dsl_crypto_key_sync_impl(objset_t *mos, uint64_t dckobj, uint64_t crypt, 1170 uint64_t root_ddobj, uint64_t guid, uint8_t *iv, uint8_t *mac, 1171 uint8_t *keydata, uint8_t *hmac_keydata, uint64_t keyformat, 1172 uint64_t salt, uint64_t iters, dmu_tx_t *tx) 1173 { 1174 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, 1175 &crypt, tx)); 1176 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_ROOT_DDOBJ, 8, 1, 1177 &root_ddobj, tx)); 1178 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_GUID, 8, 1, 1179 &guid, tx)); 1180 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_IV, 1, WRAPPING_IV_LEN, 1181 iv, tx)); 1182 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_MAC, 1, WRAPPING_MAC_LEN, 1183 mac, tx)); 1184 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_MASTER_KEY, 1, 1185 MASTER_KEY_MAX_LEN, keydata, tx)); 1186 VERIFY0(zap_update(mos, dckobj, DSL_CRYPTO_KEY_HMAC_KEY, 1, 1187 SHA512_HMAC_KEYLEN, hmac_keydata, tx)); 1188 VERIFY0(zap_update(mos, dckobj, zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 1189 8, 1, &keyformat, tx)); 1190 VERIFY0(zap_update(mos, dckobj, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 1191 8, 1, &salt, tx)); 1192 VERIFY0(zap_update(mos, dckobj, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 1193 8, 1, &iters, tx)); 1194 } 1195 1196 static void 1197 dsl_crypto_key_sync(dsl_crypto_key_t *dck, dmu_tx_t *tx) 1198 { 1199 zio_crypt_key_t *key = &dck->dck_key; 1200 dsl_wrapping_key_t *wkey = dck->dck_wkey; 1201 uint8_t keydata[MASTER_KEY_MAX_LEN]; 1202 uint8_t hmac_keydata[SHA512_HMAC_KEYLEN]; 1203 uint8_t iv[WRAPPING_IV_LEN]; 1204 uint8_t mac[WRAPPING_MAC_LEN]; 1205 1206 ASSERT(dmu_tx_is_syncing(tx)); 1207 ASSERT3U(key->zk_crypt, <, ZIO_CRYPT_FUNCTIONS); 1208 1209 /* encrypt and store the keys along with the IV and MAC */ 1210 VERIFY0(zio_crypt_key_wrap(&dck->dck_wkey->wk_key, key, iv, mac, 1211 keydata, hmac_keydata)); 1212 1213 /* update the ZAP with the obtained values */ 1214 dsl_crypto_key_sync_impl(tx->tx_pool->dp_meta_objset, dck->dck_obj, 1215 key->zk_crypt, wkey->wk_ddobj, key->zk_guid, iv, mac, keydata, 1216 hmac_keydata, wkey->wk_keyformat, wkey->wk_salt, wkey->wk_iters, 1217 tx); 1218 } 1219 1220 typedef struct spa_keystore_change_key_args { 1221 const char *skcka_dsname; 1222 dsl_crypto_params_t *skcka_cp; 1223 } spa_keystore_change_key_args_t; 1224 1225 static int 1226 spa_keystore_change_key_check(void *arg, dmu_tx_t *tx) 1227 { 1228 int ret; 1229 dsl_dir_t *dd = NULL; 1230 dsl_pool_t *dp = dmu_tx_pool(tx); 1231 spa_keystore_change_key_args_t *skcka = arg; 1232 dsl_crypto_params_t *dcp = skcka->skcka_cp; 1233 uint64_t rddobj; 1234 1235 /* check for the encryption feature */ 1236 if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_ENCRYPTION)) { 1237 ret = SET_ERROR(ENOTSUP); 1238 goto error; 1239 } 1240 1241 /* check for valid key change command */ 1242 if (dcp->cp_cmd != DCP_CMD_NEW_KEY && 1243 dcp->cp_cmd != DCP_CMD_INHERIT && 1244 dcp->cp_cmd != DCP_CMD_FORCE_NEW_KEY && 1245 dcp->cp_cmd != DCP_CMD_FORCE_INHERIT) { 1246 ret = SET_ERROR(EINVAL); 1247 goto error; 1248 } 1249 1250 /* hold the dd */ 1251 ret = dsl_dir_hold(dp, skcka->skcka_dsname, FTAG, &dd, NULL); 1252 if (ret != 0) { 1253 dd = NULL; 1254 goto error; 1255 } 1256 1257 /* verify that the dataset is encrypted */ 1258 if (dd->dd_crypto_obj == 0) { 1259 ret = SET_ERROR(EINVAL); 1260 goto error; 1261 } 1262 1263 /* clones must always use their origin's key */ 1264 if (dsl_dir_is_clone(dd)) { 1265 ret = SET_ERROR(EINVAL); 1266 goto error; 1267 } 1268 1269 /* lookup the ddobj we are inheriting the keylocation from */ 1270 ret = dsl_dir_get_encryption_root_ddobj(dd, &rddobj); 1271 if (ret != 0) 1272 goto error; 1273 1274 /* Handle inheritance */ 1275 if (dcp->cp_cmd == DCP_CMD_INHERIT || 1276 dcp->cp_cmd == DCP_CMD_FORCE_INHERIT) { 1277 /* no other encryption params should be given */ 1278 if (dcp->cp_crypt != ZIO_CRYPT_INHERIT || 1279 dcp->cp_keylocation != NULL || 1280 dcp->cp_wkey != NULL) { 1281 ret = SET_ERROR(EINVAL); 1282 goto error; 1283 } 1284 1285 /* check that this is an encryption root */ 1286 if (dd->dd_object != rddobj) { 1287 ret = SET_ERROR(EINVAL); 1288 goto error; 1289 } 1290 1291 /* check that the parent is encrypted */ 1292 if (dd->dd_parent->dd_crypto_obj == 0) { 1293 ret = SET_ERROR(EINVAL); 1294 goto error; 1295 } 1296 1297 /* if we are rewrapping check that both keys are loaded */ 1298 if (dcp->cp_cmd == DCP_CMD_INHERIT) { 1299 ret = dmu_objset_check_wkey_loaded(dd); 1300 if (ret != 0) 1301 goto error; 1302 1303 ret = dmu_objset_check_wkey_loaded(dd->dd_parent); 1304 if (ret != 0) 1305 goto error; 1306 } 1307 1308 dsl_dir_rele(dd, FTAG); 1309 return (0); 1310 } 1311 1312 /* handle forcing an encryption root without rewrapping */ 1313 if (dcp->cp_cmd == DCP_CMD_FORCE_NEW_KEY) { 1314 /* no other encryption params should be given */ 1315 if (dcp->cp_crypt != ZIO_CRYPT_INHERIT || 1316 dcp->cp_keylocation != NULL || 1317 dcp->cp_wkey != NULL) { 1318 ret = SET_ERROR(EINVAL); 1319 goto error; 1320 } 1321 1322 /* check that this is not an encryption root */ 1323 if (dd->dd_object == rddobj) { 1324 ret = SET_ERROR(EINVAL); 1325 goto error; 1326 } 1327 1328 dsl_dir_rele(dd, FTAG); 1329 return (0); 1330 } 1331 1332 /* crypt cannot be changed after creation */ 1333 if (dcp->cp_crypt != ZIO_CRYPT_INHERIT) { 1334 ret = SET_ERROR(EINVAL); 1335 goto error; 1336 } 1337 1338 /* we are not inheritting our parent's wkey so we need one ourselves */ 1339 if (dcp->cp_wkey == NULL) { 1340 ret = SET_ERROR(EINVAL); 1341 goto error; 1342 } 1343 1344 /* check for a valid keyformat for the new wrapping key */ 1345 if (dcp->cp_wkey->wk_keyformat >= ZFS_KEYFORMAT_FORMATS || 1346 dcp->cp_wkey->wk_keyformat == ZFS_KEYFORMAT_NONE) { 1347 ret = SET_ERROR(EINVAL); 1348 goto error; 1349 } 1350 1351 /* 1352 * If this dataset is not currently an encryption root we need a new 1353 * keylocation for this dataset's new wrapping key. Otherwise we can 1354 * just keep the one we already had. 1355 */ 1356 if (dd->dd_object != rddobj && dcp->cp_keylocation == NULL) { 1357 ret = SET_ERROR(EINVAL); 1358 goto error; 1359 } 1360 1361 /* check that the keylocation is valid if it is not NULL */ 1362 if (dcp->cp_keylocation != NULL && 1363 !zfs_prop_valid_keylocation(dcp->cp_keylocation, B_TRUE)) { 1364 ret = SET_ERROR(EINVAL); 1365 goto error; 1366 } 1367 1368 /* passphrases require pbkdf2 salt and iters */ 1369 if (dcp->cp_wkey->wk_keyformat == ZFS_KEYFORMAT_PASSPHRASE) { 1370 if (dcp->cp_wkey->wk_salt == 0 || 1371 dcp->cp_wkey->wk_iters < MIN_PBKDF2_ITERATIONS) { 1372 ret = SET_ERROR(EINVAL); 1373 goto error; 1374 } 1375 } else { 1376 if (dcp->cp_wkey->wk_salt != 0 || dcp->cp_wkey->wk_iters != 0) { 1377 ret = SET_ERROR(EINVAL); 1378 goto error; 1379 } 1380 } 1381 1382 /* make sure the dd's wkey is loaded */ 1383 ret = dmu_objset_check_wkey_loaded(dd); 1384 if (ret != 0) 1385 goto error; 1386 1387 dsl_dir_rele(dd, FTAG); 1388 1389 return (0); 1390 1391 error: 1392 if (dd != NULL) 1393 dsl_dir_rele(dd, FTAG); 1394 1395 return (ret); 1396 } 1397 1398 /* 1399 * This function deals with the intricacies of updating wrapping 1400 * key references and encryption roots recursively in the event 1401 * of a call to 'zfs change-key' or 'zfs promote'. The 'skip' 1402 * parameter should always be set to B_FALSE when called 1403 * externally. 1404 */ 1405 static void 1406 spa_keystore_change_key_sync_impl(uint64_t rddobj, uint64_t ddobj, 1407 uint64_t new_rddobj, dsl_wrapping_key_t *wkey, boolean_t skip, 1408 dmu_tx_t *tx) 1409 { 1410 int ret; 1411 zap_cursor_t *zc; 1412 zap_attribute_t *za; 1413 dsl_pool_t *dp = dmu_tx_pool(tx); 1414 dsl_dir_t *dd = NULL; 1415 dsl_crypto_key_t *dck = NULL; 1416 uint64_t curr_rddobj; 1417 1418 ASSERT(RW_WRITE_HELD(&dp->dp_spa->spa_keystore.sk_wkeys_lock)); 1419 1420 /* hold the dd */ 1421 VERIFY0(dsl_dir_hold_obj(dp, ddobj, NULL, FTAG, &dd)); 1422 1423 /* ignore special dsl dirs */ 1424 if (dd->dd_myname[0] == '$' || dd->dd_myname[0] == '%') { 1425 dsl_dir_rele(dd, FTAG); 1426 return; 1427 } 1428 1429 ret = dsl_dir_get_encryption_root_ddobj(dd, &curr_rddobj); 1430 VERIFY(ret == 0 || ret == ENOENT); 1431 1432 /* 1433 * Stop recursing if this dsl dir didn't inherit from the root 1434 * or if this dd is a clone. 1435 */ 1436 if (ret == ENOENT || 1437 (!skip && (curr_rddobj != rddobj || dsl_dir_is_clone(dd)))) { 1438 dsl_dir_rele(dd, FTAG); 1439 return; 1440 } 1441 1442 /* 1443 * If we don't have a wrapping key just update the dck to reflect the 1444 * new encryption root. Otherwise rewrap the entire dck and re-sync it 1445 * to disk. If skip is set, we don't do any of this work. 1446 */ 1447 if (!skip) { 1448 if (wkey == NULL) { 1449 VERIFY0(zap_update(dp->dp_meta_objset, 1450 dd->dd_crypto_obj, 1451 DSL_CRYPTO_KEY_ROOT_DDOBJ, 8, 1, 1452 &new_rddobj, tx)); 1453 } else { 1454 VERIFY0(spa_keystore_dsl_key_hold_dd(dp->dp_spa, dd, 1455 FTAG, &dck)); 1456 dsl_wrapping_key_hold(wkey, dck); 1457 dsl_wrapping_key_rele(dck->dck_wkey, dck); 1458 dck->dck_wkey = wkey; 1459 dsl_crypto_key_sync(dck, tx); 1460 spa_keystore_dsl_key_rele(dp->dp_spa, dck, FTAG); 1461 } 1462 } 1463 1464 zc = kmem_alloc(sizeof (zap_cursor_t), KM_SLEEP); 1465 za = kmem_alloc(sizeof (zap_attribute_t), KM_SLEEP); 1466 1467 /* Recurse into all child dsl dirs. */ 1468 for (zap_cursor_init(zc, dp->dp_meta_objset, 1469 dsl_dir_phys(dd)->dd_child_dir_zapobj); 1470 zap_cursor_retrieve(zc, za) == 0; 1471 zap_cursor_advance(zc)) { 1472 spa_keystore_change_key_sync_impl(rddobj, 1473 za->za_first_integer, new_rddobj, wkey, B_FALSE, tx); 1474 } 1475 zap_cursor_fini(zc); 1476 1477 /* 1478 * Recurse into all dsl dirs of clones. We utilize the skip parameter 1479 * here so that we don't attempt to process the clones directly. This 1480 * is because the clone and its origin share the same dck, which has 1481 * already been updated. 1482 */ 1483 for (zap_cursor_init(zc, dp->dp_meta_objset, 1484 dsl_dir_phys(dd)->dd_clones); 1485 zap_cursor_retrieve(zc, za) == 0; 1486 zap_cursor_advance(zc)) { 1487 dsl_dataset_t *clone; 1488 1489 VERIFY0(dsl_dataset_hold_obj(dp, za->za_first_integer, 1490 FTAG, &clone)); 1491 spa_keystore_change_key_sync_impl(rddobj, 1492 clone->ds_dir->dd_object, new_rddobj, wkey, B_TRUE, tx); 1493 dsl_dataset_rele(clone, FTAG); 1494 } 1495 zap_cursor_fini(zc); 1496 1497 kmem_free(za, sizeof (zap_attribute_t)); 1498 kmem_free(zc, sizeof (zap_cursor_t)); 1499 1500 dsl_dir_rele(dd, FTAG); 1501 } 1502 1503 static void 1504 spa_keystore_change_key_sync(void *arg, dmu_tx_t *tx) 1505 { 1506 dsl_dataset_t *ds; 1507 avl_index_t where; 1508 dsl_pool_t *dp = dmu_tx_pool(tx); 1509 spa_t *spa = dp->dp_spa; 1510 spa_keystore_change_key_args_t *skcka = arg; 1511 dsl_crypto_params_t *dcp = skcka->skcka_cp; 1512 dsl_wrapping_key_t *wkey = NULL, *found_wkey; 1513 dsl_wrapping_key_t wkey_search; 1514 char *keylocation = dcp->cp_keylocation; 1515 uint64_t rddobj, new_rddobj; 1516 1517 /* create and initialize the wrapping key */ 1518 VERIFY0(dsl_dataset_hold(dp, skcka->skcka_dsname, FTAG, &ds)); 1519 ASSERT(!ds->ds_is_snapshot); 1520 1521 if (dcp->cp_cmd == DCP_CMD_NEW_KEY || 1522 dcp->cp_cmd == DCP_CMD_FORCE_NEW_KEY) { 1523 /* 1524 * We are changing to a new wkey. Set additional properties 1525 * which can be sent along with this ioctl. Note that this 1526 * command can set keylocation even if it can't normally be 1527 * set via 'zfs set' due to a non-local keylocation. 1528 */ 1529 if (dcp->cp_cmd == DCP_CMD_NEW_KEY) { 1530 wkey = dcp->cp_wkey; 1531 wkey->wk_ddobj = ds->ds_dir->dd_object; 1532 } else { 1533 keylocation = "prompt"; 1534 } 1535 1536 if (keylocation != NULL) { 1537 dsl_prop_set_sync_impl(ds, 1538 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1539 ZPROP_SRC_LOCAL, 1, strlen(keylocation) + 1, 1540 keylocation, tx); 1541 } 1542 1543 VERIFY0(dsl_dir_get_encryption_root_ddobj(ds->ds_dir, &rddobj)); 1544 new_rddobj = ds->ds_dir->dd_object; 1545 } else { 1546 /* 1547 * We are inheritting the parent's wkey. Unset any local 1548 * keylocation and grab a reference to the wkey. 1549 */ 1550 if (dcp->cp_cmd == DCP_CMD_INHERIT) { 1551 VERIFY0(spa_keystore_wkey_hold_dd(spa, 1552 ds->ds_dir->dd_parent, FTAG, &wkey)); 1553 } 1554 1555 dsl_prop_set_sync_impl(ds, 1556 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), ZPROP_SRC_NONE, 1557 0, 0, NULL, tx); 1558 1559 rddobj = ds->ds_dir->dd_object; 1560 VERIFY0(dsl_dir_get_encryption_root_ddobj(ds->ds_dir->dd_parent, 1561 &new_rddobj)); 1562 } 1563 1564 if (wkey == NULL) { 1565 ASSERT(dcp->cp_cmd == DCP_CMD_FORCE_INHERIT || 1566 dcp->cp_cmd == DCP_CMD_FORCE_NEW_KEY); 1567 } 1568 1569 rw_enter(&spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 1570 1571 /* recurse through all children and rewrap their keys */ 1572 spa_keystore_change_key_sync_impl(rddobj, ds->ds_dir->dd_object, 1573 new_rddobj, wkey, B_FALSE, tx); 1574 1575 /* 1576 * All references to the old wkey should be released now (if it 1577 * existed). Replace the wrapping key. 1578 */ 1579 wkey_search.wk_ddobj = ds->ds_dir->dd_object; 1580 found_wkey = avl_find(&spa->spa_keystore.sk_wkeys, &wkey_search, NULL); 1581 if (found_wkey != NULL) { 1582 ASSERT0(zfs_refcount_count(&found_wkey->wk_refcnt)); 1583 avl_remove(&spa->spa_keystore.sk_wkeys, found_wkey); 1584 dsl_wrapping_key_free(found_wkey); 1585 } 1586 1587 if (dcp->cp_cmd == DCP_CMD_NEW_KEY) { 1588 avl_find(&spa->spa_keystore.sk_wkeys, wkey, &where); 1589 avl_insert(&spa->spa_keystore.sk_wkeys, wkey, where); 1590 } else if (wkey != NULL) { 1591 dsl_wrapping_key_rele(wkey, FTAG); 1592 } 1593 1594 rw_exit(&spa->spa_keystore.sk_wkeys_lock); 1595 1596 dsl_dataset_rele(ds, FTAG); 1597 } 1598 1599 int 1600 spa_keystore_change_key(const char *dsname, dsl_crypto_params_t *dcp) 1601 { 1602 spa_keystore_change_key_args_t skcka; 1603 1604 /* initialize the args struct */ 1605 skcka.skcka_dsname = dsname; 1606 skcka.skcka_cp = dcp; 1607 1608 /* 1609 * Perform the actual work in syncing context. The blocks modified 1610 * here could be calculated but it would require holding the pool 1611 * lock and traversing all of the datasets that will have their keys 1612 * changed. 1613 */ 1614 return (dsl_sync_task(dsname, spa_keystore_change_key_check, 1615 spa_keystore_change_key_sync, &skcka, 15, 1616 ZFS_SPACE_CHECK_RESERVED)); 1617 } 1618 1619 int 1620 dsl_dir_rename_crypt_check(dsl_dir_t *dd, dsl_dir_t *newparent) 1621 { 1622 int ret; 1623 uint64_t curr_rddobj, parent_rddobj; 1624 1625 if (dd->dd_crypto_obj == 0) 1626 return (0); 1627 1628 ret = dsl_dir_get_encryption_root_ddobj(dd, &curr_rddobj); 1629 if (ret != 0) 1630 goto error; 1631 1632 /* 1633 * if this is not an encryption root, we must make sure we are not 1634 * moving dd to a new encryption root 1635 */ 1636 if (dd->dd_object != curr_rddobj) { 1637 ret = dsl_dir_get_encryption_root_ddobj(newparent, 1638 &parent_rddobj); 1639 if (ret != 0) 1640 goto error; 1641 1642 if (parent_rddobj != curr_rddobj) { 1643 ret = SET_ERROR(EACCES); 1644 goto error; 1645 } 1646 } 1647 1648 return (0); 1649 1650 error: 1651 return (ret); 1652 } 1653 1654 /* 1655 * Check to make sure that a promote from targetdd to origindd will not require 1656 * any key rewraps. 1657 */ 1658 int 1659 dsl_dataset_promote_crypt_check(dsl_dir_t *target, dsl_dir_t *origin) 1660 { 1661 int ret; 1662 uint64_t rddobj, op_rddobj, tp_rddobj; 1663 1664 /* If the dataset is not encrypted we don't need to check anything */ 1665 if (origin->dd_crypto_obj == 0) 1666 return (0); 1667 1668 /* 1669 * If we are not changing the first origin snapshot in a chain 1670 * the encryption root won't change either. 1671 */ 1672 if (dsl_dir_is_clone(origin)) 1673 return (0); 1674 1675 /* 1676 * If the origin is the encryption root we will update 1677 * the DSL Crypto Key to point to the target instead. 1678 */ 1679 ret = dsl_dir_get_encryption_root_ddobj(origin, &rddobj); 1680 if (ret != 0) 1681 return (ret); 1682 1683 if (rddobj == origin->dd_object) 1684 return (0); 1685 1686 /* 1687 * The origin is inheriting its encryption root from its parent. 1688 * Check that the parent of the target has the same encryption root. 1689 */ 1690 ret = dsl_dir_get_encryption_root_ddobj(origin->dd_parent, &op_rddobj); 1691 if (ret == ENOENT) 1692 return (SET_ERROR(EACCES)); 1693 else if (ret != 0) 1694 return (ret); 1695 1696 ret = dsl_dir_get_encryption_root_ddobj(target->dd_parent, &tp_rddobj); 1697 if (ret == ENOENT) 1698 return (SET_ERROR(EACCES)); 1699 else if (ret != 0) 1700 return (ret); 1701 1702 if (op_rddobj != tp_rddobj) 1703 return (SET_ERROR(EACCES)); 1704 1705 return (0); 1706 } 1707 1708 void 1709 dsl_dataset_promote_crypt_sync(dsl_dir_t *target, dsl_dir_t *origin, 1710 dmu_tx_t *tx) 1711 { 1712 uint64_t rddobj; 1713 dsl_pool_t *dp = target->dd_pool; 1714 dsl_dataset_t *targetds; 1715 dsl_dataset_t *originds; 1716 char *keylocation; 1717 1718 if (origin->dd_crypto_obj == 0) 1719 return; 1720 if (dsl_dir_is_clone(origin)) 1721 return; 1722 1723 VERIFY0(dsl_dir_get_encryption_root_ddobj(origin, &rddobj)); 1724 1725 if (rddobj != origin->dd_object) 1726 return; 1727 1728 /* 1729 * If the target is being promoted to the encryption root update the 1730 * DSL Crypto Key and keylocation to reflect that. We also need to 1731 * update the DSL Crypto Keys of all children inheritting their 1732 * encryption root to point to the new target. Otherwise, the check 1733 * function ensured that the encryption root will not change. 1734 */ 1735 keylocation = kmem_alloc(ZAP_MAXVALUELEN, KM_SLEEP); 1736 1737 VERIFY0(dsl_dataset_hold_obj(dp, 1738 dsl_dir_phys(target)->dd_head_dataset_obj, FTAG, &targetds)); 1739 VERIFY0(dsl_dataset_hold_obj(dp, 1740 dsl_dir_phys(origin)->dd_head_dataset_obj, FTAG, &originds)); 1741 1742 VERIFY0(dsl_prop_get_dd(origin, zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1743 1, ZAP_MAXVALUELEN, keylocation, NULL, B_FALSE)); 1744 dsl_prop_set_sync_impl(targetds, zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1745 ZPROP_SRC_LOCAL, 1, strlen(keylocation) + 1, keylocation, tx); 1746 dsl_prop_set_sync_impl(originds, zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 1747 ZPROP_SRC_NONE, 0, 0, NULL, tx); 1748 1749 rw_enter(&dp->dp_spa->spa_keystore.sk_wkeys_lock, RW_WRITER); 1750 spa_keystore_change_key_sync_impl(rddobj, origin->dd_object, 1751 target->dd_object, NULL, B_FALSE, tx); 1752 rw_exit(&dp->dp_spa->spa_keystore.sk_wkeys_lock); 1753 1754 dsl_dataset_rele(targetds, FTAG); 1755 dsl_dataset_rele(originds, FTAG); 1756 kmem_free(keylocation, ZAP_MAXVALUELEN); 1757 } 1758 1759 int 1760 dmu_objset_create_crypt_check(dsl_dir_t *parentdd, dsl_crypto_params_t *dcp, 1761 boolean_t *will_encrypt) 1762 { 1763 int ret; 1764 uint64_t pcrypt, crypt; 1765 dsl_crypto_params_t dummy_dcp = { 0 }; 1766 1767 if (will_encrypt != NULL) 1768 *will_encrypt = B_FALSE; 1769 1770 if (dcp == NULL) 1771 dcp = &dummy_dcp; 1772 1773 if (dcp->cp_cmd != DCP_CMD_NONE) 1774 return (SET_ERROR(EINVAL)); 1775 1776 if (parentdd != NULL) { 1777 ret = dsl_dir_get_crypt(parentdd, &pcrypt); 1778 if (ret != 0) 1779 return (ret); 1780 } else { 1781 pcrypt = ZIO_CRYPT_OFF; 1782 } 1783 1784 crypt = (dcp->cp_crypt == ZIO_CRYPT_INHERIT) ? pcrypt : dcp->cp_crypt; 1785 1786 ASSERT3U(pcrypt, !=, ZIO_CRYPT_INHERIT); 1787 ASSERT3U(crypt, !=, ZIO_CRYPT_INHERIT); 1788 1789 /* check for valid dcp with no encryption (inherited or local) */ 1790 if (crypt == ZIO_CRYPT_OFF) { 1791 /* Must not specify encryption params */ 1792 if (dcp->cp_wkey != NULL || 1793 (dcp->cp_keylocation != NULL && 1794 strcmp(dcp->cp_keylocation, "none") != 0)) 1795 return (SET_ERROR(EINVAL)); 1796 1797 return (0); 1798 } 1799 1800 if (will_encrypt != NULL) 1801 *will_encrypt = B_TRUE; 1802 1803 /* 1804 * We will now definitely be encrypting. Check the feature flag. When 1805 * creating the pool the caller will check this for us since we won't 1806 * technically have the feature activated yet. 1807 */ 1808 if (parentdd != NULL && 1809 !spa_feature_is_enabled(parentdd->dd_pool->dp_spa, 1810 SPA_FEATURE_ENCRYPTION)) { 1811 return (SET_ERROR(EOPNOTSUPP)); 1812 } 1813 1814 /* Check for errata #4 (encryption enabled, bookmark_v2 disabled) */ 1815 if (parentdd != NULL && 1816 !spa_feature_is_enabled(parentdd->dd_pool->dp_spa, 1817 SPA_FEATURE_BOOKMARK_V2)) { 1818 return (SET_ERROR(EOPNOTSUPP)); 1819 } 1820 1821 /* handle inheritance */ 1822 if (dcp->cp_wkey == NULL) { 1823 ASSERT3P(parentdd, !=, NULL); 1824 1825 /* key must be fully unspecified */ 1826 if (dcp->cp_keylocation != NULL) 1827 return (SET_ERROR(EINVAL)); 1828 1829 /* parent must have a key to inherit */ 1830 if (pcrypt == ZIO_CRYPT_OFF) 1831 return (SET_ERROR(EINVAL)); 1832 1833 /* check for parent key */ 1834 ret = dmu_objset_check_wkey_loaded(parentdd); 1835 if (ret != 0) 1836 return (ret); 1837 1838 return (0); 1839 } 1840 1841 /* At this point we should have a fully specified key. Check location */ 1842 if (dcp->cp_keylocation == NULL || 1843 !zfs_prop_valid_keylocation(dcp->cp_keylocation, B_TRUE)) 1844 return (SET_ERROR(EINVAL)); 1845 1846 /* Must have fully specified keyformat */ 1847 switch (dcp->cp_wkey->wk_keyformat) { 1848 case ZFS_KEYFORMAT_HEX: 1849 case ZFS_KEYFORMAT_RAW: 1850 /* requires no pbkdf2 iters and salt */ 1851 if (dcp->cp_wkey->wk_salt != 0 || dcp->cp_wkey->wk_iters != 0) 1852 return (SET_ERROR(EINVAL)); 1853 break; 1854 case ZFS_KEYFORMAT_PASSPHRASE: 1855 /* requires pbkdf2 iters and salt */ 1856 if (dcp->cp_wkey->wk_salt == 0 || 1857 dcp->cp_wkey->wk_iters < MIN_PBKDF2_ITERATIONS) 1858 return (SET_ERROR(EINVAL)); 1859 break; 1860 case ZFS_KEYFORMAT_NONE: 1861 default: 1862 /* keyformat must be specified and valid */ 1863 return (SET_ERROR(EINVAL)); 1864 } 1865 1866 return (0); 1867 } 1868 1869 void 1870 dsl_dataset_create_crypt_sync(uint64_t dsobj, dsl_dir_t *dd, 1871 dsl_dataset_t *origin, dsl_crypto_params_t *dcp, dmu_tx_t *tx) 1872 { 1873 dsl_pool_t *dp = dd->dd_pool; 1874 uint64_t crypt; 1875 dsl_wrapping_key_t *wkey; 1876 1877 /* clones always use their origin's wrapping key */ 1878 if (dsl_dir_is_clone(dd)) { 1879 ASSERT3P(dcp, ==, NULL); 1880 1881 /* 1882 * If this is an encrypted clone we just need to clone the 1883 * dck into dd. Zapify the dd so we can do that. 1884 */ 1885 if (origin->ds_dir->dd_crypto_obj != 0) { 1886 dmu_buf_will_dirty(dd->dd_dbuf, tx); 1887 dsl_dir_zapify(dd, tx); 1888 1889 dd->dd_crypto_obj = 1890 dsl_crypto_key_clone_sync(origin->ds_dir, tx); 1891 VERIFY0(zap_add(dp->dp_meta_objset, dd->dd_object, 1892 DD_FIELD_CRYPTO_KEY_OBJ, sizeof (uint64_t), 1, 1893 &dd->dd_crypto_obj, tx)); 1894 } 1895 1896 return; 1897 } 1898 1899 /* 1900 * A NULL dcp at this point indicates this is the origin dataset 1901 * which does not have an objset to encrypt. Raw receives will handle 1902 * encryption separately later. In both cases we can simply return. 1903 */ 1904 if (dcp == NULL || dcp->cp_cmd == DCP_CMD_RAW_RECV) 1905 return; 1906 1907 crypt = dcp->cp_crypt; 1908 wkey = dcp->cp_wkey; 1909 1910 /* figure out the effective crypt */ 1911 if (crypt == ZIO_CRYPT_INHERIT && dd->dd_parent != NULL) 1912 VERIFY0(dsl_dir_get_crypt(dd->dd_parent, &crypt)); 1913 1914 /* if we aren't doing encryption just return */ 1915 if (crypt == ZIO_CRYPT_OFF || crypt == ZIO_CRYPT_INHERIT) 1916 return; 1917 1918 /* zapify the dd so that we can add the crypto key obj to it */ 1919 dmu_buf_will_dirty(dd->dd_dbuf, tx); 1920 dsl_dir_zapify(dd, tx); 1921 1922 /* use the new key if given or inherit from the parent */ 1923 if (wkey == NULL) { 1924 VERIFY0(spa_keystore_wkey_hold_dd(dp->dp_spa, 1925 dd->dd_parent, FTAG, &wkey)); 1926 } else { 1927 wkey->wk_ddobj = dd->dd_object; 1928 } 1929 1930 ASSERT3P(wkey, !=, NULL); 1931 1932 /* Create or clone the DSL crypto key and activate the feature */ 1933 dd->dd_crypto_obj = dsl_crypto_key_create_sync(crypt, wkey, tx); 1934 VERIFY0(zap_add(dp->dp_meta_objset, dd->dd_object, 1935 DD_FIELD_CRYPTO_KEY_OBJ, sizeof (uint64_t), 1, &dd->dd_crypto_obj, 1936 tx)); 1937 dsl_dataset_activate_feature(dsobj, SPA_FEATURE_ENCRYPTION, 1938 (void *)B_TRUE, tx); 1939 1940 /* 1941 * If we inherited the wrapping key we release our reference now. 1942 * Otherwise, this is a new key and we need to load it into the 1943 * keystore. 1944 */ 1945 if (dcp->cp_wkey == NULL) { 1946 dsl_wrapping_key_rele(wkey, FTAG); 1947 } else { 1948 VERIFY0(spa_keystore_load_wkey_impl(dp->dp_spa, wkey)); 1949 } 1950 } 1951 1952 typedef struct dsl_crypto_recv_key_arg { 1953 uint64_t dcrka_dsobj; 1954 uint64_t dcrka_fromobj; 1955 dmu_objset_type_t dcrka_ostype; 1956 nvlist_t *dcrka_nvl; 1957 boolean_t dcrka_do_key; 1958 } dsl_crypto_recv_key_arg_t; 1959 1960 static int 1961 dsl_crypto_recv_raw_objset_check(dsl_dataset_t *ds, dsl_dataset_t *fromds, 1962 dmu_objset_type_t ostype, nvlist_t *nvl, dmu_tx_t *tx) 1963 { 1964 int ret; 1965 objset_t *os; 1966 dnode_t *mdn; 1967 uint8_t *buf = NULL; 1968 uint_t len; 1969 uint64_t intval, nlevels, blksz, ibs; 1970 uint64_t nblkptr, maxblkid; 1971 1972 if (ostype != DMU_OST_ZFS && ostype != DMU_OST_ZVOL) 1973 return (SET_ERROR(EINVAL)); 1974 1975 /* raw receives also need info about the structure of the metadnode */ 1976 ret = nvlist_lookup_uint64(nvl, "mdn_compress", &intval); 1977 if (ret != 0 || intval >= ZIO_COMPRESS_LEGACY_FUNCTIONS) 1978 return (SET_ERROR(EINVAL)); 1979 1980 ret = nvlist_lookup_uint64(nvl, "mdn_checksum", &intval); 1981 if (ret != 0 || intval >= ZIO_CHECKSUM_LEGACY_FUNCTIONS) 1982 return (SET_ERROR(EINVAL)); 1983 1984 ret = nvlist_lookup_uint64(nvl, "mdn_nlevels", &nlevels); 1985 if (ret != 0 || nlevels > DN_MAX_LEVELS) 1986 return (SET_ERROR(EINVAL)); 1987 1988 ret = nvlist_lookup_uint64(nvl, "mdn_blksz", &blksz); 1989 if (ret != 0 || blksz < SPA_MINBLOCKSIZE) 1990 return (SET_ERROR(EINVAL)); 1991 else if (blksz > spa_maxblocksize(tx->tx_pool->dp_spa)) 1992 return (SET_ERROR(ENOTSUP)); 1993 1994 ret = nvlist_lookup_uint64(nvl, "mdn_indblkshift", &ibs); 1995 if (ret != 0 || ibs < DN_MIN_INDBLKSHIFT || ibs > DN_MAX_INDBLKSHIFT) 1996 return (SET_ERROR(ENOTSUP)); 1997 1998 ret = nvlist_lookup_uint64(nvl, "mdn_nblkptr", &nblkptr); 1999 if (ret != 0 || nblkptr != DN_MAX_NBLKPTR) 2000 return (SET_ERROR(ENOTSUP)); 2001 2002 ret = nvlist_lookup_uint64(nvl, "mdn_maxblkid", &maxblkid); 2003 if (ret != 0) 2004 return (SET_ERROR(EINVAL)); 2005 2006 ret = nvlist_lookup_uint8_array(nvl, "portable_mac", &buf, &len); 2007 if (ret != 0 || len != ZIO_OBJSET_MAC_LEN) 2008 return (SET_ERROR(EINVAL)); 2009 2010 ret = dmu_objset_from_ds(ds, &os); 2011 if (ret != 0) 2012 return (ret); 2013 2014 /* 2015 * Useraccounting is not portable and must be done with the keys loaded. 2016 * Therefore, whenever we do any kind of receive the useraccounting 2017 * must not be present. 2018 */ 2019 ASSERT0(os->os_flags & OBJSET_FLAG_USERACCOUNTING_COMPLETE); 2020 ASSERT0(os->os_flags & OBJSET_FLAG_USEROBJACCOUNTING_COMPLETE); 2021 2022 mdn = DMU_META_DNODE(os); 2023 2024 /* 2025 * If we already created the objset, make sure its unchangeable 2026 * properties match the ones received in the nvlist. 2027 */ 2028 rrw_enter(&ds->ds_bp_rwlock, RW_READER, FTAG); 2029 if (!BP_IS_HOLE(dsl_dataset_get_blkptr(ds)) && 2030 (mdn->dn_nlevels != nlevels || mdn->dn_datablksz != blksz || 2031 mdn->dn_indblkshift != ibs || mdn->dn_nblkptr != nblkptr)) { 2032 rrw_exit(&ds->ds_bp_rwlock, FTAG); 2033 return (SET_ERROR(EINVAL)); 2034 } 2035 rrw_exit(&ds->ds_bp_rwlock, FTAG); 2036 2037 /* 2038 * Check that the ivset guid of the fromds matches the one from the 2039 * send stream. Older versions of the encryption code did not have 2040 * an ivset guid on the from dataset and did not send one in the 2041 * stream. For these streams we provide the 2042 * zfs_disable_ivset_guid_check tunable to allow these datasets to 2043 * be received with a generated ivset guid. 2044 */ 2045 if (fromds != NULL && !zfs_disable_ivset_guid_check) { 2046 uint64_t from_ivset_guid = 0; 2047 intval = 0; 2048 2049 (void) nvlist_lookup_uint64(nvl, "from_ivset_guid", &intval); 2050 (void) zap_lookup(tx->tx_pool->dp_meta_objset, 2051 fromds->ds_object, DS_FIELD_IVSET_GUID, 2052 sizeof (from_ivset_guid), 1, &from_ivset_guid); 2053 2054 if (intval == 0 || from_ivset_guid == 0) 2055 return (SET_ERROR(ZFS_ERR_FROM_IVSET_GUID_MISSING)); 2056 2057 if (intval != from_ivset_guid) 2058 return (SET_ERROR(ZFS_ERR_FROM_IVSET_GUID_MISMATCH)); 2059 } 2060 2061 return (0); 2062 } 2063 2064 static void 2065 dsl_crypto_recv_raw_objset_sync(dsl_dataset_t *ds, dmu_objset_type_t ostype, 2066 nvlist_t *nvl, dmu_tx_t *tx) 2067 { 2068 dsl_pool_t *dp = tx->tx_pool; 2069 objset_t *os; 2070 dnode_t *mdn; 2071 zio_t *zio; 2072 uint8_t *portable_mac; 2073 uint_t len; 2074 uint64_t compress, checksum, nlevels, blksz, ibs, maxblkid; 2075 boolean_t newds = B_FALSE; 2076 2077 VERIFY0(dmu_objset_from_ds(ds, &os)); 2078 mdn = DMU_META_DNODE(os); 2079 2080 /* 2081 * Fetch the values we need from the nvlist. "to_ivset_guid" must 2082 * be set on the snapshot, which doesn't exist yet. The receive 2083 * code will take care of this for us later. 2084 */ 2085 compress = fnvlist_lookup_uint64(nvl, "mdn_compress"); 2086 checksum = fnvlist_lookup_uint64(nvl, "mdn_checksum"); 2087 nlevels = fnvlist_lookup_uint64(nvl, "mdn_nlevels"); 2088 blksz = fnvlist_lookup_uint64(nvl, "mdn_blksz"); 2089 ibs = fnvlist_lookup_uint64(nvl, "mdn_indblkshift"); 2090 maxblkid = fnvlist_lookup_uint64(nvl, "mdn_maxblkid"); 2091 VERIFY0(nvlist_lookup_uint8_array(nvl, "portable_mac", &portable_mac, 2092 &len)); 2093 2094 /* if we haven't created an objset for the ds yet, do that now */ 2095 rrw_enter(&ds->ds_bp_rwlock, RW_READER, FTAG); 2096 if (BP_IS_HOLE(dsl_dataset_get_blkptr(ds))) { 2097 (void) dmu_objset_create_impl_dnstats(dp->dp_spa, ds, 2098 dsl_dataset_get_blkptr(ds), ostype, nlevels, blksz, 2099 ibs, tx); 2100 newds = B_TRUE; 2101 } 2102 rrw_exit(&ds->ds_bp_rwlock, FTAG); 2103 2104 /* 2105 * Set the portable MAC. The local MAC will always be zero since the 2106 * incoming data will all be portable and user accounting will be 2107 * deferred until the next mount. Afterwards, flag the os to be 2108 * written out raw next time. 2109 */ 2110 arc_release(os->os_phys_buf, &os->os_phys_buf); 2111 bcopy(portable_mac, os->os_phys->os_portable_mac, ZIO_OBJSET_MAC_LEN); 2112 bzero(os->os_phys->os_local_mac, ZIO_OBJSET_MAC_LEN); 2113 os->os_next_write_raw[tx->tx_txg & TXG_MASK] = B_TRUE; 2114 2115 /* set metadnode compression and checksum */ 2116 mdn->dn_compress = compress; 2117 mdn->dn_checksum = checksum; 2118 2119 rw_enter(&mdn->dn_struct_rwlock, RW_WRITER); 2120 dnode_new_blkid(mdn, maxblkid, tx, B_FALSE, B_TRUE); 2121 rw_exit(&mdn->dn_struct_rwlock); 2122 2123 /* 2124 * We can't normally dirty the dataset in syncing context unless 2125 * we are creating a new dataset. In this case, we perform a 2126 * pseudo txg sync here instead. 2127 */ 2128 if (newds) { 2129 dsl_dataset_dirty(ds, tx); 2130 } else { 2131 zio = zio_root(dp->dp_spa, NULL, NULL, ZIO_FLAG_MUSTSUCCEED); 2132 dsl_dataset_sync(ds, zio, tx); 2133 VERIFY0(zio_wait(zio)); 2134 2135 /* dsl_dataset_sync_done will drop this reference. */ 2136 dmu_buf_add_ref(ds->ds_dbuf, ds); 2137 dsl_dataset_sync_done(ds, tx); 2138 } 2139 } 2140 2141 int 2142 dsl_crypto_recv_raw_key_check(dsl_dataset_t *ds, nvlist_t *nvl, dmu_tx_t *tx) 2143 { 2144 int ret; 2145 objset_t *mos = tx->tx_pool->dp_meta_objset; 2146 uint8_t *buf = NULL; 2147 uint_t len; 2148 uint64_t intval, key_guid, version; 2149 boolean_t is_passphrase = B_FALSE; 2150 2151 ASSERT(dsl_dataset_phys(ds)->ds_flags & DS_FLAG_INCONSISTENT); 2152 2153 /* 2154 * Read and check all the encryption values from the nvlist. We need 2155 * all of the fields of a DSL Crypto Key, as well as a fully specified 2156 * wrapping key. 2157 */ 2158 ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE, &intval); 2159 if (ret != 0 || intval >= ZIO_CRYPT_FUNCTIONS || 2160 intval <= ZIO_CRYPT_OFF) 2161 return (SET_ERROR(EINVAL)); 2162 2163 ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_GUID, &intval); 2164 if (ret != 0) 2165 return (SET_ERROR(EINVAL)); 2166 2167 /* 2168 * If this is an incremental receive make sure the given key guid 2169 * matches the one we already have. 2170 */ 2171 if (ds->ds_dir->dd_crypto_obj != 0) { 2172 ret = zap_lookup(mos, ds->ds_dir->dd_crypto_obj, 2173 DSL_CRYPTO_KEY_GUID, 8, 1, &key_guid); 2174 if (ret != 0) 2175 return (ret); 2176 if (intval != key_guid) 2177 return (SET_ERROR(EACCES)); 2178 } 2179 2180 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY, 2181 &buf, &len); 2182 if (ret != 0 || len != MASTER_KEY_MAX_LEN) 2183 return (SET_ERROR(EINVAL)); 2184 2185 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY, 2186 &buf, &len); 2187 if (ret != 0 || len != SHA512_HMAC_KEYLEN) 2188 return (SET_ERROR(EINVAL)); 2189 2190 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_IV, &buf, &len); 2191 if (ret != 0 || len != WRAPPING_IV_LEN) 2192 return (SET_ERROR(EINVAL)); 2193 2194 ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, &buf, &len); 2195 if (ret != 0 || len != WRAPPING_MAC_LEN) 2196 return (SET_ERROR(EINVAL)); 2197 2198 /* 2199 * We don't support receiving old on-disk formats. The version 0 2200 * implementation protected several fields in an objset that were 2201 * not always portable during a raw receive. As a result, we call 2202 * the old version an on-disk errata #3. 2203 */ 2204 ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_VERSION, &version); 2205 if (ret != 0 || version != ZIO_CRYPT_KEY_CURRENT_VERSION) 2206 return (SET_ERROR(ENOTSUP)); 2207 2208 ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 2209 &intval); 2210 if (ret != 0 || intval >= ZFS_KEYFORMAT_FORMATS || 2211 intval == ZFS_KEYFORMAT_NONE) 2212 return (SET_ERROR(EINVAL)); 2213 2214 is_passphrase = (intval == ZFS_KEYFORMAT_PASSPHRASE); 2215 2216 /* 2217 * for raw receives we allow any number of pbkdf2iters since there 2218 * won't be a chance for the user to change it. 2219 */ 2220 ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 2221 &intval); 2222 if (ret != 0 || (is_passphrase == (intval == 0))) 2223 return (SET_ERROR(EINVAL)); 2224 2225 ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 2226 &intval); 2227 if (ret != 0 || (is_passphrase == (intval == 0))) 2228 return (SET_ERROR(EINVAL)); 2229 2230 return (0); 2231 } 2232 2233 void 2234 dsl_crypto_recv_raw_key_sync(dsl_dataset_t *ds, nvlist_t *nvl, dmu_tx_t *tx) 2235 { 2236 dsl_pool_t *dp = tx->tx_pool; 2237 objset_t *mos = dp->dp_meta_objset; 2238 dsl_dir_t *dd = ds->ds_dir; 2239 uint_t len; 2240 uint64_t rddobj, one = 1; 2241 uint8_t *keydata, *hmac_keydata, *iv, *mac; 2242 uint64_t crypt, key_guid, keyformat, iters, salt; 2243 uint64_t version = ZIO_CRYPT_KEY_CURRENT_VERSION; 2244 char *keylocation = "prompt"; 2245 2246 /* lookup the values we need to create the DSL Crypto Key */ 2247 crypt = fnvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE); 2248 key_guid = fnvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_GUID); 2249 keyformat = fnvlist_lookup_uint64(nvl, 2250 zfs_prop_to_name(ZFS_PROP_KEYFORMAT)); 2251 iters = fnvlist_lookup_uint64(nvl, 2252 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS)); 2253 salt = fnvlist_lookup_uint64(nvl, 2254 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT)); 2255 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY, 2256 &keydata, &len)); 2257 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY, 2258 &hmac_keydata, &len)); 2259 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_IV, &iv, &len)); 2260 VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, &mac, &len)); 2261 2262 /* if this is a new dataset setup the DSL Crypto Key. */ 2263 if (dd->dd_crypto_obj == 0) { 2264 /* zapify the dsl dir so we can add the key object to it */ 2265 dmu_buf_will_dirty(dd->dd_dbuf, tx); 2266 dsl_dir_zapify(dd, tx); 2267 2268 /* create the DSL Crypto Key on disk and activate the feature */ 2269 dd->dd_crypto_obj = zap_create(mos, 2270 DMU_OTN_ZAP_METADATA, DMU_OT_NONE, 0, tx); 2271 VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, 2272 dd->dd_crypto_obj, DSL_CRYPTO_KEY_REFCOUNT, 2273 sizeof (uint64_t), 1, &one, tx)); 2274 VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, 2275 dd->dd_crypto_obj, DSL_CRYPTO_KEY_VERSION, 2276 sizeof (uint64_t), 1, &version, tx)); 2277 2278 dsl_dataset_activate_feature(ds->ds_object, 2279 SPA_FEATURE_ENCRYPTION, (void *)B_TRUE, tx); 2280 ds->ds_feature[SPA_FEATURE_ENCRYPTION] = (void *)B_TRUE; 2281 2282 /* save the dd_crypto_obj on disk */ 2283 VERIFY0(zap_add(mos, dd->dd_object, DD_FIELD_CRYPTO_KEY_OBJ, 2284 sizeof (uint64_t), 1, &dd->dd_crypto_obj, tx)); 2285 2286 /* 2287 * Set the keylocation to prompt by default. If keylocation 2288 * has been provided via the properties, this will be overridden 2289 * later. 2290 */ 2291 dsl_prop_set_sync_impl(ds, 2292 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), 2293 ZPROP_SRC_LOCAL, 1, strlen(keylocation) + 1, 2294 keylocation, tx); 2295 2296 rddobj = dd->dd_object; 2297 } else { 2298 VERIFY0(dsl_dir_get_encryption_root_ddobj(dd, &rddobj)); 2299 } 2300 2301 /* sync the key data to the ZAP object on disk */ 2302 dsl_crypto_key_sync_impl(mos, dd->dd_crypto_obj, crypt, 2303 rddobj, key_guid, iv, mac, keydata, hmac_keydata, keyformat, salt, 2304 iters, tx); 2305 } 2306 2307 static int 2308 dsl_crypto_recv_key_check(void *arg, dmu_tx_t *tx) 2309 { 2310 int ret; 2311 dsl_crypto_recv_key_arg_t *dcrka = arg; 2312 dsl_dataset_t *ds = NULL, *fromds = NULL; 2313 2314 ret = dsl_dataset_hold_obj(tx->tx_pool, dcrka->dcrka_dsobj, 2315 FTAG, &ds); 2316 if (ret != 0) 2317 goto out; 2318 2319 if (dcrka->dcrka_fromobj != 0) { 2320 ret = dsl_dataset_hold_obj(tx->tx_pool, dcrka->dcrka_fromobj, 2321 FTAG, &fromds); 2322 if (ret != 0) 2323 goto out; 2324 } 2325 2326 ret = dsl_crypto_recv_raw_objset_check(ds, fromds, 2327 dcrka->dcrka_ostype, dcrka->dcrka_nvl, tx); 2328 if (ret != 0) 2329 goto out; 2330 2331 /* 2332 * We run this check even if we won't be doing this part of 2333 * the receive now so that we don't make the user wait until 2334 * the receive finishes to fail. 2335 */ 2336 ret = dsl_crypto_recv_raw_key_check(ds, dcrka->dcrka_nvl, tx); 2337 if (ret != 0) 2338 goto out; 2339 2340 out: 2341 if (ds != NULL) 2342 dsl_dataset_rele(ds, FTAG); 2343 if (fromds != NULL) 2344 dsl_dataset_rele(fromds, FTAG); 2345 return (ret); 2346 } 2347 2348 static void 2349 dsl_crypto_recv_key_sync(void *arg, dmu_tx_t *tx) 2350 { 2351 dsl_crypto_recv_key_arg_t *dcrka = arg; 2352 dsl_dataset_t *ds; 2353 2354 VERIFY0(dsl_dataset_hold_obj(tx->tx_pool, dcrka->dcrka_dsobj, 2355 FTAG, &ds)); 2356 dsl_crypto_recv_raw_objset_sync(ds, dcrka->dcrka_ostype, 2357 dcrka->dcrka_nvl, tx); 2358 if (dcrka->dcrka_do_key) 2359 dsl_crypto_recv_raw_key_sync(ds, dcrka->dcrka_nvl, tx); 2360 dsl_dataset_rele(ds, FTAG); 2361 } 2362 2363 /* 2364 * This function is used to sync an nvlist representing a DSL Crypto Key and 2365 * the associated encryption parameters. The key will be written exactly as is 2366 * without wrapping it. 2367 */ 2368 int 2369 dsl_crypto_recv_raw(const char *poolname, uint64_t dsobj, uint64_t fromobj, 2370 dmu_objset_type_t ostype, nvlist_t *nvl, boolean_t do_key) 2371 { 2372 dsl_crypto_recv_key_arg_t dcrka; 2373 2374 dcrka.dcrka_dsobj = dsobj; 2375 dcrka.dcrka_fromobj = fromobj; 2376 dcrka.dcrka_ostype = ostype; 2377 dcrka.dcrka_nvl = nvl; 2378 dcrka.dcrka_do_key = do_key; 2379 2380 return (dsl_sync_task(poolname, dsl_crypto_recv_key_check, 2381 dsl_crypto_recv_key_sync, &dcrka, 1, ZFS_SPACE_CHECK_NORMAL)); 2382 } 2383 2384 int 2385 dsl_crypto_populate_key_nvlist(objset_t *os, uint64_t from_ivset_guid, 2386 nvlist_t **nvl_out) 2387 { 2388 int ret; 2389 dsl_dataset_t *ds = os->os_dsl_dataset; 2390 dnode_t *mdn; 2391 uint64_t rddobj; 2392 nvlist_t *nvl = NULL; 2393 uint64_t dckobj = ds->ds_dir->dd_crypto_obj; 2394 dsl_dir_t *rdd = NULL; 2395 dsl_pool_t *dp = ds->ds_dir->dd_pool; 2396 objset_t *mos = dp->dp_meta_objset; 2397 uint64_t crypt = 0, key_guid = 0, format = 0; 2398 uint64_t iters = 0, salt = 0, version = 0; 2399 uint64_t to_ivset_guid = 0; 2400 uint8_t raw_keydata[MASTER_KEY_MAX_LEN]; 2401 uint8_t raw_hmac_keydata[SHA512_HMAC_KEYLEN]; 2402 uint8_t iv[WRAPPING_IV_LEN]; 2403 uint8_t mac[WRAPPING_MAC_LEN]; 2404 2405 ASSERT(dckobj != 0); 2406 2407 mdn = DMU_META_DNODE(os); 2408 2409 nvl = fnvlist_alloc(); 2410 2411 /* lookup values from the DSL Crypto Key */ 2412 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_CRYPTO_SUITE, 8, 1, 2413 &crypt); 2414 if (ret != 0) 2415 goto error; 2416 2417 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_GUID, 8, 1, &key_guid); 2418 if (ret != 0) 2419 goto error; 2420 2421 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MASTER_KEY, 1, 2422 MASTER_KEY_MAX_LEN, raw_keydata); 2423 if (ret != 0) 2424 goto error; 2425 2426 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_HMAC_KEY, 1, 2427 SHA512_HMAC_KEYLEN, raw_hmac_keydata); 2428 if (ret != 0) 2429 goto error; 2430 2431 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_IV, 1, WRAPPING_IV_LEN, 2432 iv); 2433 if (ret != 0) 2434 goto error; 2435 2436 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_MAC, 1, WRAPPING_MAC_LEN, 2437 mac); 2438 if (ret != 0) 2439 goto error; 2440 2441 /* see zfs_disable_ivset_guid_check tunable for errata info */ 2442 ret = zap_lookup(mos, ds->ds_object, DS_FIELD_IVSET_GUID, 8, 1, 2443 &to_ivset_guid); 2444 if (ret != 0) 2445 ASSERT3U(dp->dp_spa->spa_errata, !=, 0); 2446 2447 /* 2448 * We don't support raw sends of legacy on-disk formats. See the 2449 * comment in dsl_crypto_recv_key_check() for details. 2450 */ 2451 ret = zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_VERSION, 8, 1, &version); 2452 if (ret != 0 || version != ZIO_CRYPT_KEY_CURRENT_VERSION) { 2453 dp->dp_spa->spa_errata = ZPOOL_ERRATA_ZOL_6845_ENCRYPTION; 2454 ret = SET_ERROR(ENOTSUP); 2455 goto error; 2456 } 2457 2458 /* 2459 * Lookup wrapping key properties. An early version of the code did 2460 * not correctly add these values to the wrapping key or the DSL 2461 * Crypto Key on disk for non encryption roots, so to be safe we 2462 * always take the slightly circuitous route of looking it up from 2463 * the encryption root's key. 2464 */ 2465 ret = dsl_dir_get_encryption_root_ddobj(ds->ds_dir, &rddobj); 2466 if (ret != 0) 2467 goto error; 2468 2469 dsl_pool_config_enter(dp, FTAG); 2470 2471 ret = dsl_dir_hold_obj(dp, rddobj, NULL, FTAG, &rdd); 2472 if (ret != 0) 2473 goto error_unlock; 2474 2475 ret = zap_lookup(dp->dp_meta_objset, rdd->dd_crypto_obj, 2476 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 8, 1, &format); 2477 if (ret != 0) 2478 goto error_unlock; 2479 2480 if (format == ZFS_KEYFORMAT_PASSPHRASE) { 2481 ret = zap_lookup(dp->dp_meta_objset, rdd->dd_crypto_obj, 2482 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 8, 1, &iters); 2483 if (ret != 0) 2484 goto error_unlock; 2485 2486 ret = zap_lookup(dp->dp_meta_objset, rdd->dd_crypto_obj, 2487 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 8, 1, &salt); 2488 if (ret != 0) 2489 goto error_unlock; 2490 } 2491 2492 dsl_dir_rele(rdd, FTAG); 2493 dsl_pool_config_exit(dp, FTAG); 2494 2495 fnvlist_add_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE, crypt); 2496 fnvlist_add_uint64(nvl, DSL_CRYPTO_KEY_GUID, key_guid); 2497 fnvlist_add_uint64(nvl, DSL_CRYPTO_KEY_VERSION, version); 2498 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY, 2499 raw_keydata, MASTER_KEY_MAX_LEN)); 2500 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY, 2501 raw_hmac_keydata, SHA512_HMAC_KEYLEN)); 2502 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_IV, iv, 2503 WRAPPING_IV_LEN)); 2504 VERIFY0(nvlist_add_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, mac, 2505 WRAPPING_MAC_LEN)); 2506 VERIFY0(nvlist_add_uint8_array(nvl, "portable_mac", 2507 os->os_phys->os_portable_mac, ZIO_OBJSET_MAC_LEN)); 2508 fnvlist_add_uint64(nvl, zfs_prop_to_name(ZFS_PROP_KEYFORMAT), format); 2509 fnvlist_add_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), iters); 2510 fnvlist_add_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), salt); 2511 fnvlist_add_uint64(nvl, "mdn_checksum", mdn->dn_checksum); 2512 fnvlist_add_uint64(nvl, "mdn_compress", mdn->dn_compress); 2513 fnvlist_add_uint64(nvl, "mdn_nlevels", mdn->dn_nlevels); 2514 fnvlist_add_uint64(nvl, "mdn_blksz", mdn->dn_datablksz); 2515 fnvlist_add_uint64(nvl, "mdn_indblkshift", mdn->dn_indblkshift); 2516 fnvlist_add_uint64(nvl, "mdn_nblkptr", mdn->dn_nblkptr); 2517 fnvlist_add_uint64(nvl, "mdn_maxblkid", mdn->dn_maxblkid); 2518 fnvlist_add_uint64(nvl, "to_ivset_guid", to_ivset_guid); 2519 fnvlist_add_uint64(nvl, "from_ivset_guid", from_ivset_guid); 2520 2521 *nvl_out = nvl; 2522 return (0); 2523 2524 error_unlock: 2525 dsl_pool_config_exit(dp, FTAG); 2526 error: 2527 if (rdd != NULL) 2528 dsl_dir_rele(rdd, FTAG); 2529 nvlist_free(nvl); 2530 2531 *nvl_out = NULL; 2532 return (ret); 2533 } 2534 2535 uint64_t 2536 dsl_crypto_key_create_sync(uint64_t crypt, dsl_wrapping_key_t *wkey, 2537 dmu_tx_t *tx) 2538 { 2539 dsl_crypto_key_t dck; 2540 uint64_t version = ZIO_CRYPT_KEY_CURRENT_VERSION; 2541 uint64_t one = 1ULL; 2542 2543 ASSERT(dmu_tx_is_syncing(tx)); 2544 ASSERT3U(crypt, <, ZIO_CRYPT_FUNCTIONS); 2545 ASSERT3U(crypt, >, ZIO_CRYPT_OFF); 2546 2547 /* create the DSL Crypto Key ZAP object */ 2548 dck.dck_obj = zap_create(tx->tx_pool->dp_meta_objset, 2549 DMU_OTN_ZAP_METADATA, DMU_OT_NONE, 0, tx); 2550 2551 /* fill in the key (on the stack) and sync it to disk */ 2552 dck.dck_wkey = wkey; 2553 VERIFY0(zio_crypt_key_init(crypt, &dck.dck_key)); 2554 2555 dsl_crypto_key_sync(&dck, tx); 2556 VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, dck.dck_obj, 2557 DSL_CRYPTO_KEY_REFCOUNT, sizeof (uint64_t), 1, &one, tx)); 2558 VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, dck.dck_obj, 2559 DSL_CRYPTO_KEY_VERSION, sizeof (uint64_t), 1, &version, tx)); 2560 2561 zio_crypt_key_destroy(&dck.dck_key); 2562 bzero(&dck.dck_key, sizeof (zio_crypt_key_t)); 2563 2564 return (dck.dck_obj); 2565 } 2566 2567 uint64_t 2568 dsl_crypto_key_clone_sync(dsl_dir_t *origindd, dmu_tx_t *tx) 2569 { 2570 objset_t *mos = tx->tx_pool->dp_meta_objset; 2571 2572 ASSERT(dmu_tx_is_syncing(tx)); 2573 2574 VERIFY0(zap_increment(mos, origindd->dd_crypto_obj, 2575 DSL_CRYPTO_KEY_REFCOUNT, 1, tx)); 2576 2577 return (origindd->dd_crypto_obj); 2578 } 2579 2580 void 2581 dsl_crypto_key_destroy_sync(uint64_t dckobj, dmu_tx_t *tx) 2582 { 2583 objset_t *mos = tx->tx_pool->dp_meta_objset; 2584 uint64_t refcnt; 2585 2586 /* Decrement the refcount, destroy if this is the last reference */ 2587 VERIFY0(zap_lookup(mos, dckobj, DSL_CRYPTO_KEY_REFCOUNT, 2588 sizeof (uint64_t), 1, &refcnt)); 2589 2590 if (refcnt != 1) { 2591 VERIFY0(zap_increment(mos, dckobj, DSL_CRYPTO_KEY_REFCOUNT, 2592 -1, tx)); 2593 } else { 2594 VERIFY0(zap_destroy(mos, dckobj, tx)); 2595 } 2596 } 2597 2598 void 2599 dsl_dataset_crypt_stats(dsl_dataset_t *ds, nvlist_t *nv) 2600 { 2601 uint64_t intval; 2602 dsl_dir_t *dd = ds->ds_dir; 2603 dsl_dir_t *enc_root; 2604 char buf[ZFS_MAX_DATASET_NAME_LEN]; 2605 2606 if (dd->dd_crypto_obj == 0) 2607 return; 2608 2609 intval = dsl_dataset_get_keystatus(dd); 2610 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_KEYSTATUS, intval); 2611 2612 if (dsl_dir_get_crypt(dd, &intval) == 0) 2613 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_ENCRYPTION, intval); 2614 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2615 DSL_CRYPTO_KEY_GUID, 8, 1, &intval) == 0) { 2616 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_KEY_GUID, intval); 2617 } 2618 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2619 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), 8, 1, &intval) == 0) { 2620 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_KEYFORMAT, intval); 2621 } 2622 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2623 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), 8, 1, &intval) == 0) { 2624 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_PBKDF2_SALT, intval); 2625 } 2626 if (zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, 2627 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), 8, 1, &intval) == 0) { 2628 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_PBKDF2_ITERS, intval); 2629 } 2630 if (zap_lookup(dd->dd_pool->dp_meta_objset, ds->ds_object, 2631 DS_FIELD_IVSET_GUID, 8, 1, &intval) == 0) { 2632 dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_IVSET_GUID, intval); 2633 } 2634 2635 if (dsl_dir_get_encryption_root_ddobj(dd, &intval) == 0) { 2636 if (dsl_dir_hold_obj(dd->dd_pool, intval, NULL, FTAG, 2637 &enc_root) == 0) { 2638 dsl_dir_name(enc_root, buf); 2639 dsl_dir_rele(enc_root, FTAG); 2640 dsl_prop_nvlist_add_string(nv, 2641 ZFS_PROP_ENCRYPTION_ROOT, buf); 2642 } 2643 } 2644 } 2645 2646 int 2647 spa_crypt_get_salt(spa_t *spa, uint64_t dsobj, uint8_t *salt) 2648 { 2649 int ret; 2650 dsl_crypto_key_t *dck = NULL; 2651 2652 /* look up the key from the spa's keystore */ 2653 ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck); 2654 if (ret != 0) 2655 goto error; 2656 2657 ret = zio_crypt_key_get_salt(&dck->dck_key, salt); 2658 if (ret != 0) 2659 goto error; 2660 2661 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2662 return (0); 2663 2664 error: 2665 if (dck != NULL) 2666 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2667 return (ret); 2668 } 2669 2670 /* 2671 * Objset blocks are a special case for MAC generation. These blocks have 2 2672 * 256-bit MACs which are embedded within the block itself, rather than a 2673 * single 128 bit MAC. As a result, this function handles encoding and decoding 2674 * the MACs on its own, unlike other functions in this file. 2675 */ 2676 int 2677 spa_do_crypt_objset_mac_abd(boolean_t generate, spa_t *spa, uint64_t dsobj, 2678 abd_t *abd, uint_t datalen, boolean_t byteswap) 2679 { 2680 int ret; 2681 dsl_crypto_key_t *dck = NULL; 2682 void *buf = abd_borrow_buf_copy(abd, datalen); 2683 objset_phys_t *osp = buf; 2684 uint8_t portable_mac[ZIO_OBJSET_MAC_LEN]; 2685 uint8_t local_mac[ZIO_OBJSET_MAC_LEN]; 2686 2687 /* look up the key from the spa's keystore */ 2688 ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck); 2689 if (ret != 0) 2690 goto error; 2691 2692 /* calculate both HMACs */ 2693 ret = zio_crypt_do_objset_hmacs(&dck->dck_key, buf, datalen, 2694 byteswap, portable_mac, local_mac); 2695 if (ret != 0) 2696 goto error; 2697 2698 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2699 2700 /* if we are generating encode the HMACs in the objset_phys_t */ 2701 if (generate) { 2702 bcopy(portable_mac, osp->os_portable_mac, ZIO_OBJSET_MAC_LEN); 2703 bcopy(local_mac, osp->os_local_mac, ZIO_OBJSET_MAC_LEN); 2704 abd_return_buf_copy(abd, buf, datalen); 2705 return (0); 2706 } 2707 2708 if (bcmp(portable_mac, osp->os_portable_mac, ZIO_OBJSET_MAC_LEN) != 0 || 2709 bcmp(local_mac, osp->os_local_mac, ZIO_OBJSET_MAC_LEN) != 0) { 2710 abd_return_buf(abd, buf, datalen); 2711 return (SET_ERROR(ECKSUM)); 2712 } 2713 2714 abd_return_buf(abd, buf, datalen); 2715 2716 return (0); 2717 2718 error: 2719 if (dck != NULL) 2720 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2721 abd_return_buf(abd, buf, datalen); 2722 return (ret); 2723 } 2724 2725 int 2726 spa_do_crypt_mac_abd(boolean_t generate, spa_t *spa, uint64_t dsobj, abd_t *abd, 2727 uint_t datalen, uint8_t *mac) 2728 { 2729 int ret; 2730 dsl_crypto_key_t *dck = NULL; 2731 uint8_t *buf = abd_borrow_buf_copy(abd, datalen); 2732 uint8_t digestbuf[ZIO_DATA_MAC_LEN]; 2733 2734 /* look up the key from the spa's keystore */ 2735 ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck); 2736 if (ret != 0) 2737 goto error; 2738 2739 /* perform the hmac */ 2740 ret = zio_crypt_do_hmac(&dck->dck_key, buf, datalen, 2741 digestbuf, ZIO_DATA_MAC_LEN); 2742 if (ret != 0) 2743 goto error; 2744 2745 abd_return_buf(abd, buf, datalen); 2746 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2747 2748 /* 2749 * Truncate and fill in mac buffer if we were asked to generate a MAC. 2750 * Otherwise verify that the MAC matched what we expected. 2751 */ 2752 if (generate) { 2753 bcopy(digestbuf, mac, ZIO_DATA_MAC_LEN); 2754 return (0); 2755 } 2756 2757 if (bcmp(digestbuf, mac, ZIO_DATA_MAC_LEN) != 0) 2758 return (SET_ERROR(ECKSUM)); 2759 2760 return (0); 2761 2762 error: 2763 if (dck != NULL) 2764 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2765 abd_return_buf(abd, buf, datalen); 2766 return (ret); 2767 } 2768 2769 /* 2770 * This function serves as a multiplexer for encryption and decryption of 2771 * all blocks (except the L2ARC). For encryption, it will populate the IV, 2772 * salt, MAC, and cabd (the ciphertext). On decryption it will simply use 2773 * these fields to populate pabd (the plaintext). 2774 */ 2775 int 2776 spa_do_crypt_abd(boolean_t encrypt, spa_t *spa, const zbookmark_phys_t *zb, 2777 dmu_object_type_t ot, boolean_t dedup, boolean_t bswap, uint8_t *salt, 2778 uint8_t *iv, uint8_t *mac, uint_t datalen, abd_t *pabd, abd_t *cabd, 2779 boolean_t *no_crypt) 2780 { 2781 int ret; 2782 dsl_crypto_key_t *dck = NULL; 2783 uint8_t *plainbuf = NULL, *cipherbuf = NULL; 2784 2785 ASSERT(spa_feature_is_active(spa, SPA_FEATURE_ENCRYPTION)); 2786 2787 /* look up the key from the spa's keystore */ 2788 ret = spa_keystore_lookup_key(spa, zb->zb_objset, FTAG, &dck); 2789 if (ret != 0) { 2790 ret = SET_ERROR(EACCES); 2791 return (ret); 2792 } 2793 2794 if (encrypt) { 2795 plainbuf = abd_borrow_buf_copy(pabd, datalen); 2796 cipherbuf = abd_borrow_buf(cabd, datalen); 2797 } else { 2798 plainbuf = abd_borrow_buf(pabd, datalen); 2799 cipherbuf = abd_borrow_buf_copy(cabd, datalen); 2800 } 2801 2802 /* 2803 * Both encryption and decryption functions need a salt for key 2804 * generation and an IV. When encrypting a non-dedup block, we 2805 * generate the salt and IV randomly to be stored by the caller. Dedup 2806 * blocks perform a (more expensive) HMAC of the plaintext to obtain 2807 * the salt and the IV. ZIL blocks have their salt and IV generated 2808 * at allocation time in zio_alloc_zil(). On decryption, we simply use 2809 * the provided values. 2810 */ 2811 if (encrypt && ot != DMU_OT_INTENT_LOG && !dedup) { 2812 ret = zio_crypt_key_get_salt(&dck->dck_key, salt); 2813 if (ret != 0) 2814 goto error; 2815 2816 ret = zio_crypt_generate_iv(iv); 2817 if (ret != 0) 2818 goto error; 2819 } else if (encrypt && dedup) { 2820 ret = zio_crypt_generate_iv_salt_dedup(&dck->dck_key, 2821 plainbuf, datalen, iv, salt); 2822 if (ret != 0) 2823 goto error; 2824 } 2825 2826 /* call lower level function to perform encryption / decryption */ 2827 ret = zio_do_crypt_data(encrypt, &dck->dck_key, ot, bswap, salt, iv, 2828 mac, datalen, plainbuf, cipherbuf, no_crypt); 2829 2830 /* 2831 * Handle injected decryption faults. Unfortunately, we cannot inject 2832 * faults for dnode blocks because we might trigger the panic in 2833 * dbuf_prepare_encrypted_dnode_leaf(), which exists because syncing 2834 * context is not prepared to handle malicious decryption failures. 2835 */ 2836 if (zio_injection_enabled && !encrypt && ot != DMU_OT_DNODE && ret == 0) 2837 ret = zio_handle_decrypt_injection(spa, zb, ot, ECKSUM); 2838 if (ret != 0) 2839 goto error; 2840 2841 if (encrypt) { 2842 abd_return_buf(pabd, plainbuf, datalen); 2843 abd_return_buf_copy(cabd, cipherbuf, datalen); 2844 } else { 2845 abd_return_buf_copy(pabd, plainbuf, datalen); 2846 abd_return_buf(cabd, cipherbuf, datalen); 2847 } 2848 2849 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2850 2851 return (0); 2852 2853 error: 2854 if (encrypt) { 2855 /* zero out any state we might have changed while encrypting */ 2856 bzero(salt, ZIO_DATA_SALT_LEN); 2857 bzero(iv, ZIO_DATA_IV_LEN); 2858 bzero(mac, ZIO_DATA_MAC_LEN); 2859 abd_return_buf(pabd, plainbuf, datalen); 2860 abd_return_buf_copy(cabd, cipherbuf, datalen); 2861 } else { 2862 abd_return_buf_copy(pabd, plainbuf, datalen); 2863 abd_return_buf(cabd, cipherbuf, datalen); 2864 } 2865 2866 spa_keystore_dsl_key_rele(spa, dck, FTAG); 2867 2868 return (ret); 2869 } 2870 2871 ZFS_MODULE_PARAM(zfs, zfs_, disable_ivset_guid_check, INT, ZMOD_RW, 2872 "Set to allow raw receives without IVset guids"); 2873