Path: blob/main/sys/contrib/openzfs/module/os/linux/zfs/zio_crypt.c
// SPDX-License-Identifier: CDDL-1.0
/*
 * CDDL HEADER START
 *
 * This file and its contents are supplied under the terms of the
 * Common Development and Distribution License ("CDDL"), version 1.0.
 * You may only use this file in accordance with the terms of version
 * 1.0 of the CDDL.
 *
 * A full copy of the text of the CDDL should have accompanied this
 * source. A copy of the CDDL is also available via the Internet at
 * http://www.illumos.org/license/CDDL.
 *
 * CDDL HEADER END
 */

/*
 * Copyright (c) 2017, Datto, Inc. All rights reserved.
 */

#include <sys/zio_crypt.h>
#include <sys/dmu.h>
#include <sys/dmu_objset.h>
#include <sys/dnode.h>
#include <sys/fs/zfs.h>
#include <sys/zio.h>
#include <sys/zil.h>
#include <sys/sha2.h>
#include <sys/hkdf.h>
#include <sys/qat.h>

/*
 * This file is responsible for handling all of the details of generating
 * encryption parameters and performing encryption and authentication.
 *
 * BLOCK ENCRYPTION PARAMETERS:
 * Encryption / Authentication Algorithm Suite (crypt):
 * The encryption algorithm, mode, and key length we are going to use. We
 * currently support AES in either GCM or CCM modes with 128, 192, and 256 bit
 * keys. All authentication is currently done with SHA512-HMAC.
 *
 * Plaintext:
 * The unencrypted data that we want to encrypt.
 *
 * Initialization Vector (IV):
 * An initialization vector for the encryption algorithms. This is used to
 * "tweak" the encryption algorithms so that two blocks of the same data are
 * encrypted into different ciphertext outputs, thus obfuscating block patterns.
 * The supported encryption modes (AES-GCM and AES-CCM) require that an IV is
 * never reused with the same encryption key. This value is stored unencrypted
 * and must simply be provided to the decryption function. We use a 96 bit IV
 * (as recommended by NIST) for all block encryption. For non-dedup blocks we
 * derive the IV randomly. The first 64 bits of the IV are stored in the second
 * word of DVA[2] and the remaining 32 bits are stored in the upper 32 bits of
 * blk_fill. This is safe because encrypted blocks can't use the upper 32 bits
 * of blk_fill. We only encrypt level 0 blocks, which normally have a fill count
 * of 1. The only exception is for DMU_OT_DNODE objects, where the fill count of
 * level 0 blocks is the number of allocated dnodes in that block. The on-disk
 * format supports at most 2^15 slots per L0 dnode block, because the maximum
 * block size is 16MB (2^24). In either case, for level 0 blocks this number
 * will still be smaller than UINT32_MAX so it is safe to store the IV in the
 * top 32 bits of blk_fill, while leaving the bottom 32 bits of the fill count
 * for the dnode code.
 *
 * Master key:
 * This is the most important secret data of an encrypted dataset. It is used
 * along with the salt to generate the actual encryption keys via HKDF. We
 * do not use the master key to directly encrypt any data because there are
 * theoretical limits on how much data can actually be safely encrypted with
 * any encryption mode. The master key is stored encrypted on disk with the
 * user's wrapping key. Its length is determined by the encryption algorithm.
 * For details on how this is stored see the block comment in dsl_crypt.c.
 *
 * Salt:
 * Used as an input to the HKDF function, along with the master key. We use a
 * 64 bit salt, stored unencrypted in the first word of DVA[2]. Any given salt
 * can be used for encrypting many blocks, so we cache the current salt and the
 * associated derived key in zio_crypt_t so we do not need to derive it again
 * needlessly.
 *
 * Encryption Key:
 * A secret binary key, generated from an HKDF function used to encrypt and
 * decrypt data.
 *
 * Message Authentication Code (MAC):
 * The MAC is an output of authenticated encryption modes such as AES-GCM and
 * AES-CCM. Its purpose is to ensure that an attacker cannot modify encrypted
 * data on disk and return garbage to the application. Effectively, it is a
 * checksum that cannot be reproduced by an attacker. We store the MAC in the
 * second 128 bits of blk_cksum, leaving the first 128 bits for a truncated
 * regular checksum of the ciphertext which can be used for scrubbing.
 *
 * OBJECT AUTHENTICATION:
 * Some object types, such as DMU_OT_MASTER_NODE, cannot be encrypted because
 * they contain some info that always needs to be readable. To prevent this
 * data from being altered, we authenticate this data using SHA512-HMAC. This
 * will produce a MAC (similar to the one produced via encryption) which can
 * be used to verify the object was not modified. HMACs do not require key
 * rotation or IVs, so we can keep up to the full 3 copies of authenticated
 * data.
 *
 * ZIL ENCRYPTION:
 * ZIL blocks have their bp written to disk ahead of the associated data, so we
 * cannot store the MAC there as we normally do. For these blocks the MAC is
 * stored in the embedded checksum within the zil_chain_t header. The salt and
 * IV are generated for the block on bp allocation instead of at encryption
 * time. In addition, ZIL blocks have some pieces that must be left in plaintext
 * for claiming even though all of the sensitive user data still needs to be
 * encrypted. The function zio_crypt_init_uios_zil() handles parsing which
 * pieces of the block need to be encrypted. All data that is not encrypted is
 * authenticated using the AAD mechanisms that the supported encryption modes
 * provide for. In order to preserve the semantics of the ZIL for encrypted
 * datasets, the ZIL is not protected at the objset level as described below.
 *
 * DNODE ENCRYPTION:
 * Similarly to ZIL blocks, the core part of each dnode_phys_t needs to be left
 * in plaintext for scrubbing and claiming, but the bonus buffers might contain
 * sensitive user data. The function zio_crypt_init_uios_dnode() handles parsing
 * which pieces of the block need to be encrypted. For more details about
 * dnode authentication and encryption, see zio_crypt_init_uios_dnode().
 *
 * OBJECT SET AUTHENTICATION:
 * Up to this point, everything we have encrypted and authenticated has been
 * at level 0 (or -2 for the ZIL). If we did not do any further work the
 * on-disk format would be susceptible to attacks that deleted or rearranged
 * the order of level 0 blocks. Ideally, the cleanest solution would be to
 * maintain a tree of authentication MACs going up the bp tree. However, this
 * presents a problem for raw sends. Send files do not send information about
 * indirect blocks so there would be no convenient way to transfer the MACs and
 * they cannot be recalculated on the receive side without the master key which
 * would defeat one of the purposes of raw sends in the first place. Instead,
 * for the indirect levels of the bp tree, we use a regular SHA512 of the MACs
 * from the level below. We also include some portable fields from blk_prop such
 * as the lsize and compression algorithm to prevent the data from being
 * misinterpreted.
 *
 * At the objset level, we maintain 2 separate 256 bit MACs in the
 * objset_phys_t. The first one is "portable" and is the logical root of the
 * MAC tree maintained in the metadnode's bps. The second is "local" and is
 * used as the root MAC for the user accounting objects, which are also not
 * transferred via "zfs send". The portable MAC is sent in the DRR_BEGIN payload
 * of the send file. The useraccounting code ensures that the useraccounting
 * info is not present upon a receive, so the local MAC can simply be cleared
 * out at that time. For more info about objset_phys_t authentication, see
 * zio_crypt_do_objset_hmacs().
 *
 * CONSIDERATIONS FOR DEDUP:
 * In order for dedup to work, blocks that we want to dedup with one another
 * need to use the same IV and encryption key, so that they will have the same
 * ciphertext. Normally, one should never reuse an IV with the same encryption
 * key or else AES-GCM and AES-CCM can both actually leak the plaintext of both
 * blocks. In this case, however, since we are using the same plaintext as
 * well all that we end up with is a duplicate of the original ciphertext we
 * already had. As a result, an attacker with read access to the raw disk will
 * be able to tell which blocks are the same but this information is given away
 * by dedup anyway. In order to get the same IVs and encryption keys for
 * equivalent blocks of data we use an HMAC of the plaintext. We use an HMAC
 * here so that a reproducible checksum of the plaintext is never available to
 * the attacker. The HMAC key is kept alongside the master key, encrypted on
 * disk. The first 64 bits of the HMAC are used in place of the random salt, and
 * the next 96 bits are used as the IV. As a result of this mechanism, dedup
 * will only work within a clone family since encrypted dedup requires use of
 * the same master and HMAC keys.
 */
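As a concrete illustration of the layout described above, the hypothetical helper below (illustrative only, not part of this module) shows where the salt, IV, and MAC land in an encrypted, non-objset, non-ZIL blkptr_t for the native-endian case. It simply mirrors what zio_crypt_encode_params_bp() and zio_crypt_encode_mac_bp() do later in this file, and it relies on the same headers this file already includes.

/* illustrative sketch only; mirrors the native-endian encode paths below */
static void
example_encode_crypt_params(blkptr_t *bp, const uint8_t *salt,
    const uint8_t *iv, const uint8_t *mac)
{
	uint32_t iv2;

	/* 64 bit salt in the first word of DVA[2] */
	memcpy(&bp->blk_dva[2].dva_word[0], salt, sizeof (uint64_t));
	/* first 64 bits of the 96 bit IV in the second word of DVA[2] */
	memcpy(&bp->blk_dva[2].dva_word[1], iv, sizeof (uint64_t));
	/* remaining 32 bits of the IV in the upper 32 bits of blk_fill */
	memcpy(&iv2, iv + sizeof (uint64_t), sizeof (uint32_t));
	BP_SET_IV2(bp, iv2);
	/* 128 bit MAC in the second half of blk_cksum */
	memcpy(&bp->blk_cksum.zc_word[2], mac, 2 * sizeof (uint64_t));
}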
/*
 * After encrypting many blocks with the same key we may start to run up
 * against the theoretical limits of how much data can securely be encrypted
 * with a single key using the supported encryption modes. The most obvious
 * limitation is that our risk of generating 2 equivalent 96 bit IVs increases
 * the more IVs we generate (which both GCM and CCM modes strictly forbid).
 * This risk actually grows surprisingly quickly over time according to the
 * Birthday Problem. With a total IV space of 2^(96 bits), and assuming we have
 * generated n IVs with a cryptographically secure RNG, the approximate
 * probability p(n) of a collision is given as:
 *
 *	p(n) ~= 1 - e^(-n*(n-1)/(2*(2^96)))
 *
 * [http://www.math.cornell.edu/~mec/2008-2009/TianyiZheng/Birthday.html]
 *
 * Assuming that we want to ensure that p(n) never goes over 1 / 1 trillion
 * we must not write more than 398,065,730 blocks with the same encryption key.
 * Therefore, we rotate our keys after 400,000,000 blocks have been written by
 * generating a new random 64 bit salt for our HKDF encryption key generation
 * function.
 */
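The figures above can be sanity-checked with a few lines of arithmetic. The sketch below is illustrative only (a hypothetical userspace helper, not part of this module); it assumes the approximation quoted above and uses expm1() to keep the tiny result accurate.

#include <math.h>
#include <stdio.h>

/* p(n) ~= 1 - e^(-n*(n-1)/(2*2^96)); -expm1() avoids cancellation for tiny p */
static double
iv_collision_probability(double n)
{
	return (-expm1(-n * (n - 1.0) / (2.0 * ldexp(1.0, 96))));
}

int
main(void)
{
	/* ~1.0e-12 at the 398,065,730 block limit quoted above */
	printf("%.3e\n", iv_collision_probability(398065730.0));
	/* ~1.01e-12 at the 400,000,000 block rotation point */
	printf("%.3e\n", iv_collision_probability(400000000.0));
	return (0);
}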
#define	ZFS_KEY_MAX_SALT_USES_DEFAULT	400000000
#define	ZFS_CURRENT_MAX_SALT_USES \
	(MIN(zfs_key_max_salt_uses, ZFS_KEY_MAX_SALT_USES_DEFAULT))
static unsigned long zfs_key_max_salt_uses = ZFS_KEY_MAX_SALT_USES_DEFAULT;

typedef struct blkptr_auth_buf {
	uint64_t bab_prop;			/* blk_prop - portable mask */
	uint8_t bab_mac[ZIO_DATA_MAC_LEN];	/* MAC from blk_cksum */
	uint64_t bab_pad;			/* reserved for future use */
} blkptr_auth_buf_t;

const zio_crypt_info_t zio_crypt_table[ZIO_CRYPT_FUNCTIONS] = {
	{"", ZC_TYPE_NONE, 0, "inherit"},
	{"", ZC_TYPE_NONE, 0, "on"},
	{"", ZC_TYPE_NONE, 0, "off"},
	{SUN_CKM_AES_CCM, ZC_TYPE_CCM, 16, "aes-128-ccm"},
	{SUN_CKM_AES_CCM, ZC_TYPE_CCM, 24, "aes-192-ccm"},
	{SUN_CKM_AES_CCM, ZC_TYPE_CCM, 32, "aes-256-ccm"},
	{SUN_CKM_AES_GCM, ZC_TYPE_GCM, 16, "aes-128-gcm"},
	{SUN_CKM_AES_GCM, ZC_TYPE_GCM, 24, "aes-192-gcm"},
	{SUN_CKM_AES_GCM, ZC_TYPE_GCM, 32, "aes-256-gcm"}
};

void
zio_crypt_key_destroy(zio_crypt_key_t *key)
{
	rw_destroy(&key->zk_salt_lock);

	/* free crypto templates */
	crypto_destroy_ctx_template(key->zk_current_tmpl);
	crypto_destroy_ctx_template(key->zk_hmac_tmpl);

	/* zero out sensitive data */
	memset(key, 0, sizeof (zio_crypt_key_t));
}

int
zio_crypt_key_init(uint64_t crypt, zio_crypt_key_t *key)
{
	int ret;
	crypto_mechanism_t mech = {0};
	uint_t keydata_len;

	ASSERT(key != NULL);
	ASSERT3U(crypt, <, ZIO_CRYPT_FUNCTIONS);

	/*
	 * Workaround for GCC 12+ with UBSan enabled deficiencies.
	 *
	 * GCC 12+ invoked with -fsanitize=undefined incorrectly reports the
	 * code below as violating -Warray-bounds.
	 */
#if defined(__GNUC__) && !defined(__clang__) && \
	((!defined(_KERNEL) && defined(ZFS_UBSAN_ENABLED)) || \
	defined(CONFIG_UBSAN))
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Warray-bounds"
#endif
	keydata_len = zio_crypt_table[crypt].ci_keylen;
#if defined(__GNUC__) && !defined(__clang__) && \
	((!defined(_KERNEL) && defined(ZFS_UBSAN_ENABLED)) || \
	defined(CONFIG_UBSAN))
#pragma GCC diagnostic pop
#endif
	memset(key, 0, sizeof (zio_crypt_key_t));
	rw_init(&key->zk_salt_lock, NULL, RW_DEFAULT, NULL);

	/* fill keydata buffers and salt with random data */
	ret = random_get_bytes((uint8_t *)&key->zk_guid, sizeof (uint64_t));
	if (ret != 0)
		goto error;

	ret = random_get_bytes(key->zk_master_keydata, keydata_len);
	if (ret != 0)
		goto error;

	ret = random_get_bytes(key->zk_hmac_keydata, SHA512_HMAC_KEYLEN);
	if (ret != 0)
		goto error;

	ret = random_get_bytes(key->zk_salt, ZIO_DATA_SALT_LEN);
	if (ret != 0)
		goto error;

	/* derive the current key from the master key */
	ret = hkdf_sha512(key->zk_master_keydata, keydata_len, NULL, 0,
	    key->zk_salt, ZIO_DATA_SALT_LEN, key->zk_current_keydata,
	    keydata_len);
	if (ret != 0)
		goto error;
	/* initialize keys for the ICP */
	key->zk_current_key.ck_data = key->zk_current_keydata;
	key->zk_current_key.ck_length = CRYPTO_BYTES2BITS(keydata_len);

	key->zk_hmac_key.ck_data = &key->zk_hmac_key;
	key->zk_hmac_key.ck_length = CRYPTO_BYTES2BITS(SHA512_HMAC_KEYLEN);

	/*
	 * Initialize the crypto templates. It's ok if this fails because
	 * this is just an optimization.
	 */
	mech.cm_type = crypto_mech2id(zio_crypt_table[crypt].ci_mechname);
	ret = crypto_create_ctx_template(&mech, &key->zk_current_key,
	    &key->zk_current_tmpl);
	if (ret != CRYPTO_SUCCESS)
		key->zk_current_tmpl = NULL;

	mech.cm_type = crypto_mech2id(SUN_CKM_SHA512_HMAC);
	ret = crypto_create_ctx_template(&mech, &key->zk_hmac_key,
	    &key->zk_hmac_tmpl);
	if (ret != CRYPTO_SUCCESS)
		key->zk_hmac_tmpl = NULL;

	key->zk_crypt = crypt;
	key->zk_version = ZIO_CRYPT_KEY_CURRENT_VERSION;
	key->zk_salt_count = 0;

	return (0);

error:
	zio_crypt_key_destroy(key);
	return (ret);
}

static int
zio_crypt_key_change_salt(zio_crypt_key_t *key)
{
	int ret = 0;
	uint8_t salt[ZIO_DATA_SALT_LEN];
	crypto_mechanism_t mech;
	uint_t keydata_len = zio_crypt_table[key->zk_crypt].ci_keylen;

	/* generate a new salt */
	ret = random_get_bytes(salt, ZIO_DATA_SALT_LEN);
	if (ret != 0)
		goto error;

	rw_enter(&key->zk_salt_lock, RW_WRITER);

	/* someone beat us to the salt rotation, just unlock and return */
	if (key->zk_salt_count < ZFS_CURRENT_MAX_SALT_USES)
		goto out_unlock;

	/* derive the current key from the master key and the new salt */
	ret = hkdf_sha512(key->zk_master_keydata, keydata_len, NULL, 0,
	    salt, ZIO_DATA_SALT_LEN, key->zk_current_keydata, keydata_len);
	if (ret != 0)
		goto out_unlock;

	/* assign the salt and reset the usage count */
	memcpy(key->zk_salt, salt, ZIO_DATA_SALT_LEN);
	key->zk_salt_count = 0;

	/* destroy the old context template and create the new one */
	crypto_destroy_ctx_template(key->zk_current_tmpl);
	ret = crypto_create_ctx_template(&mech, &key->zk_current_key,
	    &key->zk_current_tmpl);
	if (ret != CRYPTO_SUCCESS)
		key->zk_current_tmpl = NULL;

	rw_exit(&key->zk_salt_lock);

	return (0);

out_unlock:
	rw_exit(&key->zk_salt_lock);
error:
	return (ret);
}

/* See comment above zfs_key_max_salt_uses definition for details */
int
zio_crypt_key_get_salt(zio_crypt_key_t *key, uint8_t *salt)
{
	int ret;
	boolean_t salt_change;

	rw_enter(&key->zk_salt_lock, RW_READER);

	memcpy(salt, key->zk_salt, ZIO_DATA_SALT_LEN);
	salt_change = (atomic_inc_64_nv(&key->zk_salt_count) >=
	    ZFS_CURRENT_MAX_SALT_USES);

	rw_exit(&key->zk_salt_lock);

	if (salt_change) {
		ret = zio_crypt_key_change_salt(key);
		if (ret != 0)
			goto error;
	}

	return (0);

error:
	return (ret);
}

/*
 * This function handles all encryption and decryption in zfs. When
 * encrypting it expects puio to reference the plaintext and cuio to
 * reference the ciphertext. cuio must have enough space for the
 * ciphertext + room for a MAC. datalen should be the length of the
 * plaintext / ciphertext alone.
 */
static int
zio_do_crypt_uio(boolean_t encrypt, uint64_t crypt, crypto_key_t *key,
    crypto_ctx_template_t tmpl, uint8_t *ivbuf, uint_t datalen,
    zfs_uio_t *puio, zfs_uio_t *cuio, uint8_t *authbuf, uint_t auth_len)
{
	int ret;
	crypto_data_t plaindata, cipherdata;
	CK_AES_CCM_PARAMS ccmp;
	CK_AES_GCM_PARAMS gcmp;
	crypto_mechanism_t mech;
	zio_crypt_info_t crypt_info;
	uint_t plain_full_len, maclen;

	ASSERT3U(crypt, <, ZIO_CRYPT_FUNCTIONS);

	/* lookup the encryption info */
	crypt_info = zio_crypt_table[crypt];

	/* the mac will always be the last iovec_t in the cipher uio */
	maclen = cuio->uio_iov[cuio->uio_iovcnt - 1].iov_len;

	ASSERT(maclen <= ZIO_DATA_MAC_LEN);

	/* setup encryption mechanism (same as crypt) */
	mech.cm_type = crypto_mech2id(crypt_info.ci_mechname);

	/*
	 * Strangely, the ICP requires that plain_full_len must include
	 * the MAC length when decrypting, even though the UIO does not
	 * need to have the extra space allocated.
	 */
	if (encrypt) {
		plain_full_len = datalen;
	} else {
		plain_full_len = datalen + maclen;
	}

	/*
	 * setup encryption params (currently only AES CCM and AES GCM
	 * are supported)
	 */
	if (crypt_info.ci_crypt_type == ZC_TYPE_CCM) {
		ccmp.ulNonceSize = ZIO_DATA_IV_LEN;
		ccmp.ulAuthDataSize = auth_len;
		ccmp.authData = authbuf;
		ccmp.ulMACSize = maclen;
		ccmp.nonce = ivbuf;
		ccmp.ulDataSize = plain_full_len;

		mech.cm_param = (char *)(&ccmp);
		mech.cm_param_len = sizeof (CK_AES_CCM_PARAMS);
	} else {
		gcmp.ulIvLen = ZIO_DATA_IV_LEN;
		gcmp.ulIvBits = CRYPTO_BYTES2BITS(ZIO_DATA_IV_LEN);
		gcmp.ulAADLen = auth_len;
		gcmp.pAAD = authbuf;
		gcmp.ulTagBits = CRYPTO_BYTES2BITS(maclen);
		gcmp.pIv = ivbuf;

		mech.cm_param = (char *)(&gcmp);
		mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS);
	}
	/* populate the cipher and plain data structs */
	plaindata.cd_format = CRYPTO_DATA_UIO;
	plaindata.cd_offset = 0;
	plaindata.cd_uio = puio;
	plaindata.cd_length = plain_full_len;

	cipherdata.cd_format = CRYPTO_DATA_UIO;
	cipherdata.cd_offset = 0;
	cipherdata.cd_uio = cuio;
	cipherdata.cd_length = datalen + maclen;

	/* perform the actual encryption */
	if (encrypt) {
		ret = crypto_encrypt(&mech, &plaindata, key, tmpl, &cipherdata);
		if (ret != CRYPTO_SUCCESS) {
			ret = SET_ERROR(EIO);
			goto error;
		}
	} else {
		ret = crypto_decrypt(&mech, &cipherdata, key, tmpl, &plaindata);
		if (ret != CRYPTO_SUCCESS) {
			ASSERT3U(ret, ==, CRYPTO_INVALID_MAC);
			ret = SET_ERROR(ECKSUM);
			goto error;
		}
	}

	return (0);

error:
	return (ret);
}

int
zio_crypt_key_wrap(crypto_key_t *cwkey, zio_crypt_key_t *key, uint8_t *iv,
    uint8_t *mac, uint8_t *keydata_out, uint8_t *hmac_keydata_out)
{
	int ret;
	zfs_uio_t puio, cuio;
	uint64_t aad[3];
	iovec_t plain_iovecs[2], cipher_iovecs[3];
	uint64_t crypt = key->zk_crypt;
	uint_t enc_len, keydata_len, aad_len;

	ASSERT3U(crypt, <, ZIO_CRYPT_FUNCTIONS);

	keydata_len = zio_crypt_table[crypt].ci_keylen;

	/* generate iv for wrapping the master and hmac key */
	ret = random_get_pseudo_bytes(iv, WRAPPING_IV_LEN);
	if (ret != 0)
		goto error;

	/* initialize zfs_uio_ts */
	plain_iovecs[0].iov_base = key->zk_master_keydata;
	plain_iovecs[0].iov_len = keydata_len;
	plain_iovecs[1].iov_base = key->zk_hmac_keydata;
	plain_iovecs[1].iov_len = SHA512_HMAC_KEYLEN;

	cipher_iovecs[0].iov_base = keydata_out;
	cipher_iovecs[0].iov_len = keydata_len;
	cipher_iovecs[1].iov_base = hmac_keydata_out;
	cipher_iovecs[1].iov_len = SHA512_HMAC_KEYLEN;
	cipher_iovecs[2].iov_base = mac;
	cipher_iovecs[2].iov_len = WRAPPING_MAC_LEN;

	/*
	 * Although we don't support writing to the old format, we do
	 * support rewrapping the key so that the user can move and
	 * quarantine datasets on the old format.
	 */
	if (key->zk_version == 0) {
		aad_len = sizeof (uint64_t);
		aad[0] = LE_64(key->zk_guid);
	} else {
		ASSERT3U(key->zk_version, ==, ZIO_CRYPT_KEY_CURRENT_VERSION);
		aad_len = sizeof (uint64_t) * 3;
		aad[0] = LE_64(key->zk_guid);
		aad[1] = LE_64(crypt);
		aad[2] = LE_64(key->zk_version);
	}

	enc_len = zio_crypt_table[crypt].ci_keylen + SHA512_HMAC_KEYLEN;
	puio.uio_iov = plain_iovecs;
	puio.uio_iovcnt = 2;
	puio.uio_segflg = UIO_SYSSPACE;
	cuio.uio_iov = cipher_iovecs;
	cuio.uio_iovcnt = 3;
	cuio.uio_segflg = UIO_SYSSPACE;

	/* encrypt the keys and store the resulting ciphertext and mac */
	ret = zio_do_crypt_uio(B_TRUE, crypt, cwkey, NULL, iv, enc_len,
	    &puio, &cuio, (uint8_t *)aad, aad_len);
	if (ret != 0)
		goto error;

	return (0);

error:
	return (ret);
}

int
zio_crypt_key_unwrap(crypto_key_t *cwkey, uint64_t crypt, uint64_t version,
    uint64_t guid, uint8_t *keydata, uint8_t *hmac_keydata, uint8_t *iv,
    uint8_t *mac, zio_crypt_key_t *key)
{
	crypto_mechanism_t mech;
	zfs_uio_t puio, cuio;
	uint64_t aad[3];
	iovec_t plain_iovecs[2], cipher_iovecs[3];
	uint_t enc_len, keydata_len, aad_len;
	int ret;

	ASSERT3U(crypt, <, ZIO_CRYPT_FUNCTIONS);

	rw_init(&key->zk_salt_lock, NULL, RW_DEFAULT, NULL);

	keydata_len = zio_crypt_table[crypt].ci_keylen;

	/* initialize zfs_uio_ts */
	plain_iovecs[0].iov_base = key->zk_master_keydata;
	plain_iovecs[0].iov_len = keydata_len;
	plain_iovecs[1].iov_base = key->zk_hmac_keydata;
	plain_iovecs[1].iov_len = SHA512_HMAC_KEYLEN;

	cipher_iovecs[0].iov_base = keydata;
	cipher_iovecs[0].iov_len = keydata_len;
	cipher_iovecs[1].iov_base = hmac_keydata;
	cipher_iovecs[1].iov_len = SHA512_HMAC_KEYLEN;
	cipher_iovecs[2].iov_base = mac;
	cipher_iovecs[2].iov_len = WRAPPING_MAC_LEN;

	if (version == 0) {
		aad_len = sizeof (uint64_t);
		aad[0] = LE_64(guid);
	} else {
		ASSERT3U(version, ==, ZIO_CRYPT_KEY_CURRENT_VERSION);
		aad_len = sizeof (uint64_t) * 3;
		aad[0] = LE_64(guid);
		aad[1] = LE_64(crypt);
		aad[2] = LE_64(version);
	}

	enc_len = keydata_len + SHA512_HMAC_KEYLEN;
	puio.uio_iov = plain_iovecs;
	puio.uio_segflg = UIO_SYSSPACE;
	puio.uio_iovcnt = 2;
	cuio.uio_iov = cipher_iovecs;
	cuio.uio_iovcnt = 3;
	cuio.uio_segflg = UIO_SYSSPACE;

	/* decrypt the keys and store the result in the output buffers */
	ret = zio_do_crypt_uio(B_FALSE, crypt, cwkey, NULL, iv, enc_len,
	    &puio, &cuio, (uint8_t *)aad, aad_len);
	if (ret != 0)
		goto error;

	/* generate a fresh salt */
	ret = random_get_bytes(key->zk_salt, ZIO_DATA_SALT_LEN);
	if (ret != 0)
		goto error;

	/* derive the current key from the master key */
	ret = hkdf_sha512(key->zk_master_keydata, keydata_len, NULL, 0,
	    key->zk_salt, ZIO_DATA_SALT_LEN, key->zk_current_keydata,
	    keydata_len);
	if (ret != 0)
		goto error;

	/* initialize keys for ICP */
	key->zk_current_key.ck_data = key->zk_current_keydata;
	key->zk_current_key.ck_length = CRYPTO_BYTES2BITS(keydata_len);

	key->zk_hmac_key.ck_data = key->zk_hmac_keydata;
	key->zk_hmac_key.ck_length = CRYPTO_BYTES2BITS(SHA512_HMAC_KEYLEN);

	/*
	 * Initialize the crypto templates. It's ok if this fails because
	 * this is just an optimization.
	 */
	mech.cm_type = crypto_mech2id(zio_crypt_table[crypt].ci_mechname);
	ret = crypto_create_ctx_template(&mech, &key->zk_current_key,
	    &key->zk_current_tmpl);
	if (ret != CRYPTO_SUCCESS)
		key->zk_current_tmpl = NULL;

	mech.cm_type = crypto_mech2id(SUN_CKM_SHA512_HMAC);
	ret = crypto_create_ctx_template(&mech, &key->zk_hmac_key,
	    &key->zk_hmac_tmpl);
	if (ret != CRYPTO_SUCCESS)
		key->zk_hmac_tmpl = NULL;

	key->zk_crypt = crypt;
	key->zk_version = version;
	key->zk_guid = guid;
	key->zk_salt_count = 0;

	return (0);

error:
	zio_crypt_key_destroy(key);
	return (ret);
}

int
zio_crypt_generate_iv(uint8_t *ivbuf)
{
	int ret;

	/* randomly generate the IV */
	ret = random_get_pseudo_bytes(ivbuf, ZIO_DATA_IV_LEN);
	if (ret != 0)
		goto error;

	return (0);

error:
	memset(ivbuf, 0, ZIO_DATA_IV_LEN);
	return (ret);
}

int
zio_crypt_do_hmac(zio_crypt_key_t *key, uint8_t *data, uint_t datalen,
    uint8_t *digestbuf, uint_t digestlen)
{
	int ret;
	crypto_mechanism_t mech;
	crypto_data_t in_data, digest_data;
	uint8_t raw_digestbuf[SHA512_DIGEST_LENGTH];

	ASSERT3U(digestlen, <=, SHA512_DIGEST_LENGTH);

	/* initialize sha512-hmac mechanism and crypto data */
	mech.cm_type = crypto_mech2id(SUN_CKM_SHA512_HMAC);
	mech.cm_param = NULL;
	mech.cm_param_len = 0;

	/* initialize the crypto data */
	in_data.cd_format = CRYPTO_DATA_RAW;
	in_data.cd_offset = 0;
	in_data.cd_length = datalen;
	in_data.cd_raw.iov_base = (char *)data;
	in_data.cd_raw.iov_len = in_data.cd_length;

	digest_data.cd_format = CRYPTO_DATA_RAW;
	digest_data.cd_offset = 0;
	digest_data.cd_length = SHA512_DIGEST_LENGTH;
	digest_data.cd_raw.iov_base = (char *)raw_digestbuf;
	digest_data.cd_raw.iov_len = digest_data.cd_length;

	/* generate the hmac */
	ret = crypto_mac(&mech, &in_data, &key->zk_hmac_key, key->zk_hmac_tmpl,
	    &digest_data);
	if (ret != CRYPTO_SUCCESS) {
		ret = SET_ERROR(EIO);
		goto error;
	}

	memcpy(digestbuf, raw_digestbuf, digestlen);

	return (0);

error:
	memset(digestbuf, 0, digestlen);
	return (ret);
}

int
zio_crypt_generate_iv_salt_dedup(zio_crypt_key_t *key, uint8_t *data,
    uint_t datalen, uint8_t *ivbuf, uint8_t *salt)
{
	int ret;
	uint8_t digestbuf[SHA512_DIGEST_LENGTH];

	ret = zio_crypt_do_hmac(key, data, datalen,
	    digestbuf, SHA512_DIGEST_LENGTH);
	if (ret != 0)
		return (ret);

	memcpy(salt, digestbuf, ZIO_DATA_SALT_LEN);
	memcpy(ivbuf, digestbuf + ZIO_DATA_SALT_LEN, ZIO_DATA_IV_LEN);

	return (0);
}

/*
 * The following functions are used to encode and decode encryption parameters
 * into blkptr_t and zil_header_t. The ICP wants to use these parameters as
 * byte strings, which normally means that these strings would not need to deal
 * with byteswapping at all. However, both blkptr_t and zil_header_t may be
 * byteswapped by lower layers and so we must "undo" that byteswap here upon
 * decoding and encoding in a non-native byteorder. These functions require
 * that the byteorder bit is correct before being called.
 */
void
zio_crypt_encode_params_bp(blkptr_t *bp, uint8_t *salt, uint8_t *iv)
{
	uint64_t val64;
	uint32_t val32;

	ASSERT(BP_IS_ENCRYPTED(bp));

	if (!BP_SHOULD_BYTESWAP(bp)) {
		memcpy(&bp->blk_dva[2].dva_word[0], salt, sizeof (uint64_t));
		memcpy(&bp->blk_dva[2].dva_word[1], iv, sizeof (uint64_t));
		memcpy(&val32, iv + sizeof (uint64_t), sizeof (uint32_t));
		BP_SET_IV2(bp, val32);
	} else {
		memcpy(&val64, salt, sizeof (uint64_t));
		bp->blk_dva[2].dva_word[0] = BSWAP_64(val64);

		memcpy(&val64, iv, sizeof (uint64_t));
		bp->blk_dva[2].dva_word[1] = BSWAP_64(val64);

		memcpy(&val32, iv + sizeof (uint64_t), sizeof (uint32_t));
		BP_SET_IV2(bp, BSWAP_32(val32));
	}
}

void
zio_crypt_decode_params_bp(const blkptr_t *bp, uint8_t *salt, uint8_t *iv)
{
	uint64_t val64;
	uint32_t val32;

	ASSERT(BP_IS_PROTECTED(bp));

	/* for convenience, so callers don't need to check */
	if (BP_IS_AUTHENTICATED(bp)) {
		memset(salt, 0, ZIO_DATA_SALT_LEN);
		memset(iv, 0, ZIO_DATA_IV_LEN);
		return;
	}

	if (!BP_SHOULD_BYTESWAP(bp)) {
		memcpy(salt, &bp->blk_dva[2].dva_word[0], sizeof (uint64_t));
		memcpy(iv, &bp->blk_dva[2].dva_word[1], sizeof (uint64_t));

		val32 = (uint32_t)BP_GET_IV2(bp);
		memcpy(iv + sizeof (uint64_t), &val32, sizeof (uint32_t));
	} else {
		val64 = BSWAP_64(bp->blk_dva[2].dva_word[0]);
		memcpy(salt, &val64, sizeof (uint64_t));

		val64 = BSWAP_64(bp->blk_dva[2].dva_word[1]);
		memcpy(iv, &val64, sizeof (uint64_t));

		val32 = BSWAP_32((uint32_t)BP_GET_IV2(bp));
		memcpy(iv + sizeof (uint64_t), &val32, sizeof (uint32_t));
	}
}

void
zio_crypt_encode_mac_bp(blkptr_t *bp, uint8_t *mac)
{
	uint64_t val64;

	ASSERT(BP_USES_CRYPT(bp));
	ASSERT3U(BP_GET_TYPE(bp), !=, DMU_OT_OBJSET);

	if (!BP_SHOULD_BYTESWAP(bp)) {
		memcpy(&bp->blk_cksum.zc_word[2], mac, sizeof (uint64_t));
		memcpy(&bp->blk_cksum.zc_word[3], mac + sizeof (uint64_t),
		    sizeof (uint64_t));
	} else {
		memcpy(&val64, mac, sizeof (uint64_t));
		bp->blk_cksum.zc_word[2] = BSWAP_64(val64);

		memcpy(&val64, mac + sizeof (uint64_t), sizeof (uint64_t));
		bp->blk_cksum.zc_word[3] = BSWAP_64(val64);
	}
}

void
zio_crypt_decode_mac_bp(const blkptr_t *bp, uint8_t *mac)
{
	uint64_t val64;

	ASSERT(BP_USES_CRYPT(bp) || BP_IS_HOLE(bp));

	/* for convenience, so callers don't need to check */
	if (BP_GET_TYPE(bp) == DMU_OT_OBJSET) {
		memset(mac, 0, ZIO_DATA_MAC_LEN);
		return;
	}

	if (!BP_SHOULD_BYTESWAP(bp)) {
		memcpy(mac, &bp->blk_cksum.zc_word[2], sizeof (uint64_t));
		memcpy(mac + sizeof (uint64_t), &bp->blk_cksum.zc_word[3],
		    sizeof (uint64_t));
	} else {
		val64 = BSWAP_64(bp->blk_cksum.zc_word[2]);
		memcpy(mac, &val64, sizeof (uint64_t));

		val64 = BSWAP_64(bp->blk_cksum.zc_word[3]);
		memcpy(mac + sizeof (uint64_t), &val64, sizeof (uint64_t));
	}
}

void
zio_crypt_encode_mac_zil(void *data, uint8_t *mac)
{
	zil_chain_t *zilc = data;

	memcpy(&zilc->zc_eck.zec_cksum.zc_word[2], mac, sizeof (uint64_t));
	memcpy(&zilc->zc_eck.zec_cksum.zc_word[3], mac + sizeof (uint64_t),
	    sizeof (uint64_t));
}

void
zio_crypt_decode_mac_zil(const void *data, uint8_t *mac)
{
	/*
	 * The ZIL MAC is embedded in the block it protects, which will
	 * not have been byteswapped by the time this function has been called.
	 * As a result, we don't need to worry about byteswapping the MAC.
	 */
	const zil_chain_t *zilc = data;

	memcpy(mac, &zilc->zc_eck.zec_cksum.zc_word[2], sizeof (uint64_t));
	memcpy(mac + sizeof (uint64_t), &zilc->zc_eck.zec_cksum.zc_word[3],
	    sizeof (uint64_t));
}

/*
 * This routine takes a block of dnodes (src_abd) and copies only the bonus
 * buffers to the same offsets in the dst buffer. datalen should be the size
 * of both the src_abd and the dst buffer (not just the length of the bonus
 * buffers).
 */
void
zio_crypt_copy_dnode_bonus(abd_t *src_abd, uint8_t *dst, uint_t datalen)
{
	uint_t i, max_dnp = datalen >> DNODE_SHIFT;
	uint8_t *src;
	dnode_phys_t *dnp, *sdnp, *ddnp;

	src = abd_borrow_buf_copy(src_abd, datalen);

	sdnp = (dnode_phys_t *)src;
	ddnp = (dnode_phys_t *)dst;

	for (i = 0; i < max_dnp; i += sdnp[i].dn_extra_slots + 1) {
		dnp = &sdnp[i];
		if (dnp->dn_type != DMU_OT_NONE &&
		    DMU_OT_IS_ENCRYPTED(dnp->dn_bonustype) &&
		    dnp->dn_bonuslen != 0) {
			memcpy(DN_BONUS(&ddnp[i]), DN_BONUS(dnp),
			    DN_MAX_BONUS_LEN(dnp));
		}
	}

	abd_return_buf(src_abd, src, datalen);
}

/*
 * This function decides what fields from blk_prop are included in
 * the various on-disk MACs.
 */
static void
zio_crypt_bp_zero_nonportable_blkprop(blkptr_t *bp, uint64_t version)
{
	/*
	 * Version 0 did not properly zero out all non-portable fields
	 * as it should have done. We maintain this code so that we can
	 * do read-only imports of pools on this version.
	 */
	if (version == 0) {
		BP_SET_DEDUP(bp, 0);
		BP_SET_CHECKSUM(bp, 0);
		BP_SET_PSIZE(bp, SPA_MINBLOCKSIZE);
		return;
	}

	ASSERT3U(version, ==, ZIO_CRYPT_KEY_CURRENT_VERSION);

	/*
	 * The hole_birth feature might set these fields even if this bp
	 * is a hole. We zero them out here to guarantee that raw sends
	 * will function with or without the feature.
	 */
	if (BP_IS_HOLE(bp)) {
		bp->blk_prop = 0ULL;
		return;
	}

	/*
	 * At L0 we want to verify these fields to ensure that data blocks
	 * can not be reinterpreted. For instance, we do not want an attacker
	 * to trick us into returning raw lz4 compressed data to the user
	 * by modifying the compression bits. At higher levels, we cannot
	 * enforce this policy since raw sends do not convey any information
	 * about indirect blocks, so these values might be different on the
	 * receive side. Fortunately, this does not open any new attack
	 * vectors, since any alterations that can be made to a higher level
	 * bp must still verify the correct order of the layer below it.
	 */
	if (BP_GET_LEVEL(bp) != 0) {
		BP_SET_BYTEORDER(bp, 0);
		BP_SET_COMPRESS(bp, 0);

		/*
		 * psize cannot be set to zero or it will trigger
		 * asserts, but the value doesn't really matter as
		 * long as it is constant.
		 */
		BP_SET_PSIZE(bp, SPA_MINBLOCKSIZE);
	}

	BP_SET_DEDUP(bp, 0);
	BP_SET_CHECKSUM(bp, 0);
}

static void
zio_crypt_bp_auth_init(uint64_t version, boolean_t should_bswap, blkptr_t *bp,
    blkptr_auth_buf_t *bab, uint_t *bab_len)
{
	blkptr_t tmpbp = *bp;

	if (should_bswap)
		byteswap_uint64_array(&tmpbp, sizeof (blkptr_t));

	ASSERT(BP_USES_CRYPT(&tmpbp) || BP_IS_HOLE(&tmpbp));
	ASSERT0(BP_IS_EMBEDDED(&tmpbp));

	zio_crypt_decode_mac_bp(&tmpbp, bab->bab_mac);

	/*
	 * We always MAC blk_prop in LE to ensure portability. This
	 * must be done after decoding the mac, since the endianness
	 * will get zero'd out here.
	 */
	zio_crypt_bp_zero_nonportable_blkprop(&tmpbp, version);
	bab->bab_prop = LE_64(tmpbp.blk_prop);
	bab->bab_pad = 0ULL;

	/* version 0 did not include the padding */
	*bab_len = sizeof (blkptr_auth_buf_t);
	if (version == 0)
		*bab_len -= sizeof (uint64_t);
}

static int
zio_crypt_bp_do_hmac_updates(crypto_context_t ctx, uint64_t version,
    boolean_t should_bswap, blkptr_t *bp)
{
	int ret;
	uint_t bab_len;
	blkptr_auth_buf_t bab;
	crypto_data_t cd;

	zio_crypt_bp_auth_init(version, should_bswap, bp, &bab, &bab_len);
	cd.cd_format = CRYPTO_DATA_RAW;
	cd.cd_offset = 0;
	cd.cd_length = bab_len;
	cd.cd_raw.iov_base = (char *)&bab;
	cd.cd_raw.iov_len = cd.cd_length;

	ret = crypto_mac_update(ctx, &cd);
	if (ret != CRYPTO_SUCCESS) {
		ret = SET_ERROR(EIO);
		goto error;
	}

	return (0);

error:
	return (ret);
}

static void
zio_crypt_bp_do_indrect_checksum_updates(SHA2_CTX *ctx, uint64_t version,
    boolean_t should_bswap, blkptr_t *bp)
{
	uint_t bab_len;
	blkptr_auth_buf_t bab;

	zio_crypt_bp_auth_init(version, should_bswap, bp, &bab, &bab_len);
	SHA2Update(ctx, &bab, bab_len);
}

static void
zio_crypt_bp_do_aad_updates(uint8_t **aadp, uint_t *aad_len, uint64_t version,
    boolean_t should_bswap, blkptr_t *bp)
{
	uint_t bab_len;
	blkptr_auth_buf_t bab;

	zio_crypt_bp_auth_init(version, should_bswap, bp, &bab, &bab_len);
	memcpy(*aadp, &bab, bab_len);
	*aadp += bab_len;
	*aad_len += bab_len;
}

static int
zio_crypt_do_dnode_hmac_updates(crypto_context_t ctx, uint64_t version,
    boolean_t should_bswap, dnode_phys_t *dnp)
{
	int ret, i;
	dnode_phys_t *adnp, tmp_dncore;
	size_t dn_core_size = offsetof(dnode_phys_t, dn_blkptr);
	boolean_t le_bswap = (should_bswap == ZFS_HOST_BYTEORDER);
	crypto_data_t cd;

	cd.cd_format = CRYPTO_DATA_RAW;
	cd.cd_offset = 0;

	/*
	 * Authenticate the core dnode (masking out non-portable bits).
	 * We only copy the first 64 bytes we operate on to avoid the overhead
	 * of copying 512-64 unneeded bytes. The compiler seems to be fine
	 * with that.
	 */
	memcpy(&tmp_dncore, dnp, dn_core_size);
	adnp = &tmp_dncore;

	if (le_bswap) {
		adnp->dn_datablkszsec = BSWAP_16(adnp->dn_datablkszsec);
		adnp->dn_bonuslen = BSWAP_16(adnp->dn_bonuslen);
		adnp->dn_maxblkid = BSWAP_64(adnp->dn_maxblkid);
		adnp->dn_used = BSWAP_64(adnp->dn_used);
	}
	adnp->dn_flags &= DNODE_CRYPT_PORTABLE_FLAGS_MASK;
	adnp->dn_used = 0;

	cd.cd_length = dn_core_size;
	cd.cd_raw.iov_base = (char *)adnp;
	cd.cd_raw.iov_len = cd.cd_length;

	ret = crypto_mac_update(ctx, &cd);
	if (ret != CRYPTO_SUCCESS) {
		ret = SET_ERROR(EIO);
		goto error;
	}

	for (i = 0; i < dnp->dn_nblkptr; i++) {
		ret = zio_crypt_bp_do_hmac_updates(ctx, version,
		    should_bswap, &dnp->dn_blkptr[i]);
		if (ret != 0)
			goto error;
	}

	if (dnp->dn_flags & DNODE_FLAG_SPILL_BLKPTR) {
		ret = zio_crypt_bp_do_hmac_updates(ctx, version,
		    should_bswap, DN_SPILL_BLKPTR(dnp));
		if (ret != 0)
			goto error;
	}

	return (0);

error:
	return (ret);
}

/*
 * objset_phys_t blocks introduce a number of exceptions to the normal
 * authentication process. objset_phys_t's contain 2 separate HMACs for
 * protecting the integrity of their data. The portable_mac protects the
 * metadnode. This MAC can be sent with a raw send and protects against
 * reordering of data within the metadnode. The local_mac protects the user
 * accounting objects which are not sent from one system to another.
 *
 * In addition, objset blocks are the only blocks that can be modified and
 * written to disk without the key loaded under certain circumstances. During
 * zil_claim() we need to be able to update the zil_header_t to complete
 * claiming log blocks and during raw receives we need to write out the
 * portable_mac from the send file. Both of these actions are possible
 * because these fields are not protected by either MAC so neither one will
 * need to modify the MACs without the key. However, when the modified blocks
 * are written out they will be byteswapped into the host machine's native
 * endianness which will modify fields protected by the MAC. As a result, MAC
 * calculation for objset blocks works slightly differently from other block
 * types. Where other block types MAC the data in whatever endianness is
 * written to disk, objset blocks always MAC the little endian version of their
 * values. In the code, should_bswap is the value from BP_SHOULD_BYTESWAP()
 * and le_bswap indicates whether a byteswap is needed to get this block
 * into little endian format.
 */
int
zio_crypt_do_objset_hmacs(zio_crypt_key_t *key, void *data, uint_t datalen,
    boolean_t should_bswap, uint8_t *portable_mac, uint8_t *local_mac)
{
	int ret;
	crypto_mechanism_t mech;
	crypto_context_t ctx;
	crypto_data_t cd;
	objset_phys_t *osp = data;
	uint64_t intval;
	boolean_t le_bswap = (should_bswap == ZFS_HOST_BYTEORDER);
	uint8_t raw_portable_mac[SHA512_DIGEST_LENGTH];
	uint8_t raw_local_mac[SHA512_DIGEST_LENGTH];

	/* initialize HMAC mechanism */
	mech.cm_type = crypto_mech2id(SUN_CKM_SHA512_HMAC);
	mech.cm_param = NULL;
	mech.cm_param_len = 0;

	cd.cd_format = CRYPTO_DATA_RAW;
	cd.cd_offset = 0;

	/* calculate the portable MAC from the portable fields and metadnode */
	ret = crypto_mac_init(&mech, &key->zk_hmac_key, NULL, &ctx);
	if (ret != CRYPTO_SUCCESS) {
		ret = SET_ERROR(EIO);
		goto error;
	}

	/* add in the os_type */
	intval = (le_bswap) ? osp->os_type : BSWAP_64(osp->os_type);
	cd.cd_length = sizeof (uint64_t);
	cd.cd_raw.iov_base = (char *)&intval;
	cd.cd_raw.iov_len = cd.cd_length;

	ret = crypto_mac_update(ctx, &cd);
	if (ret != CRYPTO_SUCCESS) {
		ret = SET_ERROR(EIO);
		goto error;
	}

	/* add in the portable os_flags */
	intval = osp->os_flags;
	if (should_bswap)
		intval = BSWAP_64(intval);
	intval &= OBJSET_CRYPT_PORTABLE_FLAGS_MASK;
	if (!ZFS_HOST_BYTEORDER)
		intval = BSWAP_64(intval);

	cd.cd_length = sizeof (uint64_t);
	cd.cd_raw.iov_base = (char *)&intval;
	cd.cd_raw.iov_len = cd.cd_length;

	ret = crypto_mac_update(ctx, &cd);
	if (ret != CRYPTO_SUCCESS) {
		ret = SET_ERROR(EIO);
		goto error;
	}

	/* add in fields from the metadnode */
	ret = zio_crypt_do_dnode_hmac_updates(ctx, key->zk_version,
	    should_bswap, &osp->os_meta_dnode);
	if (ret)
		goto error;

	/* store the final digest in a temporary buffer and copy what we need */
	cd.cd_length = SHA512_DIGEST_LENGTH;
	cd.cd_raw.iov_base = (char *)raw_portable_mac;
	cd.cd_raw.iov_len = cd.cd_length;

	ret = crypto_mac_final(ctx, &cd);
	if (ret != CRYPTO_SUCCESS) {
		ret = SET_ERROR(EIO);
		goto error;
	}

	memcpy(portable_mac, raw_portable_mac, ZIO_OBJSET_MAC_LEN);

	/*
	 * This is necessary here as we check next whether
	 * OBJSET_FLAG_USERACCOUNTING_COMPLETE is set in order to
	 * decide if the local_mac should be zeroed out. That flag will always
	 * be set by dmu_objset_id_quota_upgrade_cb() and
	 * dmu_objset_userspace_upgrade_cb() if useraccounting has been
	 * completed.
	 */
	intval = osp->os_flags;
	if (should_bswap)
		intval = BSWAP_64(intval);
	boolean_t uacct_incomplete =
	    !(intval & OBJSET_FLAG_USERACCOUNTING_COMPLETE);

	/*
	 * The local MAC protects the user, group and project accounting.
	 * If these objects are not present, the local MAC is zeroed out.
	 */
	if (uacct_incomplete ||
	    (datalen >= OBJSET_PHYS_SIZE_V3 &&
	    osp->os_userused_dnode.dn_type == DMU_OT_NONE &&
	    osp->os_groupused_dnode.dn_type == DMU_OT_NONE &&
	    osp->os_projectused_dnode.dn_type == DMU_OT_NONE) ||
	    (datalen >= OBJSET_PHYS_SIZE_V2 &&
	    osp->os_userused_dnode.dn_type == DMU_OT_NONE &&
	    osp->os_groupused_dnode.dn_type == DMU_OT_NONE) ||
	    (datalen <= OBJSET_PHYS_SIZE_V1)) {
		memset(local_mac, 0, ZIO_OBJSET_MAC_LEN);
		return (0);
	}

	/* calculate the local MAC from the userused and groupused dnodes */
	ret = crypto_mac_init(&mech, &key->zk_hmac_key, NULL, &ctx);
	if (ret != CRYPTO_SUCCESS) {
		ret = SET_ERROR(EIO);
		goto error;
	}

	/* add in the non-portable os_flags */
	intval = osp->os_flags;
	if (should_bswap)
		intval = BSWAP_64(intval);
	intval &= ~OBJSET_CRYPT_PORTABLE_FLAGS_MASK;
	if (!ZFS_HOST_BYTEORDER)
		intval = BSWAP_64(intval);

	cd.cd_length = sizeof (uint64_t);
	cd.cd_raw.iov_base = (char *)&intval;
	cd.cd_raw.iov_len = cd.cd_length;

	ret = crypto_mac_update(ctx, &cd);
	if (ret != CRYPTO_SUCCESS) {
		ret = SET_ERROR(EIO);
		goto error;
	}

	/* add in fields from the user accounting dnodes */
	if (osp->os_userused_dnode.dn_type != DMU_OT_NONE) {
		ret = zio_crypt_do_dnode_hmac_updates(ctx, key->zk_version,
		    should_bswap, &osp->os_userused_dnode);
		if (ret)
			goto error;
	}

	if (osp->os_groupused_dnode.dn_type != DMU_OT_NONE) {
		ret = zio_crypt_do_dnode_hmac_updates(ctx, key->zk_version,
		    should_bswap, &osp->os_groupused_dnode);
		if (ret)
			goto error;
	}

	if (osp->os_projectused_dnode.dn_type != DMU_OT_NONE &&
	    datalen >= OBJSET_PHYS_SIZE_V3) {
		ret = zio_crypt_do_dnode_hmac_updates(ctx, key->zk_version,
		    should_bswap, &osp->os_projectused_dnode);
		if (ret)
			goto error;
	}

	/* store the final digest in a temporary buffer and copy what we need */
	cd.cd_length = SHA512_DIGEST_LENGTH;
	cd.cd_raw.iov_base = (char *)raw_local_mac;
	cd.cd_raw.iov_len = cd.cd_length;

	ret = crypto_mac_final(ctx, &cd);
	if (ret != CRYPTO_SUCCESS) {
		ret = SET_ERROR(EIO);
		goto error;
	}

	memcpy(local_mac, raw_local_mac, ZIO_OBJSET_MAC_LEN);

	return (0);

error:
	memset(portable_mac, 0, ZIO_OBJSET_MAC_LEN);
	memset(local_mac, 0, ZIO_OBJSET_MAC_LEN);
	return (ret);
}

static void
zio_crypt_destroy_uio(zfs_uio_t *uio)
{
	if (uio->uio_iov)
		kmem_free(uio->uio_iov, uio->uio_iovcnt * sizeof (iovec_t));
}

/*
 * This function parses an uncompressed indirect block and returns a checksum
 * of all the portable fields from all of the contained bps. The portable
 * fields are the MAC and all of the fields from blk_prop except for the dedup,
 * checksum, and psize bits. For an explanation of the purpose of this, see
 * the comment block on object set authentication.
 */
static int
zio_crypt_do_indirect_mac_checksum_impl(boolean_t generate, void *buf,
    uint_t datalen, uint64_t version, boolean_t byteswap, uint8_t *cksum)
{
	blkptr_t *bp;
	int i, epb = datalen >> SPA_BLKPTRSHIFT;
	SHA2_CTX ctx;
	uint8_t digestbuf[SHA512_DIGEST_LENGTH];

	/* checksum all of the MACs from the layer below */
	SHA2Init(SHA512, &ctx);
	for (i = 0, bp = buf; i < epb; i++, bp++) {
		zio_crypt_bp_do_indrect_checksum_updates(&ctx, version,
		    byteswap, bp);
	}
	SHA2Final(digestbuf, &ctx);

	if (generate) {
		memcpy(cksum, digestbuf, ZIO_DATA_MAC_LEN);
		return (0);
	}

	if (memcmp(digestbuf, cksum, ZIO_DATA_MAC_LEN) != 0)
		return (SET_ERROR(ECKSUM));

	return (0);
}

int
zio_crypt_do_indirect_mac_checksum(boolean_t generate, void *buf,
    uint_t datalen, boolean_t byteswap, uint8_t *cksum)
{
	int ret;

	/*
	 * Unfortunately, callers of this function will not always have
	 * easy access to the on-disk format version. This info is
	 * normally found in the DSL Crypto Key, but the checksum-of-MACs
	 * is expected to be verifiable even when the key isn't loaded.
	 * Here, instead of doing a ZAP lookup for the version for each
	 * zio, we simply try both existing formats.
	 */
	ret = zio_crypt_do_indirect_mac_checksum_impl(generate, buf,
	    datalen, ZIO_CRYPT_KEY_CURRENT_VERSION, byteswap, cksum);
	if (ret == ECKSUM) {
		ASSERT(!generate);
		ret = zio_crypt_do_indirect_mac_checksum_impl(generate,
		    buf, datalen, 0, byteswap, cksum);
	}

	return (ret);
}

int
zio_crypt_do_indirect_mac_checksum_abd(boolean_t generate, abd_t *abd,
    uint_t datalen, boolean_t byteswap, uint8_t *cksum)
{
	int ret;
	void *buf;

	buf = abd_borrow_buf_copy(abd, datalen);
	ret = zio_crypt_do_indirect_mac_checksum(generate, buf, datalen,
	    byteswap, cksum);
	abd_return_buf(abd, buf, datalen);

	return (ret);
}

/*
 * Special case handling routine for encrypting / decrypting ZIL blocks.
 * We do not check for the older ZIL chain because the encryption feature
 * was not available before the newer ZIL chain was introduced. The goal
 * here is to encrypt everything except the blkptr_t of a lr_write_t and
 * the zil_chain_t header. Everything that is not encrypted is authenticated.
 */
static int
zio_crypt_init_uios_zil(boolean_t encrypt, uint8_t *plainbuf,
    uint8_t *cipherbuf, uint_t datalen, boolean_t byteswap, zfs_uio_t *puio,
    zfs_uio_t *cuio, uint_t *enc_len, uint8_t **authbuf, uint_t *auth_len,
    boolean_t *no_crypt)
{
	int ret;
	uint64_t txtype, lr_len, nused;
	uint_t nr_src, nr_dst, crypt_len;
	uint_t aad_len = 0, nr_iovecs = 0, total_len = 0;
	iovec_t *src_iovecs = NULL, *dst_iovecs = NULL;
	uint8_t *src, *dst, *slrp, *dlrp, *blkend, *aadp;
	zil_chain_t *zilc;
	lr_t *lr;
	uint8_t *aadbuf = zio_buf_alloc(datalen);

	/* cipherbuf always needs an extra iovec for the MAC */
	if (encrypt) {
		src = plainbuf;
		dst = cipherbuf;
		nr_src = 0;
		nr_dst = 1;
	} else {
		src = cipherbuf;
		dst = plainbuf;
		nr_src = 1;
		nr_dst = 0;
	}
	memset(dst, 0, datalen);

	/* find the start and end record of the log block */
	zilc = (zil_chain_t *)src;
	slrp = src + sizeof (zil_chain_t);
	aadp = aadbuf;
	nused = ((byteswap) ? BSWAP_64(zilc->zc_nused) : zilc->zc_nused);
	ASSERT3U(nused, >=, sizeof (zil_chain_t));
	ASSERT3U(nused, <=, datalen);
	blkend = src + nused;

	/* calculate the number of encrypted iovecs we will need */
	for (; slrp < blkend; slrp += lr_len) {
		lr = (lr_t *)slrp;

		if (!byteswap) {
			txtype = lr->lrc_txtype;
			lr_len = lr->lrc_reclen;
		} else {
			txtype = BSWAP_64(lr->lrc_txtype);
			lr_len = BSWAP_64(lr->lrc_reclen);
		}
		ASSERT3U(lr_len, >=, sizeof (lr_t));
		ASSERT3U(lr_len, <=, blkend - slrp);

		nr_iovecs++;
		if (txtype == TX_WRITE && lr_len != sizeof (lr_write_t))
			nr_iovecs++;
	}

	nr_src += nr_iovecs;
	nr_dst += nr_iovecs;

	/* allocate the iovec arrays */
	if (nr_src != 0) {
		src_iovecs = kmem_alloc(nr_src * sizeof (iovec_t), KM_SLEEP);
		if (src_iovecs == NULL) {
			ret = SET_ERROR(ENOMEM);
			goto error;
		}
	}

	if (nr_dst != 0) {
		dst_iovecs = kmem_alloc(nr_dst * sizeof (iovec_t), KM_SLEEP);
		if (dst_iovecs == NULL) {
			ret = SET_ERROR(ENOMEM);
			goto error;
		}
	}

	/*
	 * Copy the plain zil header over and authenticate everything except
	 * the checksum that will store our MAC. If we are writing the data
	 * the embedded checksum will not have been calculated yet, so we don't
	 * authenticate that.
	 */
	memcpy(dst, src, sizeof (zil_chain_t));
	memcpy(aadp, src, sizeof (zil_chain_t) - sizeof (zio_eck_t));
	aadp += sizeof (zil_chain_t) - sizeof (zio_eck_t);
	aad_len += sizeof (zil_chain_t) - sizeof (zio_eck_t);

	/* loop over records again, filling in iovecs */
	nr_iovecs = 0;
	slrp = src + sizeof (zil_chain_t);
	dlrp = dst + sizeof (zil_chain_t);

	for (; slrp < blkend; slrp += lr_len, dlrp += lr_len) {
		lr = (lr_t *)slrp;

		if (!byteswap) {
			txtype = lr->lrc_txtype;
			lr_len = lr->lrc_reclen;
		} else {
			txtype = BSWAP_64(lr->lrc_txtype);
			lr_len = BSWAP_64(lr->lrc_reclen);
		}

		/* copy the common lr_t */
		memcpy(dlrp, slrp, sizeof (lr_t));
		memcpy(aadp, slrp, sizeof (lr_t));
		aadp += sizeof (lr_t);
		aad_len += sizeof (lr_t);

		ASSERT3P(src_iovecs, !=, NULL);
		ASSERT3P(dst_iovecs, !=, NULL);

		/*
		 * If this is a TX_WRITE record we want to encrypt everything
		 * except the bp if it exists. If the bp does exist we want to
		 * authenticate it.
		 */
		if (txtype == TX_WRITE) {
			const size_t o = offsetof(lr_write_t, lr_blkptr);
			crypt_len = o - sizeof (lr_t);
			src_iovecs[nr_iovecs].iov_base = slrp + sizeof (lr_t);
			src_iovecs[nr_iovecs].iov_len = crypt_len;
			dst_iovecs[nr_iovecs].iov_base = dlrp + sizeof (lr_t);
			dst_iovecs[nr_iovecs].iov_len = crypt_len;

			/* copy the bp now since it will not be encrypted */
			memcpy(dlrp + o, slrp + o, sizeof (blkptr_t));
			memcpy(aadp, slrp + o, sizeof (blkptr_t));
			aadp += sizeof (blkptr_t);
			aad_len += sizeof (blkptr_t);
			nr_iovecs++;
			total_len += crypt_len;

			if (lr_len != sizeof (lr_write_t)) {
				crypt_len = lr_len - sizeof (lr_write_t);
				src_iovecs[nr_iovecs].iov_base =
				    slrp + sizeof (lr_write_t);
				src_iovecs[nr_iovecs].iov_len = crypt_len;
				dst_iovecs[nr_iovecs].iov_base =
				    dlrp + sizeof (lr_write_t);
				dst_iovecs[nr_iovecs].iov_len = crypt_len;
				nr_iovecs++;
				total_len += crypt_len;
			}
		} else if (txtype == TX_CLONE_RANGE) {
			const size_t o = offsetof(lr_clone_range_t, lr_nbps);
			crypt_len = o - sizeof (lr_t);
			src_iovecs[nr_iovecs].iov_base = slrp + sizeof (lr_t);
			src_iovecs[nr_iovecs].iov_len = crypt_len;
			dst_iovecs[nr_iovecs].iov_base = dlrp + sizeof (lr_t);
			dst_iovecs[nr_iovecs].iov_len = crypt_len;

			/* copy the bps now since they will not be encrypted */
			memcpy(dlrp + o, slrp + o, lr_len - o);
			memcpy(aadp, slrp + o, lr_len - o);
			aadp += lr_len - o;
			aad_len += lr_len - o;
			nr_iovecs++;
			total_len += crypt_len;
		} else {
			crypt_len = lr_len - sizeof (lr_t);
			src_iovecs[nr_iovecs].iov_base = slrp + sizeof (lr_t);
			src_iovecs[nr_iovecs].iov_len = crypt_len;
			dst_iovecs[nr_iovecs].iov_base = dlrp + sizeof (lr_t);
			dst_iovecs[nr_iovecs].iov_len = crypt_len;
			nr_iovecs++;
			total_len += crypt_len;
		}
	}

	*no_crypt = (nr_iovecs == 0);
	*enc_len = total_len;
	*authbuf = aadbuf;
	*auth_len = aad_len;

	if (encrypt) {
		puio->uio_iov = src_iovecs;
		puio->uio_iovcnt = nr_src;
		cuio->uio_iov = dst_iovecs;
		cuio->uio_iovcnt = nr_dst;
	} else {
		puio->uio_iov = dst_iovecs;
		puio->uio_iovcnt = nr_dst;
		cuio->uio_iov = src_iovecs;
		cuio->uio_iovcnt = nr_src;
	}

	return (0);

error:
	zio_buf_free(aadbuf, datalen);
	if (src_iovecs != NULL)
		kmem_free(src_iovecs, nr_src * sizeof (iovec_t));
	if (dst_iovecs != NULL)
		kmem_free(dst_iovecs, nr_dst * sizeof (iovec_t));

	*enc_len = 0;
	*authbuf = NULL;
	*auth_len = 0;
	*no_crypt = B_FALSE;
	puio->uio_iov = NULL;
	puio->uio_iovcnt = 0;
	cuio->uio_iov = NULL;
	cuio->uio_iovcnt = 0;
	return (ret);
}

/*
 * Special case handling routine for encrypting / decrypting dnode blocks.
 */
static int
zio_crypt_init_uios_dnode(boolean_t encrypt, uint64_t version,
    uint8_t *plainbuf, uint8_t *cipherbuf, uint_t datalen, boolean_t byteswap,
    zfs_uio_t *puio, zfs_uio_t *cuio, uint_t *enc_len, uint8_t **authbuf,
    uint_t *auth_len, boolean_t *no_crypt)
{
	int ret;
	uint_t nr_src, nr_dst, crypt_len;
	uint_t aad_len = 0, nr_iovecs = 0, total_len = 0;
	uint_t i, j, max_dnp = datalen >> DNODE_SHIFT;
	iovec_t *src_iovecs = NULL, *dst_iovecs = NULL;
	uint8_t *src, *dst, *aadp;
	dnode_phys_t *dnp, *adnp, *sdnp, *ddnp;
	uint8_t *aadbuf = zio_buf_alloc(datalen);

	if (encrypt) {
		src = plainbuf;
		dst = cipherbuf;
		nr_src = 0;
		nr_dst = 1;
	} else {
		src = cipherbuf;
		dst = plainbuf;
		nr_src = 1;
		nr_dst = 0;
	}

	sdnp = (dnode_phys_t *)src;
	ddnp = (dnode_phys_t *)dst;
	aadp = aadbuf;

	/*
	 * Count the number of iovecs we will need to do the encryption by
	 * counting the number of bonus buffers that need to be encrypted.
	 */
	for (i = 0; i < max_dnp; i += sdnp[i].dn_extra_slots + 1) {
		/*
		 * This block may still be byteswapped. However, all of the
		 * values we use are either uint8_t's (for which byteswapping
		 * is a noop) or a * != 0 check, which will work regardless
		 * of whether or not we byteswap.
		 */
		if (sdnp[i].dn_type != DMU_OT_NONE &&
		    DMU_OT_IS_ENCRYPTED(sdnp[i].dn_bonustype) &&
		    sdnp[i].dn_bonuslen != 0) {
			nr_iovecs++;
		}
	}

	nr_src += nr_iovecs;
	nr_dst += nr_iovecs;

	if (nr_src != 0) {
		src_iovecs = kmem_alloc(nr_src * sizeof (iovec_t), KM_SLEEP);
		if (src_iovecs == NULL) {
			ret = SET_ERROR(ENOMEM);
			goto error;
		}
	}

	if (nr_dst != 0) {
		dst_iovecs = kmem_alloc(nr_dst * sizeof (iovec_t), KM_SLEEP);
		if (dst_iovecs == NULL) {
			ret = SET_ERROR(ENOMEM);
			goto error;
		}
	}

	nr_iovecs = 0;

	/*
	 * Iterate through the dnodes again, this time filling in the uios
	 * we allocated earlier. We also concatenate any data we want to
	 * authenticate onto aadbuf.
	 */
	for (i = 0; i < max_dnp; i += sdnp[i].dn_extra_slots + 1) {
		dnp = &sdnp[i];

		/* copy over the core fields and blkptrs (kept as plaintext) */
		memcpy(&ddnp[i], dnp,
		    (uint8_t *)DN_BONUS(dnp) - (uint8_t *)dnp);

		if (dnp->dn_flags & DNODE_FLAG_SPILL_BLKPTR) {
			memcpy(DN_SPILL_BLKPTR(&ddnp[i]), DN_SPILL_BLKPTR(dnp),
			    sizeof (blkptr_t));
		}

		/*
		 * Handle authenticated data. We authenticate everything in
		 * the dnode that can be brought over when we do a raw send.
		 * This includes all of the core fields as well as the MACs
		 * stored in the bp checksums and all of the portable bits
		 * from blk_prop. We include the dnode padding here in case it
		 * ever gets used in the future. Some dn_flags and dn_used are
		 * not portable so we mask those values out of the
		 * authenticated data.
		 */
		crypt_len = offsetof(dnode_phys_t, dn_blkptr);
		memcpy(aadp, dnp, crypt_len);
		adnp = (dnode_phys_t *)aadp;
		adnp->dn_flags &= DNODE_CRYPT_PORTABLE_FLAGS_MASK;
		adnp->dn_used = 0;
		aadp += crypt_len;
		aad_len += crypt_len;

		for (j = 0; j < dnp->dn_nblkptr; j++) {
			zio_crypt_bp_do_aad_updates(&aadp, &aad_len,
			    version, byteswap, &dnp->dn_blkptr[j]);
		}

		if (dnp->dn_flags & DNODE_FLAG_SPILL_BLKPTR) {
			zio_crypt_bp_do_aad_updates(&aadp, &aad_len,
			    version, byteswap, DN_SPILL_BLKPTR(dnp));
		}

		/*
		 * If this bonus buffer needs to be encrypted, we prepare an
		 * iovec_t. The encryption / decryption functions will fill
		 * this in for us with the encrypted or decrypted data.
		 * Otherwise we add the bonus buffer to the authenticated
		 * data buffer and copy it over to the destination. The
		 * encrypted iovec extends to DN_MAX_BONUS_LEN(dnp) so that
		 * we can guarantee alignment with the AES block size
		 * (128 bits).
		 */
		crypt_len = DN_MAX_BONUS_LEN(dnp);
		if (dnp->dn_type != DMU_OT_NONE &&
		    DMU_OT_IS_ENCRYPTED(dnp->dn_bonustype) &&
		    dnp->dn_bonuslen != 0) {
			ASSERT3U(nr_iovecs, <, nr_src);
			ASSERT3U(nr_iovecs, <, nr_dst);
			ASSERT3P(src_iovecs, !=, NULL);
			ASSERT3P(dst_iovecs, !=, NULL);
			src_iovecs[nr_iovecs].iov_base = DN_BONUS(dnp);
			src_iovecs[nr_iovecs].iov_len = crypt_len;
			dst_iovecs[nr_iovecs].iov_base = DN_BONUS(&ddnp[i]);
			dst_iovecs[nr_iovecs].iov_len = crypt_len;

			nr_iovecs++;
			total_len += crypt_len;
		} else {
			memcpy(DN_BONUS(&ddnp[i]), DN_BONUS(dnp), crypt_len);
			memcpy(aadp, DN_BONUS(dnp), crypt_len);
			aadp += crypt_len;
			aad_len += crypt_len;
		}
	}

	*no_crypt = (nr_iovecs == 0);
	*enc_len = total_len;
	*authbuf = aadbuf;
	*auth_len = aad_len;

	if (encrypt) {
		puio->uio_iov = src_iovecs;
		puio->uio_iovcnt = nr_src;
		cuio->uio_iov = dst_iovecs;
		cuio->uio_iovcnt = nr_dst;
	} else {
		puio->uio_iov = dst_iovecs;
		puio->uio_iovcnt = nr_dst;
		cuio->uio_iov = src_iovecs;
		cuio->uio_iovcnt = nr_src;
	}

	return (0);

error:
	zio_buf_free(aadbuf, datalen);
	if (src_iovecs != NULL)
		kmem_free(src_iovecs, nr_src * sizeof (iovec_t));
	if (dst_iovecs != NULL)
		kmem_free(dst_iovecs, nr_dst * sizeof (iovec_t));

	*enc_len = 0;
	*authbuf = NULL;
	*auth_len = 0;
	*no_crypt = B_FALSE;
	puio->uio_iov = NULL;
	puio->uio_iovcnt = 0;
	cuio->uio_iov = NULL;
	cuio->uio_iovcnt = 0;
	return (ret);
}

static int
zio_crypt_init_uios_normal(boolean_t encrypt, uint8_t *plainbuf,
    uint8_t *cipherbuf, uint_t datalen, zfs_uio_t *puio, zfs_uio_t *cuio,
    uint_t *enc_len)
{
	(void) encrypt;
	int ret;
	uint_t nr_plain = 1, nr_cipher = 2;
	iovec_t *plain_iovecs = NULL, *cipher_iovecs = NULL;

	/* allocate the iovecs for the plain and cipher data */
	plain_iovecs = kmem_alloc(nr_plain * sizeof (iovec_t),
	    KM_SLEEP);
	if (!plain_iovecs) {
		ret = SET_ERROR(ENOMEM);
		goto error;
	}

	cipher_iovecs = kmem_alloc(nr_cipher * sizeof (iovec_t),
	    KM_SLEEP);
	if (!cipher_iovecs) {
		ret = SET_ERROR(ENOMEM);
		goto error;
	}

	plain_iovecs[0].iov_base = plainbuf;
	plain_iovecs[0].iov_len = datalen;
	cipher_iovecs[0].iov_base = cipherbuf;
	cipher_iovecs[0].iov_len = datalen;

	*enc_len = datalen;
	puio->uio_iov = plain_iovecs;
	puio->uio_iovcnt = nr_plain;
	cuio->uio_iov = cipher_iovecs;
	cuio->uio_iovcnt = nr_cipher;

	return (0);

error:
	if (plain_iovecs != NULL)
		kmem_free(plain_iovecs, nr_plain * sizeof (iovec_t));
	if (cipher_iovecs != NULL)
		kmem_free(cipher_iovecs, nr_cipher * sizeof (iovec_t));

	*enc_len = 0;
	puio->uio_iov = NULL;
	puio->uio_iovcnt = 0;
	cuio->uio_iov = NULL;
	cuio->uio_iovcnt = 0;
	return (ret);
}

/*
 * This function builds up the plaintext (puio) and ciphertext (cuio) uios so
 * that they can be used for encryption and decryption by zio_do_crypt_uio().
 * Most blocks will use zio_crypt_init_uios_normal(), with ZIL and dnode blocks
 * requiring special handling to parse out pieces that are to be encrypted.
/*
 * This function builds up the plaintext (puio) and ciphertext (cuio) uios so
 * that they can be used for encryption and decryption by zio_do_crypt_uio().
 * Most blocks will use zio_crypt_init_uios_normal(), with ZIL and dnode blocks
 * requiring special handling to parse out pieces that are to be encrypted. The
 * authbuf is used by these special cases to store additional authenticated
 * data (AAD) for the encryption modes.
 */
static int
zio_crypt_init_uios(boolean_t encrypt, uint64_t version, dmu_object_type_t ot,
    uint8_t *plainbuf, uint8_t *cipherbuf, uint_t datalen, boolean_t byteswap,
    uint8_t *mac, zfs_uio_t *puio, zfs_uio_t *cuio, uint_t *enc_len,
    uint8_t **authbuf, uint_t *auth_len, boolean_t *no_crypt)
{
	int ret;
	iovec_t *mac_iov;

	ASSERT(DMU_OT_IS_ENCRYPTED(ot) || ot == DMU_OT_NONE);

	/* route to handler */
	switch (ot) {
	case DMU_OT_INTENT_LOG:
		ret = zio_crypt_init_uios_zil(encrypt, plainbuf, cipherbuf,
		    datalen, byteswap, puio, cuio, enc_len, authbuf, auth_len,
		    no_crypt);
		break;
	case DMU_OT_DNODE:
		ret = zio_crypt_init_uios_dnode(encrypt, version, plainbuf,
		    cipherbuf, datalen, byteswap, puio, cuio, enc_len, authbuf,
		    auth_len, no_crypt);
		break;
	default:
		ret = zio_crypt_init_uios_normal(encrypt, plainbuf, cipherbuf,
		    datalen, puio, cuio, enc_len);
		*authbuf = NULL;
		*auth_len = 0;
		*no_crypt = B_FALSE;
		break;
	}

	if (ret != 0)
		goto error;

	/* populate the uios */
	puio->uio_segflg = UIO_SYSSPACE;
	cuio->uio_segflg = UIO_SYSSPACE;

	mac_iov = ((iovec_t *)&cuio->uio_iov[cuio->uio_iovcnt - 1]);
	mac_iov->iov_base = mac;
	mac_iov->iov_len = ZIO_DATA_MAC_LEN;

	return (0);

error:
	return (ret);
}

/*
 * Primary encryption / decryption entrypoint for zio data.
 */
int
zio_do_crypt_data(boolean_t encrypt, zio_crypt_key_t *key,
    dmu_object_type_t ot, boolean_t byteswap, uint8_t *salt, uint8_t *iv,
    uint8_t *mac, uint_t datalen, uint8_t *plainbuf, uint8_t *cipherbuf,
    boolean_t *no_crypt)
{
	int ret;
	boolean_t locked = B_FALSE;
	uint64_t crypt = key->zk_crypt;
	uint_t keydata_len = zio_crypt_table[crypt].ci_keylen;
	uint_t enc_len, auth_len;
	zfs_uio_t puio, cuio;
	uint8_t enc_keydata[MASTER_KEY_MAX_LEN];
	crypto_key_t tmp_ckey, *ckey = NULL;
	crypto_ctx_template_t tmpl;
	uint8_t *authbuf = NULL;

	memset(&puio, 0, sizeof (puio));
	memset(&cuio, 0, sizeof (cuio));

	/*
	 * If the needed key is the current one, just use it. Otherwise we
	 * need to generate a temporary one from the given salt + master key.
	 * If we are encrypting, we must return a copy of the current salt
	 * so that it can be stored in the blkptr_t.
	 */
	rw_enter(&key->zk_salt_lock, RW_READER);
	locked = B_TRUE;

	if (memcmp(salt, key->zk_salt, ZIO_DATA_SALT_LEN) == 0) {
		ckey = &key->zk_current_key;
		tmpl = key->zk_current_tmpl;
	} else {
		rw_exit(&key->zk_salt_lock);
		locked = B_FALSE;

		ret = hkdf_sha512(key->zk_master_keydata, keydata_len, NULL, 0,
		    salt, ZIO_DATA_SALT_LEN, enc_keydata, keydata_len);
		if (ret != 0)
			goto error;

		tmp_ckey.ck_data = enc_keydata;
		tmp_ckey.ck_length = CRYPTO_BYTES2BITS(keydata_len);

		ckey = &tmp_ckey;
		tmpl = NULL;
	}
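	/*
	 * At this point ckey is either the cached per-salt key (with its
	 * pre-built context template) or the temporary key derived above
	 * (tmpl == NULL); the temporary key material in enc_keydata is
	 * zeroed out once the operation completes below.
	 */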
	/*
	 * Attempt to use QAT acceleration if we can. We currently don't
	 * do this for metadnode and ZIL blocks, since they have a much
	 * more involved buffer layout and the qat_crypt() function only
	 * works in-place.
	 */
	if (qat_crypt_use_accel(datalen) &&
	    ot != DMU_OT_INTENT_LOG && ot != DMU_OT_DNODE) {
		uint8_t *srcbuf, *dstbuf;

		if (encrypt) {
			srcbuf = plainbuf;
			dstbuf = cipherbuf;
		} else {
			srcbuf = cipherbuf;
			dstbuf = plainbuf;
		}

		ret = qat_crypt((encrypt) ? QAT_ENCRYPT : QAT_DECRYPT, srcbuf,
		    dstbuf, NULL, 0, iv, mac, ckey, key->zk_crypt, datalen);
		if (ret == CPA_STATUS_SUCCESS) {
			if (locked) {
				rw_exit(&key->zk_salt_lock);
				locked = B_FALSE;
			}

			return (0);
		}
		/* If the hardware implementation fails, fall back to software */
	}

	/* create uios for encryption */
	ret = zio_crypt_init_uios(encrypt, key->zk_version, ot, plainbuf,
	    cipherbuf, datalen, byteswap, mac, &puio, &cuio, &enc_len,
	    &authbuf, &auth_len, no_crypt);
	if (ret != 0)
		goto error;

	/* perform the encryption / decryption in software */
	ret = zio_do_crypt_uio(encrypt, key->zk_crypt, ckey, tmpl, iv, enc_len,
	    &puio, &cuio, authbuf, auth_len);
	if (ret != 0)
		goto error;

	if (locked) {
		rw_exit(&key->zk_salt_lock);
	}

	if (authbuf != NULL)
		zio_buf_free(authbuf, datalen);
	if (ckey == &tmp_ckey)
		memset(enc_keydata, 0, keydata_len);
	zio_crypt_destroy_uio(&puio);
	zio_crypt_destroy_uio(&cuio);

	return (0);

error:
	if (locked)
		rw_exit(&key->zk_salt_lock);
	if (authbuf != NULL)
		zio_buf_free(authbuf, datalen);
	if (ckey == &tmp_ckey)
		memset(enc_keydata, 0, keydata_len);
	zio_crypt_destroy_uio(&puio);
	zio_crypt_destroy_uio(&cuio);

	return (ret);
}

/*
 * Simple wrapper around zio_do_crypt_data() to work with abd's instead of
 * linear buffers.
 */
int
zio_do_crypt_abd(boolean_t encrypt, zio_crypt_key_t *key, dmu_object_type_t ot,
    boolean_t byteswap, uint8_t *salt, uint8_t *iv, uint8_t *mac,
    uint_t datalen, abd_t *pabd, abd_t *cabd, boolean_t *no_crypt)
{
	int ret;
	void *ptmp, *ctmp;

	if (encrypt) {
		ptmp = abd_borrow_buf_copy(pabd, datalen);
		ctmp = abd_borrow_buf(cabd, datalen);
	} else {
		ptmp = abd_borrow_buf(pabd, datalen);
		ctmp = abd_borrow_buf_copy(cabd, datalen);
	}

	ret = zio_do_crypt_data(encrypt, key, ot, byteswap, salt, iv, mac,
	    datalen, ptmp, ctmp, no_crypt);
	if (ret != 0)
		goto error;

	if (encrypt) {
		abd_return_buf(pabd, ptmp, datalen);
		abd_return_buf_copy(cabd, ctmp, datalen);
	} else {
		abd_return_buf_copy(pabd, ptmp, datalen);
		abd_return_buf(cabd, ctmp, datalen);
	}

	return (0);

error:
	if (encrypt) {
		abd_return_buf(pabd, ptmp, datalen);
		abd_return_buf_copy(cabd, ctmp, datalen);
	} else {
		abd_return_buf_copy(pabd, ptmp, datalen);
		abd_return_buf(cabd, ctmp, datalen);
	}

	return (ret);
}

#if defined(_KERNEL)
module_param(zfs_key_max_salt_uses, ulong, 0644);
MODULE_PARM_DESC(zfs_key_max_salt_uses, "Max number of times a salt value "
	"can be used for generating encryption keys before it is rotated");
#endif
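/*
 * Hypothetical caller sketch (illustration only, not compiled): encrypting a
 * single block with an already-loaded zio_crypt_key_t, assuming the caller
 * has generated the salt and IV beforehand and holds the plaintext and
 * ciphertext abd's:
 *
 *	uint8_t salt[ZIO_DATA_SALT_LEN], iv[ZIO_DATA_IV_LEN];
 *	uint8_t mac[ZIO_DATA_MAC_LEN];
 *	boolean_t no_crypt;
 *
 *	int err = zio_do_crypt_abd(B_TRUE, key, BP_GET_TYPE(bp), B_FALSE,
 *	    salt, iv, mac, datalen, pabd, cabd, &no_crypt);
 *
 * On success the ciphertext is written to cabd and mac holds the
 * authentication tag to be stored alongside the block.
 */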