1eb63303Tom Caputi/*
2eb63303Tom Caputi * CDDL HEADER START
3eb63303Tom Caputi *
4eb63303Tom Caputi * This file and its contents are supplied under the terms of the
5eb63303Tom Caputi * Common Development and Distribution License ("CDDL"), version 1.0.
6eb63303Tom Caputi * You may only use this file in accordance with the terms of version
7eb63303Tom Caputi * 1.0 of the CDDL.
8eb63303Tom Caputi *
9eb63303Tom Caputi * A full copy of the text of the CDDL should have accompanied this
10eb63303Tom Caputi * source.  A copy of the CDDL is also available via the Internet at
11eb63303Tom Caputi * http://www.illumos.org/license/CDDL.
12eb63303Tom Caputi *
13eb63303Tom Caputi * CDDL HEADER END
14eb63303Tom Caputi */
15eb63303Tom Caputi
16eb63303Tom Caputi/*
17eb63303Tom Caputi * Copyright (c) 2017, Datto, Inc. All rights reserved.
18eb63303Tom Caputi */
19eb63303Tom Caputi
20eb63303Tom Caputi#include <sys/dsl_crypt.h>
21eb63303Tom Caputi#include <sys/dsl_pool.h>
22eb63303Tom Caputi#include <sys/zap.h>
23eb63303Tom Caputi#include <sys/zil.h>
24eb63303Tom Caputi#include <sys/dsl_dir.h>
25eb63303Tom Caputi#include <sys/dsl_prop.h>
26eb63303Tom Caputi#include <sys/spa_impl.h>
27eb63303Tom Caputi#include <sys/dmu_objset.h>
28eb63303Tom Caputi#include <sys/zvol.h>
29eb63303Tom Caputi
30eb63303Tom Caputi/*
31eb63303Tom Caputi * This file's primary purpose is for managing master encryption keys in
32eb63303Tom Caputi * memory and on disk. For more info on how these keys are used, see the
33eb63303Tom Caputi * block comment in zio_crypt.c.
34eb63303Tom Caputi *
35eb63303Tom Caputi * All master keys are stored encrypted on disk in the form of the DSL
36eb63303Tom Caputi * Crypto Key ZAP object. The binary key data in this object is always
37eb63303Tom Caputi * randomly generated and is encrypted with the user's wrapping key. This
38eb63303Tom Caputi * layer of indirection allows the user to change their key without
39eb63303Tom Caputi * needing to re-encrypt the entire dataset. The ZAP also holds on to the
40eb63303Tom Caputi * (non-encrypted) encryption algorithm identifier, IV, and MAC needed to
41eb63303Tom Caputi * safely decrypt the master key. For more info on the user's key see the
42eb63303Tom Caputi * block comment in libzfs_crypto.c
43eb63303Tom Caputi *
44eb63303Tom Caputi * In-memory encryption keys are managed through the spa_keystore. The
45eb63303Tom Caputi * keystore consists of 3 AVL trees, which are as follows:
46eb63303Tom Caputi *
47eb63303Tom Caputi * The Wrapping Key Tree:
48eb63303Tom Caputi * The wrapping key (wkey) tree stores the user's keys that are fed into the
49eb63303Tom Caputi * kernel through 'zfs load-key' and related commands. Datasets inherit their
50eb63303Tom Caputi * parent's wkey by default, so these structures are refcounted. The wrapping
51eb63303Tom Caputi * keys remain in memory until they are explicitly unloaded (with
52eb63303Tom Caputi * "zfs unload-key"). Unloading is only possible when no datasets are using
53eb63303Tom Caputi * them (refcount=0).
54eb63303Tom Caputi *
55eb63303Tom Caputi * The DSL Crypto Key Tree:
56eb63303Tom Caputi * The DSL Crypto Keys (DCK) are the in-memory representation of decrypted
57eb63303Tom Caputi * master keys. They are used by the functions in zio_crypt.c to perform
58eb63303Tom Caputi * encryption, decryption, and authentication. Snapshots and clones of a given
59eb63303Tom Caputi * dataset will share a DSL Crypto Key, so they are also refcounted. Once the
60eb63303Tom Caputi * refcount on a key hits zero, it is immediately zeroed out and freed.
61eb63303Tom Caputi *
62eb63303Tom Caputi * The Crypto Key Mapping Tree:
63eb63303Tom Caputi * The zio layer needs to lookup master keys by their dataset object id. Since
64eb63303Tom Caputi * the DSL Crypto Keys can belong to multiple datasets, we maintain a tree of
65eb63303Tom Caputi * dsl_key_mapping_t's which essentially just map the dataset object id to its
66eb63303Tom Caputi * appropriate DSL Crypto Key. The management for creating and destroying these
67eb63303Tom Caputi * mappings hooks into the code for owning and disowning datasets. Usually,
68eb63303Tom Caputi * there will only be one active dataset owner, but there are times
69eb63303Tom Caputi * (particularly during dataset creation and destruction) when this may not be
70eb63303Tom Caputi * true or the dataset may not be initialized enough to own. As a result, this
71eb63303Tom Caputi * object is also refcounted.
72eb63303Tom Caputi */
73eb63303Tom Caputi
/*
 * This tunable allows datasets to be raw received even if the stream does
 * not include IVset guids or if the guids don't match. This is used as part
 * of the resolution for ZPOOL_ERRATA_ZOL_8308_ENCRYPTION.
 *
 * The default of 0 keeps the IVset guid check in force. A non-zero value is
 * presumably what relaxes it (the check itself lives in the receive path,
 * not in this file — confirm there before changing the default); since the
 * guids are what tie a received IV set to its key, leave this at 0 outside
 * of that errata's recovery procedure.
 */
int zfs_disable_ivset_guid_check = 0;
80eb63303Tom Caputi
/*
 * Take a reference on a wrapping key on behalf of 'tag'. The refcount is
 * what prevents a loaded key from being unloaded while a dataset still
 * depends on it (see the keystore description at the top of this file).
 */
static void
dsl_wrapping_key_hold(dsl_wrapping_key_t *wkey, void *tag)
{
	zfs_refcount_t *rc = &wkey->wk_refcnt;

	(void) zfs_refcount_add(rc, tag);
}
86eb63303Tom Caputi
/*
 * Drop the reference that 'tag' took with dsl_wrapping_key_hold(). This
 * only adjusts the count; freeing the key when it reaches zero is the
 * caller's responsibility (dsl_wrapping_key_free()).
 */
static void
dsl_wrapping_key_rele(dsl_wrapping_key_t *wkey, void *tag)
{
	zfs_refcount_t *rc = &wkey->wk_refcnt;

	(void) zfs_refcount_remove(rc, tag);
}
92eb63303Tom Caputi
/*
 * Release a wrapping key whose refcount has already dropped to zero. The
 * raw key bytes are cleared before the buffer goes back to the allocator
 * so the user's key material does not linger in freed memory; the refcount
 * is torn down and the container itself is freed afterwards.
 */
static void
dsl_wrapping_key_free(dsl_wrapping_key_t *wkey)
{
	void *keydata = wkey->wk_key.ck_data;

	ASSERT0(zfs_refcount_count(&wkey->wk_refcnt));

	/*
	 * NOTE(review): from the compiler's point of view the bzero() is a
	 * dead store immediately followed by a free, which an optimizer is
	 * permitted to elide. If this platform provides an explicit-zeroing
	 * primitive that is guaranteed not to be dropped, it is the safer
	 * choice here — confirm what is available in the SPL.
	 */
	if (keydata != NULL) {
		size_t keylen = CRYPTO_BITS2BYTES(wkey->wk_key.ck_length);

		bzero(keydata, keylen);
		kmem_free(keydata, keylen);
	}

	zfs_refcount_destroy(&wkey->wk_refcnt);
	kmem_free(wkey, sizeof (dsl_wrapping_key_t));
}
108eb63303Tom Caputi
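/*
 * Allocate a new in-memory wrapping key from WRAPPING_KEY_LEN bytes of raw
 * key material together with the metadata stored alongside it.
 *
 * wkeydata  - raw key bytes; must point to at least WRAPPING_KEY_LEN bytes.
 *             No length is passed, so the caller is responsible for having
 *             validated it (dsl_crypto_params_create_nvlist() does so before
 *             calling here).
 * keyformat - ZFS_KEYFORMAT_* value describing how the key was supplied.
 * salt,
 * iters     - PBKDF2 parameters; they are recorded on the key, not
 *             interpreted here.
 * wkey_out  - on success receives the new key with a zero refcount; set to
 *             NULL on failure.
 *
 * Returns 0 on success or an errno value. The new key belongs to the caller
 * and is not yet in any keystore tree; it must be inserted there or released
 * with dsl_wrapping_key_free().
 */
static int
dsl_wrapping_key_create(uint8_t *wkeydata, zfs_keyformat_t keyformat,
    uint64_t salt, uint64_t iters, dsl_wrapping_key_t **wkey_out)
{
	int ret;
	dsl_wrapping_key_t *wkey;

	/*
	 * Allocate the wrapping key. KM_SLEEP allocations do not return NULL,
	 * so the checks below are defensive rather than expected to fire.
	 */
	wkey = kmem_alloc(sizeof (dsl_wrapping_key_t), KM_SLEEP);
	if (!wkey)
		return (SET_ERROR(ENOMEM));

	/*
	 * Initialize the refcount and scalar fields before anything else can
	 * fail: the error path hands the struct to dsl_wrapping_key_free(),
	 * which asserts on and destroys wk_refcnt, so it must exist by then.
	 * (kmem_alloc() does not zero the allocation.)
	 */
	zfs_refcount_create(&wkey->wk_refcnt);
	wkey->wk_keyformat = keyformat;
	wkey->wk_salt = salt;
	wkey->wk_iters = iters;

	/* allocate and initialize the underlying crypto key */
	wkey->wk_key.ck_data = kmem_alloc(WRAPPING_KEY_LEN, KM_SLEEP);
	if (!wkey->wk_key.ck_data) {
		/* ck_data is NULL here, so free() skips the zero/free of it */
		ret = SET_ERROR(ENOMEM);
		goto error;
	}

	wkey->wk_key.ck_format = CRYPTO_KEY_RAW;
	wkey->wk_key.ck_length = CRYPTO_BYTES2BITS(WRAPPING_KEY_LEN);
	bcopy(wkeydata, wkey->wk_key.ck_data, WRAPPING_KEY_LEN);

	*wkey_out = wkey;
	return (0);

error:
	dsl_wrapping_key_free(wkey);

	*wkey_out = NULL;
	return (ret);
}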
147eb63303Tom Caputi
148eb63303Tom Caputiint
149eb63303Tom Caputidsl_crypto_params_create_nvlist(dcp_cmd_t cmd, nvlist_t *props,
150eb63303Tom Caputi    nvlist_t *crypto_args, dsl_crypto_params_t **dcp_out)
151eb63303Tom Caputi{
152eb63303Tom Caputi	int ret;
153eb63303Tom Caputi	uint64_t crypt = ZIO_CRYPT_INHERIT;
154eb63303Tom Caputi	uint64_t keyformat = ZFS_KEYFORMAT_NONE;
155eb63303Tom Caputi	uint64_t salt = 0, iters = 0;
156eb63303Tom Caputi	dsl_crypto_params_t *dcp = NULL;
157eb63303Tom Caputi	dsl_wrapping_key_t *wkey = NULL;
158eb63303Tom Caputi	uint8_t *wkeydata = NULL;
159eb63303Tom Caputi	uint_t wkeydata_len = 0;
160eb63303Tom Caputi	char *keylocation = NULL;
161eb63303Tom Caputi
162eb63303Tom Caputi	dcp = kmem_zalloc(sizeof (dsl_crypto_params_t), KM_SLEEP);
163eb63303Tom Caputi	if (!dcp) {
164eb63303Tom Caputi		ret = SET_ERROR(ENOMEM);
165eb63303Tom Caputi		goto error;
166eb63303Tom Caputi	}
167eb63303Tom Caputi
168eb63303Tom Caputi	/* get relevant properties from the nvlist */
169eb63303Tom Caputi	dcp->cp_cmd = cmd;
170eb63303Tom Caputi
171eb63303Tom Caputi	/* get relevant arguments from the nvlists */
172eb63303Tom Caputi	if (props != NULL) {
173eb63303Tom Caputi		(void) nvlist_lookup_uint64(props,
174eb63303Tom Caputi		    zfs_prop_to_name(ZFS_PROP_ENCRYPTION), &crypt);
175eb63303Tom Caputi		(void) nvlist_lookup_uint64(props,
176eb63303Tom Caputi		    zfs_prop_to_name(ZFS_PROP_KEYFORMAT), &keyformat);
177eb63303Tom Caputi		(void) nvlist_lookup_string(props,
178eb63303Tom Caputi		    zfs_prop_to_name(ZFS_PROP_KEYLOCATION), &keylocation);
179eb63303Tom Caputi		(void) nvlist_lookup_uint64(props,
180eb63303Tom Caputi		    zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), &salt);
181eb63303Tom Caputi		(void) nvlist_lookup_uint64(props,
182eb63303Tom Caputi		    zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), &iters);
183eb63303Tom Caputi		dcp->cp_crypt = crypt;
184eb63303Tom Caputi	}
185eb63303Tom Caputi
186eb63303Tom Caputi	if (crypto_args != NULL) {
187eb63303Tom Caputi		(void) nvlist_lookup_uint8_array(crypto_args, "wkeydata",
188eb63303Tom Caputi		    &wkeydata, &wkeydata_len);
189eb63303Tom Caputi	}
190eb63303Tom Caputi
191eb63303Tom Caputi	/* check for valid command */
192eb63303Tom Caputi	if (dcp->cp_cmd >= DCP_CMD_MAX) {
193eb63303Tom Caputi		ret = SET_ERROR(EINVAL);
194eb63303Tom Caputi		goto error;
195eb63303Tom Caputi	} else {
196eb63303Tom Caputi		dcp->cp_cmd = cmd;
197eb63303Tom Caputi	}
198eb63303Tom Caputi
199eb63303Tom Caputi	/* check for valid crypt */
200eb63303Tom Caputi	if (dcp->cp_crypt >= ZIO_CRYPT_FUNCTIONS) {
201eb63303Tom Caputi		ret = SET_ERROR(EINVAL);
202eb63303Tom Caputi		goto error;
203eb63303Tom Caputi	} else {
204eb63303Tom Caputi		dcp->cp_crypt = crypt;
205eb63303Tom Caputi	}
206eb63303Tom Caputi
207eb63303Tom Caputi	/* check for valid keyformat */
208eb63303Tom Caputi	if (keyformat >= ZFS_KEYFORMAT_FORMATS) {
209eb63303Tom Caputi		ret = SET_ERROR(EINVAL);
210eb63303Tom Caputi		goto error;
211eb63303Tom Caputi	}
212eb63303Tom Caputi
213eb63303Tom Caputi	/* check for a valid keylocation (of any kind) and copy it in */
214eb63303Tom Caputi	if (keylocation != NULL) {
215eb63303Tom Caputi		if (!zfs_prop_valid_keylocation(keylocation, B_FALSE)) {
216eb63303Tom Caputi			ret = SET_ERROR(EINVAL);
217eb63303Tom Caputi			goto error;
218eb63303Tom Caputi		}
219eb63303Tom Caputi
220eb63303Tom Caputi		dcp->cp_keylocation = spa_strdup(keylocation);
221eb63303Tom Caputi	}
222eb63303Tom Caputi
223eb63303Tom Caputi	/* check wrapping key length, if given */
224eb63303Tom Caputi	if (wkeydata != NULL && wkeydata_len != WRAPPING_KEY_LEN) {
225eb63303Tom Caputi		ret = SET_ERROR(EINVAL);
226eb63303Tom Caputi		goto error;
227eb63303Tom Caputi	}
228eb63303Tom Caputi
229eb63303Tom Caputi	/* if the user asked for the deault crypt, determine that now */
230eb63303Tom Caputi	if (dcp->cp_crypt == ZIO_CRYPT_ON)
231eb63303Tom Caputi		dcp->cp_crypt = ZIO_CRYPT_ON_VALUE;
232eb63303Tom Caputi
233eb63303Tom Caputi	/* create the wrapping key from the raw data */
234eb63303Tom Caputi	if (wkeydata != NULL) {
235eb63303Tom Caputi		/* create the wrapping key with the verified parameters */
236eb63303Tom Caputi		ret = dsl_wrapping_key_create(wkeydata, keyformat, salt,
237eb63303Tom Caputi		    iters, &wkey);
238eb63303Tom Caputi		if (ret != 0)
239eb63303Tom Caputi			goto error;
240eb63303Tom Caputi
241eb63303Tom Caputi		dcp->cp_wkey = wkey;
242eb63303Tom Caputi	}
243eb63303Tom Caputi
244eb63303Tom Caputi	/*
245eb63303Tom Caputi	 * Remove the encryption properties from the nvlist since they are not
246eb63303Tom Caputi	 * maintained through the DSL.
247eb63303Tom Caputi	 */
248eb63303Tom Caputi	(void) nvlist_remove_all(props, zfs_prop_to_name(ZFS_PROP_ENCRYPTION));
249eb63303Tom Caputi	(void) nvlist_remove_all(props, zfs_prop_to_name(ZFS_PROP_KEYFORMAT));
250eb63303Tom Caputi	(void) nvlist_remove_all(props, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT));
251eb63303Tom Caputi	(void) nvlist_remove_all(props,
252eb63303Tom Caputi	    zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS));
253eb63303Tom Caputi
254eb63303Tom Caputi	*dcp_out = dcp;
255eb63303Tom Caputi
256eb63303Tom Caputi	return (0);
257eb63303Tom Caputi
258eb63303Tom Caputierror:
259eb63303Tom Caputi	if (wkey != NULL)
260eb63303Tom Caputi		dsl_wrapping_key_free(wkey);
261