Merge pull request openzfs#35 from FransUrbo/fixes.crypto_module_param

Add module param to ignore MAC checksum errors
FransUrbo · Dec 3, 2013 · dd4670f · dd4670f
2 parents ec17338 + c7a6090
commit dd4670f
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 6 deletions.
diff --git a/README.crypto b/README.crypto
@@ -31,7 +31,7 @@ Required work before Alpha:
 
 * Implement (at least) default cipher, instead of current XOR$20
 
-* Implement MAC checksum, currently checksum errors are ignored.
+* Implement MAC checksum. PLEASE READ README.crypto_checksum !!
 
 * Prompt for key (getpassphrase) needs implementing. It is possible
   that getpass() will suffice on Linux, as it does not limit input to

diff --git a/README.crypto_checksum b/README.crypto_checksum
@@ -0,0 +1,52 @@
+As of commit 2a609fc0527911e516e87e286b2f4ea089bb93c3 (Tue Aug 27,
+03:21:00 2013) zfs-crypto now does a checksum verifications.
+
+This unfortunatly makes any crypted filesystem created before this
+unmountable.
+
+Trying to mount an encrypted filesystem that was created before this
+on a new version module, would give:
+
+	filesystem '<filesystem>' can not be mounted due to error 52
+	cannot mount '<filesystem>': Invalid argument
+
+This verification can be disabled so that mounting an encrypted
+filesystem created when zfs-crypto did not use MAC checksums by adding
+the optional module parameter 'zfs_crypto_ignore_checksum_errors' (set
+to '1' to ignore checksum errors) like so:
+
+	modprobe zfs zfs_crypto_ignore_checksum_errors=1
+
+Then mount the filesystem, copy it to an unencrypted filesystem,
+unmount and destroy the current filesystem. Then reboot (or unload the
+module) then load the module normaly and create a new crypted
+filesystem and copy your data back.
+
+
+It might also be possible (untested!) to simply set the parameter
+'live' by echoing a 1 into the file
+
+	/sys/module/zfs/parameters/zfs_crypto_ignore_checksum_errors
+
+like this:
+
+	echo 1 > /sys/module/zfs/parameters/zfs_crypto_ignore_checksum_errors
+
+and then mount the filesystem again, copying the data to a newly
+created filesystem.
+
+Doing this _AFTER_ creating a new, crypted filesystem would then
+ensure that the sensetive data never touches an unencrypted
+filesystem:
+
+	# echo 0 > /sys/module/zfs/parameters/zfs_crypto_ignore_checksum_errors
+	# zfs create <options> <new_filesystem>
+	# echo 1 > /sys/module/zfs/parameters/zfs_crypto_ignore_checksum_errors
+	# zfs mount <old_filesystem>
+	[copy data from old filesystem to the new filesystem]
+	# zfs umount <old_filesystem>
+	# zfs destroy <old_filesystem>
+	# echo 0 > /sys/module/zfs/parameters/zfs_crypto_ignore_checksum_errors
+
+NOTE: This naturally would need to be done for each one of your
+      crypted filesystem!
diff --git a/module/zfs/zio_checksum.c b/module/zfs/zio_checksum.c
@@ -30,6 +30,8 @@
 #include <sys/zil.h>
 #include <zfs_fletcher.h>
 
+unsigned int zfs_crypto_ignore_checksum_errors = 0; /* Disable crypto checksum checks */
+
 /*
  * Checksum vectors.
  *
@@ -271,25 +273,34 @@ zio_checksum_error(zio_t *zio, zio_bad_cksum_t *info)
 	 * The rest of words 2 and all of word 3 are the crypto MAC so
 	 * ignore those because we can't check them until we do the decryption
 	 * later, nor could we do them if the key wasn't present
+	 *
+	 * If module param 'zfs_crypto_ignore_checksum_errors' is set, ignore
+	 * any checksum errors.
 	 */
 	if (ci->ci_trunc) {
-	  if (!(0 == (
+	  if (!zfs_crypto_ignore_checksum_errors && !(0 == (
 		      (actual_cksum.zc_word[0] - expected_cksum.zc_word[0]) |
 		      (actual_cksum.zc_word[1] - expected_cksum.zc_word[1]) |
 		      (BF64_GET(actual_cksum.zc_word[2], 0, 32) -
 		       BF64_GET(expected_cksum.zc_word[2], 0, 32))))) {
-            return (ECKSUM);
+	    return (ECKSUM);
 	  }
-	} else if (!ZIO_CHECKSUM_EQUAL(actual_cksum, expected_cksum)) {
-	  return (ECKSUM);
+	} else if (!zfs_crypto_ignore_checksum_errors &&
+		   !ZIO_CHECKSUM_EQUAL(actual_cksum, expected_cksum)) {
+	    return (ECKSUM);
 	}
 
 	if (zio_injection_enabled && !zio->io_error &&
 	    (error = zio_handle_fault_injection(zio, ECKSUM)) != 0) {
-
 		info->zbc_injected = 1;
 		return (error);
 	}
 
 	return (0);
 }
+
+#if defined(_KERNEL) && defined(HAVE_SPL)
+module_param(zfs_crypto_ignore_checksum_errors, int, 0644);
+MODULE_PARM_DESC(zfs_crypto_ignore_checksum_errors,
+    "Disable crypto checksum checks");
+#endif