ZFS encryption work in progress. Currently includes Illumos Crypto Po…

…rt, Keystore, and Basic File Encryption implementation. Requires-spl: refs/pull/533/head
openzfs · Mar 7, 2016 · 55ef824 · 55ef824
1 parent 513168a
commit 55ef824
Show file tree

Hide file tree

Showing 111 changed files with 34,572 additions and 149 deletions.
diff --git a/.gitignore b/.gitignore
@@ -26,6 +26,14 @@ modules.order
 Makefile
 Makefile.in
 
+#
+# Eclipse rules - REMOVE BEFORE SUBMITTING
+#
+.settings/
+.cproject
+.project
+.autotools
+
 #
 # Top level generated files specific to this top level dir
 #

diff --git a/cmd/zdb/zdb.c b/cmd/zdb/zdb.c
@@ -59,6 +59,7 @@
 #include <sys/arc.h>
 #include <sys/ddt.h>
 #include <sys/zfeature.h>
+#include <sys/dsl_keychain.h>
 #include <zfs_comutil.h>
 #undef ZFS_MAXNAMELEN
 #include <libzfs.h>
@@ -1353,6 +1354,8 @@ dump_dsl_dir(objset_t *os, uint64_t object, void *data, size_t size)
 	    (u_longlong_t)dd->dd_props_zapobj);
 	(void) printf("\t\tdeleg_zapobj = %llu\n",
 	    (u_longlong_t)dd->dd_deleg_zapobj);
+	(void) printf("\t\tkeychain_obj = %llu\n",
+	    (u_longlong_t)dd->dd_keychain_obj);
 	(void) printf("\t\tflags = %llx\n",
 	    (u_longlong_t)dd->dd_flags);
 
@@ -1814,6 +1817,36 @@ dump_dmu_objset(objset_t *os, uint64_t object, void *data, size_t size)
 {
 }
 
+/*ARGSUSED*/
+static void
+dump_keychain_zap(objset_t *os, uint64_t object, void *data, size_t size)
+{
+	zap_cursor_t zc;
+	zap_attribute_t attr;
+	dsl_crypto_key_phys_t dckp;
+	uint64_t *txgid;
+	size_t keylen;
+
+	dump_zap_stats(os, object);
+	(void) printf("\tKeychain entries by txg:\n");
+
+	for (zap_cursor_init(&zc, os, object);
+		zap_cursor_retrieve(&zc, &attr) == 0; zap_cursor_advance(&zc)) {
+
+		txgid = ((uint64_t *)attr.za_name);
+
+		VERIFY0(zap_lookup_uint64(os, object, txgid, 1, 1,
+			sizeof (dsl_crypto_key_phys_t), &dckp));
+
+		keylen = BYTES_TO_BITS(
+			zio_crypt_table[dckp.dk_crypt_alg].ci_keylen);
+
+		(void) printf("\t\ttxg %llu : wkeylen = %u\n",
+			(u_longlong_t)*txgid, (uint_t)keylen);
+	}
+	zap_cursor_fini(&zc);
+}
+
 static object_viewer_t *object_viewer[DMU_OT_NUMTYPES + 1] = {
 	dump_none,		/* unallocated			*/
 	dump_zap,		/* object directory		*/
@@ -1869,6 +1902,7 @@ static object_viewer_t *object_viewer[DMU_OT_NUMTYPES + 1] = {
 	dump_none,		/* deadlist hdr			*/
 	dump_zap,		/* dsl clones			*/
 	dump_bpobj_subobjs,	/* bpobj subobjs		*/
+	dump_keychain_zap,	/* DSL keychain		*/
 	dump_unknown,		/* Unknown type, must be last	*/
 };
 

diff --git a/cmd/zfs/zfs_main.c b/cmd/zfs/zfs_main.c
@@ -103,6 +103,7 @@ static int zfs_do_holds(int argc, char **argv);
 static int zfs_do_release(int argc, char **argv);
 static int zfs_do_diff(int argc, char **argv);
 static int zfs_do_bookmark(int argc, char **argv);
+static int zfs_do_crypto(int argc, char **argv);
 
 /*
  * Enable a reasonable set of defaults for libumem debugging on DEBUG builds.
@@ -150,6 +151,7 @@ typedef enum {
 	HELP_RELEASE,
 	HELP_DIFF,
 	HELP_BOOKMARK,
+	HELP_CRYPTO,
 } zfs_help_t;
 
 typedef struct zfs_command {
@@ -203,6 +205,7 @@ static zfs_command_t command_table[] = {
 	{ "holds",	zfs_do_holds,		HELP_HOLDS		},
 	{ "release",	zfs_do_release,		HELP_RELEASE		},
 	{ "diff",	zfs_do_diff,		HELP_DIFF		},
+	{ "key",	zfs_do_crypto,		HELP_CRYPTO		},
 };
 
 #define	NCOMMAND	(sizeof (command_table) / sizeof (command_table[0]))
@@ -319,6 +322,9 @@ get_usage(zfs_help_t idx)
 		    "[snapshot|filesystem]\n"));
 	case HELP_BOOKMARK:
 		return (gettext("\tbookmark <snapshot> <bookmark>\n"));
+	case HELP_CRYPTO:
+		return (gettext("\tkey -l <filesystem|volume>\n"
+			"\tkey -u <filesystem|volume>\n"));
 	}
 
 	abort();
@@ -640,7 +646,7 @@ static int
 zfs_do_clone(int argc, char **argv)
 {
 	zfs_handle_t *zhp = NULL;
-	boolean_t parents = B_FALSE;
+	boolean_t parents = B_FALSE, add_key = B_FALSE;
 	nvlist_t *props;
 	int ret = 0;
 	int c;
@@ -649,7 +655,7 @@ zfs_do_clone(int argc, char **argv)
 		nomem();
 
 	/* check options */
-	while ((c = getopt(argc, argv, "o:p")) != -1) {
+	while ((c = getopt(argc, argv, "o:pK")) != -1) {
 		switch (c) {
 		case 'o':
 			if (parseprop(props, optarg) != 0)
@@ -658,6 +664,9 @@ zfs_do_clone(int argc, char **argv)
 		case 'p':
 			parents = B_TRUE;
 			break;
+		case 'K':
+			add_key = B_TRUE;
+			break;
 		case '?':
 			(void) fprintf(stderr, gettext("invalid option '%c'\n"),
 			    optopt);
@@ -703,7 +712,7 @@ zfs_do_clone(int argc, char **argv)
 	}
 
 	/* pass to libzfs */
-	ret = zfs_clone(zhp, argv[1], props);
+	ret = zfs_clone(zhp, argv[1], props, add_key);
 
 	/* create the mountpoint if necessary */
 	if (ret == 0) {
@@ -6699,6 +6708,117 @@ zfs_do_bookmark(int argc, char **argv)
 	return (-1);
 }
 
+static int
+zfs_do_crypto(int argc, char **argv)
+{
+	int c, ret = -1;
+	boolean_t load = B_FALSE, unload = B_FALSE;
+	boolean_t add_key = B_FALSE, rewrap = B_FALSE;
+	nvlist_t *props = NULL;
+	zfs_handle_t *zhp = NULL;
+
+	if (nvlist_alloc(&props, NV_UNIQUE_NAME, 0) != 0)
+		nomem();
+
+	while ((c = getopt(argc, argv, "ulKco:")) != -1) {
+		switch (c) {
+		case 'u':
+			if (ret == 0) {
+				(void) fprintf(stderr, gettext(
+					"multiple actions specified\n"));
+				goto usage;
+			}
+			unload = B_TRUE;
+			ret = 0;
+			break;
+		case 'l':
+			if (ret == 0) {
+				(void) fprintf(stderr, gettext(
+					"multiple actions specified\n"));
+				goto usage;
+			}
+			load = B_TRUE;
+			ret = 0;
+			break;
+		case 'K':
+			if (ret == 0) {
+				(void) fprintf(stderr, gettext(
+					"multiple actions specified\n"));
+				goto usage;
+			}
+			add_key = B_TRUE;
+			ret = 0;
+			break;
+		case 'c':
+			if (ret == 0) {
+				(void) fprintf(stderr, gettext(
+					"multiple actions specified\n"));
+				goto usage;
+			}
+			rewrap = B_TRUE;
+			ret = 0;
+			break;
+		case 'o':
+			if (parseprop(props, optarg) != 0)
+				return (1);
+			break;
+		default:
+			(void) fprintf(stderr,
+			    gettext("invalid option '%c'\n"), optopt);
+			goto usage;
+		}
+	}
+
+	if (ret) {
+		(void) fprintf(stderr,
+			gettext("No action specified\n"));
+		goto usage;
+	}
+
+	if (!rewrap && !nvlist_empty(props)) {
+		(void) fprintf(stderr,
+			gettext("Properties not accepted "
+				"for specified command\n"));
+		goto usage;
+	}
+
+	if (argc < 3) {
+		(void) fprintf(stderr, gettext("Too few arguments\n"));
+		goto usage;
+	}
+
+	zhp = zfs_open(g_zfs, argv[argc - 1],
+		ZFS_TYPE_FILESYSTEM|ZFS_TYPE_VOLUME);
+	if (zhp == NULL)
+		goto usage;
+
+	if (load)
+		ret = zfs_crypto_load_key(zhp);
+	else if (unload)
+		ret = zfs_crypto_unload_key(zhp);
+	else if (add_key)
+		ret = zfs_crypto_add_key(zhp);
+	else
+		ret = zfs_crypto_rewrap(zhp, props);
+
+	if (ret)
+		goto error;
+
+	nvlist_free(props);
+	zfs_close(zhp);
+	return (0);
+
+usage:
+	usage(B_FALSE);
+
+error:
+	if (props)
+		nvlist_free(props);
+	if (zhp)
+		zfs_close(zhp);
+	return (-1);
+}
+
 int
 main(int argc, char **argv)
 {