ZFS encryption work in progress. Currently includes Illumos Crypto Po…

…rt and Keystore implementation.

.gitignore

@@ -26,6 +26,14 @@ modules.order
 Makefile
 Makefile.in
 
+#
+# Eclipse rules - REMOVE BEFORE SUBMITTING
+#
+.settings/
+.cproject
+.project
+.autotools
+
 #
 # Top level generated files specific to this top level dir
 #

cmd/zdb/zdb.c

@@ -59,6 +59,7 @@
 #include <sys/arc.h>
 #include <sys/ddt.h>
 #include <sys/zfeature.h>
+#include <sys/dsl_keychain.h>
 #include <zfs_comutil.h>
 #undef ZFS_MAXNAMELEN
 #include <libzfs.h>
@@ -1353,6 +1354,8 @@ dump_dsl_dir(objset_t *os, uint64_t object, void *data, size_t size)
 	    (u_longlong_t)dd->dd_props_zapobj);
 	(void) printf("\t\tdeleg_zapobj = %llu\n",
 	    (u_longlong_t)dd->dd_deleg_zapobj);
+	(void) printf("\t\tkeychain_obj = %llu\n",
+	    (u_longlong_t)dd->dd_keychain_obj);
 	(void) printf("\t\tflags = %llx\n",
 	    (u_longlong_t)dd->dd_flags);
 
@@ -1814,6 +1817,35 @@ dump_dmu_objset(objset_t *os, uint64_t object, void *data, size_t size)
 {
 }
 
+/*ARGSUSED*/
+static void
+dump_keychain_zap(objset_t *os, uint64_t object, void *data, size_t size)
+{
+	zap_cursor_t zc;
+	zap_attribute_t attr;
+	dsl_crypto_key_phys_t dckp;
+	uint64_t txgid;
+	size_t keylen;
+
+	dump_zap_stats(os, object);
+	(void) printf("\tKeychain entries by txg:\n");
+
+	for (zap_cursor_init(&zc, os, object);
+		zap_cursor_retrieve(&zc, &attr) == 0; zap_cursor_advance(&zc)) {
+
+		txgid = ((uint64_t)*attr.za_name);
+		VERIFY0(zap_lookup_uint64(os, object, &txgid, 1, 1,
+			sizeof (dsl_crypto_key_phys_t), &dckp));
+
+		keylen = BYTES_TO_BITS(
+			zio_crypt_table[dckp.dk_crypt_alg].ci_keylen);
+
+		(void) printf("\t\ttxg %llu : wkeylen = %u\n",
+			(u_longlong_t)txgid, (uint_t)keylen);
+	}
+	zap_cursor_fini(&zc);
+}
+
 static object_viewer_t *object_viewer[DMU_OT_NUMTYPES + 1] = {
 	dump_none,		/* unallocated			*/
 	dump_zap,		/* object directory		*/
@@ -1869,6 +1901,7 @@ static object_viewer_t *object_viewer[DMU_OT_NUMTYPES + 1] = {
 	dump_none,		/* deadlist hdr			*/
 	dump_zap,		/* dsl clones			*/
 	dump_bpobj_subobjs,	/* bpobj subobjs		*/
+	dump_keychain_zap,	/* DSL keychain		*/
 	dump_unknown,		/* Unknown type, must be last	*/
 };
 

cmd/zfs/zfs_main.c

@@ -103,6 +103,7 @@ static int zfs_do_holds(int argc, char **argv);
 static int zfs_do_release(int argc, char **argv);
 static int zfs_do_diff(int argc, char **argv);
 static int zfs_do_bookmark(int argc, char **argv);
+static int zfs_do_crypto(int argc, char **argv);
 
 /*
  * Enable a reasonable set of defaults for libumem debugging on DEBUG builds.
@@ -150,6 +151,7 @@ typedef enum {
 	HELP_RELEASE,
 	HELP_DIFF,
 	HELP_BOOKMARK,
+	HELP_CRYPTO,
 } zfs_help_t;
 
 typedef struct zfs_command {
@@ -203,6 +205,7 @@ static zfs_command_t command_table[] = {
 	{ "holds",	zfs_do_holds,		HELP_HOLDS		},
 	{ "release",	zfs_do_release,		HELP_RELEASE		},
 	{ "diff",	zfs_do_diff,		HELP_DIFF		},
+	{ "key",	zfs_do_crypto,		HELP_CRYPTO		},
 };
 
 #define	NCOMMAND	(sizeof (command_table) / sizeof (command_table[0]))
@@ -319,6 +322,9 @@ get_usage(zfs_help_t idx)
 		    "[snapshot|filesystem]\n"));
 	case HELP_BOOKMARK:
 		return (gettext("\tbookmark <snapshot> <bookmark>\n"));
+	case HELP_CRYPTO:
+		return (gettext("\tkey -l <filesystem|volume>\n"
+			"\tkey -u <filesystem|volume>\n"));
 	}
 
 	abort();
@@ -640,7 +646,7 @@ static int
 zfs_do_clone(int argc, char **argv)
 {
 	zfs_handle_t *zhp = NULL;
-	boolean_t parents = B_FALSE;
+	boolean_t parents = B_FALSE, add_key = B_FALSE;
 	nvlist_t *props;
 	int ret = 0;
 	int c;
@@ -649,7 +655,7 @@ zfs_do_clone(int argc, char **argv)
 		nomem();
 
 	/* check options */
-	while ((c = getopt(argc, argv, "o:p")) != -1) {
+	while ((c = getopt(argc, argv, "o:pK")) != -1) {
 		switch (c) {
 		case 'o':
 			if (parseprop(props, optarg) != 0)
@@ -658,6 +664,9 @@ zfs_do_clone(int argc, char **argv)
 		case 'p':
 			parents = B_TRUE;
 			break;
+		case 'K':
+			add_key = B_TRUE;
+			break;
 		case '?':
 			(void) fprintf(stderr, gettext("invalid option '%c'\n"),
 			    optopt);
@@ -703,7 +712,7 @@ zfs_do_clone(int argc, char **argv)
 	}
 
 	/* pass to libzfs */
-	ret = zfs_clone(zhp, argv[1], props);
+	ret = zfs_clone(zhp, argv[1], props, add_key);
 
 	/* create the mountpoint if necessary */
 	if (ret == 0) {
@@ -6699,6 +6708,117 @@ zfs_do_bookmark(int argc, char **argv)
 	return (-1);
 }
 
+static int
+zfs_do_crypto(int argc, char **argv)
+{
+	int c, ret = -1;
+	boolean_t load = B_FALSE, unload = B_FALSE;
+	boolean_t add_key = B_FALSE, rewrap = B_FALSE;
+	nvlist_t *props = NULL;
+	zfs_handle_t *zhp = NULL;
+
+	if (nvlist_alloc(&props, NV_UNIQUE_NAME, 0) != 0)
+		nomem();
+
+	while ((c = getopt(argc, argv, "ulKco:")) != -1) {
+		switch (c) {
+		case 'u':
+			if (ret == 0) {
+				(void) fprintf(stderr, gettext(
+					"multiple actions specified\n"));
+				goto usage;
+			}
+			unload = B_TRUE;
+			ret = 0;
+			break;
+		case 'l':
+			if (ret == 0) {
+				(void) fprintf(stderr, gettext(
+					"multiple actions specified\n"));
+				goto usage;
+			}
+			load = B_TRUE;
+			ret = 0;
+			break;
+		case 'K':
+			if (ret == 0) {
+				(void) fprintf(stderr, gettext(
+					"multiple actions specified\n"));
+				goto usage;
+			}
+			add_key = B_TRUE;
+			ret = 0;
+			break;
+		case 'c':
+			if (ret == 0) {
+				(void) fprintf(stderr, gettext(
+					"multiple actions specified\n"));
+				goto usage;
+			}
+			rewrap = B_TRUE;
+			ret = 0;
+			break;
+		case 'o':
+			if (parseprop(props, optarg) != 0)
+				return (1);
+			break;
+		default:
+			(void) fprintf(stderr,
+			    gettext("invalid option '%c'\n"), optopt);
+			goto usage;
+		}
+	}
+
+	if (ret) {
+		(void) fprintf(stderr,
+			gettext("No action specified\n"));
+		goto usage;
+	}
+
+	if (!rewrap && !nvlist_empty(props)) {
+		(void) fprintf(stderr,
+			gettext("Properties not accepted "
+				"for specified command\n"));
+		goto usage;
+	}
+
+	if (argc < 3) {
+		(void) fprintf(stderr, gettext("Too few arguments\n"));
+		goto usage;
+	}
+
+	zhp = zfs_open(g_zfs, argv[argc - 1],
+		ZFS_TYPE_FILESYSTEM|ZFS_TYPE_VOLUME);
+	if (zhp == NULL)
+		goto usage;
+
+	if (load)
+		ret = zfs_crypto_load_key(zhp);
+	else if (unload)
+		ret = zfs_crypto_unload_key(zhp);
+	else if (add_key)
+		ret = zfs_crypto_add_key(zhp);
+	else
+		ret = zfs_crypto_rewrap(zhp, props);
+
+	if (ret)
+		goto error;
+
+	nvlist_free(props);
+	zfs_close(zhp);
+	return (0);
+
+usage:
+	usage(B_FALSE);
+
+error:
+	if (props)
+		nvlist_free(props);
+	if (zhp)
+		zfs_close(zhp);
+	return (-1);
+}
+
 int
 main(int argc, char **argv)
 {

cmd/ztest/ztest.c

@@ -3261,7 +3261,7 @@ static int
 ztest_dataset_create(char *dsname)
 {
 	uint64_t zilset = ztest_random(100);
-	int err = dmu_objset_create(dsname, DMU_OST_OTHER, 0,
+	int err = dmu_objset_create(dsname, DMU_OST_OTHER, 0, NULL,
 	    ztest_objset_create_cb, NULL);
 
 	if (err || zilset < 80)
@@ -3423,7 +3423,7 @@ ztest_dmu_objset_create_destroy(ztest_ds_t *zd, uint64_t id)
 	 * Verify that we cannot create an existing dataset.
 	 */
 	VERIFY3U(EEXIST, ==,
-	    dmu_objset_create(name, DMU_OST_OTHER, 0, NULL, NULL));
+	    dmu_objset_create(name, DMU_OST_OTHER, 0, NULL, NULL, NULL));
 
 	/*
 	 * Verify that we can hold an objset that is also owned.
@@ -3557,7 +3557,7 @@ ztest_dsl_dataset_promote_busy(ztest_ds_t *zd, uint64_t id)
 		fatal(0, "dmu_take_snapshot(%s) = %d", snap1name, error);
 	}
 
-	error = dmu_objset_clone(clone1name, snap1name);
+	error = dmu_objset_clone(clone1name, snap1name, NULL);
 	if (error) {
 		if (error == ENOSPC) {
 			ztest_record_enospc(FTAG);
@@ -3584,7 +3584,7 @@ ztest_dsl_dataset_promote_busy(ztest_ds_t *zd, uint64_t id)
 		fatal(0, "dmu_open_snapshot(%s) = %d", snap3name, error);
 	}
 
-	error = dmu_objset_clone(clone2name, snap3name);
+	error = dmu_objset_clone(clone2name, snap3name, NULL);
 	if (error) {
 		if (error == ENOSPC) {
 			ztest_record_enospc(FTAG);
@@ -4883,7 +4883,7 @@ ztest_dmu_snapshot_hold(ztest_ds_t *zd, uint64_t id)
 		fatal(0, "dmu_objset_snapshot(%s) = %d", fullname, error);
 	}
 
-	error = dmu_objset_clone(clonename, fullname);
+	error = dmu_objset_clone(clonename, fullname, NULL);
 	if (error) {
 		if (error == ENOSPC) {
 			ztest_record_enospc("dmu_objset_clone");

configure.ac

@@ -123,12 +123,19 @@ AC_CONFIG_FILES([
 	module/zcommon/Makefile
 	module/zfs/Makefile
 	module/zpios/Makefile
+	module/icp/Makefile
 	include/Makefile
+	include/arch/Makefile
+	include/arch/intel/Makefile
+	include/arch/intel/ia32/Makefile
+	include/arch/intel/ia32/sys/Makefile
+	include/arch/intel/sys/Makefile
 	include/linux/Makefile
 	include/sys/Makefile
 	include/sys/fs/Makefile
 	include/sys/fm/Makefile
 	include/sys/fm/fs/Makefile
+	include/sys/crypto/Makefile
 	scripts/Makefile
 	scripts/zpios-profile/Makefile
 	scripts/zpios-test/Makefile

include/Makefile.am

@@ -1,4 +1,4 @@
-SUBDIRS = linux sys
+SUBDIRS = linux sys arch
 
 COMMON_H = \
 	$(top_srcdir)/include/zfeature_common.h \

include/arch/Makefile.am

@@ -0,0 +1,19 @@
+SUBDIRS = intel
+
+COMMON_H = 
+
+KERNEL_H =
+
+USER_H =
+
+EXTRA_DIST = $(COMMON_H) $(KERNEL_H) $(USER_H)
+
+if CONFIG_USER
+libzfsdir = $(includedir)/libzfs/arch
+libzfs_HEADERS = $(COMMON_H) $(USER_H)
+endif
+
+if CONFIG_KERNEL
+kerneldir = @prefix@/src/zfs-$(VERSION)/include/arch
+kernel_HEADERS = $(COMMON_H) $(KERNEL_H)
+endif

include/arch/intel/Makefile.am

@@ -0,0 +1,19 @@
+SUBDIRS = ia32 sys
+
+COMMON_H = 
+
+KERNEL_H =
+
+USER_H =
+
+EXTRA_DIST = $(COMMON_H) $(KERNEL_H) $(USER_H)
+
+if CONFIG_USER
+libzfsdir = $(includedir)/libzfs/arch
+libzfs_HEADERS = $(COMMON_H) $(USER_H)
+endif
+
+if CONFIG_KERNEL
+kerneldir = @prefix@/src/zfs-$(VERSION)/include/arch
+kernel_HEADERS = $(COMMON_H) $(KERNEL_H)
+endif

include/arch/intel/ia32/Makefile.am

@@ -0,0 +1,19 @@
+SUBDIRS = sys
+
+COMMON_H = 
+
+KERNEL_H =
+
+USER_H =
+
+EXTRA_DIST = $(COMMON_H) $(KERNEL_H) $(USER_H)
+
+if CONFIG_USER
+libzfsdir = $(includedir)/libzfs/arch
+libzfs_HEADERS = $(COMMON_H) $(USER_H)
+endif
+
+if CONFIG_KERNEL
+kerneldir = @prefix@/src/zfs-$(VERSION)/include/arch
+kernel_HEADERS = $(COMMON_H) $(KERNEL_H)
+endif