Join GitHub today
GitHub is home to over 20 million developers working together to host and review code, manage projects, and build software together.
ZFS Crypto support #494
Comments
|
I'd like to hold off on this for the moment, we have enough other work on our plate and this is a huge change! If Illumos puts together an implementation we'll happily look at integrating it. We would could even use the source from ZFS Pool Version 30 if Oracle decides to release the source 6-12 months from now (unlikely but possible). |
|
If you don't mind LUKS, I might have some time to look at this in a week or two. |
|
I'm OK with making it easier to layer zfs on top of LUKS, that would be nice. It's just not what most people think of when they say zfs encryption support. |
|
I was rather thinking of 'cloning'/'copying' the way LUKS works. Or rather, use the LUKS API inside ZFS. LUKS is used by 'cryptsetup' (configures encrypted block devices) and 'dmsetup' (The Linux Kernel Device Mapper userspace library). So it seems LUKS is an API for device encryption. Using ZFS 'on top of' something like that would probably be easier, but not, as you say, not the intention... |
|
It would be interesting to investigate if what your suggesting is possible. It would result in a second version of zfs encryption which isn't compatible with the pool v30 version but that might not be a big deal. We should be integrating the new feature flag support early next year so it could end up as a Linux-only feature. |
|
I don't think we'll ever going to be compatible with v30... Not any of us, not unless Oracle all of a sudden 'sees the light', and I'm not holding my breath on that! :) Best would be if we could come up with a solution, that would be portable to other OS'es. Don't know how much Linux the 'Linux Unified Key Setup' is, but it's worth a look. I'll start that once I have a workable sharesmb patch. |
baryluk
commented
Dec 15, 2011
|
How about at least reverse engineering v30 format? |
|
Be my guest! Reverse engineering something, especially a crypt algorithm isn't any where near as simple as it sounds! |
baryluk
commented
Dec 16, 2011
|
We know it is using SHA-256, and AES-128 with Incremental mode probably, so actually there is nothing complicated, only some on-disk meta-data needs to be reverse enginered, like which bit is what, and where is salt, and where is stored information that it is AES-128 and not 192 or 256. It should be easy. Unfortunately I do not have access to Solaris right now to test it. |
|
That DO sound easy :). Unfortunatly, we probably have to... I've spent the day looking into LUKS, but it does not seem to fit the purpose :(. It is intended for being placed between the device and the FS. Which means it needs one device (either one physical disk or multiple disks presented as one through raid/md) where it can store data linearly... Kind of. But since ZFS is both a FS and a ... 'device mapper' (?) which have multiple devices, I doubt it will be possible to have LUKS split the data and it's key storage partitions split over multiple physical disk. I haven't looked at the code yet, just the specs but that's what it looks like so far. |
patrykk
commented
Dec 25, 2011
|
Hi, |
akorn
commented
Dec 26, 2011
|
Of course, you shouldn't look at the leaked source if you work on ZFS lest Oracle accuse you of copyright infringement. |
patrykk
commented
Dec 27, 2011
|
Yes, You are right. |
baryluk
commented
Dec 27, 2011
|
LUKS is not an option. ZFS performs encryption on per-dataset/volume/file basis, LUKS works on device level. We already have crypto primitives available in kernel, we already have on-disk format designed, we just need to reverse enginer it (it should be slightly easier than designing it - which in case of crypto-stuff is hard to do properly/securely). Probably ZIL will be the hardest part. Of course looking at leaked source-code is not an option at all. Even for second I wasn't thinking about it. |
|
An interim solution is ecryptfs, which can be installed on top of ZFS. Most RPM and DEB systems have built-in management for ecryptfs, which makes it easy to configure. For maximum performance, dedup and compression should be disabled on any ZFS dataset that hosts a crypto layer. |
|
This ( http://src.opensolaris.org/source/xref/zfs-crypto ) looks very nice, CDDL and lots of zfs crypto stuff. Maybe we should try to cooperate with Illumous for a common port to linux. In any case processors with AES-NI should be supported to gain optimal performance. |
|
I would like to point out that the code linked above has ZPL_VERSION = 3 and SPA_VERSION=15. That's quite old!! |
|
We should certainly work with the other ZFS implementations when any crypto work is being considered. Also it's my understanding that the link your referencing is to some of the early crypto work and it has been significantly reworked before being include in v30. That said, it's still probably a reasonable place to get familiar with the basic design decisions. |
|
Here is Sun's design document for ZFS encryption support: http://hub.opensolaris.org/bin/download/Project+zfs-crypto/files/zfs-crypto-design.pdf We can check out the early code by doing |
mcr-ksh
commented
Sep 26, 2012
|
I would love to see that as well. crypto is an amazing feature. |
FlorianFranzen
commented
Feb 13, 2013
|
The last post was 5 month ago. Did you guys decide on anything? What is the current state? |
gua1
commented
Feb 20, 2013
|
@FloFra |
grahamperrin
commented
Feb 20, 2013
|
In the ZFS on Linux area https://groups.google.com/a/zfsonlinux.org/forum/?fromgroups#!searchin/zfs-discuss/crypto https://groups.google.com/a/zfsonlinux.org/forum/?fromgroups#!searchin/zfs-devel/crypto leads to pool version 33, zfs-crypto (2011-12-22). In the illumos area Whilst https://www.illumos.org/projects/zfs-crypto is not recently updated, there's http://wiki.illumos.org/display/illumos/Project+Ideas (2012-07-18) Device drivers
File systems
I'll align myself with the latter. Elsewhere In irc://irc.freenode.net/#zfs on 2013-11-09, someone attention to code on GitHub. We acknowledged the need for someone to audit that code, so I didn't follow the link. |
|
@grahamperrin mentioned some encryption code on github. It was determined on the mailing list that it includes code from the Solaris 11 leak and is therefore encumbered. We will not be using it. |
sempervictus
commented
Apr 28, 2014
|
I believe the encryption code referred to is located at https://github.com/zfsrogue/zfs-crypto. I've been able to merge and build both the SPL changes (https://github.com/zfsrogue/spl-crypto) and the ZFS branch. |
|
@sempervictus I would be very, very careful using that code (IF you can get it to merge). There's a very, very (yes, yes! :) high risk that that code is the source of my loss of my pool (16TB almost full).... |
|
Also, Rougue isn't really maintaining the code any more (ZoL have gone through a lot of changes since he created the repository). |
|
Actually he is, updating the osx one when I ask etc. He's most likely waiting on 0.6.3 to tag and release. You can ask him to do a merge anytime if there is something you want sooner. |
|
@lundman All I've seen is that he have 'come in' once a month (or 'every now and then') accepting patches, sometimes without any review. There was a couple of pulls I wanted to discuss before merge (they required other ZoL pulls I did to be accepted first, which they weren't/haven't yet - and might not ever be). |
|
You are always running a risk pulling from master, in any repo. The master is the edge of development, he tags releases that are considered stable. It is appreciated that you are brave enough to help debug master of course. But even main ZOL made pool incompatibilities, so you run the risk there too :) He only pulls from ZOL, not really "patches willy nilly" You and I might be the only pull requests there are. Have you considered it is up to us to maintain it, he's just hosting it to ensure the "sights" are off us open source developers. |
|
Fair enough, and I'm not blaming him (or you) in any way for my current predicament - I'm well aware that I take a chance every time I use code that isn't fully testing. I'm just saying that anyone should be very, very careful using it, because I (might - ohhh, I really hope it's "might" and not "have" :) lost my pool and you haven't. I blame myself for not being careful enough. |
sempervictus
commented
Jun 3, 2014
|
Having done some basic digging around the issue, it looks like there are many people offering suggestions for how to get going on this, but everyone's punting to see who jumps off this cliff first. |
Dabbling with encryption is hard and difficult enough, but designing it!? Very few people is knowledgable enough to dare to do this. And if there is such a person, he/she would need extensive knowledge on ZFS as well... I seriously doubt that there is such a person, and if there is, this person is obviously way to busy at the moment with other things (like making sure the open source version of ZFS - any os/dist - is stable and functioning properly).
Asking doesn't cost anything, but time. I'm just to convinced on the answer to bother...
Oracle don't... :). They on the other hand have proved that their 'secret' company statement must be 'Do As Much Evil As Possible'... (no smily on that!) |
|
Large part of the Sun ZFS-Crypto work is in the somewhat advanced kernel key store. Where you can rekey your dataset at any time, and it handles that work for you. I would advocate not being Solaris compatible, you wont be able to import pool v30 without handling hybrid v29 first anyway. I had an informal chat with ZFS dev at last conference, and the idea of having a DMU layer encryption would be a good start. Something you could probably knock out in a couple of days, like at hackathon. Perhaps that could be suggested at the next Open ZFS Day. Although I wrote the Solaris kernel crypto API layer for Linux SPL, I don't think I have the skill to design a new DMU layer. The ABD work is a bit of a porting hassle, mainly as it is a linux only feature and really should be in SPL layer (if it can) as it diverges greatly. It is also strange they add new scatterlist, when ZFS's built in UIOs already are, and are supported in SPL. |
|
@lundman It's very likely some form of the ABD changes will be going back upstream to OpenZFS. The idea is to do this in as compatibile a way as possible so if you have concerns please post them in the pull request. |
|
Ah if they are, I will get on another merge here. It was actually nothing difficult (as I assumed), bar the unexpected |
|
Looks like rogue did another merge two days back, no surprises there, looks like it went normal. As for ADB specifically, I will wait for them to be in master before we tackle the merge. |
behlendorf
added
Difficulty - Hard
and removed
Illumos
labels
Oct 6, 2014
behlendorf
removed this from the 1.0.0 milestone
Oct 6, 2014
added a commit
to ryao/zfs
that referenced
this issue
Oct 9, 2014
added a commit
to ryao/zfs
that referenced
this issue
Oct 9, 2014
added a commit
to ryao/zfs
that referenced
this issue
Oct 9, 2014
added a commit
to ryao/zfs
that referenced
this issue
Oct 10, 2014
added a commit
to ryao/zfs
that referenced
this issue
Oct 10, 2014
added a commit
to ryao/zfs
that referenced
this issue
Oct 10, 2014
added a commit
to ryao/zfs
that referenced
this issue
Oct 10, 2014
added a commit
to ryao/zfs
that referenced
this issue
Oct 10, 2014
added a commit
to ryao/zfs
that referenced
this issue
Oct 10, 2014
added a commit
to ryao/zfs
that referenced
this issue
Oct 11, 2014
added a commit
to ryao/zfs
that referenced
this issue
Oct 11, 2014
|
Here are some links that might be useful for this: https://hg.openindiana.org/upstream/oracle/onnv-gate-zfscrypto/ In particular, the GRUB2 souce code has a comment saying that its encryption support was implemented mostly using the above blog post as a reference. In addition, the GRUB2 source code shows that bit 62 is used to indicate a block pointer to an encrypted block and that the hidden dataset property is called "salt". Upon some poking around, it seems that the encryption property is inheritable, but not editable. send streams of encrypted filesystems are not encrypted, but recving to an non-encrypted filesystem is not permitted. Also, the buffers from encrypted datasets are not written to L2ARC. Each dataset has a key chain in ZAP that stores the actual keys used for encryption along with information on which algorithm was used, which txgs were in effect at the time, etcetera. Decryption requires figuring out which key was used for a given txg while encryption requires using the latest. You can read more details at that blog post. |
cancan101
referenced this issue
in ClusterHQ/flocker
Jan 29, 2015
Closed
Support encrypting the ZFS volumes on disk #1108
|
Here are some more documents that might be useful: http://docs.oracle.com/cd/E26502_01/html/E29007/gkkih.html The last two are the Solaris man page and original OpenSolaris design document respectively. |
|
Some discussion of full disk encryption in #gentoo-dev on freenode lead me to poke around. I wrote an outline of the disk format changes mostly via header changes here: |
|
The Linux encryption API is GPL-exported, so we cannot use it without having a fairly unpleasant conversation about whether the GPL-exported symbol restriction is correct. The OpenBSD/FreeBSD AES code is "public domain". We do not have the rights to public domain code in jurisdictions that do not recognize public domain, such as France, so we cannot use that either. The OpenSSL AES code is under the "OpenSSL License", which is a 6-clause variant of the 4-clause BSD license, which is problematic. That said, the Illumos AES code is under the CDDL, so anyone implementing encryption support should have no issue reusing it in ZoL: https://github.com/illumos/illumos-gate/blob/master/usr/src/uts/common/crypto/io/aes.c |
|
@ilovezfs the order will be compress then encrypt so we will have good compression ratios. Removing compression will be strictly for the bonus buffers of dnodes (up to 320 bytes at the tail of the structure). This will not impact file data or other related non-metadata in any way. |
|
Thanks, so space isn't a big deal. However, I still think it would be significantly safer to compress there, too. Anywhere an attacker knows to expect more zeros in the plain text is a problem IMO. |
|
@ilovezfs I don't believe it is, because the data there wont be zeros. It will be the bonus buffer, which is not zeros. The dnode itself will be in plain text for scrubbing purposes. The encryption algorithms we are using require an IV anyway, so this shouldn't be a problem. |
sempervictus
commented
Feb 21, 2016
|
With this whole Apple/Bureau mess going on it dawns on me that we may to
|
I like that idea, but I'm having a hard time thinking of how that could work in such a way that an attacker couldn't simply comment it out. |
|
Better idea: build in a big, beautiful backdoor paid for by Mexico. |
|
@sempervictus Another quick thought on that matter. It should be fairly easy to trick zfs into thinking it is read/write without altering the code at all. All you have to do is set up a dm-snapshot of each volume in the pool and then import the pool using these volumes instead of the originals. At that point, any writes zfs would make to destroy the key would only go to the snapshot's copy-on-write data and not the original volume. As much as I like the idea, I'm not sure there's a way to implement it that isn't easily circumvented |
sempervictus
commented
Feb 22, 2016
|
Any forensics cat worth their salt wouldn't use original media, so that
|
You need to build in support for hardware security modules (HSM) or trusted platform module (TPM) - both of which serve as hardware key stores. In the case of HSM (as I understand it) the device is capable of performing encryption and decryption using encrypted memory buses so it is resistant to cold boot attacks as well as having built-in delays - this is similar to apple's Secure Enclave (as I understand it). I would love to know more about these technologies and their implementation - I only know /of/ them, and that it is the next logical progression for all of my own cryptographic work. |
|
@kpande I can look to that for future implementations. All of that code will pretty much be in userspace so it should be easy to patch in later. As a first implementation I am only planning on supporting raw, hex, and passphrase wrapping keys which may be provided from a prompt or from a file. Right now, the code only accepts raw keys from the prompt. There are placeholders in the code to allow more kinds of keysources, but I still have a lot to do already with the actual data encryption, zfs sending, and many other bits and pieces before I can start to think about other keysources and other accessories like that. |
CMCDragonkai
commented
Feb 24, 2016
|
I've got a TPM device so I can help test it. What's the ETA on this new
|
|
@CMCDragonkai I don't really have a good ETA because (as far as I'm aware of) nobody has looked at my WIP pull request to let me know how close it is to acceptable. This is partially because it is still a WIP, but also because the current work has 109 file changes, so I don't think anybody has had sufficient time to look at it yet. @ALL That said, as another development update for those who are concerned, I am still working on data encryption. I'm hoping to have basic data encryption (as in not the L2ARC or the ZIL) implemented by the end of the week. Unfortunately I had to jump back on another project for the better part of last week, but as of today I should be back to working on this. |
|
I've started work on both testing the portability and review. The initial merge is fairly trivial, just minor Linux headers added, highbit/lowbit was added to a different header to mine. After that is the porting work in icp, which appears to be a stand-alone kmodule, (and ZOL has a few after all). So some files perhaps should be named with "linux" in it, like But I have only started on the second phase. |
|
@lundman Thanks for working on getting this to other platforms. illumos-crypto.c is the only file that is not ported from Illumos and it effectively just initializes everything. Perhaps a better way to do it would be to to move the module_init(), module_exit() and other linux-specific module hooks to a separate linux specific file. However, it seems that the current osx zfs code just |
sempervictus
commented
Feb 24, 2016
|
Pardon the derailment i introduced here with the resistance to BF piece, i On Wed, Feb 24, 2016 at 4:02 AM, Tom Caputi notifications@github.com
|
grahamperrin
commented
Feb 25, 2016
FreeBSDI'm told that ZFS encryption was discussed at the recent FreeBSD Storage Summit, but I don't know whether any part of that discussion was with reference to developments here. Back a few months, #494 (comment):
A little later:
If it helps, I'm aware of: From https://www.freebsd.org/releases/8.2R/relnotes.html (2013-11-13) I see that the FreeBSD crypto(4) framework is also known as opencrypto. |
|
@grahamperrin I wonder if any of them are aware of the development here. It would be a shame to have multiple people working on the same thing.... As for the crypto api, I have ported over the one from Illumos and (pending review / approval) it should suffice for our needs so I think we're doing pretty well on that front already. |
|
Since the basis for the ZoL crypto PR is an illumos crypto API, is there a reason it isn't first being submitted to the openzfs repo (https://github.com/openzfs/openzfs/pulls) sans-illumos-crypto-API-Linux-port before being submitted to ZoL? If it's accepted into ZoL first, and then upstream illumos/openzfs and/or the other openzfs platforms want to request significant changes before integration, there could end up being a bunch of incompatible ZoL pools floating around vs. the final openzfs version, and/or pressure exerted on upstream and the other platforms not to request any changes in order to prevent such incompatibilities, with the only recourse being to try to make everyone aware of the work going on here as soon as possible with big neon signs if they want to have any input. |
|
@ilovezfs I am fine doing it either way. I only started the work here because this is the project I use and wasn't really aware of the other variants. |
|
@tcaputi Yeah, that makes sense. Once you're satisfied that the main cross-platform piece sans the illumos crypto API port is working for you locally, I'd recommend opening the PR there not only for the feedback from illumos land and from the other platforms, but also because their buildbot is particularly vicious and helpful for honing things. |
|
@ilovezfs @tcaputi we definitely need to get buy in from the openZFS developers from other platforms on the core design before this can be merged to ZoL. However, that doesn't mean it won't get merged first in ZoL and then upstreamed. This is already what happens on the other platforms with new features. |
|
@behlendorf That is true strictly speaking, but the scope of this change is a little different from something like adding async_destroy or lz4. |
|
Ah I'd forgotten how it sucks to work with uio on linux as you have to do everything yourself. We could just have separate repos, like we already do for uio code in But it could be tempting to create new standard ZFS macros for uio work, something I thought about doing for ZFS too, but doubt upstream would be bothered with it. The function Thoughts?
|
|
Hmm actually, FreeBSD already has compat for it, so Illumos sources just work, ZOL has uio struct from IllumOS in there and handle the change over elsewhere. So it's just OSX that is weird. So that's a bit selfish, carry on as before :) |
|
@lundman Thats good to know. For the moment its looking like most of the uio will be internal to the crypto code. The current design I'm working on uses the struct in one function only (zio_do_crypt_uio()), which will effectively assemble a set of iovecs into a uio and then encrypt / decrypt them. |
grahamperrin
commented
Feb 26, 2016
OpenZFS Office Hours, maybe? If you like that idea, or if (at this stage) you'd prefer some other exercise towards buy-in, please kick the ball around in irc://chat.freenode.net/#openzfs and/or irc://chat.freenode.net/#freebsd … in the latter, you'll probably find people more tuned in to BSD Now podcasts, with plenty of interest in ZFS. In any case, I'll ping Matt Ahrens.
Back to #494 (comment) on 2016-02-06:
I refrained from promotion around that time mainly because for some PC-BSD developers, it was a particularly busy time of the month (recreating a set of installers for 11.0-CURRENTFEB2016; responding to testers and so on). 2016-02-23 in irc://chat.freenode.net/#pcbsd I drew the attention of Kris Moore (iXsystems) with the following comment, on an issue that affects PersonaCrypt:
Later in a ZFS channel, attention was drawn to #4329 … and so on – so Kris and at least one other well-connected person are aware of work here on 494. A little background, for readers who may be unfamiliar:
Subject to buy-in, stability etc. there's the notion of redesigning PersonaCrypt to benefit from multi-platform encryption and a larger community of developers. |
|
@lundman Just so you are aware, I recently realized that I somehow ported over an older version of the Illumos Crypto layer. The one I have right now will work, but I'd like to talk to someone from Illumos and get a recent and stable version to use. The port only took me a couple of days, and the ICP needs some work anyway to get the assembly to compile only on x86 systems. Hopefully you haven't gotten too far into porting it to OSX, but even if you have I don't think the changes will be drastic. I will work on that next after data encryption is (finally) finished |
|
Quick update: I apologize for the delay, but I had to jump onto another project for a bit. I now have data encryption working for plain file data. The code is written in such a way that partial plaintext objects types can be easily added. Encrypting any object type that does not need to remain partially in the clear should just be a matter of setting a flag on the object type. It was tested with several different combinations of compression, checksumming, dedup, gang writes, encryption algorithms, and with embedded blocks enabled and everything seems to work. @behlendorf I currently am storing the MAC in the last 128 bytes of bp->blk_cksum and the IV in the first 96 bits of bp->blk_pad. The code can be changed pretty easily to store these values wherever the ZFS community deems fit. Before I move this to my master branch and update the PR I want to fix up the ICP while I still have my rather excessive debugging in place. |
|
I pushed a new commit to the PR, featuring plain file contents encryption (as I described above) and a restructured ICP that should build on any architecture, complete with assembly where it is available and generic c functions where it is not. I have spoken with Saso Kiselkov at Illumos about the ICP and he has and which version of the Illumos Crypto Framework I should port. He is currently rewriting a good bit of the AES encryption code, and he told me he expects to see an order of magnitude performance improvement with his changes, but he isn't sure when he will have the time to finish implementing them. I was originally going to re-port the current framework from the master branch of illumos-gate so that we could get AES-NI support working, but I think I might hold off on that now, in hopes that he might finish his implementation while I am working on other things. As it stands, the current ICP works and I am not planning on changing the structure very much once I get to the update. |
|
Ok, so now I compile it the whole way and load the kernel. You create quite a number of new kernel modules, which is the standard on Linux after all. On FBSD and OSX, will probably stay at 2, and on IllumOS, 0. Only annoyance there is the mixture of Linux module sources, and actual crypto-api-sources, like that of
I'm a bit surprised how much ahead O3X is now to ZOL, since there was changes in the zio_checksum API calls, (the edonr and skein commit) but it is trivial to change the number of parameters, and test the flags instead. Or calls to and I have ignored the assembler files, they don't work here. (gcc vs clang?) |
I'm not really creating any new modules other than the ICP itself, although I considered doing that at one point (and it is still possible). What I am currently doing is simply emulating Illumos's kernel module structure within a single module. I stole the directory structure from Illumos, so that the root directory structure represents /usr/src/uts/common/crypto and the algs directory represents /usr/src/common/crypto The only other directories I added were
I'm not sure what you mean by this.... I have never had a
I wonder why the assembly doesnt work. Perhaps I can borrow a mac from someone at work and see what is going on there. |
|
@tcaputi The dir-structure is all fine, and as you say, is like IllumOS. I meant more that any file that includes modctl.h (Linux file yes?) and
I took the assembler out for now, as I have other things to do first, before it can even run, so its not worth worrying about just yet. Also, my comments are not meant to be negative, just reporting in as I port it over to OSX. I am pleased something is happening in this area :) |
The |
|
Huh that is interesting. Then it would be mixed Linux or Illumos code, so #ifdef's it is :) |
|
There, I have brought all that mod* stuff back in, and initialise as expected. I have ported everything I had missed. Currently it dies during init, here:
I have no call to initialise |
|
Hmm actually looks like IllumOS do not initialise it, tsk tsk eh :) |
|
I tried to catch most of those, but there were a lot of places where they rely on zero'd allocation to initialize locks and such. They also didn't have |
|
In case anyone is watching the PR, I pushed a couple of small fixes for encrypted zvols (which are also encrypted now) |
|
@behlendorf or anyone who knows: While I'm asking questions, does anyone know why
Is |
|
I can report partial success. I cleaned up the missing I can create a pool, and encrypted dataset, and copy a file to it, which does not show in the pool image file. First sign of trouble is trying to import the said pool again, but will look into that too. If any OSXers wish to play with it, it is under https://github.com/openzfsonosx/zfs/compare/wip_crypt3 |
|
So I've hit a bit of a roadblock and am not sure what the best solution is. If anybody knows a solution off hand, I would appreciate the input. The problem is regarding partially encrypted types, particularly dnodes. Encrypted datasets currently encrypt dnodes by encrypting bonus buffers, but not the dnode itself. Only a few bonus types need to be encrypted, and for right now I'm just working with System Attribute bonus buffers. Other bonus buffers are left in the clear. This setup should hopefully allow us to scrub datasets and check for errors without the keys being loaded. Before keys can be loaded, several functions ( The problem arises when the dnode block is used again later, when the keys are loaded. At this point zfs sees that the dnode block is cached in the ARC and doesnt bother to reread the data so it comes back with the bonus buffer still encrypted. This obviously breaks any code that relies on that. The solutions I can think of are:
I apologize for the wall of text, but I would appreciate it if anyone had any input on how I should go about doing this. |
sempervictus
commented
Mar 14, 2016
|
@tcaputi: would it be possible to mark the bonus buffers cached in ARC as dirtied elsewhere and thus force a re-read from disk through the decryption routines? Essentially tell the ARC its somehow out of sync with the on-disk data instead of asking it to track every object as encrypted or not (which, being a boolean is small overhead, but as you point out, that's precious space). |
|
@sempervictus: Since I posted the question I found arc_buf_header_t, pointed to by arc_buf_t, which appears to be 1-1 mapped. This struct does have a field for flags, which solves the space problem. I'm still not sure what changes would need to be made to the ARC for this to work. From the top of my head, I know that the ARC has a hashmap of buffers, and I imagine trying to maintain 2 copies of the same buffer in that hashmap could cause problems, since the second one would attempt take the first's place. Short of any other suggestions I plan on spending a lot of time tomorrow reading through arc.c. |
sempervictus
commented
Mar 14, 2016
|
@tcaputi So what you could do is don't do anything to dnode_phys, make it always have encrypted bonus. And make the decryption happens when you read the bonus into the separate bonus buffer. But of course, for other stuff like user data and stuff, you'll likely need to mark it as encrypted/decrypted in ARC. The Illumos camp are working on compressed ARC, you might want to look at it. Maybe you can find some useful idea. https://drive.google.com/file/d/0B5hUzsxe4cdmbEh2eEZDbjY3LXM/view?usp=sharing |
sempervictus
commented
Mar 14, 2016
|
@tuxoko: would it be feasible to create something along the lines of a negative DVA in the arc_buf_hdr_t structure for encrypted data such that repeated access to the encrypted state can still be cached, and the real DVA for decrypted data? |
|
@tuxoko: |
|
I think I'm approaching a solution a solution, although there is now an additional (but hopefully easier) problem. It seems like the best place to decrypt the bonus buffers would be in The issue is that decrypting a single bonus buffer requires decrypting all the bonus buffers in the block. I believe the full DMU_OT_DNODE block should be available as long as a bonus buffer within it is available, but this is still at the very least inefficient. Perhaps this wouldn't be quite as bad of an option if it also cached the other decrypted bonus buffers instead of throwing them away. That said, I had mentioned earlier that we could fit the IV and MAC for a dnode into I'm not sure which method is better here, but I'm (again) open to any input. In the meantime I will continue looking myself. |
|
excellent work! |
|
I had to work on another project for a few weeks, but now I am back to working on this full time. After looking at the status of large dnode support in #3542 I am now less averse to using some of the padding in For now I will start working on adding encryption parameters to |
This was referenced Jun 8, 2016
cytrinox
commented
Sep 14, 2016
|
Is it possible to get this into 0.7.0? |
FransUrbo commentedDec 14, 2011
As of ZFS Pool Version 30, there is support for encryption. This part is unfortunatly closed source, so an opensource implementation would be required. That means it would probably not be compatible with the Solaris version 'but who cares' :).
Illumos is apparently working on this at https://www.illumos.org/projects/zfs-crypto. Source repository can be found at https://bitbucket.org/buffyg/illumos-zfs-crypto. Unfortunatly there is no changes since the fork from illumos-gate. Should ZoL start thinking about this or should we just take the back seat?
Don't know how big of a problem this would be, but 'copying' the way that LUKS (Linux Unified Key Setup) do it seems to be a good place to start.