Project

General

Profile

Actions

Bug #13795

open

Encrypted zfs is not compatible with openzfs

Added by jing zhang 9 months ago. Updated 3 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
zfs - Zettabyte File System
Start date:
Due date:
% Done:

0%

Estimated time:
Difficulty:
Medium
Tags:
Gerrit CR:

Description

Encrypted zfs which is created by illumos-gate cannot be imported by Openzfs in linux.

Steps:

In Hipster
1.zpool create apool
2.zfs create -o encryption=aes-128-ccm -o keyformat=passphrase apool/aes
3.Write some files.

In Linux
4.zpool import -l apool, and input the correct password.
5.I got an EIO error. And the zfs 'aes' has no file.

This is because Openzfs used 'os_projectused_dnode' to calc hmacs, while illumos not.
So the 'local_mac' values are not equal after 'zio_crypt_do_objset_hmacs'.

Reference: Project dnode should be protected by local MAC
https://github.com/openzfs/zfs/commit/7b30ee6bafe91ebd3b34433ef3b943fd07a98cea#diff-b55cbc66d9f61ed47a13d41dfab8c2b0e078813a2d0aa5da9008356324833018

diff --git a/usr/src/uts/common/fs/zfs/zio_crypt.c b/usr/src/uts/common/fs/zfs/zio_crypt.c
index 47c104e642..9aa42b33ff 100644
--- a/usr/src/uts/common/fs/zfs/zio_crypt.c
+++ b/usr/src/uts/common/fs/zfs/zio_crypt.c
@@ -1298,15 +1298,27 @@ zio_crypt_do_objset_hmacs(zio_crypt_key_t *key, void *data, uint_t datalen,
        }

        /* add in fields from the user accounting dnodes */
-       ret = zio_crypt_do_dnode_hmac_updates(ctx, key->zk_version,
-           should_bswap, &osp->os_userused_dnode);
-       if (ret)
-               goto error;
+       if (osp->os_userused_dnode.dn_type != DMU_OT_NONE) {
+               ret = zio_crypt_do_dnode_hmac_updates(ctx, key->zk_version,
+                   should_bswap, &osp->os_userused_dnode);
+               if (ret)
+                       goto error;
+       }

-       ret = zio_crypt_do_dnode_hmac_updates(ctx, key->zk_version,
-           should_bswap, &osp->os_groupused_dnode);
-       if (ret)
-               goto error;
+       if (osp->os_groupused_dnode.dn_type != DMU_OT_NONE) {
+               ret = zio_crypt_do_dnode_hmac_updates(ctx, key->zk_version,
+                   should_bswap, &osp->os_groupused_dnode);
+               if (ret)
+                       goto error;
+       }
+
+       if (osp->os_projectused_dnode.dn_type != DMU_OT_NONE &&
+           datalen >= OBJSET_PHYS_SIZE_V3) {
+               ret = zio_crypt_do_dnode_hmac_updates(ctx, key->zk_version,
+                   should_bswap, &osp->os_projectused_dnode);
+               if (ret)
+                       goto error;
+       }

        /* store the final digest in a temporary buffer and copy what we need */
        cd.cd_length = SHA512_DIGEST_LENGTH;

Actions

Also available in: Atom PDF