-
Notifications
You must be signed in to change notification settings - Fork 1.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This commit implements the Chacha20-Poly1305 AEAD from RFC 8439 as a new algorithm option for encrypted datasets. AES (and particularly the default AES-GCM mode used in OpenZFS) is known to be very slow on systems without hardware assistance. There are many such machines out there could make good use of OpenZFS, especially low-cost machines and small boards that would otherwise make very nice storage machines. The Raspberry Pi series of machines are a good example. The best option for these systems is an encryption option that performs well in software. Chacha20-Poly1305 is the current "standard" option for this in many contexts, and is a good choice for OpenZFS. The core Chacha20 and Poly1305 implementations are taken from Loup Valliant's Monocypher. These were chosen because they are compact, easy to read, easy to use and the author has written extensively about its development, all of which give me confidence that there are unlikely to be any surprises. I've added a KCF-style module to the ICP to implement the AEAD. This implements just enough for OpenZFS, and is not suitable as a general-purpose KCF for Illumos (though it could be the starting point for one). For FreeBSD, which does not use the ICP, I've instead hooked it up to FreeBSD's builtin crypto stack. The rest is adding an enabling property value and a feature flag and and hooking it up to all the right touch points, and documentation updates. The existing tests that cycle through the possible encryption options have been extended to add one more. I've added a test to ensure that raw receives of chacha20-poly1305 datasets do the right thing based on the state of the feature flag on the receiving side. There's also a test unit that runs the test vectors in RFC 8439 against Chacha20, Poly1305 and the AEAD in the ICP that combines them. This is most useful as a sanity check during future work to add alternate (accelerated) implementations. Finally, manual interop testing has been done to confirm that pools and streams can be moved between Linux and FreeBSD correctly. Light and uncontrolled performance testing on a Raspberry Pi 4B (Broadcom BCM2711, no hardware AES) writing to a chacha20-poly1305 dataset was ~2.4x faster than aes-256-gcm on the same hardware. On a Fitlet2 (Celeron J3455, AES-NI but no AVX (#10846)) it was ~1.3x faster. Signed-off-by: Rob Norris <[email protected]>
- Loading branch information
Showing
33 changed files
with
2,064 additions
and
36 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -37,8 +37,9 @@ | |
.\" Copyright 2019 Joyent, Inc. | ||
.\" Copyright (c) 2019, Kjeld Schouten-Lebbing | ||
.\" Copyright (c) 2022 Hewlett Packard Enterprise Development LP. | ||
.\" Copyright (c) 2023, Rob Norris <[email protected]> | ||
.\" | ||
.Dd August 8, 2023 | ||
.Dd October 27, 2023 | ||
.Dt ZFSPROPS 7 | ||
.Os | ||
. | ||
|
@@ -1077,7 +1078,7 @@ This property can also be referred to by its shortened column name, | |
.It Xo | ||
.Sy encryption Ns = Ns Sy off Ns | Ns Sy on Ns | Ns Sy aes-128-ccm Ns | Ns | ||
.Sy aes-192-ccm Ns | Ns Sy aes-256-ccm Ns | Ns Sy aes-128-gcm Ns | Ns | ||
.Sy aes-192-gcm Ns | Ns Sy aes-256-gcm | ||
.Sy aes-192-gcm Ns | Ns Sy aes-256-gcm Ns | Ns Sy chacha20-poly1305 | ||
.Xc | ||
Controls the encryption cipher suite (block cipher, key length, and mode) used | ||
for this dataset. | ||
|
@@ -1096,6 +1097,12 @@ selected, which is currently | |
In order to provide consistent data protection, encryption must be specified at | ||
dataset creation time and it cannot be changed afterwards. | ||
.Pp | ||
On systems lacking hardware-accelerated AES (many non-x86 boards) | ||
.Sy chacha20-poly1305 | ||
will usually offer better performance without compromising security. | ||
On x86, or when datasets may be mounted on on older versions of ZFS, an AES | ||
suite is the best choice. | ||
.Pp | ||
For more details and caveats about encryption see the | ||
.Sx Encryption | ||
section of | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -17,8 +17,9 @@ | |
.\" Copyright (c) 2019, Klara Inc. | ||
.\" Copyright (c) 2019, Allan Jude | ||
.\" Copyright (c) 2021, Colm Buckley <[email protected]> | ||
.\" Copyright (c) 2023, Rob Norris <[email protected]> | ||
.\" | ||
.Dd June 23, 2022 | ||
.Dd October 27, 2023 | ||
.Dt ZPOOL-FEATURES 7 | ||
.Os | ||
. | ||
|
@@ -398,6 +399,21 @@ returned to the | |
.Sy enabled | ||
state when all bookmarks with these fields are destroyed. | ||
. | ||
.feature org.openzfs chacha20_poly1305 no encryption extensible_dataset | ||
This feature enables the use of the ChaCha20-Poly1305 cipher suite for encrypted | ||
datasets. | ||
On systems lacking hardware-accelerated AES (many non-x86 boards), this suite | ||
will usually offer better performance than AES suites without compromising | ||
security. | ||
.Pp | ||
This feature becomes | ||
.Sy active | ||
when an encrypted dataset is created with | ||
.Nm encryption Ns = Ns Sy chacha20-poly1305 | ||
and will be returned to the | ||
.Sy enabled | ||
state when all datasets that use this feature are destroyed. | ||
. | ||
.feature org.openzfs device_rebuild yes | ||
This feature enables the ability for the | ||
.Nm zpool Cm attach | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,95 @@ | ||
/* | ||
* Copyright (c) 2017-2019, Loup Vaillant | ||
* All rights reserved. | ||
* | ||
* | ||
* Redistribution and use in source and binary forms, with or without | ||
* modification, are permitted provided that the following conditions are | ||
* met: | ||
* | ||
* 1. Redistributions of source code must retain the above copyright | ||
* notice, this list of conditions and the following disclaimer. | ||
* | ||
* 2. Redistributions in binary form must reproduce the above copyright | ||
* notice, this list of conditions and the following disclaimer in the | ||
* documentation and/or other materials provided with the | ||
* distribution. | ||
* | ||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | ||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT | ||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR | ||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT | ||
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | ||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT | ||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | ||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | ||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | ||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
*/ | ||
|
||
/* | ||
* Monocypher 4.0.2 (Poly1305, Chacha20, and supporting utilities) | ||
* adapted for OpenZFS by Rob Norris <[email protected]> | ||
*/ | ||
|
||
/* | ||
* Note: this follows the Monocypher style rather than the OpenZFS style to | ||
* keep the diff to the bare minimum. This is important for making it easy to | ||
* compare the two and confirm that they are in fact the same. The diff should | ||
* be almost entirely in deleted lines. | ||
*/ | ||
|
||
#ifndef MONOCYPHER_H | ||
#define MONOCYPHER_H | ||
|
||
#include <sys/types.h> | ||
|
||
|
||
// Constant time comparisons | ||
// ------------------------- | ||
|
||
// Return 0 if a and b are equal, -1 otherwise | ||
int crypto_verify16(const uint8_t a[16], const uint8_t b[16]); | ||
|
||
// Erase sensitive data | ||
// -------------------- | ||
void crypto_wipe(void *secret, size_t size); | ||
|
||
|
||
// Chacha20 | ||
// -------- | ||
|
||
// Unauthenticated stream cipher. | ||
// Don't forget to add authentication. | ||
uint32_t crypto_chacha20_ietf(uint8_t *cipher_text, | ||
const uint8_t *plain_text, | ||
size_t text_size, | ||
const uint8_t key[32], | ||
const uint8_t nonce[12], | ||
uint32_t ctr); | ||
|
||
|
||
// Poly 1305 | ||
// --------- | ||
|
||
// This is a *one time* authenticator. | ||
// Disclosing the mac reveals the key. | ||
|
||
// Incremental interface | ||
typedef struct { | ||
// Do not rely on the size or contents of this type, | ||
// for they may change without notice. | ||
uint8_t c[16]; // chunk of the message | ||
size_t c_idx; // How many bytes are there in the chunk. | ||
uint32_t r [4]; // constant multiplier (from the secret key) | ||
uint32_t pad[4]; // random number added at the end (from the secret key) | ||
uint32_t h [5]; // accumulated hash | ||
} crypto_poly1305_ctx; | ||
|
||
void crypto_poly1305_init (crypto_poly1305_ctx *ctx, const uint8_t key[32]); | ||
void crypto_poly1305_update(crypto_poly1305_ctx *ctx, | ||
const uint8_t *message, size_t message_size); | ||
void crypto_poly1305_final (crypto_poly1305_ctx *ctx, uint8_t mac[16]); | ||
|
||
#endif /* MONOCYPHER_H */ |
Oops, something went wrong.