Better handling for future crypto parameters #14577
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The intent is that this is like ENOTSUP, but specifically for when something can't be done because we have no support for the requested crypto parameters; eg unlocking a dataset or receiving a stream encrypted with a suite we don't support. Its not intended to be recoverable without upgrading ZFS itself. If the request could be made to work by enabling a feature or modifying some other configuration item, then some other code should be used. Signed-off-by: Rob Norris <[email protected]>
In the future we might have more crypto suites (ie new values for the `encryption` property. Right now trying to load a key on such a future crypto suite will look up suite parameters off the end of the crypto table, resulting in misbehaviour and/or crashes (or, with debug enabled, trip the assertion in `zio_crypt_key_unwrap`). Instead, lets check the value we got from the dataset, and if we can't handle it, abort early. Signed-off-by: Rob Norris <[email protected]>
When receiving a raw stream encrypted with an unknown crypto suite, `zfs recv` would report a generic `invalid backup stream` (EINVAL). While technically correct, its not super helpful, so lets ship a more specific error code and message. Signed-off-by: Rob Norris <[email protected]>
Signed-off-by: Rob Norris <[email protected]>
mcmilk
approved these changes
Mar 5, 2023
ryao
suggested changes
Mar 6, 2023
There was a problem hiding this comment.
Since all of these commits collectively relate to ZFS_ERR_CRYPTO_NOTSUP, I think they should be squashed into a single commit. I realize the irony of saying this, given that I have been doing plenty of small commits lately, but keeping those separate at least serves a documentation purpose. Here, the documentation that we would get from separate commits is self explanatory based on where the changes are being made, so there is no reason for these changes to be kept in separate commits.
behlendorf
approved these changes
Mar 7, 2023
mcmilk
pushed a commit
to mcmilk/zfs
that referenced
this pull request
Mar 13, 2023
The intent is that this is like ENOTSUP, but specifically for when something can't be done because we have no support for the requested crypto parameters; eg unlocking a dataset or receiving a stream encrypted with a suite we don't support. Its not intended to be recoverable without upgrading ZFS itself. If the request could be made to work by enabling a feature or modifying some other configuration item, then some other code should be used. load-key: In the future we might have more crypto suites (ie new values for the `encryption` property. Right now trying to load a key on such a future crypto suite will look up suite parameters off the end of the crypto table, resulting in misbehaviour and/or crashes (or, with debug enabled, trip the assertion in `zio_crypt_key_unwrap`). Instead, lets check the value we got from the dataset, and if we can't handle it, abort early. recv: When receiving a raw stream encrypted with an unknown crypto suite, `zfs recv` would report a generic `invalid backup stream` (EINVAL). While technically correct, its not super helpful, so lets ship a more specific error code and message. Reviewed-by: Tino Reichardt <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Reviewed-by: Richard Yao <[email protected]> Signed-off-by: Rob Norris <[email protected]> Closes openzfs#14577
lundman
pushed a commit
to openzfsonwindows/openzfs
that referenced
this pull request
Mar 16, 2023
The intent is that this is like ENOTSUP, but specifically for when something can't be done because we have no support for the requested crypto parameters; eg unlocking a dataset or receiving a stream encrypted with a suite we don't support. Its not intended to be recoverable without upgrading ZFS itself. If the request could be made to work by enabling a feature or modifying some other configuration item, then some other code should be used. load-key: In the future we might have more crypto suites (ie new values for the `encryption` property. Right now trying to load a key on such a future crypto suite will look up suite parameters off the end of the crypto table, resulting in misbehaviour and/or crashes (or, with debug enabled, trip the assertion in `zio_crypt_key_unwrap`). Instead, lets check the value we got from the dataset, and if we can't handle it, abort early. recv: When receiving a raw stream encrypted with an unknown crypto suite, `zfs recv` would report a generic `invalid backup stream` (EINVAL). While technically correct, its not super helpful, so lets ship a more specific error code and message. Reviewed-by: Tino Reichardt <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Reviewed-by: Richard Yao <[email protected]> Signed-off-by: Rob Norris <[email protected]> Closes openzfs#14577
This was referenced May 7, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation and Context
While testing #14249, I found a couple of places where OpenZFS doesn't cope well when presented with a dataset or stream that uses an unknown crypto suite. While its too late for those already deployed, we can at least make it that newer ZFS installs are able to fail gracefully rather than crash or do something weird.
Description
This introduces a new ioctl return,
ZFS_ERR_CRYPTO_NOTSUP, and returns it when either we try to load an encryption key for a dataset that uses an unknown crypto suite (encryptionproperty value) or receive a raw backup stream that uses an unknown encryption key.zfs sendandzfs load-keyhave been updated to produce a nicer error message in those cases.This is technically a very small ABI change, in that the
ZFS_IOC_RECV_NEWandZFS_IOC_LOAD_KEYcan return a previously-unseen error code. Older versions of the ZFS-provided tools will handle these fine in their fallback error handlers, and I can't imagine any other users of those ioctls not having a similar fallback. If it was a problem,EINVALorENOTSUPare both plausible alternatives though they do muddy the meaning of those a little.How Has This Been Tested?
Tested by hand by creating a dataset with
-o encryption=chacha20-poly1305(#14249) and a backup stream from it, and then loading it / receiving it into a ZFS build at master (620a977) and with this PR.Before:
Before (with
--enable-debug):After:
No additions to the test suite. I'm not really sure how to do this other than either checking in or cooking a dataset or backup stream under the hood, and that seems like it could be pretty brittle.
Types of changes
Checklist:
Signed-off-by.