Detect and prevent mixed raw and non-raw sends

[tcaputi]

Currently, there is an issue in the raw receive code where
raw receives are allowed to happen on top of previously
non-raw received datasets. This is a problem because the
source-side dataset doesn't know about how the blocks on
the destination were encrypted. As a result, any MAC in
the objset's checksum-of-MACs tree that is a parent of both
blocks encrypted on the source and blocks encrypted by the
destination will be incorrect. This will result in
authentication errors when we decrypt the dataset.

This patch fixes this issue by adding a new check to the
raw receive code. The code now maintains an "IVset guid",
which acts as an identifier for the set of IVs used to
encrypt a given snapshot. When a snapshot is raw received,
the destination snapshot will take this value from the
DRR_BEGIN payload. Non-raw receives and normal "zfs snap"
operations will cause ZFS to generate a new IVset guid.
When a raw incremental stream is received, ZFS will check
that the "from" IVset guid in the stream matches that of
the "from" destination snapshot. If they do not match, the
code will error out the receive, preventing the problem.

WIP: Still working on reverse compatibility for existing encrypted datasets.

Signed-off-by: Tom Caputi [email protected]

Motivation and Context

This issue was originally found and reported by Jason King.

How Has This Been Tested?

send_mixed_raw.ksh has been added to ensure the new code detects and prevents mixed raw. The patch has also been tested against. Some sample datasets that Jason provided and it seems to work correctly now.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Performance enhancement (non-breaking change which improves efficiency)
• Code cleanup (non-breaking change which makes code smaller or more readable)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation (a change to man pages or other documentation)

Checklist:

• My code follows the ZFS on Linux code style requirements.
• I have updated the documentation accordingly.
• I have read the contributing document.
• I have added tests to cover my changes.
• All new and existing tests passed.
• All commit messages are properly formatted and contain Signed-off-by.

[DeHackEd]

Umm... Last time zfs_bookmark_phys_t was changed we ended up with errata 1 (2094). Is this safe now?
Never mind, I see what you're up to.

[tcaputi]

@DeHackEd We're still working on on-disk reverse compatibility, but zfs_bookmark_phys_t was going to get bigger with redacted send / recv anyway. We may have to file an errata for this, but that isn't clear yet.

[ahrens]

maybe we should only add these if they are nonzero?

[tcaputi]

My thought process at the time was that this would allow us to identify source systems that have the new version of zfs that supports ivset guids, but are sending an old snapshot without one set.

[ahrens]

Does the code care about that, or is that just in case developers want to inspect the send stream with zstreamdump and make inferences based on it?

[tcaputi]

Thats just mostly for developers / debugging.

[tcaputi]

All the code and tests should now be ready for review. I'm still working on the wording for the errata page, but I expect that PR should be made tomorrow.

[codecov]

Codecov Report

Merging #8308 into master will increase coverage by 0.18%.
The diff coverage is 87.5%.

@@            Coverage Diff             @@
##           master    #8308      +/-   ##
==========================================
+ Coverage   78.53%   78.72%   +0.18%     
==========================================
  Files         380      380              
  Lines      116007   116091      +84     
==========================================
+ Hits        91108    91391     +283     
+ Misses      24899    24700     -199

Flag	Coverage Δ
#kernel	79.19% <92.92%> (+0.22%)	⬆️
#user	67.47% <16.07%> (+0.24%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 762f9ef...95226b6. Read the comment docs.

[lundman]

This is what we are all waiting on yes? :) Will fix that last issue?

[tcaputi]

Hopefully, yes.

[tcaputi]

Related errata documentation PR for the website: zfsonlinux/zfsonlinux.github.com#45

[tcaputi]

For reference, these are the commands used to generate the test pool for the errata handling test:

truncate -s 100M /root/missing_ivset.dat
zpool create -f missing_ivset /root/missing_ivset.dat
echo 'password' | zfs create -o encryption=on -o keyformat=passphrase missing_ivset/testfs
echo 'password' | zfs create -V 10M -o encryption=on -o keyformat=passphrase missing_ivset/testvol

touch /missing_ivset/filea
yes | dd of=/dev/zvol/missing_ivset/testvol bs=512 count=1 seek=0
zfs snap missing_ivset/testfs@snap1
zfs snap missing_ivset/testvol@snap1

touch /missing_ivset/fileb
yes | dd of=/dev/zvol/missing_ivset/testvol bs=512 count=1 seek=4096
zfs snap missing_ivset/testfs@snap2
zfs snap missing_ivset/testvol@snap2
zfs bookmark missing_ivset/testfs@snap2 missing_ivset/testfs#snap2
zfs bookmark missing_ivset/testvol@snap2 missing_ivset/testvol#snap2

touch /missing_ivset/filec
yes | dd of=/dev/zvol/missing_ivset/testvol bs=512 count=1 seek=8192
zfs snap missing_ivset/testfs@snap3
zfs snap missing_ivset/testvol@snap3
zpool export missing_ivset

[behlendorf]

This looks good. I'll see about doing some additional manual testing latter this week. In the meanwhile, it looks like this change introduced a small memory leak and it needs to be rebased.

[tcaputi]

@behlendorf your comments have been addressed. The memory leak was actually an existing leak that the new tests exposed (now fixed in the PR). I would appreciate it if someone could look at the changes related to that to make sure I didn't miss any cases. The fixes for that are all in dmu_recv_stream()

[ahrens]

Does the code care about that, or is that just in case developers want to inspect the send stream with zstreamdump and make inferences based on it?

[ahrens]

Doing this without checking if the dataset is zapified won't work right, for a few reasons:

1. on debug bits, this will panic (see zap_lockdir())
2. on nondebug bits on other platforms (e.g. illumos), this will probably panic, since the check in zap_lockdir_impl() is unique to ZoL.
3. on nondebug bits on ZoL, this will return EINVAL (incorrect channel program) when we want ENOENT (property not present). See zcp_handle_error().

[lundman]

(it would make my life easier if new changes were new commits instead of force-pushed over the one, and only squashed right before merging at the end :) )

[pcd1193182]

Other than matt's comments, everything looks good to me. I was mostly looking at the send/recv logic, since that's what I know best.

[tcaputi]

@ahrens a new version has been pushed to address your comments.
@lundman the changes were pushed as a new commit :)

[JMoVS]

is there any way an existing pool with the top-level-dataset being an encrypted one to transfer the data on the pool? Or will I have to backup the pool, destroy it and start fresh?

[tcaputi]

Hmmm. That is a good point. @behlendorf do you know of a way to do this?

[behlendorf]

Good question. Sorry no, I can't think of a great way to do this.

[JMoVS]

ugh, ok, thx. Note to self: Never create root datasets with experimental features 😆

[JMoVS]

@kpande It is possible to create a different encryption root, but that doesn't help me in getting rid of the top dataset. I think this should maybe be made clear for Admins in Errata #4? Like "if you have a top-level encryptionroot, you can either create a new one below it and live with the errata or backup the pool and recreate it with the bookmark v2 feature"