2008-11-20 20:01:55 +00:00
|
|
|
/*
|
|
|
|
* CDDL HEADER START
|
|
|
|
*
|
|
|
|
* The contents of this file are subject to the terms of the
|
|
|
|
* Common Development and Distribution License (the "License").
|
|
|
|
* You may not use this file except in compliance with the License.
|
|
|
|
*
|
|
|
|
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
|
|
|
|
* or http://www.opensolaris.org/os/licensing.
|
|
|
|
* See the License for the specific language governing permissions
|
|
|
|
* and limitations under the License.
|
|
|
|
*
|
|
|
|
* When distributing Covered Code, include this CDDL HEADER in each
|
|
|
|
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
|
|
|
|
* If applicable, add the following below this CDDL HEADER, with the
|
|
|
|
* fields enclosed by brackets "[]" replaced with your own identifying
|
|
|
|
* information: Portions Copyright [yyyy] [name of copyright owner]
|
|
|
|
*
|
|
|
|
* CDDL HEADER END
|
|
|
|
*/
|
|
|
|
/*
|
2010-08-26 21:24:34 +00:00
|
|
|
* Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
|
2018-02-08 16:32:45 +00:00
|
|
|
* Copyright (c) 2012, 2017 by Delphix. All rights reserved.
|
2016-06-09 18:46:42 +00:00
|
|
|
* Copyright 2016 RackTop Systems.
|
2017-06-17 00:21:11 +00:00
|
|
|
* Copyright (c) 2017, Intel Corporation.
|
2008-11-20 20:01:55 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
#ifndef _SYS_ZFS_IOCTL_H
|
|
|
|
#define _SYS_ZFS_IOCTL_H
|
|
|
|
|
|
|
|
#include <sys/cred.h>
|
|
|
|
#include <sys/dmu.h>
|
|
|
|
#include <sys/zio.h>
|
|
|
|
#include <sys/dsl_deleg.h>
|
2010-05-28 20:45:14 +00:00
|
|
|
#include <sys/spa.h>
|
2010-08-26 21:24:34 +00:00
|
|
|
#include <sys/zfs_stat.h>
|
2008-11-20 20:01:55 +00:00
|
|
|
|
|
|
|
#ifdef _KERNEL
|
|
|
|
#include <sys/nvpair.h>
|
|
|
|
#endif /* _KERNEL */
|
|
|
|
|
|
|
|
#ifdef __cplusplus
|
|
|
|
extern "C" {
|
|
|
|
#endif
|
|
|
|
|
2013-08-28 11:45:09 +00:00
|
|
|
/*
|
|
|
|
* The structures in this file are passed between userland and the
|
|
|
|
* kernel. Userland may be running a 32-bit process, while the kernel
|
|
|
|
* is 64-bit. Therefore, these structures need to compile the same in
|
|
|
|
* 32-bit and 64-bit. This means not using type "long", and adding
|
|
|
|
* explicit padding so that the 32-bit structure will not be packed more
|
|
|
|
* tightly than the 64-bit structure (which requires 64-bit alignment).
|
|
|
|
*/
|
|
|
|
|
2008-11-20 20:01:55 +00:00
|
|
|
/*
|
|
|
|
* Property values for snapdir
|
|
|
|
*/
|
|
|
|
#define ZFS_SNAPDIR_HIDDEN 0
|
|
|
|
#define ZFS_SNAPDIR_VISIBLE 1
|
|
|
|
|
2013-02-13 23:11:59 +00:00
|
|
|
/*
|
|
|
|
* Property values for snapdev
|
|
|
|
*/
|
|
|
|
#define ZFS_SNAPDEV_HIDDEN 0
|
|
|
|
#define ZFS_SNAPDEV_VISIBLE 1
|
2013-10-28 16:22:15 +00:00
|
|
|
/*
|
|
|
|
* Property values for acltype
|
|
|
|
*/
|
|
|
|
#define ZFS_ACLTYPE_OFF 0
|
|
|
|
#define ZFS_ACLTYPE_POSIXACL 1
|
2013-02-13 23:11:59 +00:00
|
|
|
|
2010-05-28 20:45:14 +00:00
|
|
|
/*
|
|
|
|
* Field manipulation macros for the drr_versioninfo field of the
|
|
|
|
* send stream header.
|
|
|
|
*/
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Header types for zfs send streams.
|
|
|
|
*/
|
|
|
|
typedef enum drr_headertype {
|
|
|
|
DMU_SUBSTREAM = 0x1,
|
|
|
|
DMU_COMPOUNDSTREAM = 0x2
|
|
|
|
} drr_headertype_t;
|
|
|
|
|
|
|
|
#define DMU_GET_STREAM_HDRTYPE(vi) BF64_GET((vi), 0, 2)
|
|
|
|
#define DMU_SET_STREAM_HDRTYPE(vi, x) BF64_SET((vi), 0, 2, x)
|
|
|
|
|
|
|
|
#define DMU_GET_FEATUREFLAGS(vi) BF64_GET((vi), 2, 30)
|
|
|
|
#define DMU_SET_FEATUREFLAGS(vi, x) BF64_SET((vi), 2, 30, x)
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Feature flags for zfs send streams (flags in drr_versioninfo)
|
|
|
|
*/
|
|
|
|
|
2016-01-06 21:22:48 +00:00
|
|
|
#define DMU_BACKUP_FEATURE_DEDUP (1 << 0)
|
|
|
|
#define DMU_BACKUP_FEATURE_DEDUPPROPS (1 << 1)
|
|
|
|
#define DMU_BACKUP_FEATURE_SA_SPILL (1 << 2)
|
2014-06-05 21:19:08 +00:00
|
|
|
/* flags #3 - #15 are reserved for incompatible closed-source implementations */
|
2016-01-06 21:22:48 +00:00
|
|
|
#define DMU_BACKUP_FEATURE_EMBED_DATA (1 << 16)
|
2016-07-11 17:45:52 +00:00
|
|
|
#define DMU_BACKUP_FEATURE_LZ4 (1 << 17)
|
2014-11-03 20:15:08 +00:00
|
|
|
/* flag #18 is reserved for a Delphix feature */
|
2016-01-06 21:22:48 +00:00
|
|
|
#define DMU_BACKUP_FEATURE_LARGE_BLOCKS (1 << 19)
|
|
|
|
#define DMU_BACKUP_FEATURE_RESUMING (1 << 20)
|
2017-05-18 17:02:16 +00:00
|
|
|
/* flag #21 is reserved for a Delphix feature */
|
2016-07-11 17:45:52 +00:00
|
|
|
#define DMU_BACKUP_FEATURE_COMPRESSED (1 << 22)
|
2017-05-18 17:02:16 +00:00
|
|
|
#define DMU_BACKUP_FEATURE_LARGE_DNODE (1 << 23)
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
#define DMU_BACKUP_FEATURE_RAW (1 << 24)
|
2010-05-28 20:45:14 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Mask of all supported backup features
|
|
|
|
*/
|
|
|
|
#define DMU_BACKUP_FEATURE_MASK (DMU_BACKUP_FEATURE_DEDUP | \
|
2014-06-05 21:19:08 +00:00
|
|
|
DMU_BACKUP_FEATURE_DEDUPPROPS | DMU_BACKUP_FEATURE_SA_SPILL | \
|
2016-07-11 17:45:52 +00:00
|
|
|
DMU_BACKUP_FEATURE_EMBED_DATA | DMU_BACKUP_FEATURE_LZ4 | \
|
2016-01-06 21:22:48 +00:00
|
|
|
DMU_BACKUP_FEATURE_RESUMING | DMU_BACKUP_FEATURE_LARGE_BLOCKS | \
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
DMU_BACKUP_FEATURE_COMPRESSED | DMU_BACKUP_FEATURE_LARGE_DNODE | \
|
|
|
|
DMU_BACKUP_FEATURE_RAW)
|
2010-05-28 20:45:14 +00:00
|
|
|
|
|
|
|
/* Are all features in the given flag word currently supported? */
|
|
|
|
#define DMU_STREAM_SUPPORTED(x) (!((x) & ~DMU_BACKUP_FEATURE_MASK))
|
|
|
|
|
2016-01-06 21:22:48 +00:00
|
|
|
typedef enum dmu_send_resume_token_version {
|
|
|
|
ZFS_SEND_RESUME_TOKEN_VERSION = 1
|
|
|
|
} dmu_send_resume_token_version_t;
|
|
|
|
|
2010-05-28 20:45:14 +00:00
|
|
|
/*
|
|
|
|
* The drr_versioninfo field of the dmu_replay_record has the
|
|
|
|
* following layout:
|
|
|
|
*
|
|
|
|
* 64 56 48 40 32 24 16 8 0
|
|
|
|
* +-------+-------+-------+-------+-------+-------+-------+-------+
|
|
|
|
* | reserved | feature-flags |C|S|
|
|
|
|
* +-------+-------+-------+-------+-------+-------+-------+-------+
|
|
|
|
*
|
|
|
|
* The low order two bits indicate the header type: SUBSTREAM (0x1)
|
|
|
|
* or COMPOUNDSTREAM (0x2). Using two bits for this is historical:
|
|
|
|
* this field used to be a version number, where the two version types
|
|
|
|
* were 1 and 2. Using two bits for this allows earlier versions of
|
|
|
|
* the code to be able to recognize send streams that don't use any
|
|
|
|
* of the features indicated by feature flags.
|
|
|
|
*/
|
|
|
|
|
2008-11-20 20:01:55 +00:00
|
|
|
#define DMU_BACKUP_MAGIC 0x2F5bacbacULL
|
|
|
|
|
2016-06-09 18:46:42 +00:00
|
|
|
/*
|
|
|
|
* Send stream flags. Bits 24-31 are reserved for vendor-specific
|
|
|
|
* implementations and should not be used.
|
|
|
|
*/
|
2008-11-20 20:01:55 +00:00
|
|
|
#define DRR_FLAG_CLONE (1<<0)
|
|
|
|
#define DRR_FLAG_CI_DATA (1<<1)
|
2016-06-09 18:18:16 +00:00
|
|
|
/*
|
|
|
|
* This send stream, if it is a full send, includes the FREE and FREEOBJECT
|
|
|
|
* records that are created by the sending process. This means that the send
|
|
|
|
* stream can be received as a clone, even though it is not an incremental.
|
|
|
|
* This is not implemented as a feature flag, because the receiving side does
|
|
|
|
* not need to have implemented it to receive this stream; it is fully backwards
|
|
|
|
* compatible. We need a flag, though, because full send streams without it
|
|
|
|
* cannot necessarily be received as a clone correctly.
|
|
|
|
*/
|
|
|
|
#define DRR_FLAG_FREERECORDS (1<<2)
|
2008-11-20 20:01:55 +00:00
|
|
|
|
2010-05-28 20:45:14 +00:00
|
|
|
/*
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
* flags in the drr_flags field in the DRR_WRITE, DRR_SPILL, DRR_OBJECT,
|
|
|
|
* DRR_WRITE_BYREF, and DRR_OBJECT_RANGE blocks
|
2010-05-28 20:45:14 +00:00
|
|
|
*/
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
#define DRR_CHECKSUM_DEDUP (1<<0) /* not used for DRR_SPILL blocks */
|
2017-08-23 23:54:24 +00:00
|
|
|
#define DRR_RAW_BYTESWAP (1<<1)
|
2010-05-28 20:45:14 +00:00
|
|
|
|
|
|
|
#define DRR_IS_DEDUP_CAPABLE(flags) ((flags) & DRR_CHECKSUM_DEDUP)
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
#define DRR_IS_RAW_BYTESWAPPED(flags) ((flags) & DRR_RAW_BYTESWAP)
|
2010-05-28 20:45:14 +00:00
|
|
|
|
2016-07-11 17:45:52 +00:00
|
|
|
/* deal with compressed drr_write replay records */
|
|
|
|
#define DRR_WRITE_COMPRESSED(drrw) ((drrw)->drr_compressiontype != 0)
|
|
|
|
#define DRR_WRITE_PAYLOAD_SIZE(drrw) \
|
|
|
|
(DRR_WRITE_COMPRESSED(drrw) ? (drrw)->drr_compressed_size : \
|
|
|
|
(drrw)->drr_logical_size)
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
#define DRR_SPILL_PAYLOAD_SIZE(drrs) \
|
2017-08-23 23:54:24 +00:00
|
|
|
((drrs)->drr_compressed_size ? \
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
(drrs)->drr_compressed_size : (drrs)->drr_length)
|
|
|
|
#define DRR_OBJECT_PAYLOAD_SIZE(drro) \
|
2017-08-23 23:54:24 +00:00
|
|
|
((drro)->drr_raw_bonuslen != 0 ? \
|
|
|
|
(drro)->drr_raw_bonuslen : P2ROUNDUP((drro)->drr_bonuslen, 8))
|
2016-07-11 17:45:52 +00:00
|
|
|
|
2008-11-20 20:01:55 +00:00
|
|
|
/*
|
|
|
|
* zfs ioctl command structure
|
|
|
|
*/
|
|
|
|
typedef struct dmu_replay_record {
|
|
|
|
enum {
|
|
|
|
DRR_BEGIN, DRR_OBJECT, DRR_FREEOBJECTS,
|
2010-05-28 20:45:14 +00:00
|
|
|
DRR_WRITE, DRR_FREE, DRR_END, DRR_WRITE_BYREF,
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
DRR_SPILL, DRR_WRITE_EMBEDDED, DRR_OBJECT_RANGE,
|
|
|
|
DRR_NUMTYPES
|
2008-11-20 20:01:55 +00:00
|
|
|
} drr_type;
|
|
|
|
uint32_t drr_payloadlen;
|
|
|
|
union {
|
|
|
|
struct drr_begin {
|
|
|
|
uint64_t drr_magic;
|
2010-05-28 20:45:14 +00:00
|
|
|
uint64_t drr_versioninfo; /* was drr_version */
|
2008-11-20 20:01:55 +00:00
|
|
|
uint64_t drr_creation_time;
|
|
|
|
dmu_objset_type_t drr_type;
|
|
|
|
uint32_t drr_flags;
|
|
|
|
uint64_t drr_toguid;
|
|
|
|
uint64_t drr_fromguid;
|
|
|
|
char drr_toname[MAXNAMELEN];
|
|
|
|
} drr_begin;
|
|
|
|
struct drr_end {
|
|
|
|
zio_cksum_t drr_checksum;
|
2010-05-28 20:45:14 +00:00
|
|
|
uint64_t drr_toguid;
|
2008-11-20 20:01:55 +00:00
|
|
|
} drr_end;
|
|
|
|
struct drr_object {
|
|
|
|
uint64_t drr_object;
|
|
|
|
dmu_object_type_t drr_type;
|
|
|
|
dmu_object_type_t drr_bonustype;
|
|
|
|
uint32_t drr_blksz;
|
|
|
|
uint32_t drr_bonuslen;
|
2010-05-28 20:45:14 +00:00
|
|
|
uint8_t drr_checksumtype;
|
2008-11-20 20:01:55 +00:00
|
|
|
uint8_t drr_compress;
|
Implement large_dnode pool feature
Justification
-------------
This feature adds support for variable length dnodes. Our motivation is
to eliminate the overhead associated with using spill blocks. Spill
blocks are used to store system attribute data (i.e. file metadata) that
does not fit in the dnode's bonus buffer. By allowing a larger bonus
buffer area the use of a spill block can be avoided. Spill blocks
potentially incur an additional read I/O for every dnode in a dnode
block. As a worst case example, reading 32 dnodes from a 16k dnode block
and all of the spill blocks could issue 33 separate reads. Now suppose
those dnodes have size 1024 and therefore don't need spill blocks. Then
the worst case number of blocks read is reduced to from 33 to two--one
per dnode block. In practice spill blocks may tend to be co-located on
disk with the dnode blocks so the reduction in I/O would not be this
drastic. In a badly fragmented pool, however, the improvement could be
significant.
ZFS-on-Linux systems that make heavy use of extended attributes would
benefit from this feature. In particular, ZFS-on-Linux supports the
xattr=sa dataset property which allows file extended attribute data
to be stored in the dnode bonus buffer as an alternative to the
traditional directory-based format. Workloads such as SELinux and the
Lustre distributed filesystem often store enough xattr data to force
spill bocks when xattr=sa is in effect. Large dnodes may therefore
provide a performance benefit to such systems.
Other use cases that may benefit from this feature include files with
large ACLs and symbolic links with long target names. Furthermore,
this feature may be desirable on other platforms in case future
applications or features are developed that could make use of a
larger bonus buffer area.
Implementation
--------------
The size of a dnode may be a multiple of 512 bytes up to the size of
a dnode block (currently 16384 bytes). A dn_extra_slots field was
added to the current on-disk dnode_phys_t structure to describe the
size of the physical dnode on disk. The 8 bits for this field were
taken from the zero filled dn_pad2 field. The field represents how
many "extra" dnode_phys_t slots a dnode consumes in its dnode block.
This convention results in a value of 0 for 512 byte dnodes which
preserves on-disk format compatibility with older software.
Similarly, the in-memory dnode_t structure has a new dn_num_slots field
to represent the total number of dnode_phys_t slots consumed on disk.
Thus dn->dn_num_slots is 1 greater than the corresponding
dnp->dn_extra_slots. This difference in convention was adopted
because, unlike on-disk structures, backward compatibility is not a
concern for in-memory objects, so we used a more natural way to
represent size for a dnode_t.
The default size for newly created dnodes is determined by the value of
a new "dnodesize" dataset property. By default the property is set to
"legacy" which is compatible with older software. Setting the property
to "auto" will allow the filesystem to choose the most suitable dnode
size. Currently this just sets the default dnode size to 1k, but future
code improvements could dynamically choose a size based on observed
workload patterns. Dnodes of varying sizes can coexist within the same
dataset and even within the same dnode block. For example, to enable
automatically-sized dnodes, run
# zfs set dnodesize=auto tank/fish
The user can also specify literal values for the dnodesize property.
These are currently limited to powers of two from 1k to 16k. The
power-of-2 limitation is only for simplicity of the user interface.
Internally the implementation can handle any multiple of 512 up to 16k,
and consumers of the DMU API can specify any legal dnode value.
The size of a new dnode is determined at object allocation time and
stored as a new field in the znode in-memory structure. New DMU
interfaces are added to allow the consumer to specify the dnode size
that a newly allocated object should use. Existing interfaces are
unchanged to avoid having to update every call site and to preserve
compatibility with external consumers such as Lustre. The new
interfaces names are given below. The versions of these functions that
don't take a dnodesize parameter now just call the _dnsize() versions
with a dnodesize of 0, which means use the legacy dnode size.
New DMU interfaces:
dmu_object_alloc_dnsize()
dmu_object_claim_dnsize()
dmu_object_reclaim_dnsize()
New ZAP interfaces:
zap_create_dnsize()
zap_create_norm_dnsize()
zap_create_flags_dnsize()
zap_create_claim_norm_dnsize()
zap_create_link_dnsize()
The constant DN_MAX_BONUSLEN is renamed to DN_OLD_MAX_BONUSLEN. The
spa_maxdnodesize() function should be used to determine the maximum
bonus length for a pool.
These are a few noteworthy changes to key functions:
* The prototype for dnode_hold_impl() now takes a "slots" parameter.
When the DNODE_MUST_BE_FREE flag is set, this parameter is used to
ensure the hole at the specified object offset is large enough to
hold the dnode being created. The slots parameter is also used
to ensure a dnode does not span multiple dnode blocks. In both of
these cases, if a failure occurs, ENOSPC is returned. Keep in mind,
these failure cases are only possible when using DNODE_MUST_BE_FREE.
If the DNODE_MUST_BE_ALLOCATED flag is set, "slots" must be 0.
dnode_hold_impl() will check if the requested dnode is already
consumed as an extra dnode slot by an large dnode, in which case
it returns ENOENT.
* The function dmu_object_alloc() advances to the next dnode block
if dnode_hold_impl() returns an error for a requested object.
This is because the beginning of the next dnode block is the only
location it can safely assume to either be a hole or a valid
starting point for a dnode.
* dnode_next_offset_level() and other functions that iterate
through dnode blocks may no longer use a simple array indexing
scheme. These now use the current dnode's dn_num_slots field to
advance to the next dnode in the block. This is to ensure we
properly skip the current dnode's bonus area and don't interpret it
as a valid dnode.
zdb
---
The zdb command was updated to display a dnode's size under the
"dnsize" column when the object is dumped.
For ZIL create log records, zdb will now display the slot count for
the object.
ztest
-----
Ztest chooses a random dnodesize for every newly created object. The
random distribution is more heavily weighted toward small dnodes to
better simulate real-world datasets.
Unused bonus buffer space is filled with non-zero values computed from
the object number, dataset id, offset, and generation number. This
helps ensure that the dnode traversal code properly skips the interior
regions of large dnodes, and that these interior regions are not
overwritten by data belonging to other dnodes. A new test visits each
object in a dataset. It verifies that the actual dnode size matches what
was stored in the ztest block tag when it was created. It also verifies
that the unused bonus buffer space is filled with the expected data
patterns.
ZFS Test Suite
--------------
Added six new large dnode-specific tests, and integrated the dnodesize
property into existing tests for zfs allow and send/recv.
Send/Receive
------------
ZFS send streams for datasets containing large dnodes cannot be received
on pools that don't support the large_dnode feature. A send stream with
large dnodes sets a DMU_BACKUP_FEATURE_LARGE_DNODE flag which will be
unrecognized by an incompatible receiving pool so that the zfs receive
will fail gracefully.
While not implemented here, it may be possible to generate a
backward-compatible send stream from a dataset containing large
dnodes. The implementation may be tricky, however, because the send
object record for a large dnode would need to be resized to a 512
byte dnode, possibly kicking in a spill block in the process. This
means we would need to construct a new SA layout and possibly
register it in the SA layout object. The SA layout is normally just
sent as an ordinary object record. But if we are constructing new
layouts while generating the send stream we'd have to build the SA
layout object dynamically and send it at the end of the stream.
For sending and receiving between pools that do support large dnodes,
the drr_object send record type is extended with a new field to store
the dnode slot count. This field was repurposed from unused padding
in the structure.
ZIL Replay
----------
The dnode slot count is stored in the uppermost 8 bits of the lr_foid
field. The bits were unused as the object id is currently capped at
48 bits.
Resizing Dnodes
---------------
It should be possible to resize a dnode when it is dirtied if the
current dnodesize dataset property differs from the dnode's size, but
this functionality is not currently implemented. Clearly a dnode can
only grow if there are sufficient contiguous unused slots in the
dnode block, but it should always be possible to shrink a dnode.
Growing dnodes may be useful to reduce fragmentation in a pool with
many spill blocks in use. Shrinking dnodes may be useful to allow
sending a dataset to a pool that doesn't support the large_dnode
feature.
Feature Reference Counting
--------------------------
The reference count for the large_dnode pool feature tracks the
number of datasets that have ever contained a dnode of size larger
than 512 bytes. The first time a large dnode is created in a dataset
the dataset is converted to an extensible dataset. This is a one-way
operation and the only way to decrement the feature count is to
destroy the dataset, even if the dataset no longer contains any large
dnodes. The complexity of reference counting on a per-dnode basis was
too high, so we chose to track it on a per-dataset basis similarly to
the large_block feature.
Signed-off-by: Ned Bass <bass6@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #3542
2016-03-17 01:25:34 +00:00
|
|
|
uint8_t drr_dn_slots;
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
uint8_t drr_flags;
|
|
|
|
uint32_t drr_raw_bonuslen;
|
2010-05-28 20:45:14 +00:00
|
|
|
uint64_t drr_toguid;
|
2017-11-08 19:12:59 +00:00
|
|
|
/* only (possibly) nonzero for raw streams */
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
uint8_t drr_indblkshift;
|
|
|
|
uint8_t drr_nlevels;
|
|
|
|
uint8_t drr_nblkptr;
|
2017-11-08 19:12:59 +00:00
|
|
|
uint8_t drr_pad[5];
|
|
|
|
uint64_t drr_maxblkid;
|
2008-11-20 20:01:55 +00:00
|
|
|
/* bonus content follows */
|
|
|
|
} drr_object;
|
|
|
|
struct drr_freeobjects {
|
|
|
|
uint64_t drr_firstobj;
|
|
|
|
uint64_t drr_numobjs;
|
2010-05-28 20:45:14 +00:00
|
|
|
uint64_t drr_toguid;
|
2008-11-20 20:01:55 +00:00
|
|
|
} drr_freeobjects;
|
|
|
|
struct drr_write {
|
|
|
|
uint64_t drr_object;
|
|
|
|
dmu_object_type_t drr_type;
|
|
|
|
uint32_t drr_pad;
|
|
|
|
uint64_t drr_offset;
|
2016-07-11 17:45:52 +00:00
|
|
|
uint64_t drr_logical_size;
|
2010-05-28 20:45:14 +00:00
|
|
|
uint64_t drr_toguid;
|
|
|
|
uint8_t drr_checksumtype;
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
uint8_t drr_flags;
|
2016-07-11 17:45:52 +00:00
|
|
|
uint8_t drr_compressiontype;
|
|
|
|
uint8_t drr_pad2[5];
|
|
|
|
/* deduplication key */
|
|
|
|
ddt_key_t drr_key;
|
|
|
|
/* only nonzero if drr_compressiontype is not 0 */
|
|
|
|
uint64_t drr_compressed_size;
|
2017-08-23 23:54:24 +00:00
|
|
|
/* only nonzero for raw streams */
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
uint8_t drr_salt[ZIO_DATA_SALT_LEN];
|
|
|
|
uint8_t drr_iv[ZIO_DATA_IV_LEN];
|
|
|
|
uint8_t drr_mac[ZIO_DATA_MAC_LEN];
|
2008-11-20 20:01:55 +00:00
|
|
|
/* content follows */
|
|
|
|
} drr_write;
|
|
|
|
struct drr_free {
|
|
|
|
uint64_t drr_object;
|
|
|
|
uint64_t drr_offset;
|
|
|
|
uint64_t drr_length;
|
2010-05-28 20:45:14 +00:00
|
|
|
uint64_t drr_toguid;
|
2008-11-20 20:01:55 +00:00
|
|
|
} drr_free;
|
2010-05-28 20:45:14 +00:00
|
|
|
struct drr_write_byref {
|
|
|
|
/* where to put the data */
|
|
|
|
uint64_t drr_object;
|
|
|
|
uint64_t drr_offset;
|
|
|
|
uint64_t drr_length;
|
|
|
|
uint64_t drr_toguid;
|
|
|
|
/* where to find the prior copy of the data */
|
|
|
|
uint64_t drr_refguid;
|
|
|
|
uint64_t drr_refobject;
|
|
|
|
uint64_t drr_refoffset;
|
|
|
|
/* properties of the data */
|
|
|
|
uint8_t drr_checksumtype;
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
uint8_t drr_flags;
|
2010-05-28 20:45:14 +00:00
|
|
|
uint8_t drr_pad2[6];
|
|
|
|
ddt_key_t drr_key; /* deduplication key */
|
|
|
|
} drr_write_byref;
|
|
|
|
struct drr_spill {
|
|
|
|
uint64_t drr_object;
|
|
|
|
uint64_t drr_length;
|
|
|
|
uint64_t drr_toguid;
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
uint8_t drr_flags;
|
|
|
|
uint8_t drr_compressiontype;
|
|
|
|
uint8_t drr_pad[6];
|
2017-08-23 23:54:24 +00:00
|
|
|
/* only nonzero for raw streams */
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
uint64_t drr_compressed_size;
|
|
|
|
uint8_t drr_salt[ZIO_DATA_SALT_LEN];
|
|
|
|
uint8_t drr_iv[ZIO_DATA_IV_LEN];
|
|
|
|
uint8_t drr_mac[ZIO_DATA_MAC_LEN];
|
|
|
|
dmu_object_type_t drr_type;
|
2010-05-28 20:45:14 +00:00
|
|
|
/* spill data follows */
|
|
|
|
} drr_spill;
|
2014-06-05 21:19:08 +00:00
|
|
|
struct drr_write_embedded {
|
|
|
|
uint64_t drr_object;
|
|
|
|
uint64_t drr_offset;
|
|
|
|
/* logical length, should equal blocksize */
|
|
|
|
uint64_t drr_length;
|
|
|
|
uint64_t drr_toguid;
|
|
|
|
uint8_t drr_compression;
|
|
|
|
uint8_t drr_etype;
|
|
|
|
uint8_t drr_pad[6];
|
|
|
|
uint32_t drr_lsize; /* uncompressed size of payload */
|
|
|
|
uint32_t drr_psize; /* compr. (real) size of payload */
|
|
|
|
/* (possibly compressed) content follows */
|
|
|
|
} drr_write_embedded;
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
struct drr_object_range {
|
|
|
|
uint64_t drr_firstobj;
|
|
|
|
uint64_t drr_numslots;
|
|
|
|
uint64_t drr_toguid;
|
|
|
|
uint8_t drr_salt[ZIO_DATA_SALT_LEN];
|
|
|
|
uint8_t drr_iv[ZIO_DATA_IV_LEN];
|
|
|
|
uint8_t drr_mac[ZIO_DATA_MAC_LEN];
|
|
|
|
uint8_t drr_flags;
|
|
|
|
uint8_t drr_pad[3];
|
|
|
|
} drr_object_range;
|
2015-07-06 03:20:31 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Nore: drr_checksum is overlaid with all record types
|
|
|
|
* except DRR_BEGIN. Therefore its (non-pad) members
|
|
|
|
* must not overlap with members from the other structs.
|
|
|
|
* We accomplish this by putting its members at the very
|
|
|
|
* end of the struct.
|
|
|
|
*/
|
|
|
|
struct drr_checksum {
|
|
|
|
uint64_t drr_pad[34];
|
|
|
|
/*
|
|
|
|
* fletcher-4 checksum of everything preceding the
|
|
|
|
* checksum.
|
|
|
|
*/
|
|
|
|
zio_cksum_t drr_checksum;
|
|
|
|
} drr_checksum;
|
2008-11-20 20:01:55 +00:00
|
|
|
} drr_u;
|
|
|
|
} dmu_replay_record_t;
|
|
|
|
|
2010-08-26 21:24:34 +00:00
|
|
|
/* diff record range types */
|
|
|
|
typedef enum diff_type {
|
|
|
|
DDR_NONE = 0x1,
|
|
|
|
DDR_INUSE = 0x2,
|
|
|
|
DDR_FREE = 0x4
|
|
|
|
} diff_type_t;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* The diff reports back ranges of free or in-use objects.
|
|
|
|
*/
|
|
|
|
typedef struct dmu_diff_record {
|
|
|
|
uint64_t ddr_type;
|
|
|
|
uint64_t ddr_first;
|
|
|
|
uint64_t ddr_last;
|
|
|
|
} dmu_diff_record_t;
|
|
|
|
|
2008-11-20 20:01:55 +00:00
|
|
|
typedef struct zinject_record {
|
|
|
|
uint64_t zi_objset;
|
|
|
|
uint64_t zi_object;
|
|
|
|
uint64_t zi_start;
|
|
|
|
uint64_t zi_end;
|
|
|
|
uint64_t zi_guid;
|
|
|
|
uint32_t zi_level;
|
|
|
|
uint32_t zi_error;
|
|
|
|
uint64_t zi_type;
|
|
|
|
uint32_t zi_freq;
|
2009-07-02 22:44:48 +00:00
|
|
|
uint32_t zi_failfast;
|
2010-05-28 20:45:14 +00:00
|
|
|
char zi_func[MAXNAMELEN];
|
|
|
|
uint32_t zi_iotype;
|
|
|
|
int32_t zi_duration;
|
|
|
|
uint64_t zi_timer;
|
2016-05-23 17:41:29 +00:00
|
|
|
uint64_t zi_nlanes;
|
2013-04-29 22:49:23 +00:00
|
|
|
uint32_t zi_cmd;
|
|
|
|
uint32_t zi_pad;
|
2008-11-20 20:01:55 +00:00
|
|
|
} zinject_record_t;
|
|
|
|
|
|
|
|
#define ZINJECT_NULL 0x1
|
|
|
|
#define ZINJECT_FLUSH_ARC 0x2
|
|
|
|
#define ZINJECT_UNLOAD_SPA 0x4
|
|
|
|
|
2014-02-12 18:30:18 +00:00
|
|
|
#define ZEVENT_NONE 0x0
|
2010-08-26 18:42:43 +00:00
|
|
|
#define ZEVENT_NONBLOCK 0x1
|
|
|
|
#define ZEVENT_SIZE 1024
|
|
|
|
|
2013-11-22 22:52:16 +00:00
|
|
|
#define ZEVENT_SEEK_START 0
|
|
|
|
#define ZEVENT_SEEK_END UINT64_MAX
|
|
|
|
|
2017-06-17 00:21:11 +00:00
|
|
|
/* scaled frequency ranges */
|
|
|
|
#define ZI_PERCENTAGE_MIN 4294UL
|
|
|
|
#define ZI_PERCENTAGE_MAX UINT32_MAX
|
|
|
|
|
2013-04-29 22:49:23 +00:00
|
|
|
typedef enum zinject_type {
|
|
|
|
ZINJECT_UNINITIALIZED,
|
|
|
|
ZINJECT_DATA_FAULT,
|
|
|
|
ZINJECT_DEVICE_FAULT,
|
|
|
|
ZINJECT_LABEL_FAULT,
|
|
|
|
ZINJECT_IGNORED_WRITES,
|
|
|
|
ZINJECT_PANIC,
|
|
|
|
ZINJECT_DELAY_IO,
|
2018-05-02 22:36:20 +00:00
|
|
|
ZINJECT_DECRYPT_FAULT,
|
2013-04-29 22:49:23 +00:00
|
|
|
} zinject_type_t;
|
|
|
|
|
2008-11-20 20:01:55 +00:00
|
|
|
typedef struct zfs_share {
|
|
|
|
uint64_t z_exportdata;
|
|
|
|
uint64_t z_sharedata;
|
|
|
|
uint64_t z_sharetype; /* 0 = share, 1 = unshare */
|
|
|
|
uint64_t z_sharemax; /* max length of share string */
|
|
|
|
} zfs_share_t;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* ZFS file systems may behave the usual, POSIX-compliant way, where
|
|
|
|
* name lookups are case-sensitive. They may also be set up so that
|
|
|
|
* all the name lookups are case-insensitive, or so that only some
|
|
|
|
* lookups, the ones that set an FIGNORECASE flag, are case-insensitive.
|
|
|
|
*/
|
|
|
|
typedef enum zfs_case {
|
|
|
|
ZFS_CASE_SENSITIVE,
|
|
|
|
ZFS_CASE_INSENSITIVE,
|
|
|
|
ZFS_CASE_MIXED
|
|
|
|
} zfs_case_t;
|
|
|
|
|
2016-01-06 21:22:48 +00:00
|
|
|
/*
|
|
|
|
* Note: this struct must have the same layout in 32-bit and 64-bit, so
|
|
|
|
* that 32-bit processes (like /sbin/zfs) can pass it to the 64-bit
|
|
|
|
* kernel. Therefore, we add padding to it so that no "hidden" padding
|
|
|
|
* is automatically added on 64-bit (but not on 32-bit).
|
|
|
|
*/
|
2008-11-20 20:01:55 +00:00
|
|
|
typedef struct zfs_cmd {
|
2013-08-28 11:45:09 +00:00
|
|
|
char zc_name[MAXPATHLEN]; /* name of pool or dataset */
|
|
|
|
uint64_t zc_nvlist_src; /* really (char *) */
|
|
|
|
uint64_t zc_nvlist_src_size;
|
|
|
|
uint64_t zc_nvlist_dst; /* really (char *) */
|
|
|
|
uint64_t zc_nvlist_dst_size;
|
|
|
|
boolean_t zc_nvlist_dst_filled; /* put an nvlist in dst? */
|
|
|
|
int zc_pad2;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* The following members are for legacy ioctls which haven't been
|
|
|
|
* converted to the new method.
|
|
|
|
*/
|
|
|
|
uint64_t zc_history; /* really (char *) */
|
2008-11-20 20:01:55 +00:00
|
|
|
char zc_value[MAXPATHLEN * 2];
|
|
|
|
char zc_string[MAXNAMELEN];
|
|
|
|
uint64_t zc_guid;
|
|
|
|
uint64_t zc_nvlist_conf; /* really (char *) */
|
|
|
|
uint64_t zc_nvlist_conf_size;
|
|
|
|
uint64_t zc_cookie;
|
|
|
|
uint64_t zc_objset_type;
|
|
|
|
uint64_t zc_perm_action;
|
2013-08-28 11:45:09 +00:00
|
|
|
uint64_t zc_history_len;
|
2008-11-20 20:01:55 +00:00
|
|
|
uint64_t zc_history_offset;
|
|
|
|
uint64_t zc_obj;
|
2009-07-02 22:44:48 +00:00
|
|
|
uint64_t zc_iflags; /* internal to zfs(7fs) */
|
2008-11-20 20:01:55 +00:00
|
|
|
zfs_share_t zc_share;
|
|
|
|
dmu_objset_stats_t zc_objset_stats;
|
2016-06-10 00:04:12 +00:00
|
|
|
struct drr_begin zc_begin_record;
|
2008-11-20 20:01:55 +00:00
|
|
|
zinject_record_t zc_inject_record;
|
2014-06-05 21:19:08 +00:00
|
|
|
uint32_t zc_defer_destroy;
|
|
|
|
uint32_t zc_flags;
|
2010-08-26 21:24:34 +00:00
|
|
|
uint64_t zc_action_handle;
|
|
|
|
int zc_cleanup_fd;
|
2012-05-29 17:50:50 +00:00
|
|
|
uint8_t zc_simple;
|
2016-06-10 00:04:12 +00:00
|
|
|
uint8_t zc_pad[3]; /* alignment */
|
2010-08-26 21:24:34 +00:00
|
|
|
uint64_t zc_sendobj;
|
|
|
|
uint64_t zc_fromobj;
|
|
|
|
uint64_t zc_createtxg;
|
|
|
|
zfs_stat_t zc_stat;
|
2008-11-20 20:01:55 +00:00
|
|
|
} zfs_cmd_t;
|
|
|
|
|
2009-07-02 22:44:48 +00:00
|
|
|
typedef struct zfs_useracct {
|
|
|
|
char zu_domain[256];
|
|
|
|
uid_t zu_rid;
|
|
|
|
uint32_t zu_pad;
|
|
|
|
uint64_t zu_space;
|
|
|
|
} zfs_useracct_t;
|
|
|
|
|
2010-08-26 21:24:34 +00:00
|
|
|
#define ZFSDEV_MAX_MINOR (1 << 16)
|
|
|
|
#define ZFS_MIN_MINOR (ZFSDEV_MAX_MINOR + 1)
|
2008-11-20 20:01:55 +00:00
|
|
|
|
2010-05-28 20:45:14 +00:00
|
|
|
#define ZPOOL_EXPORT_AFTER_SPLIT 0x1
|
|
|
|
|
2008-11-20 20:01:55 +00:00
|
|
|
#ifdef _KERNEL
|
2018-02-08 16:16:23 +00:00
|
|
|
struct objset;
|
|
|
|
struct zfsvfs;
|
2008-11-20 20:01:55 +00:00
|
|
|
|
|
|
|
typedef struct zfs_creat {
|
|
|
|
nvlist_t *zct_zplprops;
|
|
|
|
nvlist_t *zct_props;
|
|
|
|
} zfs_creat_t;
|
|
|
|
|
2018-02-08 16:16:23 +00:00
|
|
|
extern int zfs_secpolicy_snapshot_perms(const char *, cred_t *);
|
|
|
|
extern int zfs_secpolicy_rename_perms(const char *, const char *, cred_t *);
|
|
|
|
extern int zfs_secpolicy_destroy_perms(const char *, cred_t *);
|
2018-02-08 16:32:45 +00:00
|
|
|
extern void zfs_unmount_snap(const char *);
|
2013-09-04 12:00:57 +00:00
|
|
|
extern void zfs_destroy_unmount_origin(const char *);
|
2018-02-08 16:16:23 +00:00
|
|
|
extern boolean_t dataset_name_hidden(const char *);
|
|
|
|
extern int getzfsvfs_impl(struct objset *, struct zfsvfs **);
|
2018-02-08 16:32:45 +00:00
|
|
|
extern int getzfsvfs(const char *, struct zfsvfs **);
|
2013-12-06 22:20:22 +00:00
|
|
|
|
2010-08-26 18:44:39 +00:00
|
|
|
enum zfsdev_state_type {
|
|
|
|
ZST_ONEXIT,
|
|
|
|
ZST_ZEVENT,
|
|
|
|
ZST_ALL,
|
2010-08-26 21:24:34 +00:00
|
|
|
};
|
|
|
|
|
2014-05-08 14:51:01 +00:00
|
|
|
/*
|
|
|
|
* The zfsdev_state_t structure is managed as a singly-linked list
|
|
|
|
* from which items are never deleted. This allows for lock-free
|
|
|
|
* reading of the list so long as assignments to the zs_next and
|
|
|
|
* reads from zs_minor are performed atomically. Empty items are
|
|
|
|
* indicated by storing -1 into zs_minor.
|
|
|
|
*/
|
2010-08-26 18:44:39 +00:00
|
|
|
typedef struct zfsdev_state {
|
2014-05-08 14:51:01 +00:00
|
|
|
struct zfsdev_state *zs_next; /* next zfsdev_state_t link */
|
2010-08-26 18:44:39 +00:00
|
|
|
struct file *zs_file; /* associated file struct */
|
|
|
|
minor_t zs_minor; /* made up minor number */
|
|
|
|
void *zs_onexit; /* onexit data */
|
|
|
|
void *zs_zevent; /* zevent data */
|
|
|
|
} zfsdev_state_t;
|
2010-08-26 21:24:34 +00:00
|
|
|
|
2010-08-26 18:44:39 +00:00
|
|
|
extern void *zfsdev_get_state(minor_t minor, enum zfsdev_state_type which);
|
2015-04-16 13:20:02 +00:00
|
|
|
extern int zfsdev_getminor(struct file *filp, minor_t *minorp);
|
2010-08-26 21:24:34 +00:00
|
|
|
extern minor_t zfsdev_minor_alloc(void);
|
|
|
|
|
2008-11-20 20:01:55 +00:00
|
|
|
#endif /* _KERNEL */
|
|
|
|
|
|
|
|
#ifdef __cplusplus
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#endif /* _SYS_ZFS_IOCTL_H */
|