c/mirror_zfs
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_zfs.git synced 2026-03-22 08:51:30 +03:00
Code Issues Packages Projects Releases Wiki Activity

zdb: add ZFS_KEYFORMAT_RAW support for -K option

Browse Source 
This change adds support for ZFS_KEYFORMAT_RAW to zdb_derive_key in 
zdb.c. The implementation reads the raw key from the file specified 
by the -K option which is consistent with how raw keys are handled in 
the other parts of ZFS, along with a check to ensure that the keyfile 
doesn't have too many bytes.

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Patrick Xia <patrickx@google.com>
Closes #17783
This commit is contained in:
patrickxia 2025-09-25 15:05:42 -04:00 committed by Brian Behlendorf
parent 460858dfd6
commit e1a6ec42d4
4 changed files with 100 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
cmd/zdb/zdb.c
View File

@ -3301,6 +3301,7 @@ zdb_derive_key(dsl_dir_t *dd, uint8_t *key_out)
uint64_t keyformat, salt, iters; uint64_t keyformat, salt, iters;
int i; int i;
unsigned char c; unsigned char c;
FILE *f;
VERIFY0(zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj, VERIFY0(zap_lookup(dd->dd_pool->dp_meta_objset, dd->dd_crypto_obj,
zfs_prop_to_name(ZFS_PROP_KEYFORMAT), sizeof (uint64_t), zfs_prop_to_name(ZFS_PROP_KEYFORMAT), sizeof (uint64_t),
@ -3333,6 +3334,25 @@ zdb_derive_key(dsl_dir_t *dd, uint8_t *key_out)
break; break;
case ZFS_KEYFORMAT_RAW:
if ((f = fopen(key_material, "r")) == NULL)
return (B_FALSE);
if (fread(key_out, 1, WRAPPING_KEY_LEN, f) !=
WRAPPING_KEY_LEN) {
(void) fclose(f);
return (B_FALSE);
}
/* Check the key length */
if (fgetc(f) != EOF) {
(void) fclose(f);
return (B_FALSE);
}
(void) fclose(f);
break;
default: default:
fatal("no support for key format %u\n", fatal("no support for key format %u\n",
(unsigned int) keyformat); (unsigned int) keyformat);

8
tests/runfiles/common.run
View File

@ -168,10 +168,10 @@ tags = ['functional', 'cli_root', 'zinject']
tests = ['zdb_002_pos', 'zdb_003_pos', 'zdb_004_pos', 'zdb_005_pos', tests = ['zdb_002_pos', 'zdb_003_pos', 'zdb_004_pos', 'zdb_005_pos',
'zdb_006_pos', 'zdb_args_neg', 'zdb_args_pos', 'zdb_006_pos', 'zdb_args_neg', 'zdb_args_pos',
'zdb_block_size_histogram', 'zdb_checksum', 'zdb_decompress', 'zdb_block_size_histogram', 'zdb_checksum', 'zdb_decompress',
'zdb_display_block', 'zdb_encrypted', 'zdb_label_checksum', 'zdb_display_block', 'zdb_encrypted', 'zdb_encrypted_raw',
'zdb_object_range_neg', 'zdb_object_range_pos', 'zdb_objset_id', 'zdb_label_checksum', 'zdb_object_range_neg', 'zdb_object_range_pos',
'zdb_decompress_zstd', 'zdb_recover', 'zdb_recover_2', 'zdb_backup', 'zdb_objset_id', 'zdb_decompress_zstd', 'zdb_recover', 'zdb_recover_2',
'zdb_tunables'] 'zdb_backup', 'zdb_tunables']
pre = pre =
post = post =
tags = ['functional', 'cli_root', 'zdb'] tags = ['functional', 'cli_root', 'zdb']

1
tests/zfs-tests/tests/Makefile.am
View File

@ -640,6 +640,7 @@ nobase_dist_datadir_zfs_tests_tests_SCRIPTS += \
functional/cli_root/zdb/zdb_decompress_zstd.ksh \ functional/cli_root/zdb/zdb_decompress_zstd.ksh \
functional/cli_root/zdb/zdb_display_block.ksh \ functional/cli_root/zdb/zdb_display_block.ksh \
functional/cli_root/zdb/zdb_encrypted.ksh \ functional/cli_root/zdb/zdb_encrypted.ksh \
functional/cli_root/zdb/zdb_encrypted_raw.ksh \
functional/cli_root/zdb/zdb_label_checksum.ksh \ functional/cli_root/zdb/zdb_label_checksum.ksh \
functional/cli_root/zdb/zdb_object_range_neg.ksh \ functional/cli_root/zdb/zdb_object_range_neg.ksh \
functional/cli_root/zdb/zdb_object_range_pos.ksh \ functional/cli_root/zdb/zdb_object_range_pos.ksh \

75
tests/zfs-tests/tests/functional/cli_root/zdb/zdb_encrypted_raw.ksh Executable file
View File

@ -0,0 +1,75 @@
#!/bin/ksh -p
# SPDX-License-Identifier: CDDL-1.0
#
# CDDL HEADER START
#
# This file and its contents are supplied under the terms of the
# Common Development and Distribution License ("CDDL"), version 1.0.
# You may only use this file in accordance with the terms of version
# 1.0 of the CDDL.
#
# A full copy of the text of the CDDL should have accompanied this
# source. A copy of the CDDL is also available via the Internet at
# http://www.illumos.org/license/CDDL.
#
# CDDL HEADER END
#
#
# Copyright (c) 2023, Klara Inc.
#
. $STF_SUITE/include/libtest.shlib
. $STF_SUITE/tests/functional/cli_root/zfs_load-key/zfs_load-key_common.kshlib
#
# DESCRIPTION:
# 'zdb -K ...' should enable reading from a raw-encrypted dataset
#
# STRATEGY:
# 1. Create an encrypted dataset
# 2. Write some data to a file
# 3. Run zdb -dddd on the file, confirm it can't be read
# 4. Run zdb -K ... -ddddd on the file, confirm it can be read
#
verify_runnable "both"
dataset="$TESTPOOL/$TESTFS2"
file="$TESTDIR2/somefile"
keyfile="$TEST_BASE_DIR/keyfile"
function cleanup
{
datasetexists "$dataset" && destroy_dataset "$dataset" -f
rm -f "$keyfile"
default_cleanup_noexit
}
log_onexit cleanup
log_must default_setup_noexit $DISKS
log_assert "'zdb -K' should enable reading from a raw-encrypted dataset"
# The key must be 32 bytes long.
echo -n "$RAWKEY" > "$keyfile"
log_must zfs create -o mountpoint="$TESTDIR2" \
-o encryption=on -o keyformat=raw -o keylocation="file://$keyfile" \
"$dataset"
echo 'my great encrypted text' > "$file"
typeset -i obj=$(ls -i "$file" | cut -d' ' -f1)
typeset -i size=$(wc -c < "$file")
log_note "test file $file is objid $obj, size $size"
sync_pool "$TESTPOOL" true
log_must eval "zdb -dddd $dataset $obj | grep -q 'object encrypted'"
log_must eval "zdb -K $keyfile -dddd $dataset $obj | grep -q 'size\s$size$'"
log_pass "'zdb -K' enables reading from a raw-encrypted dataset"