Allow block cloning across encrypted datasets. Rebase #14705 to master, added tests.

[oromenahar]

Block cloning is now possible between two encrypted datasets that share the same encryption root.
This is a rebase of #14705 from @pjd and new tests. Sorry don't know how to add new commits to the old PR.

Motivation and Context

Tests are important for this feature. And we can fix a lot with good tests, before handling it to any user.

Description

The tests are described in the commit message.
There is a problem, with childs and siblings. They don't share the same encryption root. Every master key contains a key, an init Vector and a hmac. I guess that the init Vector and/or hmac changes when creating a child. But wanna throw this against the full pipeline. I'm working currently on encryption and key handling, but there is not that much time for me. Until I figure this out, it's just a quick guess without any deep dive and I wanna see the pipeline results.

Missing tests

If I forgot to test something just describe the test and I'm going to add it later.

• cloning from non-encrypted to encrypted datasets
• cloning from encrypted to non-encrypted datasets
• cloning from a snapshot dir to a filesystem that is not the source of that snapshot
• cloning from a filesystem created from a snapshot clone to another unrelated dataset
• moving dataset to a new encryption root
• And so on. Probably some positive versions of these too.
• send | recv (change key) -> clone

How Has This Been Tested?

By running the new test for this.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Performance enhancement (non-breaking change which improves efficiency)
• Code cleanup (non-breaking change which makes code smaller or more readable)
• Breaking change (fix or feature that would cause existing functionality to change)
• Library ABI change (libzfs, libzfs_core, libnvpair, libuutil and libzfsbootenv)
• Documentation (a change to man pages or other documentation)

Checklist:

• My code follows the OpenZFS code style requirements.
• I have updated the documentation accordingly.
• I have read the contributing document.
• I have added tests to cover my changes.
• I have run the ZFS Test Suite with this change applied.
• All commit messages are properly formatted and contain Signed-off-by.

[oromenahar]

The important case to recover a file from a snapshot is working. So happy recovering files from snapshots.

[robn]

No. See analysis in #14705 (comment) . Cloning encrypted blocks is only possible if they share the same master key, which it can only be between a dataset, its snapshots, and cloned datasets created from those snapshots. The encryption root is irrelevant, as that's only the holder of the wrapping key used to unlock the master key (datasets can be moved to another encryption root).

[mmatuska]

We cannot check against the common encryption root.

Here is a test that makes this not work:

zfs create -o mountpoint=none -o encryption=on -o keyformat=passphrase rpool/ENC1
zfs create rpool/ENC1/ds1
zfs create -o mountpoint=none -o encryption=on -o keyformat=passphrase rpool/ENC2
zfs create rpool/ENC2/ds2
zfs change-key -o keyformat=passphrase rpool/ENC2/ds2
zfs rename rpool/ENC2/ds2 rpool/ENC1/ds2
zfs change-key -i rpool/ENC1/ds2

Now the datasets rpool/ENC1/ds1 and rpool/ENC1/ds2 are under the same encryption root but have different master keys.
Now just copy_file_range(2) a file from ds1 to ds2 and you get a read error when reading the file from ds2.

The safest way would be to compare master keys (or check if the same master key is used), the second safest to allow only snapshots and clones of the same dataset because they have to use the same key.

[scineram]

Encrypted dedup already works only within clone family (same master key). How does the check for that work?

[mmatuska]

@oromenahar @robn I have created #15545 that does the right job IMO

[oromenahar]

I have updated my PR with @mmatuska code. The tests are sucessfull.
There is a function called spa_crypto_key_compare I think we should use this to compare the crypto_keys.

[mmatuska]

I have updated my PR with @mmatuska code. The tests are sucessfull. There is a function called spa_crypto_key_compare I think we should use this to compare the crypto_keys.

I agree we can use spa_crypto_key_compare().
But this functions returns -1, 0 or 1, so we should probably change:

if (spa != dmu_objset_spa(osb))
	return (1);

to this:

if (spa != dmu_objset_spa(osb))
	return (SET_ERROR(EINVAL));

For debugging purposes.

[oromenahar]

if (spa != dmu_objset_spa(osb))
	return (1);

do we even need to check if the spa is the same? And I would say even if they are not the same, the crypto key can't be the same, so the comparing is doing what I expect. Telling me, thats different doesn't matter on what condition. It don't tells you exactly why it's not the same. But this can have several reasons.

If I would change something, it would be

	ret = spa_keystore_lookup_key(spa, obja, FTAG, &dcka);
	if (ret != 0)
		return (ret);

to

	ret = spa_keystore_lookup_key(spa, obja, FTAG, &dcka);
	if (ret != 0)
		return (1);

Or even change it to boolean_t as a return value. Which is just true or false without any error.

All of this is not how the return values of for example memcmp function works but the closest possible solution.

I'm curious to receive your feedback @mmatuska .

[robn]

I am extremely nervous about getting this wrong, so I would like to see a lot of negative tests as well, for things that shouldn't work:

• cloning from non-encrypted to encrypted datasets
• cloning from encrypted to non-encrypted datasets
• cloning from a snapshot dir to a filesystem that is not the source of that snapshot
• cloning from a filesystem created from a snapshot clone to another unrelated dataset
  And so on. Probably some positive versions of these too.

[oromenahar]

Good point for the test. Thanks for the suggestions, add it later.

[Majiir]

This checks that the datasets have the same dsl_crypto_key, which includes the wrapping key. I think that means two datasets with the same master key can have different dsl_crypto_key if one of them had its encryption root changed.

We could instead compare zk_guid which should match as long as the underlying master key is the same. I have a branch with this check, I'll clean it up and share. We should also add a test around this.

[Majiir]

6001dad switches the check to zk_guid and also cleans up the comparison logic according to other review comments.

I'm working on test cases. So far, I have found that performing a raw send into the same pool and then changing the key of one of the datasets is a reasonable way to end up with two different datasets with different encryption roots and the same master key.

[oromenahar]

@Majiir I'm not sure actually. Changing the raw "master" key should be possible unless reencryption/changing the master key will be implemented. spa_crypto_key_compare uses the dck_obj wich should be unique for every master key. This represents the ID of ZAP object. I think this should be the same for a shared master key, shouldn't it?

[oromenahar]

Oh than the ZAP-ID could be different. Maybe you are right. Than spa_crypto_key_compare wouldn't return the truth, if you are right? Not sure, going to debug it in the next days. Thanks for the implementation and the commit.

[Majiir]

The on-disk structure is the wrapping key, not the master key. It's possible in principle for the same master key to be stored in multiple wrapping keys. In those cases, we would expect dck_obj to differ but the master key (and zk_guid) to match.

In testing, I verified with the send | recv+change-key scenario that using spa_crypto_key_compare does not allow block cloning, while it works using the commit I linked above.

[Majiir]

While building tests for this, I ran into a bug where ZFS crashes after send | recv+change-key+cp from another encrypted dataset. Crash log is here.

I still need to get the ZFS test suite running, but for now I have a reproducer in the form of a NixOS VM test. You don't need NixOS to run it, just the Nix package manager, which can run on your (Linux) distro of choice. To run it:

nix run github:Majiir/nixpkgs/35f0c1ad00cf4d72eeb7ffcc78e2e2a1037c6a07#nixosTests.zfs-block-cloning.stable.driver

You can find the test script here.

I tried applying #15543 and it didn't fix the issue.

[oromenahar]

@Majiir do you tested if the wrapping key is different when using send | recv + something....?
If this is so I would a hint to the original crypto_compare_function used a few minutes ago.

How did you crash this? Are you waiting for the sync before doing anything? Do you think it's related to this PR? Was sick last weekend and didn't had time to test/read your nix.

[Majiir]

The crash no longer occurs on latest master (8ad73bf at time of writing) and block cloning works between the original filesystem and the send/recv'd one. 🎉

[oromenahar]

I'm added a list the the first post which contains the missing tests and will later contains a tests wich are implemented. I'm going to update this list when adding a test or somebody suggest a test. I will push a new version of this, including an equal-function (@amotin suggestion), when I added tests, and the discussion with the documentation is finished. Until than I need a nap.

[amotin]

Looks good to me. Just fix checkstyle and few comments.

[oromenahar]

I think we covered a lot of thoughts on three different PRs while working on encrypted cross clone. I prefer if this is merged to master. I want to create an issue to collect different possible test scenarios. I will than create a PR and update the new PR with the tests from time to time. Not all of the tests named above is written by now. But I want that people can see this issue and provide ideas. I would mange this a little bit.

All of this different scenarios must not be based on encrypted cross clone and wouldn't be super related to this PR. I covered some of the important scenarios with test. (hope so)
All of them are working as expected.

Do you think we can merge this @behlendorf and @amotin ?

[oromenahar]

@robn can you please check the test block-cloning kshlib? I changed it to the cross-plattform md5digest as well, and this is your code.