bugzilla-daemon at defect.opensolaris.org
2008-May-29 06:33 UTC
[Bug 2074] New: zvol_encrypt_001 leaking data that should be encrypted
http://defect.opensolaris.org/bz/show_bug.cgi?id=2074
Summary: zvol_encrypt_001 leaking data that should be encrypted
Classification: Development
Product: zfs-crypto
Version: unspecified
Platform: Other
OS/Version: Solaris
Status: NEW
Severity: major
Priority: P2
Component: other
AssignedTo: ajscarp at yahoo.com
ReportedBy: ajscarp at yahoo.com
QAContact: hua.tang at sun.com
CC: zfs-crypto-discuss at opensolaris.org
Estimated Hours: 0.0
stdout| 1571| /usr/sbin/mkfile 1g /export/home/vdev_file_1
stdout| 1571| /usr/sbin/zpool create -f -o keysource=hex,file:///net/borg/cube/builds/izick/zfscrypto-test/proto/suites/security/zfs-crypto/etc/hex_key_file pool_1571_1 /export/home/vdev_file_1
stdout| 1571| DEBUG: use_key_material salt (0)
stdout| DEBUG: use_key_material outkey (843720)=9adf6ac44655ccc414a5e9197a34c52731f5fe8d9191a7cd3811ab6f69f1078
stdout| DEBUG: use_key_material zic_keylen (32)
stdout| DEBUG: use_key_material zic_key (843720)
stdout| DEBUG: zic_keydata (843720)
stdout| DEBUG: create salt = 0
stdout| DEBUG: cry->key_data_len = 0
stdout| DEBUG: zc->zc_crypto.zic_keydatalen = 32
stdout| DEBUG: keydata=9adf6ac44655ccc414a5e9197a34c52731f5fe8d9191a7cd3811ab6f69f1078
stdout| 1571| /usr/sbin/zfs create -o encryption=on -V 200m pool_1571_1/vol_1
stdout| 1571| /usr/sbin/zpool create -f vol_pool_1 /dev/zvol/dsk/pool_1571_1/vol_1
stdout| 1571| cp /net/borg/cube/builds/izick/zfscrypto-test/proto/suites/security/zfs-crypto/etc/file1.txt /vol_pool_1
stdout| 1571| cp /net/borg/cube/builds/izick/zfscrypto-test/proto/suites/security/zfs-crypto/etc/file2.txt /vol_pool_1
stdout| 1571| cp /net/borg/cube/builds/izick/zfscrypto-test/proto/suites/security/zfs-crypto/etc/file3.txt /vol_pool_1
stdout| 1571| cp /net/borg/cube/builds/izick/zfscrypto-test/proto/suites/security/zfs-crypto/etc/file4.txt /vol_pool_1
stdout| 1571| cp /net/borg/cube/builds/izick/zfscrypto-test/proto/suites/security/zfs-crypto/etc/file5.txt /vol_pool_1
stdout| 1571| cp /net/borg/cube/builds/izick/zfscrypto-test/proto/suites/security/zfs-crypto/etc/file6.txt /vol_pool_1
stdout| 1571| cp /net/borg/cube/builds/izick/zfscrypto-test/proto/suites/security/zfs-crypto/etc/file7.txt /vol_pool_1
stdout| 1571| cp /net/borg/cube/builds/izick/zfscrypto-test/proto/suites/security/zfs-crypto/etc/Hamlet.txt /vol_pool_1
stdout| 1571| /usr/sbin/zpool export vol_pool_1
stdout| 1571| /usr/sbin/zpool export pool_1571_1
Msg| 1571 | [ - Progress ]
Msg| 1571 | Testing data on ZVOL is encrypted
Msg| 1571 |
stdout| 1571| Checking data on the disk. It may take several minutes. Please be patient.
stdout| 1571| Error: clear text was found in the strings output
Msg| 1571 | [ - Result ]
Msg| 1571 | RESULT: FAIL
----
Doing a strings on vdev_file_1, there are a lot of A's, as if one of the files containing "A" was not encrypted.
The part that is curious about this is a clear text dataset (/vol_pool_1) is contained in an encrypted volume pool_1571_1/vol_1. Is it possible the kernel is clear text dataset is overriding the encryption?
It would appear not to be a result of residual data on the hard disk since mkfile zeroes the file.
--
Configure bugmail: http://defect.opensolaris.org/bz/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
bugzilla-daemon at defect.opensolaris.org
2008-May-29 14:59 UTC
[Bug 2074] zvol_encrypt_001 leaking data that should be encrypted
http://defect.opensolaris.org/bz/show_bug.cgi?id=2074
Darren J Moffat <darrenm at opensolaris.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Priority|P2 |P1
Severity|major |blocker
CC| |darrenm at opensolaris.org
Status|NEW |ACCEPTED
--- Comment #1 from Darren J Moffat <darrenm at opensolaris.org>
2008-05-29 07:59:17 ---
I've reproduced this.
I'm a little confused because I see stuff going through the zio pipeline and being encrypted, yet there really is cleartext when I run strings over the hosting zvol.
bugzilla-daemon at defect.opensolaris.org
2008-May-29 15:19 UTC
[Bug 2074] zvol_encrypt_001 leaking data that should be encrypted
http://defect.opensolaris.org/bz/show_bug.cgi?id=2074
Darren J Moffat <darrenm at opensolaris.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ACCEPTED |FIXINPROGRESS
--- Comment #2 from Darren J Moffat <darrenm at opensolaris.org>
2008-05-29 08:19:30 ---
This is similar to the ZIL case. I believe the fix is to do in
zvol_log_write() what was done in zfs_log_write() which is to never use
WR_INDIRECT when encryption is enabled for the dataset.
diff -r f30d4d60a670 usr/src/uts/common/fs/zfs/zvol.c
--- a/usr/src/uts/common/fs/zfs/zvol.c Thu May 29 15:40:23 2008 +0100
+++ b/usr/src/uts/common/fs/zfs/zvol.c Thu May 29 16:15:27 2008 +0100
@@ -1124,8 +1124,12 @@
ssize_t nbytes = MIN(len, blocksize - P2PHASE(off, blocksize));
itx_t *itx = zil_itx_create(TX_WRITE, sizeof (*lr));
- itx->itx_wr_state - len >
zvol_immediate_write_sz ? WR_INDIRECT :
WR_NEED_COPY;
+ if (len > zvol_immediate_write_sz &&
+ zv->zv_objset->os_crypt != ZIO_CRYPT_OFF) {
+ itx->itx_wr_state = WR_INDIRECT;
+ } else {
+ itx->itx_wr_state = WR_NEED_COPY;
+ }
itx->itx_private = zv;
lr = (lr_write_t *)&itx->itx_lr
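Review bot: The condition in the added if looks inverted relative to the stated intent of never using WR_INDIRECT when encryption is enabled. As written, `zv->zv_objset->os_crypt != ZIO_CRYPT_OFF` selects WR_INDIRECT only when encryption is on, and every write to an unencrypted zvol now falls through to WR_NEED_COPY regardless of size. Testing `os_crypt == ZIO_CRYPT_OFF` instead would keep large unencrypted writes on WR_INDIRECT and force WR_NEED_COPY for encrypted datasets. A short comment above the branch saying why encrypted datasets avoid WR_INDIRECT, pointing at the matching change in zfs_log_write(), would also help the next reader.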
bugzilla-daemon at defect.opensolaris.org
2008-May-29 16:31 UTC
[Bug 2074] zvol_encrypt_001 leaking data that should be encrypted
http://defect.opensolaris.org/bz/show_bug.cgi?id=2074
Darren J Moffat <darrenm at opensolaris.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|FIXINPROGRESS |CLOSED
Resolution| |FIXINSOURCE
bugzilla-daemon at defect.opensolaris.org
2008-May-29 22:05 UTC
[Bug 2074] zvol_encrypt_001 leaking data that should be encrypted
http://defect.opensolaris.org/bz/show_bug.cgi?id=2074
Darren J Moffat <darrenm at opensolaris.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|CLOSED |REOPENED
Resolution|FIXINSOURCE |
--- Comment #3 from Darren J Moffat <darrenm at opensolaris.org>
2008-05-29 15:05:38 ---
Fix seems to only partially work, plus in the case where I use dd(1) to write the 10M file of 'A' to the zvol there appears to be a LOT of structure visible.
This suggests something serious is up with zvol compared to datasets. Almost like IV reuse but that seems odd.
More investigation required.
bugzilla-daemon at defect.opensolaris.org
2008-May-29 22:07 UTC
[Bug 2074] zvol_encrypt_001 leaking data that should be encrypted
http://defect.opensolaris.org/bz/show_bug.cgi?id=2074
Darren J Moffat <darrenm at opensolaris.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |ACCEPTED
--- Comment #4 from Darren J Moffat <darrenm at opensolaris.org>
2008-05-29 15:07:46 ---
IV reuse appears to be part of the problem in the direct use of the zvol device
with dd.
Need to check if this is happening in the dataset case as well.
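Added example, not part of the bug report or the zfs-crypto test suite: a checker for a raw backing file that combines the two signals discussed so far, printable cleartext runs (what the strings test catches) and repeated ciphertext blocks (the visible structure that appears when equal plaintext is encrypted under the same key and IV). The 16-byte block size, the function names and the sample images are assumptions constructed for illustration.

```python
import collections
import hashlib
import re

BLOCK = 16  # assumed cipher block size in bytes; the bug report does not state one

def cleartext_runs(data, min_len=64):
    """(offset, length) of printable-ASCII runs, the signal strings(1) exposes."""
    pattern = re.compile(rb"[\x20-\x7e\t\n]{%d,}" % min_len)
    return [(m.start(), m.end() - m.start()) for m in pattern.finditer(data)]

def repeated_blocks(data, block=BLOCK):
    """Aligned, non-zero blocks seen more than once, mapped to their count."""
    counts = collections.Counter(
        data[i:i + block] for i in range(0, len(data) - block + 1, block))
    return {b: n for b, n in counts.items() if n > 1 and b != bytes(block)}

def audit(data):
    """Summarise both checks; an encrypted image should produce no findings."""
    runs = cleartext_runs(data)
    repeats = repeated_blocks(data)
    return {
        "cleartext_bytes": sum(length for _, length in runs),
        "repeated_blocks": sum(repeats.values()),
        "ok": not runs and not repeats,
    }

def pseudo_ciphertext(n, seed=b"constructed sample"):
    """Deterministic random-looking bytes standing in for real ciphertext."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])

# Constructed images: zeroed space (as mkfile leaves it) followed by data.
CLEAN = bytes(4096) + pseudo_ciphertext(8192)
LEAKY = CLEAN + b"A" * 4096                         # plaintext reached the disk
PATTERNED = CLEAN + bytes(range(0x80, 0x90)) * 256  # one ciphertext block repeated

if __name__ == "__main__":
    for name, image in (("clean", CLEAN), ("leaky", LEAKY), ("patterned", PATTERNED)):
        print(name, audit(image))
```

The repeated-block check flags the patterned image even though it contains no printable text, which is the case a strings-only test would pass.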
bugzilla-daemon at defect.opensolaris.org
2008-Jun-02 15:52 UTC
[Bug 2074] zvol_encrypt_001 leaking data that should be encrypted
http://defect.opensolaris.org/bz/show_bug.cgi?id=2074
Darren J Moffat <darrenm at opensolaris.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
AssignedTo|ajscarp at yahoo.com |darrenm at opensolaris.org
--- Comment #5 from Darren J Moffat <darrenm at opensolaris.org>
2008-06-02 08:52:46 ---
The txg is 0 - this is a problem because that is part of the IV.
bugzilla-daemon at defect.opensolaris.org
2008-Jun-11 10:36 UTC
[Bug 2074] zvol_encrypt_001 leaking data that should be encrypted
http://defect.opensolaris.org/bz/show_bug.cgi?id=2074
Darren J Moffat <darrenm at opensolaris.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ACCEPTED |CAUSEKNOWN
--- Comment #6 from Darren J Moffat <darrenm at opensolaris.org>
2008-06-11 03:36:48 ---
The cause of the "repeating patterns" issue is very likely the txg being zero.
I need to track down when we issue writes into the zio with a zero txg or if that zero txg itself is a bug.
bugzilla-daemon at defect.opensolaris.org
2008-Jun-26 17:11 UTC
[Bug 2074] zvol_encrypt_001 leaking data that should be encrypted
http://defect.opensolaris.org/bz/show_bug.cgi?id=2074
Darren J Moffat <darrenm at opensolaris.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Alias| |BUGSTER:6719689
Status|CAUSEKNOWN |CLOSED
Resolution| |TRACKEDINBUGSTER
--- Comment #7 from Darren J Moffat <darrenm at opensolaris.org>
2008-06-26 10:11:05 ---
BUGSTER:6719689
bugzilla-daemon at defect.opensolaris.org
2008-Sep-22 06:07 UTC
[Bug 2074] zvol_encrypt_001 leaking data that should be encrypted
http://defect.opensolaris.org/bz/show_bug.cgi?id=2074
David Comay <David.Comay at Sun.COM> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status Whiteboard| |BugsterCR=6719689
CC| |David.Comay at Sun.COM