zfs: wolfZFS port for OpenZFS 2.4.2 (FIPS fixes; supersedes #341) #346
Draft
ColtonWilley wants to merge 1 commit into
909e44c to 98b07c7
Updated to fold in a small test-wiring fix the OpenZFS test suite exposed: the userspace ICP checksum test programs Full validation on this patch (built from wolfSSL master for
Rebase the wolfZFS port to the zfs-2.4.2 release tag and fold in the FIPS
fixes (-287 private-key unlock, GCM-IV approved-DRBG upgrade, provider-native
EVP_KDF userspace key-derivation). Link the userspace ICP checksum test
programs (sha2_test, blake3_test) against libwolfssl. Quote
MODULE_IMPORT_NS("WOLFSSL") for kernel >= 6.13.
RNG: rely on ZFS's native random_get_bytes() for all key/salt/IV material
(it is the wolfCrypt FIPS DRBG once the CRNG kernel patch is installed). The
only delta vs vanilla ZFS is upgrading the two GCM-IV sites in zio_crypt.c
(zio_crypt_key_wrap, zio_crypt_generate_iv) from random_get_pseudo_bytes to
random_get_bytes, so GCM IVs come from an approved DRBG (SP 800-38D requires
it; the xorshift pseudo-RNG is not approved). No direct wc_RNG calls remain;
wolfZFS owns the crypto primitives and the CRNG patch owns RNG.
Validated on Proxmox VE 9.2 (zfs-2.4.2-pve1, kernel 7.0.12-1-pve) and the
OpenZFS test suite: run_crypto 2/2, run_sanity with all failures within the
known vanilla-ZFS environmental baseline, zero regressions.
98b07c7 to fe303a2
Updates the wolfZFS port to OpenZFS 2.4.2 (tag zfs-2.4.2) and folds in the FIPS fixes. Supersedes #341 (which carried only the -287 unlock) — that PR can be closed.

Changes vs the cd06f79e2 port
- zfs-2.4.2 — applies with 0 fuzz to both upstream zfs-2.4.2 and Proxmox 2.4.2-pve1.
- module/zfs/hkdf.c: PRIVATE_KEY_UNLOCK bracket fixes FIPS_PRIVATE_KEY_LOCKED_E (-287) on encrypted dataset creation under wolfCrypt FIPS (this was zfs: fix FIPS_PRIVATE_KEY_LOCKED_E (-287) on encrypted dataset creation under wolfCrypt FIPS #341).
- wc_InitRng/wc_RNG_GenerateBlock) for the zfs_ioctl_os.c control sites and the zio_crypt.c per-block IV hot path.
- EVP_KDF "PBKDF2" + RAND_bytes salt, so it routes through an OpenSSL 3.x provider (e.g. wolfProvider).
- MODULE_IMPORT_NS("WOLFSSL") quoted for kernel >= 6.13.

Validation
Built and exercised on Proxmox VE 9.2 (zfs-2.4.2-pve1, kernel 7.0.12-1-pve):
- zfs-2.4.2 and Proxmox 2.4.2-pve1.
- --with-config=kernel) builds: depends: spl,libwolfssl, 28 wc_ imports, 0 _fips symbols.
- aes-256-gcm) round-trips through wolfCrypt and survives reboot.

Patch stat: 41 files changed, 1002 insertions(+), 28613 deletions(-).
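
A CI-style check for the RNG claims in the commit message above, as an added example that is not part of the PR or the wolfZFS project: it confirms that the two GCM-IV functions call random_get_bytes rather than random_get_pseudo_bytes, and that no direct wc_InitRng/wc_RNG_GenerateBlock calls remain in the file. The C snippets are constructed, simplified stand-ins for zio_crypt.c, and `audit`, `function_body` and `balanced_end` are hypothetical helper names.

```python
import re

IV_FUNCS = ("zio_crypt_key_wrap", "zio_crypt_generate_iv")
CALL = re.compile(
    r"\b(random_get_(?:pseudo_)?bytes|wc_InitRng|wc_RNG_GenerateBlock)\s*\(")

def balanced_end(src, start, open_ch, close_ch):
    """Index just past the delimiter that closes src[start]; -1 if unclosed."""
    depth = 0
    for i in range(start, len(src)):
        depth += (src[i] == open_ch) - (src[i] == close_ch)
        if depth == 0:
            return i + 1
    return -1

def function_body(src, name):
    """Brace-balanced body of the definition of `name`; calls are skipped."""
    for m in re.finditer(r"\b%s\s*\(" % re.escape(name), src):
        end = balanced_end(src, m.end() - 1, "(", ")")
        if end > 0 and (brace := re.match(r"\s*\{", src[end:])):
            start = end + brace.end() - 1
            return src[start:balanced_end(src, start, "{", "}")]
    return None

def audit(src):
    """Return sorted findings; an empty list means the RNG claims hold."""
    src = re.sub(r"/\*.*?\*/|//[^\n]*", "", src, flags=re.S)  # drop comments
    findings = {f"file: direct {c}() call"
                for c in CALL.findall(src) if c.startswith("wc_")}
    for fn in IV_FUNCS:
        body = function_body(src, fn)
        calls = CALL.findall(body or "")
        if body is None:
            findings.add(f"{fn}: definition not found")
        elif "random_get_bytes" not in calls:
            findings.add(f"{fn}: no random_get_bytes() call")
        if "random_get_pseudo_bytes" in calls:
            findings.add(f"{fn}: calls random_get_pseudo_bytes()")
    return sorted(findings)

# Constructed stand-ins for zio_crypt.c; only the names come from the page.
PATCHED = """
int zio_crypt_generate_iv(uint8_t *iv, size_t len)
{ /* was: random_get_pseudo_bytes() */ return (random_get_bytes(iv, len)); }
int zio_crypt_key_wrap(void *key, uint8_t *iv, size_t len)
{ if (key != NULL) { (void) random_get_bytes(iv, len); } return (0); }
"""
UNPATCHED = PATCHED.replace("(random_get_bytes", "(random_get_pseudo_bytes") + \
    "static int old_rng(WC_RNG *r) { return (wc_InitRng(r)); }\n"
```

The scan is textual: it ignores braces inside string literals and does not expand macros, so it is a regression guard for these call sites rather than a replacement for review.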