Chacha20-Poly1305 encryption

This commit implements the Chacha20-Poly1305 AEAD from RFC 8439 as a new
algorithm option for encrypted datasets.

AES (and particularly the default AES-GCM mode used in OpenZFS) is known
to be very slow on systems without hardware assistance. There are many
such machines out there could make good use of OpenZFS, especially
low-cost machines and small boards that would otherwise make very nice
storage machines. The Raspberry Pi series of machines are a good
example.

The best option for these systems is an encryption option that performs
well in software. Chacha20-Poly1305 is the current "standard" option for
this in many contexts, and is a good choice for OpenZFS.

The core Chacha20 and Poly1305 implementations are taken from Loup
Valliant's Monocypher. These were chosen because they are compact, easy
to read, easy to use and the author has written extensively about its
development, all of which give me confidence that there are unlikely to
be any surprises.

I've added a KCF-style module to the ICP to implement the AEAD. This
implements just enough for OpenZFS, and is not suitable as a
general-purpose KCF for Illumos (though it could be the starting point
for one).

For FreeBSD, which does not use the ICP, I've instead hooked it up to
FreeBSD's builtin crypto stack.

The rest is adding an enabling property value and a feature flag and and
hooking it up to all the right touch points, and documentation updates.

The existing tests that cycle through the possible encryption options
have been extended to add one more.

I've added a test to ensure that raw receives of chacha20-poly1305
datasets do the right thing based on the state of the feature flag on
the receiving side.

There's also a test unit that runs the test vectors in RFC 8439 against
Chacha20, Poly1305 and the AEAD in the ICP that combines them. This is
most useful as a sanity check during future work to add alternate
(accelerated) implementations.

Finally, manual interop testing has been done to confirm that pools and
streams can be moved between Linux and FreeBSD correctly.

Light and uncontrolled performance testing on a Raspberry Pi 4B
(Broadcom BCM2711, no hardware AES) writing to a chacha20-poly1305
dataset was ~2.4x faster than aes-256-gcm on the same hardware. On a
Fitlet2 (Celeron J3455, AES-NI but no AVX (#10846)) it was ~1.3x faster.

Signed-off-by: Rob Norris <robn@despairlabs.com>

Makefile.am

@@ -124,6 +124,7 @@ cstyle:
 		! -name 'zfs_config.*' ! -name '*.mod.c' \
 		! -name 'opt_global.h' ! -name '*_if*.h' \
 		! -name 'zstd_compat_wrapper.h' \
+		! -name 'monocypher.[ch]' \
 		! -path './module/zstd/lib/*' \
 		! -path './include/sys/lua/*' \
 		! -path './module/lua/l*.[ch]' \

include/os/freebsd/zfs/sys/freebsd_crypto.h

@@ -41,6 +41,7 @@
 #define	SUN_CKM_AES_CCM	"CKM_AES_CCM"
 #define	SUN_CKM_AES_GCM	"CKM_AES_GCM"
 #define	SUN_CKM_SHA512_HMAC	"CKM_SHA512_HMAC"
+#define	SUN_CKM_CHACHA20_POLY1305	"CKM_CHACHA20_POLY1305"
 
 #define	CRYPTO_BITS2BYTES(n) ((n) == 0 ? 0 : (((n) - 1) >> 3) + 1)
 #define	CRYPTO_BYTES2BITS(n) ((n) << 3)

include/sys/crypto/common.h

@@ -109,6 +109,7 @@ typedef uint32_t crypto_keysize_unit_t;
 #define	SUN_CKM_AES_CCM			"CKM_AES_CCM"
 #define	SUN_CKM_AES_GCM			"CKM_AES_GCM"
 #define	SUN_CKM_AES_GMAC		"CKM_AES_GMAC"
+#define	SUN_CKM_CHACHA20_POLY1305	"CKM_CHACHA20_POLY1305"
 
 /* Data arguments of cryptographic operations */
 

include/sys/crypto/icp.h

@@ -26,6 +26,9 @@
 #ifndef	_SYS_CRYPTO_ALGS_H
 #define	_SYS_CRYPTO_ALGS_H
 
+int chapoly_mod_init(void);
+int chapoly_mod_fini(void);
+
 int aes_mod_init(void);
 int aes_mod_fini(void);
 

include/sys/fs/zfs.h

@@ -1825,6 +1825,7 @@ enum zio_encrypt {
 	ZIO_CRYPT_AES_128_GCM,
 	ZIO_CRYPT_AES_192_GCM,
 	ZIO_CRYPT_AES_256_GCM,
+	ZIO_CRYPT_CHACHA20_POLY1305,
 	ZIO_CRYPT_FUNCTIONS
 };
 

include/sys/zio_crypt.h

@@ -45,7 +45,8 @@ struct zbookmark_phys;
 typedef enum zio_crypt_type {
 	ZC_TYPE_NONE = 0,
 	ZC_TYPE_CCM,
-	ZC_TYPE_GCM
+	ZC_TYPE_GCM,
+	ZC_TYPE_CHACHA20_POLY1305,
 } zio_crypt_type_t;
 
 /* table of supported crypto algorithms, modes and keylengths. */
@@ -60,7 +61,7 @@ typedef struct zio_crypt_info {
 #else
 	crypto_mech_name_t ci_mechname;
 #endif
-	/* cipher mode type (GCM, CCM) */
+	/* cipher mode type (GCM, CCM, ChaCha20-Poly1305) */
 	zio_crypt_type_t ci_crypt_type;
 
 	/* length of the encryption key */

include/zfeature_common.h

@@ -81,6 +81,7 @@ typedef enum spa_feature {
 	SPA_FEATURE_BLOCK_CLONING,
 	SPA_FEATURE_AVZ_V2,
 	SPA_FEATURE_REDACTION_LIST_SPILL,
+	SPA_FEATURE_CHACHA20_POLY1305,
 	SPA_FEATURES
 } spa_feature_t;
 

lib/libicp/Makefile.am

@@ -32,9 +32,11 @@ nodist_libicp_la_SOURCES = \
 	module/icp/algs/skein/skein_block.c \
 	module/icp/algs/skein/skein_iv.c \
 	module/icp/illumos-crypto.c \
+	module/icp/monocypher.c \
 	module/icp/io/aes.c \
 	module/icp/io/sha2_mod.c \
 	module/icp/io/skein_mod.c \
+	module/icp/io/chapoly.c \
 	module/icp/core/kcf_sched.c \
 	module/icp/core/kcf_prov_lib.c \
 	module/icp/core/kcf_callprov.c \

lib/libzfs/libzfs.abi

@@ -5822,7 +5822,8 @@
       <enumerator name='SPA_FEATURE_BLOCK_CLONING' value='37'/>
       <enumerator name='SPA_FEATURE_AVZ_V2' value='38'/>
       <enumerator name='SPA_FEATURE_REDACTION_LIST_SPILL' value='39'/>
-      <enumerator name='SPA_FEATURES' value='40'/>
+      <enumerator name='SPA_FEATURE_CHACHA20_POLY1305' value='40'/>
+      <enumerator name='SPA_FEATURES' value='41'/>
     </enum-decl>
     <typedef-decl name='spa_feature_t' type-id='33ecb627' id='d6618c78'/>
     <qualified-type-def type-id='22cce67b' const='yes' id='d2816df0'/>

man/man7/zfsprops.7

@@ -37,8 +37,9 @@
 .\" Copyright 2019 Joyent, Inc.
 .\" Copyright (c) 2019, Kjeld Schouten-Lebbing
 .\" Copyright (c) 2022 Hewlett Packard Enterprise Development LP.
+.\" Copyright (c) 2023, Rob Norris <robn@despairlabs.com>
 .\"
-.Dd August 8, 2023
+.Dd October 27, 2023
 .Dt ZFSPROPS 7
 .Os
 .
@@ -1077,7 +1078,7 @@ This property can also be referred to by its shortened column name,
 .It Xo
 .Sy encryption Ns = Ns Sy off Ns | Ns Sy on Ns | Ns Sy aes-128-ccm Ns | Ns
 .Sy aes-192-ccm Ns | Ns Sy aes-256-ccm Ns | Ns Sy aes-128-gcm Ns | Ns
-.Sy aes-192-gcm Ns | Ns Sy aes-256-gcm
+.Sy aes-192-gcm Ns | Ns Sy aes-256-gcm Ns | Ns Sy chacha20-poly1305
 .Xc
 Controls the encryption cipher suite (block cipher, key length, and mode) used
 for this dataset.
@@ -1096,6 +1097,12 @@ selected, which is currently
 In order to provide consistent data protection, encryption must be specified at
 dataset creation time and it cannot be changed afterwards.
 .Pp
+On systems lacking hardware-accelerated AES (many non-x86 boards)
+.Sy chacha20-poly1305
+will usually offer better performance without compromising security.
+On x86, or when datasets may be mounted on on older versions of ZFS, an AES
+suite is the best choice.
+.Pp
 For more details and caveats about encryption see the
 .Sx Encryption
 section of

man/man7/zpool-features.7

@@ -17,8 +17,9 @@
 .\" Copyright (c) 2019, Klara Inc.
 .\" Copyright (c) 2019, Allan Jude
 .\" Copyright (c) 2021, Colm Buckley <colm@tuatha.org>
+.\" Copyright (c) 2023, Rob Norris <robn@despairlabs.com>
 .\"
-.Dd June 23, 2022
+.Dd October 27, 2023
 .Dt ZPOOL-FEATURES 7
 .Os
 .
@@ -398,6 +399,21 @@ returned to the
 .Sy enabled
 state when all bookmarks with these fields are destroyed.
 .
+.feature org.openzfs chacha20_poly1305 no encryption extensible_dataset
+This feature enables the use of the ChaCha20-Poly1305 cipher suite for encrypted
+datasets.
+On systems lacking hardware-accelerated AES (many non-x86 boards), this suite
+will usually offer better performance than AES suites without compromising
+security.
+.Pp
+This feature becomes
+.Sy active
+when an encrypted dataset is created with
+.Nm encryption Ns = Ns Sy chacha20-poly1305
+and will be returned to the
+.Sy enabled
+state when all datasets that use this feature are destroyed.
+.
 .feature org.openzfs device_rebuild yes
 This feature enables the ability for the
 .Nm zpool Cm attach

module/Kbuild.in

@@ -122,9 +122,11 @@ ICP_OBJS := \
 	core/kcf_prov_tabs.o \
 	core/kcf_sched.o \
 	illumos-crypto.o \
+	monocypher.o \
 	io/aes.o \
 	io/sha2_mod.o \
 	io/skein_mod.o \
+	io/chapoly.o \
 	spi/kcf_spi.o
 
 ICP_OBJS_X86_64 := \

module/icp/illumos-crypto.c

@@ -110,6 +110,7 @@ icp_fini(void)
 	skein_mod_fini();
 	sha2_mod_fini();
 	aes_mod_fini();
+	chapoly_mod_fini();
 	kcf_sched_destroy();
 	kcf_prov_tab_destroy();
 	kcf_destroy_mech_tabs();
@@ -132,6 +133,7 @@ icp_init(void)
 	kcf_sched_init();
 
 	/* initialize algorithms */
+	chapoly_mod_init();
 	aes_mod_init();
 	sha2_mod_init();
 	skein_mod_init();

module/icp/include/monocypher.h

@@ -0,0 +1,95 @@
+/*
+ * Copyright (c) 2017-2019, Loup Vaillant
+ * All rights reserved.
+ *
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Monocypher 4.0.2 (Poly1305, Chacha20, and supporting utilities)
+ * adapted for OpenZFS by Rob Norris <robn@despairlabs.com>
+ */
+
+/*
+ * Note: this follows the Monocypher style rather than the OpenZFS style to
+ * keep the diff to the bare minimum. This is important for making it easy to
+ * compare the two and confirm that they are in fact the same. The diff should
+ * be almost entirely in deleted lines.
+ */
+
+#ifndef MONOCYPHER_H
+#define MONOCYPHER_H
+
+#include <sys/types.h>
+
+
+// Constant time comparisons
+// -------------------------
+
+// Return 0 if a and b are equal, -1 otherwise
+int crypto_verify16(const uint8_t a[16], const uint8_t b[16]);
+
+// Erase sensitive data
+// --------------------
+void crypto_wipe(void *secret, size_t size);
+
+
+// Chacha20
+// --------
+
+// Unauthenticated stream cipher.
+// Don't forget to add authentication.
+uint32_t crypto_chacha20_ietf(uint8_t       *cipher_text,
+                              const uint8_t *plain_text,
+                              size_t         text_size,
+                              const uint8_t  key[32],
+                              const uint8_t  nonce[12],
+                              uint32_t       ctr);
+
+
+// Poly 1305
+// ---------
+
+// This is a *one time* authenticator.
+// Disclosing the mac reveals the key.
+
+// Incremental interface
+typedef struct {
+	// Do not rely on the size or contents of this type,
+	// for they may change without notice.
+	uint8_t  c[16];  // chunk of the message
+	size_t   c_idx;  // How many bytes are there in the chunk.
+	uint32_t r  [4]; // constant multiplier (from the secret key)
+	uint32_t pad[4]; // random number added at the end (from the secret key)
+	uint32_t h  [5]; // accumulated hash
+} crypto_poly1305_ctx;
+
+void crypto_poly1305_init  (crypto_poly1305_ctx *ctx, const uint8_t key[32]);
+void crypto_poly1305_update(crypto_poly1305_ctx *ctx,
+                            const uint8_t *message, size_t message_size);
+void crypto_poly1305_final (crypto_poly1305_ctx *ctx, uint8_t mac[16]);
+
+#endif /* MONOCYPHER_H */