Commit fe303a2
committed
zfs: wolfZFS port for OpenZFS 2.4.2 (FIPS fixes; supersedes #341)
Rebase the wolfZFS port to the zfs-2.4.2 release tag and fold in the FIPS
fixes (-287 private-key unlock, GCM-IV approved-DRBG upgrade, provider-native
EVP_KDF userspace key-derivation). Link the userspace ICP checksum test
programs (sha2_test, blake3_test) against libwolfssl. Quote
MODULE_IMPORT_NS("WOLFSSL") for kernel >= 6.13.
RNG: rely on ZFS's native random_get_bytes() for all key/salt/IV material
(it is the wolfCrypt FIPS DRBG once the CRNG kernel patch is installed). The
only delta vs vanilla ZFS is upgrading the two GCM-IV sites in zio_crypt.c
(zio_crypt_key_wrap, zio_crypt_generate_iv) from random_get_pseudo_bytes to
random_get_bytes, so GCM IVs come from an approved DRBG (SP 800-38D requires
it; the xorshift pseudo-RNG is not approved). No direct wc_RNG calls remain;
wolfZFS owns the crypto primitives and the CRNG patch owns RNG.
Validated on Proxmox VE 9.2 (zfs-2.4.2-pve1, kernel 7.0.12-1-pve) and the
OpenZFS test suite: run_crypto 2/2, run_sanity with all failures within the
known vanilla-ZFS environmental baseline, zero regressions.1 parent e216394 commit fe303a2
2 files changed
Lines changed: 309 additions & 168 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
5 | 5 | | |
6 | 6 | | |
7 | 7 | | |
8 | | - | |
| 8 | + | |
9 | 9 | | |
10 | | - | |
11 | | - | |
12 | | - | |
| 10 | + | |
13 | 11 | | |
14 | | - | |
15 | | - | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
16 | 15 | | |
17 | 16 | | |
18 | | - | |
19 | | - | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
20 | 34 | | |
21 | 35 | | |
22 | 36 | | |
| |||
151 | 165 | | |
152 | 166 | | |
153 | 167 | | |
154 | | - | |
155 | | - | |
| 168 | + | |
| 169 | + | |
156 | 170 | | |
157 | 171 | | |
158 | 172 | | |
| |||
0 commit comments