apfs/apfstests
0
0
Fork 0
mirror of https://github.com/linux-apfs/apfstests.git synced 2026-05-01 15:01:44 -07:00
Code Issues Packages Projects Releases Wiki Activity

common/encrypt: disambiguate session encryption keys

Browse Source 
Rename the helper functions that add/remove keys from the session
keyring, in order to distinguish them from the helper functions I'll
be adding to add/remove keys from the new filesystem-level keyring.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Eryu Guan <guaneryu@gmail.com>
Signed-off-by: Eryu Guan <guaneryu@gmail.com>
This commit is contained in:
Eric Biggers
2019-10-15 11:16:35 -07:00
committed by Eryu Guan
parent 85bb7969ad
commit 4e3ef46d29
11 changed files with 34 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files
common/encrypt
+10 -10
View File
@@ -89,7 +89,7 @@ _require_encryption_policy_support()
mkdir $dir mkdir $dir
_require_command "$KEYCTL_PROG" keyctl _require_command "$KEYCTL_PROG" keyctl
_new_session_keyring _new_session_keyring
local keydesc=$(_generate_encryption_key) local keydesc=$(_generate_session_encryption_key)
if _set_encpolicy $dir $keydesc $set_encpolicy_args \ if _set_encpolicy $dir $keydesc $set_encpolicy_args \
2>&1 >>$seqres.full | egrep -q 'Invalid argument'; then 2>&1 >>$seqres.full | egrep -q 'Invalid argument'; then
_notrun "kernel does not support encryption policy: '$set_encpolicy_args'" _notrun "kernel does not support encryption policy: '$set_encpolicy_args'"
@@ -153,7 +153,7 @@ _generate_key_descriptor()
echo $keydesc echo $keydesc
} }
# Generate a raw encryption key, but don't add it to the keyring yet. # Generate a raw encryption key, but don't add it to any keyring yet.
_generate_raw_encryption_key() _generate_raw_encryption_key()
{ {
local raw="" local raw=""
@@ -166,7 +166,7 @@ _generate_raw_encryption_key()
# Add the specified raw encryption key to the session keyring, using the # Add the specified raw encryption key to the session keyring, using the
# specified key descriptor. # specified key descriptor.
_add_encryption_key() _add_session_encryption_key()
{ {
local keydesc=$1 local keydesc=$1
local raw=$2 local raw=$2
@@ -209,26 +209,26 @@ _add_encryption_key()
# keyctl program. It's assumed the caller has already set up a test-scoped # keyctl program. It's assumed the caller has already set up a test-scoped
# session keyring using _new_session_keyring. # session keyring using _new_session_keyring.
# #
_generate_encryption_key() _generate_session_encryption_key()
{ {
local keydesc=$(_generate_key_descriptor) local keydesc=$(_generate_key_descriptor)
local raw=$(_generate_raw_encryption_key) local raw=$(_generate_raw_encryption_key)
_add_encryption_key $keydesc $raw _add_session_encryption_key $keydesc $raw
echo $keydesc echo $keydesc
} }
# Unlink an encryption key from the session keyring, given its key descriptor. # Unlink an encryption key from the session keyring, given its key descriptor.
_unlink_encryption_key() _unlink_session_encryption_key()
{ {
local keydesc=$1 local keydesc=$1
local keyid=$($KEYCTL_PROG search @s logon $FSTYP:$keydesc) local keyid=$($KEYCTL_PROG search @s logon $FSTYP:$keydesc)
$KEYCTL_PROG unlink $keyid >>$seqres.full $KEYCTL_PROG unlink $keyid >>$seqres.full
} }
# Revoke an encryption key from the keyring, given its key descriptor. # Revoke an encryption key from the session keyring, given its key descriptor.
_revoke_encryption_key() _revoke_session_encryption_key()
{ {
local keydesc=$1 local keydesc=$1
local keyid=$($KEYCTL_PROG search @s logon $FSTYP:$keydesc) local keyid=$($KEYCTL_PROG search @s logon $FSTYP:$keydesc)
@@ -412,7 +412,7 @@ _require_get_ciphertext_filename_support()
_scratch_mount _scratch_mount
_new_session_keyring _new_session_keyring
local keydesc=$(_generate_encryption_key) local keydesc=$(_generate_session_encryption_key)
local dir=$SCRATCH_MNT/test.${FUNCNAME[0]} local dir=$SCRATCH_MNT/test.${FUNCNAME[0]}
local file=$dir/$(perl -e 'print "A" x 255') local file=$dir/$(perl -e 'print "A" x 255')
mkdir $dir mkdir $dir
@@ -634,7 +634,7 @@ _verify_ciphertext_for_encryption_policy()
local raw_key=$(_generate_raw_encryption_key) local raw_key=$(_generate_raw_encryption_key)
local keydesc=$(_generate_key_descriptor) local keydesc=$(_generate_key_descriptor)
_new_session_keyring _new_session_keyring
_add_encryption_key $keydesc $raw_key _add_session_encryption_key $keydesc $raw_key
local raw_key_hex=$(echo "$raw_key" | tr -d '\\x') local raw_key_hex=$(echo "$raw_key" | tr -d '\\x')
echo echo
tests/ext4/024
+1 -1
View File
@@ -53,7 +53,7 @@ _new_session_keyring
_scratch_mkfs_encrypted &>>$seqres.full _scratch_mkfs_encrypted &>>$seqres.full
_scratch_mount _scratch_mount
mkdir $SCRATCH_MNT/edir mkdir $SCRATCH_MNT/edir
keydesc=$(_generate_encryption_key) keydesc=$(_generate_session_encryption_key)
_set_encpolicy $SCRATCH_MNT/edir $keydesc _set_encpolicy $SCRATCH_MNT/edir $keydesc
echo foo > $SCRATCH_MNT/edir/file echo foo > $SCRATCH_MNT/edir/file
inum=$(stat -c '%i' $SCRATCH_MNT/edir/file) inum=$(stat -c '%i' $SCRATCH_MNT/edir/file)
tests/generic/397
+2 -2
View File
@@ -45,7 +45,7 @@ _scratch_mkfs_encrypted &>> $seqres.full
_scratch_mount _scratch_mount
mkdir $SCRATCH_MNT/edir $SCRATCH_MNT/ref_dir mkdir $SCRATCH_MNT/edir $SCRATCH_MNT/ref_dir
keydesc=$(_generate_encryption_key) keydesc=$(_generate_session_encryption_key)
_set_encpolicy $SCRATCH_MNT/edir $keydesc _set_encpolicy $SCRATCH_MNT/edir $keydesc
for dir in $SCRATCH_MNT/edir $SCRATCH_MNT/ref_dir; do for dir in $SCRATCH_MNT/edir $SCRATCH_MNT/ref_dir; do
touch $dir/empty > /dev/null touch $dir/empty > /dev/null
@@ -92,7 +92,7 @@ filter_create_errors()
-e 's/Operation not permitted/Required key not available/' -e 's/Operation not permitted/Required key not available/'
} }
_unlink_encryption_key $keydesc _unlink_session_encryption_key $keydesc
_scratch_cycle_mount _scratch_cycle_mount
# Check that unencrypted names aren't there # Check that unencrypted names aren't there
tests/generic/398
+4 -4
View File
@@ -68,8 +68,8 @@ edir1=$SCRATCH_MNT/edir1
edir2=$SCRATCH_MNT/edir2 edir2=$SCRATCH_MNT/edir2
udir=$SCRATCH_MNT/udir udir=$SCRATCH_MNT/udir
mkdir $edir1 $edir2 $udir mkdir $edir1 $edir2 $udir
keydesc1=$(_generate_encryption_key) keydesc1=$(_generate_session_encryption_key)
keydesc2=$(_generate_encryption_key) keydesc2=$(_generate_session_encryption_key)
_set_encpolicy $edir1 $keydesc1 _set_encpolicy $edir1 $keydesc1
_set_encpolicy $edir2 $keydesc2 _set_encpolicy $edir2 $keydesc2
touch $edir1/efile1 touch $edir1/efile1
@@ -141,8 +141,8 @@ rm $edir1/fifo $edir2/fifo $udir/fifo
# Now test that *without* access to the encrypted key, we cannot use an exchange # Now test that *without* access to the encrypted key, we cannot use an exchange
# (cross rename) operation to move a forbidden file into an encrypted directory. # (cross rename) operation to move a forbidden file into an encrypted directory.
_unlink_encryption_key $keydesc1 _unlink_session_encryption_key $keydesc1
_unlink_encryption_key $keydesc2 _unlink_session_encryption_key $keydesc2
_scratch_cycle_mount _scratch_cycle_mount
efile1=$(find $edir1 -type f) efile1=$(find $edir1 -type f)
efile2=$(find $edir2 -type f) efile2=$(find $edir2 -type f)
tests/generic/399
+2 -2
View File
@@ -61,7 +61,7 @@ dd if=/dev/zero of=$SCRATCH_DEV bs=$((1024 * 1024)) \
_scratch_mkfs_sized_encrypted $fs_size &>> $seqres.full _scratch_mkfs_sized_encrypted $fs_size &>> $seqres.full
_scratch_mount _scratch_mount
keydesc=$(_generate_encryption_key) keydesc=$(_generate_session_encryption_key)
mkdir $SCRATCH_MNT/encrypted_dir mkdir $SCRATCH_MNT/encrypted_dir
_set_encpolicy $SCRATCH_MNT/encrypted_dir $keydesc _set_encpolicy $SCRATCH_MNT/encrypted_dir $keydesc
@@ -127,7 +127,7 @@ done
# memory than the '-9' preset. The memory needed with our settings will be # memory than the '-9' preset. The memory needed with our settings will be
# 64 * 6.5 = 416 MB; see xz(1). # 64 * 6.5 = 416 MB; see xz(1).
# #
_unlink_encryption_key $keydesc _unlink_session_encryption_key $keydesc
_scratch_unmount _scratch_unmount
fs_compressed_size=$(head -c $fs_size $SCRATCH_DEV | \ fs_compressed_size=$(head -c $fs_size $SCRATCH_DEV | \
xz --lzma2=dict=64M,mf=hc4,mode=fast,nice=16 | \ xz --lzma2=dict=64M,mf=hc4,mode=fast,nice=16 | \
tests/generic/419
+2 -2
View File
@@ -47,11 +47,11 @@ _scratch_mkfs_encrypted &>> $seqres.full
_scratch_mount _scratch_mount
mkdir $SCRATCH_MNT/edir mkdir $SCRATCH_MNT/edir
keydesc=$(_generate_encryption_key) keydesc=$(_generate_session_encryption_key)
_set_encpolicy $SCRATCH_MNT/edir $keydesc _set_encpolicy $SCRATCH_MNT/edir $keydesc
echo a > $SCRATCH_MNT/edir/a echo a > $SCRATCH_MNT/edir/a
echo b > $SCRATCH_MNT/edir/b echo b > $SCRATCH_MNT/edir/b
_unlink_encryption_key $keydesc _unlink_session_encryption_key $keydesc
_scratch_cycle_mount _scratch_cycle_mount
# Note that because encrypted filenames are unpredictable, this needs to be # Note that because encrypted filenames are unpredictable, this needs to be
tests/generic/421
+2 -2
View File
@@ -51,7 +51,7 @@ slice=2
# Create an encrypted file and sync its data to disk. # Create an encrypted file and sync its data to disk.
rm -rf $dir rm -rf $dir
mkdir $dir mkdir $dir
keydesc=$(_generate_encryption_key) keydesc=$(_generate_session_encryption_key)
_set_encpolicy $dir $keydesc _set_encpolicy $dir $keydesc
$XFS_IO_PROG -f $file -c "pwrite 0 $((nproc*slice))M" -c "fsync" > /dev/null $XFS_IO_PROG -f $file -c "pwrite 0 $((nproc*slice))M" -c "fsync" > /dev/null
@@ -71,7 +71,7 @@ done
sleep 1 sleep 1
# Revoke the encryption key. # Revoke the encryption key.
keyid=$(_revoke_encryption_key $keydesc) keyid=$(_revoke_session_encryption_key $keydesc)
# Now try to open the file again. In buggy kernels this caused concurrent # Now try to open the file again. In buggy kernels this caused concurrent
# readers to crash with a NULL pointer dereference during decryption. # readers to crash with a NULL pointer dereference during decryption.
tests/generic/429
+4 -4
View File
@@ -56,7 +56,7 @@ _new_session_keyring
keydesc=$(_generate_key_descriptor) keydesc=$(_generate_key_descriptor)
raw_key=$(_generate_raw_encryption_key) raw_key=$(_generate_raw_encryption_key)
mkdir $SCRATCH_MNT/edir mkdir $SCRATCH_MNT/edir
_add_encryption_key $keydesc $raw_key _add_session_encryption_key $keydesc $raw_key
_set_encpolicy $SCRATCH_MNT/edir $keydesc _set_encpolicy $SCRATCH_MNT/edir $keydesc
# Create two files in the directory: one whose name is valid in the base64 # Create two files in the directory: one whose name is valid in the base64
@@ -96,7 +96,7 @@ show_directory_with_key()
# the correct number of them are listed by readdir, and save them for later. # the correct number of them are listed by readdir, and save them for later.
echo echo
echo "***** Without encryption key *****" echo "***** Without encryption key *****"
_unlink_encryption_key $keydesc _unlink_session_encryption_key $keydesc
_scratch_cycle_mount _scratch_cycle_mount
echo "--- Directory listing:" echo "--- Directory listing:"
ciphertext_names=( $(find $SCRATCH_MNT/edir -mindepth 1 | sort) ) ciphertext_names=( $(find $SCRATCH_MNT/edir -mindepth 1 | sort) )
@@ -109,7 +109,7 @@ show_file_contents
# stale dentries. # stale dentries.
echo echo
echo "***** With encryption key *****" echo "***** With encryption key *****"
_add_encryption_key $keydesc $raw_key _add_session_encryption_key $keydesc $raw_key
show_directory_with_key show_directory_with_key
# Test for ->d_revalidate() race conditions. # Test for ->d_revalidate() race conditions.
@@ -127,7 +127,7 @@ echo "***** After key revocation *****"
exec 3<$SCRATCH_MNT/edir exec 3<$SCRATCH_MNT/edir
exec 4<$SCRATCH_MNT/edir/@@@ exec 4<$SCRATCH_MNT/edir/@@@
exec 5<$SCRATCH_MNT/edir/abcd exec 5<$SCRATCH_MNT/edir/abcd
_revoke_encryption_key $keydesc _revoke_session_encryption_key $keydesc
show_directory_with_key show_directory_with_key
) )
tests/generic/435
+2 -2
View File
@@ -50,7 +50,7 @@ _new_session_keyring
_scratch_mkfs_encrypted &>> $seqres.full _scratch_mkfs_encrypted &>> $seqres.full
_scratch_mount _scratch_mount
mkdir $SCRATCH_MNT/edir mkdir $SCRATCH_MNT/edir
keydesc=$(_generate_encryption_key) keydesc=$(_generate_session_encryption_key)
# -f 0x2: zero-pad to 16-byte boundary (i.e. encryption block boundary) # -f 0x2: zero-pad to 16-byte boundary (i.e. encryption block boundary)
_set_encpolicy $SCRATCH_MNT/edir $keydesc -f 0x2 _set_encpolicy $SCRATCH_MNT/edir $keydesc -f 0x2
@@ -66,7 +66,7 @@ _set_encpolicy $SCRATCH_MNT/edir $keydesc -f 0x2
seq -f "$SCRATCH_MNT/edir/abcdefghijklmnopqrstuvwxyz012345%.0f" 100000 | xargs touch seq -f "$SCRATCH_MNT/edir/abcdefghijklmnopqrstuvwxyz012345%.0f" 100000 | xargs touch
find $SCRATCH_MNT/edir/ -type f | xargs stat -c %i | sort | uniq | wc -l find $SCRATCH_MNT/edir/ -type f | xargs stat -c %i | sort | uniq | wc -l
_unlink_encryption_key $keydesc _unlink_session_encryption_key $keydesc
_scratch_cycle_mount _scratch_cycle_mount
# Verify that every file has a unique inode number and can be removed without # Verify that every file has a unique inode number and can be removed without
tests/generic/440
+4 -4
View File
@@ -46,7 +46,7 @@ _scratch_mkfs_encrypted &>> $seqres.full
_scratch_mount _scratch_mount
keydesc=$(_generate_key_descriptor) keydesc=$(_generate_key_descriptor)
raw_key=$(_generate_raw_encryption_key) raw_key=$(_generate_raw_encryption_key)
_add_encryption_key $keydesc $raw_key _add_session_encryption_key $keydesc $raw_key
# Set up an encrypted directory containing a regular file, a subdirectory, and a # Set up an encrypted directory containing a regular file, a subdirectory, and a
# symlink. # symlink.
@@ -65,7 +65,7 @@ echo
echo "***** Parent has key, but child doesn't *****" echo "***** Parent has key, but child doesn't *****"
exec 3< $SCRATCH_MNT/edir # pin inode with cached key in memory exec 3< $SCRATCH_MNT/edir # pin inode with cached key in memory
ls $SCRATCH_MNT/edir | sort ls $SCRATCH_MNT/edir | sort
_unlink_encryption_key $keydesc _unlink_session_encryption_key $keydesc
cat $SCRATCH_MNT/edir/file |& _filter_scratch cat $SCRATCH_MNT/edir/file |& _filter_scratch
ls $SCRATCH_MNT/edir/subdir ls $SCRATCH_MNT/edir/subdir
cat $SCRATCH_MNT/edir/symlink |& _filter_scratch cat $SCRATCH_MNT/edir/symlink |& _filter_scratch
@@ -79,14 +79,14 @@ exec 3>&-
# plaintext contents, even though its filename is shown in ciphertext! # plaintext contents, even though its filename is shown in ciphertext!
echo echo
echo "***** Child has key, but parent doesn't *****" echo "***** Child has key, but parent doesn't *****"
_add_encryption_key $keydesc $raw_key _add_session_encryption_key $keydesc $raw_key
mkdir $SCRATCH_MNT/edir2 mkdir $SCRATCH_MNT/edir2
_set_encpolicy $SCRATCH_MNT/edir2 $keydesc _set_encpolicy $SCRATCH_MNT/edir2 $keydesc
ln $SCRATCH_MNT/edir/file $SCRATCH_MNT/edir2/link ln $SCRATCH_MNT/edir/file $SCRATCH_MNT/edir2/link
_scratch_cycle_mount _scratch_cycle_mount
cat $SCRATCH_MNT/edir2/link cat $SCRATCH_MNT/edir2/link
exec 3< $SCRATCH_MNT/edir2/link # pin inode with cached key in memory exec 3< $SCRATCH_MNT/edir2/link # pin inode with cached key in memory
_unlink_encryption_key $keydesc _unlink_session_encryption_key $keydesc
stat $SCRATCH_MNT/edir/file |& _filter_scratch stat $SCRATCH_MNT/edir/file |& _filter_scratch
cat "$(find $SCRATCH_MNT/edir/ -type f)" cat "$(find $SCRATCH_MNT/edir/ -type f)"
exec 3>&- exec 3>&-
tests/generic/576
+1 -1
View File
@@ -47,7 +47,7 @@ fsv_file=$edir/file.fsv
# Set up an encrypted directory. # Set up an encrypted directory.
_new_session_keyring _new_session_keyring
keydesc=$(_generate_encryption_key) keydesc=$(_generate_session_encryption_key)
mkdir $edir mkdir $edir
_set_encpolicy $edir $keydesc _set_encpolicy $edir $keydesc