apfs/apfstests
0
0
Fork 0
mirror of https://github.com/linux-apfs/apfstests.git synced 2026-05-01 15:01:44 -07:00
Code Issues Packages Projects Releases Wiki Activity
Files
35525fb5ed797fa2dcdf93d6cecc59b452dc8f8c
apfstests/common/encrypt
T
Eric Biggers 35525fb5ed common/encrypt: support requiring other encryption settings 
Update _require_scratch_encryption() to support checking for kernel
support for contents and filenames encryption modes besides the default.
This will be used by some of the ciphertext verification tests.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Eryu Guan <guaneryu@gmail.com>
Signed-off-by: Eryu Guan <guaneryu@gmail.com>
2019-05-27 20:14:34 +08:00

261 lines
7.2 KiB
Plaintext
Raw Blame History

##/bin/bash
# SPDX-License-Identifier: GPL-2.0
# Copyright (c) 2016 Google, Inc. All Rights Reserved.
#
# Functions for setting up and testing file encryption
#
# _require_scratch_encryption [-c CONTENTS_MODE] [-n FILENAMES_MODE]
#
# Require encryption support on the scratch device.
#
# This checks for support for the default type of encryption policy (AES-256-XTS
# and AES-256-CTS). Options can be specified to also require support for a
# different type of encryption policy.
#
_require_scratch_encryption()
{
_require_scratch
_require_xfs_io_command "set_encpolicy"
# The 'test_dummy_encryption' mount option interferes with trying to use
# encryption for real, even if we are just trying to get/set policies
# and never put any keys in the keyring. So skip the real encryption
# tests if the 'test_dummy_encryption' mount option was specified.
_exclude_scratch_mount_option "test_dummy_encryption"
# Make a filesystem on the scratch device with the encryption feature
# enabled. If this fails then probably the userspace tools (e.g.
# e2fsprogs or f2fs-tools) are too old to understand encryption.
if ! _scratch_mkfs_encrypted &>>$seqres.full; then
_notrun "$FSTYP userspace tools do not support encryption"
fi
# Try to mount the filesystem. If this fails then either the kernel
# isn't aware of encryption, or the mkfs options were not compatible
# with encryption (e.g. ext4 with block size != PAGE_SIZE).
if ! _try_scratch_mount &>>$seqres.full; then
_notrun "kernel is unaware of $FSTYP encryption feature," \
"or mkfs options are not compatible with encryption"
fi
# The kernel may be aware of encryption without supporting it. For
# example, for ext4 this is the case with kernels configured with
# CONFIG_EXT4_FS_ENCRYPTION=n. Detect support for encryption by trying
# to set an encryption policy. (For ext4 we could instead check for the
# presence of /sys/fs/ext4/features/encryption, but this is broken on
# some older kernels and is ext4-specific anyway.)
mkdir $SCRATCH_MNT/tmpdir
if _set_encpolicy $SCRATCH_MNT/tmpdir 2>&1 >>$seqres.full | \
egrep -q 'Inappropriate ioctl for device|Operation not supported'
then
_notrun "kernel does not support $FSTYP encryption"
fi
rmdir $SCRATCH_MNT/tmpdir
# If required, check for support for the specific type of encryption
# policy required by the test.
if [ $# -ne 0 ]; then
_require_encryption_policy_support $SCRATCH_MNT "$@"
fi
_scratch_unmount
}
_require_encryption_policy_support()
{
local mnt=$1
local dir=$mnt/tmpdir
local set_encpolicy_args=""
local c
OPTIND=2
while getopts "c:n:" c; do
case $c in
c|n)
set_encpolicy_args+=" -$c $OPTARG"
;;
*)
_fail "Unrecognized option '$c'"
;;
esac
done
set_encpolicy_args=${set_encpolicy_args# }
echo "Checking whether kernel supports encryption policy: $set_encpolicy_args" \
>> $seqres.full
mkdir $dir
_require_command "$KEYCTL_PROG" keyctl
_new_session_keyring
local keydesc=$(_generate_encryption_key)
if _set_encpolicy $dir $keydesc $set_encpolicy_args \
2>&1 >>$seqres.full | egrep -q 'Invalid argument'; then
_notrun "kernel does not support encryption policy: '$set_encpolicy_args'"
fi
# fscrypt allows setting policies with modes it knows about, even
# without kernel crypto API support. E.g. a policy using Adiantum
# encryption can be set on a kernel without CONFIG_CRYPTO_ADIANTUM.
# But actually trying to use such an encrypted directory will fail.
if ! touch $dir/file; then
_notrun "encryption policy '$set_encpolicy_args' is unusable; probably missing kernel crypto API support"
fi
$KEYCTL_PROG clear @s
rm -r $dir
}
_scratch_mkfs_encrypted()
{
case $FSTYP in
ext4|f2fs)
_scratch_mkfs -O encrypt
;;
ubifs)
# erase the UBI volume; reformated automatically on next mount
$UBIUPDATEVOL_PROG ${SCRATCH_DEV} -t
;;
*)
_notrun "No encryption support for $FSTYP"
;;
esac
}
_scratch_mkfs_sized_encrypted()
{
case $FSTYP in
ext4|f2fs)
MKFS_OPTIONS="$MKFS_OPTIONS -O encrypt" _scratch_mkfs_sized $*
;;
*)
_notrun "Filesystem $FSTYP not supported in _scratch_mkfs_sized_encrypted"
;;
esac
}
# Give the invoking shell a new session keyring. This makes any keys we add to
# the session keyring scoped to the lifetime of the test script.
_new_session_keyring()
{
$KEYCTL_PROG new_session >>$seqres.full
}
# Generate a key descriptor (16 character hex string)
_generate_key_descriptor()
{
local keydesc=""
local i
for ((i = 0; i < 8; i++)); do
keydesc="${keydesc}$(printf "%02x" $(( $RANDOM % 256 )))"
done
echo $keydesc
}
# Generate a raw encryption key, but don't add it to the keyring yet.
_generate_raw_encryption_key()
{
local raw=""
local i
for ((i = 0; i < 64; i++)); do
raw="${raw}\\x$(printf "%02x" $(( $RANDOM % 256 )))"
done
echo $raw
}
# Add the specified raw encryption key to the session keyring, using the
# specified key descriptor.
_add_encryption_key()
{
local keydesc=$1
local raw=$2
#
# Add the key to the session keyring. The required structure is:
#
# #define FS_MAX_KEY_SIZE 64
# struct fscrypt_key {
# u32 mode;
# u8 raw[FS_MAX_KEY_SIZE];
# u32 size;
# } __packed;
#
# The kernel ignores 'mode' but requires that 'size' be 64.
#
# Keys are named $FSTYP:KEYDESC where KEYDESC is the 16-character key
# descriptor hex string. Newer kernels (ext4 4.8 and later, f2fs 4.6
# and later) also allow the common key prefix "fscrypt:" in addition to
# their filesystem-specific key prefix ("ext4:", "f2fs:"). It would be
# nice to use the common key prefix, but for now use the filesystem-
# specific prefix to make it possible to test older kernels...
#
local big_endian=$(echo -ne '\x11' | od -tx2 | head -1 | \
cut -f2 -d' ' | cut -c1 )
if (( big_endian )); then
local mode='\x00\x00\x00\x00'
local size='\x00\x00\x00\x40'
else
local mode='\x00\x00\x00\x00'
local size='\x40\x00\x00\x00'
fi
echo -n -e "${mode}${raw}${size}" |
$KEYCTL_PROG padd logon $FSTYP:$keydesc @s >>$seqres.full
}
#
# Generate a random encryption key, add it to the session keyring, and print out
# the resulting key descriptor (example: "8bf798e1a494e1ec"). Requires the
# keyctl program. It's assumed the caller has already set up a test-scoped
# session keyring using _new_session_keyring.
#
_generate_encryption_key()
{
local keydesc=$(_generate_key_descriptor)
local raw=$(_generate_raw_encryption_key)
_add_encryption_key $keydesc $raw
echo $keydesc
}
# Unlink an encryption key from the session keyring, given its key descriptor.
_unlink_encryption_key()
{
local keydesc=$1
local keyid=$($KEYCTL_PROG search @s logon $FSTYP:$keydesc)
$KEYCTL_PROG unlink $keyid >>$seqres.full
}
# Revoke an encryption key from the keyring, given its key descriptor.
_revoke_encryption_key()
{
local keydesc=$1
local keyid=$($KEYCTL_PROG search @s logon $FSTYP:$keydesc)
$KEYCTL_PROG revoke $keyid >>$seqres.full
}
# Set an encryption policy on the specified directory.
_set_encpolicy()
{
local dir=$1
shift
$XFS_IO_PROG -c "set_encpolicy $*" "$dir"
}
_user_do_set_encpolicy()
{
local dir=$1
shift
_user_do "$XFS_IO_PROG -c \"set_encpolicy $*\" \"$dir\""
}
# Display the specified file or directory's encryption policy.
_get_encpolicy()
{
local file=$1
shift
$XFS_IO_PROG -c "get_encpolicy $*" "$file"
}
Reference in New Issue View Git Blame Copy Permalink