764 lines
23 KiB
Bash
Executable file
764 lines
23 KiB
Bash
Executable file
#!/bin/bash
|
|
|
|
set -eux
|
|
PATH="/usr/bin:/bin:/usr/sbin:/sbin"
|
|
export PATH
|
|
|
|
TMPDIR="$AUTOPKGTEST_TMP"
|
|
|
|
# wrappers
|
|
luks1Format() {
|
|
cryptsetup luksFormat --batch-mode --type=luks1 \
|
|
--pbkdf-force-iterations=1000 \
|
|
"$@"
|
|
}
|
|
luks2Format() {
|
|
cryptsetup luksFormat --batch-mode --type=luks2 \
|
|
--pbkdf=argon2id --pbkdf-force-iterations=4 --pbkdf-memory=32 \
|
|
"$@"
|
|
}
|
|
diff() { command diff --color=auto --text "$@"; }
|
|
|
|
# create disk image
|
|
CRYPT_IMG="$TMPDIR/disk.img"
|
|
CRYPT_DEV=""
|
|
install -m0600 /dev/null "$TMPDIR/keyfile"
|
|
disk_setup() {
|
|
local lo
|
|
for lo in $(losetup -j "$CRYPT_IMG" | cut -sd: -f1); do
|
|
losetup -d "$lo"
|
|
done
|
|
dd if="/dev/zero" of="$CRYPT_IMG" bs=1M count=64
|
|
CRYPT_DEV="$(losetup --find --show -- "$CRYPT_IMG")"
|
|
}
|
|
|
|
|
|
#######################################################################
|
|
# make sure empty passphrases are NEVER accepted
|
|
|
|
disk_setup
|
|
! cryptsetup luksFormat "$CRYPT_DEV" </dev/null || exit 1
|
|
! blkid -p "$CRYPT_DEV" || exit 1
|
|
|
|
! echo -n "" | cryptsetup luksFormat "$CRYPT_DEV" - || exit 1
|
|
! blkid -p "$CRYPT_DEV" || exit 1
|
|
|
|
! cryptsetup luksFormat --batch-mode "$CRYPT_DEV" /dev/null || exit 1
|
|
! blkid -p "$CRYPT_DEV" || exit 1
|
|
|
|
! cryptsetup luksFormat --batch-mode "$CRYPT_DEV" </dev/null || exit 1
|
|
! blkid -p "$CRYPT_DEV" || exit 1
|
|
|
|
! echo -n "" | luks2Format "$CRYPT_DEV" - || exit 1
|
|
! blkid -p "$CRYPT_DEV" || exit 1
|
|
|
|
|
|
#######################################################################
|
|
# LUKS
|
|
|
|
# interactive
|
|
disk_setup
|
|
cat /proc/sys/kernel/random/uuid >"$TMPDIR/passphrase"
|
|
luks2Format -- "$CRYPT_DEV" <"$TMPDIR/passphrase"
|
|
t="$(blkid -s TYPE -o value -- "$CRYPT_DEV")"
|
|
test "$t" = "crypto_LUKS"
|
|
|
|
cat >/etc/crypttab <<-EOF
|
|
test0_crypt $CRYPT_DEV none
|
|
EOF
|
|
cryptdisks_start test0_crypt </dev/tty & pid=$!
|
|
|
|
# check command line and environment
|
|
until [ -p /lib/cryptsetup/passfifo ]; do sleep 1; done
|
|
pid2="$(find /proc/[0-9]* -mindepth 1 -maxdepth 1 -name "exe" \
|
|
-execdir sh -euc 'diff -q -- "$0" /usr/lib/cryptsetup/askpass >/dev/null' {} \; \
|
|
-print 2>/dev/null | cut -sd/ -f3)"
|
|
test -n "$pid2"
|
|
printf '%s\0Please unlock disk %s: \0' /lib/cryptsetup/askpass test0_crypt >"$TMPDIR/cmdline"
|
|
diff -u --label=a/cmdline --label=b/cmdline -- "$TMPDIR/cmdline" "/proc/$pid2/cmdline"
|
|
tr '\n' '\0' >"$TMPDIR/environ" <<-EOF
|
|
CRYPTTAB_NAME=test0_crypt
|
|
CRYPTTAB_OPTIONS=
|
|
CRYPTTAB_SOURCE=$CRYPT_DEV
|
|
CRYPTTAB_TRIED=0
|
|
_CRYPTTAB_NAME=test0_crypt
|
|
_CRYPTTAB_OPTIONS=
|
|
_CRYPTTAB_SOURCE=$CRYPT_DEV
|
|
EOF
|
|
grep -Ez "^_?CRYPTTAB_" <"/proc/$pid2/environ" | sort -z | diff -u --label=a/environ --label=b/environ -- "$TMPDIR/environ" -
|
|
|
|
# unlock device
|
|
tr -d '\n' <"$TMPDIR/passphrase" >/lib/cryptsetup/passfifo # remove trailing newline
|
|
wait $pid
|
|
stty sane || true
|
|
test -b /dev/mapper/test0_crypt
|
|
|
|
# check default cipher (if it changes we probably want to update the doc and revise some scripts)
|
|
cipher="$(dmsetup table --target=crypt test0_crypt | cut -d" " -f4)"
|
|
test "$cipher" = "aes-xts-plain64"
|
|
|
|
# make sure the kernel keyring is used by default for the encryption key
|
|
key="$(dmsetup table --target=crypt test0_crypt | cut -d" " -f5)"
|
|
test "${key:0:21}" = ":64:logon:cryptsetup:"
|
|
|
|
cryptdisks_stop test0_crypt
|
|
|
|
# remove trailing newline and unlock via key file
|
|
tr -d '\n' <"$TMPDIR/passphrase" >"$TMPDIR/keyfile"
|
|
cat >/etc/crypttab <<-EOF
|
|
test0_crypt $CRYPT_DEV $TMPDIR/keyfile
|
|
EOF
|
|
cryptdisks_start test0_crypt
|
|
test -b /dev/mapper/test0_crypt
|
|
cryptdisks_stop test0_crypt
|
|
|
|
# special characters
|
|
ln -sT -- keyfile "$TMPDIR/key fi:le"
|
|
cat >/etc/crypttab <<-EOF
|
|
test0\\0045crypt $CRYPT_DEV $TMPDIR/key\\0040fi\\0072le
|
|
EOF
|
|
cryptdisks_start "test0%crypt"
|
|
dmsetup table --target=crypt "test0%crypt" | cut -d" " -f5 | grep -F ":64:logon:cryptsetup:" # name in /dev/mapper is probably mangled
|
|
cryptdisks_stop "test0%crypt"
|
|
|
|
|
|
#######################################################################
|
|
# cipher=, size= (plain)
|
|
|
|
disk_setup
|
|
head -c32 </dev/urandom >"$TMPDIR/keyfile"
|
|
cat >/etc/crypttab <<-EOF
|
|
plain_crypt $CRYPT_DEV $TMPDIR/keyfile plain,cipher=twofish-cbc-essiv:sha256,size=256
|
|
EOF
|
|
|
|
cryptdisks_start plain_crypt
|
|
test -b /dev/mapper/plain_crypt
|
|
|
|
# check cipher
|
|
cipher="$(dmsetup table --target=crypt plain_crypt | cut -d" " -f4)"
|
|
test "$cipher" = "twofish-cbc-essiv:sha256"
|
|
|
|
# check encryption key
|
|
xxd -ps -c256 "$TMPDIR/keyfile" >"$TMPDIR/keyfile-hex"
|
|
dmsetup table --target=crypt --showkeys plain_crypt | cut -d" " -f5 | \
|
|
diff --label=a/key --label=b/key "$TMPDIR/keyfile-hex" -
|
|
|
|
cryptdisks_stop plain_crypt
|
|
|
|
|
|
#######################################################################
|
|
# sector-size=
|
|
|
|
disk_setup
|
|
cat >/etc/crypttab <<-EOF
|
|
sector_crypt $CRYPT_DEV /dev/urandom plain,cipher=aes-xts-plain64,size=256,sector-size=4096
|
|
EOF
|
|
|
|
cryptdisks_start sector_crypt
|
|
test -b /dev/mapper/sector_crypt
|
|
|
|
dmsetup table --target=crypt sector_crypt | cut -d" " -f10- | grep -Fw "sector_size:4096"
|
|
|
|
cryptdisks_stop sector_crypt
|
|
|
|
|
|
#######################################################################
|
|
# hash= (interactive, ignored with keyfile)
|
|
|
|
disk_setup
|
|
cat /proc/sys/kernel/random/uuid >"$TMPDIR/passphrase"
|
|
cat >/etc/crypttab <<-EOF
|
|
hash_crypt $CRYPT_DEV none plain,cipher=aes-xts-plain64,size=256,hash=sha256
|
|
EOF
|
|
|
|
cryptdisks_start hash_crypt </dev/tty & pid=$!
|
|
until [ -p /lib/cryptsetup/passfifo ]; do sleep 1; done
|
|
tr -d '\n' <"$TMPDIR/passphrase" >/lib/cryptsetup/passfifo # remove trailing newline
|
|
wait $pid
|
|
stty sane || true
|
|
test -b /dev/mapper/hash_crypt
|
|
|
|
# check encryption key
|
|
tr -d '\n' <"$TMPDIR/passphrase" | sha256sum | cut -d" " -f1 >"$TMPDIR/passphrase-hash"
|
|
dmsetup table --target=crypt --showkeys hash_crypt | cut -d" " -f5 | \
|
|
diff --label=a/key --label=b/key "$TMPDIR/passphrase-hash" -
|
|
cryptdisks_stop hash_crypt
|
|
|
|
|
|
#######################################################################
|
|
# offset=, skip=
|
|
|
|
offset=2048 # in 512 byte sectors
|
|
skip=256 # in 512 byte sectors
|
|
disk_setup
|
|
cat >/etc/crypttab <<-EOF
|
|
offset_crypt $CRYPT_DEV /dev/urandom plain,cipher=aes-xts-plain64,size=256,offset=$offset,skip=$skip
|
|
EOF
|
|
|
|
# having an existing file system before the offset has no effect (cf. #994056)
|
|
dmsetup create hidden --table "0 $offset linear $CRYPT_DEV 0"
|
|
mke2fs -t ext2 -m0 -Fq /dev/mapper/hidden
|
|
u="$(blkid -p -s UUID -o value /dev/mapper/hidden)"
|
|
dd if=/dev/mapper/hidden of="$TMPDIR/hidden.img" bs=512
|
|
dmsetup remove hidden
|
|
u2="$(blkid -p -s UUID -o value -- "$CRYPT_DEV")"
|
|
test "$u" = "$u2"
|
|
|
|
cryptdisks_start offset_crypt
|
|
test -b /dev/mapper/offset_crypt
|
|
|
|
# check offset and skip values
|
|
offset2="$(dmsetup table --target=crypt offset_crypt | cut -d" " -f8)" && test $offset -eq $offset2
|
|
skip2="$( dmsetup table --target=crypt offset_crypt | cut -d" " -f6)" && test $skip -eq $skip2
|
|
|
|
# ensure that the first 2048 sectors (only) are left zeroed out
|
|
dd if=/dev/zero of=/dev/mapper/offset_crypt bs=1M || true
|
|
cryptdisks_stop offset_crypt
|
|
|
|
dd if="$CRYPT_DEV" of="$TMPDIR/hidden2.img" bs=512 count="$offset"
|
|
command diff -q -- "$TMPDIR/hidden.img" "$TMPDIR/hidden2.img" || exit 1
|
|
! xxd -l32 -s$((offset*512)) -ps -c32 <"$CRYPT_DEV" | grep -Fxq 0000000000000000000000000000000000000000000000000000000000000000
|
|
rm -f -- "$TMPDIR/hidden.img" "$TMPDIR/hidden2.img"
|
|
|
|
|
|
#######################################################################
|
|
# keyfile-offset=, keyfile-size=
|
|
|
|
disk_setup
|
|
head -c32 </dev/urandom >"$TMPDIR/keyfile"
|
|
luks2Format -- "$CRYPT_DEV" "$TMPDIR/keyfile"
|
|
install -m0600 /dev/null "$TMPDIR/keyfile2"
|
|
|
|
# keyfile-offset=
|
|
head -c1024 </dev/urandom >"$TMPDIR/keyfile2"
|
|
cat "$TMPDIR/keyfile" >>"$TMPDIR/keyfile2"
|
|
cat >/etc/crypttab <<-EOF
|
|
keyfile_crypt $CRYPT_DEV $TMPDIR/keyfile2 keyfile-offset=1024
|
|
EOF
|
|
cryptdisks_start keyfile_crypt
|
|
test -b /dev/mapper/keyfile_crypt
|
|
cryptdisks_stop keyfile_crypt
|
|
|
|
# keyfile-size=
|
|
cat "$TMPDIR/keyfile" >"$TMPDIR/keyfile2"
|
|
head -c1024 </dev/urandom >>"$TMPDIR/keyfile2"
|
|
cat >/etc/crypttab <<-EOF
|
|
keyfile_crypt $CRYPT_DEV $TMPDIR/keyfile2 keyfile-size=32
|
|
EOF
|
|
cryptdisks_start keyfile_crypt
|
|
test -b /dev/mapper/keyfile_crypt
|
|
cryptdisks_stop keyfile_crypt
|
|
|
|
# keyfile-offset= + keyfile-size=
|
|
head -c32 </dev/urandom >"$TMPDIR/keyfile2"
|
|
cat "$TMPDIR/keyfile" >>"$TMPDIR/keyfile2"
|
|
head -c32 </dev/urandom >>"$TMPDIR/keyfile2"
|
|
cat >/etc/crypttab <<-EOF
|
|
keyfile_crypt $CRYPT_DEV $TMPDIR/keyfile2 keyfile-offset=32,keyfile-size=32
|
|
EOF
|
|
cryptdisks_start keyfile_crypt
|
|
test -b /dev/mapper/keyfile_crypt
|
|
cryptdisks_stop keyfile_crypt
|
|
|
|
# make sure the key isn't valid without offset and size
|
|
cat >/etc/crypttab <<-EOF
|
|
keyfile_crypt $CRYPT_DEV $TMPDIR/keyfile2
|
|
EOF
|
|
! cryptdisks_start keyfile_crypt
|
|
test ! -b /dev/mapper/keyfile_crypt
|
|
rm -vf -- "$TMPDIR/keyfile2"
|
|
|
|
|
|
#######################################################################
|
|
# key-slot=
|
|
|
|
disk_setup
|
|
head -c32 </dev/urandom >"$TMPDIR/keyfile"
|
|
luks2Format --key-slot=0 -- "$CRYPT_DEV" "$TMPDIR/keyfile"
|
|
|
|
install -m0600 /dev/null "$TMPDIR/keyfile2"
|
|
head -c32 </dev/urandom >"$TMPDIR/keyfile2"
|
|
cryptsetup luksAddKey --key-file="$TMPDIR/keyfile" \
|
|
--pbkdf=pbkdf2 --pbkdf-force-iterations=1000 \
|
|
--key-slot=1 -- "$CRYPT_DEV" "$TMPDIR/keyfile2"
|
|
|
|
cryptsetup luksOpen --test-passphrase --key-file="$TMPDIR/keyfile" --key-slot=0 -- "$CRYPT_DEV"
|
|
cryptsetup luksOpen --test-passphrase --key-file="$TMPDIR/keyfile2" --key-slot=1 -- "$CRYPT_DEV"
|
|
|
|
# use slot #1 after trying #0
|
|
cat >/etc/crypttab <<-EOF
|
|
keyslot_crypt $CRYPT_DEV $TMPDIR/keyfile2
|
|
EOF
|
|
cryptdisks_start keyslot_crypt
|
|
test -b /dev/mapper/keyslot_crypt
|
|
cryptdisks_stop keyslot_crypt
|
|
|
|
# use wrong slot #0
|
|
cat >/etc/crypttab <<-EOF
|
|
keyslot_crypt $CRYPT_DEV $TMPDIR/keyfile2 key-slot=0
|
|
EOF
|
|
! cryptdisks_start keyslot_crypt
|
|
test ! -b /dev/mapper/keyslot_crypt
|
|
|
|
# use right slot #1
|
|
cat >/etc/crypttab <<-EOF
|
|
keyslot_crypt $CRYPT_DEV $TMPDIR/keyfile2 key-slot=1
|
|
EOF
|
|
cryptdisks_start keyslot_crypt
|
|
test -b /dev/mapper/keyslot_crypt
|
|
cryptdisks_stop keyslot_crypt
|
|
rm -f -- "$TMPDIR/keyfile2"
|
|
|
|
|
|
#######################################################################
|
|
# header=
|
|
|
|
disk_setup
|
|
head -c32 </dev/urandom >"$TMPDIR/keyfile"
|
|
luks2Format --header="$TMPDIR/crypt_img.hdr" -- "$CRYPT_DEV" "$TMPDIR/keyfile"
|
|
test -f "$TMPDIR/crypt_img.hdr"
|
|
|
|
# make sure the signature is on the header only
|
|
t="$(blkid -s TYPE -o value -- "$TMPDIR/crypt_img.hdr")"
|
|
test "$t" = "crypto_LUKS"
|
|
! blkid -p -- "$CRYPT_DEV"
|
|
|
|
# make sure we can't unlock without the header
|
|
cat >/etc/crypttab <<-EOF
|
|
header_crypt $CRYPT_DEV $TMPDIR/keyfile luks
|
|
EOF
|
|
! cryptdisks_start header_crypt
|
|
test ! -b /dev/mapper/header_crypt
|
|
|
|
# unlock using the header
|
|
cat >/etc/crypttab <<-EOF
|
|
header_crypt $CRYPT_DEV $TMPDIR/keyfile header=$TMPDIR/crypt_img.hdr
|
|
EOF
|
|
cryptdisks_start header_crypt
|
|
test -b /dev/mapper/header_crypt
|
|
cryptdisks_stop header_crypt
|
|
rm -f -- "$TMPDIR/crypt_img.hdr"
|
|
|
|
|
|
#######################################################################
|
|
# readonly
|
|
|
|
disk_setup
|
|
head -c32 </dev/urandom >"$TMPDIR/keyfile"
|
|
luks2Format -- "$CRYPT_DEV" "$TMPDIR/keyfile"
|
|
|
|
# unlock readonly from crypttab(5)
|
|
cat >/etc/crypttab <<-EOF
|
|
readonly_crypt $CRYPT_DEV $TMPDIR/keyfile readonly
|
|
EOF
|
|
cryptdisks_start readonly_crypt
|
|
test -b /dev/mapper/readonly_crypt
|
|
dm="$(readlink -e "/dev/mapper/readonly_crypt")"
|
|
ro="$(< "/sys/block/${dm##*/}/ro")"
|
|
test "$ro" -eq 1
|
|
cryptdisks_stop readonly_crypt
|
|
|
|
# unlock readonly with --readonly
|
|
cat >/etc/crypttab <<-EOF
|
|
readonly_crypt $CRYPT_DEV $TMPDIR/keyfile
|
|
EOF
|
|
cryptdisks_start --readonly readonly_crypt
|
|
test -b /dev/mapper/readonly_crypt
|
|
dm="$(readlink -e "/dev/mapper/readonly_crypt")"
|
|
ro="$(< "/sys/block/${dm##*/}/ro")"
|
|
test "$ro" -eq 1
|
|
cryptdisks_stop readonly_crypt
|
|
|
|
# double check that default is read-write
|
|
cryptdisks_start readonly_crypt
|
|
test -b /dev/mapper/readonly_crypt
|
|
dm="$(readlink -e "/dev/mapper/readonly_crypt")"
|
|
ro="$(< "/sys/block/${dm##*/}/ro")"
|
|
test "$ro" -eq 0
|
|
cryptdisks_stop readonly_crypt
|
|
|
|
|
|
#######################################################################
|
|
# tries=
|
|
|
|
disk_setup
|
|
head -c32 </dev/urandom >"$TMPDIR/keyfile"
|
|
luks2Format -- "$CRYPT_DEV" "$TMPDIR/keyfile"
|
|
|
|
# fail after 3 tries default
|
|
cat >/etc/crypttab <<-EOF
|
|
tries_crypt $CRYPT_DEV none
|
|
EOF
|
|
|
|
cryptdisks_start tries_crypt </dev/tty & pid=$!
|
|
echo -n bad1 >/lib/cryptsetup/passfifo
|
|
sleep 1
|
|
echo -n bad2 >/lib/cryptsetup/passfifo
|
|
sleep 1
|
|
echo -n bad3 >/lib/cryptsetup/passfifo
|
|
! wait $pid
|
|
stty sane || true
|
|
test ! -b /dev/mapper/tries_crypt
|
|
|
|
# success on the 3rd try
|
|
cryptdisks_start tries_crypt </dev/tty & pid=$!
|
|
echo -n bad1 >/lib/cryptsetup/passfifo
|
|
sleep 1
|
|
echo -n bad2 >/lib/cryptsetup/passfifo
|
|
sleep 1
|
|
cat <"$TMPDIR/keyfile" >/lib/cryptsetup/passfifo
|
|
wait $pid
|
|
stty sane || true
|
|
test -b /dev/mapper/tries_crypt
|
|
cryptdisks_stop tries_crypt
|
|
|
|
# force single try
|
|
cat >/etc/crypttab <<-EOF
|
|
tries_crypt $CRYPT_DEV none tries=1
|
|
EOF
|
|
|
|
cryptdisks_start tries_crypt </dev/tty & pid=$!
|
|
echo -n bad1 >/lib/cryptsetup/passfifo
|
|
! wait $pid
|
|
stty sane || true
|
|
test ! -b /dev/mapper/tries_crypt
|
|
|
|
cryptdisks_start tries_crypt </dev/tty & pid=$!
|
|
cat <"$TMPDIR/keyfile" >/lib/cryptsetup/passfifo
|
|
wait $pid
|
|
stty sane || true
|
|
test -b /dev/mapper/tries_crypt
|
|
cryptdisks_stop tries_crypt
|
|
|
|
|
|
#######################################################################
|
|
# discard
|
|
|
|
disk_setup
|
|
head -c32 </dev/urandom >"$TMPDIR/keyfile"
|
|
luks2Format -- "$CRYPT_DEV" "$TMPDIR/keyfile"
|
|
|
|
cat >/etc/crypttab <<-EOF
|
|
flagopt_crypt $CRYPT_DEV $TMPDIR/keyfile discard
|
|
EOF
|
|
|
|
cryptdisks_start flagopt_crypt
|
|
dmsetup table --target=crypt flagopt_crypt | cut -d" " -f10- | grep -Fw "allow_discards"
|
|
cryptdisks_stop flagopt_crypt
|
|
|
|
|
|
#######################################################################
|
|
# same-cpu-crypt
|
|
|
|
cat >/etc/crypttab <<-EOF
|
|
flagopt_crypt $CRYPT_DEV $TMPDIR/keyfile same-cpu-crypt
|
|
EOF
|
|
|
|
cryptdisks_start flagopt_crypt
|
|
dmsetup table --target=crypt flagopt_crypt | cut -d" " -f10- | grep -Fw "same_cpu_crypt"
|
|
cryptdisks_stop flagopt_crypt
|
|
|
|
|
|
#######################################################################
|
|
# submit-from-crypt-cpus
|
|
|
|
cat >/etc/crypttab <<-EOF
|
|
flagopt_crypt $CRYPT_DEV $TMPDIR/keyfile submit-from-crypt-cpus
|
|
EOF
|
|
|
|
cryptdisks_start flagopt_crypt
|
|
dmsetup table --target=crypt flagopt_crypt | cut -d" " -f10- | grep -Fw "submit_from_crypt_cpus"
|
|
cryptdisks_stop flagopt_crypt
|
|
|
|
|
|
#######################################################################
|
|
# no-read-workqueue
|
|
|
|
cat >/etc/crypttab <<-EOF
|
|
flagopt_crypt $CRYPT_DEV $TMPDIR/keyfile no-read-workqueue
|
|
EOF
|
|
|
|
cryptdisks_start flagopt_crypt
|
|
dmsetup table --target=crypt flagopt_crypt | cut -d" " -f10- | grep -Fw "no_read_workqueue"
|
|
cryptdisks_stop flagopt_crypt
|
|
|
|
|
|
#######################################################################
|
|
# no-write-workqueue
|
|
|
|
cat >/etc/crypttab <<-EOF
|
|
flagopt_crypt $CRYPT_DEV $TMPDIR/keyfile no-write-workqueue
|
|
EOF
|
|
|
|
cryptdisks_start flagopt_crypt
|
|
dmsetup table --target=crypt flagopt_crypt | cut -d" " -f10- | grep -Fw "no_write_workqueue"
|
|
cryptdisks_stop flagopt_crypt
|
|
|
|
|
|
#######################################################################
|
|
# swap
|
|
|
|
disk_setup
|
|
cat >/etc/crypttab <<-EOF
|
|
swap_crypt $CRYPT_DEV /dev/urandom plain,cipher=aes-xts-plain64,size=256,swap
|
|
EOF
|
|
|
|
cryptdisks_start swap_crypt
|
|
test -b /dev/mapper/swap_crypt
|
|
|
|
t="$(blkid -s TYPE -o value /dev/mapper/swap_crypt)"
|
|
test "$t" = "swap"
|
|
cryptdisks_stop swap_crypt
|
|
|
|
# refuse to proceed if the target contains a file system...
|
|
head -c32 </dev/urandom >"$TMPDIR/keyfile"
|
|
luks2Format -- "$CRYPT_DEV" "$TMPDIR/keyfile"
|
|
|
|
cat >/etc/crypttab <<-EOF
|
|
swap_crypt $CRYPT_DEV $TMPDIR/keyfile swap
|
|
swap_crypt2 $CRYPT_DEV $TMPDIR/keyfile
|
|
EOF
|
|
cryptdisks_start swap_crypt2
|
|
mke2fs -t ext4 -m0 -Fq /dev/mapper/swap_crypt2
|
|
t="$(blkid -s TYPE -o value /dev/mapper/swap_crypt2)"
|
|
test "$t" = "ext4"
|
|
cryptdisks_stop swap_crypt2
|
|
|
|
! cryptdisks_start swap_crypt
|
|
test ! -b /dev/mapper/swap_crypt
|
|
|
|
# ... unless that's already a swap device
|
|
cryptdisks_start swap_crypt2
|
|
mkswap -f /dev/mapper/swap_crypt2
|
|
t="$(blkid -s TYPE -o value /dev/mapper/swap_crypt2)"
|
|
test "$t" = "swap"
|
|
u="$(blkid -s UUID -o value /dev/mapper/swap_crypt2)"
|
|
cryptdisks_stop swap_crypt2
|
|
|
|
cryptdisks_start swap_crypt
|
|
test -b /dev/mapper/swap_crypt
|
|
t="$(blkid -s TYPE -o value /dev/mapper/swap_crypt)"
|
|
test "$t" = "swap"
|
|
u2="$(blkid -s UUID -o value /dev/mapper/swap_crypt)"
|
|
test "$u" != "$u2"
|
|
cryptdisks_stop swap_crypt
|
|
|
|
|
|
#######################################################################
|
|
# tmp=
|
|
|
|
disk_setup
|
|
cat >/etc/crypttab <<-EOF
|
|
tmp_crypt $CRYPT_DEV /dev/urandom plain,cipher=aes-xts-plain64,size=256,tmp=ext2
|
|
EOF
|
|
|
|
# run mkfs.ext2
|
|
cryptdisks_start tmp_crypt
|
|
test -b /dev/mapper/tmp_crypt
|
|
|
|
t="$(blkid -s TYPE -o value /dev/mapper/tmp_crypt)"
|
|
test "$t" = "ext2"
|
|
cryptdisks_stop tmp_crypt
|
|
|
|
# default type is ext4
|
|
cat >/etc/crypttab <<-EOF
|
|
tmp_crypt $CRYPT_DEV /dev/urandom plain,cipher=aes-xts-plain64,size=256,tmp
|
|
EOF
|
|
cryptdisks_start tmp_crypt
|
|
t="$(blkid -s TYPE -o value /dev/mapper/tmp_crypt)"
|
|
test "$t" = "ext4"
|
|
cryptdisks_stop tmp_crypt
|
|
|
|
|
|
#######################################################################
|
|
# check=
|
|
|
|
disk_setup
|
|
cat >/etc/crypttab <<-EOF
|
|
check_crypt $CRYPT_DEV /dev/urandom plain,cipher=aes-xts-plain64,size=256
|
|
EOF
|
|
|
|
# precheck failed: $CRYPT_DEV contains a filesystem
|
|
mke2fs -t ext4 -m0 -Fq -- "$CRYPT_DEV"
|
|
t="$(blkid -s TYPE -o value -- "$CRYPT_DEV")"
|
|
test "$t" = "ext4"
|
|
! cryptdisks_start check_crypt
|
|
test ! -b /dev/mapper/check_crypt
|
|
|
|
# precheck failed: $CRYPT_DEV contains a filesystem at the given offset (cf. #994056)
|
|
offset=2048
|
|
disk_setup
|
|
cat >/etc/crypttab <<-EOF
|
|
check_crypt $CRYPT_DEV /dev/urandom plain,cipher=aes-xts-plain64,size=256,offset=$offset
|
|
EOF
|
|
|
|
dmsetup create hidden --table "0 4096 linear $CRYPT_DEV $offset"
|
|
mke2fs -t ext2 -m0 -Fq /dev/mapper/hidden
|
|
u="$(blkid -p -s UUID -o value /dev/mapper/hidden)"
|
|
dmsetup remove hidden
|
|
u2="$(blkid -p -O$((offset*512)) -s UUID -o value -- "$CRYPT_DEV")"
|
|
test "$u" = "$u2"
|
|
t="$(blkid -p -O$((offset*512)) -s TYPE -o value -- "$CRYPT_DEV")"
|
|
test "$t" = "ext2"
|
|
|
|
! cryptdisks_start check_crypt
|
|
test ! -b /dev/mapper/check_crypt
|
|
|
|
# check failed: mapped device does not contain a known file system
|
|
disk_setup
|
|
head -c32 </dev/urandom >"$TMPDIR/keyfile"
|
|
cat >/etc/crypttab <<-EOF
|
|
check_crypt $CRYPT_DEV $TMPDIR/keyfile plain,cipher=aes-xts-plain64,size=256,check
|
|
check_crypt2 $CRYPT_DEV $TMPDIR/keyfile plain,cipher=aes-xts-plain64,size=256
|
|
EOF
|
|
|
|
! cryptdisks_start check_crypt
|
|
test ! -b /dev/mapper/check_crypt
|
|
|
|
# success
|
|
cryptdisks_start check_crypt2
|
|
mke2fs -t ext4 -m0 -Fq /dev/mapper/check_crypt2
|
|
u="$(blkid -s UUID -o value /dev/mapper/check_crypt2)"
|
|
cryptdisks_stop check_crypt2
|
|
cryptdisks_start check_crypt
|
|
test -b /dev/mapper/check_crypt
|
|
u2="$(blkid -s UUID -o value /dev/mapper/check_crypt)"
|
|
test "$u" = "$u2"
|
|
cryptdisks_stop check_crypt
|
|
|
|
# custom check
|
|
install -m0755 -- /dev/null "$TMPDIR/check"
|
|
cat >"$TMPDIR/check" <<-EOF
|
|
#!/bin/bash
|
|
printf '%s\\0' "\$0" >"$TMPDIR/cmdline"
|
|
while [ \$# -gt 0 ]; do
|
|
printf '%s\\0' "\$1"
|
|
shift
|
|
done >>"$TMPDIR/cmdline"
|
|
exit 0
|
|
EOF
|
|
|
|
cat >/etc/crypttab <<-EOF
|
|
check_crypt $CRYPT_DEV $TMPDIR/keyfile plain,cipher=aes-xts-plain64,size=256,check=$TMPDIR/check
|
|
EOF
|
|
cryptdisks_start check_crypt
|
|
dm="$(readlink -e "/dev/mapper/check_crypt")"
|
|
cryptdisks_stop check_crypt
|
|
printf '%s\0%s\0' "$TMPDIR/check" "$dm" >"$TMPDIR/cmdline2"
|
|
diff -u --label=a/cmdline --label=b/cmdline -- "$TMPDIR/cmdline2" "$TMPDIR/cmdline"
|
|
|
|
|
|
#######################################################################
|
|
# checkargs=
|
|
|
|
disk_setup
|
|
head -c32 </dev/urandom >"$TMPDIR/keyfile"
|
|
cat >/etc/crypttab <<-EOF
|
|
checkargs_crypt $CRYPT_DEV $TMPDIR/keyfile plain,cipher=aes-xts-plain64,size=256,check,checkargs=ext4
|
|
checkargs_crypt2 $CRYPT_DEV $TMPDIR/keyfile plain,cipher=aes-xts-plain64,size=256
|
|
EOF
|
|
|
|
# check failed: mapped device does not contain a known file system
|
|
! cryptdisks_start checkargs_crypt
|
|
test ! -b /dev/mapper/checkargs_crypt
|
|
|
|
# check failed: mapped device is not ext4
|
|
cryptdisks_start checkargs_crypt2
|
|
mke2fs -t ext2 -m0 -Fq /dev/mapper/checkargs_crypt2
|
|
cryptdisks_stop checkargs_crypt2
|
|
! cryptdisks_start checkargs_crypt
|
|
test ! -b /dev/mapper/checkargs_crypt
|
|
|
|
# success
|
|
cryptdisks_start checkargs_crypt2
|
|
mke2fs -t ext4 -m0 -Fq /dev/mapper/checkargs_crypt2
|
|
u="$(blkid -s UUID -o value /dev/mapper/checkargs_crypt2)"
|
|
cryptdisks_stop checkargs_crypt2
|
|
cryptdisks_start checkargs_crypt
|
|
u2="$(blkid -s UUID -o value /dev/mapper/checkargs_crypt)"
|
|
test "$u" = "$u2"
|
|
test -b /dev/mapper/checkargs_crypt
|
|
cryptdisks_stop checkargs_crypt
|
|
|
|
# check failed: mapped device is not ext2
|
|
sed -i "s/checkargs=ext4/checkargs=ext2/" /etc/crypttab
|
|
! cryptdisks_start checkargs_crypt
|
|
test ! -b /dev/mapper/checkargs_crypt
|
|
|
|
# custom check
|
|
cat >/etc/crypttab <<-EOF
|
|
checkargs_crypt $CRYPT_DEV $TMPDIR/keyfile plain,cipher=aes-xts-plain64,size=256,check=$TMPDIR/check,checkargs=foo\\0012b\\0011a\\0054r\\0040
|
|
EOF
|
|
cryptdisks_start checkargs_crypt
|
|
dm="$(readlink -e "/dev/mapper/checkargs_crypt")"
|
|
cryptdisks_stop checkargs_crypt
|
|
printf '%s\0%s\0foo\nb\ta,r \0' "$TMPDIR/check" "$dm" >"$TMPDIR/cmdline2"
|
|
diff -u --label=a/cmdline --label=b/cmdline -- "$TMPDIR/cmdline2" "$TMPDIR/cmdline"
|
|
|
|
|
|
#######################################################################
|
|
# noauto
|
|
|
|
disk_setup
|
|
head -c32 </dev/urandom >"$TMPDIR/keyfile"
|
|
luks2Format -- "$CRYPT_DEV" "$TMPDIR/keyfile"
|
|
|
|
cat >/etc/crypttab <<-EOF
|
|
noauto_crypt $CRYPT_DEV $TMPDIR/keyfile noauto
|
|
EOF
|
|
cryptdisks_start noauto_crypt
|
|
test -b /dev/mapper/noauto_crypt
|
|
cryptdisks_stop noauto_crypt
|
|
|
|
|
|
#######################################################################
|
|
# (custom) keyscript
|
|
|
|
disk_setup
|
|
head -c32 </dev/urandom >"$TMPDIR/keyfile"
|
|
luks2Format -- "$CRYPT_DEV" "$TMPDIR/keyfile"
|
|
|
|
KEYSCRIPT="$TMPDIR/decrypt_foo,bar
|
|
b a z"
|
|
|
|
# make sure we export CRYPTTAB_* as documented
|
|
install -m0755 -- /dev/null "$KEYSCRIPT"
|
|
cat >"$KEYSCRIPT" <<-EOF
|
|
#!/bin/bash
|
|
printf '%s\\0' "\$0" >"$TMPDIR/cmdline"
|
|
while [ \$# -gt 0 ]; do
|
|
printf '%s\\0' "\$1"
|
|
shift
|
|
done >>"$TMPDIR/cmdline"
|
|
install -m0600 "/proc/\$\$/environ" "$TMPDIR/environ"
|
|
cat <"$TMPDIR/keyfile"
|
|
EOF
|
|
|
|
# add extra unknown option (visible in $CRYPTTAB_OPTIONS but there is no $CRYPTTAB_OPTION_*)
|
|
cat >/etc/crypttab <<-EOF
|
|
keyscript\\0045crypt $CRYPT_IMG foo\\0011bar\\0040baz nonexistent,keyscript=$TMPDIR/decrypt_foo\\0054bar\\0012b\\0040a\\0040z,luks
|
|
EOF
|
|
|
|
cryptdisks_start "keyscript%crypt"
|
|
dmsetup table --target=crypt "keyscript%crypt" | cut -d" " -f5 | grep -F ":64:logon:cryptsetup:" # name in /dev/mapper is probably mangled
|
|
cryptdisks_stop "keyscript%crypt"
|
|
|
|
# compare command line
|
|
printf '%s\0foo\tbar baz\0' "$KEYSCRIPT" >"$TMPDIR/cmdline2"
|
|
diff -u --label=a/cmdline --label=b/cmdline -- "$TMPDIR/cmdline2" "$TMPDIR/cmdline"
|
|
|
|
# compare environment
|
|
tr '\n' '\0' <<-EOF | sed -rz "s|@@DECRYPT_FOOBAR@@|${KEYSCRIPT//$'\n'/"\\n"}|" >"$TMPDIR/environ2"
|
|
CRYPTTAB_KEY=foo bar baz
|
|
CRYPTTAB_NAME=keyscript%crypt
|
|
CRYPTTAB_OPTIONS=nonexistent,keyscript=@@DECRYPT_FOOBAR@@,luks
|
|
CRYPTTAB_OPTION_keyscript=@@DECRYPT_FOOBAR@@
|
|
CRYPTTAB_OPTION_luks=yes
|
|
CRYPTTAB_SOURCE=$CRYPT_IMG
|
|
CRYPTTAB_TRIED=0
|
|
_CRYPTTAB_KEY=foo\\0011bar\\0040baz
|
|
_CRYPTTAB_NAME=keyscript\\0045crypt
|
|
_CRYPTTAB_OPTIONS=nonexistent,keyscript=$TMPDIR/decrypt_foo\\0054bar\\0012b\\0040a\\0040z,luks
|
|
_CRYPTTAB_SOURCE=$CRYPT_IMG
|
|
EOF
|
|
grep -Ez "^_?CRYPTTAB_" <"$TMPDIR/environ" | sort -z | diff -u --label=a/environ --label=b/environ -- "$TMPDIR/environ2" -
|