diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 00:31:19 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 00:31:19 +0000 |
commit | 6e33fee6f4a7e2041dd276995b402ca036fcab14 (patch) | |
tree | 85be5c41f2715d7d4d24cfa220197f1e2c778259 /tests/integrity-compat-test | |
parent | Initial commit. (diff) | |
download | cryptsetup-6e33fee6f4a7e2041dd276995b402ca036fcab14.tar.xz cryptsetup-6e33fee6f4a7e2041dd276995b402ca036fcab14.zip |
Adding upstream version 2:2.1.0.upstream/2%2.1.0upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'tests/integrity-compat-test')
-rwxr-xr-x | tests/integrity-compat-test | 363 |
1 files changed, 363 insertions, 0 deletions
diff --git a/tests/integrity-compat-test b/tests/integrity-compat-test new file mode 100755 index 0000000..58b36e9 --- /dev/null +++ b/tests/integrity-compat-test @@ -0,0 +1,363 @@ +#!/bin/bash +# +# Test integritysetup compatibility. +# +INTSETUP=../integritysetup +INTSETUP_VALGRIND=../.libs/integritysetup +INTSETUP_LIB_VALGRIND=../.libs + +DEV_NAME=dmc_test +DEV=test123.img +DEV2=test124.img +KEY_FILE=key.img + +dmremove() { # device + udevadm settle >/dev/null 2>&1 + dmsetup remove $1 >/dev/null 2>&1 +} + +cleanup() { + [ -b /dev/mapper/$DEV_NAME ] && dmremove $DEV_NAME + rm -f $DEV $DEV2 $KEY_FILE >/dev/null 2>&1 +} + +fail() +{ + echo + echo "FAILED at line $(caller)" + cleanup + exit 100 +} + +skip() +{ + [ -n "$1" ] && echo "$1" + exit 77 +} + +function dm_integrity_features() +{ + VER_STR=$(dmsetup targets | grep integrity | cut -f2 -dv) + [ -z "$VER_STR" ] && skip "Cannot find dm-integrity target, test skipped." + + VER_MAJ=$(echo $VER_STR | cut -f 1 -d.) + VER_MIN=$(echo $VER_STR | cut -f 2 -d.) + VER_PTC=$(echo $VER_STR | cut -f 3 -d.) + + [ $VER_MAJ -lt 1 ] && return + [ $VER_MIN -gt 1 ] && { + DM_INTEGRITY_META=1 + DM_INTEGRITY_RECALC=1 + } +} + +add_device() { + cleanup + dd if=/dev/urandom of=$KEY_FILE bs=1 count=512 >/dev/null 2>&1 + dd if=/dev/zero of=$DEV bs=1M count=32 >/dev/null 2>&1 + dd if=/dev/zero of=$DEV2 bs=1M count=32 >/dev/null 2>&1 + sync +} + +status_check() # name value +{ + X=$($INTSETUP status $DEV_NAME | grep "$1" | sed 's/.*: //' | sed 's/^[[:space:]]*//') + if [ "$X" != "$2" ] ; then + echo "[status FAIL]" + echo " Expecting $1:$2 got \"$X\"." + fail + fi +} + +dump_check() # name value +{ + X=$($INTSETUP dump $DEV | grep "$1" | cut -d' ' -f 2) + if [ "$X" != "$2" ] ; then + echo "[dump FAIL]" + echo " Expecting $1:$2 got \"$X\"." + fail + fi +} + +kernel_param_check() # number value +{ + X=$(dmsetup table $DEV_NAME | cut -d " " -f $1) + if [ "$X" != $2 ] ; then + echo "[param_check FAIL]" + echo "Expecting $2 got \"$X\"." + fail + fi +} + +function valgrind_setup() +{ + which valgrind >/dev/null 2>&1 || fail "Cannot find valgrind." + [ ! -f $INTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." + export LD_LIBRARY_PATH="$INTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" +} + +function valgrind_run() +{ + INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${INTSETUP_VALGRIND} "$@" +} + +int_check_sum_only() # checksum +{ + VSUM=$(sha256sum /dev/mapper/$DEV_NAME | cut -d' ' -f 1) + if [ "$VSUM" = "$1" ] ; then + echo -n "[CHECKSUM OK]" + else + echo "[FAIL]" + echo " Expecting $1 got $VSUM." + fail + fi +} + +int_check_sum() # alg checksum [keyfile keysize] +{ + if [ -n "$4" ] ; then + KEY_PARAMS="--integrity-key-file $3 --integrity-key-size $4" + else + KEY_PARAMS="" + fi + + # Fill device with zeroes and reopen it + dd if=/dev/zero of=/dev/mapper/$DEV_NAME bs=1M oflag=direct >/dev/null 2>&1 + dmremove $DEV_NAME + + $INTSETUP open $DEV $DEV_NAME --integrity $1 $KEY_PARAMS || fail "Cannot activate device." + + int_check_sum_only $2 +} + +intformat() # alg alg_out tagsize sector_size csum [keyfile keysize] +{ + if [ -n "$7" ] ; then + KEY_PARAMS="--integrity-key-file $6 --integrity-key-size $7" + else + KEY_PARAMS="" + fi + + echo -n "[INTEGRITY:$2:$3:$4]" + echo -n "[FORMAT]" + $INTSETUP format -q --integrity $1 --tag-size $3 --sector-size $4 $KEY_PARAMS $DEV || fail "Cannot format device." + dump_check "tag_size" $3 + dump_check "sector_size" $4 + echo -n "[ACTIVATE]" + $INTSETUP open $DEV $DEV_NAME --integrity $1 $KEY_PARAMS || fail "Cannot activate device." + status_check "tag size" $3 + status_check "integrity" $2 + status_check "sector size" "$4 bytes" + int_check_sum $1 $5 $6 $7 + echo -n "[REMOVE]" + $INTSETUP close $DEV_NAME || fail "Cannot deactivate device." + echo "[OK]" +} + +int_error_detection() # alg tagsize sector_size key_file key_size +{ + if [ -n "$5" ] ; then + KEY_PARAMS="--integrity-key-file $4 --integrity-key-size $5" + else + KEY_PARAMS="" + fi + dd if=/dev/zero of=$DEV bs=1M count=32 >/dev/null 2>&1 + + echo -n "[INTEGRITY:$1:$2:$3]" + echo -n "[FORMAT]" + $INTSETUP format -q --integrity $1 --tag-size $2 --sector-size $3 $KEY_PARAMS $DEV || fail "Cannot format device." + echo -n "[ACTIVATE]" + $INTSETUP open $DEV $DEV_NAME --integrity $1 --integrity-no-journal $KEY_PARAMS || fail "Cannot activate device." + + if [ -n "$4" -a -n "$5" ]; then + echo -n "[KEYED HASH]" + KEY_HEX=$(xxd -c 256 -l $5 -p $4) + [ -z "$KEY_HEX" ] && fail "Cannot decode key." + dmsetup table --showkeys $DEV_NAME | grep -q $KEY_HEX || fail "Key mismatch." + fi + + echo -n "[WRITE DATA]" + echo -n "EXAMPLE TEXT" | dd of=/dev/mapper/$DEV_NAME >/dev/null 2>&1 || fail "Cannot write to device." + $INTSETUP close $DEV_NAME || fail "Cannot deactivate device." + + # find offset of data area + ARR=($(dd if=$DEV bs=512 2>/dev/null | hexdump -C | grep 'EXAMPLE TEXT')) + OFF_HEX=${ARR[0]} + OFF_DEC=$((16#$OFF_HEX)) + + echo -n "[CORRUPT DATA:$OFF_DEC]" + echo -n "Z" | dd of=$DEV bs=1 seek=$OFF_DEC conv=notrunc >/dev/null 2>&1 || fail "Cannot write to device." + + echo -n "[DETECT ERROR]" + $INTSETUP open $DEV $DEV_NAME --integrity $1 $KEY_PARAMS || fail "Cannot activate device." + dd if=/dev/mapper/$DEV_NAME >/dev/null 2>&1 && fail "Error detection failed." + + echo -n "[REMOVE]" + $INTSETUP close $DEV_NAME || fail "Cannot deactivate device." + echo "[OK]" +} + +int_journal() # 1 alg, 2 tagsize, 3 sector_size, 4 watermark, 5 commit_time, 6 journal_integrity, 7 key-file, 8 key-size, 9 journal_integrity_out +{ + echo -n "[INTEGRITY JOURNAL:$6:${4}%:${5}ms]" + echo -n "[FORMAT]" + ARGS="--integrity $1 --journal-watermark $4 --journal-commit-time $5 --journal-integrity $6 --journal-integrity-key-file $7 --journal-integrity-key-size $8" + $INTSETUP format -q --tag-size $2 --sector-size $3 $ARGS $DEV || fail "Cannot format device." + + echo -n "[ACTIVATE]" + + $INTSETUP open $DEV $DEV_NAME $ARGS || fail "Cannot activate device." + + echo -n "[KEYED HASH]" + KEY_HEX=$(xxd -c 256 -l $8 -p $7) + [ -z "$KEY_HEX" ] && fail "Cannot decode key." + dmsetup table --showkeys $DEV_NAME | grep -q $KEY_HEX || fail "Key mismatch." + + status_check "journal watermark" "${4}%" + status_check "journal commit time" "${5} ms" + status_check "journal integrity MAC" $9 + + echo -n "[REMOVE]" + $INTSETUP close $DEV_NAME || fail "Cannot deactivate device." + echo "[OK]" +} + + +int_journal_crypt() # crypt_alg crypt_alg_kernel crypt_key crypt_key_size +{ + echo -n "[JOURNAL CRYPT:$1:${4}B]" + + echo -n "[FORMAT]" + ARGS="--journal-crypt $1 --journal-crypt-key-file $3 --journal-crypt-key-size $4" + $INTSETUP format -q $ARGS $DEV || fail "Cannot format device." + + echo -n "[ACTIVATE]" + $INTSETUP open $DEV $DEV_NAME $ARGS || fail "Cannot activate device." + + KEY_HEX=$(xxd -c 256 -l $4 -p $3) + [ -z "$KEY_HEX" ] && fail "Cannot decode key." + dmsetup table --showkeys $DEV_NAME | grep -q "journal_crypt:$2:$KEY_HEX" || fail "Key mismatch." + + $INTSETUP close $DEV_NAME + echo "[OK]" +} + +int_mode() # alg tag_size sector_size [keyfile keysize] +{ + if [ -n "$5" ] ; then + KEY_PARAMS="--integrity-key-file $4 --integrity-key-size $5" + else + KEY_PARAMS="" + fi + + echo -n "[MODE TESTS:$1:$2:$3]" + ARGS="--tag-size $2 --sector-size $3" + + $INTSETUP format -q $ARGS $KEY_PARAMS $DEV --integrity $1 || fail "Cannot format device." + + echo -n "[JOURNALED WRITES]" + $INTSETUP open $DEV $DEV_NAME --integrity $1 $KEY_PARAMS || fail "Cannot activate device with journal." + status_check "mode" "read/write" + kernel_param_check 7 "J" + + $INTSETUP close $DEV_NAME fail "Cannot deactivate device." + + echo -n "[DIRECT WRITES]" + $INTSETUP open $DEV $DEV_NAME --integrity $1 $KEY_PARAMS --integrity-no-journal || fail "Cannot activate device without journal." + status_check "mode" "read/write" + status_check "journal" "not active" + kernel_param_check 7 "D" + + $INTSETUP close $DEV_NAME fail "Cannot deactivate device." + + echo -n "[RECOVERY MODE]" + $INTSETUP open $DEV $DEV_NAME --integrity $1 $KEY_PARAMS --integrity-recovery-mode || fail "Cannot activate device in recovery mode." + status_check "mode" "read/write recovery" + kernel_param_check 7 "R" + + $INTSETUP close $DEV_NAME fail "Cannot deactivate device." + + echo "[OK]" +} + +[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped." +[ ! -x "$INTSETUP" ] && skip "Cannot find $INTSETUP, test skipped." + +[ -n "$VALG" ] && valgrind_setup && INTSETUP=valgrind_run +which hexdump >/dev/null 2>&1 || skip "WARNING: hexdump tool required." +modprobe dm-integrity >/dev/null 2>&1 +dm_integrity_features + +add_device +intformat crc32c crc32c 4 512 08f63eb27fb9ce2ce903b0a56429c68ce5e209253ba42154841ef045a53839d7 +intformat crc32 crc32 4 512 08f63eb27fb9ce2ce903b0a56429c68ce5e209253ba42154841ef045a53839d7 +intformat sha1 sha1 20 512 6eedd6344dab8875cd185fcd6565dfc869ab36bc57e577f40c685290b1fa7fe7 +intformat sha1 sha1 16 4096 e152ec88227b539cd9cafd8bdb587a1072d720cd6bcebe1398d4136c9e7f337b +intformat sha256 sha256 32 512 8e5fe4119558e117bfc40e3b0f13ade3abe497b52604d4c7cca0cfd6c7f4cf11 +intformat hmac-sha256 hmac\(sha256\) 32 512 8e5fe4119558e117bfc40e3b0f13ade3abe497b52604d4c7cca0cfd6c7f4cf11 $KEY_FILE 32 +intformat sha256 sha256 32 4096 33f7dfa5163ca9f740383fb8b0919574e38a7b20a94a4170fde4238196b7c4b4 +intformat hmac-sha256 hmac\(sha256\) 32 4096 33f7dfa5163ca9f740383fb8b0919574e38a7b20a94a4170fde4238196b7c4b4 $KEY_FILE 32 + +echo "Error detection tests:" +int_error_detection crc32c 4 512 +int_error_detection crc32c 4 4096 +int_error_detection crc32 4 512 +int_error_detection crc32 4 4096 +int_error_detection sha1 20 512 +int_error_detection sha1 16 512 +int_error_detection sha1 20 4096 +int_error_detection sha256 32 512 +int_error_detection sha256 32 4096 + +which xxd >/dev/null 2>&1 || skip "WARNING: xxd tool required." +int_error_detection hmac-sha256 32 512 $KEY_FILE 32 +int_error_detection hmac-sha256 32 4096 $KEY_FILE 32 + +echo "Journal parameters tests:" +# Watermark is calculated in kernel, so it can be rounded down/up +int_journal crc32 4 512 66 1000 hmac-sha256 $KEY_FILE 32 hmac\(sha256\) +int_journal sha256 32 4096 34 5000 hmac-sha1 $KEY_FILE 16 hmac\(sha1\) +int_journal sha1 20 512 75 9999 hmac-sha256 $KEY_FILE 32 hmac\(sha256\) + +echo "Journal encryption tests:" +int_journal_crypt cbc-aes cbc\(aes\) $KEY_FILE 32 +int_journal_crypt cbc-aes cbc\(aes\) $KEY_FILE 16 +int_journal_crypt salsa20 salsa20 $KEY_FILE 32 +int_journal_crypt ctr-aes ctr\(aes\) $KEY_FILE 32 +int_journal_crypt ctr-aes ctr\(aes\) $KEY_FILE 16 + +echo "Mode tests:" +int_mode crc32c 4 512 +int_mode crc32 4 512 +int_mode sha1 20 512 +int_mode sha256 32 512 +int_mode hmac-sha256 32 512 $KEY_FILE 32 +int_mode hmac-sha256 32 4096 $KEY_FILE 32 + +echo -n "Recalculate tags in-kernel:" +add_device +if [ -n "$DM_INTEGRITY_RECALC" ] ; then + $INTSETUP format -q $DEV --no-wipe || fail "Cannot format device." + $INTSETUP open $DEV $DEV_NAME --integrity-recalculate || fail "Cannot activate device." + dd if=/dev/mapper/$DEV_NAME of=/dev/null bs=1M 2>/dev/null || fail "Cannot recalculate tags in-kernel" + int_check_sum_only 08f63eb27fb9ce2ce903b0a56429c68ce5e209253ba42154841ef045a53839d7 + $INTSETUP close $DEV_NAME fail "Cannot deactivate device." + echo "[OK]" +else + echo "[N/A]" +fi + +echo -n "Separate metadata device:" +if [ -n "$DM_INTEGRITY_META" ] ; then + add_device + $INTSETUP format -q $DEV --data-device $DEV2 || fail "Cannot format device." + $INTSETUP open $DEV --data-device $DEV2 $DEV_NAME || fail "Cannot activate device." + int_check_sum_only 83ee47245398adee79bd9c0a8bc57b821e92aba10f5f9ade8a5d1fae4d8c4302 + $INTSETUP status $DEV_NAME | grep -q 'metadata device:' || fail + $INTSETUP close $DEV_NAME fail "Cannot deactivate device." + echo "[OK]" +else + echo "[N/A]" +fi + +cleanup |