#!/bin/bash

# Binary under test, relative to the tests/ directory.
CRYPTSETUP=../cryptsetup
# Directory the scratch tmpfs is mounted on; the image file lives inside it.
MNT_DIR=./mnt_luks
# Mapping name used for every activation in this script.
DEV_NAME=dummy
# Second mapping name; only ever passed to commands that are expected to fail.
DEV_NAME2=ymmud
# Fixed passphrases for the scratch test image only.
PWD1=93R4P4pIqAH8
PWD2=mymJeD8ivEhE
# Forces PBKDF2 with a fixed 1000 iterations so keyslot operations run
# quickly. That cost is far too low for real volumes; it is a test-speed
# setting for throwaway images. Must be expanded unquoted (several words).
FAST_PBKDF_OPT='--pbkdf pbkdf2 --pbkdf-force-iterations 1000'
# Number of test sections skipped so far.
SKIP_COUNT=0

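# Tear down what the test may have left behind: the dm mapping named
# $DEV_NAME, then the mount on $MNT_DIR and the directory itself.
# Globals: DEV_NAME (read), MNT_DIR (read)
# Every step is best-effort: umount/rmdir errors are discarded, since this
# also runs from fail/skip at points where nothing may be mounted.
cleanup() {
	# Expansions are quoted so a name or path containing whitespace or glob
	# characters reaches each tool as exactly one argument.
	[ -b "/dev/mapper/$DEV_NAME" ] && dmsetup remove "$DEV_NAME"
	# Wait for udev to finish with pending events before unmounting.
	udevadm settle >/dev/null 2>&1
	if [ -d "$MNT_DIR" ] ; then
	    umount -f "$MNT_DIR" 2>/dev/null
	    rmdir "$MNT_DIR" 2>/dev/null
	fi
	sleep 2
}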

# Report a test failure, clean up, and terminate the script with status 100.
# Arguments: $1 - optional message inserted after "FAIL"
# Outputs:   one line on stdout; `caller` supplies the line number and
#            source file of the place fail was invoked from
fail()
{
	# ${1:+ $1} expands to " <message>" only when a non-empty message was given.
	echo "FAIL${1:+ $1} at line $(caller)"
	cleanup
	exit 100
}

# Announce that the test is skipped, clean up, and terminate with status 77
# (the exit status automake-style test harnesses treat as "skipped").
# Arguments: $1 - reason printed after "TEST SKIPPED: "
skip()
{
	printf '%s\n' "TEST SKIPPED: $1"
	cleanup
	exit 77
}

# Derive feature flags from the dm-crypt target version that
# `dmsetup targets` reports.
# Globals written: VER_STR, VER_MAJ, VER_MIN, VER_PTC, and (set to 1 only
#                  when available) DM_PERF_CPU, DM_SECTOR_SIZE, DM_KEYRING
# Thresholds as coded below:
#   DM_PERF_CPU     1.14+
#   DM_SECTOR_SIZE  1.17+, or 1.14.x with patch level >= 5
#   DM_KEYRING      1.18.1+
#   any major version above 1 enables all three
# Calls fail (exit 100) when no version string can be extracted.
function dm_crypt_features()
{
	# Text after the first 'v' on the crypt target line, e.g. "1.18.1".
	VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
	if [ -z "$VER_STR" ]; then
		fail "Failed to parse dm-crypt version."
	fi

	VER_MAJ=$(echo $VER_STR | cut -d. -f1)
	VER_MIN=$(echo $VER_STR | cut -d. -f2)
	VER_PTC=$(echo $VER_STR | cut -d. -f3)

	# Pre-1.x target: none of the features.
	if [ $VER_MAJ -lt 1 ]; then
		return 0
	fi

	# Anything past 1.x: all of them.
	if [ $VER_MAJ -gt 1 ]; then
		DM_PERF_CPU=1
		DM_SECTOR_SIZE=1
		DM_KEYRING=1
		return 0
	fi

	# Major version is exactly 1 from here on.
	if [ $VER_MIN -lt 14 ]; then
		return 0
	fi
	DM_PERF_CPU=1

	# The compound tests are kept as single [ ] expressions so that their
	# result for an incomplete version string stays what it has always been.
	if [ $VER_MIN -ge 17 -o \( $VER_MIN -eq 14 -a $VER_PTC -ge 5 \) ]; then
		DM_SECTOR_SIZE=1
	fi
	if [ $VER_MIN -gt 18 -o \( $VER_MIN -eq 18 -a $VER_PTC -ge 1 \) ]; then
		DM_KEYRING=1
	fi
}

# Succeed (status 0) when the dm-crypt target version is 1.15 or newer,
# fail (non-zero) otherwise.
# Globals written: VER_STR, VER_MAJ, VER_MIN
# Calls fail (exit 100) when no version string can be extracted.
function dm_crypt_keyring_support()
{
	VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
	if [ -z "$VER_STR" ]; then
		fail "Failed to parse dm-crypt version."
	fi

	VER_MAJ=$(echo $VER_STR | cut -d. -f1)
	VER_MIN=$(echo $VER_STR | cut -d. -f2)

	# run the test with dm-crypt v1.15.0+ on purpose
	# the fix is in dm-crypt v1.18.1+
	if [ $VER_MAJ -gt 1 ]; then
		return 0
	elif [ $VER_MAJ -lt 1 ]; then
		return 1
	fi
	# Major version is 1: the minor version decides, and this test's status
	# is the function's return value.
	[ $VER_MIN -ge 15 ]
}

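# Zero-fill a 32 MiB image at $DEV, format it as LUKS, then add and remove
# a second keyslot as a basic sanity check.
# Globals:   DEV, PWD1, PWD2, CRYPTSETUP, FAST_PBKDF_OPT (all read)
# Arguments: $1 - value for luksFormat --type (callers pass luks1 or luks2)
# Returns:   0 on success; any cryptsetup failure goes through fail (exit 100)
format() # format
{
	dd if=/dev/zero of="$DEV" bs=1M count=32 >/dev/null 2>&1

	# Passphrases are fed on stdin rather than placed on cryptsetup's command
	# line. printf '%s' writes them verbatim, with no word splitting,
	# globbing or backslash processing.
	# $CRYPTSETUP and $FAST_PBKDF_OPT stay unquoted on purpose: the latter
	# holds several options that have to split into separate words.
	printf '%s\n' "$PWD1" | $CRYPTSETUP luksFormat --type "$1" "$DEV" -q  $FAST_PBKDF_OPT -c aes-cbc-essiv:sha256 \
		|| fail "Format failed."

	# test some operation, just in case
	printf '%s\n%s\n' "$PWD1" "$PWD2" | $CRYPTSETUP luksAddKey "$DEV" -i1 --key-slot 1 \
		|| fail "Keyslot add failed."

	$CRYPTSETUP -q luksKillSlot "$DEV" 1 || fail "Keyslot removal failed."

	# Explicit success status: the previous `[ $? -ne 0 ] && fail` ending made
	# the function return 1 whenever everything had worked.
	return 0
}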

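# Verify that the active mapping $DEV_NAME reports the expected sector size.
# Globals:   CRYPTSETUP, DEV_NAME (read)
# Arguments: $1 - expected sector size in bytes
# Calls fail (exit 100) on a mismatch.
check_sector_size() # $1 expected sector size
{
	$CRYPTSETUP status "$DEV_NAME" | grep "sector size" | grep -q -- "$1" || fail
	# Decide on the function's own argument, not on the caller's loop
	# variable S, so the dm-table check cannot be skipped silently when S is
	# unset or differs from $1.
	# The table is only expected to carry an explicit sector_size option for
	# sizes above 512 (presumably because 512 is the default - confirm).
	if [ "$1" -gt 512 ]; then
		dmsetup table "$DEV_NAME" | grep -q -- "sector_size:$1" || fail
	fi
}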

# The dmsetup and mount operations below need root; otherwise exit as skipped.
[ $(id -u) != 0 ] && skip "You must be root to run this test, test skipped."

# Sets DM_PERF_CPU / DM_SECTOR_SIZE / DM_KEYRING according to the dm-crypt
# target version.
dm_crypt_features

if [ ! -d $MNT_DIR ]; then
	mkdir $MNT_DIR
fi

echo "[1] Using tmpfs for image"
# The backing image is a plain file on a tmpfs mounted at $MNT_DIR.
DEV="$MNT_DIR/test.img"
if ! mount -t tmpfs none $MNT_DIR; then
	skip "Mounting tmpfs not available."
fi
format luks1

echo "[2] Kernel dmcrypt performance options"
# Section [2]: activation flags. Every open/refresh is followed by greps of
# `cryptsetup status` that confirm which flags are active ("|| fail") or
# absent ("&& fail"). The section is skipped, and counted in SKIP_COUNT,
# when dm_crypt_features did not set DM_PERF_CPU.
# The passphrase is always supplied on stdin, never as an argument.
# NOTE: --allow-discards is used here only to check that the flag shows up
# in status; on a real volume, passing discards through exposes which
# sectors are unused (see cryptsetup(8)).
if [ -z "$DM_PERF_CPU" ]; then
	echo "TEST SKIPPED: dmcrypt options not available"
	SKIP_COUNT=$((SKIP_COUNT+1))
else
	# plain
	echo -e "$PWD1" | $CRYPTSETUP open -q --type plain --hash sha256 $DEV $DEV_NAME --perf-same_cpu_crypt --perf-submit_from_crypt_cpus || fail
	$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
	$CRYPTSETUP status $DEV_NAME | grep -q submit_from_crypt_cpus || fail
	$CRYPTSETUP close $DEV_NAME || fail
	echo -e "$PWD1" | $CRYPTSETUP open -q --type plain --hash sha256 $DEV $DEV_NAME --perf-same_cpu_crypt --allow-discards || fail
	$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
	$CRYPTSETUP status $DEV_NAME | grep -q discards || fail
	$CRYPTSETUP close $DEV_NAME || fail
	# Open without flags, then change the flags of the live mapping via refresh.
	echo -e "$PWD1" | $CRYPTSETUP open -q --type plain --hash sha256 $DEV $DEV_NAME || fail
	echo -e "$PWD1" | $CRYPTSETUP refresh --hash sha256 -q $DEV_NAME --perf-same_cpu_crypt --allow-discards || fail
	# Hash affects volume key for plain device. Check we can detect it
	echo -e "$PWD1" | $CRYPTSETUP refresh -q $DEV_NAME --hash sha512 --perf-same_cpu_crypt --allow-discards 2>/dev/null && fail
	# The rejected refresh must have left the earlier flags in place.
	$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
	$CRYPTSETUP status $DEV_NAME | grep -q discards || fail
	# Each refresh replaces the flag set: flags not repeated must disappear.
	echo -e "$PWD1" | $CRYPTSETUP refresh --hash sha256 -q $DEV_NAME --allow-discards || fail
	$CRYPTSETUP status $DEV_NAME | grep -q discards || fail
	$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt && fail
	echo -e "$PWD1" | $CRYPTSETUP refresh --hash sha256 -q $DEV_NAME || fail
	$CRYPTSETUP status $DEV_NAME | grep -q discards && fail
	$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt && fail
	# $DEV_NAME2 is never activated by this script, so refreshing it must fail.
	echo -e "$PWD1" | $CRYPTSETUP refresh --hash sha256 $DEV $DEV_NAME2 2>/dev/null && fail
	$CRYPTSETUP close $DEV_NAME || fail
	# LUKS
	# Same sequence against the LUKS1 header written by `format luks1`.
	echo -e "$PWD1" | $CRYPTSETUP open --type luks1 $DEV $DEV_NAME --perf-same_cpu_crypt --perf-submit_from_crypt_cpus || fail
	$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
	$CRYPTSETUP status $DEV_NAME | grep -q submit_from_crypt_cpus || fail
	$CRYPTSETUP close $DEV_NAME || fail
	echo -e "$PWD1" | $CRYPTSETUP open --type luks1 $DEV $DEV_NAME --perf-same_cpu_crypt --allow-discards || fail
	$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
	$CRYPTSETUP status $DEV_NAME | grep -q discards || fail
	$CRYPTSETUP close $DEV_NAME || fail
	echo -e "$PWD1" | $CRYPTSETUP open $DEV $DEV_NAME || fail
	echo -e "$PWD1" | $CRYPTSETUP refresh $DEV_NAME --allow-discards || fail
	$CRYPTSETUP status $DEV_NAME | grep -q discards || fail
	$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt && fail
	echo -e "$PWD1" | $CRYPTSETUP refresh $DEV_NAME --allow-discards --perf-same_cpu_crypt || fail
	$CRYPTSETUP status $DEV_NAME | grep -q discards || fail
	$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
	echo -e "$PWD1" | $CRYPTSETUP refresh $DEV_NAME || fail
	$CRYPTSETUP status $DEV_NAME | grep -q discards && fail
	$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt && fail
	echo -e "$PWD1" | $CRYPTSETUP refresh $DEV $DEV_NAME2 2>/dev/null && fail
	$CRYPTSETUP close $DEV_NAME || fail

	# LUKS2: re-create the image, then exercise --persistent.
	format luks2
	echo -e "$PWD1" | $CRYPTSETUP open $DEV $DEV_NAME --perf-same_cpu_crypt --perf-submit_from_crypt_cpus --persistent || fail
	$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
	$CRYPTSETUP status $DEV_NAME | grep -q submit_from_crypt_cpus || fail
	$CRYPTSETUP close $DEV_NAME || fail
	# Stored in metadata
	# (a plain open with no flags must bring the persisted flags back)
	echo -e "$PWD1" | $CRYPTSETUP open $DEV $DEV_NAME || fail
	$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
	$CRYPTSETUP status $DEV_NAME | grep -q submit_from_crypt_cpus || fail
	$CRYPTSETUP close $DEV_NAME || fail
	echo -e "$PWD1" | $CRYPTSETUP open $DEV $DEV_NAME --perf-same_cpu_crypt --allow-discards --persistent || fail
	$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
	$CRYPTSETUP status $DEV_NAME | grep -q discards || fail
	$CRYPTSETUP close $DEV_NAME || fail
	echo -e "$PWD1" | $CRYPTSETUP open $DEV $DEV_NAME || fail
	$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
	$CRYPTSETUP status $DEV_NAME | grep -q discards || fail
	$CRYPTSETUP close $DEV_NAME || fail

	# --persistent with no flags: status must show none of the stored ones.
	echo -e "$PWD1" | $CRYPTSETUP open $DEV $DEV_NAME --persistent || fail
	$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt && fail
	$CRYPTSETUP status $DEV_NAME | grep -q discards && fail
	# The same persistence checks, driven through refresh on the live mapping.
	echo -e "$PWD1" | $CRYPTSETUP refresh $DEV $DEV_NAME --perf-same_cpu_crypt --perf-submit_from_crypt_cpus --persistent || fail
	$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
	$CRYPTSETUP status $DEV_NAME | grep -q submit_from_crypt_cpus || fail
	echo -e "$PWD1" | $CRYPTSETUP refresh $DEV_NAME || fail
	$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
	$CRYPTSETUP status $DEV_NAME | grep -q submit_from_crypt_cpus || fail
	echo -e "$PWD1" | $CRYPTSETUP refresh $DEV $DEV_NAME --perf-same_cpu_crypt --allow-discards --persistent || fail
	$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
	$CRYPTSETUP status $DEV_NAME | grep -q discards || fail
	echo -e "$PWD1" | $CRYPTSETUP refresh $DEV_NAME || fail
	$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
	$CRYPTSETUP status $DEV_NAME | grep -q discards || fail
	# A flag given without --persistent is expected next to the stored ones
	# and to be gone again after the next flag-less refresh.
	echo -e "$PWD1" | $CRYPTSETUP refresh $DEV $DEV_NAME --perf-submit_from_crypt_cpus || fail
	$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
	$CRYPTSETUP status $DEV_NAME | grep -q discards || fail
	$CRYPTSETUP status $DEV_NAME | grep -q submit_from_crypt_cpus || fail
	echo -e "$PWD1" | $CRYPTSETUP refresh $DEV $DEV_NAME || fail
	$CRYPTSETUP status $DEV_NAME | grep -q submit_from_crypt_cpus && fail
	echo -e "$PWD1" | $CRYPTSETUP refresh $DEV $DEV_NAME --persistent || fail
	$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt && fail
	$CRYPTSETUP status $DEV_NAME | grep -q discards && fail
	$CRYPTSETUP status $DEV_NAME | grep -q submit_from_crypt_cpus && fail
	# With --disable-keyring, status must not mention the keyring; the
	# opposite is checked only when DM_KEYRING was set.
	echo -e "$PWD1" | $CRYPTSETUP refresh $DEV $DEV_NAME --disable-keyring || fail
	$CRYPTSETUP status $DEV_NAME | grep -q keyring && fail
	if [ -n "$DM_KEYRING" ]; then
		echo -e "$PWD1" | $CRYPTSETUP refresh $DEV $DEV_NAME || fail
		$CRYPTSETUP status $DEV_NAME | grep -q keyring || fail
	fi
	echo -e "$PWD1" | $CRYPTSETUP refresh $DEV $DEV_NAME2 2>/dev/null && fail
	$CRYPTSETUP close $DEV_NAME || fail
fi

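echo "[3] Kernel dmcrypt sector size options"
# Probe: try to activate a plain mapping with a 4096-byte sector size and
# record whether that worked.
echo -e "$PWD1" | $CRYPTSETUP open --type plain --hash sha256 $DEV $DEV_NAME --sector-size 4096 >/dev/null 2>&1
ret=$?
# DM_SECTOR_SIZE stays unset when dm_crypt_features judged the kernel too
# old; an activation that succeeds anyway is an error in its own right.
[ -z "$DM_SECTOR_SIZE" -a $ret -eq 0 ] && fail "cryptsetup activated device with --sector-size option on incompatible kernel!"
if [ $ret -ne 0 ] ; then
	SKIP_COUNT=$((SKIP_COUNT+1))
	# Exit with the "skipped" status only when an earlier section was
	# skipped too; otherwise just note the skip and finish normally.
	if [ $SKIP_COUNT -ge 2 ]; then
		skip "dmcrypt sector-size option not available"
	fi
	echo "TEST SKIPPED: dmcrypt sector-size option not available"
else
	$CRYPTSETUP close $DEV_NAME || fail

	echo -n "PLAIN sector size:"
	# 1234 is not among the sizes accepted below and must be rejected.
	echo -e "$PWD1" | $CRYPTSETUP open --type plain --hash sha256 $DEV $DEV_NAME --sector-size 1234 >/dev/null 2>&1 && fail
	for S in 512 1024 2048 4096; do
		echo -n "[$S]"
		echo -e "$PWD1" | $CRYPTSETUP open -q --type plain --hash sha256 $DEV $DEV_NAME --sector-size $S || fail
		check_sector_size $S
		$CRYPTSETUP close $DEV_NAME || fail
	done
	echo

	echo -n "LUKS2 sector size:"
	# Negative test. The device argument used to be written "-$DEV", which
	# cryptsetup sees as an option rather than a device, so the command
	# failed during option parsing and the test passed without the sector
	# size ever being validated. With "-q $DEV" the invalid size is what has
	# to cause the failure.
	echo -e "$PWD1" | $CRYPTSETUP luksFormat --type luks2 -q $DEV --sector-size 1234 >/dev/null 2>&1 && fail
	for S in 512 1024 2048 4096; do
		echo -n "[$S]"
		# $FAST_PBKDF_OPT carries the same PBKDF options that were spelled out
		# here before; it is expanded unquoted so they split into words.
		echo -e "$PWD1" | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_OPT $DEV --sector-size $S || fail
		echo -e "$PWD1" | $CRYPTSETUP open $DEV $DEV_NAME || fail
		check_sector_size $S
		$CRYPTSETUP close $DEV_NAME || fail
	done
	echo
fi

# Remove the mapping, the tmpfs mount and the mount directory.
cleanup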