Diffstat (limited to '')
-rwxr-xr-x | tests/compat-test-opal | 36 |
1 files changed, 32 insertions, 4 deletions
diff --git a/tests/compat-test-opal b/tests/compat-test-opal
index 3d5c07c..09384d9 100755
--- a/tests/compat-test-opal
+++ b/tests/compat-test-opal
@@ -234,6 +234,30 @@ function setup_luks2_env() {
 # $1 key name
 # $2 keyring to link VK to
 # $3 key type (optional)
+test_vk_link_with_passphrase_check() {
+ KEY_TYPE=${3:-user}
+ if [ -z "$3" ]; then
+ KEY_DESC=$1
+ else
+ KEY_DESC="%$3:$1"
+ fi
+
+ KEYCTL_KEY_NAME="%$KEY_TYPE:$1"
+
+ echo $PWD1 | $CRYPTSETUP open --test-passphrase $OPAL2_DEV --link-vk-to-keyring "$2"::"$KEY_DESC" || fail
+ keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after --test-passphrase."
+ if [ $KEY_TYPE = "user" ]; then
+ $CRYPTSETUP open $OPAL2_DEV --test-passphrase --volume-key-keyring $KEY_DESC <&-|| fail "Failed to check volume passed via kernel keyring."
+ fi
+ keyctl unlink "$KEYCTL_KEY_NAME" "$2" || fail
+
+ echo $PWD1 | $CRYPTSETUP open --test-passphrase $OPAL2_DEV || fail
+ keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 && fail "VK is unexpectedly linked to the specified keyring."
+}
+
+# $1 key name
+# $2 keyring to link VK to
+# $3 key type (optional)
 test_vk_link() {
 KEY_TYPE=${3:-user}
 if [ -z "$3" ]; then
@@ -512,9 +536,9 @@ if [ -d /dev/disk/by-uuid ] ; then
 $CRYPTSETUP -q luksClose $DEV_NAME || fail
 fi
 # skip tests using empty passphrases
-if [ ! fips_mode ]; then
+if ! fips_mode; then
 # empty passphrase (OPAL admin pin cannot be empty)
-echo -e "\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV || fail
+echo -e "\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV --force-password || fail
 $CRYPTSETUP luksOpen -d $KEYE $OPAL2_DEV $DEV_NAME || fail
 $CRYPTSETUP -q luksClose $DEV_NAME || fail
 fi
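Review bot: In test_vk_link_with_passphrase_check the `--volume-key-keyring` re-check runs only for `user` keys and with stdin closed (`<&-`), and nothing in the function says why either guard is there. A comment above the `if [ $KEY_TYPE = "user" ]` line, for example `# only user keys are re-used here (logon payloads are presumably not readable from userspace); stdin is closed so a passphrase prompt cannot satisfy the check`, would stop a later edit from weakening the test; please confirm the wording against the intended behaviour. On the same lines `$KEY_TYPE`, `$1` and `$KEY_DESC` are left unquoted while `"$2"` is quoted, so `--volume-key-keyring "$KEY_DESC"` and `keyctl search "$2" "$KEY_TYPE" "$1"` would keep each descriptor a single argument. If the re-check calls `fail`, the `keyctl unlink` below it is skipped and the volume key stays linked unless `fail` (defined outside this hunk) cleans up the keyring.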
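Review bot: In the empty-passphrase block, `echo -e "\n$OPAL2_ADMIN_PIN"` lets `echo -e` interpret any backslash sequence inside the admin PIN, so a PIN containing `\` would reach luksFormat altered. `printf '\n%s\n' "$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat ...` feeds it literally and behaves the same across shells. The same line appears in the `--hw-opal-only` hunk at -531. Because `[ ! fips_mode ]` was always false, both blocks run for the first time with this commit, so the luksOpen/luksClose steps inside them deserve a run on non-FIPS OPAL hardware before the result is trusted.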
@@ -531,9 +555,9 @@ if [ -d /dev/disk/by-uuid ] ; then $CRYPTSETUP -q luksClose $DEV_NAME || fail fi # skip tests using empty passphrases -if [ ! fips_mode ]; then +if ! fips_mode; then # empty passphrase (OPAL admin pin cannot be empty) -echo -e "\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV || fail +echo -e "\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --force-password || fail $CRYPTSETUP luksOpen -d $KEYE $OPAL2_DEV $DEV_NAME || fail $CRYPTSETUP -q luksClose $DEV_NAME || fail fi @@ -1234,6 +1258,10 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then # explicitly specify keyring key type test_vk_link $KEY_NAME "%keyring:$TEST_KEYRING_NAME" + test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME" + test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME" "user" + test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME" "logon" + test_vk_link_and_reactivate $KEY_NAME "@u" "user" test_vk_link_and_reactivate $KEY_NAME "@u" [[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_vk_link_and_reactivate $KEY_NAME "@s" "user" |