Diffstat (limited to 'tests/compat-test-opal')
-rwxr-xr-xtests/compat-test-opal112
1 files changed, 59 insertions, 53 deletions
diff --git a/tests/compat-test-opal b/tests/compat-test-opal
index 09384d9..3a71f12 100755
--- a/tests/compat-test-opal
+++ b/tests/compat-test-opal
@@ -415,6 +415,60 @@ function test_device_detached_header() #hdr, #opal_mode, #format_params, #--inte
rm -f $1
}
+function run_token_tests() {
+ $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 --token-id 3 || fail
+ $CRYPTSETUP luksDump $OPAL2_DEV | grep -q -e "3: luks2-keyring" || fail
+ # keyslot 5 is inactive
+ $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN1 --key-slot 5 2> /dev/null && fail
+ # key description is not reachable
+ $CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase && fail
+ # wrong passphrase
+ load_key user $TEST_TOKEN0 "blabla" "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"
+ $CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase 2>/dev/null && fail
+ load_key user $TEST_TOKEN0 $PWD1 "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"
+ $CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase || fail
+ $CRYPTSETUP open --token-only $OPAL2_DEV $DEV_NAME || fail
+ $CRYPTSETUP status $DEV_NAME > /dev/null || fail
+ $CRYPTSETUP luksSuspend $DEV_NAME || fail
+ $CRYPTSETUP luksResume $DEV_NAME <&- || fail
+ $CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" && fail
+ $CRYPTSETUP luksSuspend $DEV_NAME || fail
+ $CRYPTSETUP luksResume $DEV_NAME --token-type luks2-keyring <&- || fail
+ $CRYPTSETUP close $DEV_NAME || fail
+
+ # check --token-type sort of works (TODO: extend tests when native systemd tokens are available)
+ echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $OPAL2_DEV --token-id 22 || fail
+ # this excludes keyring tokens from unlocking device
+ $CRYPTSETUP open --token-only --token-type some_type $OPAL2_DEV --test-passphrase && fail
+ $CRYPTSETUP open --token-only --token-type some_type $OPAL2_DEV $DEV_NAME && fail
+ $CRYPTSETUP status $DEV_NAME > /dev/null && fail
+
+ $CRYPTSETUP token remove --token-id 3 $OPAL2_DEV || fail
+ $CRYPTSETUP luksDump $OPAL2_DEV | grep -q -e "3: luks2-keyring" && fail
+
+ # test we can remove keyslot with token
+ echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -q -S4 $FAST_PBKDF_OPT $OPAL2_DEV || fail
+ $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN1 --key-slot 4 --token-id 0 || fail
+ $CRYPTSETUP -q luksKillSlot $OPAL2_DEV 4 || fail
+ $CRYPTSETUP token remove --token-id 0 $OPAL2_DEV || fail
+
+ # test we can add unassigned token
+ $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 --unbound --token-id 0 || fail
+ $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $OPAL2_DEV && fail
+ $CRYPTSETUP token remove --token-id 0 $OPAL2_DEV || fail
+
+ # test token unassign works
+ $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 -S0 --token-id 0 || fail
+ $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $OPAL2_DEV || fail
+ $CRYPTSETUP token unassign --token-id 0 $OPAL2_DEV 2>/dev/null && fail
+ $CRYPTSETUP token unassign -S0 $OPAL2_DEV 2>/dev/null && fail
+ $CRYPTSETUP token unassign --token-id 0 -S0 $OPAL2_DEV || fail
+ $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $OPAL2_DEV && fail
+ $CRYPTSETUP token unassign --token-id 0 -S0 $OPAL2_DEV 2>/dev/null && fail
+ $CRYPTSETUP token unassign --token-id 0 -S44 $OPAL2_DEV 2>/dev/null && fail
+ $CRYPTSETUP token unassign --token-id 44 -S0 $OPAL2_DEV 2>/dev/null && fail
+}
+
export LANG=C
[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."
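Review bot: `run_token_tests` has an undocumented keyring precondition and leaves key material behind. The "key description is not reachable" check (`$CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase && fail`) only holds if `$TEST_TOKEN0` is absent from `$TEST_KEYRING` on entry, yet the function returns with that key, loaded with `$PWD1`, still linked. The caller in the second hunk unlinks it after the first call but not after the second, so later tests appear to inherit a keyring that can unlock the device. Ending the function with `keyctl unlink "%user:$TEST_TOKEN0" $TEST_KEYRING || fail` would make each call self-contained. A short header comment stating that the device must be freshly formatted with `$PWD1` in keyslot 0 and that the keyring must not hold `$TEST_TOKEN0` would document the rest of the contract.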
@@ -916,62 +970,14 @@ if dm_crypt_keyring_support && dm_crypt_keyring_new_kernel; then
fi
prepare "[28] tokens" wipe
-echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV || fail
if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
-
test_and_prepare_keyring
+ echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV -q || fail
+ run_token_tests
+ keyctl unlink "%user:$TEST_TOKEN0" $TEST_KEYRING || fail
- $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 --token-id 3 || fail
- $CRYPTSETUP luksDump $OPAL2_DEV | grep -q -e "3: luks2-keyring" || fail
- # keyslot 5 is inactive
- $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN1 --key-slot 5 2> /dev/null && fail
- # key description is not reachable
- $CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase && fail
- # wrong passphrase
- load_key user $TEST_TOKEN0 "blabla" "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"
- $CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase 2>/dev/null && fail
- load_key user $TEST_TOKEN0 $PWD1 "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"
- $CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase || fail
- $CRYPTSETUP open --token-only $OPAL2_DEV $DEV_NAME || fail
- $CRYPTSETUP status $DEV_NAME > /dev/null || fail
- $CRYPTSETUP luksSuspend $DEV_NAME || fail
- $CRYPTSETUP luksResume $DEV_NAME <&- || fail
- $CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" && fail
- $CRYPTSETUP luksSuspend $DEV_NAME || fail
- $CRYPTSETUP luksResume $DEV_NAME --token-type luks2-keyring <&- || fail
- $CRYPTSETUP close $DEV_NAME || fail
-
- # check --token-type sort of works (TODO: extend tests when native systemd tokens are available)
- echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $OPAL2_DEV --token-id 22 || fail
- # this excludes keyring tokens from unlocking device
- $CRYPTSETUP open --token-only --token-type some_type $OPAL2_DEV --test-passphrase && fail
- $CRYPTSETUP open --token-only --token-type some_type $OPAL2_DEV $DEV_NAME && fail
- $CRYPTSETUP status $DEV_NAME > /dev/null && fail
-
- $CRYPTSETUP token remove --token-id 3 $OPAL2_DEV || fail
- $CRYPTSETUP luksDump $OPAL2_DEV | grep -q -e "3: luks2-keyring" && fail
-
- # test we can remove keyslot with token
- echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -q -S4 $FAST_PBKDF_OPT $OPAL2_DEV || fail
- $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN1 --key-slot 4 --token-id 0 || fail
- $CRYPTSETUP -q luksKillSlot $OPAL2_DEV 4 || fail
- $CRYPTSETUP token remove --token-id 0 $OPAL2_DEV || fail
-
- # test we can add unassigned token
- $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 --unbound --token-id 0 || fail
- $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $OPAL2_DEV && fail
- $CRYPTSETUP token remove --token-id 0 $OPAL2_DEV || fail
-
- # test token unassign works
- $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 -S0 --token-id 0 || fail
- $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $OPAL2_DEV || fail
- $CRYPTSETUP token unassign --token-id 0 $OPAL2_DEV 2>/dev/null && fail
- $CRYPTSETUP token unassign -S0 $OPAL2_DEV 2>/dev/null && fail
- $CRYPTSETUP token unassign --token-id 0 -S0 $OPAL2_DEV || fail
- $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $OPAL2_DEV && fail
- $CRYPTSETUP token unassign --token-id 0 -S0 $OPAL2_DEV 2>/dev/null && fail
- $CRYPTSETUP token unassign --token-id 0 -S44 $OPAL2_DEV 2>/dev/null && fail
- $CRYPTSETUP token unassign --token-id 44 -S0 $OPAL2_DEV 2>/dev/null && fail
+ echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV -q || fail
+ run_token_tests
fi
echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $OPAL2_DEV --token-id 10 || fail
echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $OPAL2_DEV --token-id 11 --json-file - || fail
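Review bot: Moving `luksFormat` inside `if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]` leaves the `token import` commands after `fi` without a formatted LUKS2 header when the kernel keyring is unavailable. The old code formatted the device before the `if`, so those imports always had a header to work on. What `prepare "[28] tokens" wipe` does is not visible here, but if it wipes the device, section [28] would now fail on such systems instead of skipping only the keyring part. An `else` branch running `echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV -q || fail` would restore the old guarantee. Separately, with the keyring present the import tests now run only against the `--hw-opal-only` header; section [28] continues past the end of this hunk.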