Diffstat (limited to 'tests/luks2-reencryption-test')
-rwxr-xr-xtests/luks2-reencryption-test119
1 files changed, 112 insertions, 7 deletions
diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
index a647a8c..57acae0 100755
--- a/tests/luks2-reencryption-test
+++ b/tests/luks2-reencryption-test
@@ -4,8 +4,12 @@
[ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
-CRYPTSETUP_VALGRIND=../.libs/cryptsetup
-CRYPTSETUP_LIB_VALGRIND=../.libs
+if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then
+ CRYPTSETUP_VALGRIND=$CRYPTSETUP
+else
+ CRYPTSETUP_VALGRIND=../.libs/cryptsetup
+ CRYPTSETUP_LIB_VALGRIND=../.libs
+fi
FAST_PBKDF2="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
FAST_PBKDF_ARGON="--pbkdf-force-iterations 4 --pbkdf-memory 32 --pbkdf-parallel 1"
@@ -26,6 +30,13 @@ PWD1="93R4P4pIqAH8"
PWD2="1cND4319812f"
PWD3="1-9Qu5Ejfnqv"
DEV_LINK="reenc-test-link"
+KEYRING="luks2_reencryption_test_kr"
+KEY_TYPE="user"
+KEY_NAME1="luks2-reencryption-test1"
+KEY_NAME2="luks2-reencryption-test2"
+KEY_SPEC1="${KEYRING}::%${KEY_TYPE}:${KEY_NAME1}"
+KEY_SPEC2="${KEYRING}::%${KEY_TYPE}:${KEY_NAME2}"
+HAVE_KEYRING=0
FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
@@ -105,6 +116,13 @@ function remove_mapping()
scsi_debug_teardown $DEV
}
+function cleanup_keyring()
+{
+ if [ $HAVE_KEYRING -eq 1 ]; then
+ keyctl unlink %:$KEYRING "@s" >/dev/null 2>&1 || echo "Failed to unlink test keyring."
+ fi
+}
+
function fail()
{
local frame=0
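Review bot: cleanup_keyring is reached only through the explicit calls this commit adds to fail(), skip() and the final exit path, so a run that is interrupted (signal, harness timeout) would leave the test keyring linked to the session keyring. The keys later linked into it are volume keys stored with `KEY_TYPE="user"`, a key type whose payload can be read back from userspace by a holder with read permission, so leftovers matter more here than for an ordinary temporary file. If the script has no EXIT/INT trap outside this diff, consider one that runs `remove_mapping; cleanup_keyring`. Quoting the test as `[ "$HAVE_KEYRING" -eq 1 ]` would also keep the check well-formed if the variable is ever empty. fail() continues outside this hunk.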
@@ -112,6 +130,7 @@ function fail()
echo "FAILED backtrace:"
while caller $frame; do ((frame++)); done
remove_mapping
+ cleanup_keyring
exit 2
}
@@ -119,6 +138,7 @@ function skip()
{
[ -n "$1" ] && echo "$1"
remove_mapping
+ cleanup_keyring
exit 77
}
@@ -362,6 +382,38 @@ function reencrypt_recover_online() { # $1 sector size, $2 resilience, $3 digest
echo "[OK]"
}
+function reencrypt_recover_online_vk() { # $1 sector size, $2 resilience, $3 digest, [$4 header]
+ echo -n "resilience mode: $2 ..."
+ local _hdr=""
+ test -z "$4" || _hdr="--header $4"
+
+ echo $PWD1 | $CRYPTSETUP open $DEV $_hdr $DEV_NAME || fail
+ echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME $_hdr --hotzone-size 1M --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON --init-only >/dev/null 2>&1 || fail
+ $CRYPTSETUP close $DEV_NAME || fail
+
+ echo $PWD1 | $CRYPTSETUP open --link-vk-to-keyring $KEY_SPEC1 --link-vk-to-keyring $KEY_SPEC2 $DEV $_hdr $DEV_NAME || fail
+
+ error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
+ echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME $_hdr --hotzone-size 1M --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON >/dev/null 2>&1 && fail
+ $CRYPTSETUP status $DEV_NAME $_hdr | grep -q "reencryption: in-progress" || fail
+ $CRYPTSETUP close $DEV_NAME || fail
+ fix_writes $OVRDEV $OLD_DEV
+
+ # recovery during activation
+ $CRYPTSETUP open --volume-key-keyring $KEY_NAME1 --volume-key-keyring $KEY_NAME2 $DEV $_hdr $DEV_NAME || fail
+ check_hash_dev /dev/mapper/$DEV_NAME $3
+
+ $CRYPTSETUP luksDump ${4:-$DEV} | grep -q "online-reencrypt"
+ if [ $? -eq 0 ]; then
+ $CRYPTSETUP status $DEV_NAME $_hdr | grep -q "reencryption: in-progress" || fail
+ echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME $_hdr --resilience $2 --resume-only -q || fail
+ check_hash_dev /dev/mapper/$DEV_NAME $3
+ fi
+
+ $CRYPTSETUP close $DEV_NAME || fail
+ echo "[OK]"
+}
+
function encrypt_recover() { # $1 sector size, $2 reduce size, $3 digest, $4 device size in sectors, $5 origin digest
wipe_dev $DEV
check_hash_dev $DEV $5
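Review bot: The recovery open with `--volume-key-keyring $KEY_NAME1 --volume-key-keyring $KEY_NAME2` is the only cryptsetup open in reencrypt_recover_online_vk that gets no passphrase on stdin, and nothing states that this is the point of the test. A comment such as `# no passphrase on purpose: recovery must succeed using only the volume keys linked into $KEYRING` would make that explicit. The function also never checks directly that both keys were linked after the `--link-vk-to-keyring` open (for example `keyctl search %:$KEYRING $KEY_TYPE $KEY_NAME1 >/dev/null || fail`), so a linking failure only surfaces later as a failed open. As a style point, the `grep -q` followed by `[ $? -eq 0 ]` can be folded into `if $CRYPTSETUP luksDump ${4:-$DEV} | grep -q "online-reencrypt"; then`.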
@@ -787,14 +839,27 @@ function reencrypt_online_fixed_size() {
[ -n "$7" -a -f "$7" ] && rm -f $7
}
+function prepare_vk_keyring()
+{
+ local s_desc=$(keyctl rdescribe @s | cut -d';' -f5)
+ local us_desc=$(keyctl rdescribe @us | cut -d';' -f5)
+
+ if [ "$s_desc" = "$us_desc" -a -n "$s_desc" ]; then
+ echo "Session keyring is missing. Giving new one to parent process..."
+ keyctl new_session > /dev/null || fail
+ fi
+
+ keyctl newring $KEYRING "@s" >/dev/null || fail "Failed to setup test keyring environment"
+ keyctl search "@s" keyring $KEYRING >/dev/null 2>&1 || fail "Could not find test keyring in a session keyring."
+}
+
function setup_luks2_env() {
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c aes-xts-plain64 $FAST_PBKDF_ARGON $DEV || fail
echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
- HAVE_KEYRING=$($CRYPTSETUP status $DEV_NAME | grep "key location: keyring")
- if [ -n "$HAVE_KEYRING" ]; then
+ local check_keyring=$($CRYPTSETUP status $DEV_NAME | grep "key location: keyring")
+ if [ -n "$check_keyring" ]; then
HAVE_KEYRING=1
- else
- HAVE_KEYRING=0
+ prepare_vk_keyring
fi
DEF_XTS_KEY=$($CRYPTSETUP status $DEV_NAME | grep "keysize:" | sed 's/\( keysize: \)\([0-9]\+\)\(.*\)/\2/')
[ -n "$DEF_XTS_KEY" ] || fail "Failed to parse xts mode key size."
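Review bot: prepare_vk_keyring now runs whenever `cryptsetup status` reports `key location: keyring`, but nothing visible in this diff checks that the `keyctl` tool is installed. On a host with kernel keyring support and no keyutils, the `keyctl newring $KEYRING "@s" >/dev/null || fail ...` line would abort the whole test rather than leave the VK cases out. Unless the script already checks this outside the diff, test `command -v keyctl >/dev/null` before the first keyctl call and enable the VK cases only when it succeeds. Because `HAVE_KEYRING=1` is assigned before prepare_vk_keyring runs, a failure inside it also makes cleanup_keyring print "Failed to unlink test keyring." for a keyring that was never created. setup_luks2_env continues past the end of this hunk.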
@@ -819,7 +884,10 @@ function valgrind_setup()
{
command -v valgrind >/dev/null || fail "Cannot find valgrind."
[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
- export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"
+ [ ! -f valg.sh ] && fail "Unable to get location of valg runner script."
+ if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then
+ export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"
+ fi
}
function valgrind_run()
@@ -1254,6 +1322,42 @@ if [ -n "$DM_SECTOR_SIZE" ]; then
reencrypt_recover_online 4096 journal $HASH1
fi
+if [ $HAVE_KEYRING -eq 1 ]; then
+ echo "sector size 512->512 (recovery by VK)"
+
+ get_error_offsets 32 $OFFSET
+ echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
+ wipe $PWD1
+
+ echo "ERR writes to sectors (recovery by VK) [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
+ reencrypt_recover_online_vk 512 checksum $HASH1
+ reencrypt_recover_online_vk 512 journal $HASH1
+
+ if [ -n "$DM_SECTOR_SIZE" ]; then
+ echo "sector size 512->4096"
+
+ get_error_offsets 32 $OFFSET 4096
+ echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
+ wipe $PWD1
+
+ echo "ERR writes to sectors (recovery by VK) [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
+ reencrypt_recover_online_vk 4096 checksum $HASH1
+ echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
+ wipe $PWD1
+ reencrypt_recover_online_vk 4096 journal $HASH1
+
+ echo "sector size 4096->4096"
+
+ get_error_offsets 32 $OFFSET 4096
+ echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 --sector-size 4096 -c aes-cbc-essiv:sha256 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
+ wipe $PWD1
+
+ echo "ERR writes to sectors (recovery by VK) [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
+ reencrypt_recover_online_vk 4096 checksum $HASH1
+ reencrypt_recover_online_vk 4096 journal $HASH1
+ fi
+fi
+
echo "[8] Reencryption with detached header recovery"
prepare_linear_dev 31 opt_blks=64 $OPT_XFERLEN_EXP
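Review bot: Inside the new `HAVE_KEYRING` block only the first header says `(recovery by VK)`. The nested `echo "sector size 512->4096"` and `echo "sector size 4096->4096"` lines print what appears to be the same text as the passphrase-based section just above, so the two runs are hard to tell apart in a log. Suggest `echo "sector size 512->4096 (recovery by VK)"` and `echo "sector size 4096->4096 (recovery by VK)"`. A short comment on why the 512->4096 case reformats between the checksum and journal runs while the other two cases do not would also help the next reader.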
@@ -2204,4 +2308,5 @@ echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --header $IMG_HDR $DEV -q || fail
check_hash_dev_head $DEV 2048 $HASH2
remove_mapping
+cleanup_keyring
exit 0