mirror of
https://gitlab.com/cryptsetup/cryptsetup.git
synced 2025-12-13 20:00:08 +01:00
Update tests for dm-crypt kernel key bugfix.
cryptsetup now requires dm-crypt v1.18.1 or higher to use kernel keyring service for passing VKs. Also, relevant API functions fail if CRYPT_ACTIVATE_KEYRING_KEY is set, but library is not allowed to use kernel keyring for VK.
This commit is contained in:
Ondrej Kozina
committed by
Milan Broz
Milan Broz
parent
de76628539
commit
2f890dea18
@@ -1239,7 +1239,7 @@ static void ResizeDeviceLuks2(void)
|
||||
else
|
||||
OK_(crypt_resize(cd, CDEVICE_1, 44));
|
||||
// reinstate the volume key in keyring
|
||||
OK_(crypt_activate_by_volume_key(cd, NULL, key, key_size, CRYPT_ACTIVATE_KEYRING_KEY));
|
||||
OK_(crypt_activate_by_volume_key(cd, NULL, key, key_size, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
|
||||
OK_(crypt_resize(cd, CDEVICE_1, 43));
|
||||
if (!t_device_size(DMDIR CDEVICE_1, &r_size))
|
||||
EQ_(43, r_size >> SECTOR_SHIFT);
|
||||
@@ -2453,20 +2453,20 @@ static void Luks2Requirements(void)
|
||||
FAIL_((r = crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0)), "Unmet requirements detected");
|
||||
EQ_(r, -ETXTBSY);
|
||||
OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, 0));
|
||||
OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, CRYPT_ACTIVATE_KEYRING_KEY));
|
||||
OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
|
||||
EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE);
|
||||
|
||||
/* crypt_activate_by_keyfile (restricted for activation only) */
|
||||
FAIL_((r = crypt_activate_by_keyfile(cd, CDEVICE_1, 0, KEYFILE1, 0, 0)), "Unmet requirements detected");
|
||||
EQ_(r, -ETXTBSY);
|
||||
OK_(crypt_activate_by_keyfile(cd, NULL, 0, KEYFILE1, 0, 0));
|
||||
OK_(crypt_activate_by_keyfile(cd, NULL, 0, KEYFILE1, 0, CRYPT_ACTIVATE_KEYRING_KEY));
|
||||
OK_(crypt_activate_by_keyfile(cd, NULL, 0, KEYFILE1, 0, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
|
||||
|
||||
/* crypt_activate_by_volume_key (restricted for activation only) */
|
||||
FAIL_((r = crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0)), "Unmet requirements detected");
|
||||
EQ_(r, -ETXTBSY);
|
||||
OK_(crypt_activate_by_volume_key(cd, NULL, key, key_size, 0));
|
||||
OK_(crypt_activate_by_volume_key(cd, NULL, key, key_size, CRYPT_ACTIVATE_KEYRING_KEY));
|
||||
OK_(crypt_activate_by_volume_key(cd, NULL, key, key_size, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
|
||||
|
||||
#ifdef KERNEL_KEYRING
|
||||
kid = add_key("user", KEY_DESC_TEST0, "aaa", 3, KEY_SPEC_THREAD_KEYRING);
|
||||
@@ -2479,7 +2479,7 @@ static void Luks2Requirements(void)
|
||||
FAIL_((r = crypt_activate_by_keyring(cd, CDEVICE_1, KEY_DESC_TEST0, 0, 0)), "Unmet requirements detected");
|
||||
EQ_(r, -ETXTBSY);
|
||||
OK_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, 0));
|
||||
OK_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, CRYPT_ACTIVATE_KEYRING_KEY));
|
||||
OK_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
|
||||
#endif
|
||||
|
||||
/* crypt_volume_key_verify (unrestricted) */
|
||||
@@ -2566,7 +2566,7 @@ static void Luks2Requirements(void)
|
||||
FAIL_((r = crypt_activate_by_token(cd, CDEVICE_1, 1, NULL, 0)), ""); // supposed to be silent
|
||||
EQ_(r, -ETXTBSY);
|
||||
OK_(crypt_activate_by_token(cd, NULL, 1, NULL, 0));
|
||||
OK_(crypt_activate_by_token(cd, NULL, 1, NULL, CRYPT_ACTIVATE_KEYRING_KEY));
|
||||
OK_(crypt_activate_by_token(cd, NULL, 1, NULL, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
|
||||
#endif
|
||||
OK_(get_luks2_offsets(1, 8192, 0, 0, NULL, &r_payload_offset));
|
||||
OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 2));
|
||||
@@ -2635,7 +2635,7 @@ static void Luks2Requirements(void)
|
||||
|
||||
OK_(crypt_init_by_name(&cd, CDEVICE_1));
|
||||
/* load VK in keyring */
|
||||
OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, CRYPT_ACTIVATE_KEYRING_KEY));
|
||||
OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
|
||||
/* crypt_resize (restricted) */
|
||||
FAIL_((r = crypt_resize(cd, CDEVICE_1, 1)), "Unmet requirements detected");
|
||||
EQ_(r, -ETXTBSY);
|
||||
|
||||
@@ -23,8 +23,6 @@ PWD1="93R4P4pIqAH8"
|
||||
PWD2="mymJeD8ivEhE"
|
||||
PWD3="ocMakf3fAcQO"
|
||||
PWDW="rUkL4RUryBom"
|
||||
CHKS_DMCRYPT=vk_in_dmcrypt.chk
|
||||
CHKS_KEYRING=vk_in_keyring.chk
|
||||
TEST_KEYRING_NAME="compattest2_keyring"
|
||||
TEST_TOKEN0="compattest2_desc0"
|
||||
TEST_TOKEN1="compattest2_desc1"
|
||||
@@ -47,7 +45,7 @@ function remove_mapping()
|
||||
[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove $DEV_NAME2
|
||||
[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove $DEV_NAME
|
||||
losetup -d $LOOPDEV >/dev/null 2>&1
|
||||
rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $CHKS_DMCRYPT $CHKS_KEYRING $HEADER_KEYU >/dev/null 2>&1
|
||||
rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU >/dev/null 2>&1
|
||||
|
||||
# unlink whole test keyring
|
||||
[ -n "$TEST_KEYRING" ] && keyctl unlink $TEST_KEYRING "@u" >/dev/null
|
||||
@@ -157,10 +155,13 @@ function dm_crypt_keyring_support()
|
||||
|
||||
VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
|
||||
VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
|
||||
VER_PTC=$(echo $VER_STR | cut -f 3 -d.)
|
||||
|
||||
[ $VER_MAJ -gt 1 ] && return 0
|
||||
[ $VER_MAJ -lt 1 ] && return 1
|
||||
[ $VER_MIN -ge 15 ]
|
||||
[ $VER_MIN -gt 18 ] && return 0
|
||||
[ $VER_MIN -eq 18 -a $VER_PTC -ge 1 ] && return 0
|
||||
return 1
|
||||
}
|
||||
|
||||
function test_and_prepare_keyring() {
|
||||
@@ -619,43 +620,29 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
|
||||
$CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail
|
||||
$CRYPTSETUP -q convert --type luks1 $LOOPDEV || fail
|
||||
|
||||
# FIXME: perhaps better to test in keyring-test script
|
||||
if dm_crypt_keyring_support; then
|
||||
prepare "[32] LUKS2 key in keyring" wipe
|
||||
dd if=/dev/zero of=$HEADER_IMG bs=1M count=4 >/dev/null 2>&1
|
||||
which sha1sum > /dev/null 2>&1 || skip "sha1sum is missing"
|
||||
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG || fail
|
||||
# check keyring support detection works as expected
|
||||
rmmod dm-crypt > /dev/null 2>&1 || true
|
||||
echo $PWD1 | $CRYPTSETUP open $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
|
||||
$CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "keyring" || fail
|
||||
dd if=/dev/urandom of=/dev/mapper/$DEV_NAME bs=4k count=2500 oflag=direct > /dev/null 2>&1 || fail
|
||||
sha1sum /dev/mapper/$DEV_NAME > $CHKS_KEYRING
|
||||
|
||||
$CRYPTSETUP close $DEV_NAME || fail
|
||||
echo $PWD1 | $CRYPTSETUP open $LOOPDEV --disable-keyring --header $HEADER_IMG $DEV_NAME || fail
|
||||
$CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "dm-crypt" || fail
|
||||
sha1sum /dev/mapper/$DEV_NAME > $CHKS_DMCRYPT
|
||||
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail
|
||||
$CRYPTSETUP close $DEV_NAME || fail
|
||||
|
||||
echo $PWD1 | $CRYPTSETUP open $LOOPDEV --disable-keyring --header $HEADER_IMG $DEV_NAME || fail
|
||||
dd if=/dev/urandom of=/dev/mapper/$DEV_NAME bs=4k count=2500 oflag=direct > /dev/null 2>&1 || fail
|
||||
sha1sum /dev/mapper/$DEV_NAME > $CHKS_DMCRYPT
|
||||
$CRYPTSETUP luksSuspend $DEV_NAME || fail
|
||||
echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail
|
||||
$CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "keyring" || fail
|
||||
sha1sum /dev/mapper/$DEV_NAME > $CHKS_KEYRING
|
||||
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail
|
||||
$CRYPTSETUP close $DEV_NAME || fail
|
||||
|
||||
echo $PWD1 | $CRYPTSETUP open $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
|
||||
dd if=/dev/urandom of=/dev/mapper/$DEV_NAME bs=4k count=2500 oflag=direct > /dev/null 2>&1 || fail
|
||||
sha1sum /dev/mapper/$DEV_NAME > $CHKS_KEYRING
|
||||
$CRYPTSETUP luksSuspend $DEV_NAME || fail
|
||||
echo $PWD1 | $CRYPTSETUP luksResume --disable-keyring $DEV_NAME --header $HEADER_IMG || fail
|
||||
$CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "dm-crypt" || fail
|
||||
sha1sum /dev/mapper/$DEV_NAME > $CHKS_DMCRYPT
|
||||
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail
|
||||
$CRYPTSETUP close $DEV_NAME || fail
|
||||
fi
|
||||
|
||||
|
||||
@@ -67,6 +67,8 @@ function dm_crypt_keyring_support()
|
||||
VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
|
||||
VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
|
||||
|
||||
# run the test with dm-crypt v1.15.0+ on purpose
|
||||
# the fix is in dm-crypt v1.18.1+
|
||||
[ $VER_MAJ -gt 1 ] && return 0
|
||||
[ $VER_MAJ -lt 1 ] && return 1
|
||||
[ $VER_MIN -ge 15 ]
|
||||
|
||||
@@ -286,15 +286,15 @@ int _system(const char *command, int warn)
|
||||
return r;
|
||||
}
|
||||
|
||||
static int t_dm_satisfies_version(unsigned target_maj, unsigned target_min,
|
||||
unsigned actual_maj, unsigned actual_min)
|
||||
static int t_dm_satisfies_version(unsigned target_maj, unsigned target_min, unsigned target_patch,
|
||||
unsigned actual_maj, unsigned actual_min, unsigned actual_patch)
|
||||
{
|
||||
if (actual_maj > target_maj)
|
||||
return 1;
|
||||
|
||||
if (actual_maj == target_maj && actual_min >= target_min)
|
||||
if (actual_maj == target_maj && actual_min > target_min)
|
||||
return 1;
|
||||
if (actual_maj == target_maj && actual_min == target_min && actual_patch >= target_patch)
|
||||
return 1;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -309,30 +309,30 @@ static void t_dm_set_crypt_compat(const char *dm_version, unsigned crypt_maj,
|
||||
dm_patch = 0;
|
||||
}
|
||||
|
||||
if (t_dm_satisfies_version(1, 2, crypt_maj, crypt_min))
|
||||
if (t_dm_satisfies_version(1, 2, 0, crypt_maj, crypt_min, 0))
|
||||
t_dm_crypt_flags |= T_DM_KEY_WIPE_SUPPORTED;
|
||||
|
||||
if (t_dm_satisfies_version(1, 10, crypt_maj, crypt_min))
|
||||
if (t_dm_satisfies_version(1, 10, 0, crypt_maj, crypt_min, 0))
|
||||
t_dm_crypt_flags |= T_DM_LMK_SUPPORTED;
|
||||
|
||||
if (t_dm_satisfies_version(4, 20, dm_maj, dm_min))
|
||||
if (t_dm_satisfies_version(4, 20, 0, dm_maj, dm_min, 0))
|
||||
t_dm_crypt_flags |= T_DM_SECURE_SUPPORTED;
|
||||
|
||||
if (t_dm_satisfies_version(1, 8, crypt_maj, crypt_min))
|
||||
if (t_dm_satisfies_version(1, 8, 0, crypt_maj, crypt_min, 0))
|
||||
t_dm_crypt_flags |= T_DM_PLAIN64_SUPPORTED;
|
||||
|
||||
if (t_dm_satisfies_version(1, 11, crypt_maj, crypt_min))
|
||||
if (t_dm_satisfies_version(1, 11, 0, crypt_maj, crypt_min, 0))
|
||||
t_dm_crypt_flags |= T_DM_DISCARDS_SUPPORTED;
|
||||
|
||||
if (t_dm_satisfies_version(1, 13, crypt_maj, crypt_min))
|
||||
if (t_dm_satisfies_version(1, 13, 0, crypt_maj, crypt_min, 0))
|
||||
t_dm_crypt_flags |= T_DM_TCW_SUPPORTED;
|
||||
|
||||
if (t_dm_satisfies_version(1, 14, crypt_maj, crypt_min)) {
|
||||
if (t_dm_satisfies_version(1, 14, 0, crypt_maj, crypt_min, 0)) {
|
||||
t_dm_crypt_flags |= T_DM_SAME_CPU_CRYPT_SUPPORTED;
|
||||
t_dm_crypt_flags |= T_DM_SUBMIT_FROM_CRYPT_CPUS_SUPPORTED;
|
||||
}
|
||||
|
||||
if (t_dm_satisfies_version(1, 15, crypt_maj, crypt_min))
|
||||
if (t_dm_satisfies_version(1, 18, 1, crypt_maj, crypt_min, crypt_patch))
|
||||
t_dm_crypt_flags |= T_DM_KERNEL_KEYRING_SUPPORTED;
|
||||
}
|
||||
|
||||
@@ -349,7 +349,7 @@ static void t_dm_set_verity_compat(const char *dm_version, unsigned verity_maj,
|
||||
* (but some dm-verity targets 1.2 don't support it)
|
||||
* FEC is added in 1.3 as well.
|
||||
*/
|
||||
if (t_dm_satisfies_version(1, 3, verity_maj, verity_min)) {
|
||||
if (t_dm_satisfies_version(1, 3, 0, verity_maj, verity_min, 0)) {
|
||||
t_dm_crypt_flags |= T_DM_VERITY_ON_CORRUPTION_SUPPORTED;
|
||||
t_dm_crypt_flags |= T_DM_VERITY_FEC_SUPPORTED;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user