|
|
|
|
@@ -1,476 +0,0 @@
|
|
|
|
|
#!/bin/bash
|
|
|
|
|
|
|
|
|
|
[ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
|
|
|
|
|
CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
|
|
|
|
|
REENC=$CRYPTSETUP_PATH/cryptsetup-reencrypt
|
|
|
|
|
FAST_PBKDF_ARGON="--pbkdf argon2i --pbkdf-force-iterations 4 --pbkdf-memory 32 --pbkdf-parallel 1"
|
|
|
|
|
FAST_PBKDF_PBKDF2="--pbkdf-force-iterations 1000 --pbkdf pbkdf2"
|
|
|
|
|
|
|
|
|
|
DEV_NAME=reenc9768
|
|
|
|
|
DEV_NAME2=reenc1273
|
|
|
|
|
IMG=reenc-data
|
|
|
|
|
IMG_HDR=$IMG.hdr
|
|
|
|
|
ORIG_IMG=reenc-data-orig
|
|
|
|
|
KEY1=key1
|
|
|
|
|
PWD1="93R4P4pIqAH8"
|
|
|
|
|
PWD2="1cND4319812f"
|
|
|
|
|
PWD3="1-9Qu5Ejfnqv"
|
|
|
|
|
|
|
|
|
|
MNT_DIR=./mnt_luks
|
|
|
|
|
START_DIR=$(pwd)
|
|
|
|
|
[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
|
|
|
|
|
|
|
|
|
function fips_mode()
|
|
|
|
|
{
|
|
|
|
|
[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function dm_crypt_features()
|
|
|
|
|
{
|
|
|
|
|
local VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
|
|
|
|
|
[ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version."
|
|
|
|
|
|
|
|
|
|
local VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
|
|
|
|
|
local VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
|
|
|
|
|
|
|
|
|
|
[ $VER_MAJ -lt 1 ] && return
|
|
|
|
|
[ $VER_MAJ -eq 1 -a $VER_MIN -lt 11 ] && return
|
|
|
|
|
ALLOW_DISCARDS=--allow-discards
|
|
|
|
|
[ $VER_MAJ -eq 1 -a $VER_MIN -lt 14 ] && return
|
|
|
|
|
PERF_CPU=--perf-same_cpu_crypt
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function del_scsi_device()
|
|
|
|
|
{
|
|
|
|
|
rmmod scsi_debug >/dev/null 2>&1
|
|
|
|
|
sleep 2
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function remove_mapping()
|
|
|
|
|
{
|
|
|
|
|
[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
|
|
|
|
|
[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
|
|
|
|
|
rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 >/dev/null 2>&1
|
|
|
|
|
umount $MNT_DIR > /dev/null 2>&1
|
|
|
|
|
rmdir $MNT_DIR > /dev/null 2>&1
|
|
|
|
|
del_scsi_device
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function fail()
|
|
|
|
|
{
|
|
|
|
|
[ -n "$1" ] && echo "$1"
|
|
|
|
|
echo "FAILED backtrace:"
|
|
|
|
|
while caller $frame; do ((frame++)); done
|
|
|
|
|
cd $START_DIR
|
|
|
|
|
remove_mapping
|
|
|
|
|
exit 2
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function skip()
|
|
|
|
|
{
|
|
|
|
|
[ -n "$1" ] && echo "$1"
|
|
|
|
|
exit 77
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function add_scsi_device() {
|
|
|
|
|
del_scsi_device
|
|
|
|
|
if [ -d /sys/module/scsi_debug ] ; then
|
|
|
|
|
echo "Cannot use scsi_debug module (in use or compiled-in), test skipped."
|
|
|
|
|
exit 77
|
|
|
|
|
fi
|
|
|
|
|
modprobe scsi_debug $@ delay=0 >/dev/null 2>&1
|
|
|
|
|
if [ $? -ne 0 ] ; then
|
|
|
|
|
echo "This kernel seems to not support proper scsi_debug module, test skipped."
|
|
|
|
|
exit 77
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
sleep 2
|
|
|
|
|
SCSI_DEV="/dev/"$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /)
|
|
|
|
|
[ -b $SCSI_DEV ] || fail "Cannot find $SCSI_DEV."
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function open_crypt() # $1 pwd, $2 hdr
|
|
|
|
|
{
|
|
|
|
|
if [ -n "$2" ] ; then
|
|
|
|
|
echo "$1" | $CRYPTSETUP luksOpen $IMG $DEV_NAME --header $2 || fail
|
|
|
|
|
elif [ -n "$1" ] ; then
|
|
|
|
|
echo "$1" | $CRYPTSETUP luksOpen $IMG $DEV_NAME || fail
|
|
|
|
|
else
|
|
|
|
|
$CRYPTSETUP luksOpen -d $KEY1 $IMG $DEV_NAME || fail
|
|
|
|
|
fi
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function wipe_dev() # $1 dev
|
|
|
|
|
{
|
|
|
|
|
dd if=/dev/zero of=$1 bs=256k conv=notrunc >/dev/null 2>&1
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function wipe() # $1 pass
|
|
|
|
|
{
|
|
|
|
|
open_crypt $1
|
|
|
|
|
wipe_dev /dev/mapper/$DEV_NAME
|
|
|
|
|
udevadm settle >/dev/null 2>&1
|
|
|
|
|
$CRYPTSETUP luksClose $DEV_NAME || fail
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function prepare() # $1 dev1_siz
|
|
|
|
|
{
|
|
|
|
|
remove_mapping
|
|
|
|
|
|
|
|
|
|
dd if=/dev/zero of=$IMG bs=1k count=$1 >/dev/null 2>&1
|
|
|
|
|
|
|
|
|
|
if [ ! -e $KEY1 ]; then
|
|
|
|
|
dd if=/dev/urandom of=$KEY1 count=1 bs=32 >/dev/null 2>&1
|
|
|
|
|
fi
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function check_hash_dev() # $1 dev, $2 hash, $3 size
|
|
|
|
|
{
|
|
|
|
|
if [ -n "$3" ]; then
|
|
|
|
|
HASH=$(head -c $3 $1 | sha256sum | cut -d' ' -f 1)
|
|
|
|
|
else
|
|
|
|
|
HASH=$(sha256sum $1 | cut -d' ' -f 1)
|
|
|
|
|
fi
|
|
|
|
|
[ $HASH != "$2" ] && fail "HASH differs ($HASH)"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function check_hash() # $1 pwd, $2 hash, $3 hdr
|
|
|
|
|
{
|
|
|
|
|
open_crypt $1 $3
|
|
|
|
|
check_hash_dev /dev/mapper/$DEV_NAME $2
|
|
|
|
|
$CRYPTSETUP remove $DEV_NAME || fail
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function backup_orig()
|
|
|
|
|
{
|
|
|
|
|
sync
|
|
|
|
|
cp $IMG $ORIG_IMG
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function rollback()
|
|
|
|
|
{
|
|
|
|
|
sync
|
|
|
|
|
cp $ORIG_IMG $IMG
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function check_slot() #space separated list of active key slots
|
|
|
|
|
{
|
|
|
|
|
local _out=$($CRYPTSETUP luksDump $IMG | grep -e ": luks2" | sed -e 's/[[:space:]]*\([0-9]\+\):.*/\1/g')
|
|
|
|
|
|
|
|
|
|
local _req
|
|
|
|
|
local _hdr
|
|
|
|
|
local _j
|
|
|
|
|
|
|
|
|
|
for _i in $*; do
|
|
|
|
|
_j=$((_i))
|
|
|
|
|
_req="$_req $_j"
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
for _i in $_out; do
|
|
|
|
|
_j=$((_i))
|
|
|
|
|
_hdr="$_hdr $_j"
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
test "$_req" = "$_hdr"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function simple_scsi_reenc()
|
|
|
|
|
{
|
|
|
|
|
echo -n "$1"
|
|
|
|
|
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_ARGON $SCSI_DEV || fail
|
|
|
|
|
|
|
|
|
|
echo $PWD1 | $CRYPTSETUP luksOpen $SCSI_DEV $DEV_NAME || fail
|
|
|
|
|
HASH=$(sha256sum /dev/mapper/$DEV_NAME | cut -d' ' -f 1)
|
|
|
|
|
$CRYPTSETUP luksClose $DEV_NAME || fail
|
|
|
|
|
|
|
|
|
|
echo $PWD1 | $REENC -q $FAST_PBKDF_ARGON $SCSI_DEV || fail
|
|
|
|
|
|
|
|
|
|
echo $PWD1 | $CRYPTSETUP luksOpen $SCSI_DEV $DEV_NAME || fail
|
|
|
|
|
check_hash_dev /dev/mapper/$DEV_NAME $HASH
|
|
|
|
|
$CRYPTSETUP luksClose $DEV_NAME || fail
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function mount_and_test() {
|
|
|
|
|
test -d $MNT_DIR || mkdir -p $MNT_DIR
|
|
|
|
|
mount $@ $MNT_DIR 2>/dev/null || {
|
|
|
|
|
echo -n "failed to mount [SKIP]"
|
|
|
|
|
return 0
|
|
|
|
|
}
|
|
|
|
|
rm $MNT_DIR/* 2>/dev/null
|
|
|
|
|
cd $MNT_DIR
|
|
|
|
|
|
|
|
|
|
if [ "${REENC:0:1}" != "/" ] ; then
|
|
|
|
|
MNT_REENC=$START_DIR/$REENC
|
|
|
|
|
else
|
|
|
|
|
MNT_REENC=$REENC
|
|
|
|
|
fi
|
|
|
|
|
echo $PWD2 | $MNT_REENC $START_DIR/$IMG -q --use-fsync --use-directio --write-log $FAST_PBKDF_ARGON || return 1
|
|
|
|
|
cd $START_DIR
|
|
|
|
|
umount $MNT_DIR
|
|
|
|
|
echo -n [OK]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function test_logging_tmpfs() {
|
|
|
|
|
echo -n "[tmpfs]"
|
|
|
|
|
mount_and_test -t tmpfs none -o size=$[25*1024*1024] || return 1
|
|
|
|
|
echo
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function test_logging() {
|
|
|
|
|
echo -n "$1:"
|
|
|
|
|
for img in $(ls img_fs*img.xz) ; do
|
|
|
|
|
wipefs -a $SCSI_DEV > /dev/null
|
|
|
|
|
echo -n "[${img%.img.xz}]"
|
|
|
|
|
xz -d -c $img | dd of=$SCSI_DEV bs=4k >/dev/null 2>&1
|
|
|
|
|
mount_and_test $SCSI_DEV || return 1
|
|
|
|
|
done
|
|
|
|
|
echo
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
|
|
|
|
|
[ ! -x "$REENC" ] && skip "Cannot find $REENC, test skipped."
|
|
|
|
|
which wipefs >/dev/null || skip "Cannot find wipefs, test skipped."
|
|
|
|
|
fips_mode && skip "This test cannot be run in FIPS mode."
|
|
|
|
|
|
|
|
|
|
# REENCRYPTION tests
|
|
|
|
|
|
|
|
|
|
HASH1=b69dae56a14d1a8314ed40664c4033ea0a550eea2673e04df42a66ac6b9faf2c
|
|
|
|
|
HASH4=2daeb1f36095b44b318410b3f4e8b5d989dcc7bb023d1426c492dab0a3053e74
|
|
|
|
|
HASH5=bb9f8df61474d25e71fa00722318cd387396ca1736605e1248821cc0de3d3af8
|
|
|
|
|
HASH6=4d9cbaf3aa0935a8c113f139691b3daf9c94c8d6c278aedc8eec66a4b9f6c8ae
|
|
|
|
|
HASH7=5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef
|
|
|
|
|
|
|
|
|
|
echo "[1] Reencryption"
|
|
|
|
|
prepare 8192
|
|
|
|
|
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c aes-cbc-plain $FAST_PBKDF_ARGON --offset 8192 $IMG || fail
|
|
|
|
|
wipe $PWD1
|
|
|
|
|
check_hash $PWD1 $HASH5
|
|
|
|
|
echo $PWD1 | $REENC $IMG -q $FAST_PBKDF_ARGON
|
|
|
|
|
check_hash $PWD1 $HASH5
|
|
|
|
|
echo $PWD1 | $REENC $IMG -q -s 256 $FAST_PBKDF_ARGON
|
|
|
|
|
check_hash $PWD1 $HASH5
|
|
|
|
|
echo $PWD1 | $REENC $IMG -q -s 256 -c aes-xts-plain64 -h sha256 $FAST_PBKDF_ARGON
|
|
|
|
|
check_hash $PWD1 $HASH5
|
|
|
|
|
echo $PWD1 | $REENC $IMG -q --use-directio $FAST_PBKDF_ARGON
|
|
|
|
|
check_hash $PWD1 $HASH5
|
|
|
|
|
echo $PWD1 | $REENC $IMG -q --master-key-file /dev/urandom $FAST_PBKDF_ARGON
|
|
|
|
|
check_hash $PWD1 $HASH5
|
|
|
|
|
echo $PWD1 | $REENC $IMG -q -s 512 --master-key-file /dev/urandom $FAST_PBKDF_ARGON
|
|
|
|
|
check_hash $PWD1 $HASH5
|
|
|
|
|
$CRYPTSETUP luksDump $IMG | grep -q "luks2" > /dev/null || fail
|
|
|
|
|
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 --luks2-metadata-size 128k -c aes-cbc-plain $FAST_PBKDF_ARGON --offset 8192 $IMG > /dev/null || fail
|
|
|
|
|
wipe $PWD1
|
|
|
|
|
check_hash $PWD1 $HASH5
|
|
|
|
|
echo $PWD1 | $REENC $IMG -q $FAST_PBKDF_ARGON > /dev/null || fail
|
|
|
|
|
check_hash $PWD1 $HASH5
|
|
|
|
|
MDA_SIZE=$($CRYPTSETUP luksDump $IMG | grep "Metadata area: " | cut -f 3 -d ' ')
|
|
|
|
|
test "$MDA_SIZE" -eq 131072 || fail "Unexpected Metadata area size $MDA_SIZE"
|
|
|
|
|
|
|
|
|
|
echo "[2] Reencryption with data shift"
|
|
|
|
|
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c aes-cbc-essiv:sha256 -s 128 $FAST_PBKDF_ARGON --offset 8192 $IMG || fail
|
|
|
|
|
wipe $PWD1
|
|
|
|
|
echo $PWD1 | $REENC $IMG -q -s 256 --reduce-device-size 1024S $FAST_PBKDF_ARGON || fail
|
|
|
|
|
check_hash $PWD1 $HASH6
|
|
|
|
|
echo $PWD1 | $REENC $IMG -q $FAST_PBKDF_ARGON || fail
|
|
|
|
|
check_hash $PWD1 $HASH6
|
|
|
|
|
$CRYPTSETUP luksDump $IMG | grep -q "luks2" > /dev/null || fail
|
|
|
|
|
|
|
|
|
|
echo "[3] Reencryption with keyfile"
|
|
|
|
|
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -d $KEY1 -c aes-cbc-essiv:sha256 -s 128 $FAST_PBKDF_ARGON --offset 8192 $IMG || fail
|
|
|
|
|
wipe
|
|
|
|
|
check_hash "" $HASH5
|
|
|
|
|
echo $PWD1 | $CRYPTSETUP -q luksAddKey -d $KEY1 $IMG $FAST_PBKDF_ARGON || fail
|
|
|
|
|
$REENC $IMG -d $KEY1 $FAST_PBKDF_ARGON -q 2>/dev/null && fail
|
|
|
|
|
$REENC $IMG -d $KEY1 -S 0 $FAST_PBKDF_ARGON -q || fail
|
|
|
|
|
check_hash "" $HASH5
|
|
|
|
|
check_slot 0 || fail "Only keyslot 0 expected to be enabled"
|
|
|
|
|
$REENC $IMG -d $KEY1 $FAST_PBKDF_ARGON -q || fail
|
|
|
|
|
$CRYPTSETUP luksDump $IMG | grep -q "luks2" > /dev/null || fail
|
|
|
|
|
# FIXME echo $PWD1 | $REENC ...
|
|
|
|
|
|
|
|
|
|
echo "[4] Encryption of not yet encrypted device"
|
|
|
|
|
# well, movin' zeroes :-)
|
|
|
|
|
OFFSET=8192 # default LUKS2 header size
|
|
|
|
|
prepare 8192
|
|
|
|
|
check_hash_dev $IMG $HASH4
|
|
|
|
|
echo $PWD1 | $REENC --type luks2 $IMG -c aes-cbc-essiv:sha256 -s 128 --new --reduce-device-size "$OFFSET"S -q $FAST_PBKDF_ARGON || fail
|
|
|
|
|
check_hash $PWD1 $HASH5
|
|
|
|
|
$CRYPTSETUP luksDump $IMG | grep -q "luks2" > /dev/null || fail
|
|
|
|
|
# 64MiB + 1 KiB
|
|
|
|
|
prepare 65537
|
|
|
|
|
OFFSET=131072
|
|
|
|
|
check_hash_dev $IMG $HASH7 1024
|
|
|
|
|
echo $PWD1 | $REENC --type luks2 $IMG -c aes-cbc-essiv:sha256 -s 128 --new --reduce-device-size "$OFFSET"S -q $FAST_PBKDF_ARGON || fail
|
|
|
|
|
check_hash $PWD1 $HASH7
|
|
|
|
|
$CRYPTSETUP --type luks2 luksDump $IMG > /dev/null || fail
|
|
|
|
|
prepare 8192
|
|
|
|
|
|
|
|
|
|
echo "[5] Reencryption using specific keyslot"
|
|
|
|
|
echo $PWD2 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $IMG --offset 8192 || fail
|
|
|
|
|
echo -e "$PWD2\n$PWD1" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_ARGON -S 1 $IMG || fail
|
|
|
|
|
echo -e "$PWD2\n$PWD2" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_ARGON -S 2 $IMG || fail
|
|
|
|
|
echo -e "$PWD2\n$PWD1" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_ARGON -S 3 $IMG || fail
|
|
|
|
|
echo -e "$PWD2\n$PWD2" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_ARGON -S 4 $IMG || fail
|
|
|
|
|
echo -e "$PWD2\n$PWD1" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_ARGON -S 5 $IMG || fail
|
|
|
|
|
echo -e "$PWD2\n$PWD2" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_ARGON -S 6 $IMG || fail
|
|
|
|
|
echo -e "$PWD2\n$PWD3" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_ARGON -S 22 $IMG || fail
|
|
|
|
|
backup_orig
|
|
|
|
|
echo $PWD2 | $REENC $FAST_PBKDF_ARGON -S 0 -q $IMG || fail
|
|
|
|
|
check_slot 0 || fail "Only keyslot 0 expected to be enabled"
|
|
|
|
|
wipe $PWD2
|
|
|
|
|
rollback
|
|
|
|
|
echo $PWD1 | $REENC $FAST_PBKDF_ARGON -S 1 -q $IMG || fail
|
|
|
|
|
check_slot 1 || fail "Only keyslot 1 expected to be enabled"
|
|
|
|
|
wipe $PWD1
|
|
|
|
|
rollback
|
|
|
|
|
echo $PWD2 | $REENC $FAST_PBKDF_ARGON -S 6 -q $IMG || fail
|
|
|
|
|
check_slot 6 || fail "Only keyslot 6 expected to be enabled"
|
|
|
|
|
wipe $PWD2
|
|
|
|
|
rollback
|
|
|
|
|
echo $PWD3 | $REENC $FAST_PBKDF_ARGON -S 22 -q $IMG || fail
|
|
|
|
|
check_slot 22 || fail "Only keyslot 22 expected to be enabled"
|
|
|
|
|
wipe $PWD3
|
|
|
|
|
rollback
|
|
|
|
|
|
|
|
|
|
echo "[6] Reencryption using all active keyslots"
|
|
|
|
|
echo -e "$PWD2\n$PWD1\n$PWD2\n$PWD1\n$PWD2\n$PWD1\n$PWD2\n$PWD3" | $REENC -q $IMG $FAST_PBKDF_ARGON || fail
|
|
|
|
|
check_slot 0 1 2 3 4 5 6 22 || fail "All keyslots expected to be enabled"
|
|
|
|
|
|
|
|
|
|
echo "[7] Reencryption of block devices with different block size"
|
|
|
|
|
add_scsi_device sector_size=512 dev_size_mb=32
|
|
|
|
|
simple_scsi_reenc "[512 sector]"
|
|
|
|
|
add_scsi_device sector_size=4096 dev_size_mb=32
|
|
|
|
|
simple_scsi_reenc "[4096 sector]"
|
|
|
|
|
add_scsi_device sector_size=512 physblk_exp=3 dev_size_mb=32
|
|
|
|
|
simple_scsi_reenc "[4096/512 sector]"
|
|
|
|
|
echo "[OK]"
|
|
|
|
|
|
|
|
|
|
echo "[8] Header only reencryption (hash and iteration time)"
|
|
|
|
|
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $IMG --offset 8192 || fail
|
|
|
|
|
wipe $PWD1
|
|
|
|
|
check_hash $PWD1 $HASH5
|
|
|
|
|
echo $PWD1 | $REENC $IMG -q --keep-key || fail
|
|
|
|
|
check_hash $PWD1 $HASH5
|
|
|
|
|
echo $PWD1 | $REENC $IMG -q --keep-key --pbkdf pbkdf2 --pbkdf-force-iterations 999 2>/dev/null && fail
|
|
|
|
|
check_hash $PWD1 $HASH5
|
|
|
|
|
echo $PWD1 | $REENC $IMG -q --keep-key --pbkdf-force-iterations 3 2>/dev/null && fail
|
|
|
|
|
check_hash $PWD1 $HASH5
|
|
|
|
|
echo $PWD1 | $REENC $IMG -q --keep-key --pbkdf-force-iterations 4 --pbkdf-memory 31 2>/dev/null && fail
|
|
|
|
|
check_hash $PWD1 $HASH5
|
|
|
|
|
echo $PWD1 | $REENC $IMG -q --keep-key --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --hash sha512
|
|
|
|
|
check_hash $PWD1 $HASH5
|
|
|
|
|
[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "0: luks2" | grep PBKDF: | sed -e 's/[[:space:]]\+PBKDF:\ \+//g')" = "pbkdf2" ] || fail
|
|
|
|
|
[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "0: luks2" | grep Hash: | sed -e 's/[[:space:]]\+Hash:\ \+//g')" = "sha512" ] || fail
|
|
|
|
|
echo $PWD1 | $REENC $IMG -q --keep-key $FAST_PBKDF_ARGON
|
|
|
|
|
check_hash $PWD1 $HASH5
|
|
|
|
|
[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "0: luks2" | grep PBKDF: | sed -e 's/[[:space:]]\+PBKDF:\ \+//g')" = argon2i ] || fail
|
|
|
|
|
[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "0: luks2" | grep "Time cost" | sed -e 's/[[:space:]]\+Time\ cost:\ \+//g')" -eq 4 ] || fail
|
|
|
|
|
[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "0: luks2" | grep Memory | sed -e 's/[[[:space:]]\+Memory:\ \+//g')" -eq 32 ] || fail
|
|
|
|
|
[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "0: luks2" | grep Threads | sed -e 's/[[[:space:]]\+Threads:\ \+//g')" -eq 1 ] || fail
|
|
|
|
|
echo -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksAddKey -S21 $FAST_PBKDF_ARGON $IMG || fail
|
|
|
|
|
echo $PWD2 | $REENC -S21 -q --keep-key --pbkdf pbkdf2 --pbkdf-force-iterations 1000 $IMG || fail
|
|
|
|
|
check_hash $PWD2 $HASH5
|
|
|
|
|
check_slot 21 || fail "Only keyslot 21 expected to be enabled"
|
|
|
|
|
$CRYPTSETUP luksDump $IMG | grep -q "luks2" > /dev/null || fail
|
|
|
|
|
|
|
|
|
|
echo "[9] Test log I/Os on various underlying block devices"
|
|
|
|
|
echo $PWD2 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $IMG --offset 8192 || fail
|
|
|
|
|
add_scsi_device sector_size=512 dev_size_mb=32
|
|
|
|
|
test_logging "[512 sector]" || fail
|
|
|
|
|
add_scsi_device sector_size=4096 dev_size_mb=32
|
|
|
|
|
test_logging "[4096 sector]" || fail
|
|
|
|
|
add_scsi_device sector_size=512 dev_size_mb=32 physblk_exp=3
|
|
|
|
|
test_logging "[4096/512 sector]" || fail
|
|
|
|
|
test_logging_tmpfs || fail
|
|
|
|
|
|
|
|
|
|
echo "[10] Removal of encryption"
|
|
|
|
|
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $IMG --offset 8192 || fail
|
|
|
|
|
wipe $PWD1
|
|
|
|
|
check_hash $PWD1 $HASH5
|
|
|
|
|
echo $PWD1 | $REENC $IMG -q --decrypt || fail
|
|
|
|
|
check_hash_dev $IMG $HASH4
|
|
|
|
|
|
|
|
|
|
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -S5 $FAST_PBKDF_ARGON $IMG --offset 8192 || fail
|
|
|
|
|
wipe $PWD1
|
|
|
|
|
check_hash $PWD1 $HASH5
|
|
|
|
|
echo $PWD1 | $REENC $IMG -q --decrypt || fail
|
|
|
|
|
check_hash_dev $IMG $HASH4
|
|
|
|
|
|
|
|
|
|
echo "[11] Reencryption with tokens"
|
|
|
|
|
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $IMG --offset 8192 || fail
|
|
|
|
|
wipe $PWD1
|
|
|
|
|
check_hash $PWD1 $HASH5
|
|
|
|
|
echo -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksAddKey -S23 $FAST_PBKDF_ARGON $IMG || fail
|
|
|
|
|
echo -e "$PWD1\n$PWD3" | $CRYPTSETUP -q luksAddKey -S1 $FAST_PBKDF_ARGON $IMG || fail
|
|
|
|
|
echo -e "$PWD1\n$PWD3" | $CRYPTSETUP -q luksAddKey -S3 $FAST_PBKDF_ARGON $IMG || fai
|
|
|
|
|
$CRYPTSETUP token add --key-description key-name0 --key-slot 23 --token-id 0 $IMG
|
|
|
|
|
$CRYPTSETUP token add --key-description key-name2 --key-slot 1 --token-id 2 $IMG
|
|
|
|
|
$CRYPTSETUP token add --key-description key-name31 --token-id 31 $IMG
|
|
|
|
|
echo $PWD1 | $CRYPTSETUP -q luksKillSlot $IMG 3 || fail
|
|
|
|
|
echo $PWD2 | $REENC $FAST_PBKDF_ARGON -S 23 -q $IMG || fail
|
|
|
|
|
$CRYPTSETUP luksDump $IMG | grep "0: luks2-keyring" >/dev/null || fail
|
|
|
|
|
[ "$($CRYPTSETUP luksDump $IMG | grep -A2 -m1 "0: luks2-keyring" | grep Keyslot: | sed -e 's/[[[:space:]]\+Keyslot:\ \+//g')" -eq 23 ] || fail
|
|
|
|
|
$CRYPTSETUP luksDump $IMG | grep "2: luks2-keyring" >/dev/null || fail
|
|
|
|
|
$CRYPTSETUP luksDump $IMG | grep "31: luks2-keyring" >/dev/null || fail
|
|
|
|
|
[ "$($CRYPTSETUP luksDump $IMG | grep -A2 -m1 "31: luks2-keyring" | grep Keyslot: | sed -e 's/[[[:space:]]\+Keyslot:\ \+//g')" -eq 23 ] || fail
|
|
|
|
|
|
|
|
|
|
echo "[12] Reencryption with persistent flags"
|
|
|
|
|
dm_crypt_features
|
|
|
|
|
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $IMG --offset 8192 || fail
|
|
|
|
|
wipe $PWD1
|
|
|
|
|
check_hash $PWD1 $HASH5
|
|
|
|
|
echo $PWD1 | $CRYPTSETUP open $IMG $DEV_NAME $ALLOW_DISCARDS $PERF_CPU --persistent || fail
|
|
|
|
|
$CRYPTSETUP close $DEV_NAME || fail
|
|
|
|
|
echo $PWD1 | $REENC $FAST_PBKDF_ARGON -q $IMG || fail
|
|
|
|
|
if [ -n "$PERF_CPU" ]; then
|
|
|
|
|
$CRYPTSETUP luksDump $IMG | grep -m1 Flags: | grep same-cpu-crypt > /dev/null || fail
|
|
|
|
|
fi
|
|
|
|
|
if [ -n "$ALLOW_DISCARDS" ]; then
|
|
|
|
|
$CRYPTSETUP luksDump $IMG | grep -m1 Flags: | grep allow-discards > /dev/null || fail
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
echo "[13] Detached header - adding encryption/reencryption/decryption"
|
|
|
|
|
prepare 8192
|
|
|
|
|
check_hash_dev $IMG $HASH4
|
|
|
|
|
echo $PWD1 | $REENC --type luks2 $IMG -q $FAST_PBKDF_ARGON --header $IMG_HDR --new
|
|
|
|
|
check_hash $PWD1 $HASH4 $IMG_HDR
|
|
|
|
|
echo $PWD1 | $REENC $IMG -q $FAST_PBKDF_ARGON --header $IMG_HDR
|
|
|
|
|
check_hash $PWD1 $HASH4 $IMG_HDR
|
|
|
|
|
echo $PWD1 | $REENC $IMG -q --header $IMG_HDR --decrypt
|
|
|
|
|
check_hash_dev $IMG $HASH4
|
|
|
|
|
# existing header of zero size
|
|
|
|
|
cat /dev/null >$IMG_HDR
|
|
|
|
|
echo $PWD1 | $REENC --type luks2 $IMG -q $FAST_PBKDF_ARGON --header $IMG_HDR --new
|
|
|
|
|
check_hash $PWD1 $HASH4 $IMG_HDR
|
|
|
|
|
$CRYPTSETUP isLuks $IMG && fail
|
|
|
|
|
$CRYPTSETUP isLuks $IMG_HDR || fail
|
|
|
|
|
$CRYPTSETUP luksDump $IMG_HDR | grep -q "0: luks2" || fail
|
|
|
|
|
|
|
|
|
|
echo "[14] Reencryption with unbound keyslot"
|
|
|
|
|
prepare 8192
|
|
|
|
|
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $IMG --offset 8192 || fail
|
|
|
|
|
echo $PWD2 | $CRYPTSETUP -q luksAddKey -S 3 --unbound --key-size 64 $FAST_PBKDF_ARGON $IMG || fail
|
|
|
|
|
wipe $PWD1
|
|
|
|
|
check_hash $PWD1 $HASH5
|
|
|
|
|
$CRYPTSETUP luksDump $IMG | grep -q "3: luks2 (unbound)" || fail
|
|
|
|
|
echo $PWD2 | $REENC $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail
|
|
|
|
|
echo -e "$PWD1\n$PWD2" | $REENC $IMG -q $FAST_PBKDF_ARGON || fail
|
|
|
|
|
$CRYPTSETUP luksDump $IMG | grep -q "3: luks2 (unbound)" || fail
|
|
|
|
|
|
|
|
|
|
echo "[15] Reencryption after conversion"
|
|
|
|
|
prepare 8192
|
|
|
|
|
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_PBKDF2 $IMG --offset 4096 || fail
|
|
|
|
|
wipe $PWD1
|
|
|
|
|
check_hash $PWD1 $HASH1
|
|
|
|
|
$CRYPTSETUP -q convert --type luks2 $IMG || fail
|
|
|
|
|
echo $PWD1 | $REENC $IMG -q $FAST_PBKDF_PBKDF2 || fail
|
|
|
|
|
check_hash $PWD1 $HASH1
|
|
|
|
|
echo $PWD1 | $CRYPTSETUP -q luksFormat --sector-size 512 --type luks2 $FAST_PBKDF_PBKDF2 $IMG --offset 8192 || fail
|
|
|
|
|
wipe $PWD1
|
|
|
|
|
check_hash $PWD1 $HASH5
|
|
|
|
|
$CRYPTSETUP -q convert --type luks1 $IMG || fail
|
|
|
|
|
echo $PWD1 | $REENC $IMG -q $FAST_PBKDF_PBKDF2 || fail
|
|
|
|
|
check_hash $PWD1 $HASH5
|
|
|
|
|
|
|
|
|
|
remove_mapping
|
|
|
|
|
exit 0
|
Ondrej Kozina