mirror of
https://gitlab.com/cryptsetup/cryptsetup.git
synced 2025-12-11 19:00:02 +01:00
Fix invalid assert for hw-opal data segment keys.
hw-opal segment does not receive volume key for data encryption, unlike crypt segment or hw-opal-crypt segment. It gets key encryption key that is passed to device fw which later unlocks the locking range key sealed in the device. The assert may be skipped while volume key is not set. Fixes: #875.
This commit is contained in:
Ondrej Kozina
committed by
Milan Broz
Milan Broz
parent
37ffd30d07
commit
daf6d7402a
@@ -5328,7 +5328,8 @@ static int _activate_luks2_by_volume_key(struct crypt_device *cd,
|
||||
}
|
||||
r = _open_and_activate_reencrypt_device_by_vk(cd, &cd->u.luks2.hdr, name, vk, flags);
|
||||
} else {
|
||||
assert(crypt_volume_key_get_id(vk) == LUKS2_digest_by_segment(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT));
|
||||
/* hw-opal data segment type does not require volume key for activation */
|
||||
assert(!vk || crypt_volume_key_get_id(vk) == LUKS2_digest_by_segment(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT));
|
||||
r = LUKS2_activate(cd, name, vk, external_key, flags);
|
||||
}
|
||||
|
||||
|
||||
@@ -415,6 +415,60 @@ function test_device_detached_header() #hdr, #opal_mode, #format_params, #--inte
|
||||
rm -f $1
|
||||
}
|
||||
|
||||
function run_token_tests() {
|
||||
$CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 --token-id 3 || fail
|
||||
$CRYPTSETUP luksDump $OPAL2_DEV | grep -q -e "3: luks2-keyring" || fail
|
||||
# keyslot 5 is inactive
|
||||
$CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN1 --key-slot 5 2> /dev/null && fail
|
||||
# key description is not reachable
|
||||
$CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase && fail
|
||||
# wrong passphrase
|
||||
load_key user $TEST_TOKEN0 "blabla" "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"
|
||||
$CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase 2>/dev/null && fail
|
||||
load_key user $TEST_TOKEN0 $PWD1 "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"
|
||||
$CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase || fail
|
||||
$CRYPTSETUP open --token-only $OPAL2_DEV $DEV_NAME || fail
|
||||
$CRYPTSETUP status $DEV_NAME > /dev/null || fail
|
||||
$CRYPTSETUP luksSuspend $DEV_NAME || fail
|
||||
$CRYPTSETUP luksResume $DEV_NAME <&- || fail
|
||||
$CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" && fail
|
||||
$CRYPTSETUP luksSuspend $DEV_NAME || fail
|
||||
$CRYPTSETUP luksResume $DEV_NAME --token-type luks2-keyring <&- || fail
|
||||
$CRYPTSETUP close $DEV_NAME || fail
|
||||
|
||||
# check --token-type sort of works (TODO: extend tests when native systemd tokens are available)
|
||||
echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $OPAL2_DEV --token-id 22 || fail
|
||||
# this excludes keyring tokens from unlocking device
|
||||
$CRYPTSETUP open --token-only --token-type some_type $OPAL2_DEV --test-passphrase && fail
|
||||
$CRYPTSETUP open --token-only --token-type some_type $OPAL2_DEV $DEV_NAME && fail
|
||||
$CRYPTSETUP status $DEV_NAME > /dev/null && fail
|
||||
|
||||
$CRYPTSETUP token remove --token-id 3 $OPAL2_DEV || fail
|
||||
$CRYPTSETUP luksDump $OPAL2_DEV | grep -q -e "3: luks2-keyring" && fail
|
||||
|
||||
# test we can remove keyslot with token
|
||||
echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -q -S4 $FAST_PBKDF_OPT $OPAL2_DEV || fail
|
||||
$CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN1 --key-slot 4 --token-id 0 || fail
|
||||
$CRYPTSETUP -q luksKillSlot $OPAL2_DEV 4 || fail
|
||||
$CRYPTSETUP token remove --token-id 0 $OPAL2_DEV || fail
|
||||
|
||||
# test we can add unassigned token
|
||||
$CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 --unbound --token-id 0 || fail
|
||||
$CRYPTSETUP open --token-only --token-id 0 --test-passphrase $OPAL2_DEV && fail
|
||||
$CRYPTSETUP token remove --token-id 0 $OPAL2_DEV || fail
|
||||
|
||||
# test token unassign works
|
||||
$CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 -S0 --token-id 0 || fail
|
||||
$CRYPTSETUP open --token-only --token-id 0 --test-passphrase $OPAL2_DEV || fail
|
||||
$CRYPTSETUP token unassign --token-id 0 $OPAL2_DEV 2>/dev/null && fail
|
||||
$CRYPTSETUP token unassign -S0 $OPAL2_DEV 2>/dev/null && fail
|
||||
$CRYPTSETUP token unassign --token-id 0 -S0 $OPAL2_DEV || fail
|
||||
$CRYPTSETUP open --token-only --token-id 0 --test-passphrase $OPAL2_DEV && fail
|
||||
$CRYPTSETUP token unassign --token-id 0 -S0 $OPAL2_DEV 2>/dev/null && fail
|
||||
$CRYPTSETUP token unassign --token-id 0 -S44 $OPAL2_DEV 2>/dev/null && fail
|
||||
$CRYPTSETUP token unassign --token-id 44 -S0 $OPAL2_DEV 2>/dev/null && fail
|
||||
}
|
||||
|
||||
export LANG=C
|
||||
|
||||
[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."
|
||||
@@ -916,62 +970,14 @@ if dm_crypt_keyring_support && dm_crypt_keyring_new_kernel; then
|
||||
fi
|
||||
|
||||
prepare "[28] tokens" wipe
|
||||
echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV || fail
|
||||
if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
|
||||
|
||||
test_and_prepare_keyring
|
||||
echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV -q || fail
|
||||
run_token_tests
|
||||
keyctl unlink "%user:$TEST_TOKEN0" $TEST_KEYRING || fail
|
||||
|
||||
$CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 --token-id 3 || fail
|
||||
$CRYPTSETUP luksDump $OPAL2_DEV | grep -q -e "3: luks2-keyring" || fail
|
||||
# keyslot 5 is inactive
|
||||
$CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN1 --key-slot 5 2> /dev/null && fail
|
||||
# key description is not reachable
|
||||
$CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase && fail
|
||||
# wrong passphrase
|
||||
load_key user $TEST_TOKEN0 "blabla" "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"
|
||||
$CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase 2>/dev/null && fail
|
||||
load_key user $TEST_TOKEN0 $PWD1 "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"
|
||||
$CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase || fail
|
||||
$CRYPTSETUP open --token-only $OPAL2_DEV $DEV_NAME || fail
|
||||
$CRYPTSETUP status $DEV_NAME > /dev/null || fail
|
||||
$CRYPTSETUP luksSuspend $DEV_NAME || fail
|
||||
$CRYPTSETUP luksResume $DEV_NAME <&- || fail
|
||||
$CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" && fail
|
||||
$CRYPTSETUP luksSuspend $DEV_NAME || fail
|
||||
$CRYPTSETUP luksResume $DEV_NAME --token-type luks2-keyring <&- || fail
|
||||
$CRYPTSETUP close $DEV_NAME || fail
|
||||
|
||||
# check --token-type sort of works (TODO: extend tests when native systemd tokens are available)
|
||||
echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $OPAL2_DEV --token-id 22 || fail
|
||||
# this excludes keyring tokens from unlocking device
|
||||
$CRYPTSETUP open --token-only --token-type some_type $OPAL2_DEV --test-passphrase && fail
|
||||
$CRYPTSETUP open --token-only --token-type some_type $OPAL2_DEV $DEV_NAME && fail
|
||||
$CRYPTSETUP status $DEV_NAME > /dev/null && fail
|
||||
|
||||
$CRYPTSETUP token remove --token-id 3 $OPAL2_DEV || fail
|
||||
$CRYPTSETUP luksDump $OPAL2_DEV | grep -q -e "3: luks2-keyring" && fail
|
||||
|
||||
# test we can remove keyslot with token
|
||||
echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -q -S4 $FAST_PBKDF_OPT $OPAL2_DEV || fail
|
||||
$CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN1 --key-slot 4 --token-id 0 || fail
|
||||
$CRYPTSETUP -q luksKillSlot $OPAL2_DEV 4 || fail
|
||||
$CRYPTSETUP token remove --token-id 0 $OPAL2_DEV || fail
|
||||
|
||||
# test we can add unassigned token
|
||||
$CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 --unbound --token-id 0 || fail
|
||||
$CRYPTSETUP open --token-only --token-id 0 --test-passphrase $OPAL2_DEV && fail
|
||||
$CRYPTSETUP token remove --token-id 0 $OPAL2_DEV || fail
|
||||
|
||||
# test token unassign works
|
||||
$CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 -S0 --token-id 0 || fail
|
||||
$CRYPTSETUP open --token-only --token-id 0 --test-passphrase $OPAL2_DEV || fail
|
||||
$CRYPTSETUP token unassign --token-id 0 $OPAL2_DEV 2>/dev/null && fail
|
||||
$CRYPTSETUP token unassign -S0 $OPAL2_DEV 2>/dev/null && fail
|
||||
$CRYPTSETUP token unassign --token-id 0 -S0 $OPAL2_DEV || fail
|
||||
$CRYPTSETUP open --token-only --token-id 0 --test-passphrase $OPAL2_DEV && fail
|
||||
$CRYPTSETUP token unassign --token-id 0 -S0 $OPAL2_DEV 2>/dev/null && fail
|
||||
$CRYPTSETUP token unassign --token-id 0 -S44 $OPAL2_DEV 2>/dev/null && fail
|
||||
$CRYPTSETUP token unassign --token-id 44 -S0 $OPAL2_DEV 2>/dev/null && fail
|
||||
echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV -q || fail
|
||||
run_token_tests
|
||||
fi
|
||||
echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $OPAL2_DEV --token-id 10 || fail
|
||||
echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $OPAL2_DEV --token-id 11 --json-file - || fail
|
||||
|
||||
Reference in New Issue
Block a user