[PATCH 1/2] fstests: fscrypt: enable btrfs testing.

From: Sweet Tea Dorminy <sweettea-kernel@dorminy.me>
To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org,
	linux-btrfs@vger.kernel.org, kernel-team@fb.com
Cc: Sweet Tea Dorminy <sweettea-kernel@dorminy.me>
Subject: [PATCH 1/2] fstests: fscrypt: enable btrfs testing.
Date: Mon,  5 Sep 2022 20:31:37 -0400	[thread overview]
Message-ID: <0152f016b3dd71b6fe152f71b05bb9517a2e748c.1662417905.git.sweettea-kernel@dorminy.me> (raw)
In-Reply-To: <cover.1662417905.git.sweettea-kernel@dorminy.me>

btrfs' fscrypt integration has more stringent requirements than other
filesystems using fscrypt: the default policy is not permitted.

To make many pass, this adds several common pieces:
- _set_encpolicy tries to automatically use a direct-key Adiantum policy
  for btrfs, if none is set.
- for many tests using a default policy, a filter is applied to make
  default policy for most FS's, or Adiantum for btrfs, work.
- _scratch_mkfs_sized_encrypted can deal with btrfs

These pieces are used in tests to make most generic tests work with
btrfs, and a new test is added resembling generic/395 to account for
btrfs' directory policy.

Signed-off-by: Sweet Tea Dorminy <sweettea-kernel@dorminy.me>
---
 common/encrypt        | 72 +++++++++++++++++++++++++++++++++++-
 common/verity         |  2 +-
 tests/btrfs/298       | 85 +++++++++++++++++++++++++++++++++++++++++++
 tests/btrfs/298.out   | 47 ++++++++++++++++++++++++
 tests/generic/395     | 10 +++--
 tests/generic/395.out | 18 ++++-----
 tests/generic/435     | 10 ++++-
 tests/generic/576     |  3 +-
 tests/generic/576.out |  6 +--
 tests/generic/580     |  5 ++-
 tests/generic/580.out | 18 ++++-----
 tests/generic/581     |  4 +-
 tests/generic/581.out | 12 +++---
 13 files changed, 252 insertions(+), 40 deletions(-)
 create mode 100755 tests/btrfs/298
 create mode 100644 tests/btrfs/298.out

diff --git a/common/encrypt b/common/encrypt
index 8f3c46f6..c2e3e6f6 100644
--- a/common/encrypt
+++ b/common/encrypt
@@ -102,7 +102,7 @@ _require_encryption_policy_support()
 		_scratch_unmount
 		_scratch_mkfs_stable_inodes_encrypted &>> $seqres.full
 		_scratch_mount
-	fi
+	fi;
 
 	mkdir $dir
 	if (( policy_version > 1 )); then
@@ -146,7 +146,7 @@ _require_encryption_policy_support()
 _scratch_mkfs_encrypted()
 {
 	case $FSTYP in
-	ext4|f2fs)
+	btrfs|ext4|f2fs)
 		_scratch_mkfs -O encrypt
 		;;
 	ubifs)
@@ -165,6 +165,9 @@ _scratch_mkfs_sized_encrypted()
 	ext4|f2fs)
 		MKFS_OPTIONS="$MKFS_OPTIONS -O encrypt" _scratch_mkfs_sized $*
 		;;
+	btrfs)
+		_scratch_mkfs_sized $*
+		;;
 	*)
 		_notrun "Filesystem $FSTYP not supported in _scratch_mkfs_sized_encrypted"
 		;;
@@ -356,6 +359,18 @@ _set_encpolicy()
 {
 	local dir=$1
 	shift
+	if [ "$FSTYP" = "btrfs" ]; then
+		# Append DIRECT_KEY flag, and set mode to Adiantum, if not set.
+		if ! [[ "$*" =~ -f ]]; then
+		        set -- "$* -f ${FSCRYPT_POLICY_FLAG_DIRECT_KEY}"
+		fi
+		if ! [[ "$*" =~ -c ]]; then
+		        set -- "$* -c ${FSCRYPT_MODE_ADIANTUM}"
+		fi
+		if ! [[ "$*" =~ -n ]]; then
+		        set -- "$* -n ${FSCRYPT_MODE_ADIANTUM}"
+		fi
+	fi
 
 	$XFS_IO_PROG -c "set_encpolicy $*" "$dir"
 }
@@ -364,6 +379,18 @@ _user_do_set_encpolicy()
 {
 	local dir=$1
 	shift
+       	if [ "$FSTYP" = "btrfs" ]; then
+		# Append DIRECT_KEY flag, and set mode to Adiantum, if not set.
+		if ! [[ "$*" =~ -f ]]; then
+		        set -- "$* -f ${FSCRYPT_POLICY_FLAG_DIRECT_KEY}"
+		fi
+		if ! [[ "$*" =~ -c ]]; then
+		        set -- "$* -c ${FSCRYPT_MODE_ADIANTUM}"
+		fi
+		if ! [[ "$*" =~ -n ]]; then
+		        set -- "$* -n ${FSCRYPT_MODE_ADIANTUM}"
+		fi
+	fi
 
 	_user_do "$XFS_IO_PROG -c \"set_encpolicy $*\" \"$dir\""
 }
@@ -491,6 +518,18 @@ _get_encryption_nonce()
 	local inode=$2
 
 	case $FSTYP in
+	btrfs)
+		# btrfs prints the fscrypt_context like:
+		#
+		# item 18 key (258 FSCRYPT_CTXT_ITEM 0) itemoff 15218 itemsize 40
+		#	value: 0201042000000000000000000000000000000000000000007907c9718128b82caebfa42e881b0163
+		#
+		$BTRFS_UTIL_PROG inspect-internal dump-tree $device | \
+			grep -A 1 "key ($inode FSCRYPT_CTXT_ITEM 0)" | \
+			awk '/value: [[:xdigit:]]+$/ {
+				print substr($0, length($0) - 31, 32);
+			}'
+		;;
 	ext4)
 		# Use debugfs to dump the special xattr named "c", which is the
 		# file's fscrypt_context.  This produces a line like:
@@ -539,6 +578,9 @@ _require_get_encryption_nonce_support()
 {
 	echo "Checking for _get_encryption_nonce() support for $FSTYP" >> $seqres.full
 	case $FSTYP in
+	btrfs)
+		_require_command "$BTRFS_UTIL_PROG" btrfs
+		;;
 	ext4)
 		_require_command "$DEBUGFS_PROG" debugfs
 		;;
@@ -888,6 +930,11 @@ _verify_ciphertext_for_encryption_policy()
 	if (( policy_version > 1 )); then
 		set_encpolicy_args+=" -v 2"
 		crypt_util_args+=" --kdf=HKDF-SHA512"
+		if [ "$FSTYP" = "btrfs" ]; then
+			if (( policy_flags == 0 )); then
+				_notrun "Btrfs does not accept default policies"
+			fi	
+		fi
 		if (( policy_flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY )); then
 			crypt_util_args+=" --direct-key"
 		elif (( policy_flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 )); then
@@ -1001,3 +1048,24 @@ _filter_nokey_filenames()
 	# of characters that have ever been used in such names.
 	sed "s|${dir}${dir:+/}[A-Za-z0-9+,_-]\+|${dir}${dir:+/}NOKEY_NAME|g"
 }
+
+# Replace the default encryption mode for a filesystem with "DEFAULT".
+_filter_default_encryption_mode()
+{
+	CONTENTS_PREFIX="Contents encryption mode:"
+	DEFAULT_CONTENTS_MODE="1 (AES-256-XTS)"
+	FILENAME_PREFIX="Filenames encryption mode:"
+	DEFAULT_FILENAME_MODE="4 (AES-256-CTS)"
+	DEFAULT_FLAGS="Flags: 0x02"
+	
+	if [ "$FSTYP" = "btrfs" ]; then
+		DEFAULT_CONTENTS_MODE="9 (Adiantum)"
+		DEFAULT_FILENAME_MODE="9 (Adiantum)"
+		DEFAULT_FLAGS="Flags: 0x04"
+	fi
+
+	sed "s/$CONTENTS_PREFIX $DEFAULT_CONTENTS_MODE/$CONTENTS_PREFIX DEFAULT/" | \
+	sed "s/$FILENAME_PREFIX $DEFAULT_FILENAME_MODE/$FILENAME_PREFIX DEFAULT/" | \
+	sed "s/$DEFAULT_FLAGS/Flags: DEFAULT/"
+}
+
diff --git a/common/verity b/common/verity
index cb7fa333..82a4ff90 100644
--- a/common/verity
+++ b/common/verity
@@ -178,7 +178,7 @@ _scratch_mkfs_verity()
 _scratch_mkfs_encrypted_verity()
 {
 	case $FSTYP in
-	ext4)
+	ext4|btrfs)
 		_scratch_mkfs -O encrypt,verity
 		;;
 	f2fs)
diff --git a/tests/btrfs/298 b/tests/btrfs/298
new file mode 100755
index 00000000..ff97fd87
--- /dev/null
+++ b/tests/btrfs/298
@@ -0,0 +1,85 @@
+#! /bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright (c) 2016 Google, Inc.  All Rights Reserved.
+#
+# FS QA Test No. 298
+#
+# Test setting and getting encryption policies. Like generic/395, but allows
+# setting encryption policy on a nonempty directory.
+#
+. ./common/preamble
+_begin_fstest auto quick encrypt
+
+# Import common functions.
+. ./common/filter
+. ./common/encrypt
+
+# real QA test starts here
+_supported_fs generic
+_require_scratch_encryption
+_require_xfs_io_command "get_encpolicy"
+_require_user
+
+_scratch_mkfs_encrypted &>> $seqres.full
+_scratch_mount
+
+# Should be able to set an encryption policy on an empty directory
+empty_dir=$SCRATCH_MNT/empty_dir
+echo -e "\n*** Setting encryption policy on empty directory ***"
+mkdir $empty_dir
+_get_encpolicy $empty_dir |& _filter_scratch
+_set_encpolicy $empty_dir 0000111122223333
+_get_encpolicy $empty_dir | _filter_scratch | _filter_default_encryption_mode
+
+# Should be able to set the same policy again, but not a different one.
+echo -e "\n*** Setting encryption policy again ***"
+_set_encpolicy $empty_dir 0000111122223333
+_get_encpolicy $empty_dir | _filter_scratch | _filter_default_encryption_mode
+_set_encpolicy $empty_dir 4444555566667777 |& _filter_scratch
+_get_encpolicy $empty_dir | _filter_scratch | _filter_default_encryption_mode
+
+# Should be able to set an encryption policy on a nonempty directory
+nonempty_dir=$SCRATCH_MNT/nonempty_dir
+echo -e "\n*** Setting encryption policy on nonempty directory ***"
+mkdir $nonempty_dir
+touch $nonempty_dir/file
+_set_encpolicy $nonempty_dir | _filter_scratch
+_get_encpolicy $nonempty_dir | _filter_scratch
+
+# Should *not* be able to set an encryption policy on a nondirectory file, even
+# an empty one.  Regression test for 002ced4be642: "fscrypto: only allow setting
+# encryption policy on directories".
+nondirectory=$SCRATCH_MNT/nondirectory
+echo -e "\n*** Setting encryption policy on nondirectory ***"
+touch $nondirectory
+_set_encpolicy $nondirectory |& _filter_scratch
+_get_encpolicy $nondirectory |& _filter_scratch
+
+# Should *not* be able to set an encryption policy on another user's directory.
+# Regression test for 163ae1c6ad62: "fscrypto: add authorization check for
+# setting encryption policy".
+unauthorized_dir=$SCRATCH_MNT/unauthorized_dir
+echo -e "\n*** Setting encryption policy on another user's directory ***"
+mkdir $unauthorized_dir
+_user_do_set_encpolicy $unauthorized_dir |& _filter_scratch
+_get_encpolicy $unauthorized_dir |& _filter_scratch
+
+# Should *not* be able to set an encryption policy on a directory on a
+# filesystem mounted readonly.  Regression test for ba63f23d69a3: "fscrypto:
+# require write access to mount to set encryption policy".  Test both a regular
+# readonly filesystem and a readonly bind mount of a read-write filesystem.
+echo -e "\n*** Setting encryption policy on readonly filesystem ***"
+mkdir $SCRATCH_MNT/ro_dir $SCRATCH_MNT/ro_bind_mnt
+_scratch_remount ro
+_set_encpolicy $SCRATCH_MNT/ro_dir |& _filter_scratch
+_get_encpolicy $SCRATCH_MNT/ro_dir |& _filter_scratch
+_scratch_remount rw
+mount --bind $SCRATCH_MNT $SCRATCH_MNT/ro_bind_mnt
+mount -o remount,ro,bind $SCRATCH_MNT/ro_bind_mnt
+_set_encpolicy $SCRATCH_MNT/ro_bind_mnt/ro_dir |& _filter_scratch
+_get_encpolicy $SCRATCH_MNT/ro_bind_mnt/ro_dir |& _filter_scratch
+umount $SCRATCH_MNT/ro_bind_mnt
+
+# success, all done
+status=0
+exit
diff --git a/tests/btrfs/298.out b/tests/btrfs/298.out
new file mode 100644
index 00000000..5e311d3c
--- /dev/null
+++ b/tests/btrfs/298.out
@@ -0,0 +1,47 @@
+QA output created by 298
+
+*** Setting encryption policy on empty directory ***
+SCRATCH_MNT/empty_dir: failed to get encryption policy: No data available
+Encryption policy for SCRATCH_MNT/empty_dir:
+	Policy version: 0
+	Master key descriptor: 0000111122223333
+	Contents encryption mode: DEFAULT
+	Filenames encryption mode: DEFAULT
+	Flags: DEFAULT
+
+*** Setting encryption policy again ***
+Encryption policy for SCRATCH_MNT/empty_dir:
+	Policy version: 0
+	Master key descriptor: 0000111122223333
+	Contents encryption mode: DEFAULT
+	Filenames encryption mode: DEFAULT
+	Flags: DEFAULT
+SCRATCH_MNT/empty_dir: failed to set encryption policy: File exists
+Encryption policy for SCRATCH_MNT/empty_dir:
+	Policy version: 0
+	Master key descriptor: 0000111122223333
+	Contents encryption mode: DEFAULT
+	Filenames encryption mode: DEFAULT
+	Flags: DEFAULT
+
+*** Setting encryption policy on nonempty directory ***
+Encryption policy for SCRATCH_MNT/nonempty_dir:
+	Policy version: 0
+	Master key descriptor: 0000000000000000
+	Contents encryption mode: 9 (Adiantum)
+	Filenames encryption mode: 9 (Adiantum)
+	Flags: 0x04
+
+*** Setting encryption policy on nondirectory ***
+SCRATCH_MNT/nondirectory: failed to set encryption policy: Not a directory
+SCRATCH_MNT/nondirectory: failed to get encryption policy: No data available
+
+*** Setting encryption policy on another user's directory ***
+Permission denied
+SCRATCH_MNT/unauthorized_dir: failed to get encryption policy: No data available
+
+*** Setting encryption policy on readonly filesystem ***
+SCRATCH_MNT/ro_dir: failed to set encryption policy: Read-only file system
+SCRATCH_MNT/ro_dir: failed to get encryption policy: No data available
+SCRATCH_MNT/ro_bind_mnt/ro_dir: failed to set encryption policy: Read-only file system
+SCRATCH_MNT/ro_bind_mnt/ro_dir: failed to get encryption policy: No data available
diff --git a/tests/generic/395 b/tests/generic/395
index ab2ad612..d08544dc 100755
--- a/tests/generic/395
+++ b/tests/generic/395
@@ -22,20 +22,24 @@ _require_user
 _scratch_mkfs_encrypted &>> $seqres.full
 _scratch_mount
 
+if [ "$FSTYP" = "btrfs" ]; then
+	_notrun "Btrfs has a different non-empty directory policy"
+fi
+
 # Should be able to set an encryption policy on an empty directory
 empty_dir=$SCRATCH_MNT/empty_dir
 echo -e "\n*** Setting encryption policy on empty directory ***"
 mkdir $empty_dir
 _get_encpolicy $empty_dir |& _filter_scratch
 _set_encpolicy $empty_dir 0000111122223333
-_get_encpolicy $empty_dir | _filter_scratch
+_get_encpolicy $empty_dir | _filter_scratch | _filter_default_encryption_mode
 
 # Should be able to set the same policy again, but not a different one.
 echo -e "\n*** Setting encryption policy again ***"
 _set_encpolicy $empty_dir 0000111122223333
-_get_encpolicy $empty_dir | _filter_scratch
+_get_encpolicy $empty_dir | _filter_scratch | _filter_default_encryption_mode
 _set_encpolicy $empty_dir 4444555566667777 |& _filter_scratch
-_get_encpolicy $empty_dir | _filter_scratch
+_get_encpolicy $empty_dir | _filter_scratch | _filter_default_encryption_mode
 
 # Should *not* be able to set an encryption policy on a nonempty directory
 nonempty_dir=$SCRATCH_MNT/nonempty_dir
diff --git a/tests/generic/395.out b/tests/generic/395.out
index 2c55d7a9..541cab50 100644
--- a/tests/generic/395.out
+++ b/tests/generic/395.out
@@ -5,24 +5,24 @@ SCRATCH_MNT/empty_dir: failed to get encryption policy: No data available
 Encryption policy for SCRATCH_MNT/empty_dir:
 	Policy version: 0
 	Master key descriptor: 0000111122223333
-	Contents encryption mode: 1 (AES-256-XTS)
-	Filenames encryption mode: 4 (AES-256-CTS)
-	Flags: 0x02
+	Contents encryption mode: DEFAULT
+	Filenames encryption mode: DEFAULT
+	Flags: DEFAULT
 
 *** Setting encryption policy again ***
 Encryption policy for SCRATCH_MNT/empty_dir:
 	Policy version: 0
 	Master key descriptor: 0000111122223333
-	Contents encryption mode: 1 (AES-256-XTS)
-	Filenames encryption mode: 4 (AES-256-CTS)
-	Flags: 0x02
+	Contents encryption mode: DEFAULT
+	Filenames encryption mode: DEFAULT
+	Flags: DEFAULT
 SCRATCH_MNT/empty_dir: failed to set encryption policy: File exists
 Encryption policy for SCRATCH_MNT/empty_dir:
 	Policy version: 0
 	Master key descriptor: 0000111122223333
-	Contents encryption mode: 1 (AES-256-XTS)
-	Filenames encryption mode: 4 (AES-256-CTS)
-	Flags: 0x02
+	Contents encryption mode: DEFAULT
+	Filenames encryption mode: DEFAULT
+	Flags: DEFAULT
 
 *** Setting encryption policy on nonempty directory ***
 SCRATCH_MNT/nonempty_dir: failed to set encryption policy: Directory not empty
diff --git a/tests/generic/435 b/tests/generic/435
index bb1cbb62..374e2a29 100755
--- a/tests/generic/435
+++ b/tests/generic/435
@@ -27,6 +27,13 @@ _supported_fs generic
 _require_scratch_encryption
 _require_command "$KEYCTL_PROG" keyctl
 
+# -f 0x2: zero-pad to 16-byte boundary (i.e. encryption block boundary)
+FLAGS_NEEDED=0x2
+if [ "$FSTYP" = "btrfs" ]; then
+	# btrfs must use a direct key policy
+	FLAGS_NEEDED=0x6
+fi
+
 # set up an encrypted directory
 
 _init_session_keyring
@@ -34,8 +41,7 @@ _scratch_mkfs_encrypted &>> $seqres.full
 _scratch_mount
 mkdir $SCRATCH_MNT/edir
 keydesc=$(_generate_session_encryption_key)
-# -f 0x2: zero-pad to 16-byte boundary (i.e. encryption block boundary)
-_set_encpolicy $SCRATCH_MNT/edir $keydesc -f 0x2
+_set_encpolicy $SCRATCH_MNT/edir $keydesc -f $FLAGS_NEEDED
 
 # Create files with long names (> 32 bytes, long enough to trigger the use of
 # "digested" names) in the encrypted directory.
diff --git a/tests/generic/576 b/tests/generic/576
index c8862de2..fbd72f8c 100755
--- a/tests/generic/576
+++ b/tests/generic/576
@@ -51,7 +51,8 @@ cp $fsv_orig_file $fsv_file
 _fsv_enable $fsv_file
 echo
 $XFS_IO_PROG -r -c "get_encpolicy" $fsv_file | _filter_scratch \
-	| sed 's/Master key descriptor:.*/Master key descriptor: 0000000000000000/'
+	| sed 's/Master key descriptor:.*/Master key descriptor: 0000000000000000/' \
+	| _filter_default_encryption_mode
 echo
 
 # Verify that the file contents are as expected.  This should be going through
diff --git a/tests/generic/576.out b/tests/generic/576.out
index cd8527b9..3d875b62 100644
--- a/tests/generic/576.out
+++ b/tests/generic/576.out
@@ -3,9 +3,9 @@ QA output created by 576
 Encryption policy for SCRATCH_MNT/edir/file.fsv:
 	Policy version: 0
 	Master key descriptor: 0000000000000000
-	Contents encryption mode: 1 (AES-256-XTS)
-	Filenames encryption mode: 4 (AES-256-CTS)
-	Flags: 0x02
+	Contents encryption mode: DEFAULT
+	Filenames encryption mode: DEFAULT
+	Flags: DEFAULT
 
 Files matched
 Files matched
diff --git a/tests/generic/580 b/tests/generic/580
index 73f32ff9..8faa0dc2 100755
--- a/tests/generic/580
+++ b/tests/generic/580
@@ -39,10 +39,11 @@ test_with_policy_version()
 	echo "# Setting v$vers encryption policy"
 	_set_encpolicy $dir $keyspec
 	echo "# Getting v$vers encryption policy"
-	_get_encpolicy $dir | _filter_scratch
+	_get_encpolicy $dir | _filter_scratch | _filter_default_encryption_mode
 	if (( vers == 1 )); then
 		echo "# Getting v1 encryption policy using old ioctl"
-		_get_encpolicy $dir -1 | _filter_scratch
+		_get_encpolicy $dir -1 | _filter_scratch | \
+			_filter_default_encryption_mode
 	fi
 	echo "# Trying to create file without key added yet"
 	$XFS_IO_PROG -f $dir/file |& _filter_scratch
diff --git a/tests/generic/580.out b/tests/generic/580.out
index 989d4514..0c930827 100644
--- a/tests/generic/580.out
+++ b/tests/generic/580.out
@@ -5,16 +5,16 @@ QA output created by 580
 Encryption policy for SCRATCH_MNT/dir:
 	Policy version: 0
 	Master key descriptor: 0000111122223333
-	Contents encryption mode: 1 (AES-256-XTS)
-	Filenames encryption mode: 4 (AES-256-CTS)
-	Flags: 0x02
+	Contents encryption mode: DEFAULT
+	Filenames encryption mode: DEFAULT
+	Flags: DEFAULT
 # Getting v1 encryption policy using old ioctl
 Encryption policy for SCRATCH_MNT/dir:
 	Policy version: 0
 	Master key descriptor: 0000111122223333
-	Contents encryption mode: 1 (AES-256-XTS)
-	Filenames encryption mode: 4 (AES-256-CTS)
-	Flags: 0x02
+	Contents encryption mode: DEFAULT
+	Filenames encryption mode: DEFAULT
+	Flags: DEFAULT
 # Trying to create file without key added yet
 SCRATCH_MNT/dir/file: Required key not available
 # Getting encryption key status
@@ -52,9 +52,9 @@ cat: SCRATCH_MNT/dir/file: No such file or directory
 Encryption policy for SCRATCH_MNT/dir:
 	Policy version: 2
 	Master key identifier: 69b2f6edeee720cce0577937eb8a6751
-	Contents encryption mode: 1 (AES-256-XTS)
-	Filenames encryption mode: 4 (AES-256-CTS)
-	Flags: 0x02
+	Contents encryption mode: DEFAULT
+	Filenames encryption mode: DEFAULT
+	Flags: DEFAULT
 # Trying to create file without key added yet
 SCRATCH_MNT/dir/file: Required key not available
 # Getting encryption key status
diff --git a/tests/generic/581 b/tests/generic/581
index cabc7e1c..b2659b66 100755
--- a/tests/generic/581
+++ b/tests/generic/581
@@ -52,7 +52,7 @@ echo "# Setting v1 policy as regular user (should succeed)"
 _user_do_set_encpolicy $dir $keydesc
 
 echo "# Getting v1 policy as regular user (should succeed)"
-_user_do_get_encpolicy $dir | _filter_scratch
+_user_do_get_encpolicy $dir | _filter_scratch | _filter_default_encryption_mode
 
 echo "# Adding v1 policy key as regular user (should fail with EACCES)"
 _user_do_add_enckey $SCRATCH_MNT "$raw_key" -d $keydesc
@@ -71,7 +71,7 @@ echo "# Setting v2 policy as regular user with key added (should succeed)"
 _user_do_set_encpolicy $dir $keyid
 
 echo "# Getting v2 policy as regular user (should succeed)"
-_user_do_get_encpolicy $dir | _filter_scratch
+_user_do_get_encpolicy $dir | _filter_scratch | _filter_default_encryption_mode
 
 echo "# Creating encrypted file as regular user (should succeed)"
 _user_do "echo contents > $dir/file"
diff --git a/tests/generic/581.out b/tests/generic/581.out
index b3f7d889..544f7579 100644
--- a/tests/generic/581.out
+++ b/tests/generic/581.out
@@ -5,9 +5,9 @@ QA output created by 581
 Encryption policy for SCRATCH_MNT/dir:
 	Policy version: 0
 	Master key descriptor: 0000111122223333
-	Contents encryption mode: 1 (AES-256-XTS)
-	Filenames encryption mode: 4 (AES-256-CTS)
-	Flags: 0x02
+	Contents encryption mode: DEFAULT
+	Filenames encryption mode: DEFAULT
+	Flags: DEFAULT
 # Adding v1 policy key as regular user (should fail with EACCES)
 Permission denied
 
@@ -20,9 +20,9 @@ Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751
 Encryption policy for SCRATCH_MNT/dir:
 	Policy version: 2
 	Master key identifier: 69b2f6edeee720cce0577937eb8a6751
-	Contents encryption mode: 1 (AES-256-XTS)
-	Filenames encryption mode: 4 (AES-256-CTS)
-	Flags: 0x02
+	Contents encryption mode: DEFAULT
+	Filenames encryption mode: DEFAULT
+	Flags: DEFAULT
 # Creating encrypted file as regular user (should succeed)
 # Removing v2 policy key as regular user (should succeed)
 Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751
-- 
2.35.1

