[PATCH v2 0/5] Add filesystem-level encryption tests

[PATCH v2 0/5] Add filesystem-level encryption tests

[Eric Biggers]

This is the second version of the patch series to add some xfstests for
filesystem-level encryption.  The new tests are designed to run on any
filesystem that implements the "fscrypt" API, currently ext4 and f2fs.  (fscrypt
support for ubifs is also under development, but it looks like xfstests doesn't
have ubifs support yet.)

The new tests are designed to complement, not replace, doing a full xfstests run
with encryption enabled, which for ext4 can currently be done by using the
test_dummy_encryption mount option.

v2 of the series drops the fscrypt_util test program and instead uses new xfs_io
commands to set and get encryption policies, and uses keyctl to add and remove
encryption keys.  I'm sending the xfs_io patch separately since xfs_io is part
of xfsprogs.

Eric Biggers (5):
  generic: add utilities for testing filesystem encryption
  generic: test setting and getting encryption policies
  generic: test validation of encryption policy structure
  generic: test encrypted file access
  generic: test for weaknesses in filesystem encryption

 common/config         |   2 +
 common/encrypt        | 128 +++++++++++++++++++++++++++++++++++++++++
 tests/generic/400     | 126 ++++++++++++++++++++++++++++++++++++++++
 tests/generic/400.out |  43 ++++++++++++++
 tests/generic/401     |  83 +++++++++++++++++++++++++++
 tests/generic/401.out |  18 ++++++
 tests/generic/402     | 145 ++++++++++++++++++++++++++++++++++++++++++++++
 tests/generic/402.out |  11 ++++
 tests/generic/403     | 155 ++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/generic/403.out |   3 +
 tests/generic/group   |   4 ++
 11 files changed, 718 insertions(+)
 create mode 100644 common/encrypt
 create mode 100755 tests/generic/400
 create mode 100644 tests/generic/400.out
 create mode 100755 tests/generic/401
 create mode 100644 tests/generic/401.out
 create mode 100755 tests/generic/402
 create mode 100644 tests/generic/402.out
 create mode 100755 tests/generic/403
 create mode 100644 tests/generic/403.out

-- 
2.8.0.rc3.226.g39d4020

[PATCH v2 1/5] generic: add utilities for testing filesystem encryption

[Eric Biggers]

Add utility functions for testing filesystem-level encryption via the
common API currently supported by ext4 and f2fs, in development for
ubifs and planned for xfs.  Setting and getting encryption policies will
use new commands being added to xfs_io, while adding and removing
encryption keys will use keyctl.

Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 common/config  |   1 +
 common/encrypt | 128 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 129 insertions(+)
 create mode 100644 common/encrypt

diff --git a/common/config b/common/config
index f0f08d2..3727ec0 100644
--- a/common/config
+++ b/common/config
@@ -202,6 +202,7 @@ export DEBUGFS_PROG="`set_prog_path debugfs`"
 export UUIDGEN_PROG="`set_prog_path uuidgen`"
 export GETRICHACL_PROG="`set_prog_path getrichacl`"
 export SETRICHACL_PROG="`set_prog_path setrichacl`"
+export KEYCTL_PROG="`set_prog_path keyctl`"
 
 # use 'udevadm settle' or 'udevsettle' to wait for lv to be settled.
 # newer systems have udevadm command but older systems like RHEL5 don't.
diff --git a/common/encrypt b/common/encrypt
new file mode 100644
index 0000000..6ffb6ff
--- /dev/null
+++ b/common/encrypt
@@ -0,0 +1,128 @@
+#-----------------------------------------------------------------------
+#
+# Common functions for testing filesystem-level encryption
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Google, Inc.  All Rights Reserved.
+#
+# Author: Eric Biggers <ebiggers@google.com>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#-----------------------------------------------------------------------
+
+_require_encryption()
+{
+	# The 'test_dummy_encryption' mount option interferes with trying to use
+	# encryption for real, even if we are just trying to get/set policies
+	# and never put any keys in the keyring.  So skip the real encryption
+	# tests if the 'test_dummy_encryption' mount option was specified.
+	if echo "$MOUNT_OPTIONS" | grep -q "test_dummy_encryption"; then
+		_notrun "Dummy encryption is on; skipping real encryption tests"
+	fi
+
+	# Make a filesystem on the scratch device with the encryption feature
+	# enabled.  If this fails then probably the userspace tools (e.g.
+	# e2fsprogs or f2fs-tools) are too old to understand encryption.
+	if ! _scratch_mkfs_encrypted &>>$seqres.full; then
+		_notrun "$FSTYP userspace tools do not support encryption"
+	fi
+
+	# Try to mount the filesystem.  If this fails then either the kernel
+	# isn't aware of encryption, or the mkfs options were not compatible
+	# with encryption (e.g. ext4 with block size != PAGE_SIZE).
+	if ! _scratch_mount &>>$seqres.full; then
+		_notrun "kernel is unaware of $FSTYP encryption feature, " \
+			"or mkfs options are not compatible with encryption"
+	fi
+
+	# The kernel may be aware of encryption without supporting it.  For
+	# example, for ext4 this is the case with kernels configured with
+	# CONFIG_EXT4_FS_ENCRYPTION=n.  Detect support for encryption by trying
+	# to set an encryption policy.  (For ext4 we could instead check for the
+	# presence of /sys/fs/ext4/features/encryption, but this is broken on
+	# some older kernels and is ext4-specific anyway.)
+	mkdir $SCRATCH_MNT/tmpdir
+	if $XFS_IO_PROG -c set_encpolicy $SCRATCH_MNT/tmpdir \
+		2>&1 >>$seqres.full | \
+		egrep -q 'Inappropriate ioctl for device|Operation not supported'
+	then
+		_notrun "kernel does not support $FSTYP encryption"
+	fi
+	rmdir $SCRATCH_MNT/tmpdir
+	_scratch_unmount
+}
+
+_scratch_mkfs_encrypted()
+{
+	_scratch_mkfs -O encrypt
+}
+
+#
+# Generate a random encryption key, add it to the keyring, and print out the
+# resulting key descriptor (example: "8bf798e1a494e1ec").  Requires the keyctl
+# program.
+#
+_generate_encryption_key()
+{
+	# Generate a key descriptor (16 character hex string)
+	local keydesc=""
+	for ((i = 0; i < 8; i++)); do
+		keydesc="${keydesc}$(printf "%02x" $(( $RANDOM % 256 )))"
+	done
+
+	# Generate the actual encryption key (64 bytes)
+	local raw=""
+	for ((i = 0; i < 64; i++)); do
+		raw="${raw}\\x$(printf "%02x" $(( $RANDOM % 256 )))"
+	done
+
+	#
+	# Add the key to the user session keyring.  The required structure is:
+	#
+	#	#define FS_MAX_KEY_SIZE 64
+	#	struct fscrypt_key {
+	#		u32 mode;
+	#		u8 raw[FS_MAX_KEY_SIZE];
+	#		u32 size;
+	#	} __packed;
+	#
+	# The kernel ignores 'mode' but requires that 'size' be 64.
+	#
+	# Keys are named fscrypt:KEYDESC where KEYDESC is the 16-character key
+	# descriptor hex string.  Some old kernels only accepted
+	# filesystem-specific key prefixes, namely ext4 pre-4.8 and f2fs
+	# pre-4.6.  It's expected that tests using this code will fail on those
+	# old kernels due to the keys not being found.
+	#
+	local big_endian=$(echo -ne '\x11' | od -tx2 | head -1 | \
+			   cut -f2 -d' ' | cut -c1 )
+	if (( big_endian )); then
+		local mode='\x00\x00\x00\x00'
+		local size='\x00\x00\x00\x40'
+	else
+		local mode='\x00\x00\x00\x00'
+		local size='\x40\x00\x00\x00'
+	fi
+	echo -n -e "${mode}${raw}${size}" |
+		$KEYCTL_PROG padd logon fscrypt:$keydesc @us >>$seqres.full
+	echo $keydesc
+}
+
+# Unlink an encryption key from the keyring, given its key descriptor.
+_unlink_encryption_key()
+{
+	local keydesc=$1
+	local keyid=$($KEYCTL_PROG search @us logon fscrypt:$keydesc)
+	$KEYCTL_PROG unlink $keyid >>$seqres.full
+}
-- 
2.8.0.rc3.226.g39d4020

[PATCH v2 2/5] generic: test setting and getting encryption policies

[Eric Biggers]

Several kernel bugs were recently fixed regarding the constraints for
setting encryption policies.  Add tests for these cases and a few more.

Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 tests/generic/400     | 126 ++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/generic/400.out |  43 +++++++++++++++++
 tests/generic/group   |   1 +
 3 files changed, 170 insertions(+)
 create mode 100755 tests/generic/400
 create mode 100644 tests/generic/400.out

diff --git a/tests/generic/400 b/tests/generic/400
new file mode 100755
index 0000000..5baf5e7
--- /dev/null
+++ b/tests/generic/400
@@ -0,0 +1,126 @@
+#! /bin/bash
+# FS QA Test generic/400
+#
+# Test setting and getting encryption policies.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Google, Inc.  All Rights Reserved.
+#
+# Author: Eric Biggers <ebiggers@google.com>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+_cleanup()
+{
+	cd /
+	rm -f $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/encrypt
+
+# remove previous $seqres.full before test
+rm -f $seqres.full
+
+# real QA test starts here
+_supported_fs ext4 f2fs
+_supported_os Linux
+_require_xfs_io_command "get_encpolicy"
+_require_xfs_io_command "set_encpolicy"
+_require_scratch
+_require_encryption
+_require_user
+
+_scratch_mkfs_encrypted >> $seqres.full
+_scratch_mount
+cd $SCRATCH_MNT
+
+check_no_policy()
+{
+	# When a file is unencrypted, FS_IOC_GET_ENCRYPTION_POLICY currently
+	# fails with ENOENT on ext4 but with ENODATA on f2fs.  It's planned to
+	# consistently use ENODATA, but for now make this test accept both.
+	$XFS_IO_PROG -c "get_encpolicy" $1 |&
+		sed -e 's/No such file or directory/No data available/'
+}
+
+# Should be able to set an encryption policy on an empty directory
+echo -e "\n*** Setting encryption policy on empty directory ***"
+mkdir empty_dir
+check_no_policy empty_dir
+$XFS_IO_PROG -c "set_encpolicy 0000111122223333" empty_dir
+$XFS_IO_PROG -c "get_encpolicy" empty_dir
+
+# Should be able to set the same policy again, but not a different one
+echo -e "\n*** Setting encryption policy again ***"
+$XFS_IO_PROG -c "set_encpolicy 0000111122223333" empty_dir
+$XFS_IO_PROG -c "get_encpolicy" empty_dir
+$XFS_IO_PROG -c "set_encpolicy 4444555566667777" empty_dir
+$XFS_IO_PROG -c "get_encpolicy" empty_dir
+
+# Should *not* be able to set an encryption policy on a nonempty directory
+echo -e "\n*** Setting encryption policy on nonempty directory ***"
+mkdir nonempty_dir
+touch nonempty_dir/file
+$XFS_IO_PROG -c "set_encpolicy" nonempty_dir
+check_no_policy nonempty_dir
+
+# Should *not* be able to set an encryption policy on a nondirectory file, even
+# an empty one.  Regression test for 002ced4be642: "fscrypto: only allow setting
+# encryption policy on directories".
+echo -e "\n*** Setting encryption policy on nondirectory ***"
+touch nondirectory
+$XFS_IO_PROG -c "set_encpolicy" nondirectory
+check_no_policy nondirectory
+
+# Should *not* be able to set an encryption policy on another user's directory.
+# Regression test for 163ae1c6ad62: "fscrypto: add authorization check for
+# setting encryption policy".
+echo -e "\n*** Setting encryption policy on another user's directory ***"
+mkdir unauthorized_dir
+su $qa_user -c "$XFS_IO_PROG -c \"set_encpolicy\" unauthorized_dir"
+check_no_policy unauthorized_dir
+
+# Should *not* be able to set an encryption policy on a directory on a
+# filesystem mounted readonly.  Regression test for ba63f23d69a3: "fscrypto:
+# require write access to mount to set encryption policy".  Test both a regular
+# readonly filesystem and a readonly bind mount of a read-write filesystem.
+echo -e "\n*** Setting encryption policy on readonly filesystem ***"
+mkdir ro_dir ro_bind_mnt
+_scratch_remount ro
+$XFS_IO_PROG -c "set_encpolicy" ro_dir
+check_no_policy ro_dir
+_scratch_remount rw
+mount --bind $SCRATCH_MNT ro_bind_mnt
+mount -o remount,ro ro_bind_mnt
+$XFS_IO_PROG -c "set_encpolicy" ro_bind_mnt/ro_dir
+check_no_policy ro_bind_mnt/ro_dir
+umount ro_bind_mnt
+
+# success, all done
+status=0
+exit
diff --git a/tests/generic/400.out b/tests/generic/400.out
new file mode 100644
index 0000000..79dc596
--- /dev/null
+++ b/tests/generic/400.out
@@ -0,0 +1,43 @@
+QA output created by 400
+
+*** Setting encryption policy on empty directory ***
+empty_dir: failed to get encryption policy: No data available
+Encryption policy for empty_dir:
+	Policy version: 0
+	Master key descriptor: 0000111122223333
+	Contents encryption mode: 1 (AES-256-XTS)
+	Filenames encryption mode: 4 (AES-256-CTS)
+	Flags: 0x02
+
+*** Setting encryption policy again ***
+Encryption policy for empty_dir:
+	Policy version: 0
+	Master key descriptor: 0000111122223333
+	Contents encryption mode: 1 (AES-256-XTS)
+	Filenames encryption mode: 4 (AES-256-CTS)
+	Flags: 0x02
+empty_dir: failed to set encryption policy: Invalid argument
+Encryption policy for empty_dir:
+	Policy version: 0
+	Master key descriptor: 0000111122223333
+	Contents encryption mode: 1 (AES-256-XTS)
+	Filenames encryption mode: 4 (AES-256-CTS)
+	Flags: 0x02
+
+*** Setting encryption policy on nonempty directory ***
+nonempty_dir: failed to set encryption policy: Directory not empty
+nonempty_dir: failed to get encryption policy: No data available
+
+*** Setting encryption policy on nondirectory ***
+nondirectory: failed to set encryption policy: Invalid argument
+nondirectory: failed to get encryption policy: No data available
+
+*** Setting encryption policy on another user's directory ***
+unauthorized_dir: failed to set encryption policy: Permission denied
+unauthorized_dir: failed to get encryption policy: No data available
+
+*** Setting encryption policy on readonly filesystem ***
+ro_dir: failed to set encryption policy: Read-only file system
+ro_dir: failed to get encryption policy: No data available
+ro_bind_mnt/ro_dir: failed to set encryption policy: Read-only file system
+ro_bind_mnt/ro_dir: failed to get encryption policy: No data available
diff --git a/tests/generic/group b/tests/generic/group
index 2c16bd1..3f148a2 100644
--- a/tests/generic/group
+++ b/tests/generic/group
@@ -394,3 +394,4 @@
 389 auto quick acl
 390 auto freeze stress dangerous
 391 auto quick rw
+400 auto quick encrypt
-- 
2.8.0.rc3.226.g39d4020

[PATCH v2 3/5] generic: test validation of encryption policy structure

[Eric Biggers]

Add an xfstest which verifies the kernel performs basic validation of
the encryption policy structure.

Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 tests/generic/401     | 83 +++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/generic/401.out | 18 +++++++++++
 tests/generic/group   |  1 +
 3 files changed, 102 insertions(+)
 create mode 100755 tests/generic/401
 create mode 100644 tests/generic/401.out

diff --git a/tests/generic/401 b/tests/generic/401
new file mode 100755
index 0000000..553c547
--- /dev/null
+++ b/tests/generic/401
@@ -0,0 +1,83 @@
+#! /bin/bash
+# FS QA Test generic/401
+#
+# Test that FS_IOC_SET_ENCRYPTION_POLICY correctly validates the fscrypt_policy
+# structure that userspace passes to it.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Google, Inc.  All Rights Reserved.
+#
+# Author: Eric Biggers <ebiggers@google.com>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+_cleanup()
+{
+	cd /
+	rm -f $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/encrypt
+
+# remove previous $seqres.full before test
+rm -f $seqres.full
+
+# real QA test starts here
+_supported_fs ext4 f2fs
+_supported_os Linux
+_require_xfs_io_command "set_encpolicy"
+_require_scratch
+_require_encryption
+
+_scratch_mkfs_encrypted >> $seqres.full
+_scratch_mount
+mkdir $SCRATCH_MNT/dir
+cd $SCRATCH_MNT
+
+echo -e "\n*** Invalid contents encryption mode ***"
+$XFS_IO_PROG -c "set_encpolicy -c 0xFF" dir
+
+echo -e "\n*** Invalid filenames encryption mode ***"
+$XFS_IO_PROG -c "set_encpolicy -n 0xFF" dir
+
+echo -e "\n*** Invalid flags ***"
+$XFS_IO_PROG -c "set_encpolicy -f 0xFF" dir
+
+echo -e "\n*** Invalid policy version ***"
+$XFS_IO_PROG -c "set_encpolicy -v 0xFF" dir
+
+# Currently, the only supported combination of modes is AES-256-XTS for contents
+# and AES-256-CTS for filenames.  Nothing else should be accepted.
+echo -e "\n*** Invalid combinations of modes ***"
+$XFS_IO_PROG -c "set_encpolicy -c AES-256-CTS -n AES-256-CTS" dir
+$XFS_IO_PROG -c "set_encpolicy -c AES-256-CTS -n AES-256-XTS" dir
+$XFS_IO_PROG -c "set_encpolicy -c AES-256-XTS -n AES-256-XTS" dir
+
+# success, all done
+status=0
+exit
diff --git a/tests/generic/401.out b/tests/generic/401.out
new file mode 100644
index 0000000..eb6142e
--- /dev/null
+++ b/tests/generic/401.out
@@ -0,0 +1,18 @@
+QA output created by 401
+
+*** Invalid contents encryption mode ***
+dir: failed to set encryption policy: Invalid argument
+
+*** Invalid filenames encryption mode ***
+dir: failed to set encryption policy: Invalid argument
+
+*** Invalid flags ***
+dir: failed to set encryption policy: Invalid argument
+
+*** Invalid policy version ***
+dir: failed to set encryption policy: Invalid argument
+
+*** Invalid combinations of modes ***
+dir: failed to set encryption policy: Invalid argument
+dir: failed to set encryption policy: Invalid argument
+dir: failed to set encryption policy: Invalid argument
diff --git a/tests/generic/group b/tests/generic/group
index 3f148a2..a3438cf 100644
--- a/tests/generic/group
+++ b/tests/generic/group
@@ -395,3 +395,4 @@
 390 auto freeze stress dangerous
 391 auto quick rw
 400 auto quick encrypt
+401 auto quick encrypt
-- 
2.8.0.rc3.226.g39d4020

[PATCH v2 4/5] generic: test encrypted file access

[Eric Biggers]

Test accessing encrypted files and directories, both with and without
the encryption key.  As noted in the comment, this test is expected to
fail on some old kernels.

Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 tests/generic/402     | 145 ++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/generic/402.out |  11 ++++
 tests/generic/group   |   1 +
 3 files changed, 157 insertions(+)
 create mode 100755 tests/generic/402
 create mode 100644 tests/generic/402.out

diff --git a/tests/generic/402 b/tests/generic/402
new file mode 100755
index 0000000..f51b99f
--- /dev/null
+++ b/tests/generic/402
@@ -0,0 +1,145 @@
+#! /bin/bash
+# FS QA Test generic/402
+#
+# Test accessing encrypted files and directories, both with and without the
+# encryption key.  Access with the encryption key is more of a sanity check and
+# is not intended to fully test all the encrypted I/O paths; to do that you'd
+# need to run all the xfstests with encryption enabled.  Access without the
+# encryption key, on the other hand, should result in some particular behaviors.
+#
+# Note that this test uses the common key prefix (fscrypt:), which wasn't
+# supported by ext4 before 4.8 and f2fs before 4.6.  It's expected that this
+# test will fail on such old kernels.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Google, Inc.  All Rights Reserved.
+#
+# Author: Eric Biggers <ebiggers@google.com>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+_cleanup()
+{
+	cd /
+	rm -f $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/encrypt
+
+# remove previous $seqres.full before test
+rm -f $seqres.full
+
+# real QA test starts here
+_supported_fs ext4 f2fs
+_supported_os Linux
+_require_xfs_io_command "set_encpolicy"
+_require_scratch
+_require_command "$KEYCTL_PROG" keyctl
+_require_encryption
+
+_scratch_mkfs_encrypted >> $seqres.full
+_scratch_mount
+
+mkdir $SCRATCH_MNT/edir $SCRATCH_MNT/ref_dir
+keydesc=$(_generate_encryption_key)
+$XFS_IO_PROG -c "set_encpolicy $keydesc" $SCRATCH_MNT/edir
+for dir in $SCRATCH_MNT/edir $SCRATCH_MNT/ref_dir; do
+	touch $dir/empty > /dev/null
+	$XFS_IO_PROG -t -f -c "pwrite 0 4k" $dir/a > /dev/null
+	$XFS_IO_PROG -t -f -c "pwrite 0 33k" $dir/abcdefghijklmnopqrstuvwxyz > /dev/null
+	maxname=$(yes | head -255 | tr -d '\n') # 255 character filename
+	$XFS_IO_PROG -t -f -c "pwrite 0 1k" $dir/$maxname > /dev/null
+	ln -s a $dir/symlink
+	ln -s abcdefghijklmnopqrstuvwxyz $dir/symlink2
+	ln -s $maxname $dir/symlink3
+	mkdir $dir/subdir
+	mkdir $dir/subdir/subsubdir
+done
+# Diff encrypted directory with unencrypted reference directory
+diff -r $SCRATCH_MNT/edir $SCRATCH_MNT/ref_dir
+# Cycle mount and diff again
+_scratch_cycle_mount
+diff -r $SCRATCH_MNT/edir $SCRATCH_MNT/ref_dir
+
+#
+# Now try accessing the files without the encryption key.  It should still be
+# possible to list the directory and remove files.  But filenames should be
+# encrypted, and it should not be possible to read regular files or to create
+# new files or subdirectories.
+#
+# Note that we cannot simply use ls -R to verify the files because the encrypted
+# filenames are unpredictable.  By design, the key used to encrypt a directory's
+# filenames is derived from the master key (the key in the keyring) and a nonce
+# generated by the kernel.  Hence, the encrypted filenames will be different
+# every time this test is run, even if we were to put a fixed key into the
+# keyring instead of a random one.  The same applies to symlink targets.
+#
+# Also, there are some inconsistencies in which error codes are returned on
+# different kernel versions and filesystems when trying to create a file or
+# subdirectory without access to the parent directory's encryption key.  For now
+# we just accept multiple error codes.
+#
+_unlink_encryption_key $keydesc
+_scratch_cycle_mount
+
+# Check that unencrypted names aren't there
+stat $SCRATCH_MNT/edir/empty |& _filter_scratch
+stat $SCRATCH_MNT/edir/symlink |& _filter_scratch
+
+# Check that the correct numbers of files and subdirectories are there
+ls $SCRATCH_MNT/edir | wc -l
+find $SCRATCH_MNT/edir -mindepth 2 -maxdepth 2 -type d | wc -l
+
+# Try to read a nondirectory file (should fail with ENOKEY)
+md5sum $(find $SCRATCH_MNT/edir -maxdepth 1 -type f | head -1) |& \
+		cut -d ' ' -f3-
+
+filter_enoent()
+{
+	sed -e 's/No such file or directory/Permission denied/'
+}
+
+filter_eperm()
+{
+	sed -e 's/Operation not permitted/Permission denied/'
+}
+
+# Try to create new files and directories in the encrypted directory, both with
+# and without using correctly base-64 encoded filenames.  These should all fail.
+$XFS_IO_PROG -f $SCRATCH_MNT/edir/newfile |& filter_enoent | _filter_scratch
+mkdir $SCRATCH_MNT/edir/newdir |& filter_enoent | _filter_scratch
+$XFS_IO_PROG -f $SCRATCH_MNT/edir/0123456789abcdef |& filter_eperm | _filter_scratch
+mkdir $SCRATCH_MNT/edir/0123456789abcdef |& filter_eperm | _filter_scratch
+
+# Delete the encrypted directory (should succeed)
+rm -r $SCRATCH_MNT/edir
+stat $SCRATCH_MNT/edir |& _filter_scratch
+
+# success, all done
+status=0
+exit
diff --git a/tests/generic/402.out b/tests/generic/402.out
new file mode 100644
index 0000000..700d056
--- /dev/null
+++ b/tests/generic/402.out
@@ -0,0 +1,11 @@
+QA output created by 402
+stat: cannot stat 'SCRATCH_MNT/edir/empty': No such file or directory
+stat: cannot stat 'SCRATCH_MNT/edir/symlink': No such file or directory
+8
+1
+Required key not available
+SCRATCH_MNT/edir/newfile: Permission denied
+mkdir: cannot create directory 'SCRATCH_MNT/edir/newdir': Permission denied
+SCRATCH_MNT/edir/0123456789abcdef: Permission denied
+mkdir: cannot create directory 'SCRATCH_MNT/edir/0123456789abcdef': Permission denied
+stat: cannot stat 'SCRATCH_MNT/edir': No such file or directory
diff --git a/tests/generic/group b/tests/generic/group
index a3438cf..7af053d 100644
--- a/tests/generic/group
+++ b/tests/generic/group
@@ -396,3 +396,4 @@
 391 auto quick rw
 400 auto quick encrypt
 401 auto quick encrypt
+402 auto quick encrypt
-- 
2.8.0.rc3.226.g39d4020

[PATCH v2 5/5] generic: test for weaknesses in filesystem encryption

[Eric Biggers]

Add an xfstest which can detect some basic crypto mistakes that would
reduce the confidentiality guarantee provided by filesystem encryption.

Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 common/config         |   1 +
 tests/generic/403     | 155 ++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/generic/403.out |   3 +
 tests/generic/group   |   1 +
 4 files changed, 160 insertions(+)
 create mode 100755 tests/generic/403
 create mode 100644 tests/generic/403.out

diff --git a/common/config b/common/config
index 3727ec0..6cce7ce 100644
--- a/common/config
+++ b/common/config
@@ -203,6 +203,7 @@ export UUIDGEN_PROG="`set_prog_path uuidgen`"
 export GETRICHACL_PROG="`set_prog_path getrichacl`"
 export SETRICHACL_PROG="`set_prog_path setrichacl`"
 export KEYCTL_PROG="`set_prog_path keyctl`"
+export XZ_PROG="`set_prog_path xz`"
 
 # use 'udevadm settle' or 'udevsettle' to wait for lv to be settled.
 # newer systems have udevadm command but older systems like RHEL5 don't.
diff --git a/tests/generic/403 b/tests/generic/403
new file mode 100755
index 0000000..0ca3647
--- /dev/null
+++ b/tests/generic/403
@@ -0,0 +1,155 @@
+#! /bin/bash
+# FS QA Test generic/403
+#
+# Check for weaknesses in filesystem encryption involving the same ciphertext
+# being repeated.  For file contents, we fill a small filesystem with large
+# files of 0's and verify the filesystem is incompressible.  For filenames, we
+# create an identical symlink in two different directories and verify the
+# ciphertext filenames and symlink targets are different.
+#
+# This test can detect some basic cryptographic mistakes such as nonce reuse
+# (across files), initialization vector reuse (across blocks), or data somehow
+# being left in plaintext by accident.  For example, it detects the
+# initialization vector reuse bug fixed in commit 02fc59a0d28f ("f2fs/crypto:
+# fix xts_tweak initialization").
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Google, Inc.  All Rights Reserved.
+#
+# Author: Eric Biggers <ebiggers@google.com>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+_cleanup()
+{
+	cd /
+	rm -f $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/encrypt
+
+# remove previous $seqres.full before test
+rm -f $seqres.full
+
+# real QA test starts here
+_supported_fs ext4 f2fs
+_supported_os Linux
+_require_xfs_io_command "set_encpolicy"
+_require_scratch
+_require_command "$XZ_PROG" xz
+_require_command "$KEYCTL_PROG" keyctl
+_require_encryption
+
+# Set up a small (32 MB) filesystem containing an encrypted directory.
+
+fs_size=$((32 * 1024 * 1024))
+MKFS_OPTIONS="$MKFS_OPTIONS -O encrypt" \
+	_scratch_mkfs_sized $fs_size &>> $seqres.full
+_scratch_mount
+
+keydesc=$(_generate_encryption_key)
+mkdir $SCRATCH_MNT/encrypted_dir
+$XFS_IO_PROG -c "set_encpolicy $keydesc" $SCRATCH_MNT/encrypted_dir
+
+# Create the "same" symlink in two different directories.
+# Later we'll check both the name and target of the symlink.
+mkdir $SCRATCH_MNT/encrypted_dir/subdir1
+mkdir $SCRATCH_MNT/encrypted_dir/subdir2
+ln -s symlink_target $SCRATCH_MNT/encrypted_dir/subdir1/symlink
+ln -s symlink_target $SCRATCH_MNT/encrypted_dir/subdir2/symlink
+
+#
+# Write files of 1 MB of all the same byte until we hit ENOSPC.  Note that we
+# must not create sparse files, since the contents of sparse files are not
+# stored on-disk.  Also, we create multiple files rather than one big file
+# because we want to test for reuse of per-file keys.
+#
+total_file_size=0
+i=1
+while true; do
+	file=$SCRATCH_MNT/encrypted_dir/file$i
+	if ! xfs_io -f $file -c 'pwrite 0 1M' &> $tmp.out; then
+		if ! grep -q 'No space left on device' $tmp.out; then
+			echo "FAIL: unexpected pwrite failure"
+			cat $tmp.out
+		elif [ -e $file ]; then
+			total_file_size=$((total_file_size + $(stat -c %s $file)))
+		fi
+		break
+	fi
+	total_file_size=$((total_file_size + $(stat -c %s $file)))
+	i=$((i + 1))
+	if [ $i -ge 33 ]; then
+		echo "FAIL: filesystem never filled up!"
+		break
+	fi
+done
+
+# We shouldn't have been able to write more data than we had space for.
+if (( $total_file_size > $fs_size )); then
+	echo "FAIL: wrote $total_file_size bytes but should have only" \
+		"had space for $fs_size bytes at most"
+fi
+
+#
+# Unmount the filesystem and compute its compressed size.  It must be no smaller
+# than the amount of data that was written; otherwise there was a compromise in
+# the confidentiality of the data.  False positives should not be possible
+# because filesystem metadata will also contribute to the compressed size.
+#
+# Note: it's important to use a strong compressor such as xz which can detect
+# redundancy across the whole filesystem.  For a 32 MB filesystem, xz -8 is
+# sufficient because it uses a 32 MB sliding window for compression.  At this
+# setting, compression will take 370 MB of memory as documented in xz(1).
+#
+_unlink_encryption_key $keydesc
+_scratch_unmount
+fs_compressed_size=$(head -c $fs_size $SCRATCH_DEV | xz -8 | wc -c)
+
+if (( $fs_compressed_size < $total_file_size )); then
+	echo "FAIL: filesystem was compressible" \
+		"($total_file_size bytes => $fs_compressed_size bytes)"
+else
+	echo "PASS: ciphertexts were not repeated for contents"
+fi
+
+# Verify that encrypted filenames and symlink targets were not reused.  Note
+# that since the ciphertexts should be unpredictable, we cannot simply include
+# the expected names in the expected output file.
+_scratch_mount
+find $SCRATCH_MNT/encrypted_dir -type l | wc -l
+link1=$(find $SCRATCH_MNT/encrypted_dir -type l | head -1)
+link2=$(find $SCRATCH_MNT/encrypted_dir -type l | tail -1)
+[ $(basename $link1) = $(basename $link2) ] && \
+	echo "Encrypted filenames were reused!"
+[ $(readlink $link1) = $(readlink $link2) ] && \
+	echo "Encrypted symlink targets were reused!"
+
+# success, all done
+status=0
+exit
diff --git a/tests/generic/403.out b/tests/generic/403.out
new file mode 100644
index 0000000..05c1eaa
--- /dev/null
+++ b/tests/generic/403.out
@@ -0,0 +1,3 @@
+QA output created by 403
+PASS: ciphertexts were not repeated for contents
+2
diff --git a/tests/generic/group b/tests/generic/group
index 7af053d..eb9361e 100644
--- a/tests/generic/group
+++ b/tests/generic/group
@@ -397,3 +397,4 @@
 400 auto quick encrypt
 401 auto quick encrypt
 402 auto quick encrypt
+403 auto encrypt
-- 
2.8.0.rc3.226.g39d4020

Re: [PATCH v2 0/5] Add filesystem-level encryption tests

[Eric Biggers]

On Mon, Nov 28, 2016 at 02:16:37PM -0800, Eric Biggers wrote:
> This is the second version of the patch series to add some xfstests for
> filesystem-level encryption.  The new tests are designed to run on any
> filesystem that implements the "fscrypt" API, currently ext4 and f2fs.  (fscrypt
> support for ubifs is also under development, but it looks like xfstests doesn't
> have ubifs support yet.)
> 
> The new tests are designed to complement, not replace, doing a full xfstests run
> with encryption enabled, which for ext4 can currently be done by using the
> test_dummy_encryption mount option.
> 
> v2 of the series drops the fscrypt_util test program and instead uses new xfs_io
> commands to set and get encryption policies, and uses keyctl to add and remove
> encryption keys.  I'm sending the xfs_io patch separately since xfs_io is part
> of xfsprogs.
> 

Forgot to list a few other changes since v1:

	* Updates to match xfstests coding style
	* Move validation of policy structure into its own test
	* Add test to detect some cryptographic weaknesses
	* Drop ioctl locking test 

Eric

Re: [PATCH v2 4/5] generic: test encrypted file access

[Richard Weinberger]

Eric,

On 28.11.2016 23:16, Eric Biggers wrote:
> +# Also, there are some inconsistencies in which error codes are returned on
> +# different kernel versions and filesystems when trying to create a file or
> +# subdirectory without access to the parent directory's encryption key.  For now
> +# we just accept multiple error codes.

This is something I wanted to ask about some time ago but forgot.
Can we please agree on a clear set of fscrypt related error codes
and document them in the Linux man pages?

Thanks,
//richard

Re: [PATCH v2 4/5] generic: test encrypted file access

[Richard Weinberger]

Eric,

On 28.11.2016 23:16, Eric Biggers wrote:
> +# Also, there are some inconsistencies in which error codes are returned on
> +# different kernel versions and filesystems when trying to create a file or
> +# subdirectory without access to the parent directory's encryption key.  For now
> +# we just accept multiple error codes.

This is something I wanted to ask about some time ago but forgot.
Can we please agree on a clear set of fscrypt related error codes
and document them in the Linux man pages?

Thanks,
//richard

Re: [PATCH v2 4/5] generic: test encrypted file access

[Eric Biggers]

On Tue, Nov 29, 2016 at 09:52:10PM +0100, Richard Weinberger wrote:
> Eric,
> 
> On 28.11.2016 23:16, Eric Biggers wrote:
> > +# Also, there are some inconsistencies in which error codes are returned on
> > +# different kernel versions and filesystems when trying to create a file or
> > +# subdirectory without access to the parent directory's encryption key.  For now
> > +# we just accept multiple error codes.
> 
> This is something I wanted to ask about some time ago but forgot.
> Can we please agree on a clear set of fscrypt related error codes
> and document them in the Linux man pages?
> 
> Thanks,
> //richard

Agreed.  Let's break down what kinds of "fscrypt related error codes" codes we
currently use:

Errors for FS_IOC_GET_ENCRYPTION_POLICY:
	* ENOTTY: filesystem doesn't implement ioctl
	* ENODATA/ENOENT: file is not encrypted.  Currently ENOENT for ext4 but
			  ENODATA for f2fs.  I prefer ENODATA.
	* ENODATA: encryption context has unrecognized size (maybe should be
		   EINVAL like below?)
	* EINVAL: version of encryption context not recognized

Errors for FS_IOC_SET_ENCRYPTION_POLICY:
	* ENOTTY: filesystem doesn't implement ioctl
	* EOPNOTSUPP: filesystem doesn't support encryption
	* EACCES: user doesn't have permission to set the encryption policy
	* EROFS: filesystem is readonly
	* EINVAL: encryption modes, flags, or policy version not recognized
	* EINVAL: file already has an encryption policy, but it's not the same
		  as the one requested
	* EINVAL: file is not a directory (maybe this should be ENOTDIR?)
	* ENOTEMPTY: directory is not empty

Errors for FS_IOC_GET_ENCRYPTION_PWSALT:
	* EOPNOTSUPP: filesystem doesn't support encryption
	* EROFS: filesystem is readonly

Errors for opening/creating files:
	* ENOKEY: without the key, tried to open an encrypted regular file
	* ENOENT/EACCES/EPERM: without the key, tried to create a file in an
			       encrypted directory.  (Maybe we should make this
			       always ENOKEY, like above?)
	* EPERM: with the key, tried to create, in an encrypted directory, a
	  hard link to a file that doesn't have a compatible encryption policy.
	  (Note: I forgot to test this in my xfstests patches)

I probably missed some.  There are also miscellaneous errors like ones that get
returned when something is corrupted, but I think it's not worth worrying a lot
about those in general.

For the ioctls the error codes are not the main problem for documentation, since
AFAICS we don't have man pages for them at all yet.

For the errors with opening/creating files I don't know whether they should be
documented places like open(2) and mkdir(2), but at least we do need to agree on
the error codes.

Eric