From: Eric Biggers <ebiggers@kernel.org>
To: fstests@vger.kernel.org
Cc: linux-block@vger.kernel.org, linux-fscrypt@vger.kernel.org,
Gaurav Kashyap <quic_gaurkash@quicinc.com>
Subject: [RFC PATCH 5/8] common/encrypt: verify the key identifiers
Date: Sun, 27 Feb 2022 23:47:19 -0800 [thread overview]
Message-ID: <20220228074722.77008-6-ebiggers@kernel.org> (raw)
In-Reply-To: <20220228074722.77008-1-ebiggers@kernel.org>
From: Eric Biggers <ebiggers@google.com>
As part of all the ciphertext verification tests, verify that the
filesystem correctly computed the key identifier from the key the test
generated. This uses fscrypt-crypt-util to compute the key identifier.
Previously this was only being tested indirectly, via the tests that
happen to use the hardcoded $TEST_RAW_KEY and $TEST_KEY_IDENTIFIER.
The new check provides better coverage.
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
common/encrypt | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/common/encrypt b/common/encrypt
index cf402570..d8e2dba9 100644
--- a/common/encrypt
+++ b/common/encrypt
@@ -902,6 +902,18 @@ _verify_ciphertext_for_encryption_policy()
fi
local raw_key_hex=$(echo "$raw_key" | tr -d '\\x')
+ if (( policy_version > 1 )); then
+ echo "Verifying key identifier" >> $seqres.full
+ expected_identifier=$($here/src/fscrypt-crypt-util \
+ --dump-key-identifier "$raw_key_hex" \
+ $crypt_util_args)
+ if [ "$expected_identifier" != "$keyspec" ]; then
+ echo "KEY IDENTIFIER MISMATCH!"
+ echo " Expected: $expected_identifier"
+ echo " Actual: $keyspec"
+ fi
+ fi
+
echo
echo -e "Verifying ciphertext with parameters:"
echo -e "\tcontents_encryption_mode: $contents_encryption_mode"
--
2.35.1
next prev parent reply other threads:[~2022-02-28 7:48 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-28 7:47 [RFC PATCH 0/8] xfstests: test the fscrypt hardware-wrapped key support Eric Biggers
2022-02-28 7:47 ` [RFC PATCH 1/8] fscrypt-crypt-util: use an explicit --direct-key option Eric Biggers
2022-02-28 7:47 ` [RFC PATCH 2/8] fscrypt-crypt-util: refactor get_key_and_iv() Eric Biggers
2022-02-28 7:47 ` [RFC PATCH 3/8] fscrypt-crypt-util: add support for dumping key identifier Eric Biggers
2022-02-28 7:47 ` [RFC PATCH 4/8] common/encrypt: log full ciphertext verification params Eric Biggers
2022-02-28 7:47 ` Eric Biggers [this message]
2022-02-28 7:47 ` [RFC PATCH 6/8] fscrypt-crypt-util: add hardware KDF support Eric Biggers
2022-02-28 7:47 ` [RFC PATCH 7/8] common/encrypt: support hardware-wrapped key testing Eric Biggers
2022-02-28 7:47 ` [RFC PATCH 8/8] generic: verify ciphertext with hardware-wrapped keys Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220228074722.77008-6-ebiggers@kernel.org \
--to=ebiggers@kernel.org \
--cc=fstests@vger.kernel.org \
--cc=linux-block@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=quic_gaurkash@quicinc.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.