From: Eric Biggers <ebiggers@kernel.org>
To: fstests@vger.kernel.org
Cc: linux-fscrypt@vger.kernel.org
Subject: [PATCH v3 3/9] common/encrypt: support checking for v2 encryption policy support
Date: Tue, 15 Oct 2019 11:16:37 -0700 [thread overview]
Message-ID: <20191015181643.6519-4-ebiggers@kernel.org> (raw)
In-Reply-To: <20191015181643.6519-1-ebiggers@kernel.org>
From: Eric Biggers <ebiggers@google.com>
Allow passing '-v 2' to _require_scratch_encryption() to check for v2
encryption policy support on the scratch device, and for xfs_io support
for setting and getting v2 encryption policies.
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
common/encrypt | 42 +++++++++++++++++++++++++++++++++---------
1 file changed, 33 insertions(+), 9 deletions(-)
diff --git a/common/encrypt b/common/encrypt
index a086e80f..eec585a0 100644
--- a/common/encrypt
+++ b/common/encrypt
@@ -6,12 +6,13 @@
#
# _require_scratch_encryption [-c CONTENTS_MODE] [-n FILENAMES_MODE]
+# [-v POLICY_VERSION]
#
# Require encryption support on the scratch device.
#
-# This checks for support for the default type of encryption policy (AES-256-XTS
-# and AES-256-CTS). Options can be specified to also require support for a
-# different type of encryption policy.
+# This checks for support for the default type of encryption policy (v1 with
+# AES-256-XTS and AES-256-CTS). Options can be specified to also require
+# support for a different type of encryption policy.
#
_require_scratch_encryption()
{
@@ -68,14 +69,19 @@ _require_encryption_policy_support()
local mnt=$1
local dir=$mnt/tmpdir
local set_encpolicy_args=""
+ local policy_version=1
local c
OPTIND=2
- while getopts "c:n:" c; do
+ while getopts "c:n:v:" c; do
case $c in
c|n)
set_encpolicy_args+=" -$c $OPTARG"
;;
+ v)
+ set_encpolicy_args+=" -$c $OPTARG"
+ policy_version=$OPTARG
+ ;;
*)
_fail "Unrecognized option '$c'"
;;
@@ -87,10 +93,26 @@ _require_encryption_policy_support()
>> $seqres.full
mkdir $dir
- _require_command "$KEYCTL_PROG" keyctl
- _new_session_keyring
- local keydesc=$(_generate_session_encryption_key)
- if _set_encpolicy $dir $keydesc $set_encpolicy_args \
+ if (( policy_version > 1 )); then
+ _require_xfs_io_command "get_encpolicy" "-t"
+ local output=$(_get_encpolicy $dir -t)
+ if [ "$output" != "supported" ]; then
+ if [ "$output" = "unsupported" ]; then
+ _notrun "kernel does not support $FSTYP encryption v2 API"
+ fi
+ _fail "Unexpected output from 'get_encpolicy -t': $output"
+ fi
+ # Both the kernel and xfs_io support v2 encryption policies, and
+ # therefore also filesystem-level keys -- since that's the only
+ # way to provide keys for v2 policies.
+ local raw_key=$(_generate_raw_encryption_key)
+ local keyspec=$(_add_enckey $mnt "$raw_key" | awk '{print $NF}')
+ else
+ _require_command "$KEYCTL_PROG" keyctl
+ _new_session_keyring
+ local keyspec=$(_generate_session_encryption_key)
+ fi
+ if _set_encpolicy $dir $keyspec $set_encpolicy_args \
2>&1 >>$seqres.full | egrep -q 'Invalid argument'; then
_notrun "kernel does not support encryption policy: '$set_encpolicy_args'"
fi
@@ -103,7 +125,9 @@ _require_encryption_policy_support()
if ! echo foo > $dir/file; then
_notrun "encryption policy '$set_encpolicy_args' is unusable; probably missing kernel crypto API support"
fi
- $KEYCTL_PROG clear @s
+ if (( policy_version <= 1 )); then
+ $KEYCTL_PROG clear @s
+ fi
rm -r $dir
}
--
2.23.0.700.g56cf767bdb-goog
next prev parent reply other threads:[~2019-10-15 18:25 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-15 18:16 [PATCH v3 0/9] xfstests: add tests for fscrypt key management improvements Eric Biggers
2019-10-15 18:16 ` [PATCH v3 1/9] common/encrypt: disambiguate session encryption keys Eric Biggers
2019-10-15 18:16 ` [PATCH v3 2/9] common/encrypt: add helper functions that wrap new xfs_io commands Eric Biggers
2019-10-15 18:16 ` Eric Biggers [this message]
2019-10-15 18:16 ` [PATCH v3 4/9] common/encrypt: support verifying ciphertext of v2 encryption policies Eric Biggers
2019-10-15 18:16 ` [PATCH v3 5/9] generic: add basic test for fscrypt API additions Eric Biggers
2019-10-15 18:16 ` [PATCH v3 6/9] generic: add test for non-root use of " Eric Biggers
2020-01-19 5:45 ` Murphy Zhou
2020-01-19 18:25 ` Eric Biggers
2020-01-20 2:20 ` Murphy Zhou
2020-01-29 0:45 ` Eric Biggers
2019-10-15 18:16 ` [PATCH v3 7/9] generic: verify ciphertext of v2 encryption policies with AES-256 Eric Biggers
2019-10-15 18:16 ` [PATCH v3 8/9] generic: verify ciphertext of v2 encryption policies with AES-128 Eric Biggers
2019-10-15 18:16 ` [PATCH v3 9/9] generic: verify ciphertext of v2 encryption policies with Adiantum Eric Biggers
2019-10-23 18:00 ` [PATCH v3 0/9] xfstests: add tests for fscrypt key management improvements Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191015181643.6519-4-ebiggers@kernel.org \
--to=ebiggers@kernel.org \
--cc=fstests@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).