2 # SPDX-License-Identifier: GPL-2.0
3 # Copyright (c) 2016 Google, Inc. All Rights Reserved.
5 # FS QA Test generic/399
7 # Check for weaknesses in filesystem encryption involving the same ciphertext
8 # being repeated. For file contents, we fill a small filesystem with large
9 # files of 0's and verify the filesystem is incompressible. For filenames, we
10 # create an identical symlink in two different directories and verify the
11 # ciphertext filenames and symlink targets are different.
13 # This test can detect some basic cryptographic mistakes such as nonce reuse
14 # (across files), initialization vector reuse (across blocks), or data somehow
15 # being left in plaintext by accident. For example, it detects the
16 # initialization vector reuse bug fixed in commit 02fc59a0d28f ("f2fs/crypto:
17 # fix xts_tweak initialization").
20 _begin_fstest auto encrypt
22 # Import common functions.
26 # real QA test starts here
28 _require_scratch_encryption
30 _require_command "$XZ_PROG" xz
31 _require_command "$KEYCTL_PROG" keyctl
36 # Set up a small filesystem containing an encrypted directory. 64 MB is enough
37 # for both ext4 and f2fs (f2fs doesn't support a 32 MB filesystem). Before
38 # creating the filesystem, zero out the needed portion of the device so that
39 # existing data on the device doesn't contribute to the compressed size.
42 fs_size=$((fs_size_in_mb * 1024 * 1024))
43 dd if=/dev/zero of=$SCRATCH_DEV bs=$((1024 * 1024)) \
44 count=$fs_size_in_mb &>> $seqres.full
45 _scratch_mkfs_sized_encrypted $fs_size &>> $seqres.full
48 keydesc=$(_generate_session_encryption_key)
49 mkdir $SCRATCH_MNT/encrypted_dir
50 _set_encpolicy $SCRATCH_MNT/encrypted_dir $keydesc
52 # Create the "same" symlink in two different directories.
53 # Later we'll check both the name and target of the symlink.
54 mkdir $SCRATCH_MNT/encrypted_dir/subdir1
55 mkdir $SCRATCH_MNT/encrypted_dir/subdir2
56 ln -s symlink_target $SCRATCH_MNT/encrypted_dir/subdir1/symlink
57 ln -s symlink_target $SCRATCH_MNT/encrypted_dir/subdir2/symlink
60 # Write files of 1 MB of all the same byte until we hit ENOSPC. Note that we
61 # must not create sparse files, since the contents of sparse files are not
62 # stored on-disk. Also, we create multiple files rather than one big file
63 # because we want to test for reuse of per-file keys.
68 file=$SCRATCH_MNT/encrypted_dir/file$i
70 $XFS_IO_PROG -f $file -c 'pwrite 0 1M' &> $tmp.out
71 echo "Writing $file..." >> $seqres.full
72 cat $tmp.out >> $seqres.full
76 file_size=$(_get_filesize $file)
79 # We shouldn't have been able to write more data than we had space for.
80 (( total_file_size += file_size ))
81 if (( total_file_size > fs_size )); then
82 _fail "Wrote $total_file_size bytes but should have only" \
83 "had space for $fs_size bytes at most!"
86 # Stop if we hit ENOSPC.
87 if grep -q 'No space left on device' $tmp.out; then
91 # Otherwise the file should have been successfully created.
92 if [ ! -e $file ]; then
93 _fail "$file failed to be created, but the fs isn't out of space yet!"
95 if (( file_size != 1024 * 1024 )); then
96 _fail "Size of $file is wrong (possible write error?)." \
97 "Got $file_size, expected 1 MiB"
103 # Unmount the filesystem and compute its compressed size. It must be no smaller
104 # than the amount of data that was written; otherwise there was a compromise in
105 # the confidentiality of the data. False positives should not be possible
106 # because filesystem metadata will also contribute to the compressed size.
108 # Note: it's important to use a strong compressor such as xz which can detect
109 # redundancy across most or all of the filesystem. We run xz with a 64 MB
110 # sliding window but use some custom settings to make it faster and use less
111 # memory than the '-9' preset. The memory needed with our settings will be
112 # 64 * 6.5 = 416 MB; see xz(1).
114 _unlink_session_encryption_key $keydesc
116 fs_compressed_size=$(head -c $fs_size $SCRATCH_DEV | \
117 xz --lzma2=dict=64M,mf=hc4,mode=fast,nice=16 | \
120 if (( $fs_compressed_size < $total_file_size )); then
121 echo "FAIL: filesystem was compressible" \
122 "($total_file_size bytes => $fs_compressed_size bytes)"
124 echo "PASS: ciphertexts were not repeated for contents"
127 # Verify that encrypted filenames and symlink targets were not reused. Note
128 # that since the ciphertexts should be unpredictable, we cannot simply include
129 # the expected names in the expected output file.
131 find $SCRATCH_MNT/encrypted_dir -type l | wc -l
132 link1=$(find $SCRATCH_MNT/encrypted_dir -type l | head -1)
133 link2=$(find $SCRATCH_MNT/encrypted_dir -type l | tail -1)
134 [ $(basename $link1) = $(basename $link2) ] && \
135 echo "Encrypted filenames were reused!"
136 [ $(readlink $link1) = $(readlink $link2) ] && \
137 echo "Encrypted symlink targets were reused!"