2 # FS QA Test generic/399
4 # Check for weaknesses in filesystem encryption involving the same ciphertext
5 # being repeated. For file contents, we fill a small filesystem with large
6 # files of 0's and verify the filesystem is incompressible. For filenames, we
7 # create an identical symlink in two different directories and verify the
8 # ciphertext filenames and symlink targets are different.
10 # This test can detect some basic cryptographic mistakes such as nonce reuse
11 # (across files), initialization vector reuse (across blocks), or data somehow
12 # being left in plaintext by accident. For example, it detects the
13 # initialization vector reuse bug fixed in commit 02fc59a0d28f ("f2fs/crypto:
14 # fix xts_tweak initialization").
16 #-----------------------------------------------------------------------
17 # Copyright (c) 2016 Google, Inc. All Rights Reserved.
19 # Author: Eric Biggers <ebiggers@google.com>
21 # This program is free software; you can redistribute it and/or
22 # modify it under the terms of the GNU General Public License as
23 # published by the Free Software Foundation.
25 # This program is distributed in the hope that it would be useful,
26 # but WITHOUT ANY WARRANTY; without even the implied warranty of
27 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
28 # GNU General Public License for more details.
30 # You should have received a copy of the GNU General Public License
31 # along with this program; if not, write the Free Software Foundation,
32 # Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
33 #-----------------------------------------------------------------------
37 seqres=$RESULT_DIR/$seq
38 echo "QA output created by $seq"
42 status=1 # failure is the default!
43 trap "_cleanup; exit \$status" 0 1 2 3 15
51 # get standard environment, filters and checks
56 # remove previous $seqres.full before test
59 # real QA test starts here
62 _require_scratch_encryption
63 _require_xfs_io_command "set_encpolicy"
64 _require_command "$XZ_PROG" xz
65 _require_command "$KEYCTL_PROG" keyctl
70 # Set up a small filesystem containing an encrypted directory. 64 MB is enough
71 # for both ext4 and f2fs (f2fs doesn't support a 32 MB filesystem). Before
72 # creating the filesystem, zero out the needed portion of the device so that
73 # existing data on the device doesn't contribute to the compressed size.
76 fs_size=$((fs_size_in_mb * 1024 * 1024))
77 dd if=/dev/zero of=$SCRATCH_DEV bs=$((1024 * 1024)) \
78 count=$fs_size_in_mb &>> $seqres.full
79 MKFS_OPTIONS="$MKFS_OPTIONS -O encrypt" \
80 _scratch_mkfs_sized $fs_size &>> $seqres.full
83 keydesc=$(_generate_encryption_key)
84 mkdir $SCRATCH_MNT/encrypted_dir
85 $XFS_IO_PROG -c "set_encpolicy $keydesc" $SCRATCH_MNT/encrypted_dir
87 # Create the "same" symlink in two different directories.
88 # Later we'll check both the name and target of the symlink.
89 mkdir $SCRATCH_MNT/encrypted_dir/subdir1
90 mkdir $SCRATCH_MNT/encrypted_dir/subdir2
91 ln -s symlink_target $SCRATCH_MNT/encrypted_dir/subdir1/symlink
92 ln -s symlink_target $SCRATCH_MNT/encrypted_dir/subdir2/symlink
95 # Write files of 1 MB of all the same byte until we hit ENOSPC. Note that we
96 # must not create sparse files, since the contents of sparse files are not
97 # stored on-disk. Also, we create multiple files rather than one big file
98 # because we want to test for reuse of per-file keys.
103 file=$SCRATCH_MNT/encrypted_dir/file$i
104 if ! $XFS_IO_PROG -f $file -c 'pwrite 0 1M' &> $tmp.out; then
105 if ! grep -q 'No space left on device' $tmp.out; then
106 echo "FAIL: unexpected pwrite failure"
108 elif [ -e $file ]; then
109 total_file_size=$((total_file_size + $(stat -c %s $file)))
113 total_file_size=$((total_file_size + $(stat -c %s $file)))
115 if [ $i -gt $fs_size_in_mb ]; then
116 echo "FAIL: filesystem never filled up!"
121 # We shouldn't have been able to write more data than we had space for.
122 if (( $total_file_size > $fs_size )); then
123 echo "FAIL: wrote $total_file_size bytes but should have only" \
124 "had space for $fs_size bytes at most"
128 # Unmount the filesystem and compute its compressed size. It must be no smaller
129 # than the amount of data that was written; otherwise there was a compromise in
130 # the confidentiality of the data. False positives should not be possible
131 # because filesystem metadata will also contribute to the compressed size.
133 # Note: it's important to use a strong compressor such as xz which can detect
134 # redundancy across most or all of the filesystem. We run xz with a 64 MB
135 # sliding window but use some custom settings to make it faster and use less
136 # memory than the '-9' preset. The memory needed with our settings will be
137 # 64 * 6.5 = 416 MB; see xz(1).
139 _unlink_encryption_key $keydesc
141 fs_compressed_size=$(head -c $fs_size $SCRATCH_DEV | \
142 xz --lzma2=dict=64M,mf=hc4,mode=fast,nice=16 | \
145 if (( $fs_compressed_size < $total_file_size )); then
146 echo "FAIL: filesystem was compressible" \
147 "($total_file_size bytes => $fs_compressed_size bytes)"
149 echo "PASS: ciphertexts were not repeated for contents"
152 # Verify that encrypted filenames and symlink targets were not reused. Note
153 # that since the ciphertexts should be unpredictable, we cannot simply include
154 # the expected names in the expected output file.
156 find $SCRATCH_MNT/encrypted_dir -type l | wc -l
157 link1=$(find $SCRATCH_MNT/encrypted_dir -type l | head -1)
158 link2=$(find $SCRATCH_MNT/encrypted_dir -type l | tail -1)
159 [ $(basename $link1) = $(basename $link2) ] && \
160 echo "Encrypted filenames were reused!"
161 [ $(readlink $link1) = $(readlink $link2) ] && \
162 echo "Encrypted symlink targets were reused!"