common/encrypt: support verifying ciphertext of IV_INO_LBLK_64 policies
[xfstests-dev.git] / common / encrypt
index b967c65a26f6598d8561fecb4a3abe6c49964868..2e9908adf1cbbf0e900068b6551e926d2c2e2ee4 100644 (file)
@@ -6,7 +6,7 @@
 
 #
 # _require_scratch_encryption [-c CONTENTS_MODE] [-n FILENAMES_MODE]
-#                            [-v POLICY_VERSION]
+#                            [-f POLICY_FLAGS] [-v POLICY_VERSION]
 #
 # Require encryption support on the scratch device.
 #
@@ -69,15 +69,20 @@ _require_encryption_policy_support()
        local mnt=$1
        local dir=$mnt/tmpdir
        local set_encpolicy_args=""
+       local policy_flags=0
        local policy_version=1
        local c
 
        OPTIND=2
-       while getopts "c:n:v:" c; do
+       while getopts "c:n:f:v:" c; do
                case $c in
                c|n)
                        set_encpolicy_args+=" -$c $OPTARG"
                        ;;
+               f)
+                       set_encpolicy_args+=" -$c $OPTARG"
+                       policy_flags=$OPTARG
+                       ;;
                v)
                        set_encpolicy_args+=" -$c $OPTARG"
                        policy_version=$OPTARG
@@ -92,6 +97,12 @@ _require_encryption_policy_support()
        echo "Checking whether kernel supports encryption policy: $set_encpolicy_args" \
                >> $seqres.full
 
+       if (( policy_flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 )); then
+               _scratch_unmount
+               _scratch_mkfs_stable_inodes_encrypted &>> $seqres.full
+               _scratch_mount
+       fi
+
        mkdir $dir
        if (( policy_version > 1 )); then
                _require_xfs_io_command "get_encpolicy" "-t"
@@ -159,6 +170,23 @@ _scratch_mkfs_sized_encrypted()
        esac
 }
 
+# Like _scratch_mkfs_encrypted(), but add -O stable_inodes if applicable for the
+# filesystem type.  This is necessary for using encryption policies that include
+# the inode number in the IVs, e.g. policies with the IV_INO_LBLK_64 flag set.
+_scratch_mkfs_stable_inodes_encrypted()
+{
+       case $FSTYP in
+       ext4)
+               if ! _scratch_mkfs -O encrypt -O stable_inodes; then
+                       _notrun "-O stable_inodes is not supported"
+               fi
+               ;;
+       *)
+               _scratch_mkfs_encrypted
+               ;;
+       esac
+}
+
 # Give the invoking shell a new session keyring.  This makes any keys we add to
 # the session keyring scoped to the lifetime of the test script.
 _new_session_keyring()
@@ -568,7 +596,8 @@ _do_verify_ciphertext_for_encryption_policy()
        local set_encpolicy_args=$4
        local keyspec=$5
        local raw_key_hex=$6
-       local crypt_cmd="$here/src/fscrypt-crypt-util $7"
+       local crypt_contents_cmd="$here/src/fscrypt-crypt-util $7"
+       local crypt_filename_cmd="$here/src/fscrypt-crypt-util $8"
 
        local blocksize=$(_get_block_size $SCRATCH_MNT)
        local test_contents_files=()
@@ -626,14 +655,15 @@ _do_verify_ciphertext_for_encryption_policy()
                read -r src inode blocklist <<< "$f"
                nonce=$(_get_encryption_nonce $SCRATCH_DEV $inode)
                _dump_ciphertext_blocks $SCRATCH_DEV $blocklist > $tmp.actual_contents
-               $crypt_cmd $contents_encryption_mode $raw_key_hex \
+               $crypt_contents_cmd $contents_encryption_mode $raw_key_hex \
                        --file-nonce=$nonce --block-size=$blocksize \
-                       < $src > $tmp.expected_contents
+                       --inode-number=$inode < $src > $tmp.expected_contents
                if ! cmp $tmp.expected_contents $tmp.actual_contents; then
                        _fail "Expected encrypted contents != actual encrypted contents.  File: $f"
                fi
-               $crypt_cmd $contents_encryption_mode $raw_key_hex --decrypt \
-                       --file-nonce=$nonce --block-size=$blocksize \
+               $crypt_contents_cmd $contents_encryption_mode $raw_key_hex \
+                       --decrypt --file-nonce=$nonce --block-size=$blocksize \
+                       --inode-number=$inode \
                        < $tmp.actual_contents > $tmp.decrypted_contents
                if ! cmp $src $tmp.decrypted_contents; then
                        _fail "Contents decryption sanity check failed.  File: $f"
@@ -647,16 +677,17 @@ _do_verify_ciphertext_for_encryption_policy()
                _get_ciphertext_filename $SCRATCH_DEV $inode $dir_inode \
                        > $tmp.actual_name
                echo -n "$name" | \
-                       $crypt_cmd $filenames_encryption_mode $raw_key_hex \
-                       --file-nonce=$nonce --padding=$padding \
-                       --block-size=255 > $tmp.expected_name
+                       $crypt_filename_cmd $filenames_encryption_mode \
+                       $raw_key_hex --file-nonce=$nonce --padding=$padding \
+                       --block-size=255 --inode-number=$dir_inode \
+                       > $tmp.expected_name
                if ! cmp $tmp.expected_name $tmp.actual_name; then
                        _fail "Expected encrypted filename != actual encrypted filename.  File: $f"
                fi
-               $crypt_cmd $filenames_encryption_mode $raw_key_hex --decrypt \
-                       --file-nonce=$nonce --padding=$padding \
-                       --block-size=255 < $tmp.actual_name \
-                       > $tmp.decrypted_name
+               $crypt_filename_cmd $filenames_encryption_mode $raw_key_hex \
+                       --decrypt --file-nonce=$nonce --padding=$padding \
+                       --block-size=255 --inode-number=$dir_inode \
+                       < $tmp.actual_name > $tmp.decrypted_name
                decrypted_name=$(tr -d '\0' < $tmp.decrypted_name)
                if [ "$name" != "$decrypted_name" ]; then
                        _fail "Filename decryption sanity check failed ($name != $decrypted_name).  File: $f"
@@ -673,6 +704,7 @@ FSCRYPT_MODE_AES_128_CTS=6
 FSCRYPT_MODE_ADIANTUM=9
 
 FSCRYPT_POLICY_FLAG_DIRECT_KEY=0x04
+FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64=0x08
 
 _fscrypt_mode_name_to_num()
 {
@@ -692,8 +724,13 @@ _fscrypt_mode_name_to_num()
 # policy of the specified type is used.
 #
 # The first two parameters are the contents and filenames encryption modes to
-# test.  Optionally, also specify 'direct' to test the DIRECT_KEY flag, and/or
-# 'v2' to test v2 policies.
+# test.  The following optional parameters are also accepted to further modify
+# the type of encryption policy that is tested:
+#
+#      'v2':                   test a v2 encryption policy
+#      'direct':               test the DIRECT_KEY policy flag
+#      'iv_ino_lblk_64':       test the IV_INO_LBLK_64 policy flag
+#
 _verify_ciphertext_for_encryption_policy()
 {
        local contents_encryption_mode=$1
@@ -703,6 +740,8 @@ _verify_ciphertext_for_encryption_policy()
        local policy_flags=0
        local set_encpolicy_args=""
        local crypt_util_args=""
+       local crypt_util_contents_args=""
+       local crypt_util_filename_args=""
 
        shift 2
        for opt; do
@@ -717,6 +756,9 @@ _verify_ciphertext_for_encryption_policy()
                        fi
                        (( policy_flags |= FSCRYPT_POLICY_FLAG_DIRECT_KEY ))
                        ;;
+               iv_ino_lblk_64)
+                       (( policy_flags |= FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 ))
+                       ;;
                *)
                        _fail "Unknown option '$opt' passed to ${FUNCNAME[0]}"
                        ;;
@@ -732,9 +774,19 @@ _verify_ciphertext_for_encryption_policy()
                set_encpolicy_args+=" -v 2"
                crypt_util_args+=" --kdf=HKDF-SHA512"
                if (( policy_flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY )); then
+                       if (( policy_flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 )); then
+                               _fail "'direct' and 'iv_ino_lblk_64' options are mutually exclusive"
+                       fi
                        crypt_util_args+=" --mode-num=$contents_mode_num"
+               elif (( policy_flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 )); then
+                       crypt_util_args+=" --iv-ino-lblk-64"
+                       crypt_util_contents_args+=" --mode-num=$contents_mode_num"
+                       crypt_util_filename_args+=" --mode-num=$filenames_mode_num"
                fi
        else
+               if (( policy_flags & ~FSCRYPT_POLICY_FLAG_DIRECT_KEY )); then
+                       _fail "unsupported flags for v1 policy: $policy_flags"
+               fi
                if (( policy_flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY )); then
                        crypt_util_args+=" --kdf=none"
                else
@@ -743,7 +795,7 @@ _verify_ciphertext_for_encryption_policy()
        fi
        set_encpolicy_args=${set_encpolicy_args# }
 
-       _require_scratch_encryption $set_encpolicy_args
+       _require_scratch_encryption $set_encpolicy_args -f $policy_flags
        _require_test_program "fscrypt-crypt-util"
        _require_xfs_io_command "fiemap"
        _require_get_encryption_nonce_support
@@ -753,9 +805,18 @@ _verify_ciphertext_for_encryption_policy()
        fi
 
        echo "Creating encryption-capable filesystem" >> $seqres.full
-       _scratch_mkfs_encrypted &>> $seqres.full
+       if (( policy_flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 )); then
+               _scratch_mkfs_stable_inodes_encrypted &>> $seqres.full
+       else
+               _scratch_mkfs_encrypted &>> $seqres.full
+       fi
        _scratch_mount
 
+       crypt_util_args+=" --fs-uuid=$(blkid -s UUID -o value $SCRATCH_DEV | tr -d -)"
+
+       crypt_util_contents_args+="$crypt_util_args"
+       crypt_util_filename_args+="$crypt_util_args"
+
        echo "Generating encryption key" >> $seqres.full
        local raw_key=$(_generate_raw_encryption_key)
        if (( policy_version > 1 )); then
@@ -781,5 +842,6 @@ _verify_ciphertext_for_encryption_policy()
                "$set_encpolicy_args" \
                "$keyspec" \
                "$raw_key_hex" \
-               "$crypt_util_args"
+               "$crypt_util_contents_args" \
+               "$crypt_util_filename_args"
 }