common/encrypt: support requiring other encryption settings
authorEric Biggers <ebiggers@google.com>
Fri, 24 May 2019 22:04:21 +0000 (15:04 -0700)
committerEryu Guan <guaneryu@gmail.com>
Mon, 27 May 2019 12:14:34 +0000 (20:14 +0800)
Update _require_scratch_encryption() to support checking for kernel
support for contents and filenames encryption modes besides the default.
This will be used by some of the ciphertext verification tests.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Eryu Guan <guaneryu@gmail.com>
Signed-off-by: Eryu Guan <guaneryu@gmail.com>
common/encrypt

index cbe0b73d7e5e11c53d0da6d8bfd5fc9f6dcced12..a4ffc531e4b884ba379857b0b3e86e5cea1a36b0 100644 (file)
@@ -4,6 +4,15 @@
 #
 # Functions for setting up and testing file encryption
 
+#
+# _require_scratch_encryption [-c CONTENTS_MODE] [-n FILENAMES_MODE]
+#
+# Require encryption support on the scratch device.
+#
+# This checks for support for the default type of encryption policy (AES-256-XTS
+# and AES-256-CTS).  Options can be specified to also require support for a
+# different type of encryption policy.
+#
 _require_scratch_encryption()
 {
        _require_scratch
@@ -44,9 +53,58 @@ _require_scratch_encryption()
                _notrun "kernel does not support $FSTYP encryption"
        fi
        rmdir $SCRATCH_MNT/tmpdir
+
+       # If required, check for support for the specific type of encryption
+       # policy required by the test.
+       if [ $# -ne 0 ]; then
+               _require_encryption_policy_support $SCRATCH_MNT "$@"
+       fi
+
        _scratch_unmount
 }
 
+_require_encryption_policy_support()
+{
+       local mnt=$1
+       local dir=$mnt/tmpdir
+       local set_encpolicy_args=""
+       local c
+
+       OPTIND=2
+       while getopts "c:n:" c; do
+               case $c in
+               c|n)
+                       set_encpolicy_args+=" -$c $OPTARG"
+                       ;;
+               *)
+                       _fail "Unrecognized option '$c'"
+                       ;;
+               esac
+       done
+       set_encpolicy_args=${set_encpolicy_args# }
+
+       echo "Checking whether kernel supports encryption policy: $set_encpolicy_args" \
+               >> $seqres.full
+
+       mkdir $dir
+       _require_command "$KEYCTL_PROG" keyctl
+       _new_session_keyring
+       local keydesc=$(_generate_encryption_key)
+       if _set_encpolicy $dir $keydesc $set_encpolicy_args \
+               2>&1 >>$seqres.full | egrep -q 'Invalid argument'; then
+               _notrun "kernel does not support encryption policy: '$set_encpolicy_args'"
+       fi
+       # fscrypt allows setting policies with modes it knows about, even
+       # without kernel crypto API support.  E.g. a policy using Adiantum
+       # encryption can be set on a kernel without CONFIG_CRYPTO_ADIANTUM.
+       # But actually trying to use such an encrypted directory will fail.
+       if ! touch $dir/file; then
+               _notrun "encryption policy '$set_encpolicy_args' is unusable; probably missing kernel crypto API support"
+       fi
+       $KEYCTL_PROG clear @s
+       rm -r $dir
+}
+
 _scratch_mkfs_encrypted()
 {
        case $FSTYP in