common/encrypt: support checking for v2 encryption policy support
authorEric Biggers <ebiggers@google.com>
Tue, 15 Oct 2019 18:16:37 +0000 (11:16 -0700)
committerEryu Guan <guaneryu@gmail.com>
Sat, 26 Oct 2019 15:22:56 +0000 (23:22 +0800)
Allow passing '-v 2' to _require_scratch_encryption() to check for
v2 encryption policy support on the scratch device, and for xfs_io
support for setting and getting v2 encryption policies.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Eryu Guan <guaneryu@gmail.com>
Signed-off-by: Eryu Guan <guaneryu@gmail.com>
common/encrypt

index dc3fe6acf2b077aec63ef2461539bdca78665e64..1335d22272de72a4aa27dfca32e5f1356d32e4e9 100644 (file)
@@ -6,12 +6,13 @@
 
 #
 # _require_scratch_encryption [-c CONTENTS_MODE] [-n FILENAMES_MODE]
+#                            [-v POLICY_VERSION]
 #
 # Require encryption support on the scratch device.
 #
-# This checks for support for the default type of encryption policy (AES-256-XTS
-# and AES-256-CTS).  Options can be specified to also require support for a
-# different type of encryption policy.
+# This checks for support for the default type of encryption policy (v1 with
+# AES-256-XTS and AES-256-CTS).  Options can be specified to also require
+# support for a different type of encryption policy.
 #
 _require_scratch_encryption()
 {
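Review bot: The new `[-v POLICY_VERSION]` usage line is not explained anywhere in the header comment; the reader has to find the getopts loop further down to learn what values are meaningful and what requesting version 2 entails. I would add, after the "Options can be specified" sentence, something like `# -v POLICY_VERSION requires support for that encryption policy version; 2 additionally requires the kernel's v2 encryption API (filesystem-level keys), which is probed separately.` so the caller-facing contract lives next to the usage line. The body of _require_scratch_encryption starts at the hunk's last line and continues outside it.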
@@ -68,14 +69,19 @@ _require_encryption_policy_support()
        local mnt=$1
        local dir=$mnt/tmpdir
        local set_encpolicy_args=""
+       local policy_version=1
        local c
 
        OPTIND=2
-       while getopts "c:n:" c; do
+       while getopts "c:n:v:" c; do
                case $c in
                c|n)
                        set_encpolicy_args+=" -$c $OPTARG"
                        ;;
+               v)
+                       set_encpolicy_args+=" -$c $OPTARG"
+                       policy_version=$OPTARG
+                       ;;
                *)
                        _fail "Unrecognized option '$c'"
                        ;;
@@ -87,10 +93,26 @@ _require_encryption_policy_support()
                >> $seqres.full
 
        mkdir $dir
-       _require_command "$KEYCTL_PROG" keyctl
-       _new_session_keyring
-       local keydesc=$(_generate_session_encryption_key)
-       if _set_encpolicy $dir $keydesc $set_encpolicy_args \
+       if (( policy_version > 1 )); then
+               _require_xfs_io_command "get_encpolicy" "-t"
+               local output=$(_get_encpolicy $dir -t)
+               if [ "$output" != "supported" ]; then
+                       if [ "$output" = "unsupported" ]; then
+                               _notrun "kernel does not support $FSTYP encryption v2 API"
+                       fi
+                       _fail "Unexpected output from 'get_encpolicy -t': $output"
+               fi
+               # Both the kernel and xfs_io support v2 encryption policies, and
+               # therefore also filesystem-level keys -- since that's the only
+               # way to provide keys for v2 policies.
+               local raw_key=$(_generate_raw_encryption_key)
+               local keyspec=$(_add_enckey $mnt "$raw_key" | awk '{print $NF}')
+       else
+               _require_command "$KEYCTL_PROG" keyctl
+               _new_session_keyring
+               local keyspec=$(_generate_session_encryption_key)
+       fi
+       if _set_encpolicy $dir $keyspec $set_encpolicy_args \
                2>&1 >>$seqres.full | egrep -q 'Invalid argument'; then
                _notrun "kernel does not support encryption policy: '$set_encpolicy_args'"
        fi
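Review bot: `local keyspec=$(_add_enckey $mnt "$raw_key" | awk '{print $NF}')` (and likewise `local raw_key=$(...)`) masks the exit status of the command substitution, so if adding the key fails, `keyspec` is silently empty and `_set_encpolicy $dir $keyspec $set_encpolicy_args` runs with a shifted argument list, and the resulting error is attributed to the policy rather than to key setup. I would split the declaration from the assignment and reject an empty result: `local keyspec`, `keyspec=$(_add_enckey $mnt "$raw_key" | awk '{print $NF}')`, `[ -n "$keyspec" ] || _fail "failed to add encryption key to $mnt"`. The same split applies to the v1 branch's `_generate_session_encryption_key` call. Passing the raw key as a command-line argument makes it visible in process listings, which is fine for a freshly generated test key but worth a comment so nobody reuses the pattern with real key material. The function continues past the hunk.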
@@ -103,7 +125,9 @@ _require_encryption_policy_support()
        if ! echo foo > $dir/file; then
                _notrun "encryption policy '$set_encpolicy_args' is unusable; probably missing kernel crypto API support"
        fi
-       $KEYCTL_PROG clear @s
+       if (( policy_version <= 1 )); then
+               $KEYCTL_PROG clear @s
+       fi
        rm -r $dir
 }
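Review bot: The cleanup at the end only mirrors the v1 path: for `policy_version <= 1` the session keyring is cleared, but for v2 the key added to the filesystem keyring via `_add_enckey` in this function is never removed, so it outlives the probe and the `rm -r $dir` below. If the file provides a removal counterpart to `_add_enckey`, the symmetric fix is an `else` arm, `else` / `_rm_enckey $mnt $keyspec`, using the `keyspec` local already set earlier in the function; if it does not, a comment stating that the key is intentionally left until the scratch filesystem is recreated would at least make the asymmetry deliberate. Either way the failure of that removal should not mask the probe result. The function starts before this hunk.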