To avoid ambiguity, don't use the terms "ciphertext names" or "encrypted
names" when we really mean "no-key names" (the names that the filesystem
shows when userspace lists an encrypted directory without the
directory's encryption key being present). This aligns with changes
that have been made to the kernel source code and documentation
(https://lore.kernel.org/r/
20200924042624.98439-1-ebiggers@kernel.org).
No change to the actual test logic.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Eryu Guan <guaneryu@gmail.com>
Signed-off-by: Eryu Guan <guaneryu@gmail.com>
#
# Now try accessing the files without the encryption key. It should still be
# possible to list the directory and remove files. But filenames should be
#
# Now try accessing the files without the encryption key. It should still be
# possible to list the directory and remove files. But filenames should be
-# encrypted, and it should not be possible to read regular files or to create
-# new files or subdirectories.
+# presented in no-key form, and it should not be possible to read regular files
+# or to create new files or subdirectories.
-# Note that we cannot simply use ls -R to verify the files because the encrypted
+# Note that we cannot simply use ls -R to verify the files because the no-key
# filenames are unpredictable. By design, the key used to encrypt a directory's
# filenames is derived from the master key (the key in the keyring) and a nonce
# filenames are unpredictable. By design, the key used to encrypt a directory's
# filenames is derived from the master key (the key in the keyring) and a nonce
-# generated by the kernel. Hence, the encrypted filenames will be different
-# every time this test is run, even if we were to put a fixed key into the
-# keyring instead of a random one. The same applies to symlink targets.
+# generated by the kernel. Hence, the no-key filenames will be different every
+# time this test is run, even if we were to put a fixed key into the keyring
+# instead of a random one. The same applies to symlink targets.
#
_unlink_session_encryption_key $keydesc
#
_unlink_session_encryption_key $keydesc
_unlink_session_encryption_key $keydesc
_scratch_cycle_mount
_unlink_session_encryption_key $keydesc
_scratch_cycle_mount
-# Note that because encrypted filenames are unpredictable, this needs to be
-# written in a way that does not assume any particular filenames.
+# Note that because no-key filenames are unpredictable, this needs to be written
+# in a way that does not assume any particular filenames.
efile1=$(find $SCRATCH_MNT/edir -maxdepth 1 -type f | head -1)
efile2=$(find $SCRATCH_MNT/edir -maxdepth 1 -type f | tail -1)
mv $efile1 $efile2 |& _filter_scratch | sed 's|edir/[a-zA-Z0-9+,_]\+|edir/FILENAME|g'
efile1=$(find $SCRATCH_MNT/edir -maxdepth 1 -type f | head -1)
efile2=$(find $SCRATCH_MNT/edir -maxdepth 1 -type f | tail -1)
mv $efile1 $efile2 |& _filter_scratch | sed 's|edir/[a-zA-Z0-9+,_]\+|edir/FILENAME|g'
# Now try to open the file again. In buggy kernels this caused concurrent
# readers to crash with a NULL pointer dereference during decryption.
#
# Now try to open the file again. In buggy kernels this caused concurrent
# readers to crash with a NULL pointer dereference during decryption.
#
-# Note that the fix also made filenames stop "immediately" reverting to their
-# ciphertext on key revocation. Therefore, the name of the file we're opening
-# here may be in either plaintext or ciphertext depending on the kernel version,
-# and ciphertext names are unpredictable anyway, so just use 'find' to find it.
+# Note that the fix also made filenames stop "immediately" reverting to no-key
+# names on key revocation. Therefore, the name of the file we're opening here
+# may be in either plaintext or no-key form depending on the kernel version, and
+# no-key names are unpredictable anyway, so just use 'find' to find it.
cat "$(find $dir -type f)" > /dev/null
# Wait for readers to exit
cat "$(find $dir -type f)" > /dev/null
# Wait for readers to exit
-# Test that encrypted dentries are revalidated after adding a key.
-# Regression test for:
+# Test that no-key dentries are revalidated after adding a key. Regression test
+# for:
# 28b4c263961c ("ext4 crypto: revalidate dentry after adding or removing the key")
#
# 28b4c263961c ("ext4 crypto: revalidate dentry after adding or removing the key")
#
-# Furthermore, test that encrypted directories are *not* revalidated after
-# "revoking" a key. This used to be done, but it was broken and was removed by:
+# Furthermore, test that no-key dentries are *not* revalidated after "revoking"
+# a key. This used to be done, but it was broken and was removed by:
# 1b53cf9815bb ("fscrypt: remove broken support for detecting keyring key revocation")
#
# Also test for a race condition bug in 28b4c263961c, fixed by:
# 1b53cf9815bb ("fscrypt: remove broken support for detecting keyring key revocation")
#
# Also test for a race condition bug in 28b4c263961c, fixed by:
_set_encpolicy $SCRATCH_MNT/edir $keydesc
# Create two files in the directory: one whose name is valid in the base64
_set_encpolicy $SCRATCH_MNT/edir $keydesc
# Create two files in the directory: one whose name is valid in the base64
-# format used for encoding ciphertext filenames, and one whose name is not. The
-# exact filenames *should* be irrelevant, but due to yet another bug, ->lookup()
-# in an encrypted directory without the key returned ERR_PTR(-ENOENT) rather
-# than NULL if the name was not valid ciphertext, causing a negative dentry to
-# not be created. For the purpose of this test, we want at least one negative
-# dentry to be created, so just create both types of name.
+# format used in no-key filenames, and one whose name is not. The exact
+# filenames *should* be irrelevant, but due to yet another bug, ->lookup() in an
+# encrypted directory without the key returned ERR_PTR(-ENOENT) rather than NULL
+# if the name was not a valid no-key name, causing a negative dentry to not be
+# created. For the purpose of this test, we want at least one negative dentry
+# to be created, so just create both types of name.
echo contents_@@@ > $SCRATCH_MNT/edir/@@@ # not valid base64
echo contents_abcd > $SCRATCH_MNT/edir/abcd # valid base64
echo contents_@@@ > $SCRATCH_MNT/edir/@@@ # not valid base64
echo contents_abcd > $SCRATCH_MNT/edir/abcd # valid base64
-filter_ciphertext_filenames()
+filter_nokey_filenames()
- _filter_scratch | sed 's|edir/[a-zA-Z0-9+,_]\+|edir/ENCRYPTED_NAME|g'
+ _filter_scratch | sed 's|edir/[a-zA-Z0-9+,_]\+|edir/NOKEY_NAME|g'
echo "--- Contents of files using plaintext names:"
cat $SCRATCH_MNT/edir/@@@ |& _filter_scratch
cat $SCRATCH_MNT/edir/abcd |& _filter_scratch
echo "--- Contents of files using plaintext names:"
cat $SCRATCH_MNT/edir/@@@ |& _filter_scratch
cat $SCRATCH_MNT/edir/abcd |& _filter_scratch
- echo "--- Contents of files using ciphertext names:"
- cat ${ciphertext_names[@]} |& filter_ciphertext_filenames
+ echo "--- Contents of files using no-key names:"
+ cat ${nokey_names[@]} |& filter_nokey_filenames
}
show_directory_with_key()
}
show_directory_with_key()
# View the directory without the encryption key. The plaintext names shouldn't
# exist, but 'cat' each to verify this, which also should create negative
# View the directory without the encryption key. The plaintext names shouldn't
# exist, but 'cat' each to verify this, which also should create negative
-# dentries. The ciphertext names are unpredictable by design, but verify that
-# the correct number of them are listed by readdir, and save them for later.
+# dentries. The no-key names are unpredictable by design, but verify that the
+# correct number of them are listed by readdir, and save them for later.
echo
echo "***** Without encryption key *****"
_unlink_session_encryption_key $keydesc
_scratch_cycle_mount
echo "--- Directory listing:"
echo
echo "***** Without encryption key *****"
_unlink_session_encryption_key $keydesc
_scratch_cycle_mount
echo "--- Directory listing:"
-ciphertext_names=( $(find $SCRATCH_MNT/edir -mindepth 1 | sort) )
-printf '%s\n' "${ciphertext_names[@]}" | filter_ciphertext_filenames
+nokey_names=( $(find $SCRATCH_MNT/edir -mindepth 1 | sort) )
+printf '%s\n' "${nokey_names[@]}" | filter_nokey_filenames
show_file_contents
# Without remounting or dropping caches, add the encryption key and view the
show_file_contents
# Without remounting or dropping caches, add the encryption key and view the
-# directory again. Now the plaintext names should all be there, and the
-# ciphertext names should be gone. Make sure to 'cat' all the names to test for
-# stale dentries.
+# directory again. Now the plaintext names should all be there, and the no-key
+# names should be gone. Make sure to 'cat' all the names to test for stale
+# dentries.
echo
echo "***** With encryption key *****"
_add_session_encryption_key $keydesc $raw_key
echo
echo "***** With encryption key *****"
_add_session_encryption_key $keydesc $raw_key
# Now open the files to pin them in the inode cache (needed to make the test
# reliable), then revoke the encryption key. This should no longer cause the
# Now open the files to pin them in the inode cache (needed to make the test
# reliable), then revoke the encryption key. This should no longer cause the
-# files to be presented in ciphertext form immediately.
+# files to be presented in no-key form immediately.
echo
echo "***** After key revocation *****"
(
echo
echo "***** After key revocation *****"
(
***** Without encryption key *****
--- Directory listing:
***** Without encryption key *****
--- Directory listing:
-SCRATCH_MNT/edir/ENCRYPTED_NAME
-SCRATCH_MNT/edir/ENCRYPTED_NAME
+SCRATCH_MNT/edir/NOKEY_NAME
+SCRATCH_MNT/edir/NOKEY_NAME
--- Contents of files using plaintext names:
cat: SCRATCH_MNT/edir/@@@: No such file or directory
cat: SCRATCH_MNT/edir/abcd: No such file or directory
--- Contents of files using plaintext names:
cat: SCRATCH_MNT/edir/@@@: No such file or directory
cat: SCRATCH_MNT/edir/abcd: No such file or directory
---- Contents of files using ciphertext names:
-cat: SCRATCH_MNT/edir/ENCRYPTED_NAME: Required key not available
-cat: SCRATCH_MNT/edir/ENCRYPTED_NAME: Required key not available
+--- Contents of files using no-key names:
+cat: SCRATCH_MNT/edir/NOKEY_NAME: Required key not available
+cat: SCRATCH_MNT/edir/NOKEY_NAME: Required key not available
***** With encryption key *****
--- Directory listing:
***** With encryption key *****
--- Directory listing:
--- Contents of files using plaintext names:
contents_@@@
contents_abcd
--- Contents of files using plaintext names:
contents_@@@
contents_abcd
---- Contents of files using ciphertext names:
-cat: SCRATCH_MNT/edir/ENCRYPTED_NAME: No such file or directory
-cat: SCRATCH_MNT/edir/ENCRYPTED_NAME: No such file or directory
+--- Contents of files using no-key names:
+cat: SCRATCH_MNT/edir/NOKEY_NAME: No such file or directory
+cat: SCRATCH_MNT/edir/NOKEY_NAME: No such file or directory
***** Race conditions *****
t_encrypted_d_revalidate finished
***** Race conditions *****
t_encrypted_d_revalidate finished
--- Contents of files using plaintext names:
contents_@@@
contents_abcd
--- Contents of files using plaintext names:
contents_@@@
contents_abcd
---- Contents of files using ciphertext names:
-cat: SCRATCH_MNT/edir/ENCRYPTED_NAME: No such file or directory
-cat: SCRATCH_MNT/edir/ENCRYPTED_NAME: No such file or directory
+--- Contents of files using no-key names:
+cat: SCRATCH_MNT/edir/NOKEY_NAME: No such file or directory
+cat: SCRATCH_MNT/edir/NOKEY_NAME: No such file or directory