From: Eric Biggers <ebiggers@kernel.org>
To: fstests@vger.kernel.org
Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net
Subject: [RFC PATCH 3/7] common/encrypt: support requiring other encryption settings
Date: Fri, 26 Apr 2019 13:41:49 -0700 [thread overview]
Message-ID: <20190426204153.101861-4-ebiggers@kernel.org> (raw)
In-Reply-To: <20190426204153.101861-1-ebiggers@kernel.org>
From: Eric Biggers <ebiggers@google.com>
Update _require_scratch_encryption() to support checking for kernel
support for contents and filenames encryption modes besides the default.
This will be used by some of the ciphertext verification tests.
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
common/encrypt | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 58 insertions(+)
diff --git a/common/encrypt b/common/encrypt
index 54d873fa..37f16b94 100644
--- a/common/encrypt
+++ b/common/encrypt
@@ -4,6 +4,15 @@
#
# Functions for setting up and testing file encryption
+#
+# _require_scratch_encryption [-c CONTENTS_MODE] [-n FILENAMES_MODE]
+#
+# Require encryption support on the scratch device.
+#
+# This checks for support for the default type of encryption policy (AES-256-XTS
+# and AES-256-CTS). Options can be specified to also require support for a
+# different type of encryption policy.
+#
_require_scratch_encryption()
{
_require_scratch
@@ -44,9 +53,58 @@ _require_scratch_encryption()
_notrun "kernel does not support $FSTYP encryption"
fi
rmdir $SCRATCH_MNT/tmpdir
+
+ # If required, check for support for the specific type of encryption
+ # policy required by the test.
+ if [ $# -ne 0 ]; then
+ _require_encryption_policy_support $SCRATCH_MNT "$@"
+ fi
+
_scratch_unmount
}
+_require_encryption_policy_support()
+{
+ local mnt=$1
+ local dir=$mnt/tmpdir
+ local set_encpolicy_args=""
+ local c
+
+ OPTIND=2
+ while getopts "c:n:" c; do
+ case $c in
+ c|n)
+ set_encpolicy_args+=" -$c $OPTARG"
+ ;;
+ *)
+ _fail "Unrecognized option '$c'"
+ ;;
+ esac
+ done
+ set_encpolicy_args=${set_encpolicy_args# }
+
+ echo "Checking whether kernel supports encryption policy: $set_encpolicy_args" \
+ >> $seqres.full
+
+ mkdir $dir
+ _require_command "$KEYCTL_PROG" keyctl
+ _new_session_keyring
+ local keydesc=$(_generate_encryption_key)
+ if _set_encpolicy $dir $keydesc $set_encpolicy_args \
+ 2>&1 >>$seqres.full | egrep -q 'Invalid argument'; then
+ _notrun "kernel does not support encryption policy: '$set_encpolicy_args'"
+ fi
+ # fscrypt allows setting policies with modes it knows about, even
+ # without kernel crypto API support. E.g. a policy using Adiantum
+ # encryption can be set on a kernel without CONFIG_CRYPTO_ADIANTUM.
+ # But actually trying to use such an encrypted directory will fail.
+ if ! touch $dir/file; then
+ _notrun "encryption policy '$set_encpolicy_args' is unusable; probably missing kernel crypto API support"
+ fi
+ $KEYCTL_PROG clear @s
+ rm -r $dir
+}
+
_scratch_mkfs_encrypted()
{
case $FSTYP in
--
2.21.0.593.g511ec345e18-goog
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org>
To: fstests@vger.kernel.org
Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net
Subject: [f2fs-dev] [RFC PATCH 3/7] common/encrypt: support requiring other encryption settings
Date: Fri, 26 Apr 2019 13:41:49 -0700 [thread overview]
Message-ID: <20190426204153.101861-4-ebiggers@kernel.org> (raw)
In-Reply-To: <20190426204153.101861-1-ebiggers@kernel.org>
From: Eric Biggers <ebiggers@google.com>
Update _require_scratch_encryption() to support checking for kernel
support for contents and filenames encryption modes besides the default.
This will be used by some of the ciphertext verification tests.
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
common/encrypt | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 58 insertions(+)
diff --git a/common/encrypt b/common/encrypt
index 54d873fa..37f16b94 100644
--- a/common/encrypt
+++ b/common/encrypt
@@ -4,6 +4,15 @@
#
# Functions for setting up and testing file encryption
+#
+# _require_scratch_encryption [-c CONTENTS_MODE] [-n FILENAMES_MODE]
+#
+# Require encryption support on the scratch device.
+#
+# This checks for support for the default type of encryption policy (AES-256-XTS
+# and AES-256-CTS). Options can be specified to also require support for a
+# different type of encryption policy.
+#
_require_scratch_encryption()
{
_require_scratch
@@ -44,9 +53,58 @@ _require_scratch_encryption()
_notrun "kernel does not support $FSTYP encryption"
fi
rmdir $SCRATCH_MNT/tmpdir
+
+ # If required, check for support for the specific type of encryption
+ # policy required by the test.
+ if [ $# -ne 0 ]; then
+ _require_encryption_policy_support $SCRATCH_MNT "$@"
+ fi
+
_scratch_unmount
}
+_require_encryption_policy_support()
+{
+ local mnt=$1
+ local dir=$mnt/tmpdir
+ local set_encpolicy_args=""
+ local c
+
+ OPTIND=2
+ while getopts "c:n:" c; do
+ case $c in
+ c|n)
+ set_encpolicy_args+=" -$c $OPTARG"
+ ;;
+ *)
+ _fail "Unrecognized option '$c'"
+ ;;
+ esac
+ done
+ set_encpolicy_args=${set_encpolicy_args# }
+
+ echo "Checking whether kernel supports encryption policy: $set_encpolicy_args" \
+ >> $seqres.full
+
+ mkdir $dir
+ _require_command "$KEYCTL_PROG" keyctl
+ _new_session_keyring
+ local keydesc=$(_generate_encryption_key)
+ if _set_encpolicy $dir $keydesc $set_encpolicy_args \
+ 2>&1 >>$seqres.full | egrep -q 'Invalid argument'; then
+ _notrun "kernel does not support encryption policy: '$set_encpolicy_args'"
+ fi
+ # fscrypt allows setting policies with modes it knows about, even
+ # without kernel crypto API support. E.g. a policy using Adiantum
+ # encryption can be set on a kernel without CONFIG_CRYPTO_ADIANTUM.
+ # But actually trying to use such an encrypted directory will fail.
+ if ! touch $dir/file; then
+ _notrun "encryption policy '$set_encpolicy_args' is unusable; probably missing kernel crypto API support"
+ fi
+ $KEYCTL_PROG clear @s
+ rm -r $dir
+}
+
_scratch_mkfs_encrypted()
{
case $FSTYP in
--
2.21.0.593.g511ec345e18-goog
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
next prev parent reply other threads:[~2019-04-26 20:45 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-26 20:41 [RFC PATCH 0/7] xfstests: verify fscrypt-encrypted contents and filenames Eric Biggers
2019-04-26 20:41 ` [RFC PATCH 1/7] common/encrypt: introduce helpers for set_encpolicy and get_encpolicy Eric Biggers
2019-05-12 12:21 ` Eryu Guan
2019-05-12 12:21 ` Eryu Guan
2019-04-26 20:41 ` [RFC PATCH 2/7] fscrypt-crypt-util: add utility for reproducing fscrypt encrypted data Eric Biggers
2019-04-26 20:41 ` Eric Biggers
2019-04-26 20:41 ` Eric Biggers [this message]
2019-04-26 20:41 ` [f2fs-dev] [RFC PATCH 3/7] common/encrypt: support requiring other encryption settings Eric Biggers
2019-04-26 20:41 ` [RFC PATCH 4/7] common/encrypt: add helper for ciphertext verification tests Eric Biggers
2019-05-12 12:27 ` Eryu Guan
2019-05-12 12:27 ` Eryu Guan
2019-05-13 19:12 ` Eric Biggers
2019-05-13 19:12 ` [f2fs-dev] " Eric Biggers
2019-05-13 19:12 ` Eric Biggers
2019-05-14 2:20 ` Eryu Guan
2019-05-14 2:20 ` Eryu Guan
2019-04-26 20:41 ` [RFC PATCH 5/7] generic: verify ciphertext of v1 encryption policies with AES-256 Eric Biggers
2019-04-26 20:41 ` [RFC PATCH 6/7] generic: verify ciphertext of v1 encryption policies with AES-128 Eric Biggers
2019-04-26 20:41 ` [RFC PATCH 7/7] generic: verify ciphertext of v1 encryption policies with Adiantum Eric Biggers
2019-05-06 15:57 ` [RFC PATCH 0/7] xfstests: verify fscrypt-encrypted contents and filenames Eric Biggers
2019-05-12 12:58 ` Eryu Guan
2019-05-12 12:58 ` Eryu Guan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190426204153.101861-4-ebiggers@kernel.org \
--to=ebiggers@kernel.org \
--cc=fstests@vger.kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-fscrypt@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.