[PATCH v2 3/3] generic: verify ciphertext with hardware-wrapped keys

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Eric Biggers <ebiggers@kernel.org>
To: fstests@vger.kernel.org
Cc: linux-fscrypt@vger.kernel.org,
	Bartosz Golaszewski <brgl@bgdev.pl>,
	Gaurav Kashyap <quic_gaurkash@quicinc.com>
Subject: [PATCH v2 3/3] generic: verify ciphertext with hardware-wrapped keys
Date: Thu, 12 Dec 2024 21:28:39 -0800	[thread overview]
Message-ID: <20241213052840.314921-4-ebiggers@kernel.org> (raw)
In-Reply-To: <20241213052840.314921-1-ebiggers@kernel.org>

From: Eric Biggers <ebiggers@google.com>

Add two tests which verify that encrypted files are encrypted correctly
when a hardware-wrapped inline encryption key is used.  The two tests
are identical except that one uses FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64
and the other uses FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32.  These cover both
of the settings where hardware-wrapped keys may be used.

Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 tests/generic/900     | 24 ++++++++++++++++++++++++
 tests/generic/900.out |  6 ++++++
 tests/generic/901     | 24 ++++++++++++++++++++++++
 tests/generic/901.out |  6 ++++++
 4 files changed, 60 insertions(+)
 create mode 100755 tests/generic/900
 create mode 100644 tests/generic/900.out
 create mode 100755 tests/generic/901
 create mode 100644 tests/generic/901.out

diff --git a/tests/generic/900 b/tests/generic/900
new file mode 100755
index 00000000..8da8007e
--- /dev/null
+++ b/tests/generic/900
@@ -0,0 +1,24 @@
+#! /bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright 2024 Google LLC
+#
+# FS QA Test No. 900
+#
+# Verify the ciphertext for encryption policies that use a hardware-wrapped
+# inline encryption key, the IV_INO_LBLK_64 flag, and AES-256-XTS.
+#
+. ./common/preamble
+_begin_fstest auto quick encrypt
+
+. ./common/filter
+. ./common/encrypt
+
+# Hardware-wrapped keys require the inlinecrypt mount option.
+_require_scratch_inlinecrypt
+export MOUNT_OPTIONS="$MOUNT_OPTIONS -o inlinecrypt"
+
+_verify_ciphertext_for_encryption_policy AES-256-XTS AES-256-CTS-CBC \
+	v2 iv_ino_lblk_64 hw_wrapped_key
+
+status=0
+exit
diff --git a/tests/generic/900.out b/tests/generic/900.out
new file mode 100644
index 00000000..9edc012c
--- /dev/null
+++ b/tests/generic/900.out
@@ -0,0 +1,6 @@
+QA output created by 900
+
+Verifying ciphertext with parameters:
+	contents_encryption_mode: AES-256-XTS
+	filenames_encryption_mode: AES-256-CTS-CBC
+	options: v2 iv_ino_lblk_64 hw_wrapped_key
diff --git a/tests/generic/901 b/tests/generic/901
new file mode 100755
index 00000000..bfc63bde
--- /dev/null
+++ b/tests/generic/901
@@ -0,0 +1,24 @@
+#! /bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright 2024 Google LLC
+#
+# FS QA Test No. 901
+#
+# Verify the ciphertext for encryption policies that use a hardware-wrapped
+# inline encryption key, the IV_INO_LBLK_32 flag, and AES-256-XTS.
+#
+. ./common/preamble
+_begin_fstest auto quick encrypt
+
+. ./common/filter
+. ./common/encrypt
+
+# Hardware-wrapped keys require the inlinecrypt mount option.
+_require_scratch_inlinecrypt
+export MOUNT_OPTIONS="$MOUNT_OPTIONS -o inlinecrypt"
+
+_verify_ciphertext_for_encryption_policy AES-256-XTS AES-256-CTS-CBC \
+	v2 iv_ino_lblk_32 hw_wrapped_key
+
+status=0
+exit
diff --git a/tests/generic/901.out b/tests/generic/901.out
new file mode 100644
index 00000000..2f928465
--- /dev/null
+++ b/tests/generic/901.out
@@ -0,0 +1,6 @@
+QA output created by 901
+
+Verifying ciphertext with parameters:
+	contents_encryption_mode: AES-256-XTS
+	filenames_encryption_mode: AES-256-CTS-CBC
+	options: v2 iv_ino_lblk_32 hw_wrapped_key
-- 
2.47.1

next prev parent reply	other threads:[~2024-12-13  5:28 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-12-13  5:28 [PATCH v2 0/3] xfstests: test the fscrypt hardware-wrapped key support Eric Biggers
2024-12-13  5:28 ` [PATCH v2 1/3] fscrypt-crypt-util: add hardware KDF support Eric Biggers
2024-12-13  5:28 ` [PATCH v2 2/3] common/encrypt: support hardware-wrapped key testing Eric Biggers
2024-12-13  5:28 ` Eric Biggers [this message]
2025-01-07 13:59 ` [PATCH v2 0/3] xfstests: test the fscrypt hardware-wrapped key support Zorro Lang

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:8da8007 dfblob:9edc012 dfblob:bfc63bd dfblob:2f92846 )
 OR (
bs:"[PATCH v2 3/3] generic: verify ciphertext with hardware-wrapped keys" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20241213052840.314921-4-ebiggers@kernel.org \
    --to=ebiggers@kernel.org \
    --cc=brgl@bgdev.pl \
    --cc=fstests@vger.kernel.org \
    --cc=linux-fscrypt@vger.kernel.org \
    --cc=quic_gaurkash@quicinc.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.