* [PATCH v2 0/2] iotests: Fix crypto algorithm failures @ 2021-11-17 15:17 Hanna Reitz 2021-11-17 15:17 ` [PATCH v2 1/2] iotests: Use aes-128-cbc Hanna Reitz 2021-11-17 15:17 ` [PATCH v2 2/2] iotests/149: Skip on unsupported ciphers Hanna Reitz 0 siblings, 2 replies; 7+ messages in thread From: Hanna Reitz @ 2021-11-17 15:17 UTC (permalink / raw) To: qemu-block Cc: Kevin Wolf, Hanna Reitz, Daniel P . Berrangé, qemu-devel, Thomas Huth Hi, iotests 149, 206, and 210 fail when qemu uses the gnutls crypto backend (which is the default as of 8bd0931f6) because they try to use algorithms that this backend does not support. Have 206 and 210 use different algorithms instead (patch 1), and let 149 be skipped when it encounters an unsupported algorithm (patch 2). v2: - Fixed the `check_cipher_support()` function introduced in patch 2 (forgot to pass `config`, though it worked even without, apparently because `config` is a global-scope variable....) - Also a good opportunity to CC Dan, who I forgot on v1 git-backport-diff against v1: Key: [----] : patches are identical [####] : number of functional differences between upstream/downstream patch [down] : patch is downstream-only The flags [FC] indicate (F)unctional and (C)ontextual differences, respectively 001/2:[----] [--] 'iotests: Use aes-128-cbc' 002/2:[0008] [FC] 'iotests/149: Skip on unsupported ciphers' Hanna Reitz (2): iotests: Use aes-128-cbc iotests/149: Skip on unsupported ciphers tests/qemu-iotests/149 | 23 ++++++++++++++++++----- tests/qemu-iotests/206 | 4 ++-- tests/qemu-iotests/206.out | 6 +++--- tests/qemu-iotests/210 | 4 ++-- tests/qemu-iotests/210.out | 6 +++--- 5 files changed, 28 insertions(+), 15 deletions(-) -- 2.33.1 ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH v2 1/2] iotests: Use aes-128-cbc 2021-11-17 15:17 [PATCH v2 0/2] iotests: Fix crypto algorithm failures Hanna Reitz @ 2021-11-17 15:17 ` Hanna Reitz 2021-11-17 15:47 ` Daniel P. Berrangé 2021-11-19 8:53 ` Thomas Huth 2021-11-17 15:17 ` [PATCH v2 2/2] iotests/149: Skip on unsupported ciphers Hanna Reitz 1 sibling, 2 replies; 7+ messages in thread From: Hanna Reitz @ 2021-11-17 15:17 UTC (permalink / raw) To: qemu-block Cc: Kevin Wolf, Hanna Reitz, Daniel P . Berrangé, qemu-devel, Thomas Huth Our gnutls crypto backend (which is the default as of 8bd0931f6) supports neither twofish-128 nor the CTR mode. CBC and aes-128 are supported by all of our backends (as far as I can tell), so use aes-128-cbc in our iotests. (We could also use e.g. aes-256-cbc, but the different key sizes would lead to different key slot offsets and so change the reference output more, which is why I went with aes-128.) Signed-off-by: Hanna Reitz <hreitz@redhat.com> --- tests/qemu-iotests/206 | 4 ++-- tests/qemu-iotests/206.out | 6 +++--- tests/qemu-iotests/210 | 4 ++-- tests/qemu-iotests/210.out | 6 +++--- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/tests/qemu-iotests/206 b/tests/qemu-iotests/206 index c3cdad4ce4..10eff343f7 100755 --- a/tests/qemu-iotests/206 +++ b/tests/qemu-iotests/206 @@ -162,8 +162,8 @@ with iotests.FilePath('t.qcow2') as disk_path, \ 'encrypt': { 'format': 'luks', 'key-secret': 'keysec0', - 'cipher-alg': 'twofish-128', - 'cipher-mode': 'ctr', + 'cipher-alg': 'aes-128', + 'cipher-mode': 'cbc', 'ivgen-alg': 'plain64', 'ivgen-hash-alg': 'md5', 'hash-alg': 'sha1', diff --git a/tests/qemu-iotests/206.out b/tests/qemu-iotests/206.out index 3593e8e9c2..80cd274223 100644 --- a/tests/qemu-iotests/206.out +++ b/tests/qemu-iotests/206.out @@ -97,7 +97,7 @@ Format specific information: === Successful image creation (encrypted) === -{"execute": "blockdev-create", "arguments": {"job-id": "job0", "options": {"driver": "qcow2", "encrypt": {"cipher-alg": "twofish-128", "cipher-mode": "ctr", "format": "luks", "hash-alg": "sha1", "iter-time": 10, "ivgen-alg": "plain64", "ivgen-hash-alg": "md5", "key-secret": "keysec0"}, "file": {"driver": "file", "filename": "TEST_DIR/PID-t.qcow2"}, "size": 33554432}}} +{"execute": "blockdev-create", "arguments": {"job-id": "job0", "options": {"driver": "qcow2", "encrypt": {"cipher-alg": "aes-128", "cipher-mode": "cbc", "format": "luks", "hash-alg": "sha1", "iter-time": 10, "ivgen-alg": "plain64", "ivgen-hash-alg": "md5", "key-secret": "keysec0"}, "file": {"driver": "file", "filename": "TEST_DIR/PID-t.qcow2"}, "size": 33554432}}} {"return": {}} {"execute": "job-dismiss", "arguments": {"id": "job0"}} {"return": {}} @@ -115,10 +115,10 @@ Format specific information: encrypt: ivgen alg: plain64 hash alg: sha1 - cipher alg: twofish-128 + cipher alg: aes-128 uuid: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX format: luks - cipher mode: ctr + cipher mode: cbc slots: [0]: active: true diff --git a/tests/qemu-iotests/210 b/tests/qemu-iotests/210 index 5a62ed4dd1..a4dcc5fe59 100755 --- a/tests/qemu-iotests/210 +++ b/tests/qemu-iotests/210 @@ -83,8 +83,8 @@ with iotests.FilePath('t.luks') as disk_path, \ }, 'size': size, 'key-secret': 'keysec0', - 'cipher-alg': 'twofish-128', - 'cipher-mode': 'ctr', + 'cipher-alg': 'aes-128', + 'cipher-mode': 'cbc', 'ivgen-alg': 'plain64', 'ivgen-hash-alg': 'md5', 'hash-alg': 'sha1', diff --git a/tests/qemu-iotests/210.out b/tests/qemu-iotests/210.out index 55c0844370..96d9f749dd 100644 --- a/tests/qemu-iotests/210.out +++ b/tests/qemu-iotests/210.out @@ -59,7 +59,7 @@ Format specific information: {"execute": "job-dismiss", "arguments": {"id": "job0"}} {"return": {}} -{"execute": "blockdev-create", "arguments": {"job-id": "job0", "options": {"cipher-alg": "twofish-128", "cipher-mode": "ctr", "driver": "luks", "file": {"driver": "file", "filename": "TEST_DIR/PID-t.luks"}, "hash-alg": "sha1", "iter-time": 10, "ivgen-alg": "plain64", "ivgen-hash-alg": "md5", "key-secret": "keysec0", "size": 67108864}}} +{"execute": "blockdev-create", "arguments": {"job-id": "job0", "options": {"cipher-alg": "aes-128", "cipher-mode": "cbc", "driver": "luks", "file": {"driver": "file", "filename": "TEST_DIR/PID-t.luks"}, "hash-alg": "sha1", "iter-time": 10, "ivgen-alg": "plain64", "ivgen-hash-alg": "md5", "key-secret": "keysec0", "size": 67108864}}} {"return": {}} {"execute": "job-dismiss", "arguments": {"id": "job0"}} {"return": {}} @@ -71,9 +71,9 @@ encrypted: yes Format specific information: ivgen alg: plain64 hash alg: sha1 - cipher alg: twofish-128 + cipher alg: aes-128 uuid: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX - cipher mode: ctr + cipher mode: cbc slots: [0]: active: true -- 2.33.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH v2 1/2] iotests: Use aes-128-cbc 2021-11-17 15:17 ` [PATCH v2 1/2] iotests: Use aes-128-cbc Hanna Reitz @ 2021-11-17 15:47 ` Daniel P. Berrangé 2021-11-19 8:53 ` Thomas Huth 1 sibling, 0 replies; 7+ messages in thread From: Daniel P. Berrangé @ 2021-11-17 15:47 UTC (permalink / raw) To: Hanna Reitz; +Cc: Kevin Wolf, Thomas Huth, qemu-devel, qemu-block On Wed, Nov 17, 2021 at 04:17:06PM +0100, Hanna Reitz wrote: > Our gnutls crypto backend (which is the default as of 8bd0931f6) > supports neither twofish-128 nor the CTR mode. CBC and aes-128 are > supported by all of our backends (as far as I can tell), so use > aes-128-cbc in our iotests. Yes, AES is guarnateed by all backends, as is ECB,CBC & XTS modes. > > (We could also use e.g. aes-256-cbc, but the different key sizes would > lead to different key slot offsets and so change the reference output > more, which is why I went with aes-128.) > > Signed-off-by: Hanna Reitz <hreitz@redhat.com> > --- > tests/qemu-iotests/206 | 4 ++-- > tests/qemu-iotests/206.out | 6 +++--- > tests/qemu-iotests/210 | 4 ++-- > tests/qemu-iotests/210.out | 6 +++--- > 4 files changed, 10 insertions(+), 10 deletions(-) Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2 1/2] iotests: Use aes-128-cbc 2021-11-17 15:17 ` [PATCH v2 1/2] iotests: Use aes-128-cbc Hanna Reitz 2021-11-17 15:47 ` Daniel P. Berrangé @ 2021-11-19 8:53 ` Thomas Huth 1 sibling, 0 replies; 7+ messages in thread From: Thomas Huth @ 2021-11-19 8:53 UTC (permalink / raw) To: Hanna Reitz, qemu-block; +Cc: Kevin Wolf, Daniel P . Berrangé, qemu-devel On 17/11/2021 16.17, Hanna Reitz wrote: > Our gnutls crypto backend (which is the default as of 8bd0931f6) > supports neither twofish-128 nor the CTR mode. CBC and aes-128 are > supported by all of our backends (as far as I can tell), so use > aes-128-cbc in our iotests. > > (We could also use e.g. aes-256-cbc, but the different key sizes would > lead to different key slot offsets and so change the reference output > more, which is why I went with aes-128.) > > Signed-off-by: Hanna Reitz <hreitz@redhat.com> > --- > tests/qemu-iotests/206 | 4 ++-- > tests/qemu-iotests/206.out | 6 +++--- > tests/qemu-iotests/210 | 4 ++-- > tests/qemu-iotests/210.out | 6 +++--- > 4 files changed, 10 insertions(+), 10 deletions(-) Thanks, this fixes the failure on my system! Tested-by: Thomas Huth <thuth@redhat.com> ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH v2 2/2] iotests/149: Skip on unsupported ciphers 2021-11-17 15:17 [PATCH v2 0/2] iotests: Fix crypto algorithm failures Hanna Reitz 2021-11-17 15:17 ` [PATCH v2 1/2] iotests: Use aes-128-cbc Hanna Reitz @ 2021-11-17 15:17 ` Hanna Reitz 2021-11-17 15:46 ` Daniel P. Berrangé 1 sibling, 1 reply; 7+ messages in thread From: Hanna Reitz @ 2021-11-17 15:17 UTC (permalink / raw) To: qemu-block Cc: Kevin Wolf, Hanna Reitz, Daniel P . Berrangé, qemu-devel, Thomas Huth Whenever qemu-img or qemu-io report that some cipher is unsupported, skip the whole test, because that is probably because qemu has been configured with the gnutls crypto backend. We could taylor the algorithm list to what gnutls supports, but this is a test that is run rather rarely anyway (because it requires password-less sudo), and so it seems better and easier to skip it. When this test is intentionally run to check LUKS compatibility, it seems better not to limit the algorithms but keep the list extensive. Signed-off-by: Hanna Reitz <hreitz@redhat.com> --- tests/qemu-iotests/149 | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/tests/qemu-iotests/149 b/tests/qemu-iotests/149 index 328fd05a4c..d49646ca60 100755 --- a/tests/qemu-iotests/149 +++ b/tests/qemu-iotests/149 @@ -230,6 +230,18 @@ def create_image(config, size_mb): fn.truncate(size_mb * 1024 * 1024) +def check_cipher_support(config, output): + """Check the output of qemu-img or qemu-io for mention of the respective + cipher algorithm being unsupported, and if so, skip this test. + (Returns `output` for convenience.)""" + + if 'Unsupported cipher algorithm' in output: + iotests.notrun('Unsupported cipher algorithm ' + f'{config.cipher}-{config.keylen}-{config.mode}; ' + 'consider configuring qemu with a different crypto ' + 'backend') + return output + def qemu_img_create(config, size_mb): """Create and format a disk image with LUKS using qemu-img""" @@ -253,7 +265,8 @@ def qemu_img_create(config, size_mb): "%dM" % size_mb] iotests.log("qemu-img " + " ".join(args), filters=[iotests.filter_test_dir]) - iotests.log(iotests.qemu_img_pipe(*args), filters=[iotests.filter_test_dir]) + iotests.log(check_cipher_support(config, iotests.qemu_img_pipe(*args)), + filters=[iotests.filter_test_dir]) def qemu_io_image_args(config, dev=False): """Get the args for access an image or device with qemu-io""" @@ -279,8 +292,8 @@ def qemu_io_write_pattern(config, pattern, offset_mb, size_mb, dev=False): args = ["-c", "write -P 0x%x %dM %dM" % (pattern, offset_mb, size_mb)] args.extend(qemu_io_image_args(config, dev)) iotests.log("qemu-io " + " ".join(args), filters=[iotests.filter_test_dir]) - iotests.log(iotests.qemu_io(*args), filters=[iotests.filter_test_dir, - iotests.filter_qemu_io]) + iotests.log(check_cipher_support(config, iotests.qemu_io(*args)), + filters=[iotests.filter_test_dir, iotests.filter_qemu_io]) def qemu_io_read_pattern(config, pattern, offset_mb, size_mb, dev=False): @@ -291,8 +304,8 @@ def qemu_io_read_pattern(config, pattern, offset_mb, size_mb, dev=False): args = ["-c", "read -P 0x%x %dM %dM" % (pattern, offset_mb, size_mb)] args.extend(qemu_io_image_args(config, dev)) iotests.log("qemu-io " + " ".join(args), filters=[iotests.filter_test_dir]) - iotests.log(iotests.qemu_io(*args), filters=[iotests.filter_test_dir, - iotests.filter_qemu_io]) + iotests.log(check_cipher_support(config, iotests.qemu_io(*args)), + filters=[iotests.filter_test_dir, iotests.filter_qemu_io]) def test_once(config, qemu_img=False): -- 2.33.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH v2 2/2] iotests/149: Skip on unsupported ciphers 2021-11-17 15:17 ` [PATCH v2 2/2] iotests/149: Skip on unsupported ciphers Hanna Reitz @ 2021-11-17 15:46 ` Daniel P. Berrangé 2021-11-18 15:53 ` Hanna Reitz 0 siblings, 1 reply; 7+ messages in thread From: Daniel P. Berrangé @ 2021-11-17 15:46 UTC (permalink / raw) To: Hanna Reitz; +Cc: Kevin Wolf, Thomas Huth, qemu-devel, qemu-block On Wed, Nov 17, 2021 at 04:17:07PM +0100, Hanna Reitz wrote: > Whenever qemu-img or qemu-io report that some cipher is unsupported, > skip the whole test, because that is probably because qemu has been > configured with the gnutls crypto backend. > > We could taylor the algorithm list to what gnutls supports, but this is > a test that is run rather rarely anyway (because it requires > password-less sudo), and so it seems better and easier to skip it. When > this test is intentionally run to check LUKS compatibility, it seems > better not to limit the algorithms but keep the list extensive. I'd really like to figure out a way to be able to partially run this test. When I have hit problems in the past, I needed to run specific tests, but then the expected output always contains everything. I've thought of a few options - Split it into many stanadlone tests - eg tests/qemu-iotests/tests/luks-host-$ALG - Split only the expected output eg 149-$SUBTEST and have a way to indicate which of expected output files we need to concatenate for the set of subtests that we run. - Introduce some template syntax in expected output tha can be used to munge the output. - Stop comparing expected output entirely and just then this into a normal python unit test. - Insert your idea here ? > > Signed-off-by: Hanna Reitz <hreitz@redhat.com> > --- > tests/qemu-iotests/149 | 23 ++++++++++++++++++----- > 1 file changed, 18 insertions(+), 5 deletions(-) Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2 2/2] iotests/149: Skip on unsupported ciphers 2021-11-17 15:46 ` Daniel P. Berrangé @ 2021-11-18 15:53 ` Hanna Reitz 0 siblings, 0 replies; 7+ messages in thread From: Hanna Reitz @ 2021-11-18 15:53 UTC (permalink / raw) To: Daniel P. Berrangé; +Cc: Kevin Wolf, Thomas Huth, qemu-devel, qemu-block On 17.11.21 16:46, Daniel P. Berrangé wrote: > On Wed, Nov 17, 2021 at 04:17:07PM +0100, Hanna Reitz wrote: >> Whenever qemu-img or qemu-io report that some cipher is unsupported, >> skip the whole test, because that is probably because qemu has been >> configured with the gnutls crypto backend. >> >> We could taylor the algorithm list to what gnutls supports, but this is >> a test that is run rather rarely anyway (because it requires >> password-less sudo), and so it seems better and easier to skip it. When >> this test is intentionally run to check LUKS compatibility, it seems >> better not to limit the algorithms but keep the list extensive. > I'd really like to figure out a way to be able to partially run > this test. When I have hit problems in the past, I needed to > run specific tests, but then the expected output always contains > everything. I've thought of a few options > > - Split it into many stanadlone tests - eg > tests/qemu-iotests/tests/luks-host-$ALG I wouldn’t hate it, though we should have some common file where common code can be sourced from. > - Split only the expected output eg > > 149-$SUBTEST > > and have a way to indicate which of expected output files > we need to concatenate for the set of subtests that we > run. I’d prefer it if the test could verify its own output so that the reference output is basically just the usual unittest output of dots, “Ran XX tests” and “OK”. (Two reasons: You can then easily disable some tests with the reference output changing only slightly; and it makes reviewing a test much easier because then I don’t need to verify the reference output...) > - Introduce some template syntax in expected output > tha can be used to munge the output. > > - Stop comparing expected output entirely and just > then this into a normal python unit test. That’s something that might indeed be useful for unittest-style iotests. Then again, we already allow them to skip any test case and it will be counted as success, is that not sufficient? > - Insert your idea here ? I personally most prefer unittest-style tests, because with them you can just %s/def test_/def xtest_/, then reverse this change for all the cases you want to run, and then adjust the reference output to match the number of tests run. So I suppose the best idea I have is to convert this test into unittest style, and then it should be more modular when it comes to what subtests it wants to run. I mean, it doesn’t have to truly be an iotests.QMPTestCase. It would be sufficient if the test itself verified the output of every command it invokes (instead of leaving that to a separate reference output file) and then printed something like “OK” afterwards. Then we could trivially skip some cases just by printing “OK” even if they weren’t run. Hanna ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2021-11-19 8:58 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2021-11-17 15:17 [PATCH v2 0/2] iotests: Fix crypto algorithm failures Hanna Reitz 2021-11-17 15:17 ` [PATCH v2 1/2] iotests: Use aes-128-cbc Hanna Reitz 2021-11-17 15:47 ` Daniel P. Berrangé 2021-11-19 8:53 ` Thomas Huth 2021-11-17 15:17 ` [PATCH v2 2/2] iotests/149: Skip on unsupported ciphers Hanna Reitz 2021-11-17 15:46 ` Daniel P. Berrangé 2021-11-18 15:53 ` Hanna Reitz
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).