Message ID | 154749642921.63704.16381620150804266304.stgit@djiang5-desk3.ch.intel.com (mailing list archive) |
---|---|
State | Superseded |
Series | ndctl: add security support | expand |
On 01/14, Dave Jiang wrote:
> Add unit test for security enable, disable, update, erase, unlock, and
> freeze.
>
> Signed-off-by: Dave Jiang <dave.jiang@intel.com>
> ---
> test/Makefile.am | 4 +
> test/security.sh | 197 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 201 insertions(+)
> create mode 100755 test/security.sh
>
> diff --git a/test/Makefile.am b/test/Makefile.am
> index ebdd23f6..42009c31 100644
> --- a/test/Makefile.am
> +++ b/test/Makefile.am
> @@ -27,6 +27,10 @@ TESTS =\
> max_available_extent_ns.sh \
> pfn-meta-errors.sh
>
> +if ENABLE_KEYUTILS
> +TESTS += security.sh
> +endif
> +
> check_PROGRAMS =\
> libndctl \
> dsm-fail \
> diff --git a/test/security.sh b/test/security.sh
> new file mode 100755
> index 00000000..9f69b481
> --- /dev/null
> +++ b/test/security.sh
> @@ -0,0 +1,197 @@
> +#!/bin/bash -Ex
> +# SPDX-License-Identifier: GPL-2.0
> +# Copyright(c) 2018 Intel Corporation. All rights reserved.
> +
> +rc=77
> +dev=""
[..]
> +
> +lock_dimm()
> +{
> + $NDCTL disable-dimm "$dev"
> + dev_no="${dev#nmem}"
> + echo 1 > "${lockpath}${dev_no}/lock_dimm"
This breaks setups where nfit_test.0 is not the first bus on the system. The following patch should fix it (you can squash it into this patch):
8<----
From 9365b1af15c3c8958f87f618494c3a52d09d8cbc Mon Sep 17 00:00:00 2001
From: Vishal Verma <vishal.l.verma@intel.com>
Date: Tue, 15 Jan 2019 17:49:23 -0700
Subject: [ndctl PATCH] test/security.sh: fix nmemX to nfit_test_dimm translation

The lock_dimm helper used the nmemX number as is to find the test_dimm path to trigger the dimm lock for nfit_test, which is incorrect. The test_dimmY device numbring is relative to nfit_test only, and nmemX is systemwide. Use the dimm handles to find the right test_dimm to operate on in lock_dimm. If another user of this functionality shows up, we can then refactor this into a helper routing in test/common. While at it, and since this patch is just going to be squashed into the original, fix up a few more quoting issues.
Signed-off-by: Vishal Verma <vishal.l.verma@intel.com>
---
 test/security.sh | 41 ++++++++++++++++++++++++++++-------------
 1 file changed, 28 insertions(+), 13 deletions(-)
diff --git a/test/security.sh b/test/security.sh
index 9f69b48..ea6b235 100755
--- a/test/security.sh
+++ b/test/security.sh
@@ -5,15 +5,12 @@
 rc=77
 dev=""
 id=""
-dev_no=""
 keypath="/etc/ndctl/keys"
 masterkey="nvdimm-master-test"
 masterpath="$keypath/$masterkey"

 . ./common

-lockpath="/sys/devices/platform/${NFIT_TEST_BUS0}/nfit_test_dimm/test_dimm"
-
 trap 'err $LINENO' ERR

 setup()
@@ -57,12 +54,30 @@ test_cleanup()
 lock_dimm()
 {
 $NDCTL disable-dimm "$dev"
- dev_no="${dev#nmem}"
- echo 1 > "${lockpath}${dev_no}/lock_dimm"
+
+ # convert nmemX --> test_dimmY
+ # for now this is the only user of such a conversion so we can leave it inline
+ # once a subsequent user arrives we can refactor this to a helper in test/common:
+ # get_test_dimm_path "nfit_test.0" "nmem3"
+ handle="$(ndctl list -b "$NFIT_TEST_BUS0" -d "$dev" -i | jq -r .[].dimms[0].handle)"
+ test_dimm_path=""
+ for test_dimm in /sys/devices/platform/"$NFIT_TEST_BUS0"/nfit_test_dimm/test_dimm*; do
+ td_handle_file="$test_dimm/handle"
+ test -e "$td_handle_file" || continue
+ td_handle="$(cat "$td_handle_file")"
+ if [[ "$td_handle" -eq "$handle" ]]; then
+ test_dimm_path="$test_dimm"
+ break
+ fi
+ done
+ test -d "$test_dimm_path"
+
+ # now lock the dimm
+ echo 1 > "${test_dimm_path}/lock_dimm"
 sstate="$(get_security_state)"
 if [ "$sstate" != "locked" ]; then
 echo "Incorrect security state: $sstate expected: disabled"
- err $LINENO
+ err "$LINENO"
 fi
 }

@@ -77,7 +92,7 @@ enable_passphrase()
 sstate="$(get_security_state)"
 if [ "$sstate" != "unlocked" ]; then
 echo "Incorrect security state: $sstate expected: unlocked"
- err $LINENO
+ err "$LINENO"
 fi
 }

@@ -87,7 +102,7 @@ disable_passphrase()
 sstate="$(get_security_state)"
 if [ "$sstate" != "disabled" ]; then
 echo "Incorrect security state: $sstate expected: disabled"
- err $LINENO
+ err "$LINENO"
 fi
 }

@@ -97,7 +112,7 @@ erase_security()
 sstate="$(get_security_state)"
 if [ "$sstate" != "disabled" ]; then
 echo "Incorrect security state: $sstate expected: disabled"
- err $LINENO
+ err "$LINENO"
 fi
 }

@@ -107,7 +122,7 @@ update_security()
 sstate="$(get_security_state)"
 if [ "$sstate" != "unlocked" ]; then
 echo "Incorrect security state: $sstate expected: unlocked"
- err $LINENO
+ err "$LINENO"
 fi
 }

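Review bot: The new handle lookup in `lock_dimm` calls a bare `ndctl` while every other invocation in the script goes through `$NDCTL`, so this step can pick up a different binary from PATH, or none; it should read `handle="$($NDCTL list -b "$NFIT_TEST_BUS0" -d "$dev" -i | jq -r .[].dimms[0].handle)"`. The result is then used unchecked in `[[ "$td_handle" -eq "$handle" ]]`, which evaluates both sides arithmetically, so an empty or `null` result from jq is treated as 0 and would match any test_dimm whose handle file reads 0. A guard before the loop, `[ -n "$handle" ] && [ "$handle" != "null" ] || err "$LINENO"`, turns a failed lookup into an explicit test failure instead of locking the wrong dimm. The unchanged context line `echo "Incorrect security state: $sstate expected: disabled"` also names the wrong state for the `locked` check.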
@@ -143,7 +158,7 @@ test_4_security_unlock()
 sstate="$(get_security_state)"
 if [ "$sstate" != "unlocked" ]; then
 echo "Incorrect security state: $sstate expected: unlocked"
- err $LINENO
+ err "$LINENO"
 fi
 $NDCTL disable-region -b "$NFIT_TEST_BUS0" all
 disable_passphrase
@@ -158,14 +173,14 @@ test_5_security_freeze()
 sstate="$(get_security_state)"
 if [ "$sstate" != "frozen" ]; then
 echo "Incorrect security state: $sstate expected: frozen"
- err $LINENO
+ err "$LINENO"
 fi
 $NDCTL disable-passphrase "$dev" && { echo "disable succeed after frozen"; }
 sstate="$(get_security_state)"
 echo "$sstate"
 if [ "$sstate" != "frozen" ]; then
 echo "Incorrect security state: $sstate expected: disabled"
- err $LINENO
+ err "$LINENO"
 fi
 }

diff --git a/test/Makefile.am b/test/Makefile.am
index ebdd23f6..42009c31 100644
--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -27,6 +27,10 @@ TESTS =\
 max_available_extent_ns.sh \
 pfn-meta-errors.sh

+if ENABLE_KEYUTILS
+TESTS += security.sh
+endif
+
 check_PROGRAMS =\
 libndctl \
 dsm-fail \
diff --git a/test/security.sh b/test/security.sh
new file mode 100755
index 00000000..9f69b481
--- /dev/null
+++ b/test/security.sh
@@ -0,0 +1,197 @@
+#!/bin/bash -Ex
+# SPDX-License-Identifier: GPL-2.0
+# Copyright(c) 2018 Intel Corporation. All rights reserved.
+
+rc=77
+dev=""
+id=""
+dev_no=""
+keypath="/etc/ndctl/keys"
+masterkey="nvdimm-master-test"
+masterpath="$keypath/$masterkey"
+
+. ./common
+
+lockpath="/sys/devices/platform/${NFIT_TEST_BUS0}/nfit_test_dimm/test_dimm"
+
+trap 'err $LINENO' ERR
+
+setup()
+{
+ $NDCTL disable-region -b "$NFIT_TEST_BUS0" all
+}
+
+detect()
+{
+ dev="$($NDCTL list -b "$NFIT_TEST_BUS0" -D | jq -r .[0].dev)"
+ [ -n "$dev" ] || err "$LINENO"
+ id="$($NDCTL list -b "$NFIT_TEST_BUS0" -D | jq -r .[0].id)"
+ [ -n "$id" ] || err "$LINENO"
+}
+
+setup_keys()
+{
+ keyctl add user "$masterkey" "$(dd if=/dev/urandom bs=1 count=32 2>/dev/null)" @u
+ keyctl pipe "$(keyctl search @u user $masterkey)" > "$masterpath"
+}
+
+test_cleanup()
+{
+ if keyctl search @u encrypted nvdimm:"$id"; then
+ keyctl unlink "$(keyctl search @u encrypted nvdimm:"$id")"
+ fi
+
+ if keyctl search @u user "$masterkey"; then
+ keyctl unlink "$(keyctl search @u user $masterkey)"
+ fi
+
+ if [ -f "$keypath"/nvdimm_"$id"_"$(hostname)".blob ]; then
+ rm -f "$keypath"/nvdimm_"$id"_"$(hostname)".blob
+ fi
+
+ if [ -f $masterpath ]; then
+ rm -f "$masterpath"
+ fi
+}
+
+lock_dimm()
+{
+ $NDCTL disable-dimm "$dev"
+ dev_no="${dev#nmem}"
+ echo 1 > "${lockpath}${dev_no}/lock_dimm"
+ sstate="$(get_security_state)"
+ if [ "$sstate" != "locked" ]; then
+ echo "Incorrect security state: $sstate expected: disabled"
+ err $LINENO
+ fi
+}
+
+get_security_state()
+{
+ $NDCTL list -i -b "$NFIT_TEST_BUS0" -d "$dev" | jq -r .[].dimms[0].security
+}
+
+enable_passphrase()
+{
+ $NDCTL enable-passphrase -m user:"$masterkey" "$dev"
+ sstate="$(get_security_state)"
+ if [ "$sstate" != "unlocked" ]; then
+ echo "Incorrect security state: $sstate expected: unlocked"
+ err $LINENO
+ fi
+}
+
+disable_passphrase()
+{
+ $NDCTL disable-passphrase "$dev"
+ sstate="$(get_security_state)"
+ if [ "$sstate" != "disabled" ]; then
+ echo "Incorrect security state: $sstate expected: disabled"
+ err $LINENO
+ fi
+}
+
+erase_security()
+{
+ $NDCTL sanitize-dimm -c "$dev"
+ sstate="$(get_security_state)"
+ if [ "$sstate" != "disabled" ]; then
+ echo "Incorrect security state: $sstate expected: disabled"
+ err $LINENO
+ fi
+}
+
+update_security()
+{
+ $NDCTL update-passphrase -m user:"$masterkey" "$dev"
+ sstate="$(get_security_state)"
+ if [ "$sstate" != "unlocked" ]; then
+ echo "Incorrect security state: $sstate expected: unlocked"
+ err $LINENO
+ fi
+}
+
+freeze_security()
+{
+ $NDCTL freeze-security "$dev"
+}
+
+test_1_security_enable_and_disable()
+{
+ enable_passphrase
+ disable_passphrase
+}
+
+test_2_security_enable_and_update()
+{
+ enable_passphrase
+ update_security
+ disable_passphrase
+}
+
+test_3_security_enable_and_erase()
+{
+ enable_passphrase
+ erase_security
+}
+
+test_4_security_unlock()
+{
+ enable_passphrase
+ lock_dimm
+ $NDCTL enable-dimm "$dev"
+ sstate="$(get_security_state)"
+ if [ "$sstate" != "unlocked" ]; then
+ echo "Incorrect security state: $sstate expected: unlocked"
+ err $LINENO
+ fi
+ $NDCTL disable-region -b "$NFIT_TEST_BUS0" all
+ disable_passphrase
+}
+
+# this should always be the last test. with security frozen, nfit_test must
+# be removed and is no longer usable
+test_5_security_freeze()
+{
+ enable_passphrase
+ freeze_security
+ sstate="$(get_security_state)"
+ if [ "$sstate" != "frozen" ]; then
+ echo "Incorrect security state: $sstate expected: frozen"
+ err $LINENO
+ fi
+ $NDCTL disable-passphrase "$dev" && { echo "disable succeed after frozen"; }
+ sstate="$(get_security_state)"
+ echo "$sstate"
+ if [ "$sstate" != "frozen" ]; then
+ echo "Incorrect security state: $sstate expected: disabled"
+ err $LINENO
+ fi
+}
+
+check_min_kver "5.0" || do_skip "may lack security handling"
+
+modprobe nfit_test
+setup
+check_prereq "keyctl"
+rc=1
+detect
+test_cleanup
+setup_keys
+echo "Test 1, security enable and disable"
+test_1_security_enable_and_disable
+echo "Test 2, security enable, update, and disable"
+test_2_security_enable_and_update
+echo "Test 3, security enable and erase"
+test_3_security_enable_and_erase
+echo "Test 4, unlock dimm"
+test_4_security_unlock
+
+# Freeze should always be run last because it locks security state and require
+# nfit_test module unload.
+echo "Test 5, freeze security"
+test_5_security_freeze
+
+test_cleanup
+_cleanup
+exit 0
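Review bot: In `setup_keys` the master key is built with `"$(dd if=/dev/urandom bs=1 count=32 2>/dev/null)"`, and command substitution drops NUL bytes and trailing newlines, so the stored key can be shorter than 32 bytes; the value is also passed as an argument, which the shebang's `-x` trace prints into the test log. Piping the bytes keeps the full length and keeps the key off the command line: `dd if=/dev/urandom bs=1 count=32 2>/dev/null | keyctl padd user "$masterkey" @u`. The copy written to `$masterpath` under `/etc/ndctl/keys` is created with whatever umask the test runs under, so a `umask 077` before the `keyctl pipe` line would be prudent. Separately, the failure messages in `lock_dimm` and in the second check of `test_5_security_freeze` print `expected: disabled` although the comparisons are against `locked` and `frozen`.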
Add unit test for security enable, disable, update, erase, unlock, and freeze. Signed-off-by: Dave Jiang <dave.jiang@intel.com> --- test/Makefile.am | 4 + test/security.sh | 197 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 201 insertions(+) create mode 100755 test/security.sh