[RFC,3/9] common/encrypt: support checking for v2 encryption policy support
diff mbox series

Message ID 20190812175809.34810-4-ebiggers@kernel.org
State Superseded
Headers show
Series
  • xfstests: add tests for fscrypt key management improvements
Related show

Commit Message

Eric Biggers Aug. 12, 2019, 5:58 p.m. UTC
From: Eric Biggers <ebiggers@google.com>

Allow passing '-v 2' to _require_scratch_encryption() to check for v2
encryption policy support on the scratch device, and for xfs_io support
for setting and getting v2 encryption policies.

Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 common/encrypt | 41 +++++++++++++++++++++++++++++++----------
 1 file changed, 31 insertions(+), 10 deletions(-)

Comments

Eryu Guan Sept. 1, 2019, 12:08 p.m. UTC | #1
On Mon, Aug 12, 2019 at 10:58:03AM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> Allow passing '-v 2' to _require_scratch_encryption() to check for v2
> encryption policy support on the scratch device, and for xfs_io support
> for setting and getting v2 encryption policies.
> 
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
>  common/encrypt | 41 +++++++++++++++++++++++++++++++----------
>  1 file changed, 31 insertions(+), 10 deletions(-)
> 
> diff --git a/common/encrypt b/common/encrypt
> index a086e80f..fa6e2672 100644
> --- a/common/encrypt
> +++ b/common/encrypt
> @@ -6,12 +6,13 @@
>  
>  #
>  # _require_scratch_encryption [-c CONTENTS_MODE] [-n FILENAMES_MODE]
> +#			      [-v POLICY_VERSION]
>  #
>  # Require encryption support on the scratch device.
>  #
> -# This checks for support for the default type of encryption policy (AES-256-XTS
> -# and AES-256-CTS).  Options can be specified to also require support for a
> -# different type of encryption policy.
> +# This checks for support for the default type of encryption policy (v1 with
> +# AES-256-XTS and AES-256-CTS).  Options can be specified to also require
> +# support for a different type of encryption policy.
>  #
>  _require_scratch_encryption()
>  {
> @@ -68,13 +69,15 @@ _require_encryption_policy_support()
>  	local mnt=$1
>  	local dir=$mnt/tmpdir
>  	local set_encpolicy_args=""
> +	local policy_version=1
>  	local c
>  
>  	OPTIND=2
> -	while getopts "c:n:" c; do
> +	while getopts "c:n:v:" c; do
>  		case $c in
> -		c|n)
> +		c|n|v)
>  			set_encpolicy_args+=" -$c $OPTARG"
> +			[ $c = v ] && policy_version=$OPTARG

Why not checking 'v' in a separate case?

>  			;;
>  		*)
>  			_fail "Unrecognized option '$c'"
> @@ -87,10 +90,26 @@ _require_encryption_policy_support()
>  		>> $seqres.full
>  
>  	mkdir $dir
> -	_require_command "$KEYCTL_PROG" keyctl
> -	_new_session_keyring
> -	local keydesc=$(_generate_session_encryption_key)
> -	if _set_encpolicy $dir $keydesc $set_encpolicy_args \
> +	if (( policy_version > 1 )); then
> +		_require_xfs_io_command "get_encpolicy" "-t"
> +		local output=$(_get_encpolicy $dir -t)
> +		if [ "$output" != "supported" ]; then
> +			if [ "$output" = "unsupported" ]; then
> +				_notrun "kernel does not support $FSTYP encryption v2 API"
> +			fi
> +			_fail "Unexpected output from 'get_encpolicy -t'"

Print $output in the _fail message as well?

Thanks,
Eryu

> +		fi
> +		# Both the kernel and xfs_io support v2 encryption policies, and
> +		# therefore also filesystem-level keys -- since that's the only
> +		# way to provide keys for v2 policies.
> +		local raw_key=$(_generate_raw_encryption_key)
> +		local keyspec=$(_add_enckey $mnt "$raw_key" | awk '{print $NF}')
> +	else
> +		_require_command "$KEYCTL_PROG" keyctl
> +		_new_session_keyring
> +		local keyspec=$(_generate_session_encryption_key)
> +	fi
> +	if _set_encpolicy $dir $keyspec $set_encpolicy_args \
>  		2>&1 >>$seqres.full | egrep -q 'Invalid argument'; then
>  		_notrun "kernel does not support encryption policy: '$set_encpolicy_args'"
>  	fi
> @@ -103,7 +122,9 @@ _require_encryption_policy_support()
>  	if ! echo foo > $dir/file; then
>  		_notrun "encryption policy '$set_encpolicy_args' is unusable; probably missing kernel crypto API support"
>  	fi
> -	$KEYCTL_PROG clear @s
> +	if (( policy_version <= 1 )); then
> +		$KEYCTL_PROG clear @s
> +	fi
>  	rm -r $dir
>  }
>  
> -- 
> 2.23.0.rc1.153.gdeed80330f-goog
>

Patch
diff mbox series

diff --git a/common/encrypt b/common/encrypt
index a086e80f..fa6e2672 100644
--- a/common/encrypt
+++ b/common/encrypt
@@ -6,12 +6,13 @@ 
 
 #
 # _require_scratch_encryption [-c CONTENTS_MODE] [-n FILENAMES_MODE]
+#			      [-v POLICY_VERSION]
 #
 # Require encryption support on the scratch device.
 #
-# This checks for support for the default type of encryption policy (AES-256-XTS
-# and AES-256-CTS).  Options can be specified to also require support for a
-# different type of encryption policy.
+# This checks for support for the default type of encryption policy (v1 with
+# AES-256-XTS and AES-256-CTS).  Options can be specified to also require
+# support for a different type of encryption policy.
 #
 _require_scratch_encryption()
 {
@@ -68,13 +69,15 @@  _require_encryption_policy_support()
 	local mnt=$1
 	local dir=$mnt/tmpdir
 	local set_encpolicy_args=""
+	local policy_version=1
 	local c
 
 	OPTIND=2
-	while getopts "c:n:" c; do
+	while getopts "c:n:v:" c; do
 		case $c in
-		c|n)
+		c|n|v)
 			set_encpolicy_args+=" -$c $OPTARG"
+			[ $c = v ] && policy_version=$OPTARG
 			;;
 		*)
 			_fail "Unrecognized option '$c'"
@@ -87,10 +90,26 @@  _require_encryption_policy_support()
 		>> $seqres.full
 
 	mkdir $dir
-	_require_command "$KEYCTL_PROG" keyctl
-	_new_session_keyring
-	local keydesc=$(_generate_session_encryption_key)
-	if _set_encpolicy $dir $keydesc $set_encpolicy_args \
+	if (( policy_version > 1 )); then
+		_require_xfs_io_command "get_encpolicy" "-t"
+		local output=$(_get_encpolicy $dir -t)
+		if [ "$output" != "supported" ]; then
+			if [ "$output" = "unsupported" ]; then
+				_notrun "kernel does not support $FSTYP encryption v2 API"
+			fi
+			_fail "Unexpected output from 'get_encpolicy -t'"
+		fi
+		# Both the kernel and xfs_io support v2 encryption policies, and
+		# therefore also filesystem-level keys -- since that's the only
+		# way to provide keys for v2 policies.
+		local raw_key=$(_generate_raw_encryption_key)
+		local keyspec=$(_add_enckey $mnt "$raw_key" | awk '{print $NF}')
+	else
+		_require_command "$KEYCTL_PROG" keyctl
+		_new_session_keyring
+		local keyspec=$(_generate_session_encryption_key)
+	fi
+	if _set_encpolicy $dir $keyspec $set_encpolicy_args \
 		2>&1 >>$seqres.full | egrep -q 'Invalid argument'; then
 		_notrun "kernel does not support encryption policy: '$set_encpolicy_args'"
 	fi
@@ -103,7 +122,9 @@  _require_encryption_policy_support()
 	if ! echo foo > $dir/file; then
 		_notrun "encryption policy '$set_encpolicy_args' is unusable; probably missing kernel crypto API support"
 	fi
-	$KEYCTL_PROG clear @s
+	if (( policy_version <= 1 )); then
+		$KEYCTL_PROG clear @s
+	fi
 	rm -r $dir
 }