| Message ID | 20220401104553.32036-1-lhenriques@suse.de (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | common/encrypt: allow the use of 'fscrypt:' as key prefix | expand |
On Fri, 2022-04-01 at 11:45 +0100, Luís Henriques wrote: > fscrypt keys have used the $FSTYP as prefix. However this format is being > deprecated -- newer kernels already allow the usage of the generic > 'fscrypt:' prefix for ext4 and f2fs. This patch allows the usage of this > new prefix for testing filesystems that have never supported the old > format, but keeping the $FSTYP prefix for filesystems that support it, so > that old kernels can be tested. > > Signed-off-by: Luís Henriques <lhenriques@suse.de> > --- > common/encrypt | 38 +++++++++++++++++++++++++++----------- > 1 file changed, 27 insertions(+), 11 deletions(-) > > diff --git a/common/encrypt b/common/encrypt > index f90c4ef05a3f..897c97e0f6fa 100644 > --- a/common/encrypt > +++ b/common/encrypt > @@ -250,6 +250,27 @@ _num_to_hex() > fi > } > > +# Keys are named $FSTYP:KEYDESC where KEYDESC is the 16-character key descriptor > +# hex string. Newer kernels (ext4 4.8 and later, f2fs 4.6 and later) also allow > +# the common key prefix "fscrypt:" in addition to their filesystem-specific key > +# prefix ("ext4:", "f2fs:"). It would be nice to use the common key prefix, but > +# for now use the filesystem- specific prefix for these 2 filesystems to make it > +# possible to test older kernels, and the "fscrypt" prefix for anything else. > +_get_fs_keyprefix() > +{ > + local prefix="" > + > + case $FSTYP in > + ext4|f2fs|ubifs) > + prefix="$FSTYP" > + ;; > + *) > + prefix="fscrypt" > + ;; > + esac > + echo $prefix > +} > + > # Add the specified raw encryption key to the session keyring, using the > # specified key descriptor. > _add_session_encryption_key() > @@ -268,18 +289,11 @@ _add_session_encryption_key() > # }; > # > # The kernel ignores 'mode' but requires that 'size' be 64. > - # > - # Keys are named $FSTYP:KEYDESC where KEYDESC is the 16-character key > - # descriptor hex string. Newer kernels (ext4 4.8 and later, f2fs 4.6 > - # and later) also allow the common key prefix "fscrypt:" in addition to > - # their filesystem-specific key prefix ("ext4:", "f2fs:"). It would be > - # nice to use the common key prefix, but for now use the filesystem- > - # specific prefix to make it possible to test older kernels... > - # > local mode=$(_num_to_hex 0 4) > local size=$(_num_to_hex 64 4) > + local prefix=$(_get_fs_keyprefix) > echo -n -e "${mode}${raw}${size}" | > - $KEYCTL_PROG padd logon $FSTYP:$keydesc @s >>$seqres.full > + $KEYCTL_PROG padd logon $prefix:$keydesc @s >>$seqres.full > } > > # > @@ -302,7 +316,8 @@ _generate_session_encryption_key() > _unlink_session_encryption_key() > { > local keydesc=$1 > - local keyid=$($KEYCTL_PROG search @s logon $FSTYP:$keydesc) > + local prefix=$(_get_fs_keyprefix) > + local keyid=$($KEYCTL_PROG search @s logon $prefix:$keydesc) > $KEYCTL_PROG unlink $keyid >>$seqres.full > } > > @@ -310,7 +325,8 @@ _unlink_session_encryption_key() > _revoke_session_encryption_key() > { > local keydesc=$1 > - local keyid=$($KEYCTL_PROG search @s logon $FSTYP:$keydesc) > + local prefix=$(_get_fs_keyprefix) > + local keyid=$($KEYCTL_PROG search @s logon $prefix:$keydesc) > $KEYCTL_PROG revoke $keyid >>$seqres.full > } > Reviewed-by: Jeff Layton <jlayton@kernel.org>
On Fri, Apr 01, 2022 at 11:45:53AM +0100, Luís Henriques wrote: > fscrypt keys have used the $FSTYP as prefix. However this format is being > deprecated -- newer kernels already allow the usage of the generic > 'fscrypt:' prefix for ext4 and f2fs. This patch allows the usage of this > new prefix for testing filesystems that have never supported the old > format, but keeping the $FSTYP prefix for filesystems that support it, so > that old kernels can be tested. > > Signed-off-by: Luís Henriques <lhenriques@suse.de> > --- > common/encrypt | 38 +++++++++++++++++++++++++++----------- > 1 file changed, 27 insertions(+), 11 deletions(-) > > diff --git a/common/encrypt b/common/encrypt > index f90c4ef05a3f..897c97e0f6fa 100644 > --- a/common/encrypt > +++ b/common/encrypt > @@ -250,6 +250,27 @@ _num_to_hex() > fi > } > > +# Keys are named $FSTYP:KEYDESC where KEYDESC is the 16-character key descriptor > +# hex string. Newer kernels (ext4 4.8 and later, f2fs 4.6 and later) also allow > +# the common key prefix "fscrypt:" in addition to their filesystem-specific key > +# prefix ("ext4:", "f2fs:"). It would be nice to use the common key prefix, but > +# for now use the filesystem- specific prefix for these 2 filesystems to make it > +# possible to test older kernels, and the "fscrypt" prefix for anything else. > +_get_fs_keyprefix() > +{ > + local prefix="" > + > + case $FSTYP in > + ext4|f2fs|ubifs) > + prefix="$FSTYP" > + ;; > + *) > + prefix="fscrypt" > + ;; > + esac > + echo $prefix > +} ubifs can use the "fscrypt" prefix, since there was never a kernel that supported ubifs encryption but not the "fscrypt" prefix. Also, the "prefix" local variable is unnecessary. So: case $FSTYP in ext4|f2fs) echo $FSTYP ;; *) echo fscrypt ;; esac Otherwise, this patch looks fine if we want to keep supporting testing kernels older than 4.8. However, since 4.4 is no longer a supported LTS kernel, perhaps this is no longer needed and we could just always use "fscrypt"? I'm not sure what xfstests's policy on old kernels is. - Eric
On Fri, 2022-04-01 at 11:45 +0100, Luís Henriques wrote: > fscrypt keys have used the $FSTYP as prefix. However this format is being > deprecated -- newer kernels already allow the usage of the generic > 'fscrypt:' prefix for ext4 and f2fs. This patch allows the usage of this > new prefix for testing filesystems that have never supported the old > format, but keeping the $FSTYP prefix for filesystems that support it, so > that old kernels can be tested. > > Signed-off-by: Luís Henriques <lhenriques@suse.de> > --- > common/encrypt | 38 +++++++++++++++++++++++++++----------- > 1 file changed, 27 insertions(+), 11 deletions(-) > > diff --git a/common/encrypt b/common/encrypt > index f90c4ef05a3f..897c97e0f6fa 100644 > --- a/common/encrypt > +++ b/common/encrypt > @@ -250,6 +250,27 @@ _num_to_hex() > fi > } > > +# Keys are named $FSTYP:KEYDESC where KEYDESC is the 16-character key descriptor > +# hex string. Newer kernels (ext4 4.8 and later, f2fs 4.6 and later) also allow > +# the common key prefix "fscrypt:" in addition to their filesystem-specific key > +# prefix ("ext4:", "f2fs:"). It would be nice to use the common key prefix, but > +# for now use the filesystem- specific prefix for these 2 filesystems to make it > +# possible to test older kernels, and the "fscrypt" prefix for anything else. > +_get_fs_keyprefix() > +{ > + local prefix="" > + > + case $FSTYP in > + ext4|f2fs|ubifs) > + prefix="$FSTYP" > + ;; > + *) > + prefix="fscrypt" > + ;; > + esac > + echo $prefix > +} > + > # Add the specified raw encryption key to the session keyring, using the > # specified key descriptor. > _add_session_encryption_key() > @@ -268,18 +289,11 @@ _add_session_encryption_key() > # }; > # > # The kernel ignores 'mode' but requires that 'size' be 64. > - # > - # Keys are named $FSTYP:KEYDESC where KEYDESC is the 16-character key > - # descriptor hex string. Newer kernels (ext4 4.8 and later, f2fs 4.6 > - # and later) also allow the common key prefix "fscrypt:" in addition to > - # their filesystem-specific key prefix ("ext4:", "f2fs:"). It would be > - # nice to use the common key prefix, but for now use the filesystem- > - # specific prefix to make it possible to test older kernels... > - # > local mode=$(_num_to_hex 0 4) > local size=$(_num_to_hex 64 4) > + local prefix=$(_get_fs_keyprefix) > echo -n -e "${mode}${raw}${size}" | > - $KEYCTL_PROG padd logon $FSTYP:$keydesc @s >>$seqres.full > + $KEYCTL_PROG padd logon $prefix:$keydesc @s >>$seqres.full > } > > # > @@ -302,7 +316,8 @@ _generate_session_encryption_key() > _unlink_session_encryption_key() > { > local keydesc=$1 > - local keyid=$($KEYCTL_PROG search @s logon $FSTYP:$keydesc) > + local prefix=$(_get_fs_keyprefix) > + local keyid=$($KEYCTL_PROG search @s logon $prefix:$keydesc) > $KEYCTL_PROG unlink $keyid >>$seqres.full > } > > @@ -310,7 +325,8 @@ _unlink_session_encryption_key() > _revoke_session_encryption_key() > { > local keydesc=$1 > - local keyid=$($KEYCTL_PROG search @s logon $FSTYP:$keydesc) > + local prefix=$(_get_fs_keyprefix) > + local keyid=$($KEYCTL_PROG search @s logon $prefix:$keydesc) > $KEYCTL_PROG revoke $keyid >>$seqres.full > } > For the record, without this patch in place, generic/397 hangs when tested against the current ceph+fscrypt pile. With this, the test passes. Cheers,
Eric Biggers <ebiggers@kernel.org> writes: > On Fri, Apr 01, 2022 at 11:45:53AM +0100, Luís Henriques wrote: >> fscrypt keys have used the $FSTYP as prefix. However this format is being >> deprecated -- newer kernels already allow the usage of the generic >> 'fscrypt:' prefix for ext4 and f2fs. This patch allows the usage of this >> new prefix for testing filesystems that have never supported the old >> format, but keeping the $FSTYP prefix for filesystems that support it, so >> that old kernels can be tested. >> >> Signed-off-by: Luís Henriques <lhenriques@suse.de> >> --- >> common/encrypt | 38 +++++++++++++++++++++++++++----------- >> 1 file changed, 27 insertions(+), 11 deletions(-) >> >> diff --git a/common/encrypt b/common/encrypt >> index f90c4ef05a3f..897c97e0f6fa 100644 >> --- a/common/encrypt >> +++ b/common/encrypt >> @@ -250,6 +250,27 @@ _num_to_hex() >> fi >> } >> >> +# Keys are named $FSTYP:KEYDESC where KEYDESC is the 16-character key descriptor >> +# hex string. Newer kernels (ext4 4.8 and later, f2fs 4.6 and later) also allow >> +# the common key prefix "fscrypt:" in addition to their filesystem-specific key >> +# prefix ("ext4:", "f2fs:"). It would be nice to use the common key prefix, but >> +# for now use the filesystem- specific prefix for these 2 filesystems to make it >> +# possible to test older kernels, and the "fscrypt" prefix for anything else. >> +_get_fs_keyprefix() >> +{ >> + local prefix="" >> + >> + case $FSTYP in >> + ext4|f2fs|ubifs) >> + prefix="$FSTYP" >> + ;; >> + *) >> + prefix="fscrypt" >> + ;; >> + esac >> + echo $prefix >> +} > > ubifs can use the "fscrypt" prefix, since there was never a kernel that > supported ubifs encryption but not the "fscrypt" prefix. Also, the "prefix" > local variable is unnecessary. So: > > case $FSTYP in > ext4|f2fs) > echo $FSTYP > ;; > *) > echo fscrypt > ;; > esac > > Otherwise, this patch looks fine if we want to keep supporting testing kernels > older than 4.8. However, since 4.4 is no longer a supported LTS kernel, perhaps > this is no longer needed and we could just always use "fscrypt"? I'm not sure > what xfstests's policy on old kernels is. Thank you for your feedback. I'll resend the patch with your changes. I am, of course, OK dropping support for older kernels on fstests, but I'll leave that decision for the maintainers; if anyone thinks that support should be dropped, I can send another version of the patch doing that. Cheers,
diff --git a/common/encrypt b/common/encrypt index f90c4ef05a3f..897c97e0f6fa 100644 --- a/common/encrypt +++ b/common/encrypt @@ -250,6 +250,27 @@ _num_to_hex() fi } +# Keys are named $FSTYP:KEYDESC where KEYDESC is the 16-character key descriptor +# hex string. Newer kernels (ext4 4.8 and later, f2fs 4.6 and later) also allow +# the common key prefix "fscrypt:" in addition to their filesystem-specific key +# prefix ("ext4:", "f2fs:"). It would be nice to use the common key prefix, but +# for now use the filesystem- specific prefix for these 2 filesystems to make it +# possible to test older kernels, and the "fscrypt" prefix for anything else. +_get_fs_keyprefix() +{ + local prefix="" + + case $FSTYP in + ext4|f2fs|ubifs) + prefix="$FSTYP" + ;; + *) + prefix="fscrypt" + ;; + esac + echo $prefix +} + # Add the specified raw encryption key to the session keyring, using the # specified key descriptor. _add_session_encryption_key() @@ -268,18 +289,11 @@ _add_session_encryption_key() # }; # # The kernel ignores 'mode' but requires that 'size' be 64. - # - # Keys are named $FSTYP:KEYDESC where KEYDESC is the 16-character key - # descriptor hex string. Newer kernels (ext4 4.8 and later, f2fs 4.6 - # and later) also allow the common key prefix "fscrypt:" in addition to - # their filesystem-specific key prefix ("ext4:", "f2fs:"). It would be - # nice to use the common key prefix, but for now use the filesystem- - # specific prefix to make it possible to test older kernels... - # local mode=$(_num_to_hex 0 4) local size=$(_num_to_hex 64 4) + local prefix=$(_get_fs_keyprefix) echo -n -e "${mode}${raw}${size}" | - $KEYCTL_PROG padd logon $FSTYP:$keydesc @s >>$seqres.full + $KEYCTL_PROG padd logon $prefix:$keydesc @s >>$seqres.full } # @@ -302,7 +316,8 @@ _generate_session_encryption_key() _unlink_session_encryption_key() { local keydesc=$1 - local keyid=$($KEYCTL_PROG search @s logon $FSTYP:$keydesc) + local prefix=$(_get_fs_keyprefix) + local keyid=$($KEYCTL_PROG search @s logon $prefix:$keydesc) $KEYCTL_PROG unlink $keyid >>$seqres.full } @@ -310,7 +325,8 @@ _unlink_session_encryption_key() _revoke_session_encryption_key() { local keydesc=$1 - local keyid=$($KEYCTL_PROG search @s logon $FSTYP:$keydesc) + local prefix=$(_get_fs_keyprefix) + local keyid=$($KEYCTL_PROG search @s logon $prefix:$keydesc) $KEYCTL_PROG revoke $keyid >>$seqres.full }
fscrypt keys have used the $FSTYP as prefix. However this format is being deprecated -- newer kernels already allow the usage of the generic 'fscrypt:' prefix for ext4 and f2fs. This patch allows the usage of this new prefix for testing filesystems that have never supported the old format, but keeping the $FSTYP prefix for filesystems that support it, so that old kernels can be tested. Signed-off-by: Luís Henriques <lhenriques@suse.de> --- common/encrypt | 38 +++++++++++++++++++++++++++----------- 1 file changed, 27 insertions(+), 11 deletions(-)