[v2] syscalls/keyctl09: test encrypted keys.

Message ID	20211221023721.129689-1-yaelt@google.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-integrity-owner@kernel.org> Date: Mon, 20 Dec 2021 21:37:21 -0500 Message-Id: <20211221023721.129689-1-yaelt@google.com> Mime-Version: 1.0 Subject: [PATCH v2] syscalls/keyctl09: test encrypted keys. From: Yael Tiomkin <yaelt@google.com> To: ltp@lists.linux.it Cc: zohar@linux.ibm.com, pvorel@suse.cz, linux-integrity@vger.kernel.org, Yael Tiomkin <yaelt@google.com> Content-Type: text/plain; charset="UTF-8" Precedence: bulk
Series	[v2] syscalls/keyctl09: test encrypted keys. \| expand [v2] syscalls/keyctl09: test encrypted keys.

Yael Tzur Dec. 21, 2021, 2:37 a.m. UTC

Test that encrypted keys can be instantiated using
both user-provided decrypted data
(https://lore.kernel.org/linux-integrity/20211213192030.125091-1-yaelt@google.com/),
or kernel-generated numbers.

Signed-off-by: Yael Tiomkin <yaelt@google.com>
---

Notes:
    v -> v2: added key revocation and made styling changes.

 runtest/syscalls                            |  1 +
 testcases/kernel/syscalls/keyctl/.gitignore |  1 +
 testcases/kernel/syscalls/keyctl/keyctl09.c | 58 +++++++++++++++++++++
 3 files changed, 60 insertions(+)
 create mode 100644 testcases/kernel/syscalls/keyctl/keyctl09.c

Petr Vorel Dec. 21, 2021, 9:01 a.m. UTC | #1

Hi Yael,

you still have some problem when running more iterations:

./keyctl09 -i500
keyctl09.c:49: TPASS: Encrypted keys were successfully instantiated and read
keyctl09.c:49: TPASS: Encrypted keys were successfully instantiated and read
...
keyctl09.c:33: TFAIL: Failed to instantiate encrypted key using payload decrypted data

(some people really try high number of iterations.)
Could you please have a look?

> Test that encrypted keys can be instantiated using
> both user-provided decrypted data
> (https://lore.kernel.org/linux-integrity/20211213192030.125091-1-yaelt@google.com/),
> or kernel-generated numbers.
+1 for doc!

...
> +static void do_test(void)
> +{
> +	key_serial_t masterkey;
> +	key_serial_t encryptedkey1;
> +	key_serial_t encryptedkey2;
> +	char buffer[128];
> +
> +	masterkey = add_key("user", "user:masterkey", "foo", 3,
> +			    KEY_SPEC_PROCESS_KEYRING);
> +	if (masterkey == -1)
> +		tst_brk(TBROK | TERRNO, "Failed to add user key");
> +
> +	encryptedkey1 = add_key("encrypted", "ltptestkey1", ENCRYPTED_KEY_1_PAYLOAD,
> +				60, KEY_SPEC_PROCESS_KEYRING);
> +	if (encryptedkey1 == -1)
> +		tst_brk(TFAIL, "Failed to instantiate encrypted key using payload decrypted data");
nit: this might be TBROK (test preparation phase), not sure
(and not that important).

The rest LGTM.

Reviewed-by: Petr Vorel <pvorel@suse.cz>

Kind regards,
Petr

R Nageswara Sastry Dec. 21, 2021, 9:21 a.m. UTC | #2

On 21/12/21 8:07 am, Yael Tiomkin wrote:
> Test that encrypted keys can be instantiated using
> both user-provided decrypted data
> (https://lore.kernel.org/linux-integrity/20211213192030.125091-1-yaelt@google.com/),
> or kernel-generated numbers.
> 
> Signed-off-by: Yael Tiomkin <yaelt@google.com>

Tested on ppc64le platform

Tested-by: Nageswara R Sastry <rnsastry@linux.ibm.com>

...
<<<test_start>>>
tag=keyctl09 stime=1640078325
cmdline="keyctl09"
contacts=""
analysis=exit
<<<test_output>>>
tst_test.c:1425: TINFO: Timeout per run is 0h 05m 00s
keyctl09.c:49: TPASS: Encrypted keys were successfully instantiated and read

Summary:
passed   1
failed   0
broken   0
skipped  0
warnings 0
<<<execution_status>>>
initiation_status="ok"
duration=0 termination_type=exited termination_id=0 corefile=no
cutime=0 cstime=0
<<<test_end>>>
...


> ---
> 
> Notes:
>      v -> v2: added key revocation and made styling changes.
> 
>   runtest/syscalls                            |  1 +
>   testcases/kernel/syscalls/keyctl/.gitignore |  1 +
>   testcases/kernel/syscalls/keyctl/keyctl09.c | 58 +++++++++++++++++++++
>   3 files changed, 60 insertions(+)
>   create mode 100644 testcases/kernel/syscalls/keyctl/keyctl09.c
> 
> diff --git a/runtest/syscalls b/runtest/syscalls
> index bcf3d56c9..ccea1ddbd 100644
> --- a/runtest/syscalls
> +++ b/runtest/syscalls
> @@ -643,6 +643,7 @@ keyctl05 keyctl05
>   keyctl06 keyctl06
>   keyctl07 keyctl07
>   keyctl08 keyctl08
> +keyctl09 keyctl09
>   
>   kcmp01 kcmp01
>   kcmp02 kcmp02
> diff --git a/testcases/kernel/syscalls/keyctl/.gitignore b/testcases/kernel/syscalls/keyctl/.gitignore
> index 3544ac79c..f9948c176 100644
> --- a/testcases/kernel/syscalls/keyctl/.gitignore
> +++ b/testcases/kernel/syscalls/keyctl/.gitignore
> @@ -6,3 +6,4 @@
>   /keyctl06
>   /keyctl07
>   /keyctl08
> +/keyctl09
> diff --git a/testcases/kernel/syscalls/keyctl/keyctl09.c b/testcases/kernel/syscalls/keyctl/keyctl09.c
> new file mode 100644
> index 000000000..507cd5628
> --- /dev/null
> +++ b/testcases/kernel/syscalls/keyctl/keyctl09.c
> @@ -0,0 +1,58 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (c) 2021 Google, Inc.
> + */
> +
> +/*\
> + * [Description]
> + * Test that encrypted keys can be instantiated using user-provided decrypted
> + * data (plaintext), and separately, using kernel-generated key material.
> + */
> +
> +#include "tst_test.h"
> +#include "lapi/keyctl.h"
> +
> +#define ENCRYPTED_KEY_1_PAYLOAD	"new enc32 user:masterkey 32 plaintext12345678901234567890123"
> +#define ENCRYPTED_KEY_2_PAYLOAD	"new enc32 user:masterkey 32"
> +
> +static void do_test(void)
> +{
> +	key_serial_t masterkey;
> +	key_serial_t encryptedkey1;
> +	key_serial_t encryptedkey2;
> +	char buffer[128];
> +
> +	masterkey = add_key("user", "user:masterkey", "foo", 3,
> +			    KEY_SPEC_PROCESS_KEYRING);
> +	if (masterkey == -1)
> +		tst_brk(TBROK | TERRNO, "Failed to add user key");
> +
> +	encryptedkey1 = add_key("encrypted", "ltptestkey1", ENCRYPTED_KEY_1_PAYLOAD,
> +				60, KEY_SPEC_PROCESS_KEYRING);
> +	if (encryptedkey1 == -1)
> +		tst_brk(TFAIL, "Failed to instantiate encrypted key using payload decrypted data");
> +
> +	TEST(keyctl(KEYCTL_READ, encryptedkey1, buffer, sizeof(buffer)));
> +	if (TST_RET < 0)
> +		tst_brk(TFAIL, "KEYCTL_READ failed for encryptedkey1");
> +
> +	encryptedkey2 = add_key("encrypted", "ltptestkey2", ENCRYPTED_KEY_2_PAYLOAD,
> +				27, KEY_SPEC_PROCESS_KEYRING);
> +	if (encryptedkey2 == -1)
> +		tst_brk(TFAIL,
> +			"Failed to instantiate encrypted key using kernel-generated key material");
> +
> +	TEST(keyctl(KEYCTL_READ, encryptedkey2, buffer, sizeof(buffer)));
> +	if (TST_RET < 0)
> +		tst_brk(TFAIL, "KEYCTL_READ failed for encryptedkey2");
> +
> +	tst_res(TPASS, "Encrypted keys were successfully instantiated and read");
> +
> +	keyctl(KEYCTL_REVOKE, encryptedkey1);
> +	keyctl(KEYCTL_REVOKE, encryptedkey2);
> +	keyctl(KEYCTL_REVOKE, masterkey);
> +}
> +
> +static struct tst_test test = {
> +	.test_all = do_test,
> +};

Petr Vorel Dec. 21, 2021, 10:48 a.m. UTC | #3

Hi Nageswara,

> On 21/12/21 8:07 am, Yael Tiomkin wrote:
> > Test that encrypted keys can be instantiated using
> > both user-provided decrypted data
> > (https://lore.kernel.org/linux-integrity/20211213192030.125091-1-yaelt@google.com/),
> > or kernel-generated numbers.

> > Signed-off-by: Yael Tiomkin <yaelt@google.com>

> Tested on ppc64le platform

I suppose it also fails on ppc64le when run more iterations.
./keyctl09 -i500
keyctl09.c:49: TPASS: Encrypted keys were successfully instantiated and read
keyctl09.c:49: TPASS: Encrypted keys were successfully instantiated and read
...
keyctl09.c:33: TFAIL: Failed to instantiate encrypted key using payload decrypted data

(It's always good to put higher number iterations.)

Kind regards,
Petr

R Nageswara Sastry Dec. 22, 2021, 5:11 a.m. UTC | #4

On 21/12/21 4:18 pm, Petr Vorel wrote:
> Hi Nageswara,
> 
>> On 21/12/21 8:07 am, Yael Tiomkin wrote:
>>> Test that encrypted keys can be instantiated using
>>> both user-provided decrypted data
>>> (https://lore.kernel.org/linux-integrity/20211213192030.125091-1-yaelt@google.com/),
>>> or kernel-generated numbers.
> 
>>> Signed-off-by: Yael Tiomkin <yaelt@google.com>
> 
>> Tested on ppc64le platform
> 
> I suppose it also fails on ppc64le when run more iterations.


Tried with -i500, -i5000 and -i50000 also ... no failures were seen on 
ppc64le architecture.

Summary:
passed   500
failed   0

Summary:
passed   5000
failed   0

Summary:
passed   50000
failed   0


> ./keyctl09 -i500
> keyctl09.c:49: TPASS: Encrypted keys were successfully instantiated and read
> keyctl09.c:49: TPASS: Encrypted keys were successfully instantiated and read
> ...
> keyctl09.c:33: TFAIL: Failed to instantiate encrypted key using payload decrypted data
> 
> (It's always good to put higher number iterations.)
> 
> Kind regards,
> Petr

Petr Vorel Dec. 22, 2021, 9:10 a.m. UTC | #5

Hi all,

> On 21/12/21 4:18 pm, Petr Vorel wrote:
> > Hi Nageswara,

> > > On 21/12/21 8:07 am, Yael Tiomkin wrote:
> > > > Test that encrypted keys can be instantiated using
> > > > both user-provided decrypted data
> > > > (https://lore.kernel.org/linux-integrity/20211213192030.125091-1-yaelt@google.com/),
> > > > or kernel-generated numbers.

> > > > Signed-off-by: Yael Tiomkin <yaelt@google.com>

> > > Tested on ppc64le platform

> > I suppose it also fails on ppc64le when run more iterations.


> Tried with -i500, -i5000 and -i50000 also ... no failures were seen on
> ppc64le architecture.

> Summary:
> passed   500
> failed   0

> Summary:
> passed   5000
> failed   0

> Summary:
> passed   50000
> failed   0

Interesting, thx for info. It's either arch specific or specific to openSUSE
kernel on my laptop (~ 5.16.0-rc5) where I tested it. Testing on
various VM it works well (including openSUSE with latest kernel stable). It also
works on RPI 4 with openSUSE kernel.

Also it fails on 2 VMs with fips enabled: Debian testing (immediately) and SLES
15-SP4 (after 63 iterations - the same number as 5.16.0-rc5 on my laptop):
keyctl09.c:33: TBROK: Failed to instantiate encrypted key using payload decrypted data

but on my laptop I don't use fips.

Kind regards,
Petr

Eric Biggers Dec. 22, 2021, 3:14 p.m. UTC | #6

On Mon, Dec 20, 2021 at 09:37:21PM -0500, Yael Tiomkin wrote:
> diff --git a/testcases/kernel/syscalls/keyctl/keyctl09.c b/testcases/kernel/syscalls/keyctl/keyctl09.c
> new file mode 100644
> index 000000000..507cd5628
> --- /dev/null
> +++ b/testcases/kernel/syscalls/keyctl/keyctl09.c
> @@ -0,0 +1,58 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (c) 2021 Google, Inc.
> + */
> +
> +/*\
> + * [Description]
> + * Test that encrypted keys can be instantiated using user-provided decrypted
> + * data (plaintext), and separately, using kernel-generated key material.
> + */
> +

This test doesn't seem to work as intended.

First, it fails if CONFIG_ENCRYPTED_KEYS is unset (it should be skipped):

	keyctl09.c:33: TFAIL: Failed to instantiate encrypted key using payload decrypted data

Second, I don't have your patch "Instantiate key with user-provided decrypted
data" (https://lore.kernel.org/r/20211213192030.125091-1-yaelt@google.com) in my
kernel, so instantiating a key using "user-provided decrypted data" is not
implemented by the kernel.  However, the test still passes regardless:

	keyctl09.c:49: TPASS: Encrypted keys were successfully instantiated and read    

The test should detect when "user-provided decrypted data" is not supported by
the kernel, and report that the test of that is being skipped in that case.

- Eric

Eric Biggers Dec. 22, 2021, 3:33 p.m. UTC | #7

On Wed, Dec 22, 2021 at 09:14:43AM -0600, Eric Biggers wrote:
> On Mon, Dec 20, 2021 at 09:37:21PM -0500, Yael Tiomkin wrote:
> > diff --git a/testcases/kernel/syscalls/keyctl/keyctl09.c b/testcases/kernel/syscalls/keyctl/keyctl09.c
> > new file mode 100644
> > index 000000000..507cd5628
> > --- /dev/null
> > +++ b/testcases/kernel/syscalls/keyctl/keyctl09.c
> > @@ -0,0 +1,58 @@
> > +// SPDX-License-Identifier: GPL-2.0-or-later
> > +/*
> > + * Copyright (c) 2021 Google, Inc.
> > + */
> > +
> > +/*\
> > + * [Description]
> > + * Test that encrypted keys can be instantiated using user-provided decrypted
> > + * data (plaintext), and separately, using kernel-generated key material.
> > + */
> > +
> 
> This test doesn't seem to work as intended.
> 
> First, it fails if CONFIG_ENCRYPTED_KEYS is unset (it should be skipped):
> 
> 	keyctl09.c:33: TFAIL: Failed to instantiate encrypted key using payload decrypted data
> 
> Second, I don't have your patch "Instantiate key with user-provided decrypted
> data" (https://lore.kernel.org/r/20211213192030.125091-1-yaelt@google.com) in my
> kernel, so instantiating a key using "user-provided decrypted data" is not
> implemented by the kernel.  However, the test still passes regardless:
> 
> 	keyctl09.c:49: TPASS: Encrypted keys were successfully instantiated and read    
> 
> The test should detect when "user-provided decrypted data" is not supported by
> the kernel, and report that the test of that is being skipped in that case.
> 

And of course, if "user-provided decrypted data" *is* supported by the kernel,
the test should actually test it.

- Eric

[v2] syscalls/keyctl09: test encrypted keys.

Commit Message

Comments

Patch