From patchwork Thu Mar 28 19:07:20 2019
X-Patchwork-Submitter: Dave Jiang
X-Patchwork-Id: 10875733
Subject: [PATCH 3/3] ndctl: add unit test for load-keys
From: Dave Jiang
To: vishal.l.verma@intel.com
Cc: linux-nvdimm@lists.01.org
Date: Thu, 28 Mar 2019 12:07:20 -0700
Message-ID: <155380004030.7924.13233540083178591968.stgit@djiang5-desk3.ch.intel.com>
In-Reply-To: <155380002962.7924.11109542476291499729.stgit@djiang5-desk3.ch.intel.com>
List-Id: "Linux-nvdimm developer list."

Add to security.sh to test load-keys for user keys.

Signed-off-by: Dave Jiang
---
 test/security.sh | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 52 insertions(+), 4 deletions(-)

diff --git a/test/security.sh b/test/security.sh index 1b7a9a1a..7bd60293 100755 --- a/test/security.sh +++ b/test/security.sh @@ -6,8 +6,10 @@ rc=77 dev="" id="" keypath="/etc/ndctl/keys" -masterkey="nvdimm-master-test" -masterpath="$keypath/$masterkey" +masterkey="nvdimm-master" +masterpath="$keypath/$masterkey.blob" +backup_key=0 +backup_handle=0 . ./common 
@@ -32,6 +34,15 @@ setup_keys() mkdir -p "$keypath" fi + if [ -f "$masterpath" ]; then + mv "$masterpath" "$masterpath.bak" + $backup_key=1 + fi + if [ -f "$keypath/tpm.handle" ]; then + mv "$keypath/tpm.handle" "$keypath/tmp.handle.bak" + $backup_handle=1 + fi + dd if=/dev/urandom bs=1 count=32 2>/dev/null | keyctl padd user "$masterkey" @u keyctl pipe "$(keyctl search @u user $masterkey)" > "$masterpath" } @@ -53,6 +64,12 @@ test_cleanup() if [ -f $masterpath ]; then rm -f "$masterpath" fi + if [ "$backup_key" -eq 1 ]; then + mv "$masterpath.bak" "$masterpath" + fi + if [ "$backup_handle" -eq 1 ]; then + mv "$keypath/tpm.handle.bak" "$keypath/tmp.handle" + fi } lock_dimm() @@ -188,6 +205,33 @@ test_5_security_freeze() fi } +test_6_load_keys() +{ + if keyctl search @u encrypted nvdimm:"$id"; then + keyctl unlink "$(keyctl search @u encrypted nvdimm:"$id")" + fi + + if keyctl search @u user "$masterkey"; then + keyctl unlink "$(keyctl search @u user $masterkey)" + fi + + $NDCTL load-keys + + if keyctl search @u user "$masterkey"; then + echo "master key loaded" + else + echo "master key fail to loaded" + err "$LINENO" + fi + + if keyctl search @u encrypted nvdimm:"$id"; then + echo "dimm key loaded" + else + echo "dimm key failed to load" + err "$LINENO" + fi +} + check_min_kver "5.0" || do_skip "may lack security handling" uid="$(keyctl show | grep -Eo "_uid.[0-9]+" | head -1 | cut -d. -f2-)" if [ "$uid" -ne 0 ]; then @@ -210,11 +254,15 @@ test_3_security_setup_and_erase echo "Test 4, unlock dimm" test_4_security_unlock -# Freeze should always be run last because it locks security state and require -# nfit_test module unload. +# Freeze should always be run as last DIMM operation because it locks +# security state and require nfit_test module unload. echo "Test 5, freeze security" test_5_security_freeze +# this is purely on keyctl management and does not involve nvdimm +echo "Test 6, test load-keys" +test_6_load_keys + test_cleanup _cleanup exit 0
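Review bot: in the `@@ -6,8 +6,10 @@` hunk, changing masterkey to "nvdimm-master" and masterpath to "$keypath/$masterkey.blob" means the test now uses the same key name and blob path under /etc/ndctl/keys that a real deployment uses, instead of the previous test-only "nvdimm-master-test" name; the test therefore shares state with the host's live master key, and the backup_key/backup_handle flags introduced here are the only thing protecting it. A comment next to these variables saying that the test temporarily displaces the host's real master key blob and tpm.handle file would make that dependency visible to anyone running the suite on a provisioned machine.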
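Review bot: in the `@@ -32,6 +34,15 @@ setup_keys()` hunk, `$backup_key=1` and `$backup_handle=1` are not assignments: the shell expands the variable first, so each line becomes the command `0=1`, which fails with "command not found" and leaves both flags at 0 (and aborts setup_keys right after the key was moved aside if the script runs under set -e). They should read `backup_key=1` and `backup_handle=1`. As written, the host's real master key blob is moved to "$masterpath.bak" but test_cleanup never restores it because the flag stays 0, and since test_cleanup does `rm -f "$masterpath"`, the user is left with only the .bak copy. The handle file is also moved to "$keypath/tmp.handle.bak" (tmp, not tpm), which does not match the name test_cleanup restores from.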
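Review bot: in the `@@ -53,6 +64,12 @@ test_cleanup()` hunk, the restore paths do not match the backup paths in setup_keys and one of them is itself misspelled: setup moves the handle to "$keypath/tmp.handle.bak", while cleanup moves "$keypath/tpm.handle.bak" (which will not exist) to "$keypath/tmp.handle" (which is not the tpm.handle name the rest of the script uses). Both mv calls should use "$keypath/tpm.handle.bak" and "$keypath/tpm.handle". Note also that the restore only happens when test_cleanup runs; if err() exits without calling it (its body is not in this patch), a failing test leaves the host's master key blob and handle file displaced.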
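Review bot: in the `@@ -188,6 +205,33 @@` hunk, `$NDCTL load-keys` in test_6_load_keys is run without checking its exit status; the keyctl search checks that follow do catch a silent failure, but a `|| err "$LINENO"` would report the failing step directly instead of its symptom. The `if keyctl search ...; then` tests print the matched key serial to stdout, so a `>/dev/null` on each would keep the test output to the echo lines. Minor: "master key fail to loaded" should read "master key failed to load", and `keyctl search @u user $masterkey` in the unlink should quote the variable like the surrounding calls do.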
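Review bot: in the `@@ -210,11 +254,15 @@` hunk, the reworded comment still has a grammar slip: "locks security state and require nfit_test module unload" should be "requires". The new comment above test 6 should start with a capital letter, and since test_6_load_keys runs after test_5_security_freeze, it would help to say there that it is safe to run after freeze precisely because it only touches the keyring and not the DIMM, which is the point the comment is making.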