From patchwork Tue Oct 10 20:25:54 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Josef Bacik X-Patchwork-Id: 13415986 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8D635CD8CB7 for ; Tue, 10 Oct 2023 20:26:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229598AbjJJU0X (ORCPT ); Tue, 10 Oct 2023 16:26:23 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36390 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230510AbjJJU0W (ORCPT ); Tue, 10 Oct 2023 16:26:22 -0400 Received: from mail-yb1-xb2f.google.com (mail-yb1-xb2f.google.com [IPv6:2607:f8b0:4864:20::b2f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6159CCA for ; Tue, 10 Oct 2023 13:26:20 -0700 (PDT) Received: by mail-yb1-xb2f.google.com with SMTP id 3f1490d57ef6-d8a000f6a51so6641288276.3 for ; Tue, 10 Oct 2023 13:26:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=toxicpanda-com.20230601.gappssmtp.com; s=20230601; t=1696969579; x=1697574379; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Hwy8Zi2uzZrYdFBsR35VWjRso0l8oMrGMg/hmDe3qJM=; b=Yl0pGiFBg6X/6EpYGRdhV9NPnuFkdKffP4AQG+REbjvJdJ97qLeTFoHibxIo6b/G3K AcnnUxQwf+OweE/xI1l7XiAFkI7hngfozZyARh0Ei/IiCJxHzIoK7dfUSLM50k7gnpap KLGefxb+/XkUNrNbuqENo2Y8K0JP9DLAe/mFksIHRSPv2g8YFBNgphzVTeeNiiCaqaTm x/+xX8IzzO5D6oEZGR6WtdAT99gV7RhxueHU2EcX2kmUweeegVRRBq+zrTs8qZhGZhYF yegap7TCqgZRK3EfkwdSgePurl67ZVE+3Bqx3WHin/ccFy0yy8tmt1pfNt2eeRTC2PL+ UaTw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696969579; x=1697574379; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Hwy8Zi2uzZrYdFBsR35VWjRso0l8oMrGMg/hmDe3qJM=; b=Gn8dw09RnorulLendgM4dxKIEP/HpsRadf8YC6bPWSb4GlqslE1V2xH00ciPEpxgrK zS6r0VzFhNceLPxdoe2aNn9UQ6sfvgAkj6UULj8hvk0Q33l7nEqaPvi+7Hh9k8HQ5BZA lYrEgR4otWNk1evfkYF6p/431o+5+U94FF1F7sooU5fYaQ77Vx8NeBoTsH4NwJxDTuB1 GjFR2NFlA6+WPalCinyhB1F1QWsZf9VX5g5TKWxRVJnoDKAgq1yhM5CZet+wc6QWclDY AjxVaaoonCIFee2E0t1iczX6PU8aCDOtMAzRiyUE/XVqWmBtUuafuATFP9jgawBOMkMS LoqA== X-Gm-Message-State: AOJu0YzMNWDZjOs56BDcvVth+PLE+0fc5b52eNc4Gl5yWJd/tDm1Wkef rdRM42PbcvEtfm7yhpWQdS3V1Xain4I12Ut74xmZ/g== X-Google-Smtp-Source: AGHT+IGazxV6INO6CLta8CjXhAk2I8g2uwMKRNIInMbviKy22fPV7nEsEgC0OCc6sZ0Sr9E6Z7ZHBQ== X-Received: by 2002:a25:6810:0:b0:d78:878d:e1e1 with SMTP id d16-20020a256810000000b00d78878de1e1mr17959900ybc.50.1696969579546; Tue, 10 Oct 2023 13:26:19 -0700 (PDT) Received: from localhost (cpe-76-182-20-124.nc.res.rr.com. [76.182.20.124]) by smtp.gmail.com with ESMTPSA id 6-20020a251806000000b00d800eb5ac2asm3972167yby.65.2023.10.10.13.26.19 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Oct 2023 13:26:19 -0700 (PDT) From: Josef Bacik To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org Cc: Sweet Tea Dorminy Subject: [PATCH 01/12] common/encrypt: separate data and inode nonces Date: Tue, 10 Oct 2023 16:25:54 -0400 Message-ID: X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org From: Sweet Tea Dorminy btrfs will have different inode and data nonces, so we need to be specific about which nonce each use needs. For now, there is no difference in the two functions. Signed-off-by: Sweet Tea Dorminy Reviewed-by: Anand Jain --- common/encrypt | 33 ++++++++++++++++++++++++++------- tests/f2fs/002 | 2 +- tests/generic/613 | 4 ++-- 3 files changed, 29 insertions(+), 10 deletions(-) diff --git a/common/encrypt b/common/encrypt index 1a77e23b..04b6e5ac 100644 --- a/common/encrypt +++ b/common/encrypt @@ -488,7 +488,7 @@ _add_fscrypt_provisioning_key() # Retrieve the encryption nonce of the given inode as a hex string. The nonce # was randomly generated by the filesystem and isn't exposed directly to # userspace. But it can be read using the filesystem's debugging tools. -_get_encryption_nonce() +_get_encryption_file_nonce() { local device=$1 local inode=$2 @@ -532,15 +532,34 @@ _get_encryption_nonce() }' ;; *) - _fail "_get_encryption_nonce() isn't implemented on $FSTYP" + _fail "_get_encryption_file_nonce() isn't implemented on $FSTYP" ;; esac } -# Require support for _get_encryption_nonce() +# Retrieve the encryption nonce used to encrypt the data of the given inode as +# a hex string. The nonce was randomly generated by the filesystem and isn't +# exposed directly to userspace. But it can be read using the filesystem's +# debugging tools. +_get_encryption_data_nonce() +{ + local device=$1 + local inode=$2 + + case $FSTYP in + ext4|f2fs) + _get_encryption_file_nonce $device $inode + ;; + *) + _fail "_get_encryption_data_nonce() isn't implemented on $FSTYP" + ;; + esac +} + +# Require support for _get_encryption_*nonce() _require_get_encryption_nonce_support() { - echo "Checking for _get_encryption_nonce() support for $FSTYP" >> $seqres.full + echo "Checking for _get_encryption_*nonce() support for $FSTYP" >> $seqres.full case $FSTYP in ext4) _require_command "$DEBUGFS_PROG" debugfs @@ -554,7 +573,7 @@ _require_get_encryption_nonce_support() # the test fail in that case, as it was an f2fs-tools bug... ;; *) - _notrun "_get_encryption_nonce() isn't implemented on $FSTYP" + _notrun "_get_encryption_*nonce() isn't implemented on $FSTYP" ;; esac } @@ -760,7 +779,7 @@ _do_verify_ciphertext_for_encryption_policy() echo "Verifying encrypted file contents" >> $seqres.full for f in "${test_contents_files[@]}"; do read -r src inode blocklist <<< "$f" - nonce=$(_get_encryption_nonce $SCRATCH_DEV $inode) + nonce=$(_get_encryption_data_nonce $SCRATCH_DEV $inode) _dump_ciphertext_blocks $SCRATCH_DEV $blocklist > $tmp.actual_contents $crypt_contents_cmd $contents_encryption_mode $raw_key_hex \ --file-nonce=$nonce --block-size=$blocksize \ @@ -780,7 +799,7 @@ _do_verify_ciphertext_for_encryption_policy() echo "Verifying encrypted file names" >> $seqres.full for f in "${test_filenames_files[@]}"; do read -r name inode dir_inode padding <<< "$f" - nonce=$(_get_encryption_nonce $SCRATCH_DEV $dir_inode) + nonce=$(_get_encryption_file_nonce $SCRATCH_DEV $dir_inode) _get_ciphertext_filename $SCRATCH_DEV $inode $dir_inode \ > $tmp.actual_name echo -n "$name" | \ diff --git a/tests/f2fs/002 b/tests/f2fs/002 index 8235d88a..a51ddf22 100755 --- a/tests/f2fs/002 +++ b/tests/f2fs/002 @@ -129,7 +129,7 @@ blocklist=$(_get_ciphertext_block_list $file) _scratch_unmount echo -e "\n# Getting file's encryption nonce" -nonce=$(_get_encryption_nonce $SCRATCH_DEV $inode) +nonce=$(_get_encryption_data_nonce $SCRATCH_DEV $inode) echo -e "\n# Dumping the file's raw data" _dump_ciphertext_blocks $SCRATCH_DEV $blocklist > $tmp.raw diff --git a/tests/generic/613 b/tests/generic/613 index 4cf5ccc6..47c60e9c 100755 --- a/tests/generic/613 +++ b/tests/generic/613 @@ -68,10 +68,10 @@ echo -e "\n# Getting encryption nonces from inodes" echo -n > $tmp.nonces_hex echo -n > $tmp.nonces_bin for inode in "${inodes[@]}"; do - nonce=$(_get_encryption_nonce $SCRATCH_DEV $inode) + nonce=$(_get_encryption_data_nonce $SCRATCH_DEV $inode) if (( ${#nonce} != 32 )) || [ -n "$(echo "$nonce" | tr -d 0-9a-fA-F)" ] then - _fail "Expected nonce to be 16 bytes (32 hex characters), but got \"$nonce\"" + _fail "Expected nonce for inode $inode to be 16 bytes (32 hex characters), but got \"$nonce\"" fi echo $nonce >> $tmp.nonces_hex echo -ne "$(echo $nonce | sed 's/[0-9a-fA-F]\{2\}/\\x\0/g')" \ From patchwork Tue Oct 10 20:25:55 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Josef Bacik X-Patchwork-Id: 13415988 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B1C95CD8CB4 for ; Tue, 10 Oct 2023 20:26:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234473AbjJJU03 (ORCPT ); Tue, 10 Oct 2023 16:26:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36464 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231596AbjJJU0Y (ORCPT ); Tue, 10 Oct 2023 16:26:24 -0400 Received: from mail-yw1-x112b.google.com (mail-yw1-x112b.google.com [IPv6:2607:f8b0:4864:20::112b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 46ED9DA for ; Tue, 10 Oct 2023 13:26:21 -0700 (PDT) Received: by mail-yw1-x112b.google.com with SMTP id 00721157ae682-5a7ac4c3666so22724587b3.3 for ; Tue, 10 Oct 2023 13:26:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=toxicpanda-com.20230601.gappssmtp.com; s=20230601; t=1696969580; x=1697574380; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=OFwcUtvU3gU5AGXiF/CPujJ+TekA/xyF9zqxriLoMwM=; b=gRQAywef0j79nEmibOimvJGCzSWw6Z5UsPLv3u0VpLoOgzrC/IbFEKbTxIgChb6vpj lpEUoZcgsE9U6h+a8oJCem/mFWo80th9o0icWOoNFUYB8jPIi9PxNrKNJ0/OypFvj1ir 319DWod/C8ATKL/diOCnIdtVjapJYZgXg2U+7ZbhsRB9oicVJW0alOM2nzrvG0ATS5Zn ym2/jiSHrSrR7nt6TtoZb3PMmT8rHSe/UGb9Q7/ThV2CZzYTyuKba2b8pGZrzIEWUJnr U9vtfjeTJxck/6pEA+VVr3alba6n+OFoEEUKNhZQHI7FolqPJvVJS+wX3tC4JxhhiVGo sRzg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696969580; x=1697574380; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=OFwcUtvU3gU5AGXiF/CPujJ+TekA/xyF9zqxriLoMwM=; b=hmcPt+p5C7B2uz/ZyJNMZCkWkj1uBDgEQEDiPCd/mmKj4/BQhr/60bJJekeSZ9g/qg nulQbSAyZcQqjZ/0Ri+/u0IyaUVkU6ac2w5fizJZ4U2pBs1AyiUlrNNKvyXjPqI+U1KD OWWsvUZyND8BGFWC+WyGFGdzM4gzoK69Zko5LnSRWpqr5OI3jPbEeZuy1VhE+a4R5yxy sfwKCOkY2aZpUHYqO8XFljz+s79CZlRPNHD/uy+pgtzEXzyCMMv28ShIPpvLXTP75ZWn XznPBjGqSudfzXD3AlFlSCMHCqBgFlELlN3zv+77XJCz/oNQaJtXrojO/MjdRWrrVULi bCWg== X-Gm-Message-State: AOJu0Yw2iIJ9IkjA1e/q+Oo6D5xgpFK56sdrNIQjfNa/FveAsT/Xf84C ETk0dofLSnWEPIhNAWoFY482Qw== X-Google-Smtp-Source: AGHT+IFQoMBF9uhCT0asEEgYDb3P3Co+GNRB/75Q1mdnz6O01l+cwEoqFE71PBDrmralI/v8iQ9RpQ== X-Received: by 2002:a81:8104:0:b0:59b:bacb:a84f with SMTP id r4-20020a818104000000b0059bbacba84fmr20903470ywf.47.1696969580433; Tue, 10 Oct 2023 13:26:20 -0700 (PDT) Received: from localhost (cpe-76-182-20-124.nc.res.rr.com. [76.182.20.124]) by smtp.gmail.com with ESMTPSA id x9-20020a814a09000000b00589b653b7adsm4691229ywa.136.2023.10.10.13.26.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Oct 2023 13:26:20 -0700 (PDT) From: Josef Bacik To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org Cc: Sweet Tea Dorminy Subject: [PATCH 02/12] common/encrypt: add btrfs to get_encryption_*nonce Date: Tue, 10 Oct 2023 16:25:55 -0400 Message-ID: X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org From: Sweet Tea Dorminy Add the modes of getting the encryption nonces, either inode or extent, to the various get_encryption_nonce functions. For now, no encrypt test makes a file with more than one extent, so we can just grab the first extent's nonce for the data nonce; when we write a bigger file test, we'll need to change that. Signed-off-by: Sweet Tea Dorminy Reviewed-by: Anand Jain --- common/encrypt | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/common/encrypt b/common/encrypt index 04b6e5ac..fc1c8cc7 100644 --- a/common/encrypt +++ b/common/encrypt @@ -531,6 +531,17 @@ _get_encryption_file_nonce() found = 0; }' ;; + btrfs) + # Retrieve the fscrypt context for an inode as a hex string. + # btrfs prints these like: + # item 14 key ($inode FSCRYPT_CTXT_ITEM 0) itemoff 15491 itemsize 40 + # value: 02010400000000008fabf3dd745d41856e812458cd765bf0140f41d62853f4c0351837daff4dcc8f + + $BTRFS_UTIL_PROG inspect-internal dump-tree $device | \ + grep -A 1 "key ($inode FSCRYPT_CTXT_ITEM 0)" | \ + grep --only-matching 'value: [[:xdigit:]]\+' | \ + tr -d ' \n' | tail -c 32 + ;; *) _fail "_get_encryption_file_nonce() isn't implemented on $FSTYP" ;; @@ -550,6 +561,23 @@ _get_encryption_data_nonce() ext4|f2fs) _get_encryption_file_nonce $device $inode ;; + btrfs) + # Retrieve the encryption IV of the first file extent in an inode as a hex + # string. btrfs prints the file extents (for simple unshared + # inodes) like: + # item 21 key ($inode EXTENT_DATA 0) itemoff 2534 itemsize 69 + # generation 7 type 1 (regular) + # extent data disk byte 5304320 nr 1048576 + # extent data offset 0 nr 1048576 ram 1048576 + # extent compression 0 (none) + # extent encryption 161 ((1, 40: context 0201040200000000116a77667261d7422a4b1ed8c427e685edb7a0d370d0c9d40030333033333330)) + + + $BTRFS_UTIL_PROG inspect-internal dump-tree $device | \ + grep -A 5 "key ($inode EXTENT_DATA 0)" | \ + grep --only-matching 'context [[:xdigit:]]\+' | \ + tr -d ' \n' | tail -c 32 + ;; *) _fail "_get_encryption_data_nonce() isn't implemented on $FSTYP" ;; @@ -572,6 +600,9 @@ _require_get_encryption_nonce_support() # Otherwise the xattr is incorrectly parsed as v1. But just let # the test fail in that case, as it was an f2fs-tools bug... ;; + btrfs) + _require_command "$BTRFS_UTIL_PROG" btrfs + ;; *) _notrun "_get_encryption_*nonce() isn't implemented on $FSTYP" ;; From patchwork Tue Oct 10 20:25:56 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Josef Bacik X-Patchwork-Id: 13415989 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id EE0DCCD8CB6 for ; Tue, 10 Oct 2023 20:26:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234365AbjJJU0b (ORCPT ); Tue, 10 Oct 2023 16:26:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36448 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234393AbjJJU0Z (ORCPT ); Tue, 10 Oct 2023 16:26:25 -0400 Received: from mail-yw1-x1129.google.com (mail-yw1-x1129.google.com [IPv6:2607:f8b0:4864:20::1129]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 46E23D3 for ; Tue, 10 Oct 2023 13:26:22 -0700 (PDT) Received: by mail-yw1-x1129.google.com with SMTP id 00721157ae682-5a7c7262d5eso10976547b3.1 for ; Tue, 10 Oct 2023 13:26:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=toxicpanda-com.20230601.gappssmtp.com; s=20230601; t=1696969581; x=1697574381; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=jEBkTHJ3Zcu/2KG+vVGPEkATD7sMt03VYNJu8yvTP9M=; b=SN3aOlddxcqgvMSGkQYM9YW3biqn9ZY2bGhhhSwZHovLYv3+H7VLvPrtEXVA+73MyZ j+N0RB1qVFxXODgeGnO9GoA79kWnrQqX//uc6CZ/MXuilIOVwRvVUIE6RDyzcKjN+WF6 RyfB1SoUG6FkEPtVtSJ1cLdRpH5DoB54aNZkM82HZCvzEJoS9pvQH8jvs0DjhxZrcjvT xks8pRcEaIWfV9EomLx5+eSZYz13vaagV9MY4xgdvFpzCJV1ei5oL4+euF9BlacA2BFi qr4JyIWgEtlJ/zjB8ec9NjI8MzYQrkLQ9zRGNdYBa3g7qMWgFyqDPBnvjpojxDbcy2GT yqlQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696969581; x=1697574381; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=jEBkTHJ3Zcu/2KG+vVGPEkATD7sMt03VYNJu8yvTP9M=; b=nDRpTbDsMw+6ZCjHhU2wxcXHS/Tc/LF/jOIidML3k6eA8eb2F7fY3lo0nqtyOJ7xHU /uFSzOgOTGykIHgCFN+sm9w6+itWmjJmemx25BJpBI6qlHwJNcMrRFCijkFkrIuhhrGs fWMuKi/1ffFfYtR8gZ6Wmmvs21URyONNRu2fv4h/M3dBtQViaZGxzdxvDrFnushnT2+C tFFF2TYWAdD4rYPPGtFEw5zKw2r6b+Fuu2H/I9ZDOJXSL830imAZ7jyMe4VJC2xCttwq L45/QGeKVk9DK3Ug2cLFWgjBTSbSD71n48juzouKhqlzJg5HAKukjvMqVjTuYEvgMt95 xu1A== X-Gm-Message-State: AOJu0YyC6PSZ48F2bWtExrAwVhUuBu3JH4xJNVujtbWyaN8YwhAWmm6/ rh7MQafQIGuc/DK2hse8L2JwDNgaqAmnhCmIY/XNnw== X-Google-Smtp-Source: AGHT+IEDJXaz8Iqj0J5QGmoE8YAQkrqbJnp7d+TIBuszlRdRr5jTsnA0UfmfaKbLhaXI1gnZsLNkDg== X-Received: by 2002:a81:48cc:0:b0:5a7:baac:7b34 with SMTP id v195-20020a8148cc000000b005a7baac7b34mr3793507ywa.28.1696969581386; Tue, 10 Oct 2023 13:26:21 -0700 (PDT) Received: from localhost (cpe-76-182-20-124.nc.res.rr.com. [76.182.20.124]) by smtp.gmail.com with ESMTPSA id x9-20020a814a09000000b00589b653b7adsm4691241ywa.136.2023.10.10.13.26.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Oct 2023 13:26:21 -0700 (PDT) From: Josef Bacik To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org Cc: Sweet Tea Dorminy Subject: [PATCH 03/12] common/encrypt: add btrfs to get_ciphertext_filename Date: Tue, 10 Oct 2023 16:25:56 -0400 Message-ID: X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org From: Sweet Tea Dorminy Add the relevant call to get an encrypted filename from btrfs. Signed-off-by: Sweet Tea Dorminy Reviewed-by: Anand Jain --- common/encrypt | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/common/encrypt b/common/encrypt index fc1c8cc7..2c1925da 100644 --- a/common/encrypt +++ b/common/encrypt @@ -618,6 +618,19 @@ _get_ciphertext_filename() local dir_inode=$3 case $FSTYP in + btrfs) + # Extract the filename from the inode_ref object, similar to: + # item 24 key (259 INODE_REF 257) itemoff 14826 itemsize 26 + # index 3 namelen 16 name: J\xf7\x15tD\x8eL\xae/\x98\x9f\x09\xc1\xb6\x09> + # + $BTRFS_UTIL_PROG inspect-internal dump-tree $device | \ + grep -A 1 "key ($inode INODE_REF " | tail -n 1 | \ + perl -ne ' + s/.*?name: //; + chomp; + s/\\x([[:xdigit:]]{2})/chr hex $1/eg; + print;' + ;; ext4) # Extract the filename from the debugfs output line like: # @@ -715,6 +728,9 @@ _require_get_ciphertext_filename_support() _notrun "dump.f2fs (f2fs-tools) is too old; doesn't support showing unambiguous on-disk filenames" fi ;; + btrfs) + _require_command "$BTRFS_UTIL_PROG" btrfs + ;; *) _notrun "_get_ciphertext_filename() isn't implemented on $FSTYP" ;; From patchwork Tue Oct 10 20:25:57 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Josef Bacik X-Patchwork-Id: 13415990 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6AC06CD8CB7 for ; Tue, 10 Oct 2023 20:26:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234393AbjJJU0c (ORCPT ); Tue, 10 Oct 2023 16:26:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36372 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229555AbjJJU01 (ORCPT ); Tue, 10 Oct 2023 16:26:27 -0400 Received: from mail-yw1-x112a.google.com (mail-yw1-x112a.google.com [IPv6:2607:f8b0:4864:20::112a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 308A7E3 for ; Tue, 10 Oct 2023 13:26:23 -0700 (PDT) Received: by mail-yw1-x112a.google.com with SMTP id 00721157ae682-5a7be88e9ccso14394467b3.2 for ; Tue, 10 Oct 2023 13:26:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=toxicpanda-com.20230601.gappssmtp.com; s=20230601; t=1696969582; x=1697574382; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Dmh9xGr/as1MpprJlAG4JgvOSIGD6BUQHl774+RzFu4=; b=bqjaX0mDqOCfQ1W1b3N+mkOPqhm8/pBhtr9xLJyNucFnGT2tG7iTjcf5kSupZXDamu vw3hESjVK7NQH1jE1NnFNDRdhPG2iegWL0bJD/oWL5Wq/VCXjPQdPqLl5JGm5mPvv2og fDV7wDVYzH/Ddd9XfsKp1OmbI861xO0ehO0X5V9Br39P759MDZoKZuREBTYuJ2MifcsZ OwjnkC4XA/aCLnWc4NJdRCWk01WqugNsuU8T/R7s6tf0fMS1ry360bwP6IIF2IJu/N3o UmzVv39xEl9Tu7RhaHnDC3iecFtW5kYrtxNoBnEUQjheuiOPI9F1aCnZzHJEB/b0gm1M qZIg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696969582; x=1697574382; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Dmh9xGr/as1MpprJlAG4JgvOSIGD6BUQHl774+RzFu4=; b=krdj4jZhFFwn9jAqRvOuq6+OOJCmHijueKIZdaMB0dCXIthLVR445R9goPwPnQI1SQ GfDvvmgZ2QITwtHd9/XQmz+JsoGr4QFz2azjOT9bcCX1YuyijKIklcSrTtQmSMTX+GQ+ zuEI6BkRP2s4h/DqtYT/npDkjKLIk3emGLN8BQ0bfgPggXJV+GSAi2WBAOMsKw1i+MNE AZoZ5Kzsw6A2tIrySkhk75ly6k+Pi2Bb+40+UJjKm5riGqK/ZzpWruAeLAItHYQDf2uS MRlBJGfRa9JlDBuxkvNaG6CXN0LPIokdlYWoQl7J2gIOt/k8M6LuYSKmVeMdOzuAqxZg KviQ== X-Gm-Message-State: AOJu0YyGLee0rGS7eeS8m69bCnk/+KmtCHSTx+Anym8OYZfNjicJTNq9 QLOTLAEa0Isnh0qA72nmXsoXwl0fOONbdRIgD6n3Lg== X-Google-Smtp-Source: AGHT+IHHPc4cVCv0X5UjY6ZEhh73TopZ6jV5VXaR1PRAmJHmMIp+SqJlnKd+kKUVvokDPp15rDCEYQ== X-Received: by 2002:a0d:e841:0:b0:5a7:d986:a9bb with SMTP id r62-20020a0de841000000b005a7d986a9bbmr873545ywe.3.1696969582283; Tue, 10 Oct 2023 13:26:22 -0700 (PDT) Received: from localhost (cpe-76-182-20-124.nc.res.rr.com. [76.182.20.124]) by smtp.gmail.com with ESMTPSA id d187-20020a0df4c4000000b0059af121d0b8sm4694342ywf.52.2023.10.10.13.26.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Oct 2023 13:26:22 -0700 (PDT) From: Josef Bacik To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org Cc: Sweet Tea Dorminy Subject: [PATCH 04/12] common/encrypt: enable making a encrypted btrfs filesystem Date: Tue, 10 Oct 2023 16:25:57 -0400 Message-ID: <905514b9fa178c51afde27c4eff456079e010750.1696969376.git.josef@toxicpanda.com> X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org From: Sweet Tea Dorminy Signed-off-by: Sweet Tea Dorminy Reviewed-by: Anand Jain --- common/encrypt | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/common/encrypt b/common/encrypt index 2c1925da..1372af66 100644 --- a/common/encrypt +++ b/common/encrypt @@ -153,6 +153,9 @@ _scratch_mkfs_encrypted() # erase the UBI volume; reformated automatically on next mount $UBIUPDATEVOL_PROG ${SCRATCH_DEV} -t ;; + btrfs) + _scratch_mkfs + ;; ceph) _scratch_cleanup_files ;; @@ -168,6 +171,9 @@ _scratch_mkfs_sized_encrypted() ext4|f2fs) MKFS_OPTIONS="$MKFS_OPTIONS -O encrypt" _scratch_mkfs_sized $* ;; + btrfs) + _scratch_mkfs_sized $* + ;; *) _notrun "Filesystem $FSTYP not supported in _scratch_mkfs_sized_encrypted" ;; From patchwork Tue Oct 10 20:25:58 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Josef Bacik X-Patchwork-Id: 13415996 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 09B0BCD68ED for ; Tue, 10 Oct 2023 20:26:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234279AbjJJU0o (ORCPT ); Tue, 10 Oct 2023 16:26:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36472 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234461AbjJJU03 (ORCPT ); Tue, 10 Oct 2023 16:26:29 -0400 Received: from mail-yb1-xb2a.google.com (mail-yb1-xb2a.google.com [IPv6:2607:f8b0:4864:20::b2a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2B4E3A4 for ; Tue, 10 Oct 2023 13:26:24 -0700 (PDT) Received: by mail-yb1-xb2a.google.com with SMTP id 3f1490d57ef6-d9191f0d94cso6401113276.3 for ; Tue, 10 Oct 2023 13:26:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=toxicpanda-com.20230601.gappssmtp.com; s=20230601; t=1696969583; x=1697574383; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=fqxbcnQrbhAM79ZT2haRQaI7x72trapZ/1y8f7sxESs=; b=aS+N6wlx+xKjokk7uje7jRN+GUm9S32+PZl4PCyqodSss5ROHhjsxHKsnHLbmVdvBT Lpv8aF0yPcv57/PdTu8W5AdU7EXU6ascZIXSTazTC5pawmzJjGXoAzdneEawIqf/pp+A MVtjSN/YA8wnF25MU6VQS8EyDLc4QHb7ZthTjzOr7bBQFG2DVFAunEqNpA3v3VPAdl0n UCy/ZGWUyqistraaqgbIxX6DFBDxrXClMA2rw/+ir9L8D6FuvadAjNfl7BqYlzD6A1ol qVWuh4XLUDJZweSpaIy+64miGup3zOmb0zQ/ss7U9ELFfQefpDetIPkRdJQ6kAceEX7L rr+g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696969583; x=1697574383; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=fqxbcnQrbhAM79ZT2haRQaI7x72trapZ/1y8f7sxESs=; b=Z4mvGuF2TxsAK8mtAptMQ6sByODMWMsRpurno6EDGWLW9922Hei5sj0pWjMiYi04HN PcKaqkS5QZsgzLyWg30zpWvvux4VcvgqATJ/PoDERhcTbXkXzmPpVtbR2n4q4AjUc1gU x/9o/BmSWS3zcHqd9HkC2KMEi+7Z9LCk1dnYkJojjXsVjhiCyw+1mXFt28gZ5poi5B0t IK3fmWAtE9+kb+3vX9tImy7R32HCV4ctu4E/WFATQ95qctL9Z3ThqnX5BC7vWaqu6Rja ZQp/KWYo1/B2oSLliJw9zCQWt+kcSZGtrxLLvOaxMn2NBA7DpG3t7yZGB2eI1MEU1IpR RikA== X-Gm-Message-State: AOJu0YwznTd37REF3Bf/YdiOzOF6xgrH8NF/Zadk5KZ4AuAL55mlJt0m Ay2J3IK1u8JjLw5EZH3d3WnIaA== X-Google-Smtp-Source: AGHT+IGw4kxDsOt6fa8BJi9L1FMTAuWa4xVaYHP5ZOTb9sMQ5tRzZ10wUFt1F7QiR+ugdbA5JanIRA== X-Received: by 2002:a25:eb04:0:b0:d89:47d6:b4f9 with SMTP id d4-20020a25eb04000000b00d8947d6b4f9mr16849727ybs.23.1696969583309; Tue, 10 Oct 2023 13:26:23 -0700 (PDT) Received: from localhost (cpe-76-182-20-124.nc.res.rr.com. [76.182.20.124]) by smtp.gmail.com with ESMTPSA id 85-20020a250d58000000b00d9a54e9b742sm748139ybn.55.2023.10.10.13.26.22 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Oct 2023 13:26:22 -0700 (PDT) From: Josef Bacik To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org Cc: Sweet Tea Dorminy Subject: [PATCH 05/12] common/verity: explicitly don't allow btrfs encryption Date: Tue, 10 Oct 2023 16:25:58 -0400 Message-ID: <24a79bf71c105ebcff42868cdc7938022ca145d1.1696969376.git.josef@toxicpanda.com> X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org From: Sweet Tea Dorminy Currently btrfs encryption doesn't support verity, but it is planned to one day. To be explicit about the lack of support, add a custom error message to the combination. Signed-off-by: Sweet Tea Dorminy Reviewed-by: Anand Jain --- common/verity | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/common/verity b/common/verity index 03d175ce..4e601a81 100644 --- a/common/verity +++ b/common/verity @@ -224,6 +224,10 @@ _scratch_mkfs_encrypted_verity() # features with -O. Instead -O must be supplied multiple times. _scratch_mkfs -O encrypt -O verity ;; + btrfs) + # currently verity + encryption is not supported + _notrun "btrfs doesn't currently support verity + encryption" + ;; *) _notrun "$FSTYP not supported in _scratch_mkfs_encrypted_verity" ;; From patchwork Tue Oct 10 20:25:59 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Josef Bacik X-Patchwork-Id: 13415991 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2B0E2CD8CB4 for ; Tue, 10 Oct 2023 20:26:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231596AbjJJU0e (ORCPT ); Tue, 10 Oct 2023 16:26:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36390 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234480AbjJJU0a (ORCPT ); Tue, 10 Oct 2023 16:26:30 -0400 Received: from mail-yw1-x112b.google.com (mail-yw1-x112b.google.com [IPv6:2607:f8b0:4864:20::112b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3BEBFED for ; Tue, 10 Oct 2023 13:26:25 -0700 (PDT) Received: by mail-yw1-x112b.google.com with SMTP id 00721157ae682-5a7d9d357faso3761087b3.0 for ; Tue, 10 Oct 2023 13:26:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=toxicpanda-com.20230601.gappssmtp.com; s=20230601; t=1696969584; x=1697574384; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=M2VMrA1lI9Q4ecQ5bc5FJJXlOR+SulDDfBaPoTgzRVE=; b=qHBR6KTb5/EJuFj244Q9gGY7llosCXyLMr2HggcN28lQ3AiDdEmQBmvamMx0L9EWab Q22kpdWE66SlTK4XB3BSpR4VJ+ZSK8o+M5eBt3CkUiUkBSCl++aKLcjXKn0V27HfOtEi 64iW+31QJBmLQU2rMTzlCG6SReVYQE6euKGQX8i2eY3Q761eOhNIb0cBq7cq8XnkSNny wY+0XYkR4jBKc3v1PbzhvG3ALHj4SMKMlAIYEWEKxi/9Vt99dZEH5v1/lFrxDKIBFQnh 7INt3Di28T44YPz6KtnjlD9Z2UuRWa+vAp3s7Q3w81wRl4FrhVG32moGy6uUqsrzmdhQ X/Ug== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696969584; x=1697574384; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=M2VMrA1lI9Q4ecQ5bc5FJJXlOR+SulDDfBaPoTgzRVE=; b=aMJ7K+8M4GzKSvsWUZwwqW8C7M01+EwgjO5IWt38NDZEaE5flqwYW/PCvV4C5D1y+M h06q5gj3bYDwxvp1zhKY6BEum20OakarurDDnroQYBo10fI3jKvyVYHkOi8AWDbvnxMj at7ftBFjHKfmHfWjM+azvwmns7lfaOvlNMyXAmwcHdAgWFya5tXOnBa9bs4WOJLakxOa oMBPi5IbrC8T3H/EaUZaqsn0mM5+hE1YNHRobv2zMRNRuvT0MUr0GLgXZ5dM9qOoftsj HdcTut8NmyWRRKWl6OaNmVT/lDbXzsmKo7WvKnFUARAiUr7zeKsVWFiNez9oZjulTOmv gPkA== X-Gm-Message-State: AOJu0YyrOYtj+SiyNRISG5kdwL7rKDfEgty1eAcCtwlLCyzg9x7h2wCV cRGOyvqNP1viQTDe66T18ZLETED4tYgKZX26/L1TMQ== X-Google-Smtp-Source: AGHT+IG+BJZqKItphUjRYVNLo/YE1loYz+1+fzWvZ+O4HVoM+QGspAsPD6MkeRRtOJichHcdzorz5g== X-Received: by 2002:a0d:ef43:0:b0:595:be7:a38 with SMTP id y64-20020a0def43000000b005950be70a38mr20627894ywe.49.1696969584182; Tue, 10 Oct 2023 13:26:24 -0700 (PDT) Received: from localhost (cpe-76-182-20-124.nc.res.rr.com. [76.182.20.124]) by smtp.gmail.com with ESMTPSA id i84-20020a819157000000b005a7bfec6c34sm701856ywg.46.2023.10.10.13.26.23 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Oct 2023 13:26:23 -0700 (PDT) From: Josef Bacik To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org Cc: Sweet Tea Dorminy Subject: [PATCH 06/12] btrfs: add simple test of reflink of encrypted data Date: Tue, 10 Oct 2023 16:25:59 -0400 Message-ID: <723b5972c3d2d917acc23bf65eb3a5e5feba5ecc.1696969376.git.josef@toxicpanda.com> X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org From: Sweet Tea Dorminy Make sure that we succeed at reflinking encrypted data. Test deliberately numbered with a high number so it won't conflict with tests between now and merge. --- tests/btrfs/613 | 59 +++++++++++++++++++++++++++++++++++++++++++++ tests/btrfs/613.out | 13 ++++++++++ 2 files changed, 72 insertions(+) create mode 100755 tests/btrfs/613 create mode 100644 tests/btrfs/613.out diff --git a/tests/btrfs/613 b/tests/btrfs/613 new file mode 100755 index 00000000..0288016e --- /dev/null +++ b/tests/btrfs/613 @@ -0,0 +1,59 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright (c) 2023 Meta Platforms, Inc. All Rights Reserved. +# +# FS QA Test 613 +# +# Check if reflinking one encrypted file on btrfs succeeds. +# +. ./common/preamble +_begin_fstest auto encrypt + +# Import common functions. +. ./common/encrypt +. ./common/filter +. ./common/reflink + +# real QA test starts here + +# Modify as appropriate. +_supported_fs btrfs + +_require_test +_require_scratch +_require_cp_reflink +_require_scratch_encryption -v 2 +_require_command "$KEYCTL_PROG" keyctl + +_scratch_mkfs_encrypted &>> $seqres.full +_scratch_mount + +dir=$SCRATCH_MNT/dir +mkdir $dir +_set_encpolicy $dir $TEST_KEY_IDENTIFIER +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" +echo "Creating and reflinking a file" +$XFS_IO_PROG -t -f -c "pwrite 0 33k" $dir/test > /dev/null +cp --reflink=always $dir/test $dir/test2 + +echo "Can't reflink encrypted and unencrypted" +cp --reflink=always $dir/test $SCRATCH_MNT/fail |& _filter_scratch + +echo "Diffing the file and its copy" +diff $dir/test $dir/test2 + +echo "Verifying the files are reflinked" +_verify_reflink $dir/test $dir/test2 + +echo "Diffing the files after remount" +_scratch_cycle_mount +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" +diff $dir/test $dir/test2 + +echo "Diffing the files after key remove" +_rm_enckey $SCRATCH_MNT $TEST_KEY_IDENTIFIER +diff $dir/test $dir/test2 |& _filter_scratch + +# success, all done +status=0 +exit diff --git a/tests/btrfs/613.out b/tests/btrfs/613.out new file mode 100644 index 00000000..4895d6dd --- /dev/null +++ b/tests/btrfs/613.out @@ -0,0 +1,13 @@ +QA output created by 613 +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +Creating and reflinking a file +Can't reflink encrypted and unencrypted +cp: failed to clone 'SCRATCH_MNT/fail' from 'SCRATCH_MNT/dir/test': Invalid argument +Diffing the file and its copy +Verifying the files are reflinked +Diffing the files after remount +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +Diffing the files after key remove +Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +diff: SCRATCH_MNT/dir/test: No such file or directory +diff: SCRATCH_MNT/dir/test2: No such file or directory From patchwork Tue Oct 10 20:26:00 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Josef Bacik X-Patchwork-Id: 13415998 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 01354CD8CBE for ; Tue, 10 Oct 2023 20:26:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231208AbjJJU0n (ORCPT ); Tue, 10 Oct 2023 16:26:43 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36372 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234528AbjJJU0a (ORCPT ); Tue, 10 Oct 2023 16:26:30 -0400 Received: from mail-yw1-x112a.google.com (mail-yw1-x112a.google.com [IPv6:2607:f8b0:4864:20::112a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9EDD3F4 for ; Tue, 10 Oct 2023 13:26:25 -0700 (PDT) Received: by mail-yw1-x112a.google.com with SMTP id 00721157ae682-59f82ad1e09so76629717b3.0 for ; Tue, 10 Oct 2023 13:26:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=toxicpanda-com.20230601.gappssmtp.com; s=20230601; t=1696969585; x=1697574385; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=WjlHOtrmj3j+aDuwQDOJPd6FNzCtXK4lP83KMVMNQ78=; b=NuOA82EblV9VoFsJrz8LU/0QooeSrjOEKcAvBaH+20hPlXvuQXGOOuhO748m0ZbyaE I/K6amYHbwigIgU/ypBQIEBPWM4V36xdl1hhAQ2b1ghgm8hqFHHrmMsPIUsTETQcnwB+ GohYUuW5A9rViUk3Bs3trcZP5sC4VNt6QAgITFo6OZ5VnCG4vXNej7/IzZz/o54vWBbO 4Mbd1DILvGkZvYE0CC/heXzLj6dEPRXSV6ee3RnpmlsI5WWbFG4KVCUMsnWZIRBQAXdR NyJfskiDl3cc0LlHQJr2EtUyjacObWv7A6Konjotprp5/SxiBu2BQfGPVXRKBwKLOwNE fohA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696969585; x=1697574385; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=WjlHOtrmj3j+aDuwQDOJPd6FNzCtXK4lP83KMVMNQ78=; b=BhwBPhkHa2pybpbJhWXU9WItXqTx9lJpwoWnVeDFZpCY6KN9F4LJ8FkfhNAeqmT7dQ 69jYpMCM+hbM90rBHMcbEJ0X4HL7PaT/HT/pQzBNpY2F0ubQO74+RrQA/wEodVkwqfmP JWA9QBCzfsbvAwNFzSzcp1VQ0t6aQEdzZI3NctjdPKLKS4qseuG+4AWVCIZaylaVf55w ldlU6qagt/HaxeqyirJdgODUlacVv0KhQxXu/jBIx+N9id5x68+wyGr3xJR7DFKe1Ea2 lZDVPyAW3WHs4cRr+t0XyVNvNGp+/v/6bWoqvqcUtjUlNxKy9xThrjvS69KD0/LPFqqO Mezw== X-Gm-Message-State: AOJu0YyHKQrZ9SS/2d6e6TpGtteN+DyjaEwYg/AEOaHuDfqY8VOGJbu8 pkSMbflE1Tvfj+TIBJn1JZnbp3DA8qnD2mwBItt8BA== X-Google-Smtp-Source: AGHT+IFYUeWvqGAdezAeV0PC8Dt/mEZnTIfBKHtUm1+6ewgo2L71xr6Nj3WRQlnyyO/HOQuYGigcZQ== X-Received: by 2002:a81:8782:0:b0:577:51cd:1b4a with SMTP id x124-20020a818782000000b0057751cd1b4amr21451628ywf.41.1696969585060; Tue, 10 Oct 2023 13:26:25 -0700 (PDT) Received: from localhost (cpe-76-182-20-124.nc.res.rr.com. [76.182.20.124]) by smtp.gmail.com with ESMTPSA id m12-20020a819e0c000000b00594fff48796sm4588587ywj.75.2023.10.10.13.26.24 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Oct 2023 13:26:24 -0700 (PDT) From: Josef Bacik To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org Cc: Sweet Tea Dorminy Subject: [PATCH 07/12] btrfs: test snapshotting encrypted subvol Date: Tue, 10 Oct 2023 16:26:00 -0400 Message-ID: <9a17afb133849c2321bb98c07c48cff2aaf1d87a.1696969376.git.josef@toxicpanda.com> X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org From: Sweet Tea Dorminy Make sure that snapshots of encrypted data are readable and writeable. Test deliberately high-numbered to not conflict. Signed-off-by: Sweet Tea Dorminy Reviewed-by: Anand Jain --- tests/btrfs/614 | 76 ++++++++++++++++++++++++++++++ tests/btrfs/614.out | 111 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 187 insertions(+) create mode 100755 tests/btrfs/614 create mode 100644 tests/btrfs/614.out diff --git a/tests/btrfs/614 b/tests/btrfs/614 new file mode 100755 index 00000000..87dd27f9 --- /dev/null +++ b/tests/btrfs/614 @@ -0,0 +1,76 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright (c) 2023 Meta Platforms, Inc. All Rights Reserved. +# +# FS QA Test 614 +# +# Try taking a snapshot of an encrypted subvolume. Make sure the snapshot is +# still readable. Rewrite part of the subvol with the same data; make sure it's +# still readable. +# +. ./common/preamble +_begin_fstest auto encrypt + +# Import common functions. +. ./common/encrypt +. ./common/filter + +# real QA test starts here +_supported_fs btrfs + +_require_test +_require_scratch +_require_scratch_encryption -v 2 +_require_command "$KEYCTL_PROG" keyctl + +_scratch_mkfs_encrypted &>> $seqres.full +_scratch_mount + +udir=$SCRATCH_MNT/reference +dir=$SCRATCH_MNT/subvol +dir2=$SCRATCH_MNT/subvol2 +$BTRFS_UTIL_PROG subvolume create $dir >> $seqres.full +mkdir $udir + +_set_encpolicy $dir $TEST_KEY_IDENTIFIER +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" + +# get files with lots of extents by using backwards writes. +for j in `seq 0 50`; do + for i in `seq 20 -1 1`; do + $XFS_IO_PROG -f -d -c "pwrite $(($i * 4096)) 4096" \ + $dir/foo-$j >> $seqres.full | _filter_xfs_io + $XFS_IO_PROG -f -d -c "pwrite $(($i * 4096)) 4096" \ + $udir/foo-$j >> $seqres.full | _filter_xfs_io + done +done + +$BTRFS_UTIL_PROG subvolume snapshot $dir $dir2 | _filter_scratch + +_scratch_remount +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" +sleep 30 +echo "Diffing $dir and $dir2" +diff $dir $dir2 + +echo "Rewriting $dir2 partly" +# rewrite half of each file in the snapshot +for j in `seq 0 50`; do + for i in `seq 10 -1 1`; do + $XFS_IO_PROG -f -d -c "pwrite $(($i * 4096)) 4096" \ + $dir2/foo-$j >> $seqres.full | _filter_xfs_io + done +done + +echo "Diffing $dir and $dir2" +diff $dir $dir2 + +echo "Dropping key and diffing" +_rm_enckey $SCRATCH_MNT $TEST_KEY_IDENTIFIER +diff $dir $dir2 |& _filter_scratch | _filter_nokey_filenames + +$BTRFS_UTIL_PROG subvolume delete $dir > /dev/null 2>&1 + +# success, all done +status=0 +exit diff --git a/tests/btrfs/614.out b/tests/btrfs/614.out new file mode 100644 index 00000000..390807e8 --- /dev/null +++ b/tests/btrfs/614.out @@ -0,0 +1,111 @@ +QA output created by 614 +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +Create a snapshot of 'SCRATCH_MNT/subvol' in 'SCRATCH_MNT/subvol2' +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +Diffing /mnt/scratch/subvol and /mnt/scratch/subvol2 +Rewriting /mnt/scratch/subvol2 partly +Diffing /mnt/scratch/subvol and /mnt/scratch/subvol2 +Dropping key and diffing +Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME From patchwork Tue Oct 10 20:26:01 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Josef Bacik X-Patchwork-Id: 13415997 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A1D53CD8CB6 for ; Tue, 10 Oct 2023 20:26:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229748AbjJJU0o (ORCPT ); Tue, 10 Oct 2023 16:26:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54310 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234539AbjJJU0a (ORCPT ); Tue, 10 Oct 2023 16:26:30 -0400 Received: from mail-yw1-x112e.google.com (mail-yw1-x112e.google.com [IPv6:2607:f8b0:4864:20::112e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D91B6101 for ; Tue, 10 Oct 2023 13:26:26 -0700 (PDT) Received: by mail-yw1-x112e.google.com with SMTP id 00721157ae682-5a4c073cc06so2077587b3.1 for ; Tue, 10 Oct 2023 13:26:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=toxicpanda-com.20230601.gappssmtp.com; s=20230601; t=1696969586; x=1697574386; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=3hzSgDT0gSoCBX2kCWh7EzeVvXJNhVaEv2jbeDNylHU=; b=PaIPiU64zkb7shF8XRz5d7OP0jz+m0uJYV++VIBdawswqF3loG3st5JpPf+xDoUJKM 66MzEdLcFWPwpn47x0icvbvOqIBDA1TamkiVxOvbAuZa0l21Zxf2rUelb7RrBgV50Ida MK8+dEpvUwQqTX+ccyIbk7UTpE9AU8SEClXuVxw8Lxms3HEZ6S3gvy4kkApZ/CBrd+8E 6xWfUakK303goQePALyJDI+rKT54jpThCrZmEZe/8MLXkG96voVKd2KiyIDD/vvCOCH5 URE3EMTDt3VhuMw7qziw1U5pwMxf0V94lzmnEcYd8Z1fsIjNbZaCIORdc9MwQFQ95JM3 s5kw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696969586; x=1697574386; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=3hzSgDT0gSoCBX2kCWh7EzeVvXJNhVaEv2jbeDNylHU=; b=i5ohLK2sbbGiSBPU/FuWQZHEV4OaboDJCnp0bzRs5iNQHCqxbVBwAHrcef8z3Lzges 9gjcNVt3PJlnS5RwEREvJmumeognZiPxbTpVJ/cmzcICRv8y4urTxjd1vE8Mtteo0yzb YfNdLDpKK+RuZjJRJ19CoyPdDlkjF9gL6iaRoPvz+IifyeTSZFrDvRg9GcwQmuWhTDvn m6bVVHe6kzEeN8UJ7DyFH0SiJkJ6mTnXpFZoNhT3U0KVshek4d/s/TZf89kPn6lgpQF4 Iz9HPgSm7K60ctocOdx/tbCi5GomnG89YhcrF/Fmu6xniVL/ACCI3ngjJ/nakbs7EDO3 xvCA== X-Gm-Message-State: AOJu0YwlGlfXxSKlhvFuJOT9GtZnBBNCXyzvcyLXPLCja+vdGl3019bg QQEkRS6la1M+3VwPWJF0xhcBCEOzxx2unhv1Y/lgsg== X-Google-Smtp-Source: AGHT+IEADGedsJ+tD+z1v+BkL/Fj36MMKWHXc5DgD5MLY74OYK5q9bScHx6p5oY7kR3DiomxEx51DA== X-Received: by 2002:a81:4e10:0:b0:56c:e480:2b2b with SMTP id c16-20020a814e10000000b0056ce4802b2bmr10786812ywb.12.1696969585964; Tue, 10 Oct 2023 13:26:25 -0700 (PDT) Received: from localhost (cpe-76-182-20-124.nc.res.rr.com. [76.182.20.124]) by smtp.gmail.com with ESMTPSA id p20-20020a0de614000000b005a7bbd713ddsm824658ywe.108.2023.10.10.13.26.25 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Oct 2023 13:26:25 -0700 (PDT) From: Josef Bacik To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org Subject: [PATCH 08/12] fstests: properly test for v1 encryption policies in encrypt tests Date: Tue, 10 Oct 2023 16:26:01 -0400 Message-ID: X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org With btrfs adding fscrypt support we're limiting the usage to plain v2 policies only. This means we need to update the _require's for generic/593 that tests both v1 and v2 policies. The other sort of tests will be split into two tests in later patches. Signed-off-by: Josef Bacik Reviewed-by: Anand Jain --- common/encrypt | 2 ++ tests/generic/593 | 1 + 2 files changed, 3 insertions(+) diff --git a/common/encrypt b/common/encrypt index 1372af66..120ca612 100644 --- a/common/encrypt +++ b/common/encrypt @@ -59,6 +59,8 @@ _require_scratch_encryption() # policy required by the test. if [ $# -ne 0 ]; then _require_encryption_policy_support $SCRATCH_MNT "$@" + else + _require_encryption_policy_support $SCRATCH_MNT -v 1 fi _scratch_unmount diff --git a/tests/generic/593 b/tests/generic/593 index 2dda5d76..7907236c 100755 --- a/tests/generic/593 +++ b/tests/generic/593 @@ -17,6 +17,7 @@ _begin_fstest auto quick encrypt # real QA test starts here _supported_fs generic +_require_scratch_encryption -v 1 _require_scratch_encryption -v 2 _require_command "$KEYCTL_PROG" keyctl From patchwork Tue Oct 10 20:26:02 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Josef Bacik X-Patchwork-Id: 13415992 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5D230CD8CBD for ; Tue, 10 Oct 2023 20:26:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231825AbjJJU0f (ORCPT ); Tue, 10 Oct 2023 16:26:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54354 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234632AbjJJU0c (ORCPT ); Tue, 10 Oct 2023 16:26:32 -0400 Received: from mail-yb1-xb31.google.com (mail-yb1-xb31.google.com [IPv6:2607:f8b0:4864:20::b31]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BDCABC9 for ; Tue, 10 Oct 2023 13:26:27 -0700 (PDT) Received: by mail-yb1-xb31.google.com with SMTP id 3f1490d57ef6-d9a516b015cso1473984276.2 for ; Tue, 10 Oct 2023 13:26:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=toxicpanda-com.20230601.gappssmtp.com; s=20230601; t=1696969587; x=1697574387; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=nCU5pMZ0m3eAagSN+le1r3UM58vPGnqfNmWJ/pF9FlI=; b=N0wBgkc2d5Tkqg+iNcNW3Lqpbmjb4x2AeSjVurIRNV9RGQxg9X83htpUvm0Gdb3jxw NmF43S/5e341s31BENtdXmmsU1RnIEIPThaCy5Sw/tjFv6qN5V6qpsPiTVjeu4CJm5kH J8vbuO/C/UeX+QpkQ3lbnypnkRmsi4fa0g74pLjsybWjrS5wVZQWdxIDUlhBmCnVKH8l 7wkfwzqapKWk1C/ufrlUu9pAnpnyu2Zme+vaPmvqK74psn9oN5hZphEs58Fl0DyeigPh n3dfJFvsW47hdeDyxY3tCrtB0JkjlStxo2KxOOoYh/CDGsThfxHCsUIRE0NiQLvtn8MN n+tQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696969587; x=1697574387; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=nCU5pMZ0m3eAagSN+le1r3UM58vPGnqfNmWJ/pF9FlI=; b=k1GhdAHqO82CS3+1ju10kVQKRFs5hOtD5quSy1iml0pZzInY7Tl+aJsWbwxTLLTdmQ c35KWQRrdLGILt+1KmS4MuBaWyu/u2KHwZo6HMH8W6CHGG4kzpfEE1UnEvAwyn5VmixI kNRkjZm9SFJXQIt15aFpQ3xGtdhQuo3p4aAMStplRiiqYNHva+l3/wGtiY58tGCpqOFH F4FD6BhvGjumFeknq15PSO+8Esw7aPxd7zaTZbf8YOyqEbTcslEJ2U9YjzAFxjUwRAB+ kMdZQLj/p+DSYBlbKWHOn47p/hw0Nt9GD9VmI8K81cSTQk+ckSUwmUqfrX57IHd6iJ12 Hxxg== X-Gm-Message-State: AOJu0YyHQHQ+DXDyN1P7fyesoKcLZh7NghTPjpS44MfkI+Rg5adwU41y GcFuaJOPRG5w/XQwJMDmsC2FjxqQI4STZf+msXLeWw== X-Google-Smtp-Source: AGHT+IEnYO8liLS81q3dOYpjTVcFTD241g3yDLfTZ44VO54mhYjCFyeio+o8MlAwl2q8YA/MIf3scg== X-Received: by 2002:a25:3308:0:b0:d9a:3801:aed8 with SMTP id z8-20020a253308000000b00d9a3801aed8mr4648166ybz.14.1696969586907; Tue, 10 Oct 2023 13:26:26 -0700 (PDT) Received: from localhost (cpe-76-182-20-124.nc.res.rr.com. [76.182.20.124]) by smtp.gmail.com with ESMTPSA id x142-20020a25ce94000000b00d89679f6d22sm786655ybe.64.2023.10.10.13.26.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Oct 2023 13:26:26 -0700 (PDT) From: Josef Bacik To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org Subject: [PATCH 09/12] fstests: split generic/580 into two tests Date: Tue, 10 Oct 2023 16:26:02 -0400 Message-ID: X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org generic/580 tests both v1 and v2 encryption policies, however btrfs only supports v2 policies. Split this into two tests so that we can get the v2 coverage for btrfs. Signed-off-by: Josef Bacik --- tests/generic/580 | 118 ++++++++++++++++++------------------------ tests/generic/580.out | 40 -------------- tests/generic/733 | 79 ++++++++++++++++++++++++++++ tests/generic/733.out | 44 ++++++++++++++++ 4 files changed, 173 insertions(+), 108 deletions(-) create mode 100644 tests/generic/733 create mode 100644 tests/generic/733.out diff --git a/tests/generic/580 b/tests/generic/580 index 73f32ff9..63ab9712 100755 --- a/tests/generic/580 +++ b/tests/generic/580 @@ -5,7 +5,7 @@ # FS QA Test generic/580 # # Basic test of the fscrypt filesystem-level encryption keyring -# and v2 encryption policies. +# policy. # . ./common/preamble @@ -18,80 +18,62 @@ echo # real QA test starts here _supported_fs generic -_require_scratch_encryption -v 2 +_require_scratch_encryption _scratch_mkfs_encrypted &>> $seqres.full _scratch_mount -test_with_policy_version() -{ - local vers=$1 - - if (( vers == 1 )); then - local keyspec=$TEST_KEY_DESCRIPTOR - local add_enckey_args="-d $keyspec" - else - local keyspec=$TEST_KEY_IDENTIFIER - local add_enckey_args="" - fi - - mkdir $dir - echo "# Setting v$vers encryption policy" - _set_encpolicy $dir $keyspec - echo "# Getting v$vers encryption policy" - _get_encpolicy $dir | _filter_scratch - if (( vers == 1 )); then - echo "# Getting v1 encryption policy using old ioctl" - _get_encpolicy $dir -1 | _filter_scratch - fi - echo "# Trying to create file without key added yet" - $XFS_IO_PROG -f $dir/file |& _filter_scratch - echo "# Getting encryption key status" - _enckey_status $SCRATCH_MNT $keyspec - echo "# Adding encryption key" - _add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" $add_enckey_args - echo "# Creating encrypted file" - echo contents > $dir/file - echo "# Getting encryption key status" - _enckey_status $SCRATCH_MNT $keyspec - echo "# Removing encryption key" - _rm_enckey $SCRATCH_MNT $keyspec - echo "# Getting encryption key status" - _enckey_status $SCRATCH_MNT $keyspec - echo "# Verifying that the encrypted directory was \"locked\"" - cat $dir/file |& _filter_scratch - cat "$(find $dir -type f)" |& _filter_scratch | cut -d ' ' -f3- - - # Test removing key with a file open. - echo "# Re-adding encryption key" - _add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" $add_enckey_args - echo "# Creating another encrypted file" - echo foo > $dir/file2 - echo "# Removing key while an encrypted file is open" - exec 3< $dir/file - _rm_enckey $SCRATCH_MNT $keyspec - echo "# Non-open file should have been evicted" - cat $dir/file2 |& _filter_scratch - echo "# Open file shouldn't have been evicted" - cat $dir/file - echo "# Key should be in \"incompletely removed\" state" - _enckey_status $SCRATCH_MNT $keyspec - echo "# Closing file and removing key for real now" - exec 3<&- - _rm_enckey $SCRATCH_MNT $keyspec - cat $dir/file |& _filter_scratch - - echo "# Cleaning up" - rm -rf $dir - _scratch_cycle_mount # Clear all keys - echo -} - dir=$SCRATCH_MNT/dir +keyspec=$TEST_KEY_DESCRIPTOR -test_with_policy_version 1 +mkdir $dir +echo "# Setting v1 encryption policy" +_set_encpolicy $dir $keyspec +echo "# Getting v1 encryption policy" +_get_encpolicy $dir | _filter_scratch +echo "# Getting v1 encryption policy using old ioctl" +_get_encpolicy $dir -1 | _filter_scratch +echo "# Trying to create file without key added yet" +$XFS_IO_PROG -f $dir/file |& _filter_scratch +echo "# Getting encryption key status" +_enckey_status $SCRATCH_MNT $keyspec +echo "# Adding encryption key" +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" -d $keyspec +echo "# Creating encrypted file" +echo contents > $dir/file +echo "# Getting encryption key status" +_enckey_status $SCRATCH_MNT $keyspec +echo "# Removing encryption key" +_rm_enckey $SCRATCH_MNT $keyspec +echo "# Getting encryption key status" +_enckey_status $SCRATCH_MNT $keyspec +echo "# Verifying that the encrypted directory was \"locked\"" +cat $dir/file |& _filter_scratch +cat "$(find $dir -type f)" |& _filter_scratch | cut -d ' ' -f3- -test_with_policy_version 2 +# Test removing key with a file open. +echo "# Re-adding encryption key" +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" -d $keyspec +echo "# Creating another encrypted file" +echo foo > $dir/file2 +echo "# Removing key while an encrypted file is open" +exec 3< $dir/file +_rm_enckey $SCRATCH_MNT $keyspec +echo "# Non-open file should have been evicted" +cat $dir/file2 |& _filter_scratch +echo "# Open file shouldn't have been evicted" +cat $dir/file +echo "# Key should be in \"incompletely removed\" state" +_enckey_status $SCRATCH_MNT $keyspec +echo "# Closing file and removing key for real now" +exec 3<&- +_rm_enckey $SCRATCH_MNT $keyspec +cat $dir/file |& _filter_scratch + +echo "# Cleaning up" +rm -rf $dir +_scratch_cycle_mount # Clear all keys +echo echo "# Trying to remove absent key" _rm_enckey $SCRATCH_MNT abcdabcdabcdabcd diff --git a/tests/generic/580.out b/tests/generic/580.out index 989d4514..f2f4d490 100644 --- a/tests/generic/580.out +++ b/tests/generic/580.out @@ -47,45 +47,5 @@ Removed encryption key with descriptor 0000111122223333 cat: SCRATCH_MNT/dir/file: No such file or directory # Cleaning up -# Setting v2 encryption policy -# Getting v2 encryption policy -Encryption policy for SCRATCH_MNT/dir: - Policy version: 2 - Master key identifier: 69b2f6edeee720cce0577937eb8a6751 - Contents encryption mode: 1 (AES-256-XTS) - Filenames encryption mode: 4 (AES-256-CTS) - Flags: 0x02 -# Trying to create file without key added yet -SCRATCH_MNT/dir/file: Required key not available -# Getting encryption key status -Absent -# Adding encryption key -Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Creating encrypted file -# Getting encryption key status -Present (user_count=1, added_by_self) -# Removing encryption key -Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Getting encryption key status -Absent -# Verifying that the encrypted directory was "locked" -cat: SCRATCH_MNT/dir/file: No such file or directory -Required key not available -# Re-adding encryption key -Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Creating another encrypted file -# Removing key while an encrypted file is open -Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751, but files still busy -# Non-open file should have been evicted -cat: SCRATCH_MNT/dir/file2: Required key not available -# Open file shouldn't have been evicted -contents -# Key should be in "incompletely removed" state -Incompletely removed -# Closing file and removing key for real now -Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -cat: SCRATCH_MNT/dir/file: No such file or directory -# Cleaning up - # Trying to remove absent key Error removing encryption key: Required key not available diff --git a/tests/generic/733 b/tests/generic/733 new file mode 100644 index 00000000..ae0434fb --- /dev/null +++ b/tests/generic/733 @@ -0,0 +1,79 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# +# FS QA Test generic/733 +# +# A v2 only version of generic/580 + +. ./common/preamble +_begin_fstest auto quick encrypt +echo + +# Import common functions. +. ./common/filter +. ./common/encrypt + +# real QA test starts here +_supported_fs generic +_require_scratch_encryption -v 2 + +_scratch_mkfs_encrypted &>> $seqres.full +_scratch_mount + +keyspec=$TEST_KEY_IDENTIFIER +dir=$SCRATCH_MNT/dir + +mkdir $dir +echo "# Setting v2 encryption policy" +_set_encpolicy $dir $keyspec +echo "# Getting v2 encryption policy" +_get_encpolicy $dir | _filter_scratch +echo "# Trying to create file without key added yet" +$XFS_IO_PROG -f $dir/file |& _filter_scratch +echo "# Getting encryption key status" +_enckey_status $SCRATCH_MNT $keyspec +echo "# Adding encryption key" +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" +echo "# Creating encrypted file" +echo contents > $dir/file +echo "# Getting encryption key status" +_enckey_status $SCRATCH_MNT $keyspec +echo "# Removing encryption key" +_rm_enckey $SCRATCH_MNT $keyspec +echo "# Getting encryption key status" +_enckey_status $SCRATCH_MNT $keyspec +echo "# Verifying that the encrypted directory was \"locked\"" +cat $dir/file |& _filter_scratch +cat "$(find $dir -type f)" |& _filter_scratch | cut -d ' ' -f3- + +# Test removing key with a file open. +echo "# Re-adding encryption key" +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" +echo "# Creating another encrypted file" +echo foo > $dir/file2 +echo "# Removing key while an encrypted file is open" +exec 3< $dir/file +_rm_enckey $SCRATCH_MNT $keyspec +echo "# Non-open file should have been evicted" +cat $dir/file2 |& _filter_scratch +echo "# Open file shouldn't have been evicted" +cat $dir/file +echo "# Key should be in \"incompletely removed\" state" +_enckey_status $SCRATCH_MNT $keyspec +echo "# Closing file and removing key for real now" +exec 3<&- +_rm_enckey $SCRATCH_MNT $keyspec +cat $dir/file |& _filter_scratch + +echo "# Cleaning up" +rm -rf $dir +_scratch_cycle_mount # Clear all keys +echo + +echo "# Trying to remove absent key" +_rm_enckey $SCRATCH_MNT abcdabcdabcdabcd + +# success, all done +status=0 +exit + diff --git a/tests/generic/733.out b/tests/generic/733.out new file mode 100644 index 00000000..02dce51d --- /dev/null +++ b/tests/generic/733.out @@ -0,0 +1,44 @@ +QA output created by 733 + +# Setting v2 encryption policy +# Getting v2 encryption policy +Encryption policy for SCRATCH_MNT/dir: + Policy version: 2 + Master key identifier: 69b2f6edeee720cce0577937eb8a6751 + Contents encryption mode: 1 (AES-256-XTS) + Filenames encryption mode: 4 (AES-256-CTS) + Flags: 0x02 +# Trying to create file without key added yet +SCRATCH_MNT/dir/file: Required key not available +# Getting encryption key status +Absent +# Adding encryption key +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Creating encrypted file +# Getting encryption key status +Present (user_count=1, added_by_self) +# Removing encryption key +Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Getting encryption key status +Absent +# Verifying that the encrypted directory was "locked" +cat: SCRATCH_MNT/dir/file: No such file or directory +Required key not available +# Re-adding encryption key +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Creating another encrypted file +# Removing key while an encrypted file is open +Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751, but files still busy +# Non-open file should have been evicted +cat: SCRATCH_MNT/dir/file2: Required key not available +# Open file shouldn't have been evicted +contents +# Key should be in "incompletely removed" state +Incompletely removed +# Closing file and removing key for real now +Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +cat: SCRATCH_MNT/dir/file: No such file or directory +# Cleaning up + +# Trying to remove absent key +Error removing encryption key: Required key not available From patchwork Tue Oct 10 20:26:03 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Josef Bacik X-Patchwork-Id: 13415993 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E43BCCD8CB7 for ; Tue, 10 Oct 2023 20:26:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234658AbjJJU0g (ORCPT ); Tue, 10 Oct 2023 16:26:36 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54246 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232064AbjJJU0c (ORCPT ); Tue, 10 Oct 2023 16:26:32 -0400 Received: from mail-yw1-x1129.google.com (mail-yw1-x1129.google.com [IPv6:2607:f8b0:4864:20::1129]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E7E4A110 for ; Tue, 10 Oct 2023 13:26:28 -0700 (PDT) Received: by mail-yw1-x1129.google.com with SMTP id 00721157ae682-5a7be61fe74so14876407b3.2 for ; Tue, 10 Oct 2023 13:26:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=toxicpanda-com.20230601.gappssmtp.com; s=20230601; t=1696969588; x=1697574388; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=mF1vbhiX1cdiPR9Z0KxSfmvhj/avUWiDcOqPSNPdsMM=; b=i5zKHZRm8nga1f7lLWUDuIoJCcEAKWGCSl5qkHOIgjzc4eXQgLlwiZpqXSarjIhqde TqWVZBGEyS0W2xSX8hOFzcsnG3aDeKvT9lmLL13fJUcjqWGQ4kRrJxxVxolgMS1+CUUT FOuYo1m2efwWkBSENKLSEuM6uKhFucxXeMZxN0bU2gcD9HfCmZUAFkMLRsGQ0YBJUqeD RP9OZA/YYX9QVgTT9MgGdMCA545gYpDyaXHvh0IndCVY4R0dLyPJMT6/665FQzqNaFZY NkK+Zu1pEdkeioYS2ESVNzmHcqRlgnVrKBWYYsyGGa9woDyzKpc+Y9Aelfu7uAqdS+Tw GmHQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696969588; x=1697574388; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=mF1vbhiX1cdiPR9Z0KxSfmvhj/avUWiDcOqPSNPdsMM=; b=rZpv+rBliB1q1eu4kpIhn6X5gw+AuFiu5R+Y8V3wKRmdobLcVTqsmLgbC17UbstXZe eLLOSfETGmiUB1j4CSsiT/NKZcRVjrkdRHb0Bx2JXKn8IMFCuTavJ3h4e1vMbzUo+j/f LfMvVHagwCA0f/V4OpP38/uAHgnQMVz3y/cttXt/IpdcfIyZeQdwxUCSEF5tP7JK9gmY rTgyT8cr03KtBkfBt/JIARUtV5/jIaOgNaIzCDu2XlG5AazYP/09oDIsZkTqhpMImssz VPnU9MNf2+uyL6GeYEyedMD6QBE7xxyB1f8XDd49uAF3ZUFQxfE64rLAcpS2sTeWpzi3 sIVA== X-Gm-Message-State: AOJu0YybwNeNN7u+jl3V+4IWTgrHxNmnQKngtCqnTYMy8sNidC9AlZ2+ YfmYj98G1LzdlWV04GHuvs3FxKeA9G0IwatlP/j/Gw== X-Google-Smtp-Source: AGHT+IHbQlbrp+UsbhNo4Yoi3+VZM3megDUDcwS3/dwnScoEwA0IR1HI8nRIPEMka0keny9ES8h4ug== X-Received: by 2002:a0d:ea90:0:b0:5a0:83d3:b61d with SMTP id t138-20020a0dea90000000b005a083d3b61dmr20657862ywe.8.1696969587987; Tue, 10 Oct 2023 13:26:27 -0700 (PDT) Received: from localhost (cpe-76-182-20-124.nc.res.rr.com. [76.182.20.124]) by smtp.gmail.com with ESMTPSA id x184-20020a814ac1000000b005869ca8da8esm4613337ywa.146.2023.10.10.13.26.27 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Oct 2023 13:26:27 -0700 (PDT) From: Josef Bacik To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org Subject: [PATCH 10/12] fstests: split generic/581 into two tests Date: Tue, 10 Oct 2023 16:26:03 -0400 Message-ID: <4f808fb5081fc4e9afe77e8498535fd41cc122b2.1696969376.git.josef@toxicpanda.com> X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org generic/581 is mostly a v2 policy test, but it does do some quick checks of v1 policies as a normal user. Split the v1 and v2 related parts into two different tests so that the v2 part can get properly tested for btrfs file systems, which only support v2 policies. Signed-off-by: Josef Bacik --- tests/generic/581 | 89 +--------------------------- tests/generic/581.out | 50 ---------------- tests/generic/734 | 135 ++++++++++++++++++++++++++++++++++++++++++ tests/generic/734.out | 51 ++++++++++++++++ 4 files changed, 188 insertions(+), 137 deletions(-) create mode 100644 tests/generic/734 create mode 100644 tests/generic/734.out diff --git a/tests/generic/581 b/tests/generic/581 index cabc7e1c..ab930ac6 100755 --- a/tests/generic/581 +++ b/tests/generic/581 @@ -4,8 +4,7 @@ # # FS QA Test No. generic/581 # -# Test non-root use of the fscrypt filesystem-level encryption keyring -# and v2 encryption policies. +# Test non-root use of the fscrypt filesystem-level encryption keyring policy. # . ./common/preamble @@ -31,7 +30,7 @@ _cleanup() # real QA test starts here _supported_fs generic _require_user -_require_scratch_encryption -v 2 +_require_scratch_encryption _scratch_mkfs_encrypted &>> $seqres.full _scratch_mount @@ -58,90 +57,6 @@ echo "# Adding v1 policy key as regular user (should fail with EACCES)" _user_do_add_enckey $SCRATCH_MNT "$raw_key" -d $keydesc rm -rf $dir -echo -_user_do "mkdir $dir" - -echo "# Setting v2 policy as regular user without key already added (should fail with ENOKEY)" -_user_do_set_encpolicy $dir $keyid |& _filter_scratch - -echo "# Adding v2 policy key as regular user (should succeed)" -_user_do_add_enckey $SCRATCH_MNT "$raw_key" - -echo "# Setting v2 policy as regular user with key added (should succeed)" -_user_do_set_encpolicy $dir $keyid - -echo "# Getting v2 policy as regular user (should succeed)" -_user_do_get_encpolicy $dir | _filter_scratch - -echo "# Creating encrypted file as regular user (should succeed)" -_user_do "echo contents > $dir/file" - -echo "# Removing v2 policy key as regular user (should succeed)" -_user_do_rm_enckey $SCRATCH_MNT $keyid - -_scratch_cycle_mount # Clear all keys - -# Wait for any invalidated keys to be garbage-collected. -i=0 -while grep -E -q '^[0-9a-f]+ [^ ]*i[^ ]*' /proc/keys; do - if ((++i >= 20)); then - echo "Timed out waiting for invalidated keys to be GC'ed" >> $seqres.full - break - fi - sleep 0.5 -done - -# Set the user key quota to the fsgqa user's current number of keys plus 5. -orig_keys=$(_user_do "awk '/^[[:space:]]*$(id -u fsgqa):/{print \$4}' /proc/key-users | cut -d/ -f1") -: ${orig_keys:=0} -echo "orig_keys=$orig_keys" >> $seqres.full -orig_maxkeys=$( /proc/sys/kernel/keys/maxkeys - -echo -echo "# Testing user key quota" -for i in `seq $((keys_to_add + 1))`; do - rand_raw_key=$(_generate_raw_encryption_key) - _user_do_add_enckey $SCRATCH_MNT "$rand_raw_key" \ - | sed 's/ with identifier .*$//' -done - -# Restore the original key quota. -echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys - -rm -rf $dir -echo -_user_do "mkdir $dir" -_scratch_cycle_mount # Clear all keys - -# Test multiple users adding the same key. -echo "# Adding key as root" -_add_enckey $SCRATCH_MNT "$raw_key" -echo "# Getting key status as regular user" -_user_do_enckey_status $SCRATCH_MNT $keyid -echo "# Removing key only added by another user (should fail with ENOKEY)" -_user_do_rm_enckey $SCRATCH_MNT $keyid -echo "# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY)" -_user_do_set_encpolicy $dir $keyid |& _filter_scratch -echo "# Adding second user of key" -_user_do_add_enckey $SCRATCH_MNT "$raw_key" -echo "# Getting key status as regular user" -_user_do_enckey_status $SCRATCH_MNT $keyid -echo "# Setting v2 encryption policy as regular user" -_user_do_set_encpolicy $dir $keyid -echo "# Removing this user's claim to the key" -_user_do_rm_enckey $SCRATCH_MNT $keyid -echo "# Getting key status as regular user" -_user_do_enckey_status $SCRATCH_MNT $keyid -echo "# Adding back second user of key" -_user_do_add_enckey $SCRATCH_MNT "$raw_key" -echo "# Remove key for \"all users\", as regular user (should fail with EACCES)" -_user_do_rm_enckey $SCRATCH_MNT $keyid -a |& _filter_scratch -_enckey_status $SCRATCH_MNT $keyid -echo "# Remove key for \"all users\", as root" -_rm_enckey $SCRATCH_MNT $keyid -a -_enckey_status $SCRATCH_MNT $keyid # success, all done status=0 diff --git a/tests/generic/581.out b/tests/generic/581.out index b3f7d889..a8cb96a8 100644 --- a/tests/generic/581.out +++ b/tests/generic/581.out @@ -10,53 +10,3 @@ Encryption policy for SCRATCH_MNT/dir: Flags: 0x02 # Adding v1 policy key as regular user (should fail with EACCES) Permission denied - -# Setting v2 policy as regular user without key already added (should fail with ENOKEY) -SCRATCH_MNT/dir: failed to set encryption policy: Required key not available -# Adding v2 policy key as regular user (should succeed) -Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Setting v2 policy as regular user with key added (should succeed) -# Getting v2 policy as regular user (should succeed) -Encryption policy for SCRATCH_MNT/dir: - Policy version: 2 - Master key identifier: 69b2f6edeee720cce0577937eb8a6751 - Contents encryption mode: 1 (AES-256-XTS) - Filenames encryption mode: 4 (AES-256-CTS) - Flags: 0x02 -# Creating encrypted file as regular user (should succeed) -# Removing v2 policy key as regular user (should succeed) -Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 - -# Testing user key quota -Added encryption key -Added encryption key -Added encryption key -Added encryption key -Added encryption key -Error adding encryption key: Disk quota exceeded - -# Adding key as root -Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Getting key status as regular user -Present (user_count=1) -# Removing key only added by another user (should fail with ENOKEY) -Error removing encryption key: Required key not available -# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY) -SCRATCH_MNT/dir: failed to set encryption policy: Required key not available -# Adding second user of key -Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Getting key status as regular user -Present (user_count=2, added_by_self) -# Setting v2 encryption policy as regular user -# Removing this user's claim to the key -Removed user's claim to encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Getting key status as regular user -Present (user_count=1) -# Adding back second user of key -Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Remove key for "all users", as regular user (should fail with EACCES) -Permission denied -Present (user_count=2, added_by_self) -# Remove key for "all users", as root -Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -Absent diff --git a/tests/generic/734 b/tests/generic/734 new file mode 100644 index 00000000..a6f46e7e --- /dev/null +++ b/tests/generic/734 @@ -0,0 +1,135 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2019 Google LLC +# +# FS QA Test No. generic/581 +# +# Test non-root use of the fscrypt filesystem-level encryption v2 policy. +# + +. ./common/preamble +_begin_fstest auto quick encrypt +echo + +orig_maxkeys= + +# Override the default cleanup function. +_cleanup() +{ + cd / + rm -f $tmp.* + if [ -n "$orig_maxkeys" ]; then + echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys + fi +} + +# Import common functions. +. ./common/filter +. ./common/encrypt + +# real QA test starts here +_supported_fs generic +_require_user +_require_scratch_encryption -v 2 + +_scratch_mkfs_encrypted &>> $seqres.full +_scratch_mount + +dir=$SCRATCH_MNT/dir + +raw_key="" +for i in `seq 64`; do + raw_key+="\\x$(printf "%02x" $i)" +done +keydesc="0000111122223333" +keyid="69b2f6edeee720cce0577937eb8a6751" +chmod 777 $SCRATCH_MNT + +_user_do "mkdir $dir" + +echo "# Setting v2 policy as regular user without key already added (should fail with ENOKEY)" +_user_do_set_encpolicy $dir $keyid |& _filter_scratch + +echo "# Adding v2 policy key as regular user (should succeed)" +_user_do_add_enckey $SCRATCH_MNT "$raw_key" + +echo "# Setting v2 policy as regular user with key added (should succeed)" +_user_do_set_encpolicy $dir $keyid + +echo "# Getting v2 policy as regular user (should succeed)" +_user_do_get_encpolicy $dir | _filter_scratch + +echo "# Creating encrypted file as regular user (should succeed)" +_user_do "echo contents > $dir/file" + +echo "# Removing v2 policy key as regular user (should succeed)" +_user_do_rm_enckey $SCRATCH_MNT $keyid + +_scratch_cycle_mount # Clear all keys + +# Wait for any invalidated keys to be garbage-collected. +i=0 +while grep -E -q '^[0-9a-f]+ [^ ]*i[^ ]*' /proc/keys; do + if ((++i >= 20)); then + echo "Timed out waiting for invalidated keys to be GC'ed" >> $seqres.full + break + fi + sleep 0.5 +done + +# Set the user key quota to the fsgqa user's current number of keys plus 5. +orig_keys=$(_user_do "awk '/^[[:space:]]*$(id -u fsgqa):/{print \$4}' /proc/key-users | cut -d/ -f1") +: ${orig_keys:=0} +echo "orig_keys=$orig_keys" >> $seqres.full +orig_maxkeys=$( /proc/sys/kernel/keys/maxkeys + +echo +echo "# Testing user key quota" +for i in `seq $((keys_to_add + 1))`; do + rand_raw_key=$(_generate_raw_encryption_key) + _user_do_add_enckey $SCRATCH_MNT "$rand_raw_key" \ + | sed 's/ with identifier .*$//' +done + +# Restore the original key quota. +echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys + +rm -rf $dir +echo +_user_do "mkdir $dir" +_scratch_cycle_mount # Clear all keys + +# Test multiple users adding the same key. +echo "# Adding key as root" +_add_enckey $SCRATCH_MNT "$raw_key" +echo "# Getting key status as regular user" +_user_do_enckey_status $SCRATCH_MNT $keyid +echo "# Removing key only added by another user (should fail with ENOKEY)" +_user_do_rm_enckey $SCRATCH_MNT $keyid +echo "# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY)" +_user_do_set_encpolicy $dir $keyid |& _filter_scratch +echo "# Adding second user of key" +_user_do_add_enckey $SCRATCH_MNT "$raw_key" +echo "# Getting key status as regular user" +_user_do_enckey_status $SCRATCH_MNT $keyid +echo "# Setting v2 encryption policy as regular user" +_user_do_set_encpolicy $dir $keyid +echo "# Removing this user's claim to the key" +_user_do_rm_enckey $SCRATCH_MNT $keyid +echo "# Getting key status as regular user" +_user_do_enckey_status $SCRATCH_MNT $keyid +echo "# Adding back second user of key" +_user_do_add_enckey $SCRATCH_MNT "$raw_key" +echo "# Remove key for \"all users\", as regular user (should fail with EACCES)" +_user_do_rm_enckey $SCRATCH_MNT $keyid -a |& _filter_scratch +_enckey_status $SCRATCH_MNT $keyid +echo "# Remove key for \"all users\", as root" +_rm_enckey $SCRATCH_MNT $keyid -a +_enckey_status $SCRATCH_MNT $keyid + +# success, all done +status=0 +exit + diff --git a/tests/generic/734.out b/tests/generic/734.out new file mode 100644 index 00000000..85a8c973 --- /dev/null +++ b/tests/generic/734.out @@ -0,0 +1,51 @@ +QA output created by 734 + +# Setting v2 policy as regular user without key already added (should fail with ENOKEY) +SCRATCH_MNT/dir: failed to set encryption policy: Required key not available +# Adding v2 policy key as regular user (should succeed) +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Setting v2 policy as regular user with key added (should succeed) +# Getting v2 policy as regular user (should succeed) +Encryption policy for SCRATCH_MNT/dir: + Policy version: 2 + Master key identifier: 69b2f6edeee720cce0577937eb8a6751 + Contents encryption mode: 1 (AES-256-XTS) + Filenames encryption mode: 4 (AES-256-CTS) + Flags: 0x02 +# Creating encrypted file as regular user (should succeed) +# Removing v2 policy key as regular user (should succeed) +Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 + +# Testing user key quota +Added encryption key +Added encryption key +Added encryption key +Added encryption key +Added encryption key +Error adding encryption key: Disk quota exceeded + +# Adding key as root +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Getting key status as regular user +Present (user_count=1) +# Removing key only added by another user (should fail with ENOKEY) +Error removing encryption key: Required key not available +# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY) +SCRATCH_MNT/dir: failed to set encryption policy: Required key not available +# Adding second user of key +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Getting key status as regular user +Present (user_count=2, added_by_self) +# Setting v2 encryption policy as regular user +# Removing this user's claim to the key +Removed user's claim to encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Getting key status as regular user +Present (user_count=1) +# Adding back second user of key +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Remove key for "all users", as regular user (should fail with EACCES) +Permission denied +Present (user_count=2, added_by_self) +# Remove key for "all users", as root +Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +Absent From patchwork Tue Oct 10 20:26:04 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Josef Bacik X-Patchwork-Id: 13415995 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 78B42CD8CBA for ; Tue, 10 Oct 2023 20:26:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343759AbjJJU0l (ORCPT ); Tue, 10 Oct 2023 16:26:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54310 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234481AbjJJU0f (ORCPT ); Tue, 10 Oct 2023 16:26:35 -0400 Received: from mail-yw1-x1131.google.com (mail-yw1-x1131.google.com [IPv6:2607:f8b0:4864:20::1131]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 49D13116 for ; Tue, 10 Oct 2023 13:26:30 -0700 (PDT) Received: by mail-yw1-x1131.google.com with SMTP id 00721157ae682-5a7cc03dee5so10040487b3.3 for ; Tue, 10 Oct 2023 13:26:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=toxicpanda-com.20230601.gappssmtp.com; s=20230601; t=1696969589; x=1697574389; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=CpXoLSC4B3+y4tFzKbAFP96R061BBPW8n0TzUGeBy20=; b=1I2t8mzbvuNF3pruO1Xc89EgwsALHJBW3WE/RSrXcL3zphYYNS6hnIfCyIcvypmpeR YViEHmWtdVNo43z+6eFe1g1qh5oy9O9q6PTetX/u4IQvSS6y644nQZxJd8RrYRi9QS8q LrrIgTVzptfeKVbBcGIWYGW5ydrJS0/kSnSui1M3o70CUfxq/j+jD5O+2p7C2/DnEw5i DFeSADdy3s4xs4JxckBzmL7EoiNZ6oIUGaqoz9PYrUJjzYOok67aP+Xfc1Cc1IgRjeYF VObc6OsJm2FFl3D3F8r+m6GSQ84KzpUhGpKiuJZQsuC4NEZtE5jM+lDbV0rb6NABscZ8 92sQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696969589; x=1697574389; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=CpXoLSC4B3+y4tFzKbAFP96R061BBPW8n0TzUGeBy20=; b=KR5nfWCvZNywsSjQL6sJzzKaZE09fhPKDnCx/tR9+XW0NuL0H+HNJUPiDgcW28Hxpi /TiEu9iEZyq/cauVeQmbZOYuzz1rLR3liCodoYGwXSPucVkxMnkHmTnGsGPZB5szQ9JP 5cwyeOeZ5Tmlh/wvXMg6T/LXtJ8V6bUQIGd4bFZz2i2wIWHLwWnaVLVqxPKt/QDcD8nw qjFAuSjvMBlEDvu3RnOkkxLFiDjXnN1Z7Fmw9qlabkaidYcxPBaIFPYAiKfBaImxOEq8 QqJi/8ZvEiQCPHQlOIFrlSq9VI3mtMeUXYzXV8aQ1hXot/VKbPO+7HocUH48YbliONeC GlHw== X-Gm-Message-State: AOJu0Yxm8oOX1rsOPx1CQEJsnp9PK0sBGFJgzQcMU8ugJgewfssUBDxs eTKMJUAAu7NnhDBgFF/dcrqowA== X-Google-Smtp-Source: AGHT+IF7Y/FZ6maDxIIOaCWirMfXhRsvOOUqzWjpYsCWBIt+XCan7S/I9Xp6egN+Uj1LaMkChVCBjg== X-Received: by 2002:a81:6203:0:b0:59b:bd55:8452 with SMTP id w3-20020a816203000000b0059bbd558452mr22083068ywb.36.1696969589322; Tue, 10 Oct 2023 13:26:29 -0700 (PDT) Received: from localhost (cpe-76-182-20-124.nc.res.rr.com. [76.182.20.124]) by smtp.gmail.com with ESMTPSA id g68-20020a0df647000000b0059f766f9750sm4665680ywf.124.2023.10.10.13.26.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Oct 2023 13:26:28 -0700 (PDT) From: Josef Bacik To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org Subject: [PATCH 11/12] fstests: split generic/613 into two tests Date: Tue, 10 Oct 2023 16:26:04 -0400 Message-ID: <227ac42377705dcd416558f8415965ecba3a17df.1696969376.git.josef@toxicpanda.com> X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org generic/613 tests v1 and v2 policies, but btrfs can only support v2 policies. Split this into two different tests, 613 which will only test v1 policies, and then 735 which will test v2 policies. The 735 test will also add checks for the per-extent nonces to validate they're all sufficiently random. Signed-off-by: Josef Bacik --- tests/generic/613 | 20 ++------ tests/generic/613.out | 5 +- tests/generic/735 | 117 ++++++++++++++++++++++++++++++++++++++++++ tests/generic/735.out | 14 +++++ 4 files changed, 138 insertions(+), 18 deletions(-) create mode 100644 tests/generic/735 create mode 100644 tests/generic/735.out diff --git a/tests/generic/613 b/tests/generic/613 index 47c60e9c..96b81a96 100755 --- a/tests/generic/613 +++ b/tests/generic/613 @@ -22,22 +22,21 @@ _begin_fstest auto quick encrypt # real QA test starts here _supported_fs generic -_require_scratch_encryption -v 2 +_require_scratch_encryption _require_get_encryption_nonce_support _require_command "$XZ_PROG" xz _scratch_mkfs_encrypted &>> $seqres.full _scratch_mount -echo -e "\n# Adding encryption keys" -_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" +echo -e "\n# Adding encryption key" _add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" -d $TEST_KEY_DESCRIPTOR # Create a bunch of encrypted files and directories -- enough for the uniqueness # and randomness tests to be meaningful, but not so many that this test takes a -# long time. Test using both v1 and v2 encryption policies, and for each of -# those test the case of an encryption policy that is assigned to an empty -# directory as well as the case of a file created in an encrypted directory. +# long time. Test using the v1 encryption policy, test the case of an +# encryption policy that is assigned to an empty directory as well as the case +# of a file created in an encrypted directory. echo -e "\n# Creating encrypted files and directories" inodes=() for i in {1..50}; do @@ -45,20 +44,11 @@ for i in {1..50}; do mkdir $dir inodes+=("$(stat -c %i $dir)") _set_encpolicy $dir $TEST_KEY_DESCRIPTOR - - dir=$SCRATCH_MNT/v2_policy_dir_$i - mkdir $dir - inodes+=("$(stat -c %i $dir)") - _set_encpolicy $dir $TEST_KEY_IDENTIFIER done for i in {1..50}; do file=$SCRATCH_MNT/v1_policy_dir_1/$i touch $file inodes+=("$(stat -c %i $file)") - - file=$SCRATCH_MNT/v2_policy_dir_1/$i - touch $file - inodes+=("$(stat -c %i $file)") done _scratch_unmount diff --git a/tests/generic/613.out b/tests/generic/613.out index 203a64f2..4a218d03 100644 --- a/tests/generic/613.out +++ b/tests/generic/613.out @@ -1,7 +1,6 @@ QA output created by 613 -# Adding encryption keys -Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Adding encryption key Added encryption key with descriptor 0000111122223333 # Creating encrypted files and directories @@ -12,5 +11,5 @@ Added encryption key with descriptor 0000111122223333 Listing non-unique nonces: # Verifying randomness of nonces -Uncompressed size is 3200 bytes +Uncompressed size is 1600 bytes Nonces are incompressible, as expected diff --git a/tests/generic/735 b/tests/generic/735 new file mode 100644 index 00000000..c901be1f --- /dev/null +++ b/tests/generic/735 @@ -0,0 +1,117 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2023 Meta +# +# FS QA Test No. 735 +# +# A variation of generic/613 that only tests v2, and checks data nonces for any +# file system that supporst per-extent encryption. +# +# Test that encryption nonces are unique and random, where randomness is +# approximated as "incompressible by the xz program". +# +# An encryption nonce is the 16-byte value that the filesystem generates for +# each encrypted file. These nonces must be unique in order to cause different +# files to be encrypted differently, which is an important security property. +# In practice, they need to be random to achieve that; and it's easy enough to +# test for both uniqueness and randomness, so we test for both. +# +. ./common/preamble +_begin_fstest auto quick encrypt + +# Import common functions. +. ./common/filter +. ./common/encrypt + +# real QA test starts here +_supported_fs generic +_require_scratch_encryption -v 2 +_require_get_encryption_nonce_support +_require_command "$XZ_PROG" xz + +_check_nonce() +{ + local nonce=$1 + + if (( ${#nonce} != 32 )) || [ -n "$(echo "$nonce" | tr -d 0-9a-fA-F)" ] + then + _fail "Expected nonce for inode $inode to be 16 bytes (32 hex characters), but got \"$nonce\"" + fi +} + +_scratch_mkfs_encrypted &>> $seqres.full +_scratch_mount + +echo -e "\n# Adding encryption key" +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" + +# Create a bunch of encrypted files and directories -- enough for the uniqueness +# and randomness tests to be meaningful, but not so many that this test takes a +# long time. Test using the v2 encryption policy, test the case of an +# encryption policy that is assigned to an empty directory as well as the case +# of a file created in an encrypted directory. +echo -e "\n# Creating encrypted files and directories" +inodes=() +for i in {1..50}; do + dir=$SCRATCH_MNT/v2_policy_dir_$i + mkdir $dir + inodes+=("$(stat -c %i $dir)") + _set_encpolicy $dir $TEST_KEY_IDENTIFIER +done +for i in {1..50}; do + file=$SCRATCH_MNT/v2_policy_dir_1/$i + $XFS_IO_PROG -f -c "pwrite 0 1m" $file > /dev/null + inodes+=("$(stat -c %i $file)") +done +_scratch_unmount + +# Build files that contain all the nonces. nonces_hex contains them in hex, one +# per line. nonces_bin contains them in binary, all concatenated. +echo -e "\n# Getting encryption nonces from inodes" +echo -n > $tmp.nonces_hex +echo -n > $tmp.nonces_bin +for inode in "${inodes[@]}"; do + inode_nonce=$(_get_encryption_file_nonce $SCRATCH_DEV $inode) + _check_nonce $inode_nonce + + echo $inode_nonce >> $tmp.nonces_hex + echo -ne "$(echo $inode_nonce | sed 's/[0-9a-fA-F]\{2\}/\\x\0/g')" \ + >> $tmp.nonces_bin + + data_nonce=$(_get_encryption_data_nonce $SCRATCH_DEV $inode) + + # If the inode is empty we won't have a data nonce + [ "$data_nonce" = "" ] && continue + + # If the inode nonce and data nonce are the same continue + [ "$inode_nonce" = "$data_nonce" ] && continue + + _check_nonce $data_nonce + + echo $data_nonce >> $tmp.nonces_hex + echo -ne "$(echo $data_nonce | sed 's/[0-9a-fA-F]\{2\}/\\x\0/g')" \ + >> $tmp.nonces_bin +done + +# Verify the uniqueness and randomness of the nonces. In theory randomness +# implies uniqueness here, but it's easy enough to explicitly test for both. + +echo -e "\n# Verifying uniqueness of nonces" +echo "Listing non-unique nonces:" +sort < $tmp.nonces_hex | uniq -d + +echo -e "\n# Verifying randomness of nonces" +uncompressed_size=$(stat -c %s $tmp.nonces_bin) +echo "Uncompressed size is $uncompressed_size bytes" >> $seqres.full +compressed_size=$($XZ_PROG -c < $tmp.nonces_bin | wc -c) +echo "Compressed size is $compressed_size bytes" >> $seqres.full +# The xz format has 60 bytes of overhead. Go a bit lower to avoid flakiness. +if (( compressed_size >= uncompressed_size + 55 )); then + echo "Nonces are incompressible, as expected" +else + _fail "Nonces are compressible (non-random); compressed $uncompressed_size => $compressed_size bytes!" +fi + +# success, all done +status=0 +exit diff --git a/tests/generic/735.out b/tests/generic/735.out new file mode 100644 index 00000000..bf73118b --- /dev/null +++ b/tests/generic/735.out @@ -0,0 +1,14 @@ +QA output created by 735 + +# Adding encryption key +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 + +# Creating encrypted files and directories + +# Getting encryption nonces from inodes + +# Verifying uniqueness of nonces +Listing non-unique nonces: + +# Verifying randomness of nonces +Nonces are incompressible, as expected From patchwork Tue Oct 10 20:26:05 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Josef Bacik X-Patchwork-Id: 13415994 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 97C18CD6115 for ; Tue, 10 Oct 2023 20:26:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234685AbjJJU0j (ORCPT ); Tue, 10 Oct 2023 16:26:39 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36450 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234510AbjJJU0g (ORCPT ); Tue, 10 Oct 2023 16:26:36 -0400 Received: from mail-yw1-x1134.google.com (mail-yw1-x1134.google.com [IPv6:2607:f8b0:4864:20::1134]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ACEC0AC for ; Tue, 10 Oct 2023 13:26:31 -0700 (PDT) Received: by mail-yw1-x1134.google.com with SMTP id 00721157ae682-5a7dafb659cso2272117b3.0 for ; Tue, 10 Oct 2023 13:26:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=toxicpanda-com.20230601.gappssmtp.com; s=20230601; t=1696969591; x=1697574391; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=TYV6W3/su+yQdVC08/W92yX/IiZTkZ+W2IG1K67YFEE=; b=CPK4WauFk1tak6CV4zolZKCy2JoVv3UUf4yWBpQfTiBhaILnk+HeLUugwYR8nYSbVI 7CeUnXcXyOt4UiHr9lmuNXveqR/1ixvdEdQ3cFbkkf0UuNyp/izAqT/UB/NPkFOcIguz 8vILIO+nbjucFHTxOfZsG/25fd6saUXsSvFJck9uYp8GK4UaT6wm0XkTXIM+J38m4ViR Pbz4H7jfOFBQRuklnOGR7MxR9R5F031vYM1wUTPJgRETZxJHXEZ/N1kole5je1IB9mmA db3L87VU5hmk2mnxVBae68d1mJwCPMb73kRE76k9oJdJPZsbogxg7G90Tdssfhg+KIef XOBQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696969591; x=1697574391; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=TYV6W3/su+yQdVC08/W92yX/IiZTkZ+W2IG1K67YFEE=; b=OIjaD30QUbxk68QEY/zQ4S1XWfNkv1fRg7fCfvhwgJSr0HLINrUkbmLtB5J02kOfdP CCUh6EtdQJuDk1YkLB1Egi8tu6lPrOvJ0N6JDursV6LdlA7S9q/vOL+C2wEy1lyPNZWO NHwacJPZg2rZuQ3b+9u09admqy8uirLuOeWGAZE50S21W/dx6wCtslggRa77cZ8YAnoA RJ9hBqOCWJY89addI+zoN4I5yD9BcsKg8F5UbkNOXHcXCmIhz29y54E7E965gDj5zTRo MIVDqU/EM6L9u/mONHD1jnDtYyAfzqPHDXkBKRCWEWLb4REy75cLZ9fOXa1mZ/vWC9gN b/Jg== X-Gm-Message-State: AOJu0Yzz/2OsQpGVxx0CJfWtpUwBqywqQ233aIthmHGnNZayeZPWcMw3 vlTOvdsuwBfNr3PKCpp/Ik5SEkX9YpSOAaRuqZ/gjg== X-Google-Smtp-Source: AGHT+IGvgRhnxM8rs8Q4ccehZoHcRELzxu4LMU2pLr32V5AjQW8wniDsc5M8y0GOBrzOZ5UXLUl+cw== X-Received: by 2002:a0d:ea90:0:b0:5a1:db12:d782 with SMTP id t138-20020a0dea90000000b005a1db12d782mr19988174ywe.44.1696969590781; Tue, 10 Oct 2023 13:26:30 -0700 (PDT) Received: from localhost (cpe-76-182-20-124.nc.res.rr.com. [76.182.20.124]) by smtp.gmail.com with ESMTPSA id c4-20020a81df04000000b0059b1e1b6e5dsm4581610ywn.91.2023.10.10.13.26.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Oct 2023 13:26:30 -0700 (PDT) From: Josef Bacik To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org Subject: [PATCH 12/12] fstest: add a fsstress+fscrypt test Date: Tue, 10 Oct 2023 16:26:05 -0400 Message-ID: <936037a6c2bcf5553145862c5358e175621983b0.1696969376.git.josef@toxicpanda.com> X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org I noticed we don't run fsstress with fscrypt in any of our tests, and this was helpful in uncovering a couple of symlink related corner cases for the btrfs support work. Add a basic test that creates a encrypted directory and runs fsstress in that directory. Signed-off-by: Josef Bacik Reviewed-by: Anand Jain --- tests/generic/736 | 38 ++++++++++++++++++++++++++++++++++++++ tests/generic/736.out | 3 +++ 2 files changed, 41 insertions(+) create mode 100644 tests/generic/736 create mode 100644 tests/generic/736.out diff --git a/tests/generic/736 b/tests/generic/736 new file mode 100644 index 00000000..0ef37d7e --- /dev/null +++ b/tests/generic/736 @@ -0,0 +1,38 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2023 Meta +# +# FS QA Test No. generic/5736 +# +# Run fscrypt on an encrypted directory +# + +. ./common/preamble +_begin_fstest auto quick encrypt +echo + +# Import common functions. +. ./common/filter +. ./common/encrypt + +# real QA test starts here +_supported_fs generic +_require_scratch_encryption -v 2 + +_scratch_mkfs_encrypted &>> $seqres.full +_scratch_mount + +dir=$SCRATCH_MNT/dir +mkdir $dir + +_set_encpolicy $dir $TEST_KEY_IDENTIFIER +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" + +args=$(_scale_fsstress_args -p 4 -n 10000 -p 2 $FSSTRESS_AVOID -d $dir) +echo "Run fsstress $args" >>$seqres.full + +$FSSTRESS_PROG $args >> $seqres.full + +# success, all done +status=0 +exit diff --git a/tests/generic/736.out b/tests/generic/736.out new file mode 100644 index 00000000..022754df --- /dev/null +++ b/tests/generic/736.out @@ -0,0 +1,3 @@ +QA output created by 736 + +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751