From patchwork Tue Oct 10 20:25:54 2023
X-Patchwork-Submitter: Josef Bacik
X-Patchwork-Id: 13416001
From: Josef Bacik
To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org
Cc: Sweet Tea Dorminy
Subject: [PATCH 01/12] common/encrypt: separate data and inode nonces
Date: Tue, 10 Oct 2023 16:25:54 -0400

From: Sweet Tea Dorminy

btrfs will have different inode and data nonces, so we need to be specific about which nonce each use needs. For now, there is no difference in the two functions.
Signed-off-by: Sweet Tea Dorminy Reviewed-by: Anand Jain --- common/encrypt | 33 ++++++++++++++++++++++++++------- tests/f2fs/002 | 2 +- tests/generic/613 | 4 ++-- 3 files changed, 29 insertions(+), 10 deletions(-) diff --git a/common/encrypt b/common/encrypt index 1a77e23b..04b6e5ac 100644 --- a/common/encrypt +++ b/common/encrypt @@ -488,7 +488,7 @@ _add_fscrypt_provisioning_key() # Retrieve the encryption nonce of the given inode as a hex string. The nonce # was randomly generated by the filesystem and isn't exposed directly to # userspace. But it can be read using the filesystem's debugging tools. -_get_encryption_nonce() +_get_encryption_file_nonce() { local device=$1 local inode=$2 @@ -532,15 +532,34 @@ _get_encryption_nonce() }' ;; *) - _fail "_get_encryption_nonce() isn't implemented on $FSTYP" + _fail "_get_encryption_file_nonce() isn't implemented on $FSTYP" ;; esac } -# Require support for _get_encryption_nonce() +# Retrieve the encryption nonce used to encrypt the data of the given inode as +# a hex string. The nonce was randomly generated by the filesystem and isn't +# exposed directly to userspace. But it can be read using the filesystem's +# debugging tools. +_get_encryption_data_nonce() +{ + local device=$1 + local inode=$2 + + case $FSTYP in + ext4|f2fs) + _get_encryption_file_nonce $device $inode + ;; + *) + _fail "_get_encryption_data_nonce() isn't implemented on $FSTYP" + ;; + esac +} + +# Require support for _get_encryption_*nonce() _require_get_encryption_nonce_support() { - echo "Checking for _get_encryption_nonce() support for $FSTYP" >> $seqres.full + echo "Checking for _get_encryption_*nonce() support for $FSTYP" >> $seqres.full case $FSTYP in ext4) _require_command "$DEBUGFS_PROG" debugfs 
@@ -554,7 +573,7 @@ _require_get_encryption_nonce_support() # the test fail in that case, as it was an f2fs-tools bug... ;; *) - _notrun "_get_encryption_nonce() isn't implemented on $FSTYP" + _notrun "_get_encryption_*nonce() isn't implemented on $FSTYP" ;; esac } @@ -760,7 +779,7 @@ _do_verify_ciphertext_for_encryption_policy() echo "Verifying encrypted file contents" >> $seqres.full for f in "${test_contents_files[@]}"; do read -r src inode blocklist <<< "$f" - nonce=$(_get_encryption_nonce $SCRATCH_DEV $inode) + nonce=$(_get_encryption_data_nonce $SCRATCH_DEV $inode) _dump_ciphertext_blocks $SCRATCH_DEV $blocklist > $tmp.actual_contents $crypt_contents_cmd $contents_encryption_mode $raw_key_hex \ --file-nonce=$nonce --block-size=$blocksize \ @@ -780,7 +799,7 @@ _do_verify_ciphertext_for_encryption_policy() echo "Verifying encrypted file names" >> $seqres.full for f in "${test_filenames_files[@]}"; do read -r name inode dir_inode padding <<< "$f" - nonce=$(_get_encryption_nonce $SCRATCH_DEV $dir_inode) + nonce=$(_get_encryption_file_nonce $SCRATCH_DEV $dir_inode) _get_ciphertext_filename $SCRATCH_DEV $inode $dir_inode \ > $tmp.actual_name echo -n "$name" | \ diff --git a/tests/f2fs/002 b/tests/f2fs/002 index 8235d88a..a51ddf22 100755 --- a/tests/f2fs/002 +++ b/tests/f2fs/002 @@ -129,7 +129,7 @@ blocklist=$(_get_ciphertext_block_list $file) _scratch_unmount echo -e "\n# Getting file's encryption nonce" -nonce=$(_get_encryption_nonce $SCRATCH_DEV $inode) +nonce=$(_get_encryption_data_nonce $SCRATCH_DEV $inode) echo -e "\n# Dumping the file's raw data" _dump_ciphertext_blocks $SCRATCH_DEV $blocklist > $tmp.raw diff --git a/tests/generic/613 b/tests/generic/613 index 4cf5ccc6..47c60e9c 100755 --- a/tests/generic/613 +++ b/tests/generic/613 
@@ -68,10 +68,10 @@ echo -e "\n# Getting encryption nonces from inodes" echo -n > $tmp.nonces_hex echo -n > $tmp.nonces_bin for inode in "${inodes[@]}"; do - nonce=$(_get_encryption_nonce $SCRATCH_DEV $inode) + nonce=$(_get_encryption_data_nonce $SCRATCH_DEV $inode) if (( ${#nonce} != 32 )) || [ -n "$(echo "$nonce" | tr -d 0-9a-fA-F)" ] then - _fail "Expected nonce to be 16 bytes (32 hex characters), but got \"$nonce\"" + _fail "Expected nonce for inode $inode to be 16 bytes (32 hex characters), but got \"$nonce\"" fi echo $nonce >> $tmp.nonces_hex echo -ne "$(echo $nonce | sed 's/[0-9a-fA-F]\{2\}/\\x\0/g')" \
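Review bot: In the common/encrypt hunk at @@ -532, the header comment on the new `_get_encryption_data_nonce()` is a near copy of the one on `_get_encryption_file_nonce()` and neither says how the two differ. The subject and changelog call the second one the inode nonce while the function is named `_file_nonce`, and the @@ -760 hunk then passes the data nonce to an option called `--file-nonce`. Pick one term for the per-inode nonce and state in both comments which callers need which: contents verification takes the data nonce, filename verification takes the directory's inode nonce.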
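Review bot: In the tests/generic/613 hunk, the loop now calls `_get_encryption_data_nonce` for every entry in `inodes`, but the banner still reads "Getting encryption nonces from inodes" and nothing explains why the data nonce is the one under test. Once a filesystem stores the data nonce somewhere other than the inode (the stated reason for this split), any inode in that list without file data would return an empty string and trip the 32-hex-character check. Add a comment that every listed inode is a regular file with data, or use `_get_encryption_file_nonce` here.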
From: Josef Bacik To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org Cc: Sweet Tea Dorminy Subject: [PATCH 02/12] common/encrypt: add btrfs to get_encryption_*nonce Date: Tue, 10 Oct 2023 16:25:55 -0400 Message-ID: X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: fstests@vger.kernel.org From: Sweet Tea Dorminy Add the modes of getting the encryption nonces, either inode or extent, to the various get_encryption_nonce functions. For now, no encrypt test makes a file with more than one extent, so we can just grab the first extent's nonce for the data nonce; when we write a bigger file test, we'll need to change that. Signed-off-by: Sweet Tea Dorminy Reviewed-by: Anand Jain --- common/encrypt | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/common/encrypt b/common/encrypt index 04b6e5ac..fc1c8cc7 100644 --- a/common/encrypt +++ b/common/encrypt @@ -531,6 +531,17 @@ _get_encryption_file_nonce() found = 0; }' ;; + btrfs) + # Retrieve the fscrypt context for an inode as a hex string. + # btrfs prints these like: + # item 14 key ($inode FSCRYPT_CTXT_ITEM 0) itemoff 15491 itemsize 40 + # value: 02010400000000008fabf3dd745d41856e812458cd765bf0140f41d62853f4c0351837daff4dcc8f + + $BTRFS_UTIL_PROG inspect-internal dump-tree $device | \ + grep -A 1 "key ($inode FSCRYPT_CTXT_ITEM 0)" | \ + grep --only-matching 'value: [[:xdigit:]]\+' | \ + tr -d ' \n' | tail -c 32 + ;; *) _fail "_get_encryption_file_nonce() isn't implemented on $FSTYP" ;; 
@@ -550,6 +561,23 @@ _get_encryption_data_nonce() ext4|f2fs) _get_encryption_file_nonce $device $inode ;; + btrfs) + # Retrieve the encryption IV of the first file extent in an inode as a hex + # string. btrfs prints the file extents (for simple unshared + # inodes) like: + # item 21 key ($inode EXTENT_DATA 0) itemoff 2534 itemsize 69 + # generation 7 type 1 (regular) + # extent data disk byte 5304320 nr 1048576 + # extent data offset 0 nr 1048576 ram 1048576 + # extent compression 0 (none) + # extent encryption 161 ((1, 40: context 0201040200000000116a77667261d7422a4b1ed8c427e685edb7a0d370d0c9d40030333033333330)) + + + $BTRFS_UTIL_PROG inspect-internal dump-tree $device | \ + grep -A 5 "key ($inode EXTENT_DATA 0)" | \ + grep --only-matching 'context [[:xdigit:]]\+' | \ + tr -d ' \n' | tail -c 32 + ;; *) _fail "_get_encryption_data_nonce() isn't implemented on $FSTYP" ;; 
@@ -572,6 +600,9 @@ _require_get_encryption_nonce_support() # Otherwise the xattr is incorrectly parsed as v1. But just let # the test fail in that case, as it was an f2fs-tools bug... ;; + btrfs) + _require_command "$BTRFS_UTIL_PROG" btrfs + ;; *) _notrun "_get_encryption_*nonce() isn't implemented on $FSTYP" ;;
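Review bot: In the btrfs branch of `_get_encryption_file_nonce()` (@@ -531), the pipeline yields an empty string with exit status 0 when `dump-tree` prints no `FSCRYPT_CTXT_ITEM` for `$inode`, so a parsing miss only shows up later as a ciphertext mismatch. Capture the output and `_fail` unless it is exactly 32 hex characters. `dump-tree $device` also walks every tree, so the same inode number in another subvolume would match as well and `tail -c 32` would keep whichever came last; limiting the dump to the tree under test with `-t` makes the `grep` unambiguous.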
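Review bot: In the btrfs branch of `_get_encryption_data_nonce()` (@@ -550), `grep -A 5` hard-codes how many lines `dump-tree` prints between the `EXTENT_DATA` key and the `extent encryption` line, and `EXTENT_DATA 0` covers only an extent at file offset 0. The changelog records the single-extent assumption but the code does not enforce it: fail when the inode has more than one `EXTENT_DATA` item, and read up to the next `item` line instead of a fixed count. The two consecutive blank `+` lines before the command can be collapsed to one.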
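Review bot: In `_require_get_encryption_nonce_support()` (@@ -572), the btrfs branch only checks that the `btrfs` binary exists, while both new parsers depend on `dump-tree` printing `FSCRYPT_CTXT_ITEM` items and an `extent encryption` line. With a btrfs-progs build that lacks that output the tests would fail instead of being skipped; probe for the fields here and `_notrun` when they are absent.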
From: Josef Bacik
To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org
Cc: Sweet Tea Dorminy
Subject: [PATCH 03/12] common/encrypt: add btrfs to get_ciphertext_filename
Date: Tue, 10 Oct 2023 16:25:56 -0400

From: Sweet Tea Dorminy Add the relevant call to get an encrypted filename from btrfs. Signed-off-by: Sweet Tea Dorminy Reviewed-by: Anand Jain --- common/encrypt | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/common/encrypt b/common/encrypt index fc1c8cc7..2c1925da 100644 --- a/common/encrypt +++ b/common/encrypt @@ -618,6 +618,19 @@ _get_ciphertext_filename() local dir_inode=$3 case $FSTYP in + btrfs) + # Extract the filename from the inode_ref object, similar to: + # item 24 key (259 INODE_REF 257) itemoff 14826 itemsize 26 + # index 3 namelen 16 name: J\xf7\x15tD\x8eL\xae/\x98\x9f\x09\xc1\xb6\x09> + # + $BTRFS_UTIL_PROG inspect-internal dump-tree $device | \ + grep -A 1 "key ($inode INODE_REF " | tail -n 1 | \ + perl -ne ' + s/.*?name: //; + chomp; + s/\\x([[:xdigit:]]{2})/chr hex $1/eg; + print;' + ;; ext4) # Extract the filename from the debugfs output line like: # 
@@ -715,6 +728,9 @@ _require_get_ciphertext_filename_support() _notrun "dump.f2fs (f2fs-tools) is too old; doesn't support showing unambiguous on-disk filenames" fi ;; + btrfs) + _require_command "$BTRFS_UTIL_PROG" btrfs + ;; *) _notrun "_get_ciphertext_filename() isn't implemented on $FSTYP" ;;
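Review bot: In the btrfs branch of `_get_ciphertext_filename()` (@@ -618), `$dir_inode` is never used: the `grep` matches `key ($inode INODE_REF ` with any parent and `tail -n 1` keeps the last hit, so a file hard-linked into two directories can return the name from the wrong one. Match the full key, `key ($inode INODE_REF $dir_inode)`, which is what the sample line `key (259 INODE_REF 257)` shows. The sample `name:` line in the comment also ends in a stray `>` and is followed by an empty `#` line; both look like paste residue.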
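Review bot: In `_require_get_ciphertext_filename_support()` (@@ -715), the btrfs branch checks only for the `btrfs` command, whereas the f2fs branch just above it does `_notrun` when dump.f2fs is too old to show unambiguous on-disk filenames. The perl snippet in this patch decodes only `\xNN` escapes, so the same question applies to btrfs-progs: say in a comment which `dump-tree` name format is assumed, and skip the test when the installed tool does not produce it.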
From: Josef Bacik To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org Cc: Sweet Tea Dorminy Subject: [PATCH 04/12] common/encrypt: enable making a encrypted btrfs filesystem Date: Tue, 10 Oct 2023 16:25:57 -0400 Message-ID: <905514b9fa178c51afde27c4eff456079e010750.1696969376.git.josef@toxicpanda.com> X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: fstests@vger.kernel.org From: Sweet Tea Dorminy Signed-off-by: Sweet Tea Dorminy Reviewed-by: Anand Jain --- common/encrypt | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/common/encrypt b/common/encrypt index 2c1925da..1372af66 100644 --- a/common/encrypt +++ b/common/encrypt @@ -153,6 +153,9 @@ _scratch_mkfs_encrypted() # erase the UBI volume; reformated automatically on next mount $UBIUPDATEVOL_PROG ${SCRATCH_DEV} -t ;; + btrfs) + _scratch_mkfs + ;; ceph) _scratch_cleanup_files ;; 
@@ -168,6 +171,9 @@ _scratch_mkfs_sized_encrypted() ext4|f2fs) MKFS_OPTIONS="$MKFS_OPTIONS -O encrypt" _scratch_mkfs_sized $* ;; + btrfs) + _scratch_mkfs_sized $* + ;; *) _notrun "Filesystem $FSTYP not supported in _scratch_mkfs_sized_encrypted" ;;
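Review bot: The btrfs branches added to `_scratch_mkfs_encrypted()` and `_scratch_mkfs_sized_encrypted()` call the plain mkfs helpers with no encryption option, unlike the `ext4|f2fs` branch that appends `-O encrypt`, and the patch has no changelog body to say why. Add a one-line comment in each branch, or a sentence in the commit message, explaining why btrfs needs no mkfs-time option, so the next reader does not take it for an omission.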
From: Josef Bacik
To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org
Cc: Sweet Tea Dorminy
Subject: [PATCH 05/12] common/verity: explicitly don't allow btrfs encryption
Date: Tue, 10 Oct 2023 16:25:58 -0400
Message-ID: <24a79bf71c105ebcff42868cdc7938022ca145d1.1696969376.git.josef@toxicpanda.com>

From: Sweet Tea Dorminy Currently btrfs encryption doesn't support verity, but it is planned to one day. To be explicit about the lack of support, add a custom error message to the combination. Signed-off-by: Sweet Tea Dorminy Reviewed-by: Anand Jain --- common/verity | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/common/verity b/common/verity index 03d175ce..4e601a81 100644 --- a/common/verity +++ b/common/verity 
@@ -224,6 +224,10 @@ _scratch_mkfs_encrypted_verity() # features with -O. Instead -O must be supplied multiple times. _scratch_mkfs -O encrypt -O verity ;; + btrfs) + # currently verity + encryption is not supported + _notrun "btrfs doesn't currently support verity + encryption" + ;; *) _notrun "$FSTYP not supported in _scratch_mkfs_encrypted_verity" ;;
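Review bot: In `_scratch_mkfs_encrypted_verity()`, the new comment `# currently verity + encryption is not supported` only repeats the `_notrun` string on the next line. Drop it, or replace it with something the message does not already say, such as what has to change before this branch can run mkfs. The subject line should also name the verity combination, since encryption on its own is enabled for btrfs by the previous patch.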
From: Josef Bacik To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org Cc: Sweet Tea Dorminy Subject: [PATCH 06/12] btrfs: add simple test of reflink of encrypted data Date: Tue, 10 Oct 2023 16:25:59 -0400 Message-ID: <723b5972c3d2d917acc23bf65eb3a5e5feba5ecc.1696969376.git.josef@toxicpanda.com> X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: fstests@vger.kernel.org From: Sweet Tea Dorminy Make sure that we succeed at reflinking encrypted data. Test deliberately numbered with a high number so it won't conflict with tests between now and merge. --- tests/btrfs/613 | 59 +++++++++++++++++++++++++++++++++++++++++++++ tests/btrfs/613.out | 13 ++++++++++ 2 files changed, 72 insertions(+) create mode 100755 tests/btrfs/613 create mode 100644 tests/btrfs/613.out diff --git a/tests/btrfs/613 b/tests/btrfs/613 new file mode 100755 index 00000000..0288016e --- /dev/null +++ b/tests/btrfs/613 
@@ -0,0 +1,59 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright (c) 2023 Meta Platforms, Inc. All Rights Reserved. +# +# FS QA Test 613 +# +# Check if reflinking one encrypted file on btrfs succeeds. +# +. ./common/preamble +_begin_fstest auto encrypt + +# Import common functions. +. ./common/encrypt +. ./common/filter +. ./common/reflink + +# real QA test starts here + +# Modify as appropriate. +_supported_fs btrfs + +_require_test +_require_scratch +_require_cp_reflink +_require_scratch_encryption -v 2 +_require_command "$KEYCTL_PROG" keyctl + +_scratch_mkfs_encrypted &>> $seqres.full +_scratch_mount + +dir=$SCRATCH_MNT/dir +mkdir $dir +_set_encpolicy $dir $TEST_KEY_IDENTIFIER +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" +echo "Creating and reflinking a file" +$XFS_IO_PROG -t -f -c "pwrite 0 33k" $dir/test > /dev/null +cp --reflink=always $dir/test $dir/test2 + +echo "Can't reflink encrypted and unencrypted" +cp --reflink=always $dir/test $SCRATCH_MNT/fail |& _filter_scratch + +echo "Diffing the file and its copy" +diff $dir/test $dir/test2 + +echo "Verifying the files are reflinked" +_verify_reflink $dir/test $dir/test2 + +echo "Diffing the files after remount" +_scratch_cycle_mount +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" +diff $dir/test $dir/test2 + +echo "Diffing the files after key remove" +_rm_enckey $SCRATCH_MNT $TEST_KEY_IDENTIFIER +diff $dir/test $dir/test2 |& _filter_scratch + +# success, all done +status=0 +exit diff --git a/tests/btrfs/613.out b/tests/btrfs/613.out new file mode 100644 index 00000000..4895d6dd --- /dev/null +++ b/tests/btrfs/613.out 
@@ -0,0 +1,13 @@ +QA output created by 613 +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +Creating and reflinking a file +Can't reflink encrypted and unencrypted +cp: failed to clone 'SCRATCH_MNT/fail' from 'SCRATCH_MNT/dir/test': Invalid argument +Diffing the file and its copy +Verifying the files are reflinked +Diffing the files after remount +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +Diffing the files after key remove +Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +diff: SCRATCH_MNT/dir/test: No such file or directory +diff: SCRATCH_MNT/dir/test2: No such file or directory 
From patchwork Tue Oct 10 20:26:00 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Josef Bacik X-Patchwork-Id: 13416007
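Review bot: in tests/btrfs/613 the "Can't reflink encrypted and unencrypted" step only clones in one direction, from the encrypted file to an unencrypted destination (cp --reflink=always $dir/test $SCRATCH_MNT/fail). The opposite direction, an unencrypted source cloned into $dir, is never tried, so a regression that allowed extents to be shared across the policy boundary that way would still pass. Add that case and record its intended result in 613.out. Smaller points in the same hunk: the "# Modify as appropriate." template comment above "_supported_fs btrfs" can be dropped, and _require_test looks unnecessary since the test only touches the scratch device.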
From: Josef Bacik
To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org
Cc: Sweet Tea Dorminy
Subject: [PATCH 07/12] btrfs: test snapshotting encrypted subvol
Date: Tue, 10 Oct 2023 16:26:00 -0400
Message-ID: <9a17afb133849c2321bb98c07c48cff2aaf1d87a.1696969376.git.josef@toxicpanda.com>
X-Mailer: git-send-email 2.41.0
In-Reply-To:
References:
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: fstests@vger.kernel.org

From: Sweet Tea Dorminy

Make sure that snapshots of encrypted data are readable and writeable. Test deliberately high-numbered to not conflict.

Signed-off-by: Sweet Tea Dorminy
Reviewed-by: Anand Jain
---
 tests/btrfs/614 | 76 ++++++++++++++++++++++++++++++
 tests/btrfs/614.out | 111 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 187 insertions(+)
 create mode 100755 tests/btrfs/614
 create mode 100644 tests/btrfs/614.out

diff --git a/tests/btrfs/614 b/tests/btrfs/614 new file mode 100755 index 00000000..87dd27f9 --- /dev/null +++ b/tests/btrfs/614 
@@ -0,0 +1,76 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright (c) 2023 Meta Platforms, Inc. All Rights Reserved. +# +# FS QA Test 614 +# +# Try taking a snapshot of an encrypted subvolume. Make sure the snapshot is +# still readable. Rewrite part of the subvol with the same data; make sure it's +# still readable. +# +. ./common/preamble +_begin_fstest auto encrypt + +# Import common functions. +. ./common/encrypt +. ./common/filter + +# real QA test starts here +_supported_fs btrfs + +_require_test +_require_scratch +_require_scratch_encryption -v 2 +_require_command "$KEYCTL_PROG" keyctl + +_scratch_mkfs_encrypted &>> $seqres.full +_scratch_mount + +udir=$SCRATCH_MNT/reference +dir=$SCRATCH_MNT/subvol +dir2=$SCRATCH_MNT/subvol2 +$BTRFS_UTIL_PROG subvolume create $dir >> $seqres.full +mkdir $udir + +_set_encpolicy $dir $TEST_KEY_IDENTIFIER +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" + +# get files with lots of extents by using backwards writes. +for j in `seq 0 50`; do + for i in `seq 20 -1 1`; do + $XFS_IO_PROG -f -d -c "pwrite $(($i * 4096)) 4096" \ + $dir/foo-$j >> $seqres.full | _filter_xfs_io + $XFS_IO_PROG -f -d -c "pwrite $(($i * 4096)) 4096" \ + $udir/foo-$j >> $seqres.full | _filter_xfs_io + done +done + +$BTRFS_UTIL_PROG subvolume snapshot $dir $dir2 | _filter_scratch + +_scratch_remount +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" +sleep 30 +echo "Diffing $dir and $dir2" +diff $dir $dir2 + +echo "Rewriting $dir2 partly" +# rewrite half of each file in the snapshot +for j in `seq 0 50`; do + for i in `seq 10 -1 1`; do + $XFS_IO_PROG -f -d -c "pwrite $(($i * 4096)) 4096" \ + $dir2/foo-$j >> $seqres.full | _filter_xfs_io + done +done + +echo "Diffing $dir and $dir2" +diff $dir $dir2 + +echo "Dropping key and diffing" +_rm_enckey $SCRATCH_MNT $TEST_KEY_IDENTIFIER +diff $dir $dir2 |& _filter_scratch | _filter_nokey_filenames + +$BTRFS_UTIL_PROG subvolume delete $dir > /dev/null 2>&1 + +# success, all done +status=0 +exit 
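Review bot: the three progress echoes in tests/btrfs/614 ("Diffing $dir and $dir2" twice, "Rewriting $dir2 partly" once) print the expanded scratch path unfiltered, so 614.out records /mnt/scratch/subvol and /mnt/scratch/subvol2 and the test will fail on any setup where SCRATCH_MNT is mounted somewhere else. Pipe those echoes through _filter_scratch, as the snapshot command already does, or echo fixed text. Also in this hunk: "sleep 30" after the remount has no comment saying what it waits for, and $udir receives the same writes as $dir but is never compared against anything, so either diff it or drop it.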
diff --git a/tests/btrfs/614.out b/tests/btrfs/614.out new file mode 100644 index 00000000..390807e8 --- /dev/null +++ b/tests/btrfs/614.out 
@@ -0,0 +1,111 @@ +QA output created by 614 +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +Create a snapshot of 'SCRATCH_MNT/subvol' in 'SCRATCH_MNT/subvol2' +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +Diffing /mnt/scratch/subvol and /mnt/scratch/subvol2 +Rewriting /mnt/scratch/subvol2 partly +Diffing /mnt/scratch/subvol and /mnt/scratch/subvol2 +Dropping key and diffing +Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: 
NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME 
+NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME 
NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME 
NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME From patchwork Tue Oct 10 20:26:01 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: 
Josef Bacik X-Patchwork-Id: 13416006
From: Josef Bacik
To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org
Subject: [PATCH 08/12] fstests: properly test for v1 encryption policies in encrypt tests
Date: Tue, 10 Oct 2023 16:26:01 -0400
Message-ID:
X-Mailer: git-send-email 2.41.0
In-Reply-To:
References:
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: fstests@vger.kernel.org

With btrfs adding fscrypt support we're limiting the usage to plain v2 policies only. This means we need to update the _require's for generic/593 that tests both v1 and v2 policies. The other sort of tests will be split into two tests in later patches.

Signed-off-by: Josef Bacik
Reviewed-by: Anand Jain
---
 common/encrypt | 2 ++
 tests/generic/593 | 1 +
 2 files changed, 3 insertions(+)

diff --git a/common/encrypt b/common/encrypt index 1372af66..120ca612 100644 --- a/common/encrypt +++ b/common/encrypt 
@@ -59,6 +59,8 @@ _require_scratch_encryption() # policy required by the test. if [ $# -ne 0 ]; then _require_encryption_policy_support $SCRATCH_MNT "$@" + else + _require_encryption_policy_support $SCRATCH_MNT -v 1 fi _scratch_unmount diff --git a/tests/generic/593 b/tests/generic/593 index 2dda5d76..7907236c 100755 --- a/tests/generic/593 +++ b/tests/generic/593 
@@ -17,6 +17,7 @@ _begin_fstest auto quick encrypt # real QA test starts here _supported_fs generic +_require_scratch_encryption -v 1 _require_scratch_encryption -v 2 _require_command "$KEYCTL_PROG" keyctl 
From patchwork Tue Oct 10 20:26:02 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Josef Bacik X-Patchwork-Id: 13416008
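Review bot: in common/encrypt the new else branch makes a bare _require_scratch_encryption mean "requires v1 policy support", and that changes behaviour for every existing caller that passes no arguments, not only generic/593; those tests will no longer run on a filesystem without v1 support. Document the implicit default in the comment above the branch, which still reads as if a policy is only checked when the test asks for one, and mention the wider effect in the commit message.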
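Review bot: in tests/generic/593 adding "_require_scratch_encryption -v 1" ahead of the existing -v 2 requirement means the whole test is skipped on a v2-only filesystem such as btrfs, so btrfs gets no coverage from it at all. The commit message says other tests will be split in later patches; state whether 593 is meant to be split the same way or is intentionally left as a combined v1 and v2 test.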
From: Josef Bacik
To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org
Subject: [PATCH 09/12] fstests: split generic/580 into two tests
Date: Tue, 10 Oct 2023 16:26:02 -0400
Message-ID:
X-Mailer: git-send-email 2.41.0
In-Reply-To:
References:
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: fstests@vger.kernel.org

generic/580 tests both v1 and v2 encryption policies, however btrfs only supports v2 policies. Split this into two tests so that we can get the v2 coverage for btrfs.

Signed-off-by: Josef Bacik --- tests/generic/580 | 118 ++++++++++++++++++------------------------ tests/generic/580.out | 40 -------------- tests/generic/733 | 79 ++++++++++++++++++++++++++++ tests/generic/733.out | 44 ++++++++++++++++ 4 files changed, 173 insertions(+), 108 deletions(-) create mode 100644 tests/generic/733 create mode 100644 tests/generic/733.out diff --git a/tests/generic/580 b/tests/generic/580 index 73f32ff9..63ab9712 100755 --- a/tests/generic/580 +++ b/tests/generic/580 @@ -5,7 +5,7 @@ # FS QA Test generic/580 # # Basic test of the fscrypt filesystem-level encryption keyring -# and v2 encryption policies. +# policy. # . ./common/preamble 
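Review bot: the reworded header comment in generic/580 now ends "encryption keyring" / "policy.", which no longer says which policy version the test covers. After the split this test is v1-only, so say that ("and v1 encryption policies") and point at generic/733 as the v2 counterpart. In the same spirit, the bare "_require_scratch_encryption" in the next hunk depends on the helper's implicit default; writing "-v 1", as generic/593 does, would make the requirement explicit at the call site.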
@@ -18,80 +18,62 @@ echo # real QA test starts here _supported_fs generic -_require_scratch_encryption -v 2 +_require_scratch_encryption _scratch_mkfs_encrypted &>> $seqres.full _scratch_mount -test_with_policy_version() -{ - local vers=$1 - - if (( vers == 1 )); then - local keyspec=$TEST_KEY_DESCRIPTOR - local add_enckey_args="-d $keyspec" - else - local keyspec=$TEST_KEY_IDENTIFIER - local add_enckey_args="" - fi - - mkdir $dir - echo "# Setting v$vers encryption policy" - _set_encpolicy $dir $keyspec - echo "# Getting v$vers encryption policy" - _get_encpolicy $dir | _filter_scratch - if (( vers == 1 )); then - echo "# Getting v1 encryption policy using old ioctl" - _get_encpolicy $dir -1 | _filter_scratch - fi - echo "# Trying to create file without key added yet" - $XFS_IO_PROG -f $dir/file |& _filter_scratch - echo "# Getting encryption key status" - _enckey_status $SCRATCH_MNT $keyspec - echo "# Adding encryption key" - _add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" $add_enckey_args - echo "# Creating encrypted file" - echo contents > $dir/file - echo "# Getting encryption key status" - _enckey_status $SCRATCH_MNT $keyspec - echo "# Removing encryption key" - _rm_enckey $SCRATCH_MNT $keyspec - echo "# Getting encryption key status" - _enckey_status $SCRATCH_MNT $keyspec - echo "# Verifying that the encrypted directory was \"locked\"" - cat $dir/file |& _filter_scratch - cat "$(find $dir -type f)" |& _filter_scratch | cut -d ' ' -f3- - - # Test removing key with a file open. 
- echo "# Re-adding encryption key" - _add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" $add_enckey_args - echo "# Creating another encrypted file" - echo foo > $dir/file2 - echo "# Removing key while an encrypted file is open" - exec 3< $dir/file - _rm_enckey $SCRATCH_MNT $keyspec - echo "# Non-open file should have been evicted" - cat $dir/file2 |& _filter_scratch - echo "# Open file shouldn't have been evicted" - cat $dir/file - echo "# Key should be in \"incompletely removed\" state" - _enckey_status $SCRATCH_MNT $keyspec - echo "# Closing file and removing key for real now" - exec 3<&- - _rm_enckey $SCRATCH_MNT $keyspec - cat $dir/file |& _filter_scratch - - echo "# Cleaning up" - rm -rf $dir - _scratch_cycle_mount # Clear all keys - echo -} - dir=$SCRATCH_MNT/dir +keyspec=$TEST_KEY_DESCRIPTOR -test_with_policy_version 1 +mkdir $dir +echo "# Setting v1 encryption policy" +_set_encpolicy $dir $keyspec +echo "# Getting v1 encryption policy" +_get_encpolicy $dir | _filter_scratch +echo "# Getting v1 encryption policy using old ioctl" +_get_encpolicy $dir -1 | _filter_scratch +echo "# Trying to create file without key added yet" +$XFS_IO_PROG -f $dir/file |& _filter_scratch +echo "# Getting encryption key status" +_enckey_status $SCRATCH_MNT $keyspec +echo "# Adding encryption key" +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" -d $keyspec +echo "# Creating encrypted file" +echo contents > $dir/file +echo "# Getting encryption key status" +_enckey_status $SCRATCH_MNT $keyspec +echo "# Removing encryption key" +_rm_enckey $SCRATCH_MNT $keyspec +echo "# Getting encryption key status" +_enckey_status $SCRATCH_MNT $keyspec +echo "# Verifying that the encrypted directory was \"locked\"" +cat $dir/file |& _filter_scratch +cat "$(find $dir -type f)" |& _filter_scratch | cut -d ' ' -f3- -test_with_policy_version 2 +# Test removing key with a file open. 
+echo "# Re-adding encryption key" +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" -d $keyspec +echo "# Creating another encrypted file" +echo foo > $dir/file2 +echo "# Removing key while an encrypted file is open" +exec 3< $dir/file +_rm_enckey $SCRATCH_MNT $keyspec +echo "# Non-open file should have been evicted" +cat $dir/file2 |& _filter_scratch +echo "# Open file shouldn't have been evicted" +cat $dir/file +echo "# Key should be in \"incompletely removed\" state" +_enckey_status $SCRATCH_MNT $keyspec +echo "# Closing file and removing key for real now" +exec 3<&- +_rm_enckey $SCRATCH_MNT $keyspec +cat $dir/file |& _filter_scratch + +echo "# Cleaning up" +rm -rf $dir +_scratch_cycle_mount # Clear all keys +echo echo "# Trying to remove absent key" _rm_enckey $SCRATCH_MNT abcdabcdabcdabcd diff --git a/tests/generic/580.out b/tests/generic/580.out index 989d4514..f2f4d490 100644 --- a/tests/generic/580.out +++ b/tests/generic/580.out 
@@ -47,45 +47,5 @@ Removed encryption key with descriptor 0000111122223333 cat: SCRATCH_MNT/dir/file: No such file or directory # Cleaning up -# Setting v2 encryption policy -# Getting v2 encryption policy -Encryption policy for SCRATCH_MNT/dir: - Policy version: 2 - Master key identifier: 69b2f6edeee720cce0577937eb8a6751 - Contents encryption mode: 1 (AES-256-XTS) - Filenames encryption mode: 4 (AES-256-CTS) - Flags: 0x02 -# Trying to create file without key added yet -SCRATCH_MNT/dir/file: Required key not available -# Getting encryption key status -Absent -# Adding encryption key -Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Creating encrypted file -# Getting encryption key status -Present (user_count=1, added_by_self) -# Removing encryption key -Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Getting encryption key status -Absent -# Verifying that the encrypted directory was "locked" -cat: SCRATCH_MNT/dir/file: No such file or directory -Required key not available -# Re-adding encryption key -Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Creating another encrypted file -# Removing key while an encrypted file is open -Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751, but files still busy -# Non-open file should have been evicted -cat: SCRATCH_MNT/dir/file2: Required key not available -# Open file shouldn't have been evicted -contents -# Key should be in "incompletely removed" state -Incompletely removed -# Closing file and removing key for real now -Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -cat: SCRATCH_MNT/dir/file: No such file or directory -# Cleaning up - # Trying to remove absent key Error removing encryption key: Required key not available diff --git a/tests/generic/733 b/tests/generic/733 new file mode 100644 index 00000000..ae0434fb --- /dev/null +++ b/tests/generic/733 
@@ -0,0 +1,79 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# +# FS QA Test generic/733 +# +# A v2 only version of generic/580 + +. ./common/preamble +_begin_fstest auto quick encrypt +echo + +# Import common functions. +. ./common/filter +. ./common/encrypt + +# real QA test starts here +_supported_fs generic +_require_scratch_encryption -v 2 + +_scratch_mkfs_encrypted &>> $seqres.full +_scratch_mount + +keyspec=$TEST_KEY_IDENTIFIER +dir=$SCRATCH_MNT/dir + +mkdir $dir +echo "# Setting v2 encryption policy" +_set_encpolicy $dir $keyspec +echo "# Getting v2 encryption policy" +_get_encpolicy $dir | _filter_scratch +echo "# Trying to create file without key added yet" +$XFS_IO_PROG -f $dir/file |& _filter_scratch +echo "# Getting encryption key status" +_enckey_status $SCRATCH_MNT $keyspec +echo "# Adding encryption key" +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" +echo "# Creating encrypted file" +echo contents > $dir/file +echo "# Getting encryption key status" +_enckey_status $SCRATCH_MNT $keyspec +echo "# Removing encryption key" +_rm_enckey $SCRATCH_MNT $keyspec +echo "# Getting encryption key status" +_enckey_status $SCRATCH_MNT $keyspec +echo "# Verifying that the encrypted directory was \"locked\"" +cat $dir/file |& _filter_scratch +cat "$(find $dir -type f)" |& _filter_scratch | cut -d ' ' -f3- + +# Test removing key with a file open. 
+echo "# Re-adding encryption key" +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" +echo "# Creating another encrypted file" +echo foo > $dir/file2 +echo "# Removing key while an encrypted file is open" +exec 3< $dir/file +_rm_enckey $SCRATCH_MNT $keyspec +echo "# Non-open file should have been evicted" +cat $dir/file2 |& _filter_scratch +echo "# Open file shouldn't have been evicted" +cat $dir/file +echo "# Key should be in \"incompletely removed\" state" +_enckey_status $SCRATCH_MNT $keyspec +echo "# Closing file and removing key for real now" +exec 3<&- +_rm_enckey $SCRATCH_MNT $keyspec +cat $dir/file |& _filter_scratch + +echo "# Cleaning up" +rm -rf $dir +_scratch_cycle_mount # Clear all keys +echo + +echo "# Trying to remove absent key" +_rm_enckey $SCRATCH_MNT abcdabcdabcdabcd + +# success, all done +status=0 +exit + diff --git a/tests/generic/733.out b/tests/generic/733.out new file mode 100644 index 00000000..02dce51d --- /dev/null +++ b/tests/generic/733.out 
@@ -0,0 +1,44 @@ +QA output created by 733 + +# Setting v2 encryption policy +# Getting v2 encryption policy +Encryption policy for SCRATCH_MNT/dir: + Policy version: 2 + Master key identifier: 69b2f6edeee720cce0577937eb8a6751 + Contents encryption mode: 1 (AES-256-XTS) + Filenames encryption mode: 4 (AES-256-CTS) + Flags: 0x02 +# Trying to create file without key added yet +SCRATCH_MNT/dir/file: Required key not available +# Getting encryption key status +Absent +# Adding encryption key +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Creating encrypted file +# Getting encryption key status +Present (user_count=1, added_by_self) +# Removing encryption key +Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Getting encryption key status +Absent +# Verifying that the encrypted directory was "locked" +cat: SCRATCH_MNT/dir/file: No such file or directory +Required key not available +# Re-adding encryption key +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Creating another encrypted file +# Removing key while an encrypted file is open +Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751, but files still busy +# Non-open file should have been evicted +cat: SCRATCH_MNT/dir/file2: Required key not available +# Open file shouldn't have been evicted +contents +# Key should be in "incompletely removed" state +Incompletely removed +# Closing file and removing key for real now +Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +cat: SCRATCH_MNT/dir/file: No such file or directory +# Cleaning up + +# Trying to remove absent key +Error removing encryption key: Required key not available From patchwork Tue Oct 10 20:26:03 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Josef Bacik X-Patchwork-Id: 13416011 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on 
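Review bot: tests/generic/733 ends with an added empty line after 'exit', which git reports as a new blank line at EOF, and its header carries only the SPDX tag with no copyright line, unlike the 734 and 735 files added later in this series. Drop the trailing blank line and add the copyright line that applies to the code taken over from generic/580. The header could also use the 'FS QA Test No. generic/733' form that the other new tests use.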
From: Josef Bacik
To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org
Subject: [PATCH 10/12] fstests: split generic/581 into two tests
Date: Tue, 10 Oct 2023 16:26:03 -0400
Message-ID: <4f808fb5081fc4e9afe77e8498535fd41cc122b2.1696969376.git.josef@toxicpanda.com>

generic/581 is mostly a v2 policy test, but it does do some quick checks of v1 policies as a normal user. Split the v1 and v2 related parts into two different tests so that the v2 part can get properly tested for btrfs file systems, which only support v2 policies.
Signed-off-by: Josef Bacik --- tests/generic/581 | 89 +--------------------------- tests/generic/581.out | 50 ---------------- tests/generic/734 | 135 ++++++++++++++++++++++++++++++++++++++++++ tests/generic/734.out | 51 ++++++++++++++++ 4 files changed, 188 insertions(+), 137 deletions(-) create mode 100644 tests/generic/734 create mode 100644 tests/generic/734.out diff --git a/tests/generic/581 b/tests/generic/581 index cabc7e1c..ab930ac6 100755 --- a/tests/generic/581 +++ b/tests/generic/581 @@ -4,8 +4,7 @@ # # FS QA Test No. generic/581 # -# Test non-root use of the fscrypt filesystem-level encryption keyring -# and v2 encryption policies. +# Test non-root use of the fscrypt filesystem-level encryption keyring policy. # . ./common/preamble @@ -31,7 +30,7 @@ _cleanup() # real QA test starts here _supported_fs generic _require_user -_require_scratch_encryption -v 2 +_require_scratch_encryption _scratch_mkfs_encrypted &>> $seqres.full _scratch_mount 
@@ -58,90 +57,6 @@ echo "# Adding v1 policy key as regular user (should fail with EACCES)" _user_do_add_enckey $SCRATCH_MNT "$raw_key" -d $keydesc rm -rf $dir -echo -_user_do "mkdir $dir" - -echo "# Setting v2 policy as regular user without key already added (should fail with ENOKEY)" -_user_do_set_encpolicy $dir $keyid |& _filter_scratch - -echo "# Adding v2 policy key as regular user (should succeed)" -_user_do_add_enckey $SCRATCH_MNT "$raw_key" - -echo "# Setting v2 policy as regular user with key added (should succeed)" -_user_do_set_encpolicy $dir $keyid - -echo "# Getting v2 policy as regular user (should succeed)" -_user_do_get_encpolicy $dir | _filter_scratch - -echo "# Creating encrypted file as regular user (should succeed)" -_user_do "echo contents > $dir/file" - -echo "# Removing v2 policy key as regular user (should succeed)" -_user_do_rm_enckey $SCRATCH_MNT $keyid - -_scratch_cycle_mount # Clear all keys - -# Wait for any invalidated keys to be garbage-collected. -i=0 -while grep -E -q '^[0-9a-f]+ [^ ]*i[^ ]*' /proc/keys; do - if ((++i >= 20)); then - echo "Timed out waiting for invalidated keys to be GC'ed" >> $seqres.full - break - fi - sleep 0.5 -done - -# Set the user key quota to the fsgqa user's current number of keys plus 5. -orig_keys=$(_user_do "awk '/^[[:space:]]*$(id -u fsgqa):/{print \$4}' /proc/key-users | cut -d/ -f1") -: ${orig_keys:=0} -echo "orig_keys=$orig_keys" >> $seqres.full -orig_maxkeys=$( /proc/sys/kernel/keys/maxkeys - -echo -echo "# Testing user key quota" -for i in `seq $((keys_to_add + 1))`; do - rand_raw_key=$(_generate_raw_encryption_key) - _user_do_add_enckey $SCRATCH_MNT "$rand_raw_key" \ - | sed 's/ with identifier .*$//' -done - -# Restore the original key quota. -echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys - -rm -rf $dir -echo -_user_do "mkdir $dir" -_scratch_cycle_mount # Clear all keys - -# Test multiple users adding the same key. 
-echo "# Adding key as root" -_add_enckey $SCRATCH_MNT "$raw_key" -echo "# Getting key status as regular user" -_user_do_enckey_status $SCRATCH_MNT $keyid -echo "# Removing key only added by another user (should fail with ENOKEY)" -_user_do_rm_enckey $SCRATCH_MNT $keyid -echo "# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY)" -_user_do_set_encpolicy $dir $keyid |& _filter_scratch -echo "# Adding second user of key" -_user_do_add_enckey $SCRATCH_MNT "$raw_key" -echo "# Getting key status as regular user" -_user_do_enckey_status $SCRATCH_MNT $keyid -echo "# Setting v2 encryption policy as regular user" -_user_do_set_encpolicy $dir $keyid -echo "# Removing this user's claim to the key" -_user_do_rm_enckey $SCRATCH_MNT $keyid -echo "# Getting key status as regular user" -_user_do_enckey_status $SCRATCH_MNT $keyid -echo "# Adding back second user of key" -_user_do_add_enckey $SCRATCH_MNT "$raw_key" -echo "# Remove key for \"all users\", as regular user (should fail with EACCES)" -_user_do_rm_enckey $SCRATCH_MNT $keyid -a |& _filter_scratch -_enckey_status $SCRATCH_MNT $keyid -echo "# Remove key for \"all users\", as root" -_rm_enckey $SCRATCH_MNT $keyid -a -_enckey_status $SCRATCH_MNT $keyid # success, all done status=0 diff --git a/tests/generic/581.out b/tests/generic/581.out index b3f7d889..a8cb96a8 100644 --- a/tests/generic/581.out +++ b/tests/generic/581.out 
@@ -10,53 +10,3 @@ Encryption policy for SCRATCH_MNT/dir: Flags: 0x02 # Adding v1 policy key as regular user (should fail with EACCES) Permission denied - -# Setting v2 policy as regular user without key already added (should fail with ENOKEY) -SCRATCH_MNT/dir: failed to set encryption policy: Required key not available -# Adding v2 policy key as regular user (should succeed) -Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Setting v2 policy as regular user with key added (should succeed) -# Getting v2 policy as regular user (should succeed) -Encryption policy for SCRATCH_MNT/dir: - Policy version: 2 - Master key identifier: 69b2f6edeee720cce0577937eb8a6751 - Contents encryption mode: 1 (AES-256-XTS) - Filenames encryption mode: 4 (AES-256-CTS) - Flags: 0x02 -# Creating encrypted file as regular user (should succeed) -# Removing v2 policy key as regular user (should succeed) -Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 - -# Testing user key quota -Added encryption key -Added encryption key -Added encryption key -Added encryption key -Added encryption key -Error adding encryption key: Disk quota exceeded - -# Adding key as root -Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Getting key status as regular user -Present (user_count=1) -# Removing key only added by another user (should fail with ENOKEY) -Error removing encryption key: Required key not available -# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY) -SCRATCH_MNT/dir: failed to set encryption policy: Required key not available -# Adding second user of key -Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Getting key status as regular user -Present (user_count=2, added_by_self) -# Setting v2 encryption policy as regular user -# Removing this user's claim to the key -Removed user's claim to encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Getting 
key status as regular user -Present (user_count=1) -# Adding back second user of key -Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Remove key for "all users", as regular user (should fail with EACCES) -Permission denied -Present (user_count=2, added_by_self) -# Remove key for "all users", as root -Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -Absent diff --git a/tests/generic/734 b/tests/generic/734 new file mode 100644 index 00000000..a6f46e7e --- /dev/null +++ b/tests/generic/734 
@@ -0,0 +1,135 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2019 Google LLC +# +# FS QA Test No. generic/581 +# +# Test non-root use of the fscrypt filesystem-level encryption v2 policy. +# + +. ./common/preamble +_begin_fstest auto quick encrypt +echo + +orig_maxkeys= + +# Override the default cleanup function. +_cleanup() +{ + cd / + rm -f $tmp.* + if [ -n "$orig_maxkeys" ]; then + echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys + fi +} + +# Import common functions. +. ./common/filter +. ./common/encrypt + +# real QA test starts here +_supported_fs generic +_require_user +_require_scratch_encryption -v 2 + +_scratch_mkfs_encrypted &>> $seqres.full +_scratch_mount + +dir=$SCRATCH_MNT/dir + +raw_key="" +for i in `seq 64`; do + raw_key+="\\x$(printf "%02x" $i)" +done +keydesc="0000111122223333" +keyid="69b2f6edeee720cce0577937eb8a6751" +chmod 777 $SCRATCH_MNT + +_user_do "mkdir $dir" + +echo "# Setting v2 policy as regular user without key already added (should fail with ENOKEY)" +_user_do_set_encpolicy $dir $keyid |& _filter_scratch + +echo "# Adding v2 policy key as regular user (should succeed)" +_user_do_add_enckey $SCRATCH_MNT "$raw_key" + +echo "# Setting v2 policy as regular user with key added (should succeed)" +_user_do_set_encpolicy $dir $keyid + +echo "# Getting v2 policy as regular user (should succeed)" +_user_do_get_encpolicy $dir | _filter_scratch + +echo "# Creating encrypted file as regular user (should succeed)" +_user_do "echo contents > $dir/file" + +echo "# Removing v2 policy key as regular user (should succeed)" +_user_do_rm_enckey $SCRATCH_MNT $keyid + +_scratch_cycle_mount # Clear all keys + +# Wait for any invalidated keys to be garbage-collected. +i=0 +while grep -E -q '^[0-9a-f]+ [^ ]*i[^ ]*' /proc/keys; do + if ((++i >= 20)); then + echo "Timed out waiting for invalidated keys to be GC'ed" >> $seqres.full + break + fi + sleep 0.5 +done + +# Set the user key quota to the fsgqa user's current number of keys plus 5. 
+orig_keys=$(_user_do "awk '/^[[:space:]]*$(id -u fsgqa):/{print \$4}' /proc/key-users | cut -d/ -f1") +: ${orig_keys:=0} +echo "orig_keys=$orig_keys" >> $seqres.full +orig_maxkeys=$( /proc/sys/kernel/keys/maxkeys + +echo +echo "# Testing user key quota" +for i in `seq $((keys_to_add + 1))`; do + rand_raw_key=$(_generate_raw_encryption_key) + _user_do_add_enckey $SCRATCH_MNT "$rand_raw_key" \ + | sed 's/ with identifier .*$//' +done + +# Restore the original key quota. +echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys + +rm -rf $dir +echo +_user_do "mkdir $dir" +_scratch_cycle_mount # Clear all keys + +# Test multiple users adding the same key. +echo "# Adding key as root" +_add_enckey $SCRATCH_MNT "$raw_key" +echo "# Getting key status as regular user" +_user_do_enckey_status $SCRATCH_MNT $keyid +echo "# Removing key only added by another user (should fail with ENOKEY)" +_user_do_rm_enckey $SCRATCH_MNT $keyid +echo "# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY)" +_user_do_set_encpolicy $dir $keyid |& _filter_scratch +echo "# Adding second user of key" +_user_do_add_enckey $SCRATCH_MNT "$raw_key" +echo "# Getting key status as regular user" +_user_do_enckey_status $SCRATCH_MNT $keyid +echo "# Setting v2 encryption policy as regular user" +_user_do_set_encpolicy $dir $keyid +echo "# Removing this user's claim to the key" +_user_do_rm_enckey $SCRATCH_MNT $keyid +echo "# Getting key status as regular user" +_user_do_enckey_status $SCRATCH_MNT $keyid +echo "# Adding back second user of key" +_user_do_add_enckey $SCRATCH_MNT "$raw_key" +echo "# Remove key for \"all users\", as regular user (should fail with EACCES)" +_user_do_rm_enckey $SCRATCH_MNT $keyid -a |& _filter_scratch +_enckey_status $SCRATCH_MNT $keyid +echo "# Remove key for \"all users\", as root" +_rm_enckey $SCRATCH_MNT $keyid -a +_enckey_status $SCRATCH_MNT $keyid + +# success, all done +status=0 +exit + 
diff --git a/tests/generic/734.out b/tests/generic/734.out new file mode 100644 index 00000000..85a8c973 --- /dev/null +++ b/tests/generic/734.out 
@@ -0,0 +1,51 @@ +QA output created by 734 + +# Setting v2 policy as regular user without key already added (should fail with ENOKEY) +SCRATCH_MNT/dir: failed to set encryption policy: Required key not available +# Adding v2 policy key as regular user (should succeed) +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Setting v2 policy as regular user with key added (should succeed) +# Getting v2 policy as regular user (should succeed) +Encryption policy for SCRATCH_MNT/dir: + Policy version: 2 + Master key identifier: 69b2f6edeee720cce0577937eb8a6751 + Contents encryption mode: 1 (AES-256-XTS) + Filenames encryption mode: 4 (AES-256-CTS) + Flags: 0x02 +# Creating encrypted file as regular user (should succeed) +# Removing v2 policy key as regular user (should succeed) +Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 + +# Testing user key quota +Added encryption key +Added encryption key +Added encryption key +Added encryption key +Added encryption key +Error adding encryption key: Disk quota exceeded + +# Adding key as root +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Getting key status as regular user +Present (user_count=1) +# Removing key only added by another user (should fail with ENOKEY) +Error removing encryption key: Required key not available +# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY) +SCRATCH_MNT/dir: failed to set encryption policy: Required key not available +# Adding second user of key +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Getting key status as regular user +Present (user_count=2, added_by_self) +# Setting v2 encryption policy as regular user +# Removing this user's claim to the key +Removed user's claim to encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Getting key status as regular user +Present (user_count=1) +# Adding back second user of key +Added encryption key with 
identifier 69b2f6edeee720cce0577937eb8a6751 +# Remove key for "all users", as regular user (should fail with EACCES) +Permission denied +Present (user_count=2, added_by_self) +# Remove key for "all users", as root +Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +Absent From patchwork Tue Oct 10 20:26:04 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Josef Bacik X-Patchwork-Id: 13416009 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 281F5CD6119 for ; Tue, 10 Oct 2023 20:26:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343602AbjJJU0k (ORCPT ); Tue, 10 Oct 2023 16:26:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54318 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234480AbjJJU0f (ORCPT ); Tue, 10 Oct 2023 16:26:35 -0400 Received: from mail-yw1-x112b.google.com (mail-yw1-x112b.google.com [IPv6:2607:f8b0:4864:20::112b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 570E2119 for ; Tue, 10 Oct 2023 13:26:30 -0700 (PDT) Received: by mail-yw1-x112b.google.com with SMTP id 00721157ae682-59b5484fbe6so75190237b3.1 for ; Tue, 10 Oct 2023 13:26:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=toxicpanda-com.20230601.gappssmtp.com; s=20230601; t=1696969589; x=1697574389; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=CpXoLSC4B3+y4tFzKbAFP96R061BBPW8n0TzUGeBy20=; b=1I2t8mzbvuNF3pruO1Xc89EgwsALHJBW3WE/RSrXcL3zphYYNS6hnIfCyIcvypmpeR YViEHmWtdVNo43z+6eFe1g1qh5oy9O9q6PTetX/u4IQvSS6y644nQZxJd8RrYRi9QS8q 
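Review bot: In the first tests/generic/581 hunk the rewritten description, 'Test non-root use of the fscrypt filesystem-level encryption keyring policy.', no longer says which policy version the test covers, and 'keyring policy' does not parse. Since the commit message keeps the v1 checks in this test, something like 'Test non-root use of the fscrypt filesystem-level encryption keyring and v1 encryption policies.' would match what remains.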
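Review bot: The header of the new tests/generic/734 still reads 'FS QA Test No. generic/581', so the copy was not renumbered; it should say generic/734. In the same file 'keydesc="0000111122223333"' is assigned but none of the v2 steps that follow use it, and there is an added empty line after 'exit' at the end of the file; both can go.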
From: Josef Bacik To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org Subject: [PATCH 11/12] fstests: split generic/613 into two tests Date: Tue, 10 Oct 2023 16:26:04 -0400 Message-ID: <227ac42377705dcd416558f8415965ecba3a17df.1696969376.git.josef@toxicpanda.com> X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: fstests@vger.kernel.org generic/613 tests v1 and v2 policies, but btrfs can only support v2 policies. Split this into two different tests, 613 which will only test v1 policies, and then 735 which will test v2 policies. The 735 test will also add checks for the per-extent nonces to validate they're all sufficiently random. Signed-off-by: Josef Bacik --- tests/generic/613 | 20 ++------ tests/generic/613.out | 5 +- tests/generic/735 | 117 ++++++++++++++++++++++++++++++++++++++++++ tests/generic/735.out | 14 +++++ 4 files changed, 138 insertions(+), 18 deletions(-) create mode 100644 tests/generic/735 create mode 100644 tests/generic/735.out diff --git a/tests/generic/613 b/tests/generic/613 index 47c60e9c..96b81a96 100755 --- a/tests/generic/613 +++ b/tests/generic/613 
@@ -22,22 +22,21 @@ _begin_fstest auto quick encrypt # real QA test starts here _supported_fs generic -_require_scratch_encryption -v 2 +_require_scratch_encryption _require_get_encryption_nonce_support _require_command "$XZ_PROG" xz _scratch_mkfs_encrypted &>> $seqres.full _scratch_mount -echo -e "\n# Adding encryption keys" -_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" +echo -e "\n# Adding encryption key" _add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" -d $TEST_KEY_DESCRIPTOR # Create a bunch of encrypted files and directories -- enough for the uniqueness # and randomness tests to be meaningful, but not so many that this test takes a -# long time. Test using both v1 and v2 encryption policies, and for each of -# those test the case of an encryption policy that is assigned to an empty -# directory as well as the case of a file created in an encrypted directory. +# long time. Test using the v1 encryption policy, test the case of an +# encryption policy that is assigned to an empty directory as well as the case +# of a file created in an encrypted directory. echo -e "\n# Creating encrypted files and directories" inodes=() for i in {1..50}; do @@ -45,20 +44,11 @@ for i in {1..50}; do mkdir $dir inodes+=("$(stat -c %i $dir)") _set_encpolicy $dir $TEST_KEY_DESCRIPTOR - - dir=$SCRATCH_MNT/v2_policy_dir_$i - mkdir $dir - inodes+=("$(stat -c %i $dir)") - _set_encpolicy $dir $TEST_KEY_IDENTIFIER done for i in {1..50}; do file=$SCRATCH_MNT/v1_policy_dir_1/$i touch $file inodes+=("$(stat -c %i $file)") - - file=$SCRATCH_MNT/v2_policy_dir_1/$i - touch $file - inodes+=("$(stat -c %i $file)") done _scratch_unmount diff --git a/tests/generic/613.out b/tests/generic/613.out index 203a64f2..4a218d03 100644 --- a/tests/generic/613.out +++ b/tests/generic/613.out 
@@ -1,7 +1,6 @@ QA output created by 613 -# Adding encryption keys -Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Adding encryption key Added encryption key with descriptor 0000111122223333 # Creating encrypted files and directories @@ -12,5 +11,5 @@ Added encryption key with descriptor 0000111122223333 Listing non-unique nonces: # Verifying randomness of nonces -Uncompressed size is 3200 bytes +Uncompressed size is 1600 bytes Nonces are incompressible, as expected diff --git a/tests/generic/735 b/tests/generic/735 new file mode 100644 index 00000000..c901be1f --- /dev/null +++ b/tests/generic/735 
@@ -0,0 +1,117 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2023 Meta +# +# FS QA Test No. 735 +# +# A variation of generic/613 that only tests v2, and checks data nonces for any +# file system that supporst per-extent encryption. +# +# Test that encryption nonces are unique and random, where randomness is +# approximated as "incompressible by the xz program". +# +# An encryption nonce is the 16-byte value that the filesystem generates for +# each encrypted file. These nonces must be unique in order to cause different +# files to be encrypted differently, which is an important security property. +# In practice, they need to be random to achieve that; and it's easy enough to +# test for both uniqueness and randomness, so we test for both. +# +. ./common/preamble +_begin_fstest auto quick encrypt + +# Import common functions. +. ./common/filter +. ./common/encrypt + +# real QA test starts here +_supported_fs generic +_require_scratch_encryption -v 2 +_require_get_encryption_nonce_support +_require_command "$XZ_PROG" xz + +_check_nonce() +{ + local nonce=$1 + + if (( ${#nonce} != 32 )) || [ -n "$(echo "$nonce" | tr -d 0-9a-fA-F)" ] + then + _fail "Expected nonce for inode $inode to be 16 bytes (32 hex characters), but got \"$nonce\"" + fi +} + +_scratch_mkfs_encrypted &>> $seqres.full +_scratch_mount + +echo -e "\n# Adding encryption key" +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" + +# Create a bunch of encrypted files and directories -- enough for the uniqueness +# and randomness tests to be meaningful, but not so many that this test takes a +# long time. Test using the v2 encryption policy, test the case of an +# encryption policy that is assigned to an empty directory as well as the case +# of a file created in an encrypted directory. 
+echo -e "\n# Creating encrypted files and directories" +inodes=() +for i in {1..50}; do + dir=$SCRATCH_MNT/v2_policy_dir_$i + mkdir $dir + inodes+=("$(stat -c %i $dir)") + _set_encpolicy $dir $TEST_KEY_IDENTIFIER +done +for i in {1..50}; do + file=$SCRATCH_MNT/v2_policy_dir_1/$i + $XFS_IO_PROG -f -c "pwrite 0 1m" $file > /dev/null + inodes+=("$(stat -c %i $file)") +done +_scratch_unmount + +# Build files that contain all the nonces. nonces_hex contains them in hex, one +# per line. nonces_bin contains them in binary, all concatenated. +echo -e "\n# Getting encryption nonces from inodes" +echo -n > $tmp.nonces_hex +echo -n > $tmp.nonces_bin +for inode in "${inodes[@]}"; do + inode_nonce=$(_get_encryption_file_nonce $SCRATCH_DEV $inode) + _check_nonce $inode_nonce + + echo $inode_nonce >> $tmp.nonces_hex + echo -ne "$(echo $inode_nonce | sed 's/[0-9a-fA-F]\{2\}/\\x\0/g')" \ + >> $tmp.nonces_bin + + data_nonce=$(_get_encryption_data_nonce $SCRATCH_DEV $inode) + + # If the inode is empty we won't have a data nonce + [ "$data_nonce" = "" ] && continue + + # If the inode nonce and data nonce are the same continue + [ "$inode_nonce" = "$data_nonce" ] && continue + + _check_nonce $data_nonce + + echo $data_nonce >> $tmp.nonces_hex + echo -ne "$(echo $data_nonce | sed 's/[0-9a-fA-F]\{2\}/\\x\0/g')" \ + >> $tmp.nonces_bin +done + +# Verify the uniqueness and randomness of the nonces. In theory randomness +# implies uniqueness here, but it's easy enough to explicitly test for both. + +echo -e "\n# Verifying uniqueness of nonces" +echo "Listing non-unique nonces:" +sort < $tmp.nonces_hex | uniq -d + +echo -e "\n# Verifying randomness of nonces" +uncompressed_size=$(stat -c %s $tmp.nonces_bin) +echo "Uncompressed size is $uncompressed_size bytes" >> $seqres.full +compressed_size=$($XZ_PROG -c < $tmp.nonces_bin | wc -c) +echo "Compressed size is $compressed_size bytes" >> $seqres.full +# The xz format has 60 bytes of overhead. Go a bit lower to avoid flakiness. 
+if (( compressed_size >= uncompressed_size + 55 )); then + echo "Nonces are incompressible, as expected" +else + _fail "Nonces are compressible (non-random); compressed $uncompressed_size => $compressed_size bytes!" +fi + +# success, all done +status=0 +exit diff --git a/tests/generic/735.out b/tests/generic/735.out new file mode 100644 index 00000000..bf73118b --- /dev/null +++ b/tests/generic/735.out 
@@ -0,0 +1,14 @@ +QA output created by 735 + +# Adding encryption key +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 + +# Creating encrypted files and directories + +# Getting encryption nonces from inodes + +# Verifying uniqueness of nonces +Listing non-unique nonces: + +# Verifying randomness of nonces +Nonces are incompressible, as expected
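Review bot: In the nonce-collection loop of tests/generic/735, `[ "$inode_nonce" = "$data_nonce" ] && continue` silently drops any data nonce that equals the inode nonce, so on a filesystem that is meant to keep the two separate (the series description says btrfs will) a data nonce that wrongly reuses the inode nonce never reaches the uniqueness or randomness check. Consider limiting the skip to filesystems where both helpers are expected to return the same value, or at least recording the skipped inode in $seqres.full so the case is visible. The hex-to-binary `echo -ne "$(echo ... | sed ...)"` pipeline also appears twice in the same loop and could be a small helper.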
From: Josef Bacik
To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org
Subject: [PATCH 12/12] fstest: add a fsstress+fscrypt test
Date: Tue, 10 Oct 2023 16:26:05 -0400
Message-ID: <936037a6c2bcf5553145862c5358e175621983b0.1696969376.git.josef@toxicpanda.com>
X-Mailer: git-send-email 2.41.0

I noticed we don't run fsstress with fscrypt in any of our tests, and this was helpful in uncovering a couple of symlink related corner cases for the btrfs support work. Add a basic test that creates an encrypted directory and runs fsstress in that directory.

Signed-off-by: Josef Bacik
Reviewed-by: Anand Jain
--- tests/generic/736 | 38 ++++++++++++++++++++++++++++++++++++++ tests/generic/736.out | 3 +++ 2 files changed, 41 insertions(+) create mode 100644 tests/generic/736 create mode 100644 tests/generic/736.out diff --git a/tests/generic/736 b/tests/generic/736 new file mode 100644 index 00000000..0ef37d7e --- /dev/null +++ b/tests/generic/736 @@ -0,0 +1,38 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2023 Meta +# +# FS QA Test No. generic/5736 +# +# Run fscrypt on an encrypted directory +# + +. ./common/preamble +_begin_fstest auto quick encrypt +echo + +# Import common functions. +. ./common/filter +. ./common/encrypt + +# real QA test starts here +_supported_fs generic +_require_scratch_encryption -v 2 + +_scratch_mkfs_encrypted &>> $seqres.full +_scratch_mount + +dir=$SCRATCH_MNT/dir +mkdir $dir + +_set_encpolicy $dir $TEST_KEY_IDENTIFIER +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" + +args=$(_scale_fsstress_args -p 4 -n 10000 -p 2 $FSSTRESS_AVOID -d $dir) +echo "Run fsstress $args" >>$seqres.full + +$FSSTRESS_PROG $args >> $seqres.full + +# success, all done +status=0 +exit diff --git a/tests/generic/736.out b/tests/generic/736.out new file mode 100644 index 00000000..022754df --- /dev/null 
+++ b/tests/generic/736.out @@ -0,0 +1,3 @@ +QA output created by 736 + +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751
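Review bot: In the `_scale_fsstress_args` call of tests/generic/736, `-p` is passed twice (`-p 4 -n 10000 -p 2`), so the intended process count cannot be read from the test; keep a single `-p`. The header comment also disagrees with the file: it says `generic/5736` and "Run fscrypt on an encrypted directory", while the file is tests/generic/736 and what it runs is fsstress. Finally, `_add_enckey` is called after `_set_encpolicy` here, whereas the 735 golden output adds the key before creating the encrypted directories; either match that order or add a one-line comment saying the reversed order is intentional.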