From: Josef Bacik
To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org
Cc: Sweet Tea Dorminy
Subject: [PATCH 01/12] common/encrypt: separate data and inode nonces
Date: Tue, 10 Oct 2023 16:25:54 -0400

From: Sweet Tea Dorminy

btrfs will have different inode and data nonces, so we need to be specific about which nonce each use needs. For now, there is no difference in the two functions.

Signed-off-by: Sweet Tea Dorminy Reviewed-by: Anand Jain --- common/encrypt | 33 ++++++++++++++++++++++++++------- tests/f2fs/002 | 2 +- tests/generic/613 | 4 ++-- 3 files changed, 29 insertions(+), 10 deletions(-) diff --git a/common/encrypt b/common/encrypt index 1a77e23b..04b6e5ac 100644 --- a/common/encrypt +++ b/common/encrypt @@ -488,7 +488,7 @@ _add_fscrypt_provisioning_key() # Retrieve the encryption nonce of the given inode as a hex string. The nonce # was randomly generated by the filesystem and isn't exposed directly to # userspace. But it can be read using the filesystem's debugging tools. -_get_encryption_nonce() +_get_encryption_file_nonce() { local device=$1 local inode=$2 @@ -532,15 +532,34 @@ _get_encryption_nonce() }' ;; *) - _fail "_get_encryption_nonce() isn't implemented on $FSTYP" + _fail "_get_encryption_file_nonce() isn't implemented on $FSTYP" ;; esac } -# Require support for _get_encryption_nonce() +# Retrieve the encryption nonce used to encrypt the data of the given inode as +# a hex string. The nonce was randomly generated by the filesystem and isn't +# exposed directly to userspace. But it can be read using the filesystem's +# debugging tools. +_get_encryption_data_nonce() +{ + local device=$1 + local inode=$2 + + case $FSTYP in + ext4|f2fs) + _get_encryption_file_nonce $device $inode + ;; + *) + _fail "_get_encryption_data_nonce() isn't implemented on $FSTYP" + ;; + esac +} + +# Require support for _get_encryption_*nonce() _require_get_encryption_nonce_support() { - echo "Checking for _get_encryption_nonce() support for $FSTYP" >> $seqres.full + echo "Checking for _get_encryption_*nonce() support for $FSTYP" >> $seqres.full case $FSTYP in ext4) _require_command "$DEBUGFS_PROG" debugfs 
@@ -554,7 +573,7 @@ _require_get_encryption_nonce_support() # the test fail in that case, as it was an f2fs-tools bug... ;; *) - _notrun "_get_encryption_nonce() isn't implemented on $FSTYP" + _notrun "_get_encryption_*nonce() isn't implemented on $FSTYP" ;; esac } @@ -760,7 +779,7 @@ _do_verify_ciphertext_for_encryption_policy() echo "Verifying encrypted file contents" >> $seqres.full for f in "${test_contents_files[@]}"; do read -r src inode blocklist <<< "$f" - nonce=$(_get_encryption_nonce $SCRATCH_DEV $inode) + nonce=$(_get_encryption_data_nonce $SCRATCH_DEV $inode) _dump_ciphertext_blocks $SCRATCH_DEV $blocklist > $tmp.actual_contents $crypt_contents_cmd $contents_encryption_mode $raw_key_hex \ --file-nonce=$nonce --block-size=$blocksize \ @@ -780,7 +799,7 @@ _do_verify_ciphertext_for_encryption_policy() echo "Verifying encrypted file names" >> $seqres.full for f in "${test_filenames_files[@]}"; do read -r name inode dir_inode padding <<< "$f" - nonce=$(_get_encryption_nonce $SCRATCH_DEV $dir_inode) + nonce=$(_get_encryption_file_nonce $SCRATCH_DEV $dir_inode) _get_ciphertext_filename $SCRATCH_DEV $inode $dir_inode \ > $tmp.actual_name echo -n "$name" | \ diff --git a/tests/f2fs/002 b/tests/f2fs/002 index 8235d88a..a51ddf22 100755 --- a/tests/f2fs/002 +++ b/tests/f2fs/002 @@ -129,7 +129,7 @@ blocklist=$(_get_ciphertext_block_list $file) _scratch_unmount echo -e "\n# Getting file's encryption nonce" -nonce=$(_get_encryption_nonce $SCRATCH_DEV $inode) +nonce=$(_get_encryption_data_nonce $SCRATCH_DEV $inode) echo -e "\n# Dumping the file's raw data" _dump_ciphertext_blocks $SCRATCH_DEV $blocklist > $tmp.raw diff --git a/tests/generic/613 b/tests/generic/613 index 4cf5ccc6..47c60e9c 100755 --- a/tests/generic/613 +++ b/tests/generic/613 
@@ -68,10 +68,10 @@ echo -e "\n# Getting encryption nonces from inodes" echo -n > $tmp.nonces_hex echo -n > $tmp.nonces_bin for inode in "${inodes[@]}"; do - nonce=$(_get_encryption_nonce $SCRATCH_DEV $inode) + nonce=$(_get_encryption_data_nonce $SCRATCH_DEV $inode) if (( ${#nonce} != 32 )) || [ -n "$(echo "$nonce" | tr -d 0-9a-fA-F)" ] then - _fail "Expected nonce to be 16 bytes (32 hex characters), but got \"$nonce\"" + _fail "Expected nonce for inode $inode to be 16 bytes (32 hex characters), but got \"$nonce\"" fi echo $nonce >> $tmp.nonces_hex echo -ne "$(echo $nonce | sed 's/[0-9a-fA-F]\{2\}/\\x\0/g')" \
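Review bot: the header comment on the new _get_encryption_data_nonce() in common/encrypt repeats the _get_encryption_file_nonce() comment almost word for word and never says when the two values differ. The ext4|f2fs case simply forwards to _get_encryption_file_nonce, so the comment should state that the data nonce equals the inode nonce on those filesystems and may differ elsewhere, so callers know which helper to pick. The old _get_encryption_nonce() name is also removed with no wrapper; the diffstat only touches tests/f2fs/002 and tests/generic/613, so confirm no other test still calls it.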
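Review bot: in the contents loop of _do_verify_ciphertext_for_encryption_policy() (hunk at -760), one nonce is fetched per file and applied to the whole $blocklist through --file-nonce=$nonce. That is correct while the data nonce is the inode nonce, but 02/12 in this series takes the btrfs data nonce from the first extent only, so a file whose blocks span more than one extent would be verified against the wrong value. Record the one-nonce-per-file assumption in a comment at this call, or fail when it does not hold.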
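Review bot: in tests/generic/613 the loop now calls _get_encryption_data_nonce, but the step is still announced as "Getting encryption nonces from inodes" and the new failure text says "nonce for inode $inode". On a filesystem where the data nonce differs from the inode nonce, this test no longer looks at inode nonces at all. Either reword both messages to say data nonce, or collect the results of both _get_encryption_file_nonce and _get_encryption_data_nonce so each kind is still covered.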
From: Josef Bacik To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org Cc: Sweet Tea Dorminy Subject: [PATCH 02/12] common/encrypt: add btrfs to get_encryption_*nonce Date: Tue, 10 Oct 2023 16:25:55 -0400 Message-ID: X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-btrfs@vger.kernel.org From: Sweet Tea Dorminy Add the modes of getting the encryption nonces, either inode or extent, to the various get_encryption_nonce functions. For now, no encrypt test makes a file with more than one extent, so we can just grab the first extent's nonce for the data nonce; when we write a bigger file test, we'll need to change that. Signed-off-by: Sweet Tea Dorminy Reviewed-by: Anand Jain --- common/encrypt | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/common/encrypt b/common/encrypt index 04b6e5ac..fc1c8cc7 100644 --- a/common/encrypt +++ b/common/encrypt @@ -531,6 +531,17 @@ _get_encryption_file_nonce() found = 0; }' ;; + btrfs) + # Retrieve the fscrypt context for an inode as a hex string. + # btrfs prints these like: + # item 14 key ($inode FSCRYPT_CTXT_ITEM 0) itemoff 15491 itemsize 40 + # value: 02010400000000008fabf3dd745d41856e812458cd765bf0140f41d62853f4c0351837daff4dcc8f + + $BTRFS_UTIL_PROG inspect-internal dump-tree $device | \ + grep -A 1 "key ($inode FSCRYPT_CTXT_ITEM 0)" | \ + grep --only-matching 'value: [[:xdigit:]]\+' | \ + tr -d ' \n' | tail -c 32 + ;; *) _fail "_get_encryption_file_nonce() isn't implemented on $FSTYP" ;; 
@@ -550,6 +561,23 @@ _get_encryption_data_nonce() ext4|f2fs) _get_encryption_file_nonce $device $inode ;; + btrfs) + # Retrieve the encryption IV of the first file extent in an inode as a hex + # string. btrfs prints the file extents (for simple unshared + # inodes) like: + # item 21 key ($inode EXTENT_DATA 0) itemoff 2534 itemsize 69 + # generation 7 type 1 (regular) + # extent data disk byte 5304320 nr 1048576 + # extent data offset 0 nr 1048576 ram 1048576 + # extent compression 0 (none) + # extent encryption 161 ((1, 40: context 0201040200000000116a77667261d7422a4b1ed8c427e685edb7a0d370d0c9d40030333033333330)) + + + $BTRFS_UTIL_PROG inspect-internal dump-tree $device | \ + grep -A 5 "key ($inode EXTENT_DATA 0)" | \ + grep --only-matching 'context [[:xdigit:]]\+' | \ + tr -d ' \n' | tail -c 32 + ;; *) _fail "_get_encryption_data_nonce() isn't implemented on $FSTYP" ;; 
@@ -572,6 +600,9 @@ _require_get_encryption_nonce_support() # Otherwise the xattr is incorrectly parsed as v1. But just let # the test fail in that case, as it was an f2fs-tools bug... ;; + btrfs) + _require_command "$BTRFS_UTIL_PROG" btrfs + ;; *) _notrun "_get_encryption_*nonce() isn't implemented on $FSTYP" ;;
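Review bot: the btrfs case added to _get_encryption_file_nonce() greps the dump of every tree on $device for "key ($inode FSCRYPT_CTXT_ITEM 0)" and keeps the last 32 hex characters of whatever matched, with no check on how many items matched. If the same key shows up in more than one tree, tr -d ' \n' joins the values and tail -c 32 silently returns the last one; if nothing matches, the function returns an empty string with a zero status. Restrict the dump to the tree under test and call _fail unless exactly one "value:" line is found. $device is also unquoted.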
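Review bot: the btrfs case added to _get_encryption_data_nonce() only ever reads "key ($inode EXTENT_DATA 0)", and its comment says "first file extent" without saying what happens for a file with more extents. The commit message admits this needs changing for bigger files; until then, make the helper _fail when the inode has more than one EXTENT_DATA item so a later multi-extent test cannot be checked against the wrong nonce. grep -A 5 also ties the parse to the exact number of lines dump-tree prints between the key and the "extent encryption" line, and the stray blank added lines before the pipeline can go.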
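Review bot: the btrfs case in _require_get_encryption_nonce_support() only checks that the btrfs binary exists. Both parsers above depend on dump-tree printing FSCRYPT_CTXT_ITEM values and the "extent encryption ... context" line, so a btrfs-progs without that output produces an empty nonce and a confusing failure later. Probe for the output format here and _notrun with a clear message when it is missing, as the f2fs comment just above shows that tool versions have mattered before.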
From: Josef Bacik
To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org
Cc: Sweet Tea Dorminy
Subject: [PATCH 03/12] common/encrypt: add btrfs to get_ciphertext_filename
Date: Tue, 10 Oct 2023 16:25:56 -0400

From: Sweet Tea Dorminy Add the relevant call to get an encrypted filename from btrfs. Signed-off-by: Sweet Tea Dorminy Reviewed-by: Anand Jain --- common/encrypt | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/common/encrypt b/common/encrypt index fc1c8cc7..2c1925da 100644 --- a/common/encrypt +++ b/common/encrypt @@ -618,6 +618,19 @@ _get_ciphertext_filename() local dir_inode=$3 case $FSTYP in + btrfs) + # Extract the filename from the inode_ref object, similar to: + # item 24 key (259 INODE_REF 257) itemoff 14826 itemsize 26 + # index 3 namelen 16 name: J\xf7\x15tD\x8eL\xae/\x98\x9f\x09\xc1\xb6\x09> + # + $BTRFS_UTIL_PROG inspect-internal dump-tree $device | \ + grep -A 1 "key ($inode INODE_REF " | tail -n 1 | \ + perl -ne ' + s/.*?name: //; + chomp; + s/\\x([[:xdigit:]]{2})/chr hex $1/eg; + print;' + ;; ext4) # Extract the filename from the debugfs output line like: # 
@@ -715,6 +728,9 @@ _require_get_ciphertext_filename_support() _notrun "dump.f2fs (f2fs-tools) is too old; doesn't support showing unambiguous on-disk filenames" fi ;; + btrfs) + _require_command "$BTRFS_UTIL_PROG" btrfs + ;; *) _notrun "_get_ciphertext_filename() isn't implemented on $FSTYP" ;;
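Review bot: the btrfs case added to _get_ciphertext_filename() matches "key ($inode INODE_REF " and never uses $dir_inode, although the sample in its own comment shows the parent directory as the key offset, "key (259 INODE_REF 257)". If the inode has references from more than one directory, or the key appears in several trees, tail -n 1 returns whichever name is printed last. Match "key ($inode INODE_REF $dir_inode)" and fail unless exactly one name comes back. The sample name line in the comment also ends in a stray ">".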
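Review bot: the btrfs case in _require_get_ciphertext_filename_support() checks only for the binary, while the f2fs case directly above skips the test when the tool cannot show "unambiguous on-disk filenames". The perl decoder in _get_ciphertext_filename() assumes every non-printable byte arrives as \xNN and that a literal backslash in a name cannot be mistaken for such an escape. Confirm dump-tree guarantees that, and _notrun here on versions that do not.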
From: Josef Bacik To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org Cc: Sweet Tea Dorminy Subject: [PATCH 04/12] common/encrypt: enable making a encrypted btrfs filesystem Date: Tue, 10 Oct 2023 16:25:57 -0400 Message-ID: <905514b9fa178c51afde27c4eff456079e010750.1696969376.git.josef@toxicpanda.com> X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-btrfs@vger.kernel.org From: Sweet Tea Dorminy Signed-off-by: Sweet Tea Dorminy Reviewed-by: Anand Jain --- common/encrypt | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/common/encrypt b/common/encrypt index 2c1925da..1372af66 100644 --- a/common/encrypt +++ b/common/encrypt @@ -153,6 +153,9 @@ _scratch_mkfs_encrypted() # erase the UBI volume; reformated automatically on next mount $UBIUPDATEVOL_PROG ${SCRATCH_DEV} -t ;; + btrfs) + _scratch_mkfs + ;; ceph) _scratch_cleanup_files ;; 
@@ -168,6 +171,9 @@ _scratch_mkfs_sized_encrypted() ext4|f2fs) MKFS_OPTIONS="$MKFS_OPTIONS -O encrypt" _scratch_mkfs_sized $* ;; + btrfs) + _scratch_mkfs_sized $* + ;; *) _notrun "Filesystem $FSTYP not supported in _scratch_mkfs_sized_encrypted" ;;
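Review bot: the btrfs case added to _scratch_mkfs_encrypted() calls plain _scratch_mkfs with no encryption option, and the commit has no description, so nothing explains why btrfs needs no mkfs-time feature flag when the ext4|f2fs case in the next hunk has to add "-O encrypt". Put the reason in the commit message and in a one-line comment on the case, so the missing option does not read as an oversight.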
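Review bot: the btrfs case added to _scratch_mkfs_sized_encrypted() passes arguments on with an unquoted $*, which re-splits any argument containing whitespace. It copies the existing ext4|f2fs line, so this is a style point, but "$@" is the safer form for a new case.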
From: Josef Bacik
To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org
Cc: Sweet Tea Dorminy
Subject: [PATCH 05/12] common/verity: explicitly don't allow btrfs encryption
Date: Tue, 10 Oct 2023 16:25:58 -0400
Message-ID: <24a79bf71c105ebcff42868cdc7938022ca145d1.1696969376.git.josef@toxicpanda.com>

From: Sweet Tea Dorminy Currently btrfs encryption doesn't support verity, but it is planned to one day. To be explicit about the lack of support, add a custom error message to the combination. Signed-off-by: Sweet Tea Dorminy Reviewed-by: Anand Jain --- common/verity | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/common/verity b/common/verity index 03d175ce..4e601a81 100644 --- a/common/verity +++ b/common/verity 
@@ -224,6 +224,10 @@ _scratch_mkfs_encrypted_verity() # features with -O. Instead -O must be supplied multiple times. _scratch_mkfs -O encrypt -O verity ;; + btrfs) + # currently verity + encryption is not supported + _notrun "btrfs doesn't currently support verity + encryption" + ;; *) _notrun "$FSTYP not supported in _scratch_mkfs_encrypted_verity" ;;
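Review bot: in the btrfs case added to _scratch_mkfs_encrypted_verity(), the comment "# currently verity + encryption is not supported" only repeats the _notrun message on the next line. Drop it, or turn it into a note on what this case has to do once support lands, since the commit message says the combination is planned.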
From: Josef Bacik To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org Cc: Sweet Tea Dorminy Subject: [PATCH 06/12] btrfs: add simple test of reflink of encrypted data Date: Tue, 10 Oct 2023 16:25:59 -0400 Message-ID: <723b5972c3d2d917acc23bf65eb3a5e5feba5ecc.1696969376.git.josef@toxicpanda.com> X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-btrfs@vger.kernel.org From: Sweet Tea Dorminy Make sure that we succeed at reflinking encrypted data. Test deliberately numbered with a high number so it won't conflict with tests between now and merge. --- tests/btrfs/613 | 59 +++++++++++++++++++++++++++++++++++++++++++++ tests/btrfs/613.out | 13 ++++++++++ 2 files changed, 72 insertions(+) create mode 100755 tests/btrfs/613 create mode 100644 tests/btrfs/613.out diff --git a/tests/btrfs/613 b/tests/btrfs/613 new file mode 100755 index 00000000..0288016e --- /dev/null +++ b/tests/btrfs/613 
@@ -0,0 +1,59 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright (c) 2023 Meta Platforms, Inc. All Rights Reserved. +# +# FS QA Test 613 +# +# Check if reflinking one encrypted file on btrfs succeeds. +# +. ./common/preamble +_begin_fstest auto encrypt + +# Import common functions. +. ./common/encrypt +. ./common/filter +. ./common/reflink + +# real QA test starts here + +# Modify as appropriate. +_supported_fs btrfs + +_require_test +_require_scratch +_require_cp_reflink +_require_scratch_encryption -v 2 +_require_command "$KEYCTL_PROG" keyctl + +_scratch_mkfs_encrypted &>> $seqres.full +_scratch_mount + +dir=$SCRATCH_MNT/dir +mkdir $dir +_set_encpolicy $dir $TEST_KEY_IDENTIFIER +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" +echo "Creating and reflinking a file" +$XFS_IO_PROG -t -f -c "pwrite 0 33k" $dir/test > /dev/null +cp --reflink=always $dir/test $dir/test2 + +echo "Can't reflink encrypted and unencrypted" +cp --reflink=always $dir/test $SCRATCH_MNT/fail |& _filter_scratch + +echo "Diffing the file and its copy" +diff $dir/test $dir/test2 + +echo "Verifying the files are reflinked" +_verify_reflink $dir/test $dir/test2 + +echo "Diffing the files after remount" +_scratch_cycle_mount +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" +diff $dir/test $dir/test2 + +echo "Diffing the files after key remove" +_rm_enckey $SCRATCH_MNT $TEST_KEY_IDENTIFIER +diff $dir/test $dir/test2 |& _filter_scratch + +# success, all done +status=0 +exit diff --git a/tests/btrfs/613.out b/tests/btrfs/613.out new file mode 100644 index 00000000..4895d6dd --- /dev/null +++ b/tests/btrfs/613.out 
@@ -0,0 +1,13 @@ +QA output created by 613 +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +Creating and reflinking a file +Can't reflink encrypted and unencrypted +cp: failed to clone 'SCRATCH_MNT/fail' from 'SCRATCH_MNT/dir/test': Invalid argument +Diffing the file and its copy +Verifying the files are reflinked +Diffing the files after remount +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +Diffing the files after key remove +Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +diff: SCRATCH_MNT/dir/test: No such file or directory +diff: SCRATCH_MNT/dir/test2: No such file or directory
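Review bot: in tests/btrfs/613, the "Diffing the files after remount" step only compares $dir/test with $dir/test2, and because the two files share extents, a decryption error that affects both identically would still pass. Record a checksum of $dir/test before `_scratch_cycle_mount` and compare both files against it once the key has been re-added. The test exercises reflink, yet `_begin_fstest auto encrypt` leaves it out of the clone group, and the template comment "# Modify as appropriate." can be dropped.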
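Review bot: in tests/btrfs/613.out, the expected line `cp: failed to clone 'SCRATCH_MNT/fail' from 'SCRATCH_MNT/dir/test': Invalid argument` pins the exact wording cp prints, so the test depends on the installed cp's message format rather than on the reflink being refused. Consider checking the exit status in the test and echoing a fixed string, and also confirming that no data ended up in $SCRATCH_MNT/fail.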
From: Josef Bacik To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org Cc: Sweet Tea Dorminy Subject: [PATCH 07/12] btrfs: test snapshotting encrypted subvol Date: Tue, 10 Oct 2023 16:26:00 -0400 Message-ID: <9a17afb133849c2321bb98c07c48cff2aaf1d87a.1696969376.git.josef@toxicpanda.com> X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-btrfs@vger.kernel.org From: Sweet Tea Dorminy Make sure that snapshots of encrypted data are readable and writeable. Test deliberately high-numbered to not conflict. Signed-off-by: Sweet Tea Dorminy Reviewed-by: Anand Jain --- tests/btrfs/614 | 76 ++++++++++++++++++++++++++++++ tests/btrfs/614.out | 111 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 187 insertions(+) create mode 100755 tests/btrfs/614 create mode 100644 tests/btrfs/614.out diff --git a/tests/btrfs/614 b/tests/btrfs/614 new file mode 100755 index 00000000..87dd27f9 --- /dev/null +++ b/tests/btrfs/614 
@@ -0,0 +1,76 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright (c) 2023 Meta Platforms, Inc. All Rights Reserved. +# +# FS QA Test 614 +# +# Try taking a snapshot of an encrypted subvolume. Make sure the snapshot is +# still readable. Rewrite part of the subvol with the same data; make sure it's +# still readable. +# +. ./common/preamble +_begin_fstest auto encrypt + +# Import common functions. +. ./common/encrypt +. ./common/filter + +# real QA test starts here +_supported_fs btrfs + +_require_test +_require_scratch +_require_scratch_encryption -v 2 +_require_command "$KEYCTL_PROG" keyctl + +_scratch_mkfs_encrypted &>> $seqres.full +_scratch_mount + +udir=$SCRATCH_MNT/reference +dir=$SCRATCH_MNT/subvol +dir2=$SCRATCH_MNT/subvol2 +$BTRFS_UTIL_PROG subvolume create $dir >> $seqres.full +mkdir $udir + +_set_encpolicy $dir $TEST_KEY_IDENTIFIER +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" + +# get files with lots of extents by using backwards writes. +for j in `seq 0 50`; do + for i in `seq 20 -1 1`; do + $XFS_IO_PROG -f -d -c "pwrite $(($i * 4096)) 4096" \ + $dir/foo-$j >> $seqres.full | _filter_xfs_io + $XFS_IO_PROG -f -d -c "pwrite $(($i * 4096)) 4096" \ + $udir/foo-$j >> $seqres.full | _filter_xfs_io + done +done + +$BTRFS_UTIL_PROG subvolume snapshot $dir $dir2 | _filter_scratch + +_scratch_remount +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" +sleep 30 +echo "Diffing $dir and $dir2" +diff $dir $dir2 + +echo "Rewriting $dir2 partly" +# rewrite half of each file in the snapshot +for j in `seq 0 50`; do + for i in `seq 10 -1 1`; do + $XFS_IO_PROG -f -d -c "pwrite $(($i * 4096)) 4096" \ + $dir2/foo-$j >> $seqres.full | _filter_xfs_io + done +done + +echo "Diffing $dir and $dir2" +diff $dir $dir2 + +echo "Dropping key and diffing" +_rm_enckey $SCRATCH_MNT $TEST_KEY_IDENTIFIER +diff $dir $dir2 |& _filter_scratch | _filter_nokey_filenames + +$BTRFS_UTIL_PROG subvolume delete $dir > /dev/null 2>&1 + +# success, all done +status=0 +exit 
diff --git a/tests/btrfs/614.out b/tests/btrfs/614.out new file mode 100644 index 00000000..390807e8 --- /dev/null +++ b/tests/btrfs/614.out 
@@ -0,0 +1,111 @@ +QA output created by 614 +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +Create a snapshot of 'SCRATCH_MNT/subvol' in 'SCRATCH_MNT/subvol2' +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +Diffing /mnt/scratch/subvol and /mnt/scratch/subvol2 +Rewriting /mnt/scratch/subvol2 partly +Diffing /mnt/scratch/subvol and /mnt/scratch/subvol2 +Dropping key and diffing +Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: 
NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME 
+NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME 
NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME 
NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME +NOKEY_NAME: NOKEY_NAME/NOKEY_NAME/NOKEY_NAME: NOKEY_NAME NOKEY_NAME NOKEY_NAME NOKEY_NAME From patchwork Tue Oct 10 20:26:01 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: 
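Review bot: in tests/btrfs/614, $udir is filled with the same writes as $dir but is never read again; both `diff $dir $dir2` calls compare the subvolume only with its own snapshot, so the unencrypted reference adds nothing. Either diff $dir and $dir2 against $udir after the remount and after the partial rewrite, or drop the reference writes. The `sleep 30` needs a comment saying what it waits for, and in `>> $seqres.full | _filter_xfs_io` stdout has already been redirected, so the filter receives no input.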
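Review bot: in tests/btrfs/614.out, the lines "Diffing /mnt/scratch/subvol and /mnt/scratch/subvol2" and "Rewriting /mnt/scratch/subvol2 partly" hard-code one mount point, because the test echoes $dir and $dir2 unfiltered; the golden output will not match wherever SCRATCH_MNT is not /mnt/scratch. Pipe those echoes through _filter_scratch or echo fixed text, as the snapshot line already does with SCRATCH_MNT/subvol.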
From: Josef Bacik To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org Subject: [PATCH 08/12] fstests: properly test for v1 encryption policies in encrypt tests Date: Tue, 10 Oct 2023 16:26:01 -0400 Message-ID: X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-btrfs@vger.kernel.org With btrfs adding fscrypt support we're limiting the usage to plain v2 policies only. This means we need to update the _require's for generic/593 that tests both v1 and v2 policies. The other sort of tests will be split into two tests in later patches. Signed-off-by: Josef Bacik Reviewed-by: Anand Jain --- common/encrypt | 2 ++ tests/generic/593 | 1 + 2 files changed, 3 insertions(+) diff --git a/common/encrypt b/common/encrypt index 1372af66..120ca612 100644 --- a/common/encrypt +++ b/common/encrypt 
@@ -59,6 +59,8 @@ _require_scratch_encryption() # policy required by the test. if [ $# -ne 0 ]; then _require_encryption_policy_support $SCRATCH_MNT "$@" + else + _require_encryption_policy_support $SCRATCH_MNT -v 1 fi _scratch_unmount diff --git a/tests/generic/593 b/tests/generic/593 index 2dda5d76..7907236c 100755 --- a/tests/generic/593 +++ b/tests/generic/593 
@@ -17,6 +17,7 @@ _begin_fstest auto quick encrypt # real QA test starts here _supported_fs generic +_require_scratch_encryption -v 1 _require_scratch_encryption -v 2 _require_command "$KEYCTL_PROG" keyctl
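Review bot: in the common/encrypt hunk, the new `else` branch changes what a bare `_require_scratch_encryption` means: it now requires v1 policy support, but the comment above the `if` still describes only the case where the test passes a policy. Document the new default there, and say in the commit message that callers passing no arguments will stop running on a filesystem without v1 support, since the message names only generic/593.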
From: Josef Bacik To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org Subject: [PATCH 09/12] fstests: split generic/580 into two tests Date: Tue, 10 Oct 2023 16:26:02 -0400 Message-ID: X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-btrfs@vger.kernel.org generic/580 tests both v1 and v2 encryption policies, however btrfs only supports v2 policies. Split this into two tests so that we can get the v2 coverage for btrfs. 
Signed-off-by: Josef Bacik --- tests/generic/580 | 118 ++++++++++++++++++------------------------ tests/generic/580.out | 40 -------------- tests/generic/733 | 79 ++++++++++++++++++++++++++++ tests/generic/733.out | 44 ++++++++++++++++ 4 files changed, 173 insertions(+), 108 deletions(-) create mode 100644 tests/generic/733 create mode 100644 tests/generic/733.out diff --git a/tests/generic/580 b/tests/generic/580 index 73f32ff9..63ab9712 100755 --- a/tests/generic/580 +++ b/tests/generic/580 @@ -5,7 +5,7 @@ # FS QA Test generic/580 # # Basic test of the fscrypt filesystem-level encryption keyring -# and v2 encryption policies. +# policy. # . ./common/preamble 
@@ -18,80 +18,62 @@ echo # real QA test starts here _supported_fs generic -_require_scratch_encryption -v 2 +_require_scratch_encryption _scratch_mkfs_encrypted &>> $seqres.full _scratch_mount -test_with_policy_version() -{ - local vers=$1 - - if (( vers == 1 )); then - local keyspec=$TEST_KEY_DESCRIPTOR - local add_enckey_args="-d $keyspec" - else - local keyspec=$TEST_KEY_IDENTIFIER - local add_enckey_args="" - fi - - mkdir $dir - echo "# Setting v$vers encryption policy" - _set_encpolicy $dir $keyspec - echo "# Getting v$vers encryption policy" - _get_encpolicy $dir | _filter_scratch - if (( vers == 1 )); then - echo "# Getting v1 encryption policy using old ioctl" - _get_encpolicy $dir -1 | _filter_scratch - fi - echo "# Trying to create file without key added yet" - $XFS_IO_PROG -f $dir/file |& _filter_scratch - echo "# Getting encryption key status" - _enckey_status $SCRATCH_MNT $keyspec - echo "# Adding encryption key" - _add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" $add_enckey_args - echo "# Creating encrypted file" - echo contents > $dir/file - echo "# Getting encryption key status" - _enckey_status $SCRATCH_MNT $keyspec - echo "# Removing encryption key" - _rm_enckey $SCRATCH_MNT $keyspec - echo "# Getting encryption key status" - _enckey_status $SCRATCH_MNT $keyspec - echo "# Verifying that the encrypted directory was \"locked\"" - cat $dir/file |& _filter_scratch - cat "$(find $dir -type f)" |& _filter_scratch | cut -d ' ' -f3- - - # Test removing key with a file open. 
- echo "# Re-adding encryption key" - _add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" $add_enckey_args - echo "# Creating another encrypted file" - echo foo > $dir/file2 - echo "# Removing key while an encrypted file is open" - exec 3< $dir/file - _rm_enckey $SCRATCH_MNT $keyspec - echo "# Non-open file should have been evicted" - cat $dir/file2 |& _filter_scratch - echo "# Open file shouldn't have been evicted" - cat $dir/file - echo "# Key should be in \"incompletely removed\" state" - _enckey_status $SCRATCH_MNT $keyspec - echo "# Closing file and removing key for real now" - exec 3<&- - _rm_enckey $SCRATCH_MNT $keyspec - cat $dir/file |& _filter_scratch - - echo "# Cleaning up" - rm -rf $dir - _scratch_cycle_mount # Clear all keys - echo -} - dir=$SCRATCH_MNT/dir +keyspec=$TEST_KEY_DESCRIPTOR -test_with_policy_version 1 +mkdir $dir +echo "# Setting v1 encryption policy" +_set_encpolicy $dir $keyspec +echo "# Getting v1 encryption policy" +_get_encpolicy $dir | _filter_scratch +echo "# Getting v1 encryption policy using old ioctl" +_get_encpolicy $dir -1 | _filter_scratch +echo "# Trying to create file without key added yet" +$XFS_IO_PROG -f $dir/file |& _filter_scratch +echo "# Getting encryption key status" +_enckey_status $SCRATCH_MNT $keyspec +echo "# Adding encryption key" +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" -d $keyspec +echo "# Creating encrypted file" +echo contents > $dir/file +echo "# Getting encryption key status" +_enckey_status $SCRATCH_MNT $keyspec +echo "# Removing encryption key" +_rm_enckey $SCRATCH_MNT $keyspec +echo "# Getting encryption key status" +_enckey_status $SCRATCH_MNT $keyspec +echo "# Verifying that the encrypted directory was \"locked\"" +cat $dir/file |& _filter_scratch +cat "$(find $dir -type f)" |& _filter_scratch | cut -d ' ' -f3- -test_with_policy_version 2 +# Test removing key with a file open. 
+echo "# Re-adding encryption key" +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" -d $keyspec +echo "# Creating another encrypted file" +echo foo > $dir/file2 +echo "# Removing key while an encrypted file is open" +exec 3< $dir/file +_rm_enckey $SCRATCH_MNT $keyspec +echo "# Non-open file should have been evicted" +cat $dir/file2 |& _filter_scratch +echo "# Open file shouldn't have been evicted" +cat $dir/file +echo "# Key should be in \"incompletely removed\" state" +_enckey_status $SCRATCH_MNT $keyspec +echo "# Closing file and removing key for real now" +exec 3<&- +_rm_enckey $SCRATCH_MNT $keyspec +cat $dir/file |& _filter_scratch + +echo "# Cleaning up" +rm -rf $dir +_scratch_cycle_mount # Clear all keys +echo echo "# Trying to remove absent key" _rm_enckey $SCRATCH_MNT abcdabcdabcdabcd diff --git a/tests/generic/580.out b/tests/generic/580.out index 989d4514..f2f4d490 100644 --- a/tests/generic/580.out +++ b/tests/generic/580.out 
@@ -47,45 +47,5 @@ Removed encryption key with descriptor 0000111122223333 cat: SCRATCH_MNT/dir/file: No such file or directory # Cleaning up -# Setting v2 encryption policy -# Getting v2 encryption policy -Encryption policy for SCRATCH_MNT/dir: - Policy version: 2 - Master key identifier: 69b2f6edeee720cce0577937eb8a6751 - Contents encryption mode: 1 (AES-256-XTS) - Filenames encryption mode: 4 (AES-256-CTS) - Flags: 0x02 -# Trying to create file without key added yet -SCRATCH_MNT/dir/file: Required key not available -# Getting encryption key status -Absent -# Adding encryption key -Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Creating encrypted file -# Getting encryption key status -Present (user_count=1, added_by_self) -# Removing encryption key -Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Getting encryption key status -Absent -# Verifying that the encrypted directory was "locked" -cat: SCRATCH_MNT/dir/file: No such file or directory -Required key not available -# Re-adding encryption key -Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Creating another encrypted file -# Removing key while an encrypted file is open -Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751, but files still busy -# Non-open file should have been evicted -cat: SCRATCH_MNT/dir/file2: Required key not available -# Open file shouldn't have been evicted -contents -# Key should be in "incompletely removed" state -Incompletely removed -# Closing file and removing key for real now -Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -cat: SCRATCH_MNT/dir/file: No such file or directory -# Cleaning up - # Trying to remove absent key Error removing encryption key: Required key not available diff --git a/tests/generic/733 b/tests/generic/733 new file mode 100644 index 00000000..ae0434fb --- /dev/null +++ b/tests/generic/733 
@@ -0,0 +1,79 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# +# FS QA Test generic/733 +# +# A v2 only version of generic/580 + +. ./common/preamble +_begin_fstest auto quick encrypt +echo + +# Import common functions. +. ./common/filter +. ./common/encrypt + +# real QA test starts here +_supported_fs generic +_require_scratch_encryption -v 2 + +_scratch_mkfs_encrypted &>> $seqres.full +_scratch_mount + +keyspec=$TEST_KEY_IDENTIFIER +dir=$SCRATCH_MNT/dir + +mkdir $dir +echo "# Setting v2 encryption policy" +_set_encpolicy $dir $keyspec +echo "# Getting v2 encryption policy" +_get_encpolicy $dir | _filter_scratch +echo "# Trying to create file without key added yet" +$XFS_IO_PROG -f $dir/file |& _filter_scratch +echo "# Getting encryption key status" +_enckey_status $SCRATCH_MNT $keyspec +echo "# Adding encryption key" +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" +echo "# Creating encrypted file" +echo contents > $dir/file +echo "# Getting encryption key status" +_enckey_status $SCRATCH_MNT $keyspec +echo "# Removing encryption key" +_rm_enckey $SCRATCH_MNT $keyspec +echo "# Getting encryption key status" +_enckey_status $SCRATCH_MNT $keyspec +echo "# Verifying that the encrypted directory was \"locked\"" +cat $dir/file |& _filter_scratch +cat "$(find $dir -type f)" |& _filter_scratch | cut -d ' ' -f3- + +# Test removing key with a file open. 
+echo "# Re-adding encryption key" +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" +echo "# Creating another encrypted file" +echo foo > $dir/file2 +echo "# Removing key while an encrypted file is open" +exec 3< $dir/file +_rm_enckey $SCRATCH_MNT $keyspec +echo "# Non-open file should have been evicted" +cat $dir/file2 |& _filter_scratch +echo "# Open file shouldn't have been evicted" +cat $dir/file +echo "# Key should be in \"incompletely removed\" state" +_enckey_status $SCRATCH_MNT $keyspec +echo "# Closing file and removing key for real now" +exec 3<&- +_rm_enckey $SCRATCH_MNT $keyspec +cat $dir/file |& _filter_scratch + +echo "# Cleaning up" +rm -rf $dir +_scratch_cycle_mount # Clear all keys +echo + +echo "# Trying to remove absent key" +_rm_enckey $SCRATCH_MNT abcdabcdabcdabcd + +# success, all done +status=0 +exit + diff --git a/tests/generic/733.out b/tests/generic/733.out new file mode 100644 index 00000000..02dce51d --- /dev/null +++ b/tests/generic/733.out 
@@ -0,0 +1,44 @@ +QA output created by 733 + +# Setting v2 encryption policy +# Getting v2 encryption policy +Encryption policy for SCRATCH_MNT/dir: + Policy version: 2 + Master key identifier: 69b2f6edeee720cce0577937eb8a6751 + Contents encryption mode: 1 (AES-256-XTS) + Filenames encryption mode: 4 (AES-256-CTS) + Flags: 0x02 +# Trying to create file without key added yet +SCRATCH_MNT/dir/file: Required key not available +# Getting encryption key status +Absent +# Adding encryption key +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Creating encrypted file +# Getting encryption key status +Present (user_count=1, added_by_self) +# Removing encryption key +Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Getting encryption key status +Absent +# Verifying that the encrypted directory was "locked" +cat: SCRATCH_MNT/dir/file: No such file or directory +Required key not available +# Re-adding encryption key +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Creating another encrypted file +# Removing key while an encrypted file is open +Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751, but files still busy +# Non-open file should have been evicted +cat: SCRATCH_MNT/dir/file2: Required key not available +# Open file shouldn't have been evicted +contents +# Key should be in "incompletely removed" state +Incompletely removed +# Closing file and removing key for real now +Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +cat: SCRATCH_MNT/dir/file: No such file or directory +# Cleaning up + +# Trying to remove absent key +Error removing encryption key: Required key not available From patchwork Tue Oct 10 20:26:03 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Josef Bacik X-Patchwork-Id: 13416022 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on 
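Review bot: The header of the new tests/generic/733 has no Copyright line and describes the test only as "A v2 only version of generic/580". The body is moved over from generic/580, so carry across whatever copyright notice that file has (generic/734 in this series keeps one) and state in the header what is exercised: adding, removing and querying a v2 policy key, including removal while an encrypted file is still open. A reader of 733 should not need to open 580 to learn what the test covers.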
From: Josef Bacik To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org Subject: [PATCH 10/12] fstests: split generic/581 into two tests Date: Tue, 10 Oct 2023 16:26:03 -0400 Message-ID: <4f808fb5081fc4e9afe77e8498535fd41cc122b2.1696969376.git.josef@toxicpanda.com> X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-btrfs@vger.kernel.org generic/581 is mostly a v2 policy test, but it does do some quick checks of v1 policies as a normal user. Split the v1 and v2 related parts into two different tests so that the v2 part can get properly tested for btrfs file systems, which only support v2 policies.
Signed-off-by: Josef Bacik --- tests/generic/581 | 89 +--------------------------- tests/generic/581.out | 50 ---------------- tests/generic/734 | 135 ++++++++++++++++++++++++++++++++++++++++++ tests/generic/734.out | 51 ++++++++++++++++ 4 files changed, 188 insertions(+), 137 deletions(-) create mode 100644 tests/generic/734 create mode 100644 tests/generic/734.out diff --git a/tests/generic/581 b/tests/generic/581 index cabc7e1c..ab930ac6 100755 --- a/tests/generic/581 +++ b/tests/generic/581 @@ -4,8 +4,7 @@ # # FS QA Test No. generic/581 # -# Test non-root use of the fscrypt filesystem-level encryption keyring -# and v2 encryption policies. +# Test non-root use of the fscrypt filesystem-level encryption keyring policy. # . ./common/preamble @@ -31,7 +30,7 @@ _cleanup() # real QA test starts here _supported_fs generic _require_user -_require_scratch_encryption -v 2 +_require_scratch_encryption _scratch_mkfs_encrypted &>> $seqres.full _scratch_mount 
@@ -58,90 +57,6 @@ echo "# Adding v1 policy key as regular user (should fail with EACCES)" _user_do_add_enckey $SCRATCH_MNT "$raw_key" -d $keydesc rm -rf $dir -echo -_user_do "mkdir $dir" - -echo "# Setting v2 policy as regular user without key already added (should fail with ENOKEY)" -_user_do_set_encpolicy $dir $keyid |& _filter_scratch - -echo "# Adding v2 policy key as regular user (should succeed)" -_user_do_add_enckey $SCRATCH_MNT "$raw_key" - -echo "# Setting v2 policy as regular user with key added (should succeed)" -_user_do_set_encpolicy $dir $keyid - -echo "# Getting v2 policy as regular user (should succeed)" -_user_do_get_encpolicy $dir | _filter_scratch - -echo "# Creating encrypted file as regular user (should succeed)" -_user_do "echo contents > $dir/file" - -echo "# Removing v2 policy key as regular user (should succeed)" -_user_do_rm_enckey $SCRATCH_MNT $keyid - -_scratch_cycle_mount # Clear all keys - -# Wait for any invalidated keys to be garbage-collected. -i=0 -while grep -E -q '^[0-9a-f]+ [^ ]*i[^ ]*' /proc/keys; do - if ((++i >= 20)); then - echo "Timed out waiting for invalidated keys to be GC'ed" >> $seqres.full - break - fi - sleep 0.5 -done - -# Set the user key quota to the fsgqa user's current number of keys plus 5. -orig_keys=$(_user_do "awk '/^[[:space:]]*$(id -u fsgqa):/{print \$4}' /proc/key-users | cut -d/ -f1") -: ${orig_keys:=0} -echo "orig_keys=$orig_keys" >> $seqres.full -orig_maxkeys=$( /proc/sys/kernel/keys/maxkeys - -echo -echo "# Testing user key quota" -for i in `seq $((keys_to_add + 1))`; do - rand_raw_key=$(_generate_raw_encryption_key) - _user_do_add_enckey $SCRATCH_MNT "$rand_raw_key" \ - | sed 's/ with identifier .*$//' -done - -# Restore the original key quota. -echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys - -rm -rf $dir -echo -_user_do "mkdir $dir" -_scratch_cycle_mount # Clear all keys - -# Test multiple users adding the same key. 
-echo "# Adding key as root" -_add_enckey $SCRATCH_MNT "$raw_key" -echo "# Getting key status as regular user" -_user_do_enckey_status $SCRATCH_MNT $keyid -echo "# Removing key only added by another user (should fail with ENOKEY)" -_user_do_rm_enckey $SCRATCH_MNT $keyid -echo "# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY)" -_user_do_set_encpolicy $dir $keyid |& _filter_scratch -echo "# Adding second user of key" -_user_do_add_enckey $SCRATCH_MNT "$raw_key" -echo "# Getting key status as regular user" -_user_do_enckey_status $SCRATCH_MNT $keyid -echo "# Setting v2 encryption policy as regular user" -_user_do_set_encpolicy $dir $keyid -echo "# Removing this user's claim to the key" -_user_do_rm_enckey $SCRATCH_MNT $keyid -echo "# Getting key status as regular user" -_user_do_enckey_status $SCRATCH_MNT $keyid -echo "# Adding back second user of key" -_user_do_add_enckey $SCRATCH_MNT "$raw_key" -echo "# Remove key for \"all users\", as regular user (should fail with EACCES)" -_user_do_rm_enckey $SCRATCH_MNT $keyid -a |& _filter_scratch -_enckey_status $SCRATCH_MNT $keyid -echo "# Remove key for \"all users\", as root" -_rm_enckey $SCRATCH_MNT $keyid -a -_enckey_status $SCRATCH_MNT $keyid # success, all done status=0 diff --git a/tests/generic/581.out b/tests/generic/581.out index b3f7d889..a8cb96a8 100644 --- a/tests/generic/581.out +++ b/tests/generic/581.out 
@@ -10,53 +10,3 @@ Encryption policy for SCRATCH_MNT/dir: Flags: 0x02 # Adding v1 policy key as regular user (should fail with EACCES) Permission denied - -# Setting v2 policy as regular user without key already added (should fail with ENOKEY) -SCRATCH_MNT/dir: failed to set encryption policy: Required key not available -# Adding v2 policy key as regular user (should succeed) -Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Setting v2 policy as regular user with key added (should succeed) -# Getting v2 policy as regular user (should succeed) -Encryption policy for SCRATCH_MNT/dir: - Policy version: 2 - Master key identifier: 69b2f6edeee720cce0577937eb8a6751 - Contents encryption mode: 1 (AES-256-XTS) - Filenames encryption mode: 4 (AES-256-CTS) - Flags: 0x02 -# Creating encrypted file as regular user (should succeed) -# Removing v2 policy key as regular user (should succeed) -Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 - -# Testing user key quota -Added encryption key -Added encryption key -Added encryption key -Added encryption key -Added encryption key -Error adding encryption key: Disk quota exceeded - -# Adding key as root -Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Getting key status as regular user -Present (user_count=1) -# Removing key only added by another user (should fail with ENOKEY) -Error removing encryption key: Required key not available -# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY) -SCRATCH_MNT/dir: failed to set encryption policy: Required key not available -# Adding second user of key -Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Getting key status as regular user -Present (user_count=2, added_by_self) -# Setting v2 encryption policy as regular user -# Removing this user's claim to the key -Removed user's claim to encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Getting 
key status as regular user -Present (user_count=1) -# Adding back second user of key -Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Remove key for "all users", as regular user (should fail with EACCES) -Permission denied -Present (user_count=2, added_by_self) -# Remove key for "all users", as root -Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -Absent diff --git a/tests/generic/734 b/tests/generic/734 new file mode 100644 index 00000000..a6f46e7e --- /dev/null +++ b/tests/generic/734 
@@ -0,0 +1,135 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2019 Google LLC +# +# FS QA Test No. generic/581 +# +# Test non-root use of the fscrypt filesystem-level encryption v2 policy. +# + +. ./common/preamble +_begin_fstest auto quick encrypt +echo + +orig_maxkeys= + +# Override the default cleanup function. +_cleanup() +{ + cd / + rm -f $tmp.* + if [ -n "$orig_maxkeys" ]; then + echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys + fi +} + +# Import common functions. +. ./common/filter +. ./common/encrypt + +# real QA test starts here +_supported_fs generic +_require_user +_require_scratch_encryption -v 2 + +_scratch_mkfs_encrypted &>> $seqres.full +_scratch_mount + +dir=$SCRATCH_MNT/dir + +raw_key="" +for i in `seq 64`; do + raw_key+="\\x$(printf "%02x" $i)" +done +keydesc="0000111122223333" +keyid="69b2f6edeee720cce0577937eb8a6751" +chmod 777 $SCRATCH_MNT + +_user_do "mkdir $dir" + +echo "# Setting v2 policy as regular user without key already added (should fail with ENOKEY)" +_user_do_set_encpolicy $dir $keyid |& _filter_scratch + +echo "# Adding v2 policy key as regular user (should succeed)" +_user_do_add_enckey $SCRATCH_MNT "$raw_key" + +echo "# Setting v2 policy as regular user with key added (should succeed)" +_user_do_set_encpolicy $dir $keyid + +echo "# Getting v2 policy as regular user (should succeed)" +_user_do_get_encpolicy $dir | _filter_scratch + +echo "# Creating encrypted file as regular user (should succeed)" +_user_do "echo contents > $dir/file" + +echo "# Removing v2 policy key as regular user (should succeed)" +_user_do_rm_enckey $SCRATCH_MNT $keyid + +_scratch_cycle_mount # Clear all keys + +# Wait for any invalidated keys to be garbage-collected. +i=0 +while grep -E -q '^[0-9a-f]+ [^ ]*i[^ ]*' /proc/keys; do + if ((++i >= 20)); then + echo "Timed out waiting for invalidated keys to be GC'ed" >> $seqres.full + break + fi + sleep 0.5 +done + +# Set the user key quota to the fsgqa user's current number of keys plus 5. 
+orig_keys=$(_user_do "awk '/^[[:space:]]*$(id -u fsgqa):/{print \$4}' /proc/key-users | cut -d/ -f1") +: ${orig_keys:=0} +echo "orig_keys=$orig_keys" >> $seqres.full +orig_maxkeys=$( /proc/sys/kernel/keys/maxkeys + +echo +echo "# Testing user key quota" +for i in `seq $((keys_to_add + 1))`; do + rand_raw_key=$(_generate_raw_encryption_key) + _user_do_add_enckey $SCRATCH_MNT "$rand_raw_key" \ + | sed 's/ with identifier .*$//' +done + +# Restore the original key quota. +echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys + +rm -rf $dir +echo +_user_do "mkdir $dir" +_scratch_cycle_mount # Clear all keys + +# Test multiple users adding the same key. +echo "# Adding key as root" +_add_enckey $SCRATCH_MNT "$raw_key" +echo "# Getting key status as regular user" +_user_do_enckey_status $SCRATCH_MNT $keyid +echo "# Removing key only added by another user (should fail with ENOKEY)" +_user_do_rm_enckey $SCRATCH_MNT $keyid +echo "# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY)" +_user_do_set_encpolicy $dir $keyid |& _filter_scratch +echo "# Adding second user of key" +_user_do_add_enckey $SCRATCH_MNT "$raw_key" +echo "# Getting key status as regular user" +_user_do_enckey_status $SCRATCH_MNT $keyid +echo "# Setting v2 encryption policy as regular user" +_user_do_set_encpolicy $dir $keyid +echo "# Removing this user's claim to the key" +_user_do_rm_enckey $SCRATCH_MNT $keyid +echo "# Getting key status as regular user" +_user_do_enckey_status $SCRATCH_MNT $keyid +echo "# Adding back second user of key" +_user_do_add_enckey $SCRATCH_MNT "$raw_key" +echo "# Remove key for \"all users\", as regular user (should fail with EACCES)" +_user_do_rm_enckey $SCRATCH_MNT $keyid -a |& _filter_scratch +_enckey_status $SCRATCH_MNT $keyid +echo "# Remove key for \"all users\", as root" +_rm_enckey $SCRATCH_MNT $keyid -a +_enckey_status $SCRATCH_MNT $keyid + +# success, all done +status=0 +exit + 
diff --git a/tests/generic/734.out b/tests/generic/734.out new file mode 100644 index 00000000..85a8c973 --- /dev/null +++ b/tests/generic/734.out 
@@ -0,0 +1,51 @@ +QA output created by 734 + +# Setting v2 policy as regular user without key already added (should fail with ENOKEY) +SCRATCH_MNT/dir: failed to set encryption policy: Required key not available +# Adding v2 policy key as regular user (should succeed) +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Setting v2 policy as regular user with key added (should succeed) +# Getting v2 policy as regular user (should succeed) +Encryption policy for SCRATCH_MNT/dir: + Policy version: 2 + Master key identifier: 69b2f6edeee720cce0577937eb8a6751 + Contents encryption mode: 1 (AES-256-XTS) + Filenames encryption mode: 4 (AES-256-CTS) + Flags: 0x02 +# Creating encrypted file as regular user (should succeed) +# Removing v2 policy key as regular user (should succeed) +Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 + +# Testing user key quota +Added encryption key +Added encryption key +Added encryption key +Added encryption key +Added encryption key +Error adding encryption key: Disk quota exceeded + +# Adding key as root +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Getting key status as regular user +Present (user_count=1) +# Removing key only added by another user (should fail with ENOKEY) +Error removing encryption key: Required key not available +# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY) +SCRATCH_MNT/dir: failed to set encryption policy: Required key not available +# Adding second user of key +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Getting key status as regular user +Present (user_count=2, added_by_self) +# Setting v2 encryption policy as regular user +# Removing this user's claim to the key +Removed user's claim to encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Getting key status as regular user +Present (user_count=1) +# Adding back second user of key +Added encryption key with 
identifier 69b2f6edeee720cce0577937eb8a6751 +# Remove key for "all users", as regular user (should fail with EACCES) +Permission denied +Present (user_count=2, added_by_self) +# Remove key for "all users", as root +Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +Absent From patchwork Tue Oct 10 20:26:04 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Josef Bacik X-Patchwork-Id: 13416020
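Review bot: In tests/generic/581 the last hunk removes the key quota test that changed /proc/sys/kernel/keys/maxkeys, but no hunk touches the lines between the header comment and `_require_user`, so the `_cleanup()` override named in the second hunk header stays in place. If it still restores `orig_maxkeys` the way the copy in generic/734 does, it is now dead code in 581 and the test can go back to the default cleanup. The rewritten description, "Test non-root use of the fscrypt filesystem-level encryption keyring policy.", also reads as garbled; wording along the lines of "keyring with v1 encryption policies" would say what is left in this test.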
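Review bot: The header of the new tests/generic/734 still reads "FS QA Test No. generic/581" and should name generic/734. `keydesc="0000111122223333"` is also copied over but never referenced in this file, since the v1 descriptor check stays in 581, so it can be dropped.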
From: Josef Bacik To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org Subject: [PATCH 11/12] fstests: split generic/613 into two tests Date: Tue, 10 Oct 2023 16:26:04 -0400 Message-ID: <227ac42377705dcd416558f8415965ecba3a17df.1696969376.git.josef@toxicpanda.com> X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-btrfs@vger.kernel.org generic/613 tests v1 and v2 policies, but btrfs can only support v2 policies. Split this into two different tests, 613 which will only test v1 policies, and then 735 which will test v2 policies. The 735 test will also add checks for the per-extent nonces to validate they're all sufficiently random. Signed-off-by: Josef Bacik --- tests/generic/613 | 20 ++------ tests/generic/613.out | 5 +- tests/generic/735 | 117 ++++++++++++++++++++++++++++++++++++++++++ tests/generic/735.out | 14 +++++ 4 files changed, 138 insertions(+), 18 deletions(-) create mode 100644 tests/generic/735 create mode 100644 tests/generic/735.out diff --git a/tests/generic/613 b/tests/generic/613 index 47c60e9c..96b81a96 100755 --- a/tests/generic/613 +++ b/tests/generic/613 
@@ -22,22 +22,21 @@ _begin_fstest auto quick encrypt # real QA test starts here _supported_fs generic -_require_scratch_encryption -v 2 +_require_scratch_encryption _require_get_encryption_nonce_support _require_command "$XZ_PROG" xz _scratch_mkfs_encrypted &>> $seqres.full _scratch_mount -echo -e "\n# Adding encryption keys" -_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" +echo -e "\n# Adding encryption key" _add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" -d $TEST_KEY_DESCRIPTOR # Create a bunch of encrypted files and directories -- enough for the uniqueness # and randomness tests to be meaningful, but not so many that this test takes a -# long time. Test using both v1 and v2 encryption policies, and for each of -# those test the case of an encryption policy that is assigned to an empty -# directory as well as the case of a file created in an encrypted directory. +# long time. Test using the v1 encryption policy, test the case of an +# encryption policy that is assigned to an empty directory as well as the case +# of a file created in an encrypted directory. echo -e "\n# Creating encrypted files and directories" inodes=() for i in {1..50}; do @@ -45,20 +44,11 @@ for i in {1..50}; do mkdir $dir inodes+=("$(stat -c %i $dir)") _set_encpolicy $dir $TEST_KEY_DESCRIPTOR - - dir=$SCRATCH_MNT/v2_policy_dir_$i - mkdir $dir - inodes+=("$(stat -c %i $dir)") - _set_encpolicy $dir $TEST_KEY_IDENTIFIER done for i in {1..50}; do file=$SCRATCH_MNT/v1_policy_dir_1/$i touch $file inodes+=("$(stat -c %i $file)") - - file=$SCRATCH_MNT/v2_policy_dir_1/$i - touch $file - inodes+=("$(stat -c %i $file)") done _scratch_unmount diff --git a/tests/generic/613.out b/tests/generic/613.out index 203a64f2..4a218d03 100644 --- a/tests/generic/613.out +++ b/tests/generic/613.out 
@@ -1,7 +1,6 @@ QA output created by 613 -# Adding encryption keys -Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Adding encryption key Added encryption key with descriptor 0000111122223333 # Creating encrypted files and directories @@ -12,5 +11,5 @@ Added encryption key with descriptor 0000111122223333 Listing non-unique nonces: # Verifying randomness of nonces -Uncompressed size is 3200 bytes +Uncompressed size is 1600 bytes Nonces are incompressible, as expected diff --git a/tests/generic/735 b/tests/generic/735 new file mode 100644 index 00000000..c901be1f --- /dev/null +++ b/tests/generic/735 
@@ -0,0 +1,117 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2023 Meta +# +# FS QA Test No. 735 +# +# A variation of generic/613 that only tests v2, and checks data nonces for any +# file system that supporst per-extent encryption. +# +# Test that encryption nonces are unique and random, where randomness is +# approximated as "incompressible by the xz program". +# +# An encryption nonce is the 16-byte value that the filesystem generates for +# each encrypted file. These nonces must be unique in order to cause different +# files to be encrypted differently, which is an important security property. +# In practice, they need to be random to achieve that; and it's easy enough to +# test for both uniqueness and randomness, so we test for both. +# +. ./common/preamble +_begin_fstest auto quick encrypt + +# Import common functions. +. ./common/filter +. ./common/encrypt + +# real QA test starts here +_supported_fs generic +_require_scratch_encryption -v 2 +_require_get_encryption_nonce_support +_require_command "$XZ_PROG" xz + +_check_nonce() +{ + local nonce=$1 + + if (( ${#nonce} != 32 )) || [ -n "$(echo "$nonce" | tr -d 0-9a-fA-F)" ] + then + _fail "Expected nonce for inode $inode to be 16 bytes (32 hex characters), but got \"$nonce\"" + fi +} + +_scratch_mkfs_encrypted &>> $seqres.full +_scratch_mount + +echo -e "\n# Adding encryption key" +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" + +# Create a bunch of encrypted files and directories -- enough for the uniqueness +# and randomness tests to be meaningful, but not so many that this test takes a +# long time. Test using the v2 encryption policy, test the case of an +# encryption policy that is assigned to an empty directory as well as the case +# of a file created in an encrypted directory. 
+echo -e "\n# Creating encrypted files and directories" +inodes=() +for i in {1..50}; do + dir=$SCRATCH_MNT/v2_policy_dir_$i + mkdir $dir + inodes+=("$(stat -c %i $dir)") + _set_encpolicy $dir $TEST_KEY_IDENTIFIER +done +for i in {1..50}; do + file=$SCRATCH_MNT/v2_policy_dir_1/$i + $XFS_IO_PROG -f -c "pwrite 0 1m" $file > /dev/null + inodes+=("$(stat -c %i $file)") +done +_scratch_unmount + +# Build files that contain all the nonces. nonces_hex contains them in hex, one +# per line. nonces_bin contains them in binary, all concatenated. +echo -e "\n# Getting encryption nonces from inodes" +echo -n > $tmp.nonces_hex +echo -n > $tmp.nonces_bin +for inode in "${inodes[@]}"; do + inode_nonce=$(_get_encryption_file_nonce $SCRATCH_DEV $inode) + _check_nonce $inode_nonce + + echo $inode_nonce >> $tmp.nonces_hex + echo -ne "$(echo $inode_nonce | sed 's/[0-9a-fA-F]\{2\}/\\x\0/g')" \ + >> $tmp.nonces_bin + + data_nonce=$(_get_encryption_data_nonce $SCRATCH_DEV $inode) + + # If the inode is empty we won't have a data nonce + [ "$data_nonce" = "" ] && continue + + # If the inode nonce and data nonce are the same continue + [ "$inode_nonce" = "$data_nonce" ] && continue + + _check_nonce $data_nonce + + echo $data_nonce >> $tmp.nonces_hex + echo -ne "$(echo $data_nonce | sed 's/[0-9a-fA-F]\{2\}/\\x\0/g')" \ + >> $tmp.nonces_bin +done + +# Verify the uniqueness and randomness of the nonces. In theory randomness +# implies uniqueness here, but it's easy enough to explicitly test for both. + +echo -e "\n# Verifying uniqueness of nonces" +echo "Listing non-unique nonces:" +sort < $tmp.nonces_hex | uniq -d + +echo -e "\n# Verifying randomness of nonces" +uncompressed_size=$(stat -c %s $tmp.nonces_bin) +echo "Uncompressed size is $uncompressed_size bytes" >> $seqres.full +compressed_size=$($XZ_PROG -c < $tmp.nonces_bin | wc -c) +echo "Compressed size is $compressed_size bytes" >> $seqres.full +# The xz format has 60 bytes of overhead. Go a bit lower to avoid flakiness. 
+if (( compressed_size >= uncompressed_size + 55 )); then + echo "Nonces are incompressible, as expected" +else + _fail "Nonces are compressible (non-random); compressed $uncompressed_size => $compressed_size bytes!" +fi + +# success, all done +status=0 +exit diff --git a/tests/generic/735.out b/tests/generic/735.out new file mode 100644 index 00000000..bf73118b --- /dev/null +++ b/tests/generic/735.out 
@@ -0,0 +1,14 @@ +QA output created by 735 + +# Adding encryption key +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 + +# Creating encrypted files and directories + +# Getting encryption nonces from inodes + +# Verifying uniqueness of nonces +Listing non-unique nonces: + +# Verifying randomness of nonces +Nonces are incompressible, as expected
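Review bot: In the nonce-collection loop of tests/generic/735, `[ "$inode_nonce" = "$data_nonce" ] && continue` drops the data nonce whenever it equals the inode nonce, so on a filesystem where the two are meant to differ, a regression that reuses the inode nonce for data passes silently. The `[ "$data_nonce" = "" ] && continue` just above has the same effect if `_get_encryption_data_nonce` fails and prints nothing for one of the 50 files that were each written with `pwrite 0 1m`. Suggest failing when a regular file that has data yields no data nonce, and either making the equality skip conditional on the filesystem under test or stating in the comment which filesystems are expected to return identical values.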
From: Josef Bacik To: fstests@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org Subject: [PATCH 12/12] fstest: add a fsstress+fscrypt test Date: Tue, 10 Oct 2023 16:26:05 -0400 Message-ID: <936037a6c2bcf5553145862c5358e175621983b0.1696969376.git.josef@toxicpanda.com> X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-btrfs@vger.kernel.org

I noticed we don't run fsstress with fscrypt in any of our tests, and this was helpful in uncovering a couple of symlink-related corner cases for the btrfs support work. Add a basic test that creates an encrypted directory and runs fsstress in that directory.

Signed-off-by: Josef Bacik Reviewed-by: Anand Jain
--- tests/generic/736 | 38 ++++++++++++++++++++++++++++++++++++++ tests/generic/736.out | 3 +++ 2 files changed, 41 insertions(+) create mode 100644 tests/generic/736 create mode 100644 tests/generic/736.out diff --git a/tests/generic/736 b/tests/generic/736 new file mode 100644 index 00000000..0ef37d7e --- /dev/null +++ b/tests/generic/736 @@ -0,0 +1,38 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2023 Meta +# +# FS QA Test No. generic/5736 +# +# Run fscrypt on an encrypted directory +# + +. ./common/preamble +_begin_fstest auto quick encrypt +echo + +# Import common functions. +. ./common/filter +. ./common/encrypt + +# real QA test starts here +_supported_fs generic +_require_scratch_encryption -v 2 + +_scratch_mkfs_encrypted &>> $seqres.full +_scratch_mount + +dir=$SCRATCH_MNT/dir +mkdir $dir + +_set_encpolicy $dir $TEST_KEY_IDENTIFIER +_add_enckey $SCRATCH_MNT "$TEST_RAW_KEY" + +args=$(_scale_fsstress_args -p 4 -n 10000 -p 2 $FSSTRESS_AVOID -d $dir) +echo "Run fsstress $args" >>$seqres.full + +$FSSTRESS_PROG $args >> $seqres.full + +# success, all done +status=0 +exit diff --git a/tests/generic/736.out b/tests/generic/736.out new file mode 100644 index 00000000..022754df --- /dev/null 
+++ b/tests/generic/736.out @@ -0,0 +1,3 @@ +QA output created by 736 + +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751
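Review bot: In tests/generic/736 the call `_scale_fsstress_args -p 4 -n 10000 -p 2 $FSSTRESS_AVOID -d $dir` passes `-p` twice with different values, so it is unclear which process count the test is meant to run with; drop one of them. The header comment also says "FS QA Test No. generic/5736" and "Run fscrypt on an encrypted directory", while the file is tests/generic/736 and what it runs is fsstress. Finally, `_set_encpolicy` is called before `_add_enckey` here, whereas the 735.out golden output shows the key being added before the encrypted directories are created; if the different order is intentional, a one-line comment would help.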