On Fri, 2022-04-01 at 11:45 +0100, Luís Henriques wrote:
> fscrypt keys have used the $FSTYP as prefix. However this format is being
> deprecated -- newer kernels already allow the usage of the generic
> 'fscrypt:' prefix for ext4 and f2fs. This patch allows the usage of this
> new prefix for testing filesystems that have never supported the old
> format, but keeping the $FSTYP prefix for filesystems that support it, so
> that old kernels can be tested.
>
> Signed-off-by: Luís Henriques <lhenriques@xxxxxxx>
> ---
> common/encrypt | 38 +++++++++++++++++++++++++++-----------
> 1 file changed, 27 insertions(+), 11 deletions(-)
>
> diff --git a/common/encrypt b/common/encrypt
> index f90c4ef05a3f..897c97e0f6fa 100644
> --- a/common/encrypt
> +++ b/common/encrypt
> @@ -250,6 +250,27 @@ _num_to_hex()
> fi
> }
>
> +# Keys are named $FSTYP:KEYDESC where KEYDESC is the 16-character key descriptor
> +# hex string. Newer kernels (ext4 4.8 and later, f2fs 4.6 and later) also allow
> +# the common key prefix "fscrypt:" in addition to their filesystem-specific key
> +# prefix ("ext4:", "f2fs:"). It would be nice to use the common key prefix, but
> +# for now use the filesystem- specific prefix for these 2 filesystems to make it
> +# possible to test older kernels, and the "fscrypt" prefix for anything else.
> +_get_fs_keyprefix()
> +{
> + local prefix=""
> +
> + case $FSTYP in
> + ext4|f2fs|ubifs)
> + prefix="$FSTYP"
> + ;;
> + *)
> + prefix="fscrypt"
> + ;;
> + esac
> + echo $prefix
> +}
> +
> # Add the specified raw encryption key to the session keyring, using the
> # specified key descriptor.
> _add_session_encryption_key()
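Review bot: The comment moved above `_get_fs_keyprefix()` no longer matches the `case` beneath it. It says the filesystem-specific prefix is kept "for these 2 filesystems" and names only ext4 and f2fs, while the arm is `ext4|f2fs|ubifs`. Its first sentence still says keys are named `$FSTYP:KEYDESC`, although the `*)` arm now produces `fscrypt:KEYDESC`. I would reword it along the lines of `# Keys are named PREFIX:KEYDESC; ext4, f2fs and ubifs keep their filesystem-specific prefix so older kernels can be tested, everything else uses "fscrypt".` As a small style point, `echo $prefix` can be `echo "$prefix"`.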
> @@ -268,18 +289,11 @@ _add_session_encryption_key()
> # };
> #
> # The kernel ignores 'mode' but requires that 'size' be 64.
> - #
> - # Keys are named $FSTYP:KEYDESC where KEYDESC is the 16-character key
> - # descriptor hex string. Newer kernels (ext4 4.8 and later, f2fs 4.6
> - # and later) also allow the common key prefix "fscrypt:" in addition to
> - # their filesystem-specific key prefix ("ext4:", "f2fs:"). It would be
> - # nice to use the common key prefix, but for now use the filesystem-
> - # specific prefix to make it possible to test older kernels...
> - #
> local mode=$(_num_to_hex 0 4)
> local size=$(_num_to_hex 64 4)
> + local prefix=$(_get_fs_keyprefix)
> echo -n -e "${mode}${raw}${size}" |
> - $KEYCTL_PROG padd logon $FSTYP:$keydesc @s >>$seqres.full
> + $KEYCTL_PROG padd logon $prefix:$keydesc @s >>$seqres.full
> }
>
> #
> @@ -302,7 +316,8 @@ _generate_session_encryption_key()
> _unlink_session_encryption_key()
> {
> local keydesc=$1
> - local keyid=$($KEYCTL_PROG search @s logon $FSTYP:$keydesc)
> + local prefix=$(_get_fs_keyprefix)
> + local keyid=$($KEYCTL_PROG search @s logon $prefix:$keydesc)
> $KEYCTL_PROG unlink $keyid >>$seqres.full
> }
>
> @@ -310,7 +325,8 @@ _unlink_session_encryption_key()
> _revoke_session_encryption_key()
> {
> local keydesc=$1
> - local keyid=$($KEYCTL_PROG search @s logon $FSTYP:$keydesc)
> + local prefix=$(_get_fs_keyprefix)
> + local keyid=$($KEYCTL_PROG search @s logon $prefix:$keydesc)
> $KEYCTL_PROG revoke $keyid >>$seqres.full
> }
>
Reviewed-by: Jeff Layton <jlayton@xxxxxxxxxx>
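Review bot: The key name handed to keyctl is built from two unquoted expansions, `$prefix:$keydesc`, in the `padd` call of `_add_session_encryption_key()`. The same form is used in the `search` calls of `_unlink_session_encryption_key()` and `_revoke_session_encryption_key()`. In the latter two `$keydesc` is the caller's `$1`, so a value containing whitespace or glob characters would be split or expanded into extra keyctl arguments instead of failing cleanly. Writing `"$prefix:$keydesc"` at all three sites avoids that. The sites also repeat `local prefix=$(_get_fs_keyprefix)`, so a single helper returning the full key name would keep add and search from drifting apart. The start of `_add_session_encryption_key()` lies outside this hunk.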
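Review bot: In `_unlink_session_encryption_key()` the result of `keyctl search` is used without checking that a key was found. `local keyid=$(...)` reports the status of `local`, not of the search, and an empty `$keyid` expands to nothing in `$KEYCTL_PROG unlink $keyid`. The same holds for `_revoke_session_encryption_key()` in the next hunk, where a missed lookup means the key is never revoked. Since the looked-up name now depends on `_get_fs_keyprefix`, I would make a miss explicit before the unlink/revoke, e.g. `[ -n "$keyid" ] || { echo "key $prefix:$keydesc not found"; return 1; }`. Whether keyctl's own stderr message already fails the calling test is not visible from these hunks.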