From: Eric Biggers <ebiggers@xxxxxxxxxx> Add two tests which verify that encrypted files are encrypted correctly when a hardware-wrapped inline encryption key is used. The two tests are identical except that one uses FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 and the other uses FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32. These cover both of the settings where hardware-wrapped keys may be used. Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx> --- tests/generic/900 | 24 ++++++++++++++++++++++++ tests/generic/900.out | 6 ++++++ tests/generic/901 | 24 ++++++++++++++++++++++++ tests/generic/901.out | 6 ++++++ 4 files changed, 60 insertions(+) create mode 100755 tests/generic/900 create mode 100644 tests/generic/900.out create mode 100755 tests/generic/901 create mode 100644 tests/generic/901.out diff --git a/tests/generic/900 b/tests/generic/900 new file mode 100755 index 00000000..8da8007e --- /dev/null +++ b/tests/generic/900 @@ -0,0 +1,24 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2024 Google LLC +# +# FS QA Test No. 900 +# +# Verify the ciphertext for encryption policies that use a hardware-wrapped +# inline encryption key, the IV_INO_LBLK_64 flag, and AES-256-XTS. +# +. ./common/preamble +_begin_fstest auto quick encrypt + +. ./common/filter +. ./common/encrypt + +# Hardware-wrapped keys require the inlinecrypt mount option. +_require_scratch_inlinecrypt +export MOUNT_OPTIONS="$MOUNT_OPTIONS -o inlinecrypt" + +_verify_ciphertext_for_encryption_policy AES-256-XTS AES-256-CTS-CBC \ + v2 iv_ino_lblk_64 hw_wrapped_key + +status=0 +exit diff --git a/tests/generic/900.out b/tests/generic/900.out new file mode 100644 index 00000000..9edc012c --- /dev/null +++ b/tests/generic/900.out @@ -0,0 +1,6 @@ +QA output created by 900 + +Verifying ciphertext with parameters: + contents_encryption_mode: AES-256-XTS + filenames_encryption_mode: AES-256-CTS-CBC + options: v2 iv_ino_lblk_64 hw_wrapped_key diff --git a/tests/generic/901 b/tests/generic/901 new file mode 100755 index 00000000..bfc63bde --- /dev/null +++ b/tests/generic/901 @@ -0,0 +1,24 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2024 Google LLC +# +# FS QA Test No. 901 +# +# Verify the ciphertext for encryption policies that use a hardware-wrapped +# inline encryption key, the IV_INO_LBLK_32 flag, and AES-256-XTS. +# +. ./common/preamble +_begin_fstest auto quick encrypt + +. ./common/filter +. ./common/encrypt + +# Hardware-wrapped keys require the inlinecrypt mount option. +_require_scratch_inlinecrypt +export MOUNT_OPTIONS="$MOUNT_OPTIONS -o inlinecrypt" + +_verify_ciphertext_for_encryption_policy AES-256-XTS AES-256-CTS-CBC \ + v2 iv_ino_lblk_32 hw_wrapped_key + +status=0 +exit diff --git a/tests/generic/901.out b/tests/generic/901.out new file mode 100644 index 00000000..2f928465 --- /dev/null +++ b/tests/generic/901.out @@ -0,0 +1,6 @@ +QA output created by 901 + +Verifying ciphertext with parameters: + contents_encryption_mode: AES-256-XTS + filenames_encryption_mode: AES-256-CTS-CBC + options: v2 iv_ino_lblk_32 hw_wrapped_key -- 2.47.1