This series adds xfstests for the "hardware-wrapped inline encryption
keys" feature which I've proposed adding to the kernel
(https://lore.kernel.org/linux-fscrypt/20220228070520.74082-1-ebiggers@xxxxxxxxxx/T/#u).
This applies to the master branch of xfstests (commit 2ea74ba4e70b).
For now, the new tests just include ciphertext verification tests.
These are the most important type of test to have here, as they validate
the on-disk format, which must be gotten right from the start. They
verify that all the cryptography is implemented correctly, including
both the parts handled by the hardware and the parts handled by the
kernel. Naturally, to do their work they exercise the new UAPIs too.
For now this is an RFC, as the corresponding kernel patches have yet to
be applied. Patches 1-5 are cleanups that could be applied earlier, but
I need to look them over again first and probably will resend them.
In any case, any reviews would be greatly appreciated!
I've verified that the new tests run and pass when all their
prerequisites are met, namely:
- Hardware supporting the feature must be present. I tested this on the
SM8350 HDK (note: this currently requires a custom TrustZone image);
this hardware is compatible with both of IV_INO_LBLK_{64,32}.
- The kernel patches for hardware-wrapped key support must be applied.
- The filesystem must be ext4 or f2fs.
- The kernel must have CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y.
- The fscryptctl program must be available, and must have my patches for
hardware-wrapped key support applied. These can currently be found at
https://github.com/ebiggers/fscryptctl/tree/wip-wrapped-keys.
Eric Biggers (8):
fscrypt-crypt-util: use an explicit --direct-key option
fscrypt-crypt-util: refactor get_key_and_iv()
fscrypt-crypt-util: add support for dumping key identifier
common/encrypt: log full ciphertext verification params
common/encrypt: verify the key identifiers
fscrypt-crypt-util: add hardware KDF support
common/encrypt: support hardware-wrapped key testing
generic: verify ciphertext with hardware-wrapped keys
common/config | 1 +
common/encrypt | 149 +++++++++++--
src/fscrypt-crypt-util.c | 454 ++++++++++++++++++++++++++++++++-------
tests/generic/900 | 30 +++
tests/generic/900.out | 6 +
tests/generic/901 | 30 +++
tests/generic/901.out | 6 +
7 files changed, 579 insertions(+), 97 deletions(-)
create mode 100755 tests/generic/900
create mode 100644 tests/generic/900.out
create mode 100755 tests/generic/901
create mode 100644 tests/generic/901.out
base-commit: 2ea74ba4e70b546279896e2a733c8c7f4b206193
--
2.35.1
|