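#!/usr/bin/env bash
#
# Test encryption key management with luks
# Based on 134
#
# Copyright (C) 2019 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
# Walks a LUKS (or qcow2+LUKS) image through keyslot management with
# `qemu-img amend`: adding secrets to chosen or free slots, erasing slots
# by number or by secret, filling every slot, refusing to remove the last
# usable secret, and overriding that refusal with --force.  After each
# step the image is opened with every secret to confirm which ones still
# unlock it.  Every echo below is part of the expected output (the .out
# file), so their wording and spacing must not change.

# creator
owner=mlevitsk@redhat.com

# basename via $(...) with a quoted $0 so an unusual script path cannot
# break the "QA output created by" line.
seq=$(basename -- "$0")
echo "QA output created by $seq"

status=1 # failure is the default!

# Remove the test image; runs from the EXIT/signal trap below on every
# exit path, and the trap re-raises the final $status.
_cleanup()
{
    _cleanup_test_img
}
trap "_cleanup; exit \$status" 0 1 2 3 15

# get standard environment, filters and checks
. ./common.rc
. ./common.filter

_supported_fmt qcow2 luks
_supported_proto file fuse #TODO
_require_working_luks

# The image is always opened via --image-opts, which already names the
# driver; presumably QEMU_IO_OPTIONS_NO_FMT is the standard option set
# minus the implicit "-f $IMGFMT" that would otherwise conflict with it.
QEMU_IO_OPTIONS=$QEMU_IO_OPTIONS_NO_FMT

# For qcow2 the LUKS options live under the "encrypt." prefix and the
# image must be created with encrypt.format=luks; for raw luks the
# options are top-level and PR stays empty.
if [ "$IMGFMT" = "qcow2" ] ; then
    PR="encrypt."
    EXTRA_IMG_ARGS="-o encrypt.format=luks"
fi


# secrets: you are supposed to see the password as *******, see :-)
# These are throwaway test passphrases.  Passing a secret as data= on the
# command line makes it visible to anything that can read the process
# list; outside of a test, the secret object's file= form is the one to
# use.  iter-time=10 keeps the PBKDF cheap for the test run and is not a
# production value.
S0="--object secret,id=sec0,data=hunter0"
S1="--object secret,id=sec1,data=hunter1"
S2="--object secret,id=sec2,data=hunter2"
S3="--object secret,id=sec3,data=hunter3"
S4="--object secret,id=sec4,data=hunter4"
SECRETS="$S0 $S1 $S2 $S3 $S4"

# image with given secret
# Each IMGSn is "--image-opts <opts>" as a single string; it is expanded
# unquoted on purpose so the shell splits it into the two arguments
# qemu-io / qemu-img expect.  The same goes for $SECRETS and $S0.
IMGS0="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec0"
IMGS1="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec1"
IMGS2="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec2"
IMGS3="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec3"
IMGS4="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec4"

# Try to read the first 4k of the image with each of secrets 0-3 in turn.
# Which reads succeed and which fail is the assertion for the preceding
# keyslot operation; the output is filtered like every other qemu-io call.
_read_with_each_secret()
{
    local IMG
    for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do
        # shellcheck disable=SC2086 -- deliberate word-splitting, see above
        $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir
    done
}

# shellcheck disable=SC2086 -- deliberate word-splitting of option strings
# throughout the remainder of this test, see the comments on IMGSn above.

echo "== creating a test image =="
_make_test_img $S0 $EXTRA_IMG_ARGS -o ${PR}key-secret=sec0,${PR}iter-time=10 32M

echo
echo "== test that key 0 opens the image =="
$QEMU_IO $S0 -c "read 0 4096" $IMGS0 | _filter_qemu_io | _filter_testdir

echo
echo "== adding a password to slot 4 =="
$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec4,${PR}iter-time=10,${PR}keyslot=4
echo "== adding a password to slot 1 =="
# no keyslot given: the first free slot is used
$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec1,${PR}iter-time=10
echo "== adding a password to slot 3 =="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=active,${PR}new-secret=sec3,${PR}iter-time=10,${PR}keyslot=3

echo "== adding a password to slot 2 =="
$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec2,${PR}iter-time=10


echo "== erase slot 4 =="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=4 | _filter_img_create


echo
echo "== all secrets should work =="
_read_with_each_secret

echo
echo "== erase slot 0 and try it =="
# erase by secret rather than by slot number
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec0 | _filter_img_create
$QEMU_IO $SECRETS -c "read 0 4096" $IMGS0 | _filter_qemu_io | _filter_testdir

echo
echo "== erase slot 2 and try it =="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=2 | _filter_img_create
$QEMU_IO $SECRETS -c "read 0 4096" $IMGS2 | _filter_qemu_io | _filter_testdir


# at this point slots 1 and 3 should be active

echo
echo "== filling 4 slots with secret 2 =="
# the same secret may occupy several slots; each amend takes the next
# free one
for ((i = 0; i < 4; i++)); do
    $QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec2,${PR}iter-time=10
done

echo
echo "== adding secret 0 =="
$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec0,${PR}iter-time=10

echo
echo "== adding secret 3 (last slot) =="
$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec3,${PR}iter-time=10

echo
echo "== trying to add another slot (should fail) =="
# all slots are now occupied; the error text is part of the expected output
$QEMU_IMG amend $SECRETS $IMGS2 -o ${PR}state=active,${PR}new-secret=sec3,${PR}iter-time=10

echo
echo "== all secrets should work again =="
_read_with_each_secret


echo

echo "== erase all keys of secret 2=="
# old-secret= without keyslot= clears every slot holding that secret
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec2

echo "== erase all keys of secret 1=="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec1

echo "== erase all keys of secret 0=="
$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=inactive,${PR}old-secret=sec0

echo "== erasing secret3 will fail now since it is the only secret (in 3 slots) =="
$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=inactive,${PR}old-secret=sec3

echo
echo "== only secret3 should work now =="
_read_with_each_secret

echo
echo "== add secret0 =="
$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec0,${PR}iter-time=10

echo "== erase secret3 =="
$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=inactive,${PR}old-secret=sec3

echo
echo "== only secret0 should work now =="
_read_with_each_secret

echo
echo "== replace secret0 with secret1 (should fail) =="
# overwriting an active slot in place is refused without --force
$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec1,${PR}keyslot=0

echo
echo "== replace secret0 with secret1 with force (should work) =="
$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec1,${PR}iter-time=10,${PR}keyslot=0 --force

echo
echo "== only secret1 should work now =="
_read_with_each_secret


echo
echo "== erase last secret (should fail) =="
# removing the only remaining secret would make the data unreachable;
# both the by-slot and the by-secret form are refused without --force
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=0
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec1


echo "== erase non existing secrets (should fail) =="
# sec5 is never defined, sec0 was already erased, and slot 1 is empty
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec5 --force
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec0 --force
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=1 --force

echo
echo "== erase last secret with force by slot (should work) =="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=0 --force

echo
echo "== we have no secrets now, data is lost forever =="
_read_with_each_secret

# success, all done
echo "*** done"
rm -f -- "$seq.full"
status=0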