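#!/usr/bin/env bash
# group: rw
#
# Test encryption key management with luks
# Based on 134
#
# Copyright (C) 2019 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
# What this test covers:
#   * adding a secret to an explicitly chosen key slot (keyslot=N) and to
#     the next free slot (no keyslot given);
#   * erasing slots by number (keyslot=N) and by the secret they hold
#     (old-secret=ID), which erases every slot unlocked by that secret;
#   * the guards 'qemu-img amend' applies without --force: it refuses to
#     overwrite an active slot and refuses to erase the last usable secret;
#   * --force, which bypasses those guards (the final step leaves the image
#     with no key slots at all, i.e. the data is unrecoverable).
#
# Every "echo" string below is part of the reference output for this test
# and must not be edited without regenerating the .out file.

# creator
owner=mlevitsk@redhat.com

seq=$(basename "$0")
echo "QA output created by $seq"

status=1 # failure is the default!

# Remove the test image on every exit path; the trap re-raises $status.
_cleanup()
{
    _cleanup_test_img
}
trap "_cleanup; exit \$status" 0 1 2 3 15

# get standard environment, filters and checks
. ./common.rc
. ./common.filter

_supported_fmt qcow2 luks
_supported_proto file fuse #TODO
_require_working_luks

QEMU_IO_OPTIONS=$QEMU_IO_OPTIONS_NO_FMT

# For qcow2 the LUKS options are nested under the "encrypt." prefix and the
# image has to be created with encrypt.format=luks; for a raw luks image the
# same options are top-level and no extra create arguments are needed.
if [ "$IMGFMT" = "qcow2" ] ; then
    PR="encrypt."
    EXTRA_IMG_ARGS="-o encrypt.format=luks"
fi


# secrets: you are supposed to see the password as *******, see :-)
#
# NOTE(review): "data=" puts the passphrase on the command line, where it is
# readable by other local users (ps, /proc/<pid>/cmdline) and may end up in
# shell history or logs.  That is fine for throwaway test passphrases, but
# real deployments should load the secret object from a file rather than
# passing it inline on argv.
S0="--object secret,id=sec0,data=hunter0"
S1="--object secret,id=sec1,data=hunter1"
S2="--object secret,id=sec2,data=hunter2"
S3="--object secret,id=sec3,data=hunter3"
S4="--object secret,id=sec4,data=hunter4"
SECRETS="$S0 $S1 $S2 $S3 $S4"

# image with given secret
# These (and $SECRETS / $S0 above) are deliberately left unquoted at the call
# sites so that they word-split into separate arguments.
IMGS0="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec0"
IMGS1="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec1"
IMGS2="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec2"
IMGS3="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec3"
IMGS4="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec4"


# iter-time=10 (ms) keeps the PBKDF work for every slot operation tiny so the
# test runs quickly.  Do not copy such a low value into production images: the
# iteration time is what makes offline passphrase brute force expensive.
echo "== creating a test image =="
_make_test_img $S0 $EXTRA_IMG_ARGS -o ${PR}key-secret=sec0,${PR}iter-time=10 32M

echo
echo "== test that key 0 opens the image =="
$QEMU_IO $S0 -c "read 0 4096" $IMGS0 | _filter_qemu_io | _filter_testdir

# Slot 0 holds sec0 from image creation.  With keyslot=N the secret goes into
# that exact slot; without it the lowest free slot is used (hence slot 1, then
# slot 2 below).  Each amend must itself be able to unlock the image, which is
# why a different $IMGSn is used to authenticate each step.
echo
echo "== adding a password to slot 4 =="
$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec4,${PR}iter-time=10,${PR}keyslot=4
echo "== adding a password to slot 1 =="
$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec1,${PR}iter-time=10
echo "== adding a password to slot 3 =="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=active,${PR}new-secret=sec3,${PR}iter-time=10,${PR}keyslot=3

echo "== adding a password to slot 2 =="
$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec2,${PR}iter-time=10


echo "== erase slot 4 =="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=4 | _filter_img_create


echo
echo "== all secrets should work =="
for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do
    $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir
done

# Erasing by old-secret removes every slot that sec0 unlocks; the following
# read with sec0 is expected to be refused.
echo
echo "== erase slot 0 and try it =="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec0 | _filter_img_create
$QEMU_IO $SECRETS -c "read 0 4096" $IMGS0 | _filter_qemu_io | _filter_testdir

echo
echo "== erase slot 2 and try it =="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=2 | _filter_img_create
$QEMU_IO $SECRETS -c "read 0 4096" $IMGS2 | _filter_qemu_io | _filter_testdir


# at this point slots 1 and 3 should be active

# Fill the remaining free slots (0, 2, 4, 5 by the lowest-free-slot rule),
# then sec0 and sec3 take the last two.  The ninth add has nowhere to go and
# must be rejected.
echo
echo "== filling 4 slots with secret 2 =="
for ((i = 0; i < 4; i++)); do
    $QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec2,${PR}iter-time=10
done

echo
echo "== adding secret 0 =="
$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec0,${PR}iter-time=10

echo
echo "== adding secret 3 (last slot) =="
$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec3,${PR}iter-time=10

echo
echo "== trying to add another slot (should fail) =="
$QEMU_IMG amend $SECRETS $IMGS2 -o ${PR}state=active,${PR}new-secret=sec3,${PR}iter-time=10

echo
echo "== all secrets should work again =="
for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do
    $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir
done


echo

echo "== erase all keys of secret 2=="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec2

echo "== erase all keys of secret 1=="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec1

echo "== erase all keys of secret 0=="
$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=inactive,${PR}old-secret=sec0

# Without --force, amend refuses to erase the only remaining secret even
# though it occupies more than one slot.  (By the lowest-free-slot behaviour
# shown above sec3 should be in slots 3 and 7, i.e. two slots; the "3 slots"
# wording is part of the reference output and is left unchanged here.)
echo "== erasing secret3 will fail now since it is the only secret (in 3 slots) =="
$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=inactive,${PR}old-secret=sec3

echo
echo "== only secret3 should work now =="
for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do
    $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir
done

# Safe key rotation: add the new secret first, then erase the old one while
# authenticating with the new one.
echo
echo "== add secret0 =="
$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec0,${PR}iter-time=10

echo "== erase secret3 =="
$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=inactive,${PR}old-secret=sec3

echo
echo "== only secret0 should work now =="
for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do
    $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir
done

# Overwriting an active slot in place is refused unless --force is given.
echo
echo "== replace secret0 with secret1 (should fail) =="
$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec1,${PR}keyslot=0

echo
echo "== replace secret0 with secret1 with force (should work) =="
$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec1,${PR}iter-time=10,${PR}keyslot=0 --force

echo
echo "== only secret1 should work now =="
for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do
    $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir
done


# Removing the last usable secret is refused both by slot and by secret id...
echo
echo "== erase last secret (should fail) =="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=0
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec1


# ...and --force does not turn a non-existent target (unknown secret id,
# secret not present in any slot, already-inactive slot) into a success.
echo "== erase non existing secrets (should fail) =="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec5 --force
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec0 --force
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=1 --force

# --force is the only way past the last-secret guard.  Once this succeeds no
# slot can unlock the master key, so the image contents are gone for good.
echo
echo "== erase last secret with force by slot (should work) =="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=0 --force

echo
echo "== we have no secrets now, data is lost forever =="
for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do
    $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir
done

# success, all done
echo "*** done"
rm -f "$seq.full"
status=0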