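#!/usr/bin/env bash
#
# Test encryption key management with luks
# Based on 134
#
# Exercises qemu-img amend on a LUKS-encrypted image (raw luks or qcow2 with
# encrypt.format=luks): adding passphrases to chosen/free keyslots, erasing
# slots by number or by passphrase, filling all slots, refusing to remove the
# last remaining key unless --force is given, and verifying after each step
# which secrets still open the image.
#
# Copyright (C) 2019 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

# creator
owner=mlevitsk@redhat.com

seq=$(basename -- "$0")
echo "QA output created by $seq"

status=1    # failure is the default!

# Remove the test image on every exit path (normal exit or signal).
_cleanup()
{
    _cleanup_test_img
}
trap "_cleanup; exit \$status" 0 1 2 3 15

# get standard environment, filters and checks
. ./common.rc
. ./common.filter

_supported_fmt qcow2 luks
_supported_proto file #TODO
_require_working_luks

QEMU_IO_OPTIONS=$QEMU_IO_OPTIONS_NO_FMT

# Option prefix and extra creation args depend on the image format: for
# qcow2 the LUKS options live under "encrypt." and the image must be created
# with encrypt.format=luks; for a raw luks image they are top-level options.
# Initialise both explicitly so a stray value inherited from the environment
# cannot leak into the luks case.
PR=
EXTRA_IMG_ARGS=
if [ "$IMGFMT" = "qcow2" ]; then
    PR="encrypt."
    EXTRA_IMG_ARGS="-o encrypt.format=luks"
fi


# secrets: you are supposed to see the password as *******, see :-)
# NOTE: secret,data= passes the passphrase on the command line, which is
# visible in process listings; acceptable for a throwaway test secret, but
# real deployments should use secret,file= (or a keyring) instead.
S0="--object secret,id=sec0,data=hunter0"
S1="--object secret,id=sec1,data=hunter1"
S2="--object secret,id=sec2,data=hunter2"
S3="--object secret,id=sec3,data=hunter3"
S4="--object secret,id=sec4,data=hunter4"
# Deliberately word-split wherever it is used; none of the parts contain
# whitespace.
SECRETS="$S0 $S1 $S2 $S3 $S4"

# image with given secret
# Each IMGSn is "--image-opts <opts>" and is also used unquoted so that the
# two words are passed separately.
IMGS0="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec0"
IMGS1="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec1"
IMGS2="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec2"
IMGS3="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec3"
IMGS4="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec4"


echo "== creating a test image =="
# A small iter-time keeps the per-slot key derivation cheap so the test
# does not spend most of its time in PBKDF.
_make_test_img $S0 $EXTRA_IMG_ARGS -o ${PR}key-secret=sec0,${PR}iter-time=10 32M

echo
echo "== test that key 0 opens the image =="
$QEMU_IO $S0 -c "read 0 4096" $IMGS0 | _filter_qemu_io | _filter_testdir

# Populate slots both by explicit keyslot number and by letting qemu-img pick
# the next free slot; the image is unlocked with a different existing secret
# each time to show any active key may authorise the change.
echo
echo "== adding a password to slot 4 =="
$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec4,${PR}iter-time=10,${PR}keyslot=4
echo "== adding a password to slot 1 =="
$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec1,${PR}iter-time=10
echo "== adding a password to slot 3 =="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=active,${PR}new-secret=sec3,${PR}iter-time=10,${PR}keyslot=3

echo "== adding a password to slot 2 =="
$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec2,${PR}iter-time=10


echo "== erase slot 4 =="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=4 | _filter_img_create


echo
echo "== all secrets should work =="
for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do
    $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir
done

# Erasing by old-secret removes every slot unlocked by that passphrase;
# erasing by keyslot removes exactly one slot.
echo
echo "== erase slot 0 and try it =="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec0 | _filter_img_create
$QEMU_IO $SECRETS -c "read 0 4096" $IMGS0 | _filter_qemu_io | _filter_testdir

echo
echo "== erase slot 2 and try it =="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=2 | _filter_img_create
$QEMU_IO $SECRETS -c "read 0 4096" $IMGS2 | _filter_qemu_io | _filter_testdir


# at this point slots 1 and 3 should be active

echo
echo "== filling 4 slots with secret 2 =="
for ((i = 0; i < 4; i++)); do
    $QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec2,${PR}iter-time=10
done

echo
echo "== adding secret 0 =="
$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec0,${PR}iter-time=10

echo
echo "== adding secret 3 (last slot) =="
$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec3,${PR}iter-time=10

echo
echo "== trying to add another slot (should fail) =="
$QEMU_IMG amend $SECRETS $IMGS2 -o ${PR}state=active,${PR}new-secret=sec3,${PR}iter-time=10

echo
echo "== all secrets should work again =="
for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do
    $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir
done


echo

echo "== erase all keys of secret 2=="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec2

echo "== erase all keys of secret 1=="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec1

echo "== erase all keys of secret 0=="
$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=inactive,${PR}old-secret=sec0

# Without --force, qemu-img must refuse to remove the last key that can
# still unlock the image.
echo "== erasing secret3 will fail now since it is the only secret (in 3 slots) =="
$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=inactive,${PR}old-secret=sec3

echo
echo "== only secret3 should work now =="
for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do
    $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir
done

echo
echo "== add secret0 =="
$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec0,${PR}iter-time=10

echo "== erase secret3 =="
$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=inactive,${PR}old-secret=sec3

echo
echo "== only secret0 should work now =="
for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do
    $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir
done

# Overwriting an active slot in place is refused unless forced.
echo
echo "== replace secret0 with secret1 (should fail) =="
$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec1,${PR}keyslot=0

echo
echo "== replace secret0 with secret1 with force (should work) =="
$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec1,${PR}iter-time=10,${PR}keyslot=0 --force

echo
echo "== only secret1 should work now =="
for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do
    $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir
done


echo
echo "== erase last secret (should fail) =="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=0
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec1


# --force does not make a non-existent secret/slot erasable; sec5 was never
# defined, sec0 was already removed and slot 1 is empty.
echo "== erase non existing secrets (should fail) =="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec5 --force
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec0 --force
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=1 --force

echo
echo "== erase last secret with force by slot (should work) =="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=0 --force

echo
echo "== we have no secrets now, data is lost forever =="
for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do
    $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir
done

# success, all done
echo "*** done"
rm -f -- "$seq.full"
status=0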