1#!/usr/bin/env bash 2# 3# Test encryption key management with luks 4# Based on 134 5# 6# Copyright (C) 2019 Red Hat, Inc. 7# 8# This program is free software; you can redistribute it and/or modify 9# it under the terms of the GNU General Public License as published by 10# the Free Software Foundation; either version 2 of the License, or 11# (at your option) any later version. 12# 13# This program is distributed in the hope that it will be useful, 14# but WITHOUT ANY WARRANTY; without even the implied warranty of 15# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16# GNU General Public License for more details. 17# 18# You should have received a copy of the GNU General Public License 19# along with this program. If not, see <http://www.gnu.org/licenses/>. 20# 21 22# creator 23owner=mlevitsk@redhat.com 24 25seq=`basename $0` 26echo "QA output created by $seq" 27 28status=1 # failure is the default! 29 30_cleanup() 31{ 32 _cleanup_test_img 33} 34trap "_cleanup; exit \$status" 0 1 2 3 15 35 36# get standard environment, filters and checks 37. ./common.rc 38. ./common.filter 39 40_supported_fmt qcow2 luks 41_supported_proto file #TODO 42_require_working_luks 43 44QEMU_IO_OPTIONS=$QEMU_IO_OPTIONS_NO_FMT 45 46if [ "$IMGFMT" = "qcow2" ] ; then 47 PR="encrypt." 48 EXTRA_IMG_ARGS="-o encrypt.format=luks" 49fi 50 51 52# secrets: you are supposed to see the password as *******, see :-) 53S0="--object secret,id=sec0,data=hunter0" 54S1="--object secret,id=sec1,data=hunter1" 55S2="--object secret,id=sec2,data=hunter2" 56S3="--object secret,id=sec3,data=hunter3" 57S4="--object secret,id=sec4,data=hunter4" 58SECRETS="$S0 $S1 $S2 $S3 $S4" 59 60# image with given secret 61IMGS0="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec0" 62IMGS1="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec1" 63IMGS2="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec2" 64IMGS3="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec3" 65IMGS4="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec4" 66 67 68echo "== creating a test image ==" 69_make_test_img $S0 $EXTRA_IMG_ARGS -o ${PR}key-secret=sec0,${PR}iter-time=10 32M 70 71echo 72echo "== test that key 0 opens the image ==" 73$QEMU_IO $S0 -c "read 0 4096" $IMGS0 | _filter_qemu_io | _filter_testdir 74 75echo 76echo "== adding a password to slot 4 ==" 77$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec4,${PR}iter-time=10,${PR}keyslot=4 78echo "== adding a password to slot 1 ==" 79$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec1,${PR}iter-time=10 80echo "== adding a password to slot 3 ==" 81$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=active,${PR}new-secret=sec3,${PR}iter-time=10,${PR}keyslot=3 82 83echo "== adding a password to slot 2 ==" 84$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec2,${PR}iter-time=10 85 86 87echo "== erase slot 4 ==" 88$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=4 | _filter_img_create 89 90 91echo 92echo "== all secrets should work ==" 93for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do 94 $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir 95done 96 97echo 98echo "== erase slot 0 and try it ==" 99$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec0 | _filter_img_create 100$QEMU_IO $SECRETS -c "read 0 4096" $IMGS0 | _filter_qemu_io | _filter_testdir 101 102echo 103echo "== erase slot 2 and try it ==" 104$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=2 | _filter_img_create 105$QEMU_IO $SECRETS -c "read 0 4096" $IMGS2 | _filter_qemu_io | _filter_testdir 106 107 108# at this point slots 1 and 3 should be active 109 110echo 111echo "== filling 4 slots with secret 2 ==" 112for ((i = 0; i < 4; i++)); do 113 $QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec2,${PR}iter-time=10 114done 115 116echo 117echo "== adding secret 0 ==" 118 $QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec0,${PR}iter-time=10 119 120echo 121echo "== adding secret 3 (last slot) ==" 122 $QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec3,${PR}iter-time=10 123 124echo 125echo "== trying to add another slot (should fail) ==" 126$QEMU_IMG amend $SECRETS $IMGS2 -o ${PR}state=active,${PR}new-secret=sec3,${PR}iter-time=10 127 128echo 129echo "== all secrets should work again ==" 130for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do 131 $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir 132done 133 134 135echo 136 137echo "== erase all keys of secret 2==" 138$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec2 139 140echo "== erase all keys of secret 1==" 141$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec1 142 143echo "== erase all keys of secret 0==" 144$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=inactive,${PR}old-secret=sec0 145 146echo "== erasing secret3 will fail now since it is the only secret (in 3 slots) ==" 147$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=inactive,${PR}old-secret=sec3 148 149echo 150echo "== only secret3 should work now ==" 151for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do 152 $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir 153done 154 155echo 156echo "== add secret0 ==" 157$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec0,${PR}iter-time=10 158 159echo "== erase secret3 ==" 160$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=inactive,${PR}old-secret=sec3 161 162echo 163echo "== only secret0 should work now ==" 164for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do 165 $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir 166done 167 168echo 169echo "== replace secret0 with secret1 (should fail) ==" 170$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec1,${PR}keyslot=0 171 172echo 173echo "== replace secret0 with secret1 with force (should work) ==" 174$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec1,${PR}iter-time=10,${PR}keyslot=0 --force 175 176echo 177echo "== only secret1 should work now ==" 178for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do 179 $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir 180done 181 182 183echo 184echo "== erase last secret (should fail) ==" 185$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=0 186$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec1 187 188 189echo "== erase non existing secrets (should fail) ==" 190$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec5 --force 191$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec0 --force 192$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=1 --force 193 194echo 195echo "== erase last secret with force by slot (should work) ==" 196$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=0 --force 197 198echo 199echo "== we have no secrets now, data is lost forever ==" 200for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do 201 $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir 202done 203 204# success, all done 205echo "*** done" 206rm -f $seq.full 207status=0 208 209