xref: /openbmc/qemu/tests/qemu-iotests/293 (revision c09124dc)
1#!/usr/bin/env bash
2# group: rw
3#
4# Test encryption key management with luks
5# Based on 134
6#
7# Copyright (C) 2019 Red Hat, Inc.
8#
9# This program is free software; you can redistribute it and/or modify
10# it under the terms of the GNU General Public License as published by
11# the Free Software Foundation; either version 2 of the License, or
12# (at your option) any later version.
13#
14# This program is distributed in the hope that it will be useful,
15# but WITHOUT ANY WARRANTY; without even the implied warranty of
16# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17# GNU General Public License for more details.
18#
19# You should have received a copy of the GNU General Public License
20# along with this program.  If not, see <http://www.gnu.org/licenses/>.
21#
22
23# creator
24owner=mlevitsk@redhat.com
25
26seq=`basename $0`
27echo "QA output created by $seq"
28
29status=1	# failure is the default!
30
31_cleanup()
32{
33	_cleanup_test_img
34}
35trap "_cleanup; exit \$status" 0 1 2 3 15
36
37# get standard environment, filters and checks
38. ./common.rc
39. ./common.filter
40
41_supported_fmt qcow2 luks
42_supported_proto file fuse #TODO
43_require_working_luks
44
45QEMU_IO_OPTIONS=$QEMU_IO_OPTIONS_NO_FMT
46
47if [ "$IMGFMT" = "qcow2" ] ; then
48	PR="encrypt."
49	EXTRA_IMG_ARGS="-o encrypt.format=luks"
50fi
51
52
53# secrets: you are supposed to see the password as *******, see :-)
54S0="--object secret,id=sec0,data=hunter0"
55S1="--object secret,id=sec1,data=hunter1"
56S2="--object secret,id=sec2,data=hunter2"
57S3="--object secret,id=sec3,data=hunter3"
58S4="--object secret,id=sec4,data=hunter4"
59SECRETS="$S0 $S1 $S2 $S3 $S4"
60
61# image with given secret
62IMGS0="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec0"
63IMGS1="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec1"
64IMGS2="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec2"
65IMGS3="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec3"
66IMGS4="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec4"
67
68
69echo "== creating a test image =="
70_make_test_img $S0 $EXTRA_IMG_ARGS -o ${PR}key-secret=sec0,${PR}iter-time=10 32M
71
72echo
73echo "== test that key 0 opens the image =="
74$QEMU_IO $S0 -c "read 0 4096" $IMGS0 | _filter_qemu_io | _filter_testdir
75
76echo
77echo "== adding a password to slot 4 =="
78$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec4,${PR}iter-time=10,${PR}keyslot=4
79echo "== adding a password to slot 1 =="
80$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec1,${PR}iter-time=10
81echo "== adding a password to slot 3 =="
82$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=active,${PR}new-secret=sec3,${PR}iter-time=10,${PR}keyslot=3
83
84echo "== adding a password to slot 2 =="
85$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec2,${PR}iter-time=10
86
87
88echo "== erase slot 4 =="
89$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=4 | _filter_img_create
90
91
92echo
93echo "== all secrets should work =="
94for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do
95	$QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir
96done
97
98echo
99echo "== erase slot 0 and try it =="
100$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec0 | _filter_img_create
101$QEMU_IO $SECRETS -c "read 0 4096" $IMGS0 | _filter_qemu_io | _filter_testdir
102
103echo
104echo "== erase slot 2 and try it =="
105$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=2 | _filter_img_create
106$QEMU_IO $SECRETS -c "read 0 4096" $IMGS2 | _filter_qemu_io | _filter_testdir
107
108
109# at this point slots 1 and 3 should be active
110
111echo
112echo "== filling  4 slots with secret 2 =="
113for ((i = 0; i < 4; i++)); do
114	$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec2,${PR}iter-time=10
115done
116
117echo
118echo "== adding secret 0 =="
119	$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec0,${PR}iter-time=10
120
121echo
122echo "== adding secret 3 (last slot) =="
123	$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec3,${PR}iter-time=10
124
125echo
126echo "== trying to add another slot (should fail) =="
127$QEMU_IMG amend $SECRETS $IMGS2 -o ${PR}state=active,${PR}new-secret=sec3,${PR}iter-time=10
128
129echo
130echo "== all secrets should work again =="
131for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do
132	$QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir
133done
134
135
136echo
137
138echo "== erase all keys of secret 2=="
139$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec2
140
141echo "== erase all keys of secret 1=="
142$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec1
143
144echo "== erase all keys of secret 0=="
145$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=inactive,${PR}old-secret=sec0
146
147echo "== erasing secret3 will fail now since it is the only secret (in 3 slots) =="
148$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=inactive,${PR}old-secret=sec3
149
150echo
151echo "== only secret3 should work now  =="
152for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do
153	$QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir
154done
155
156echo
157echo "== add secret0  =="
158$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec0,${PR}iter-time=10
159
160echo "== erase secret3 =="
161$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=inactive,${PR}old-secret=sec3
162
163echo
164echo "== only secret0 should work now  =="
165for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do
166	$QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir
167done
168
169echo
170echo "== replace secret0 with secret1 (should fail)  =="
171$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec1,${PR}keyslot=0
172
173echo
174echo "== replace secret0 with secret1 with force (should work)  =="
175$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec1,${PR}iter-time=10,${PR}keyslot=0 --force
176
177echo
178echo "== only secret1 should work now  =="
179for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do
180	$QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir
181done
182
183
184echo
185echo "== erase last secret (should fail)  =="
186$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=0
187$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec1
188
189
190echo "== erase non existing secrets (should fail)  =="
191$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec5 --force
192$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec0 --force
193$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=1 --force
194
195echo
196echo "== erase last secret with force by slot (should work)  =="
197$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=0 --force
198
199echo
200echo "== we have no secrets now, data is lost forever =="
201for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do
202	$QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir
203done
204
205# success, all done
206echo "*** done"
207rm -f $seq.full
208status=0
209
210