diff options
author | Ondrej Kozina <okozina@redhat.com> | 2024-04-03 11:39:33 +0200 |
---|---|---|
committer | Milan Broz <gmazyland@gmail.com> | 2024-04-03 11:48:56 +0000 |
commit | 87bf39f71ec318f58a689bf7f1db8c140d04c789 (patch) | |
tree | a77fdec78722b1548f92b0a6d51013b377bb5c00 | |
parent | 1ae70b8c16a960507bce49af4f779e30fdac7131 (diff) | |
download | cryptsetup-87bf39f71ec318f58a689bf7f1db8c140d04c789.tar.gz |
Fix invalid assert for hw-opal data segment keys.
hw-opal segment does not receive volume key for data
encryption, unlike crypt segment or hw-opal-crypt segment.
It gets key encryption key that is passed to device fw which
later unlocks the locking range key sealed in the device.
The assert may be skipped while volume key is not set.
Fixes: #875.
-rw-r--r-- | lib/setup.c | 3 | ||||
-rwxr-xr-x | tests/compat-test-opal | 112 |
2 files changed, 61 insertions, 54 deletions
diff --git a/lib/setup.c b/lib/setup.c index e76430af..70b2ceec 100644 --- a/lib/setup.c +++ b/lib/setup.c @@ -5328,7 +5328,8 @@ static int _activate_luks2_by_volume_key(struct crypt_device *cd, } r = _open_and_activate_reencrypt_device_by_vk(cd, &cd->u.luks2.hdr, name, vk, flags); } else { - assert(crypt_volume_key_get_id(vk) == LUKS2_digest_by_segment(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT)); + /* hw-opal data segment type does not require volume key for activation */ + assert(!vk || crypt_volume_key_get_id(vk) == LUKS2_digest_by_segment(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT)); r = LUKS2_activate(cd, name, vk, external_key, flags); } diff --git a/tests/compat-test-opal b/tests/compat-test-opal index 09384d9a..3a71f126 100755 --- a/tests/compat-test-opal +++ b/tests/compat-test-opal @@ -415,6 +415,60 @@ function test_device_detached_header() #hdr, #opal_mode, #format_params, #--inte rm -f $1 } +function run_token_tests() { + $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 --token-id 3 || fail + $CRYPTSETUP luksDump $OPAL2_DEV | grep -q -e "3: luks2-keyring" || fail + # keyslot 5 is inactive + $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN1 --key-slot 5 2> /dev/null && fail + # key description is not reachable + $CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase && fail + # wrong passphrase + load_key user $TEST_TOKEN0 "blabla" "$TEST_KEYRING" || fail "Cannot load 32 byte user key type" + $CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase 2>/dev/null && fail + load_key user $TEST_TOKEN0 $PWD1 "$TEST_KEYRING" || fail "Cannot load 32 byte user key type" + $CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase || fail + $CRYPTSETUP open --token-only $OPAL2_DEV $DEV_NAME || fail + $CRYPTSETUP status $DEV_NAME > /dev/null || fail + $CRYPTSETUP luksSuspend $DEV_NAME || fail + $CRYPTSETUP luksResume $DEV_NAME <&- || fail + $CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" && fail + $CRYPTSETUP luksSuspend $DEV_NAME || fail + $CRYPTSETUP luksResume $DEV_NAME --token-type luks2-keyring <&- || fail + $CRYPTSETUP close $DEV_NAME || fail + + # check --token-type sort of works (TODO: extend tests when native systemd tokens are available) + echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $OPAL2_DEV --token-id 22 || fail + # this excludes keyring tokens from unlocking device + $CRYPTSETUP open --token-only --token-type some_type $OPAL2_DEV --test-passphrase && fail + $CRYPTSETUP open --token-only --token-type some_type $OPAL2_DEV $DEV_NAME && fail + $CRYPTSETUP status $DEV_NAME > /dev/null && fail + + $CRYPTSETUP token remove --token-id 3 $OPAL2_DEV || fail + $CRYPTSETUP luksDump $OPAL2_DEV | grep -q -e "3: luks2-keyring" && fail + + # test we can remove keyslot with token + echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -q -S4 $FAST_PBKDF_OPT $OPAL2_DEV || fail + $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN1 --key-slot 4 --token-id 0 || fail + $CRYPTSETUP -q luksKillSlot $OPAL2_DEV 4 || fail + $CRYPTSETUP token remove --token-id 0 $OPAL2_DEV || fail + + # test we can add unassigned token + $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 --unbound --token-id 0 || fail + $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $OPAL2_DEV && fail + $CRYPTSETUP token remove --token-id 0 $OPAL2_DEV || fail + + # test token unassign works + $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 -S0 --token-id 0 || fail + $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $OPAL2_DEV || fail + $CRYPTSETUP token unassign --token-id 0 $OPAL2_DEV 2>/dev/null && fail + $CRYPTSETUP token unassign -S0 $OPAL2_DEV 2>/dev/null && fail + $CRYPTSETUP token unassign --token-id 0 -S0 $OPAL2_DEV || fail + $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $OPAL2_DEV && fail + $CRYPTSETUP token unassign --token-id 0 -S0 $OPAL2_DEV 2>/dev/null && fail + $CRYPTSETUP token unassign --token-id 0 -S44 $OPAL2_DEV 2>/dev/null && fail + $CRYPTSETUP token unassign --token-id 44 -S0 $OPAL2_DEV 2>/dev/null && fail +} + export LANG=C [ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." @@ -916,62 +970,14 @@ if dm_crypt_keyring_support && dm_crypt_keyring_new_kernel; then fi prepare "[28] tokens" wipe -echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV || fail if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then - test_and_prepare_keyring + echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV -q || fail + run_token_tests + keyctl unlink "%user:$TEST_TOKEN0" $TEST_KEYRING || fail - $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 --token-id 3 || fail - $CRYPTSETUP luksDump $OPAL2_DEV | grep -q -e "3: luks2-keyring" || fail - # keyslot 5 is inactive - $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN1 --key-slot 5 2> /dev/null && fail - # key description is not reachable - $CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase && fail - # wrong passphrase - load_key user $TEST_TOKEN0 "blabla" "$TEST_KEYRING" || fail "Cannot load 32 byte user key type" - $CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase 2>/dev/null && fail - load_key user $TEST_TOKEN0 $PWD1 "$TEST_KEYRING" || fail "Cannot load 32 byte user key type" - $CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase || fail - $CRYPTSETUP open --token-only $OPAL2_DEV $DEV_NAME || fail - $CRYPTSETUP status $DEV_NAME > /dev/null || fail - $CRYPTSETUP luksSuspend $DEV_NAME || fail - $CRYPTSETUP luksResume $DEV_NAME <&- || fail - $CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" && fail - $CRYPTSETUP luksSuspend $DEV_NAME || fail - $CRYPTSETUP luksResume $DEV_NAME --token-type luks2-keyring <&- || fail - $CRYPTSETUP close $DEV_NAME || fail - - # check --token-type sort of works (TODO: extend tests when native systemd tokens are available) - echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $OPAL2_DEV --token-id 22 || fail - # this excludes keyring tokens from unlocking device - $CRYPTSETUP open --token-only --token-type some_type $OPAL2_DEV --test-passphrase && fail - $CRYPTSETUP open --token-only --token-type some_type $OPAL2_DEV $DEV_NAME && fail - $CRYPTSETUP status $DEV_NAME > /dev/null && fail - - $CRYPTSETUP token remove --token-id 3 $OPAL2_DEV || fail - $CRYPTSETUP luksDump $OPAL2_DEV | grep -q -e "3: luks2-keyring" && fail - - # test we can remove keyslot with token - echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -q -S4 $FAST_PBKDF_OPT $OPAL2_DEV || fail - $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN1 --key-slot 4 --token-id 0 || fail - $CRYPTSETUP -q luksKillSlot $OPAL2_DEV 4 || fail - $CRYPTSETUP token remove --token-id 0 $OPAL2_DEV || fail - - # test we can add unassigned token - $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 --unbound --token-id 0 || fail - $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $OPAL2_DEV && fail - $CRYPTSETUP token remove --token-id 0 $OPAL2_DEV || fail - - # test token unassign works - $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 -S0 --token-id 0 || fail - $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $OPAL2_DEV || fail - $CRYPTSETUP token unassign --token-id 0 $OPAL2_DEV 2>/dev/null && fail - $CRYPTSETUP token unassign -S0 $OPAL2_DEV 2>/dev/null && fail - $CRYPTSETUP token unassign --token-id 0 -S0 $OPAL2_DEV || fail - $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $OPAL2_DEV && fail - $CRYPTSETUP token unassign --token-id 0 -S0 $OPAL2_DEV 2>/dev/null && fail - $CRYPTSETUP token unassign --token-id 0 -S44 $OPAL2_DEV 2>/dev/null && fail - $CRYPTSETUP token unassign --token-id 44 -S0 $OPAL2_DEV 2>/dev/null && fail + echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV -q || fail + run_token_tests fi echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $OPAL2_DEV --token-id 10 || fail echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $OPAL2_DEV --token-id 11 --json-file - || fail |