authorOndrej Kozina <okozina@redhat.com>2024-04-03 11:39:33 +0200
committerMilan Broz <gmazyland@gmail.com>2024-04-03 11:48:56 +0000
commit87bf39f71ec318f58a689bf7f1db8c140d04c789 (patch)
treea77fdec78722b1548f92b0a6d51013b377bb5c00
parent1ae70b8c16a960507bce49af4f779e30fdac7131 (diff)
downloadcryptsetup-87bf39f71ec318f58a689bf7f1db8c140d04c789.tar.gz
Fix invalid assert for hw-opal data segment keys.
The hw-opal segment does not receive a volume key for data encryption, unlike the crypt segment or the hw-opal-crypt segment. It gets a key encryption key that is passed to the device firmware, which later unlocks the locking range key sealed in the device. The assert may be skipped when the volume key is not set. Fixes: #875.
-rw-r--r--lib/setup.c3
-rwxr-xr-xtests/compat-test-opal112
2 files changed, 61 insertions, 54 deletions
diff --git a/lib/setup.c b/lib/setup.c
index e76430af..70b2ceec 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -5328,7 +5328,8 @@ static int _activate_luks2_by_volume_key(struct crypt_device *cd,
}
r = _open_and_activate_reencrypt_device_by_vk(cd, &cd->u.luks2.hdr, name, vk, flags);
} else {
- assert(crypt_volume_key_get_id(vk) == LUKS2_digest_by_segment(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT));
+ /* hw-opal data segment type does not require volume key for activation */
+ assert(!vk || crypt_volume_key_get_id(vk) == LUKS2_digest_by_segment(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT));
r = LUKS2_activate(cd, name, vk, external_key, flags);
}
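Review bot: The relaxed assertion in the `else` branch accepts a NULL `vk` for every segment type, although the new comment says only the hw-opal data segment activates without a volume key. The digest consistency check is therefore also skipped if a crypt or hw-opal-crypt segment ever reaches this line with no key. Tying the exemption to the segment type would keep the check meaningful; at minimum the comment could state the invariant, e.g. `/* vk is NULL only for the hw-opal data segment (KEK goes to device firmware); a non-NULL vk must match the default segment digest */`. Because `assert()` is compiled out under NDEBUG, `LUKS2_activate` presumably has to reject a missing key for the other segment types on its own, which is not visible here and is worth confirming. The body of `_activate_luks2_by_volume_key` starts and ends outside this hunk.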
diff --git a/tests/compat-test-opal b/tests/compat-test-opal
index 09384d9a..3a71f126 100755
--- a/tests/compat-test-opal
+++ b/tests/compat-test-opal
@@ -415,6 +415,60 @@ function test_device_detached_header() #hdr, #opal_mode, #format_params, #--inte
rm -f $1
}
+function run_token_tests() {
+ $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 --token-id 3 || fail
+ $CRYPTSETUP luksDump $OPAL2_DEV | grep -q -e "3: luks2-keyring" || fail
+ # keyslot 5 is inactive
+ $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN1 --key-slot 5 2> /dev/null && fail
+ # key description is not reachable
+ $CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase && fail
+ # wrong passphrase
+ load_key user $TEST_TOKEN0 "blabla" "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"
+ $CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase 2>/dev/null && fail
+ load_key user $TEST_TOKEN0 $PWD1 "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"
+ $CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase || fail
+ $CRYPTSETUP open --token-only $OPAL2_DEV $DEV_NAME || fail
+ $CRYPTSETUP status $DEV_NAME > /dev/null || fail
+ $CRYPTSETUP luksSuspend $DEV_NAME || fail
+ $CRYPTSETUP luksResume $DEV_NAME <&- || fail
+ $CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" && fail
+ $CRYPTSETUP luksSuspend $DEV_NAME || fail
+ $CRYPTSETUP luksResume $DEV_NAME --token-type luks2-keyring <&- || fail
+ $CRYPTSETUP close $DEV_NAME || fail
+
+ # check --token-type sort of works (TODO: extend tests when native systemd tokens are available)
+ echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $OPAL2_DEV --token-id 22 || fail
+ # this excludes keyring tokens from unlocking device
+ $CRYPTSETUP open --token-only --token-type some_type $OPAL2_DEV --test-passphrase && fail
+ $CRYPTSETUP open --token-only --token-type some_type $OPAL2_DEV $DEV_NAME && fail
+ $CRYPTSETUP status $DEV_NAME > /dev/null && fail
+
+ $CRYPTSETUP token remove --token-id 3 $OPAL2_DEV || fail
+ $CRYPTSETUP luksDump $OPAL2_DEV | grep -q -e "3: luks2-keyring" && fail
+
+ # test we can remove keyslot with token
+ echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -q -S4 $FAST_PBKDF_OPT $OPAL2_DEV || fail
+ $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN1 --key-slot 4 --token-id 0 || fail
+ $CRYPTSETUP -q luksKillSlot $OPAL2_DEV 4 || fail
+ $CRYPTSETUP token remove --token-id 0 $OPAL2_DEV || fail
+
+ # test we can add unassigned token
+ $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 --unbound --token-id 0 || fail
+ $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $OPAL2_DEV && fail
+ $CRYPTSETUP token remove --token-id 0 $OPAL2_DEV || fail
+
+ # test token unassign works
+ $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 -S0 --token-id 0 || fail
+ $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $OPAL2_DEV || fail
+ $CRYPTSETUP token unassign --token-id 0 $OPAL2_DEV 2>/dev/null && fail
+ $CRYPTSETUP token unassign -S0 $OPAL2_DEV 2>/dev/null && fail
+ $CRYPTSETUP token unassign --token-id 0 -S0 $OPAL2_DEV || fail
+ $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $OPAL2_DEV && fail
+ $CRYPTSETUP token unassign --token-id 0 -S0 $OPAL2_DEV 2>/dev/null && fail
+ $CRYPTSETUP token unassign --token-id 0 -S44 $OPAL2_DEV 2>/dev/null && fail
+ $CRYPTSETUP token unassign --token-id 44 -S0 $OPAL2_DEV 2>/dev/null && fail
+}
+
export LANG=C
[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."
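Review bot: `run_token_tests` depends on state that only its caller sets up, and nothing in the function says so. The "key description is not reachable" step expects `$TEST_TOKEN0` to be absent from `$TEST_KEYRING`, and the `-S0` token steps expect `$OPAL2_DEV` to be freshly formatted with `$PWD1` in keyslot 0. A header comment such as `# expects: $OPAL2_DEV freshly luksFormat-ed ($PWD1 in keyslot 0), $TEST_TOKEN0 not loaded in $TEST_KEYRING` would make the reset required between runs explicit. The `open --token-only $OPAL2_DEV $DEV_NAME` step appears to be the activation path that hit the assert fixed in lib/setup.c; marking it with `# regression: #875` would keep it from being dropped in a later refactor.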
@@ -916,62 +970,14 @@ if dm_crypt_keyring_support && dm_crypt_keyring_new_kernel; then
fi
prepare "[28] tokens" wipe
-echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV || fail
if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
-
test_and_prepare_keyring
+ echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV -q || fail
+ run_token_tests
+ keyctl unlink "%user:$TEST_TOKEN0" $TEST_KEYRING || fail
- $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 --token-id 3 || fail
- $CRYPTSETUP luksDump $OPAL2_DEV | grep -q -e "3: luks2-keyring" || fail
- # keyslot 5 is inactive
- $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN1 --key-slot 5 2> /dev/null && fail
- # key description is not reachable
- $CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase && fail
- # wrong passphrase
- load_key user $TEST_TOKEN0 "blabla" "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"
- $CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase 2>/dev/null && fail
- load_key user $TEST_TOKEN0 $PWD1 "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"
- $CRYPTSETUP open --token-only $OPAL2_DEV --test-passphrase || fail
- $CRYPTSETUP open --token-only $OPAL2_DEV $DEV_NAME || fail
- $CRYPTSETUP status $DEV_NAME > /dev/null || fail
- $CRYPTSETUP luksSuspend $DEV_NAME || fail
- $CRYPTSETUP luksResume $DEV_NAME <&- || fail
- $CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" && fail
- $CRYPTSETUP luksSuspend $DEV_NAME || fail
- $CRYPTSETUP luksResume $DEV_NAME --token-type luks2-keyring <&- || fail
- $CRYPTSETUP close $DEV_NAME || fail
-
- # check --token-type sort of works (TODO: extend tests when native systemd tokens are available)
- echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $OPAL2_DEV --token-id 22 || fail
- # this excludes keyring tokens from unlocking device
- $CRYPTSETUP open --token-only --token-type some_type $OPAL2_DEV --test-passphrase && fail
- $CRYPTSETUP open --token-only --token-type some_type $OPAL2_DEV $DEV_NAME && fail
- $CRYPTSETUP status $DEV_NAME > /dev/null && fail
-
- $CRYPTSETUP token remove --token-id 3 $OPAL2_DEV || fail
- $CRYPTSETUP luksDump $OPAL2_DEV | grep -q -e "3: luks2-keyring" && fail
-
- # test we can remove keyslot with token
- echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -q -S4 $FAST_PBKDF_OPT $OPAL2_DEV || fail
- $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN1 --key-slot 4 --token-id 0 || fail
- $CRYPTSETUP -q luksKillSlot $OPAL2_DEV 4 || fail
- $CRYPTSETUP token remove --token-id 0 $OPAL2_DEV || fail
-
- # test we can add unassigned token
- $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 --unbound --token-id 0 || fail
- $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $OPAL2_DEV && fail
- $CRYPTSETUP token remove --token-id 0 $OPAL2_DEV || fail
-
- # test token unassign works
- $CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 -S0 --token-id 0 || fail
- $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $OPAL2_DEV || fail
- $CRYPTSETUP token unassign --token-id 0 $OPAL2_DEV 2>/dev/null && fail
- $CRYPTSETUP token unassign -S0 $OPAL2_DEV 2>/dev/null && fail
- $CRYPTSETUP token unassign --token-id 0 -S0 $OPAL2_DEV || fail
- $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $OPAL2_DEV && fail
- $CRYPTSETUP token unassign --token-id 0 -S0 $OPAL2_DEV 2>/dev/null && fail
- $CRYPTSETUP token unassign --token-id 0 -S44 $OPAL2_DEV 2>/dev/null && fail
- $CRYPTSETUP token unassign --token-id 44 -S0 $OPAL2_DEV 2>/dev/null && fail
+ echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV -q || fail
+ run_token_tests
fi
echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $OPAL2_DEV --token-id 10 || fail
echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $OPAL2_DEV --token-id 11 --json-file - || fail
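Review bot: Moving `luksFormat` inside the `if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]` block leaves the `token import` commands after `fi` with no formatted device when the keyring is unavailable. Previously the format ran unconditionally right after `prepare "[28] tokens" wipe`. If `wipe` really clears the header (`prepare` is not visible here), those imports will hit `|| fail` on hosts without keyring support. When the block does run, the later steps now operate on a `--hw-opal-only` device instead of the `--hw-opal` one used before, which looks unintended. Adding an `else` branch with `echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV -q || fail` would restore coverage in the no-keyring case; alternatively, re-format once after `fi`.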