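#!/usr/bin/env bash
# group: rw
#
# Test encryption key management with luks
# Based on 134
#
# Copyright (C) 2019 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Overview: creates a 32M encrypted test image, then uses "qemu-img amend"
# to add, replace and erase LUKS key slots. After each stage it tries to
# read the image with the test secrets to see which of them still open it.
# Everything printed to stdout is part of the test result, so the echo
# strings below must not be reworded.
#
# Security notes for readers reusing these commands outside the test:
#   * The secrets are passed inline with "data=", so the passphrase is
#     part of the command line (visible in process listings and shell
#     history). That is fine for throwaway fixtures like hunter0..hunter4;
#     for real keys load the secret from a protected file (the secret
#     object's "file=" option) instead.
#   * iter-time=10 keeps passphrase key derivation very short so the test
#     runs fast. A low value makes offline passphrase guessing cheaper and
#     is not a setting to copy for real images.
#   * --force overrides the checks that refuse to overwrite an active slot
#     or erase the last usable one. Once the last slot is erased, the
#     image data cannot be recovered (see the final stage).
#

# creator
owner=mlevitsk@redhat.com

# $0 is quoted so a path containing spaces does not break basename
seq=$(basename "$0")
echo "QA output created by $seq"

status=1	# failure is the default!

_cleanup()
{
    _cleanup_test_img
}
# signal 0 is the EXIT pseudo-signal: clean up on every exit path and
# report whatever $status holds at that moment (hence the escaped \$)
trap "_cleanup; exit \$status" 0 1 2 3 15

# get standard environment, filters and checks
. ./common.rc
. ./common.filter

_supported_fmt qcow2 luks
_supported_proto file fuse #TODO
_require_working_luks

QEMU_IO_OPTIONS=$QEMU_IO_OPTIONS_NO_FMT

# For qcow2 the LUKS options are spelled with an "encrypt." prefix and the
# encryption format has to be requested explicitly. For the luks format
# PR and EXTRA_IMG_ARGS are not assigned here, so the bare option names
# are used.
if [ "$IMGFMT" = "qcow2" ] ; then
    PR="encrypt."
    EXTRA_IMG_ARGS="-o encrypt.format=luks"
fi


# secrets: you are supposed to see the password as *******, see :-)
# NOTE: the S*/SECRETS/IMGS* values each hold several command-line words
# and are expanded unquoted on purpose further down, so that they split
# into separate arguments. Do not "fix" that by quoting the expansions.
S0="--object secret,id=sec0,data=hunter0"
S1="--object secret,id=sec1,data=hunter1"
S2="--object secret,id=sec2,data=hunter2"
S3="--object secret,id=sec3,data=hunter3"
S4="--object secret,id=sec4,data=hunter4"
SECRETS="$S0 $S1 $S2 $S3 $S4"

# image with given secret
IMGS0="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec0"
IMGS1="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec1"
IMGS2="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec2"
IMGS3="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec3"
IMGS4="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec4"

# Try to read the first 4096 bytes of the test image once with each of
# secrets 0..3 (in that order) and print the filtered qemu-io output.
# A secret that no longer unlocks any key slot shows up as an open error
# in the output rather than as a script failure.
# Globals:   QEMU_IO, SECRETS, IMGS0..IMGS3 (read)
# Arguments: none
# Outputs:   filtered qemu-io output on stdout
_read_with_all_secrets()
{
    local img_opts
    for img_opts in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do
        # unquoted on purpose: each value carries several arguments
        $QEMU_IO $SECRETS -c "read 0 4096" $img_opts | _filter_qemu_io | _filter_testdir
    done
}


echo "== creating a test image =="
_make_test_img $S0 $EXTRA_IMG_ARGS -o ${PR}key-secret=sec0,${PR}iter-time=10 32M

echo
echo "== test that key 0 opens the image =="
$QEMU_IO $S0 -c "read 0 4096" $IMGS0 | _filter_qemu_io | _filter_testdir

# In every amend call the IMGS<n> argument selects the secret used to open
# the image, while new-secret / old-secret / keyslot select what changes.
echo
echo "== adding a password to slot 4 =="
$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec4,${PR}iter-time=10,${PR}keyslot=4
# no keyslot is given here; the echo text states where it is expected to land
echo "== adding a password to slot 1 =="
$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec1,${PR}iter-time=10
echo "== adding a password to slot 3 =="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=active,${PR}new-secret=sec3,${PR}iter-time=10,${PR}keyslot=3

echo "== adding a password to slot 2 =="
$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec2,${PR}iter-time=10


echo "== erase slot 4 =="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=4 | _filter_img_create


echo
echo "== all secrets should work =="
_read_with_all_secrets

# A slot can be erased either by the secret it holds (old-secret=) or by
# its number (keyslot=); both forms are exercised. After each erase the
# removed secret is tried again to show that it no longer opens the image.
echo
echo "== erase slot 0 and try it =="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec0 | _filter_img_create
$QEMU_IO $SECRETS -c "read 0 4096" $IMGS0 | _filter_qemu_io | _filter_testdir

echo
echo "== erase slot 2 and try it =="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=2 | _filter_img_create
$QEMU_IO $SECRETS -c "read 0 4096" $IMGS2 | _filter_qemu_io | _filter_testdir


# at this point slots 1 and 3 should be active

# 2 active slots + 4 + 1 + 1 additions below = 8 slots in use; the add
# after that is expected to be rejected because no free slot is left.
echo
echo "== filling  4 slots with secret 2 =="
for ((i = 0; i < 4; i++)); do
    $QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec2,${PR}iter-time=10
done

echo
echo "== adding secret 0 =="
$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec0,${PR}iter-time=10

echo
echo "== adding secret 3 (last slot) =="
$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec3,${PR}iter-time=10

echo
echo "== trying to add another slot (should fail) =="
$QEMU_IMG amend $SECRETS $IMGS2 -o ${PR}state=active,${PR}new-secret=sec3,${PR}iter-time=10

echo
echo "== all secrets should work again =="
_read_with_all_secrets


echo

# old-secret= erases every slot that holds the named secret. Without
# --force the erase of the only remaining secret is expected to be refused.
echo "== erase all keys of secret 2=="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec2

echo "== erase all keys of secret 1=="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec1

echo "== erase all keys of secret 0=="
$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=inactive,${PR}old-secret=sec0

echo "== erasing secret3 will fail now since it is the only secret (in 3 slots) =="
$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=inactive,${PR}old-secret=sec3

echo
echo "== only secret3 should work now  =="
_read_with_all_secrets

# Rotate from secret3 to secret0: add the new secret first, then erase the
# old one while opening the image with the new one.
echo
echo "== add secret0  =="
$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec0,${PR}iter-time=10

echo "== erase secret3 =="
$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=inactive,${PR}old-secret=sec3

echo
echo "== only secret0 should work now  =="
_read_with_all_secrets

# Overwriting the only active slot in place is expected to be refused
# unless --force is given.
echo
echo "== replace secret0 with secret1 (should fail)  =="
$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec1,${PR}keyslot=0

echo
echo "== replace secret0 with secret1 with force (should work)  =="
$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec1,${PR}iter-time=10,${PR}keyslot=0 --force

echo
echo "== only secret1 should work now  =="
_read_with_all_secrets


echo
echo "== erase last secret (should fail)  =="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=0
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec1


# sec5 is not among the defined secret objects (only sec0..sec4 are);
# sec0 and slot 1 are expected to match nothing active at this point.
echo "== erase non existing secrets (should fail)  =="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec5 --force
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec0 --force
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=1 --force

# Destructive on purpose: with --force the last key slot is erased, after
# which no secret can open the image any more.
echo
echo "== erase last secret with force by slot (should work)  =="
$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=0 --force

echo
echo "== we have no secrets now, data is lost forever =="
_read_with_all_secrets

# success, all done
echo "*** done"
rm -f -- "$seq.full"
status=0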