293 (6916B)
1#!/usr/bin/env bash 2# group: rw 3# 4# Test encryption key management with luks 5# Based on 134 6# 7# Copyright (C) 2019 Red Hat, Inc. 8# 9# This program is free software; you can redistribute it and/or modify 10# it under the terms of the GNU General Public License as published by 11# the Free Software Foundation; either version 2 of the License, or 12# (at your option) any later version. 13# 14# This program is distributed in the hope that it will be useful, 15# but WITHOUT ANY WARRANTY; without even the implied warranty of 16# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17# GNU General Public License for more details. 18# 19# You should have received a copy of the GNU General Public License 20# along with this program. If not, see <http://www.gnu.org/licenses/>. 21# 22 23# creator 24owner=mlevitsk@redhat.com 25 26seq=`basename $0` 27echo "QA output created by $seq" 28 29status=1 # failure is the default! 30 31_cleanup() 32{ 33 _cleanup_test_img 34} 35trap "_cleanup; exit \$status" 0 1 2 3 15 36 37# get standard environment, filters and checks 38. ./common.rc 39. ./common.filter 40 41_supported_fmt qcow2 luks 42_supported_proto file fuse #TODO 43_require_working_luks 44 45QEMU_IO_OPTIONS=$QEMU_IO_OPTIONS_NO_FMT 46 47if [ "$IMGFMT" = "qcow2" ] ; then 48 PR="encrypt." 49 EXTRA_IMG_ARGS="-o encrypt.format=luks" 50fi 51 52 53# secrets: you are supposed to see the password as *******, see :-) 54S0="--object secret,id=sec0,data=hunter0" 55S1="--object secret,id=sec1,data=hunter1" 56S2="--object secret,id=sec2,data=hunter2" 57S3="--object secret,id=sec3,data=hunter3" 58S4="--object secret,id=sec4,data=hunter4" 59SECRETS="$S0 $S1 $S2 $S3 $S4" 60 61# image with given secret 62IMGS0="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec0" 63IMGS1="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec1" 64IMGS2="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec2" 65IMGS3="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec3" 66IMGS4="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec4" 67 68 69echo "== creating a test image ==" 70_make_test_img $S0 $EXTRA_IMG_ARGS -o ${PR}key-secret=sec0,${PR}iter-time=10 32M 71 72echo 73echo "== test that key 0 opens the image ==" 74$QEMU_IO $S0 -c "read 0 4096" $IMGS0 | _filter_qemu_io | _filter_testdir 75 76echo 77echo "== adding a password to slot 4 ==" 78$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec4,${PR}iter-time=10,${PR}keyslot=4 79echo "== adding a password to slot 1 ==" 80$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec1,${PR}iter-time=10 81echo "== adding a password to slot 3 ==" 82$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=active,${PR}new-secret=sec3,${PR}iter-time=10,${PR}keyslot=3 83 84echo "== adding a password to slot 2 ==" 85$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec2,${PR}iter-time=10 86 87 88echo "== erase slot 4 ==" 89$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=4 | _filter_img_create 90 91 92echo 93echo "== all secrets should work ==" 94for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do 95 $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir 96done 97 98echo 99echo "== erase slot 0 and try it ==" 100$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec0 | _filter_img_create 101$QEMU_IO $SECRETS -c "read 0 4096" $IMGS0 | _filter_qemu_io | _filter_testdir 102 103echo 104echo "== erase slot 2 and try it ==" 105$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=2 | _filter_img_create 106$QEMU_IO $SECRETS -c "read 0 4096" $IMGS2 | _filter_qemu_io | _filter_testdir 107 108 109# at this point slots 1 and 3 should be active 110 111echo 112echo "== filling 4 slots with secret 2 ==" 113for ((i = 0; i < 4; i++)); do 114 $QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec2,${PR}iter-time=10 115done 116 117echo 118echo "== adding secret 0 ==" 119 $QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec0,${PR}iter-time=10 120 121echo 122echo "== adding secret 3 (last slot) ==" 123 $QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec3,${PR}iter-time=10 124 125echo 126echo "== trying to add another slot (should fail) ==" 127$QEMU_IMG amend $SECRETS $IMGS2 -o ${PR}state=active,${PR}new-secret=sec3,${PR}iter-time=10 128 129echo 130echo "== all secrets should work again ==" 131for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do 132 $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir 133done 134 135 136echo 137 138echo "== erase all keys of secret 2==" 139$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec2 140 141echo "== erase all keys of secret 1==" 142$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec1 143 144echo "== erase all keys of secret 0==" 145$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=inactive,${PR}old-secret=sec0 146 147echo "== erasing secret3 will fail now since it is the only secret (in 3 slots) ==" 148$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=inactive,${PR}old-secret=sec3 149 150echo 151echo "== only secret3 should work now ==" 152for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do 153 $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir 154done 155 156echo 157echo "== add secret0 ==" 158$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec0,${PR}iter-time=10 159 160echo "== erase secret3 ==" 161$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=inactive,${PR}old-secret=sec3 162 163echo 164echo "== only secret0 should work now ==" 165for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do 166 $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir 167done 168 169echo 170echo "== replace secret0 with secret1 (should fail) ==" 171$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec1,${PR}keyslot=0 172 173echo 174echo "== replace secret0 with secret1 with force (should work) ==" 175$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec1,${PR}iter-time=10,${PR}keyslot=0 --force 176 177echo 178echo "== only secret1 should work now ==" 179for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do 180 $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir 181done 182 183 184echo 185echo "== erase last secret (should fail) ==" 186$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=0 187$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec1 188 189 190echo "== erase non existing secrets (should fail) ==" 191$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec5 --force 192$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec0 --force 193$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=1 --force 194 195echo 196echo "== erase last secret with force by slot (should work) ==" 197$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=0 --force 198 199echo 200echo "== we have no secrets now, data is lost forever ==" 201for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do 202 $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir 203done 204 205# success, all done 206echo "*** done" 207rm -f $seq.full 208status=0 209