qemu/tests/qemu-iotests/293
<<
>>
Prefs 
   1#!/usr/bin/env bash
   2# group: rw
   3#
   4# Test encryption key management with luks
   5# Based on 134
   6#
   7# Copyright (C) 2019 Red Hat, Inc.
   8#
   9# This program is free software; you can redistribute it and/or modify
  10# it under the terms of the GNU General Public License as published by
  11# the Free Software Foundation; either version 2 of the License, or
  12# (at your option) any later version.
  13#
  14# This program is distributed in the hope that it will be useful,
  15# but WITHOUT ANY WARRANTY; without even the implied warranty of
  16# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17# GNU General Public License for more details.
  18#
  19# You should have received a copy of the GNU General Public License
  20# along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21#
  22
  23# creator
  24owner=mlevitsk@redhat.com
  25
  26seq=`basename $0`
  27echo "QA output created by $seq"
  28
  29status=1        # failure is the default!
  30
  31_cleanup()
  32{
  33        _cleanup_test_img
  34}
  35trap "_cleanup; exit \$status" 0 1 2 3 15
  36
  37# get standard environment, filters and checks
  38. ./common.rc
  39. ./common.filter
  40
  41_supported_fmt qcow2 luks
  42_supported_proto file fuse #TODO
  43_require_working_luks
  44
  45QEMU_IO_OPTIONS=$QEMU_IO_OPTIONS_NO_FMT
  46
  47if [ "$IMGFMT" = "qcow2" ] ; then
  48        PR="encrypt."
  49        EXTRA_IMG_ARGS="-o encrypt.format=luks"
  50fi
  51
  52
  53# secrets: you are supposed to see the password as *******, see :-)
  54S0="--object secret,id=sec0,data=hunter0"
  55S1="--object secret,id=sec1,data=hunter1"
  56S2="--object secret,id=sec2,data=hunter2"
  57S3="--object secret,id=sec3,data=hunter3"
  58S4="--object secret,id=sec4,data=hunter4"
  59SECRETS="$S0 $S1 $S2 $S3 $S4"
  60
  61# image with given secret
  62IMGS0="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec0"
  63IMGS1="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec1"
  64IMGS2="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec2"
  65IMGS3="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec3"
  66IMGS4="--image-opts driver=$IMGFMT,file.filename=$TEST_IMG,${PR}key-secret=sec4"
  67
  68
  69echo "== creating a test image =="
  70_make_test_img $S0 $EXTRA_IMG_ARGS -o ${PR}key-secret=sec0,${PR}iter-time=10 32M
  71
  72echo
  73echo "== test that key 0 opens the image =="
  74$QEMU_IO $S0 -c "read 0 4096" $IMGS0 | _filter_qemu_io | _filter_testdir
  75
  76echo
  77echo "== adding a password to slot 4 =="
  78$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec4,${PR}iter-time=10,${PR}keyslot=4
  79echo "== adding a password to slot 1 =="
  80$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec1,${PR}iter-time=10
  81echo "== adding a password to slot 3 =="
  82$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=active,${PR}new-secret=sec3,${PR}iter-time=10,${PR}keyslot=3
  83
  84echo "== adding a password to slot 2 =="
  85$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec2,${PR}iter-time=10
  86
  87
  88echo "== erase slot 4 =="
  89$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=4 | _filter_img_create
  90
  91
  92echo
  93echo "== all secrets should work =="
  94for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do
  95        $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir
  96done
  97
  98echo
  99echo "== erase slot 0 and try it =="
 100$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec0 | _filter_img_create
 101$QEMU_IO $SECRETS -c "read 0 4096" $IMGS0 | _filter_qemu_io | _filter_testdir
 102
 103echo
 104echo "== erase slot 2 and try it =="
 105$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=2 | _filter_img_create
 106$QEMU_IO $SECRETS -c "read 0 4096" $IMGS2 | _filter_qemu_io | _filter_testdir
 107
 108
 109# at this point slots 1 and 3 should be active
 110
 111echo
 112echo "== filling  4 slots with secret 2 =="
 113for ((i = 0; i < 4; i++)); do
 114        $QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec2,${PR}iter-time=10
 115done
 116
 117echo
 118echo "== adding secret 0 =="
 119        $QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec0,${PR}iter-time=10
 120
 121echo
 122echo "== adding secret 3 (last slot) =="
 123        $QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec3,${PR}iter-time=10
 124
 125echo
 126echo "== trying to add another slot (should fail) =="
 127$QEMU_IMG amend $SECRETS $IMGS2 -o ${PR}state=active,${PR}new-secret=sec3,${PR}iter-time=10
 128
 129echo
 130echo "== all secrets should work again =="
 131for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do
 132        $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir
 133done
 134
 135
 136echo
 137
 138echo "== erase all keys of secret 2=="
 139$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec2
 140
 141echo "== erase all keys of secret 1=="
 142$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec1
 143
 144echo "== erase all keys of secret 0=="
 145$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=inactive,${PR}old-secret=sec0
 146
 147echo "== erasing secret3 will fail now since it is the only secret (in 3 slots) =="
 148$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=inactive,${PR}old-secret=sec3
 149
 150echo
 151echo "== only secret3 should work now  =="
 152for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do
 153        $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir
 154done
 155
 156echo
 157echo "== add secret0  =="
 158$QEMU_IMG amend $SECRETS $IMGS3 -o ${PR}state=active,${PR}new-secret=sec0,${PR}iter-time=10
 159
 160echo "== erase secret3 =="
 161$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=inactive,${PR}old-secret=sec3
 162
 163echo
 164echo "== only secret0 should work now  =="
 165for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do
 166        $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir
 167done
 168
 169echo
 170echo "== replace secret0 with secret1 (should fail)  =="
 171$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec1,${PR}keyslot=0
 172
 173echo
 174echo "== replace secret0 with secret1 with force (should work)  =="
 175$QEMU_IMG amend $SECRETS $IMGS0 -o ${PR}state=active,${PR}new-secret=sec1,${PR}iter-time=10,${PR}keyslot=0 --force
 176
 177echo
 178echo "== only secret1 should work now  =="
 179for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do
 180        $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir
 181done
 182
 183
 184echo
 185echo "== erase last secret (should fail)  =="
 186$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=0
 187$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec1
 188
 189
 190echo "== erase non existing secrets (should fail)  =="
 191$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec5 --force
 192$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}old-secret=sec0 --force
 193$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=1 --force
 194
 195echo
 196echo "== erase last secret with force by slot (should work)  =="
 197$QEMU_IMG amend $SECRETS $IMGS1 -o ${PR}state=inactive,${PR}keyslot=0 --force
 198
 199echo
 200echo "== we have no secrets now, data is lost forever =="
 201for IMG in "$IMGS0" "$IMGS1" "$IMGS2" "$IMGS3"; do
 202        $QEMU_IO $SECRETS -c "read 0 4096" $IMG | _filter_qemu_io | _filter_testdir
 203done
 204
 205# success, all done
 206echo "*** done"
 207rm -f $seq.full
 208status=0
 209
 210
Hosted by Missing Link Electronics. The original LXR software by the LXR community, this experimental version by lxr@linux.no.