Google Git
Sign in
kernel / pub / scm / linux / kernel / git / dgc / xfstests-dev / 828f12b965d9bdaa2871b72ae86e443974b0a9b0 / . / tests / generic / 399
blob: 70896e4341a9729f76d9974f13863d930da47c70 [file] [log] [blame]
#! /bin/bash
# FS QA Test generic/399
#
# Check for weaknesses in filesystem encryption involving the same ciphertext
# being repeated. For file contents, we fill a small filesystem with large
# files of 0's and verify the filesystem is incompressible. For filenames, we
# create an identical symlink in two different directories and verify the
# ciphertext filenames and symlink targets are different.
#
# This test can detect some basic cryptographic mistakes such as nonce reuse
# (across files), initialization vector reuse (across blocks), or data somehow
# being left in plaintext by accident. For example, it detects the
# initialization vector reuse bug fixed in commit 02fc59a0d28f ("f2fs/crypto:
# fix xts_tweak initialization").
#
#-----------------------------------------------------------------------
# Copyright (c) 2016 Google, Inc. All Rights Reserved.
#
# Author: Eric Biggers <ebiggers@google.com>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it would be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#-----------------------------------------------------------------------
#
seq=`basename $0`
seqres=$RESULT_DIR/$seq
echo "QA output created by $seq"
here=`pwd`
tmp=/tmp/$$
status=1 # failure is the default!
trap "_cleanup; exit \$status" 0 1 2 3 15
_cleanup()
{
cd /
rm -f $tmp.*
}
# get standard environment, filters and checks
. ./common/rc
. ./common/filter
. ./common/encrypt
# remove previous $seqres.full before test
rm -f $seqres.full
# real QA test starts here
_supported_fs generic
_supported_os Linux
_require_scratch_encryption
_require_xfs_io_command "set_encpolicy"
_require_command "$XZ_PROG" xz
_require_command "$KEYCTL_PROG" keyctl
_new_session_keyring
#
# Set up a small filesystem containing an encrypted directory. 64 MB is enough
# for both ext4 and f2fs (f2fs doesn't support a 32 MB filesystem). Before
# creating the filesystem, zero out the needed portion of the device so that
# existing data on the device doesn't contribute to the compressed size.
#
fs_size_in_mb=64
fs_size=$((fs_size_in_mb * 1024 * 1024))
dd if=/dev/zero of=$SCRATCH_DEV bs=$((1024 * 1024)) \
count=$fs_size_in_mb &>> $seqres.full
_scratch_mkfs_sized_encrypted $fs_size &>> $seqres.full
_scratch_mount
keydesc=$(_generate_encryption_key)
mkdir $SCRATCH_MNT/encrypted_dir
$XFS_IO_PROG -c "set_encpolicy $keydesc" $SCRATCH_MNT/encrypted_dir
# Create the "same" symlink in two different directories.
# Later we'll check both the name and target of the symlink.
mkdir $SCRATCH_MNT/encrypted_dir/subdir1
mkdir $SCRATCH_MNT/encrypted_dir/subdir2
ln -s symlink_target $SCRATCH_MNT/encrypted_dir/subdir1/symlink
ln -s symlink_target $SCRATCH_MNT/encrypted_dir/subdir2/symlink
#
# Write files of 1 MB of all the same byte until we hit ENOSPC. Note that we
# must not create sparse files, since the contents of sparse files are not
# stored on-disk. Also, we create multiple files rather than one big file
# because we want to test for reuse of per-file keys.
#
total_file_size=0
i=1
while true; do
file=$SCRATCH_MNT/encrypted_dir/file$i
if ! $XFS_IO_PROG -f $file -c 'pwrite 0 1M' &> $tmp.out; then
if ! grep -q 'No space left on device' $tmp.out; then
echo "FAIL: unexpected pwrite failure"
cat $tmp.out
elif [ -e $file ]; then
total_file_size=$((total_file_size + $(stat -c %s $file)))
fi
break
fi
total_file_size=$((total_file_size + $(stat -c %s $file)))
i=$((i + 1))
if [ $i -gt $fs_size_in_mb ]; then
echo "FAIL: filesystem never filled up!"
break
fi
done
# We shouldn't have been able to write more data than we had space for.
if (( $total_file_size > $fs_size )); then
echo "FAIL: wrote $total_file_size bytes but should have only" \
"had space for $fs_size bytes at most"
fi
#
# Unmount the filesystem and compute its compressed size. It must be no smaller
# than the amount of data that was written; otherwise there was a compromise in
# the confidentiality of the data. False positives should not be possible
# because filesystem metadata will also contribute to the compressed size.
#
# Note: it's important to use a strong compressor such as xz which can detect
# redundancy across most or all of the filesystem. We run xz with a 64 MB
# sliding window but use some custom settings to make it faster and use less
# memory than the '-9' preset. The memory needed with our settings will be
# 64 * 6.5 = 416 MB; see xz(1).
#
_unlink_encryption_key $keydesc
_scratch_unmount
fs_compressed_size=$(head -c $fs_size $SCRATCH_DEV | \
xz --lzma2=dict=64M,mf=hc4,mode=fast,nice=16 | \
wc -c)
if (( $fs_compressed_size < $total_file_size )); then
echo "FAIL: filesystem was compressible" \
"($total_file_size bytes => $fs_compressed_size bytes)"
else
echo "PASS: ciphertexts were not repeated for contents"
fi
# Verify that encrypted filenames and symlink targets were not reused. Note
# that since the ciphertexts should be unpredictable, we cannot simply include
# the expected names in the expected output file.
_scratch_mount
find $SCRATCH_MNT/encrypted_dir -type l | wc -l
link1=$(find $SCRATCH_MNT/encrypted_dir -type l | head -1)
link2=$(find $SCRATCH_MNT/encrypted_dir -type l | tail -1)
[ $(basename $link1) = $(basename $link2) ] && \
echo "Encrypted filenames were reused!"
[ $(readlink $link1) = $(readlink $link2) ] && \
echo "Encrypted symlink targets were reused!"
# success, all done
status=0
exit