| #! /bin/bash |
| # FS QA Test generic/399 |
| # |
| # Check for weaknesses in filesystem encryption involving the same ciphertext |
| # being repeated. For file contents, we fill a small filesystem with large |
| # files of 0's and verify the filesystem is incompressible. For filenames, we |
| # create an identical symlink in two different directories and verify the |
| # ciphertext filenames and symlink targets are different. |
| # |
| # This test can detect some basic cryptographic mistakes such as nonce reuse |
| # (across files), initialization vector reuse (across blocks), or data somehow |
| # being left in plaintext by accident. For example, it detects the |
| # initialization vector reuse bug fixed in commit 02fc59a0d28f ("f2fs/crypto: |
| # fix xts_tweak initialization"). |
| # |
| #----------------------------------------------------------------------- |
| # Copyright (c) 2016 Google, Inc. All Rights Reserved. |
| # |
| # Author: Eric Biggers <ebiggers@google.com> |
| # |
| # This program is free software; you can redistribute it and/or |
| # modify it under the terms of the GNU General Public License as |
| # published by the Free Software Foundation. |
| # |
| # This program is distributed in the hope that it would be useful, |
| # but WITHOUT ANY WARRANTY; without even the implied warranty of |
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| # GNU General Public License for more details. |
| # |
| # You should have received a copy of the GNU General Public License |
| # along with this program; if not, write the Free Software Foundation, |
| # Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA |
| #----------------------------------------------------------------------- |
| # |
| |
| seq=`basename $0` |
| seqres=$RESULT_DIR/$seq |
| echo "QA output created by $seq" |
| |
| here=`pwd` |
| tmp=/tmp/$$ |
| status=1 # failure is the default! |
| trap "_cleanup; exit \$status" 0 1 2 3 15 |
| |
| _cleanup() |
| { |
| cd / |
| rm -f $tmp.* |
| } |
| |
| # get standard environment, filters and checks |
| . ./common/rc |
| . ./common/filter |
| . ./common/encrypt |
| |
| # remove previous $seqres.full before test |
| rm -f $seqres.full |
| |
| # real QA test starts here |
| _supported_fs generic |
| _supported_os Linux |
| _require_scratch_encryption |
| _require_xfs_io_command "set_encpolicy" |
| _require_command "$XZ_PROG" xz |
| _require_command "$KEYCTL_PROG" keyctl |
| |
| _new_session_keyring |
| |
| # |
| # Set up a small filesystem containing an encrypted directory. 64 MB is enough |
| # for both ext4 and f2fs (f2fs doesn't support a 32 MB filesystem). Before |
| # creating the filesystem, zero out the needed portion of the device so that |
| # existing data on the device doesn't contribute to the compressed size. |
| # |
| fs_size_in_mb=64 |
| fs_size=$((fs_size_in_mb * 1024 * 1024)) |
| dd if=/dev/zero of=$SCRATCH_DEV bs=$((1024 * 1024)) \ |
| count=$fs_size_in_mb &>> $seqres.full |
| _scratch_mkfs_sized_encrypted $fs_size &>> $seqres.full |
| _scratch_mount |
| |
| keydesc=$(_generate_encryption_key) |
| mkdir $SCRATCH_MNT/encrypted_dir |
| $XFS_IO_PROG -c "set_encpolicy $keydesc" $SCRATCH_MNT/encrypted_dir |
| |
| # Create the "same" symlink in two different directories. |
| # Later we'll check both the name and target of the symlink. |
| mkdir $SCRATCH_MNT/encrypted_dir/subdir1 |
| mkdir $SCRATCH_MNT/encrypted_dir/subdir2 |
| ln -s symlink_target $SCRATCH_MNT/encrypted_dir/subdir1/symlink |
| ln -s symlink_target $SCRATCH_MNT/encrypted_dir/subdir2/symlink |
| |
| # |
| # Write files of 1 MB of all the same byte until we hit ENOSPC. Note that we |
| # must not create sparse files, since the contents of sparse files are not |
| # stored on-disk. Also, we create multiple files rather than one big file |
| # because we want to test for reuse of per-file keys. |
| # |
| total_file_size=0 |
| i=1 |
| while true; do |
| file=$SCRATCH_MNT/encrypted_dir/file$i |
| if ! $XFS_IO_PROG -f $file -c 'pwrite 0 1M' &> $tmp.out; then |
| if ! grep -q 'No space left on device' $tmp.out; then |
| echo "FAIL: unexpected pwrite failure" |
| cat $tmp.out |
| elif [ -e $file ]; then |
| total_file_size=$((total_file_size + $(stat -c %s $file))) |
| fi |
| break |
| fi |
| total_file_size=$((total_file_size + $(stat -c %s $file))) |
| i=$((i + 1)) |
| if [ $i -gt $fs_size_in_mb ]; then |
| echo "FAIL: filesystem never filled up!" |
| break |
| fi |
| done |
| |
| # We shouldn't have been able to write more data than we had space for. |
| if (( $total_file_size > $fs_size )); then |
| echo "FAIL: wrote $total_file_size bytes but should have only" \ |
| "had space for $fs_size bytes at most" |
| fi |
| |
| # |
| # Unmount the filesystem and compute its compressed size. It must be no smaller |
| # than the amount of data that was written; otherwise there was a compromise in |
| # the confidentiality of the data. False positives should not be possible |
| # because filesystem metadata will also contribute to the compressed size. |
| # |
| # Note: it's important to use a strong compressor such as xz which can detect |
| # redundancy across most or all of the filesystem. We run xz with a 64 MB |
| # sliding window but use some custom settings to make it faster and use less |
| # memory than the '-9' preset. The memory needed with our settings will be |
| # 64 * 6.5 = 416 MB; see xz(1). |
| # |
| _unlink_encryption_key $keydesc |
| _scratch_unmount |
| fs_compressed_size=$(head -c $fs_size $SCRATCH_DEV | \ |
| xz --lzma2=dict=64M,mf=hc4,mode=fast,nice=16 | \ |
| wc -c) |
| |
| if (( $fs_compressed_size < $total_file_size )); then |
| echo "FAIL: filesystem was compressible" \ |
| "($total_file_size bytes => $fs_compressed_size bytes)" |
| else |
| echo "PASS: ciphertexts were not repeated for contents" |
| fi |
| |
| # Verify that encrypted filenames and symlink targets were not reused. Note |
| # that since the ciphertexts should be unpredictable, we cannot simply include |
| # the expected names in the expected output file. |
| _scratch_mount |
| find $SCRATCH_MNT/encrypted_dir -type l | wc -l |
| link1=$(find $SCRATCH_MNT/encrypted_dir -type l | head -1) |
| link2=$(find $SCRATCH_MNT/encrypted_dir -type l | tail -1) |
| [ $(basename $link1) = $(basename $link2) ] && \ |
| echo "Encrypted filenames were reused!" |
| [ $(readlink $link1) = $(readlink $link2) ] && \ |
| echo "Encrypted symlink targets were reused!" |
| |
| # success, all done |
| status=0 |
| exit |