#!/bin/bash # # Test integritysetup compatibility. # [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".." INTSETUP=$CRYPTSETUP_PATH/integritysetup INTSETUP_VALGRIND=../.libs/integritysetup INTSETUP_LIB_VALGRIND=../.libs DEV_NAME=dmc_test DEV_NAME2=dmc_fake DEV_LOOP="" DEV=test123.img DEV2=test124.img KEY_FILE=key.img KEY_FILE2=key2.img dmremove() { # device udevadm settle >/dev/null 2>&1 dmsetup remove --retry $1 >/dev/null 2>&1 } cleanup() { [ -b /dev/mapper/$DEV_NAME ] && dmremove $DEV_NAME [ -b /dev/mapper/$DEV_NAME2 ] && dmremove $DEV_NAME2 [ -n "$DEV_LOOP" ] && losetup -d "$DEV_LOOP" DEV_LOOP="" rm -f $DEV $DEV2 $KEY_FILE $KEY_FILE2 >/dev/null 2>&1 } fail() { [ -n "$1" ] && echo "$1" echo "FAILED backtrace:" while caller $frame; do ((frame++)); done cleanup exit 100 } skip() { [ -n "$1" ] && echo "$1" exit 77 } function dm_integrity_features() { VER_STR=$(dmsetup targets | grep integrity | cut -f2 -dv) [ -z "$VER_STR" ] && skip "Cannot find dm-integrity target, test skipped." VER_MAJ=$(echo $VER_STR | cut -f 1 -d.) VER_MIN=$(echo $VER_STR | cut -f 2 -d.) VER_PTC=$(echo $VER_STR | cut -f 3 -d.) [ $VER_MAJ -lt 1 ] && return [ $VER_MIN -gt 1 ] && { DM_INTEGRITY_META=1 DM_INTEGRITY_RECALC=1 } [ $VER_MIN -gt 2 ] && { DM_INTEGRITY_BITMAP=1 } [ $VER_MIN -gt 5 ] && { DM_INTEGRITY_RESIZE_SUPPORTED=1 } [ $VER_MIN -gt 6 ] && { DM_INTEGRITY_HMAC_FIX=1 } [ $VER_MIN -gt 7 ] && { DM_INTEGRITY_RESET=1 } } add_device() { cleanup dd if=/dev/urandom of=$KEY_FILE bs=4096 count=1 >/dev/null 2>&1 dd if=/dev/urandom of=$KEY_FILE2 bs=1 count=32 >/dev/null 2>&1 dd if=/dev/zero of=$DEV bs=1M count=32 >/dev/null 2>&1 dd if=/dev/zero of=$DEV2 bs=1M count=32 >/dev/null 2>&1 sync } status_check() # name value { X=$($INTSETUP status $DEV_NAME | grep "$1" | sed 's/.*: //' | sed 's/^[[:space:]]*//') if [ "$X" != "$2" ] ; then echo "[status FAIL]" echo " Expecting $1:$2 got \"$X\"." fail fi } dump_check() # name value { X=$($INTSETUP dump $DEV | grep "$1" | cut -d' ' -f 2) if [ "$X" != "$2" ] ; then echo "[dump FAIL]" echo " Expecting $1:$2 got \"$X\"." fail fi } kernel_param_check() # number value { X=$(dmsetup table $DEV_NAME | cut -d " " -f $1) if [ "$X" != $2 ] ; then echo "[param_check FAIL]" echo "Expecting $2 got \"$X\"." fail fi } function valgrind_setup() { command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $INTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." export LD_LIBRARY_PATH="$INTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" } function valgrind_run() { INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${INTSETUP_VALGRIND} "$@" } int_check_sum_only() # checksum { VSUM=$(sha256sum /dev/mapper/$DEV_NAME | cut -d' ' -f 1) if [ "$VSUM" = "$1" ] ; then echo -n "[CHECKSUM OK]" else echo "[FAIL]" echo " Expecting $1 got $VSUM." fail fi } int_check_sum() # alg checksum [keyfile keysize] { if [ -n "$4" ] ; then KEY_PARAMS="--integrity-key-file $3 --integrity-key-size $4" else KEY_PARAMS="" fi # Fill device with zeroes and reopen it dd if=/dev/zero of=/dev/mapper/$DEV_NAME bs=1M oflag=direct >/dev/null 2>&1 dmremove $DEV_NAME $INTSETUP open $DEV $DEV_NAME --integrity $1 $KEY_PARAMS || fail "Cannot activate device." int_check_sum_only $2 } intformat() # alg alg_out tagsize outtagsize sector_size csum [keyfile keysize] { if [ -n "$8" ] ; then KEY_PARAMS="--integrity-key-file $7 --integrity-key-size $8" else KEY_PARAMS="" fi if [ $3 -ne 0 ] ; then TAG_PARAMS="--tag-size $3" else TAG_PARAMS="" fi echo -n "[INTEGRITY:$2:$4:$5]" [ -n "$8" ] && echo -n "[KEYFILE:$8]" echo -n "[FORMAT]" $INTSETUP format --integrity-legacy-padding -q --integrity $1 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV >/dev/null 2>&1 if [ $? -ne 0 ] ; then if [[ $1 =~ "sha2" || $1 =~ "crc" ]] ; then fail "Cannot format device." fi echo "[N/A]" return fi dump_check "tag_size" $4 dump_check "sector_size" $5 echo -n "[ACTIVATE]" $INTSETUP open $DEV $DEV_NAME --integrity $1 $KEY_PARAMS || fail "Cannot activate device." if [ -n "$8" ]; then KEY_HEX=$(xxd -c 4096 -l $8 -p $7) [ -z "$KEY_HEX" ] && fail "Cannot decode key." dmsetup table --showkeys $DEV_NAME | grep -q $KEY_HEX || fail "Key mismatch." fi status_check "tag size" $4 status_check "integrity" $2 status_check "sector size" "$5 bytes" int_check_sum $1 $6 $7 $8 echo -n "[REMOVE]" $INTSETUP close $DEV_NAME || fail "Cannot deactivate device." echo "[OK]" } int_error_detection() # mode alg tagsize outtagsize sector_size key_file key_size { if [ "$1" == "B" ] ; then INT_MODE="-B" else INT_MODE="" fi if [ -n "$7" ] ; then KEY_PARAMS="--integrity-key-file $6 --integrity-key-size $7" else KEY_PARAMS="" fi if [ $3 -ne 0 ] ; then TAG_PARAMS="--tag-size $3" else TAG_PARAMS="" fi dd if=/dev/zero of=$DEV bs=1M count=32 >/dev/null 2>&1 echo -n "[INTEGRITY:$1:$2:$4:$5]" echo -n "[FORMAT]" $INTSETUP format -q --integrity $2 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV $INT_MODE >/dev/null 2>&1 if [ $? -ne 0 ] ; then if [[ $2 =~ "sha2" || $2 =~ "crc" ]] ; then fail "Cannot format device." fi echo "[N/A]" return fi echo -n "[ACTIVATE]" $INTSETUP open $DEV $DEV_NAME --integrity $2 --integrity-no-journal $KEY_PARAMS $INT_MODE || fail "Cannot activate device." if [ -n "$6" -a -n "$7" ]; then echo -n "[KEYED HASH]" KEY_HEX=$(xxd -c 256 -l $7 -p $6) [ -z "$KEY_HEX" ] && fail "Cannot decode key." dmsetup table --showkeys $DEV_NAME | grep -q $KEY_HEX || fail "Key mismatch." fi echo -n "[WRITE DATA]" echo -n "EXAMPLE TEXT" | dd of=/dev/mapper/$DEV_NAME >/dev/null 2>&1 || fail "Cannot write to device." $INTSETUP close $DEV_NAME || fail "Cannot deactivate device." # find offset of data area ARR=($(dd if=$DEV bs=512 2>/dev/null | hexdump -C | grep 'EXAMPLE TEXT')) OFF_HEX=${ARR[0]} OFF_DEC=$((16#$OFF_HEX)) echo -n "[CORRUPT DATA:$OFF_DEC]" echo -n "Z" | dd of=$DEV bs=1 seek=$OFF_DEC conv=notrunc >/dev/null 2>&1 || fail "Cannot write to device." echo -n "[DETECT ERROR]" $INTSETUP open $DEV $DEV_NAME --integrity $2 $KEY_PARAMS $INT_MODE || fail "Cannot activate device." dd if=/dev/mapper/$DEV_NAME >/dev/null 2>&1 && fail "Error detection failed." echo -n "[REMOVE]" $INTSETUP close $DEV_NAME || fail "Cannot deactivate device." echo "[OK]" } int_journal() # 1 alg, 2 tagsize, 3 sector_size, 4 watermark, 5 commit_time, 6 journal_integrity, 7 key-file, 8 key-size, 9 journal_integrity_out { echo -n "[INTEGRITY JOURNAL:$6:${4}%:${5}ms:$8]" echo -n "[FORMAT]" ARGS="--integrity $1 --journal-watermark $4 --journal-commit-time $5 --journal-integrity $6 --journal-integrity-key-file $7 --journal-integrity-key-size $8" $INTSETUP format -q --tag-size $2 --sector-size $3 $ARGS $DEV || fail "Cannot format device." echo -n "[ACTIVATE]" $INTSETUP open $DEV $DEV_NAME $ARGS || fail "Cannot activate device." echo -n "[KEYED HASH]" KEY_HEX=$(xxd -c 4096 -l $8 -p $7) [ -z "$KEY_HEX" ] && fail "Cannot decode key." dmsetup table --showkeys $DEV_NAME | grep -q $KEY_HEX || fail "Key mismatch." status_check "journal watermark" "${4}%" status_check "journal commit time" "${5} ms" status_check "journal integrity MAC" $9 echo -n "[REMOVE]" $INTSETUP close $DEV_NAME || fail "Cannot deactivate device." echo "[OK]" } int_journal_crypt() # crypt_alg crypt_alg_kernel crypt_key crypt_key_size { echo -n "[JOURNAL CRYPT:$1:${4}B]" echo -n "[FORMAT]" ARGS="--journal-crypt $1 --journal-crypt-key-file $3 --journal-crypt-key-size $4" $INTSETUP format -q $ARGS $DEV || fail "Cannot format device." echo -n "[ACTIVATE]" $INTSETUP open $DEV $DEV_NAME $ARGS || fail "Cannot activate device." KEY_HEX=$(xxd -c 256 -l $4 -p $3) [ -z "$KEY_HEX" ] && fail "Cannot decode key." dmsetup table --showkeys $DEV_NAME | grep -q "journal_crypt:$2:$KEY_HEX" || fail "Key mismatch." $INTSETUP close $DEV_NAME echo "[OK]" } int_mode() # alg tag_size sector_size [keyfile keysize] { if [ -n "$5" ] ; then KEY_PARAMS="--integrity-key-file $4 --integrity-key-size $5" else KEY_PARAMS="" fi echo -n "[MODE TESTS:$1:$2:$3]" ARGS="--tag-size $2 --sector-size $3" $INTSETUP format -q $ARGS $KEY_PARAMS $DEV --integrity $1 || fail "Cannot format device." echo -n "[JOURNALED WRITES]" $INTSETUP open $DEV $DEV_NAME --integrity $1 $KEY_PARAMS || fail "Cannot activate device with journal." status_check "mode" "read/write" kernel_param_check 7 "J" $INTSETUP close $DEV_NAME || fail "Cannot deactivate device." echo -n "[DIRECT WRITES]" $INTSETUP open $DEV $DEV_NAME --integrity $1 $KEY_PARAMS --integrity-no-journal || fail "Cannot activate device without journal." status_check "mode" "read/write" status_check "journal" "not active" kernel_param_check 7 "D" $INTSETUP close $DEV_NAME || fail "Cannot deactivate device." echo -n "[RECOVERY MODE]" $INTSETUP open $DEV $DEV_NAME --integrity $1 $KEY_PARAMS --integrity-recovery-mode || fail "Cannot activate device in recovery mode." status_check "mode" "read/write recovery" kernel_param_check 7 "R" $INTSETUP close $DEV_NAME || fail "Cannot deactivate device." echo "[OK]" } check_device_size() # device_name expected_size error_message { CURRENT_SIZE=$(dmsetup table | grep $1 | cut -d' ' -f 3) [ $CURRENT_SIZE -eq $2 ] || fail "$3: expected $1 to be of size $2, but is $CURRENT_SIZE" } test_resize() # description detached_metadata wipe args { echo -n "$1" if [ -z "$DM_INTEGRITY_RESIZE_SUPPORTED" ] ; then echo "[N/A]" return fi args="$4" if [ $2 -ne 0 ] ; then echo -n "[DETACHED]" else echo -n "[INTERLEAVE]" fi if [ $3 -ne 0 ] ; then wipe_flag="--wipe" echo -n "[WIPE]" else wipe_flag="" echo -n "[RECALCULATE]" fi add_device if [ $2 -ne 0 ] ; then echo -n "[FORMAT]" $INTSETUP format -q $args $DEV2 --data-device $DEV >/dev/null 2>&1 || fail "Cannot format device." echo -n "[ACTIVATE]" $INTSETUP open -q $args $DEV2 $DEV_NAME --data-device $DEV >/dev/null 2>&1 || fail "Cannot activate device." else echo -n "[FORMAT]" $INTSETUP format -q $args $DEV >/dev/null 2>&1 || fail "Cannot format device." echo -n "[ACTIVATE]" $INTSETUP open -q $args $DEV $DEV_NAME >/dev/null 2>&1 || fail "Cannot activate device." fi if [ $2 -ne 0 ] ; then # the whole device has 32MiB, if metadata is detached WHOLE_DISK_SIZE=65536 else WHOLE_DISK_SIZE=$(dmsetup table | grep $DEV_NAME | cut -d' ' -f 3) fi echo -n "[SHRINK]" $INTSETUP resize -q $wipe_flag $DEV_NAME --device-size 1MiB || fail "Failed to resize the device to 1MiB." dd if=/dev/mapper/$DEV_NAME >/dev/null 2>&1 || fail "Errors detected after shrink." check_device_size $DEV_NAME $(( 1024*1024 / 512 )) "Shrinking device failed" echo -n "[FILL]" $INTSETUP resize -q $wipe_flag $DEV_NAME --device-size 0 || fail "Failed to resize the device to maximum size." dd if=/dev/mapper/$DEV_NAME >/dev/null 2>&1 || fail "Errors detected after resize to maximum size." check_device_size $DEV_NAME $WHOLE_DISK_SIZE "Resizing disk to maximum size failed" echo -n "[EXPAND FIXED]" fallocate $DEV --len 64M $INTSETUP resize -q $wipe_flag $DEV_NAME --device-size 40MiB || fail "Failed to expand the device to a fixed size." dd if=/dev/mapper/$DEV_NAME >/dev/null 2>&1 || fail "Errors detected after expanding to a fixed size." check_device_size $DEV_NAME $(( 40*1024*1024 / 512 )) "Resizing disk after expanding to a fixed size failed" echo -n "[FILL]" $INTSETUP resize -q $wipe_flag $DEV_NAME --device-size 0 >/dev/null 2>&1 || fail "Failed to resize the device to maximum size after increasing image size." dd if=/dev/mapper/$DEV_NAME >/dev/null 2>&1 || fail "Error detection failed after increasing image size." CURRENT_SIZE=$(dmsetup table | grep $DEV_NAME | cut -d' ' -f 3) [ $CURRENT_SIZE -ge $(( 40*1024*1024 / 512 )) ] || fail "Growing integrity device failed $CURRENT_SIZE is not greater than 40MB ($(( 40*1024*1024 / 512 )) blocks)." if [ $2 -ne 0 ] ; then [ $CURRENT_SIZE -eq 131072 ] || fail "Growing integrity device failed $CURRENT_SIZE is not equal to 64MB (131072 blocks)." fi echo -n "[REMOVE]" $INTSETUP close $DEV_NAME || fail "Cannot deactivate device." echo "[OK]" } [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped." [ ! -x "$INTSETUP" ] && skip "Cannot find $INTSETUP, test skipped." command -v blockdev >/dev/null || skip "Cannot find blockdev utility, test skipped." [ -n "$VALG" ] && valgrind_setup && INTSETUP=valgrind_run command -v hexdump >/dev/null || skip "WARNING: hexdump tool required." command -v xxd >/dev/null || skip "WARNING: xxd tool required." modprobe dm-integrity >/dev/null 2>&1 dm_integrity_features add_device intformat blake2s-256 blake2s-256 32 32 512 8e5fe4119558e117bfc40e3b0f13ade3abe497b52604d4c7cca0cfd6c7f4cf11 intformat blake2b-256 blake2b-256 32 32 512 8e5fe4119558e117bfc40e3b0f13ade3abe497b52604d4c7cca0cfd6c7f4cf11 intformat crc32c crc32c 0 4 512 08f63eb27fb9ce2ce903b0a56429c68ce5e209253ba42154841ef045a53839d7 intformat crc32 crc32 0 4 512 08f63eb27fb9ce2ce903b0a56429c68ce5e209253ba42154841ef045a53839d7 intformat xxhash64 xxhash64 0 8 512 6ff6bb889a8485f1fb26aa82671ff5da64f60381fc469e31d7be6094241eee09 intformat sha1 sha1 0 20 512 6eedd6344dab8875cd185fcd6565dfc869ab36bc57e577f40c685290b1fa7fe7 intformat sha1 sha1 16 16 4096 e152ec88227b539cd9cafd8bdb587a1072d720cd6bcebe1398d4136c9e7f337b intformat sha256 sha256 0 32 512 8e5fe4119558e117bfc40e3b0f13ade3abe497b52604d4c7cca0cfd6c7f4cf11 intformat hmac-sha256 hmac\(sha256\) 0 32 512 8e5fe4119558e117bfc40e3b0f13ade3abe497b52604d4c7cca0cfd6c7f4cf11 $KEY_FILE 32 intformat sha256 sha256 0 32 4096 33f7dfa5163ca9f740383fb8b0919574e38a7b20a94a4170fde4238196b7c4b4 intformat hmac-sha256 hmac\(sha256\) 0 32 4096 33f7dfa5163ca9f740383fb8b0919574e38a7b20a94a4170fde4238196b7c4b4 $KEY_FILE 32 intformat hmac-sha256 hmac\(sha256\) 0 32 4096 33f7dfa5163ca9f740383fb8b0919574e38a7b20a94a4170fde4238196b7c4b4 $KEY_FILE 4096 echo "Error detection tests:" int_error_detection J crc32c 0 4 512 int_error_detection J crc32c 0 4 4096 int_error_detection J crc32 0 4 512 int_error_detection J crc32 0 4 4096 int_error_detection J xxhash64 0 8 512 int_error_detection J xxhash64 0 8 4096 int_error_detection J sha1 0 20 512 int_error_detection J sha1 16 16 512 int_error_detection J sha1 0 20 4096 int_error_detection J sha256 0 32 512 int_error_detection J sha256 0 32 4096 command -v xxd >/dev/null || skip "WARNING: xxd tool required." int_error_detection J hmac-sha256 0 32 512 $KEY_FILE 32 int_error_detection J hmac-sha256 0 32 4096 $KEY_FILE 32 echo "Journal parameters tests:" # Watermark is calculated in kernel, so it can be rounded down/up int_journal crc32 4 512 66 1000 hmac-sha256 $KEY_FILE 32 hmac\(sha256\) int_journal sha256 32 4096 34 5000 hmac-sha1 $KEY_FILE 16 hmac\(sha1\) int_journal sha1 20 512 75 9999 hmac-sha256 $KEY_FILE 32 hmac\(sha256\) int_journal sha1 20 512 75 9999 hmac-sha256 $KEY_FILE 4096 hmac\(sha256\) echo "Journal encryption tests:" int_journal_crypt cbc-aes cbc\(aes\) $KEY_FILE 32 int_journal_crypt cbc-aes cbc\(aes\) $KEY_FILE 16 int_journal_crypt ctr-aes ctr\(aes\) $KEY_FILE 32 int_journal_crypt ctr-aes ctr\(aes\) $KEY_FILE 16 echo "Mode tests:" int_mode crc32c 4 512 int_mode crc32 4 512 int_mode sha1 20 512 int_mode sha256 32 512 int_mode hmac-sha256 32 512 $KEY_FILE 32 int_mode hmac-sha256 32 4096 $KEY_FILE 32 echo -n "Recalculate tags in-kernel:" add_device if [ -n "$DM_INTEGRITY_RECALC" ] ; then $INTSETUP format -q $DEV --no-wipe || fail "Cannot format device." $INTSETUP open $DEV $DEV_NAME --integrity-recalculate || fail "Cannot activate device." dd if=/dev/mapper/$DEV_NAME of=/dev/null bs=1M 2>/dev/null || fail "Cannot recalculate tags in-kernel" int_check_sum_only 08f63eb27fb9ce2ce903b0a56429c68ce5e209253ba42154841ef045a53839d7 $INTSETUP close $DEV_NAME || fail "Cannot deactivate device." echo -n "[OK]" if [ -n "$DM_INTEGRITY_RESET" ] ; then $INTSETUP open $DEV $DEV_NAME -I sha256 --integrity-recalculate-reset || fail "Cannot activate device." dd if=/dev/mapper/$DEV_NAME of=/dev/null bs=1M 2>/dev/null || fail "Cannot reset recalculate tags in-kernel" int_check_sum_only 08f63eb27fb9ce2ce903b0a56429c68ce5e209253ba42154841ef045a53839d7 $INTSETUP close $DEV_NAME || fail "Cannot deactivate device." echo "[RESET OK]" else echo "[RESET N/A]" fi else echo "[N/A]" fi echo -n "Separate metadata device:" if [ -n "$DM_INTEGRITY_META" ] ; then add_device $INTSETUP format -q $DEV --data-device $DEV2 || fail "Cannot format device." $INTSETUP open $DEV --data-device $DEV2 $DEV_NAME || fail "Cannot activate device." int_check_sum_only 83ee47245398adee79bd9c0a8bc57b821e92aba10f5f9ade8a5d1fae4d8c4302 $INTSETUP status $DEV_NAME | grep -q 'metadata device:' || fail $INTSETUP close $DEV_NAME || fail "Cannot deactivate device." echo "[OK]" else echo "[N/A]" fi echo -n "Bitmap mode parameters:" if [ -n "$DM_INTEGRITY_BITMAP" ] ; then add_device $INTSETUP format -q $DEV --integrity-bitmap-mode $DEV2 || fail "Cannot format device." $INTSETUP open $DEV --integrity-bitmap-mode --bitmap-sectors-per-bit 65536 --bitmap-flush-time 5000 $DEV_NAME || fail "Cannot activate device." $INTSETUP status $DEV_NAME | grep -q 'bitmap 512-byte sectors per bit: 65536' || fail $INTSETUP status $DEV_NAME | grep -q 'bitmap flush interval: 5000 ms' || fail $INTSETUP close $DEV_NAME || fail "Cannot deactivate device." echo "[OK]" echo "Bitmap error detection tests:" int_error_detection B crc32c 0 4 512 int_error_detection B crc32c 0 4 4096 int_error_detection B sha256 0 32 512 int_error_detection B sha256 0 32 4096 int_error_detection B hmac-sha256 0 32 512 $KEY_FILE 32 int_error_detection B hmac-sha256 0 32 4096 $KEY_FILE 32 else echo "[N/A]" fi echo -n "Big device:" add_device DEV_LOOP=$(losetup -f $DEV --show) if [ -n "$DEV_LOOP" ] ; then dmsetup create $DEV_NAME2 </dev/null 2>&1 && fail $INTSETUP -q status $DEV_NAME >/dev/null 2>&1 || fail $INTSETUP close --deferred $DEV_NAME >/dev/null 2>&1 if [ $? -eq 0 ] ; then dmsetup info $DEV_NAME | grep -q "DEFERRED REMOVE" || fail $INTSETUP close --cancel-deferred $DEV_NAME >/dev/null 2>&1 dmsetup info $DEV_NAME | grep -q "DEFERRED REMOVE" >/dev/null 2>&1 && fail $INTSETUP close --deferred $DEV_NAME >/dev/null 2>&1 dmsetup remove $DEV_NAME2 || fail $INTSETUP -q status $DEV_NAME >/dev/null 2>&1 && fail echo "[OK]" else dmsetup remove $DEV_NAME2 >/dev/null 2>&1 $INTSETUP close $DEV_NAME >/dev/null 2>&1 echo "[N/A]" fi echo -n "Fixed HMAC and legacy flags:" if [ -n "$DM_INTEGRITY_HMAC_FIX" ] ; then add_device # only data HMAC ARGS="--integrity hmac-sha256 --integrity-key-file $KEY_FILE --integrity-key-size 32" $INTSETUP format -q $DEV --integrity-legacy-hmac --no-wipe --tag-size 32 $ARGS || fail "Cannot format device." $INTSETUP open $DEV $DEV_NAME --integrity-recalculate $ARGS >/dev/null 2>&1 && fail "Cannot activate device." $INTSETUP open $DEV $DEV_NAME --integrity-legacy-recalculate $ARGS || fail "Cannot activate device." $INTSETUP close $DEV_NAME || fail "Cannot deactivate device." # New version - must fail (no journal HMAC) $INTSETUP format -q $DEV --no-wipe --tag-size 32 $ARGS || fail "Cannot format device." $INTSETUP open $DEV $DEV_NAME --integrity-recalculate $ARGS >/dev/null 2>&1 && fail "Cannot activate device." $INTSETUP open $DEV $DEV_NAME --integrity-legacy-recalculate $ARGS || fail "Cannot activate device." $INTSETUP close $DEV_NAME || fail "Cannot deactivate device." # data and journal HMAC ARGS="$ARGS --journal-integrity hmac-sha256 --journal-integrity-key-file $KEY_FILE2 --journal-integrity-key-size 32" $INTSETUP format -q $DEV --integrity-legacy-hmac --no-wipe --tag-size 32 $ARGS || fail "Cannot format device." $INTSETUP open $DEV $DEV_NAME --integrity-recalculate $ARGS >/dev/null 2>&1 && fail "Cannot activate device." $INTSETUP open $DEV $DEV_NAME --integrity-legacy-recalculate $ARGS || fail "Cannot activate device." $INTSETUP close $DEV_NAME || fail "Cannot deactivate device." # New fixed version $INTSETUP format -q $DEV --no-wipe --tag-size 32 $ARGS || fail "Cannot format device." $INTSETUP dump $DEV | grep "flags" | grep -q "fix_hmac" || fail "Flag for HMAC not set." $INTSETUP open $DEV $DEV_NAME --integrity-recalculate $ARGS || fail "Cannot activate device." $INTSETUP close $DEV_NAME || fail "Cannot deactivate device." echo "[OK]" else echo "[N/A]" fi # shrinking the mapping should also work on older kernels echo -n "[INTEGRITY BASIC RESIZE NOKEY]" add_device ARGS="--integrity crc32" echo -n "[FORMAT]" $INTSETUP format -q $DEV $ARGS || fail "Cannot format device." echo -n "[ACTIVATE]" $INTSETUP open -q $DEV $DEV_NAME $ARGS >/dev/null 2>&1 || fail "Cannot activate device." echo -n "[SHRINK]" $INTSETUP resize $DEV_NAME --device-size 1MiB >/dev/null 2>&1 || fail "Failed to resize the device to 1MiB." check_device_size $DEV_NAME $(( 1024*1024 / 512 )) "Shrinking device failed" dd if=/dev/mapper/$DEV_NAME >/dev/null 2>&1 || fail "Errors detectied after resize." echo "[OK]" echo -n "[INTEGRITY BASIC RESIZE KEY]" add_device ARGS="--integrity hmac-sha256 --integrity-key-size 128 --integrity-key-file $KEY_FILE --journal-integrity hmac-sha256 --journal-integrity-key-file $KEY_FILE --journal-integrity-key-size 128 --journal-crypt ctr-aes --journal-crypt-key-size 16 --journal-crypt-key-file $KEY_FILE" echo -n "[FORMAT]" $INTSETUP format -q $DEV $ARGS || fail "Cannot format device." echo -n "[ACTIVATE]" $INTSETUP open -q $DEV $DEV_NAME $ARGS >/dev/null 2>&1 || fail "Cannot activate device." echo -n "[SHRINK]" $INTSETUP resize $DEV_NAME --device-size 1MiB >/dev/null 2>&1 || fail "Failed to resize the device to 1MiB." check_device_size $DEV_NAME $(( 1024*1024 / 512 )) "Shrinking device failed" dd if=/dev/mapper/$DEV_NAME >/dev/null 2>&1 || fail "Errors detectied after resize." echo "[OK]" test_resize "[INTEGRITY RESIZE NOKEY]" 0 0 "--integrity crc32" test_resize "[INTEGRITY RESIZE NOKEY]" 0 1 "--integrity crc32" test_resize "[INTEGRITY RESIZE NOKEY DETACHED]" 1 0 "--integrity crc32" test_resize "[INTEGRITY RESIZE NOKEY DETACHED]" 1 1 "--integrity crc32" if [ -n "$DM_INTEGRITY_HMAC_FIX" ] ; then test_resize "[INTEGRITY RESIZE KEY]" 0 0 "--integrity hmac-sha256 --integrity-key-size 128 --integrity-key-file $KEY_FILE --journal-integrity hmac-sha256 --journal-integrity-key-file $KEY_FILE --journal-integrity-key-size 128 --journal-crypt ctr-aes --journal-crypt-key-size 16 --journal-crypt-key-file $KEY_FILE" test_resize "[INTEGRITY RESIZE KEY]" 0 1 "--integrity hmac-sha256 --integrity-key-size 128 --integrity-key-file $KEY_FILE --journal-integrity hmac-sha256 --journal-integrity-key-file $KEY_FILE --journal-integrity-key-size 128 --journal-crypt ctr-aes --journal-crypt-key-size 16 --journal-crypt-key-file $KEY_FILE" test_resize "[INTEGRITY RESIZE KEY DETACHED]" 1 0 "--integrity hmac-sha256 --integrity-key-size 128 --integrity-key-file $KEY_FILE --journal-integrity hmac-sha256 --journal-integrity-key-file $KEY_FILE --journal-integrity-key-size 128 --journal-crypt ctr-aes --journal-crypt-key-size 16 --journal-crypt-key-file $KEY_FILE" test_resize "[INTEGRITY RESIZE KEY DETACHED]" 1 1 "--integrity hmac-sha256 --integrity-key-size 128 --integrity-key-file $KEY_FILE --journal-integrity hmac-sha256 --journal-integrity-key-file $KEY_FILE --journal-integrity-key-size 128 --journal-crypt ctr-aes --journal-crypt-key-size 16 --journal-crypt-key-file $KEY_FILE" fi cleanup