tests/integrity-compat-test

   1 #!/bin/bash
   2 #
   3 # Test integritysetup compatibility.
   4 #
   5 [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
   6 INTSETUP=$CRYPTSETUP_PATH/integritysetup
   7
   8 INTSETUP_VALGRIND=../.libs/integritysetup
   9 INTSETUP_LIB_VALGRIND=../.libs
  10
  11 DEV_NAME=dmc_test
  12 DEV_NAME_BIG=dmc_fake
  13 DEV_LOOP=""
  14 DEV=test123.img
  15 DEV2=test124.img
  16 KEY_FILE=key.img
  17 KEY_FILE2=key2.img
  18
  19 dmremove() { # device
  20         udevadm settle >/dev/null 2>&1
  21         dmsetup remove --retry $1 >/dev/null 2>&1
  22 }
  23
  24 cleanup() {
  25         [ -b /dev/mapper/$DEV_NAME ] && dmremove $DEV_NAME
  26         [ -b /dev/mapper/$DEV_NAME_BIG ] && dmremove $DEV_NAME_BIG
  27         [ -n "$DEV_LOOP" ] && losetup -d "$DEV_LOOP"
  28         DEV_LOOP=""
  29         rm -f $DEV $DEV2 $KEY_FILE $KEY_FILE2 >/dev/null 2>&1
  30 }
  31
  32 fail()
  33 {
  34         [ -n "$1" ] && echo "$1"
  35         echo "FAILED backtrace:"
  36         while caller $frame; do ((frame++)); done
  37         cleanup
  38         exit 100
  39 }
  40
  41 skip()
  42 {
  43         [ -n "$1" ] && echo "$1"
  44         exit 77
  45 }
  46
  47 function dm_integrity_features()
  48 {
  49         VER_STR=$(dmsetup targets | grep integrity | cut -f2 -dv)
  50         [ -z "$VER_STR" ] && skip "Cannot find dm-integrity target, test skipped."
  51
  52         VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
  53         VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
  54         VER_PTC=$(echo $VER_STR | cut -f 3 -d.)
  55
  56         [ $VER_MAJ -lt 1 ] && return
  57         [ $VER_MIN -gt 1 ] && {
  58                 DM_INTEGRITY_META=1
  59                 DM_INTEGRITY_RECALC=1
  60         }
  61         [ $VER_MIN -gt 2 ] && {
  62                 DM_INTEGRITY_BITMAP=1
  63         }
  64         [ $VER_MIN -gt 6 ] && {
  65                 DM_INTEGRITY_HMAC_FIX=1
  66         }
  67 }
  68
  69 add_device() {
  70         cleanup
  71         dd if=/dev/urandom of=$KEY_FILE bs=4096 count=1 >/dev/null 2>&1
  72         dd if=/dev/urandom of=$KEY_FILE2 bs=1 count=32 >/dev/null 2>&1
  73         dd if=/dev/zero of=$DEV bs=1M count=32 >/dev/null 2>&1
  74         dd if=/dev/zero of=$DEV2 bs=1M count=32 >/dev/null 2>&1
  75         sync
  76 }
  77
  78 status_check() # name value
  79 {
  80         X=$($INTSETUP status $DEV_NAME | grep "$1" | sed 's/.*: //' | sed 's/^[[:space:]]*//')
  81         if [ "$X" != "$2" ] ; then
  82                 echo "[status FAIL]"
  83                 echo " Expecting $1:$2 got \"$X\"."
  84                 fail
  85         fi
  86 }
  87
  88 dump_check() # name value
  89 {
  90         X=$($INTSETUP dump $DEV | grep "$1" | cut -d' '  -f 2)
  91         if [ "$X" != "$2" ] ; then
  92                 echo "[dump FAIL]"
  93                 echo " Expecting $1:$2 got \"$X\"."
  94                 fail
  95         fi
  96 }
  97
  98 kernel_param_check() # number value
  99 {
 100         X=$(dmsetup table $DEV_NAME | cut -d " " -f $1)
 101         if [ "$X" != $2 ] ; then
 102                 echo "[param_check FAIL]"
 103                 echo "Expecting $2 got \"$X\"."
 104                 fail
 105         fi
 106 }
 107
 108 function valgrind_setup()
 109 {
 110     which valgrind >/dev/null 2>&1 || fail "Cannot find valgrind."
 111     [ ! -f $INTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
 112     export LD_LIBRARY_PATH="$INTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"
 113 }
 114
 115 function valgrind_run()
 116 {
 117     INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${INTSETUP_VALGRIND} "$@"
 118 }
 119
 120 int_check_sum_only() # checksum
 121 {
 122         VSUM=$(sha256sum /dev/mapper/$DEV_NAME | cut -d' ' -f 1)
 123         if [ "$VSUM" = "$1" ] ; then
 124                 echo -n "[CHECKSUM OK]"
 125         else
 126                 echo "[FAIL]"
 127                 echo " Expecting $1 got $VSUM."
 128                 fail
 129         fi
 130 }
 131
 132 int_check_sum() # alg checksum [keyfile keysize]
 133 {
 134         if [ -n "$4" ] ; then
 135                 KEY_PARAMS="--integrity-key-file $3 --integrity-key-size $4"
 136         else
 137                 KEY_PARAMS=""
 138         fi
 139
 140         # Fill device with zeroes and reopen it
 141         dd if=/dev/zero of=/dev/mapper/$DEV_NAME bs=1M oflag=direct >/dev/null 2>&1
 142         dmremove $DEV_NAME
 143
 144         $INTSETUP open $DEV $DEV_NAME --integrity $1 $KEY_PARAMS || fail "Cannot activate device."
 145
 146         int_check_sum_only $2
 147 }
 148
 149 intformat() # alg alg_out tagsize outtagsize sector_size csum [keyfile keysize]
 150 {
 151         if [ -n "$8" ] ; then
 152                 KEY_PARAMS="--integrity-key-file $7 --integrity-key-size $8"
 153         else
 154                 KEY_PARAMS=""
 155         fi
 156
 157         if [ $3 -ne 0 ] ; then
 158                 TAG_PARAMS="--tag-size $3"
 159         else
 160                 TAG_PARAMS=""
 161         fi
 162
 163         echo -n "[INTEGRITY:$2:$4:$5]"
 164         [ -n "$8" ] && echo -n "[KEYFILE:$8]"
 165         echo -n "[FORMAT]"
 166         $INTSETUP format --integrity-legacy-padding -q --integrity $1 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV >/dev/null 2>&1
 167         if [ $? -ne 0 ] ; then
 168                 ALG=$(echo $1 | sed -e 's/hmac-//')
 169                 if ! grep -q $ALG /proc/crypto ; then
 170                         echo "[N/A]"
 171                         return
 172                 fi
 173                 fail "Cannot format device."
 174         fi
 175
 176         dump_check "tag_size" $4
 177         dump_check "sector_size" $5
 178         echo -n "[ACTIVATE]"
 179         $INTSETUP open $DEV $DEV_NAME --integrity $1 $KEY_PARAMS || fail "Cannot activate device."
 180         if [ -n "$8" ]; then
 181                 KEY_HEX=$(xxd -c 4096 -l $8 -p $7)
 182                 [ -z "$KEY_HEX" ] && fail "Cannot decode key."
 183                 dmsetup table --showkeys $DEV_NAME | grep -q $KEY_HEX || fail "Key mismatch."
 184         fi
 185         status_check "tag size" $4
 186         status_check "integrity" $2
 187         status_check "sector size" "$5 bytes"
 188         int_check_sum $1 $6 $7 $8
 189         echo -n "[REMOVE]"
 190         $INTSETUP close $DEV_NAME || fail "Cannot deactivate device."
 191         echo "[OK]"
 192 }
 193
 194 int_error_detection() # mode alg tagsize outtagsize sector_size key_file key_size
 195 {
 196         if [ "$1" == "B" ] ; then
 197                 INT_MODE="-B"
 198         else
 199                 INT_MODE=""
 200         fi
 201         if [ -n "$7" ] ; then
 202                 KEY_PARAMS="--integrity-key-file $6 --integrity-key-size $7"
 203         else
 204                 KEY_PARAMS=""
 205         fi
 206         if [ $3 -ne 0 ] ; then
 207                 TAG_PARAMS="--tag-size $3"
 208         else
 209                 TAG_PARAMS=""
 210         fi
 211         dd if=/dev/zero of=$DEV bs=1M count=32 >/dev/null 2>&1
 212
 213         echo -n "[INTEGRITY:$1:$2:$4:$5]"
 214         echo -n "[FORMAT]"
 215         $INTSETUP format -q --integrity $2 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV $INT_MODE >/dev/null || fail "Cannot format device."
 216         echo -n "[ACTIVATE]"
 217         $INTSETUP open $DEV $DEV_NAME --integrity $2 --integrity-no-journal $KEY_PARAMS $INT_MODE || fail "Cannot activate device."
 218
 219         if [ -n "$6" -a -n "$7" ]; then
 220                 echo -n "[KEYED HASH]"
 221                 KEY_HEX=$(xxd -c 256 -l $7 -p $6)
 222                 [ -z "$KEY_HEX" ] && fail "Cannot decode key."
 223                 dmsetup table --showkeys $DEV_NAME | grep -q $KEY_HEX || fail "Key mismatch."
 224         fi
 225
 226         echo -n "[WRITE DATA]"
 227         echo -n "EXAMPLE TEXT" | dd of=/dev/mapper/$DEV_NAME >/dev/null 2>&1 || fail "Cannot write to device."
 228         $INTSETUP close $DEV_NAME || fail "Cannot deactivate device."
 229
 230         # find offset of data area
 231         ARR=($(dd if=$DEV bs=512 2>/dev/null | hexdump -C | grep 'EXAMPLE TEXT'))
 232         OFF_HEX=${ARR[0]}
 233         OFF_DEC=$((16#$OFF_HEX))
 234
 235         echo -n "[CORRUPT DATA:$OFF_DEC]"
 236         echo -n "Z" | dd of=$DEV bs=1 seek=$OFF_DEC conv=notrunc >/dev/null 2>&1 || fail "Cannot write to device."
 237
 238         echo -n "[DETECT ERROR]"
 239         $INTSETUP open $DEV $DEV_NAME --integrity $2 $KEY_PARAMS $INT_MODE || fail "Cannot activate device."
 240         dd if=/dev/mapper/$DEV_NAME  >/dev/null 2>&1 && fail "Error detection failed."
 241         echo -n "[REMOVE]"
 242         $INTSETUP close $DEV_NAME || fail "Cannot deactivate device."
 243         echo "[OK]"
 244 }
 245
 246 int_journal() # 1 alg, 2 tagsize, 3 sector_size, 4 watermark, 5 commit_time, 6 journal_integrity, 7 key-file, 8 key-size, 9 journal_integrity_out
 247 {
 248     echo -n "[INTEGRITY JOURNAL:$6:${4}%:${5}ms:$8]"
 249     echo -n "[FORMAT]"
 250     ARGS="--integrity $1 --journal-watermark $4 --journal-commit-time $5 --journal-integrity $6 --journal-integrity-key-file $7 --journal-integrity-key-size $8"
 251     $INTSETUP format -q --tag-size $2 --sector-size $3 $ARGS $DEV || fail "Cannot format device."
 252
 253     echo -n "[ACTIVATE]"
 254
 255     $INTSETUP open $DEV $DEV_NAME $ARGS || fail "Cannot activate device."
 256
 257     echo -n "[KEYED HASH]"
 258     KEY_HEX=$(xxd -c 4096 -l $8 -p $7)
 259     [ -z "$KEY_HEX" ] && fail "Cannot decode key."
 260     dmsetup table --showkeys $DEV_NAME | grep -q $KEY_HEX || fail "Key mismatch."
 261
 262     status_check "journal watermark" "${4}%"
 263     status_check "journal commit time" "${5} ms"
 264     status_check "journal integrity MAC" $9
 265
 266     echo -n "[REMOVE]"
 267     $INTSETUP close $DEV_NAME || fail "Cannot deactivate device."
 268     echo "[OK]"
 269 }
 270
 271
 272 int_journal_crypt() # crypt_alg crypt_alg_kernel crypt_key crypt_key_size
 273 {
 274         echo -n "[JOURNAL CRYPT:$1:${4}B]"
 275
 276         echo -n "[FORMAT]"
 277         ARGS="--journal-crypt $1 --journal-crypt-key-file $3 --journal-crypt-key-size $4"
 278         $INTSETUP format -q $ARGS $DEV || fail "Cannot format device."
 279
 280         echo -n "[ACTIVATE]"
 281         $INTSETUP open $DEV $DEV_NAME $ARGS || fail "Cannot activate device."
 282
 283         KEY_HEX=$(xxd -c 256 -l $4 -p $3)
 284         [ -z "$KEY_HEX" ] && fail "Cannot decode key."
 285         dmsetup table --showkeys $DEV_NAME | grep -q "journal_crypt:$2:$KEY_HEX" || fail "Key mismatch."
 286
 287         $INTSETUP close $DEV_NAME
 288         echo "[OK]"
 289 }
 290
 291 int_mode() # alg tag_size sector_size [keyfile keysize]
 292 {
 293         if [ -n "$5" ] ; then
 294                 KEY_PARAMS="--integrity-key-file $4 --integrity-key-size $5"
 295         else
 296                 KEY_PARAMS=""
 297         fi
 298
 299         echo -n "[MODE TESTS:$1:$2:$3]"
 300         ARGS="--tag-size $2 --sector-size $3"
 301
 302         $INTSETUP format -q $ARGS $KEY_PARAMS $DEV --integrity $1 || fail "Cannot format device."
 303
 304         echo -n "[JOURNALED WRITES]"
 305         $INTSETUP open $DEV $DEV_NAME --integrity $1 $KEY_PARAMS || fail "Cannot activate device with journal."
 306         status_check "mode" "read/write"
 307         kernel_param_check 7 "J"
 308
 309         $INTSETUP close $DEV_NAME || fail "Cannot deactivate device."
 310
 311         echo -n "[DIRECT WRITES]"
 312         $INTSETUP open $DEV $DEV_NAME --integrity $1 $KEY_PARAMS --integrity-no-journal || fail "Cannot activate device without journal."
 313         status_check "mode" "read/write"
 314         status_check "journal" "not active"
 315         kernel_param_check 7 "D"
 316
 317         $INTSETUP close $DEV_NAME || fail "Cannot deactivate device."
 318
 319         echo -n "[RECOVERY MODE]"
 320         $INTSETUP open $DEV $DEV_NAME --integrity $1 $KEY_PARAMS --integrity-recovery-mode || fail "Cannot activate device in recovery mode."
 321         status_check "mode" "read/write recovery"
 322         kernel_param_check 7 "R"
 323
 324         $INTSETUP close $DEV_NAME || fail "Cannot deactivate device."
 325
 326         echo "[OK]"
 327 }
 328
 329 [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
 330 [ ! -x "$INTSETUP" ] && skip "Cannot find $INTSETUP, test skipped."
 331 which blockdev >/dev/null || skip "Cannot find blockdev utility, test skipped."
 332
 333 [ -n "$VALG" ] && valgrind_setup && INTSETUP=valgrind_run
 334 which hexdump >/dev/null 2>&1 || skip "WARNING: hexdump tool required."
 335 modprobe dm-integrity >/dev/null 2>&1
 336 dm_integrity_features
 337
 338 add_device
 339 intformat blake2s-256 blake2s-256    32 32  512 8e5fe4119558e117bfc40e3b0f13ade3abe497b52604d4c7cca0cfd6c7f4cf11
 340 intformat blake2b-256 blake2b-256    32 32  512 8e5fe4119558e117bfc40e3b0f13ade3abe497b52604d4c7cca0cfd6c7f4cf11
 341 intformat crc32c      crc32c          0  4  512 08f63eb27fb9ce2ce903b0a56429c68ce5e209253ba42154841ef045a53839d7
 342 intformat crc32       crc32           0  4  512 08f63eb27fb9ce2ce903b0a56429c68ce5e209253ba42154841ef045a53839d7
 343 intformat sha1        sha1            0 20  512 6eedd6344dab8875cd185fcd6565dfc869ab36bc57e577f40c685290b1fa7fe7
 344 intformat sha1        sha1           16 16 4096 e152ec88227b539cd9cafd8bdb587a1072d720cd6bcebe1398d4136c9e7f337b
 345 intformat sha256      sha256          0 32  512 8e5fe4119558e117bfc40e3b0f13ade3abe497b52604d4c7cca0cfd6c7f4cf11
 346 intformat hmac-sha256 hmac\(sha256\)  0 32  512 8e5fe4119558e117bfc40e3b0f13ade3abe497b52604d4c7cca0cfd6c7f4cf11 $KEY_FILE 32
 347 intformat sha256      sha256          0 32 4096 33f7dfa5163ca9f740383fb8b0919574e38a7b20a94a4170fde4238196b7c4b4
 348 intformat hmac-sha256 hmac\(sha256\)  0 32 4096 33f7dfa5163ca9f740383fb8b0919574e38a7b20a94a4170fde4238196b7c4b4 $KEY_FILE 32
 349 intformat hmac-sha256 hmac\(sha256\)  0 32 4096 33f7dfa5163ca9f740383fb8b0919574e38a7b20a94a4170fde4238196b7c4b4 $KEY_FILE 4096
 350
 351 echo "Error detection tests:"
 352 int_error_detection J crc32c  0  4  512
 353 int_error_detection J crc32c  0  4  4096
 354 int_error_detection J crc32   0  4  512
 355 int_error_detection J crc32   0  4  4096
 356 int_error_detection J sha1    0 20 512
 357 int_error_detection J sha1   16 16 512
 358 int_error_detection J sha1    0 20 4096
 359 int_error_detection J sha256  0 32 512
 360 int_error_detection J sha256  0 32 4096
 361
 362 which xxd >/dev/null 2>&1 || skip "WARNING: xxd tool required."
 363 int_error_detection J hmac-sha256  0 32 512 $KEY_FILE 32
 364 int_error_detection J hmac-sha256  0 32 4096 $KEY_FILE 32
 365
 366 echo "Journal parameters tests:"
 367 # Watermark is calculated in kernel, so it can be rounded down/up
 368 int_journal crc32  4  512  66 1000 hmac-sha256 $KEY_FILE 32 hmac\(sha256\)
 369 int_journal sha256 32 4096 34 5000 hmac-sha1   $KEY_FILE 16 hmac\(sha1\)
 370 int_journal sha1   20 512  75 9999 hmac-sha256 $KEY_FILE 32 hmac\(sha256\)
 371 int_journal sha1   20 512  75 9999 hmac-sha256 $KEY_FILE 4096 hmac\(sha256\)
 372
 373 echo "Journal encryption tests:"
 374 int_journal_crypt cbc-aes cbc\(aes\) $KEY_FILE 32
 375 int_journal_crypt cbc-aes cbc\(aes\) $KEY_FILE 16
 376 int_journal_crypt ctr-aes ctr\(aes\) $KEY_FILE 32
 377 int_journal_crypt ctr-aes ctr\(aes\) $KEY_FILE 16
 378
 379 echo "Mode tests:"
 380 int_mode crc32c      4  512
 381 int_mode crc32       4  512
 382 int_mode sha1        20 512
 383 int_mode sha256      32 512
 384 int_mode hmac-sha256 32 512  $KEY_FILE 32
 385 int_mode hmac-sha256 32 4096 $KEY_FILE 32
 386
 387 echo -n "Recalculate tags in-kernel:"
 388 add_device
 389 if [ -n "$DM_INTEGRITY_RECALC" ] ; then
 390         $INTSETUP format -q $DEV --no-wipe || fail "Cannot format device."
 391         $INTSETUP open $DEV $DEV_NAME --integrity-recalculate || fail "Cannot activate device."
 392         dd if=/dev/mapper/$DEV_NAME of=/dev/null bs=1M 2>/dev/null || fail "Cannot recalculate tags in-kernel"
 393         int_check_sum_only 08f63eb27fb9ce2ce903b0a56429c68ce5e209253ba42154841ef045a53839d7
 394         $INTSETUP close $DEV_NAME || fail "Cannot deactivate device."
 395         echo "[OK]"
 396 else
 397         echo "[N/A]"
 398 fi
 399
 400 echo -n "Separate metadata device:"
 401 if [ -n "$DM_INTEGRITY_META" ] ; then
 402         add_device
 403         $INTSETUP format -q $DEV --data-device $DEV2 || fail "Cannot format device."
 404         $INTSETUP open $DEV --data-device $DEV2 $DEV_NAME || fail "Cannot activate device."
 405         int_check_sum_only 83ee47245398adee79bd9c0a8bc57b821e92aba10f5f9ade8a5d1fae4d8c4302
 406         $INTSETUP status $DEV_NAME | grep -q 'metadata device:' || fail
 407         $INTSETUP close $DEV_NAME || fail "Cannot deactivate device."
 408         echo "[OK]"
 409 else
 410         echo "[N/A]"
 411 fi
 412
 413 echo -n "Bitmap mode parameters:"
 414 if [ -n "$DM_INTEGRITY_BITMAP" ] ; then
 415         add_device
 416         $INTSETUP format -q $DEV --integrity-bitmap-mode $DEV2 || fail "Cannot format device."
 417         $INTSETUP open $DEV --integrity-bitmap-mode --bitmap-sectors-per-bit 65536 --bitmap-flush-time 5000 $DEV_NAME || fail "Cannot activate device."
 418         $INTSETUP status $DEV_NAME | grep -q 'bitmap 512-byte sectors per bit: 65536' || fail
 419         $INTSETUP status $DEV_NAME | grep -q 'bitmap flush interval: 5000 ms' || fail
 420         $INTSETUP close $DEV_NAME || fail "Cannot deactivate device."
 421         echo "[OK]"
 422         echo "Bitmap error detection tests:"
 423         int_error_detection B crc32c      0  4 512
 424         int_error_detection B crc32c      0  4 4096
 425         int_error_detection B sha256      0 32 512
 426         int_error_detection B sha256      0 32 4096
 427         int_error_detection B hmac-sha256 0 32 512 $KEY_FILE 32
 428         int_error_detection B hmac-sha256 0 32 4096 $KEY_FILE 32
 429 else
 430         echo "[N/A]"
 431 fi
 432
 433 echo -n "Big device:"
 434 add_device
 435 DEV_LOOP=$(losetup -f $DEV --show)
 436 if [ -n "$DEV_LOOP" ] ; then
 437 dmsetup create $DEV_NAME_BIG <<EOF
 438 0 16284 linear $DEV_LOOP 0
 439 16284 80000000000 zero
 440 EOF
 441         [ ! -b /dev/mapper/$DEV_NAME_BIG ] && fail
 442         $INTSETUP format -q -s 512 --no-wipe /dev/mapper/$DEV_NAME_BIG
 443         $INTSETUP open /dev/mapper/$DEV_NAME_BIG $DEV_NAME || fail
 444         D_SIZE=$($INTSETUP dump /dev/mapper/$DEV_NAME_BIG | grep provided_data_sectors | sed -e 's/.*provided_data_sectors\ \+//g')
 445         A_SIZE=$(blockdev --getsz /dev/mapper/$DEV_NAME)
 446         # Compare strings (to avoid 64bit integers), not integers
 447         [ -n "$A_SIZE" -a "$D_SIZE" != "$A_SIZE" ] && fail
 448         echo "[OK]"
 449 else
 450         echo "[N/A]"
 451 fi
 452
 453 echo -n "Fixed HMAC and legacy flags:"
 454 if [ -n "$DM_INTEGRITY_HMAC_FIX" ] ; then
 455         add_device
 456         # only data HMAC
 457         ARGS="--integrity hmac-sha256 --integrity-key-file $KEY_FILE --integrity-key-size 32"
 458         $INTSETUP format -q $DEV --integrity-legacy-hmac --no-wipe --tag-size 32 $ARGS || fail "Cannot format device."
 459         $INTSETUP open $DEV $DEV_NAME --integrity-recalculate $ARGS >/dev/null 2>&1 && fail "Cannot activate device."
 460         $INTSETUP open $DEV $DEV_NAME --integrity-legacy-recalculate $ARGS || fail "Cannot activate device."
 461         $INTSETUP close $DEV_NAME || fail "Cannot deactivate device."
 462         # New version - must fail (no journal HMAC)
 463         $INTSETUP format -q $DEV --no-wipe --tag-size 32 $ARGS || fail "Cannot format device."
 464         $INTSETUP open $DEV $DEV_NAME --integrity-recalculate $ARGS  >/dev/null 2>&1 && fail "Cannot activate device."
 465         $INTSETUP open $DEV $DEV_NAME --integrity-legacy-recalculate $ARGS || fail "Cannot activate device."
 466         $INTSETUP close $DEV_NAME || fail "Cannot deactivate device."
 467
 468         # data and journal HMAC
 469         ARGS="$ARGS --journal-integrity hmac-sha256 --journal-integrity-key-file $KEY_FILE2 --journal-integrity-key-size 32"
 470         $INTSETUP format -q $DEV --integrity-legacy-hmac --no-wipe --tag-size 32 $ARGS || fail "Cannot format device."
 471         $INTSETUP open $DEV $DEV_NAME --integrity-recalculate $ARGS >/dev/null 2>&1 && fail "Cannot activate device."
 472         $INTSETUP open $DEV $DEV_NAME --integrity-legacy-recalculate $ARGS || fail "Cannot activate device."
 473         $INTSETUP close $DEV_NAME || fail "Cannot deactivate device."
 474         # New fixed version
 475         $INTSETUP format -q $DEV --no-wipe --tag-size 32 $ARGS || fail "Cannot format device."
 476         $INTSETUP dump $DEV | grep "flags" | grep -q "fix_hmac" || fail "Flag for HMAC not set."
 477         $INTSETUP open $DEV $DEV_NAME --integrity-recalculate $ARGS || fail "Cannot activate device."
 478         $INTSETUP close $DEV_NAME || fail "Cannot deactivate device."
 479         echo "[OK]"
 480 else
 481         echo "[N/A]"
 482 fi
 483
 484 cleanup