4 [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
5 CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
7 CRYPTSETUP_VALGRIND=../.libs/cryptsetup
8 CRYPTSETUP_LIB_VALGRIND=../.libs
10 FAST_PBKDF2="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
11 FAST_PBKDF_ARGON="--pbkdf-force-iterations 4 --pbkdf-memory 32 --pbkdf-parallel 1"
12 DEFAULT_ARGON="argon2i"
26 [ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
28 function dm_crypt_features()
30 VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
31 [ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version."
33 VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
34 VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
35 VER_PTC=$(echo $VER_STR | cut -f 3 -d.)
37 [ $VER_MAJ -lt 1 ] && return
38 [ $VER_MAJ -gt 1 ] && {
44 [ $VER_MIN -lt 14 ] && return
46 if [ $VER_MIN -ge 17 -o \( $VER_MIN -eq 14 -a $VER_PTC -ge 5 \) ]; then
51 function dm_delay_features()
53 local _ver_str=$(dmsetup targets | grep delay | cut -f2 -dv)
54 [ -z "$_ver_str" ] && return 1
58 # $1 path to scsi debug bdev
59 scsi_debug_teardown() {
62 while [ -b "$1" -a $_tries -gt 0 ]; do
63 rmmod scsi_debug 2> /dev/null
70 test ! -b "$1" || rmmod scsi_debug 2> /dev/null
73 function remove_mapping()
75 [ -b /dev/mapper/$DEV_NAME ] && {
76 dmsetup resume $DEV_NAME
77 dmsetup remove --retry $DEV_NAME
79 [ -b /dev/mapper/$DEV_NAME2 ] && {
80 dmsetup resume $DEV_NAME2
81 dmsetup remove --retry $DEV_NAME2
83 [ -b /dev/mapper/$DEV_NAME-overlay ] && {
84 dmsetup resume $DEV_NAME-overlay
85 dmsetup remove --retry $DEV_NAME-overlay
87 [ -b /dev/mapper/$DEV_NAME-hotzone-forward ] && {
88 dmsetup resume $DEV_NAME-hotzone-forward
89 dmsetup remove --retry $DEV_NAME-hotzone-forward
91 [ -b /dev/mapper/$DEV_NAME-hotzone-backward ] && {
92 dmsetup resume $DEV_NAME-hotzone-backward
93 dmsetup remove --retry $DEV_NAME-hotzone-backward
95 [ -b /dev/mapper/$OVRDEV ] && dmsetup remove --retry $OVRDEV 2>/dev/null
96 [ -b /dev/mapper/$OVRDEV-err ] && dmsetup remove --retry $OVRDEV-err 2>/dev/null
97 [ -n "$LOOPDEV" ] && losetup -d $LOOPDEV
99 rm -f $IMG $IMG_HDR $KEY1 $DEVBIG >/dev/null 2>&1
100 rmmod scsi_debug 2> /dev/null
101 scsi_debug_teardown $DEV
107 [ -n "$1" ] && echo "$1"
108 echo "FAILED backtrace:"
109 while caller $frame; do ((frame++)); done
116 [ -n "$1" ] && echo "$1"
122 [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
125 function add_scsi_device() {
126 scsi_debug_teardown $DEV
127 modprobe scsi_debug $@ delay=0
128 if [ $? -ne 0 ] ; then
129 echo "This kernel seems to not support proper scsi_debug module, test skipped."
134 DEV="/dev/"$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /)
135 [ -b $DEV ] || fail "Cannot find $DEV."
138 function open_crypt() # $1 pwd, $2 hdr
140 if [ -n "$2" ] ; then
141 echo "$1" | $CRYPTSETUP luksOpen $DEV $DEV_NAME --header $2 || fail
142 elif [ -n "$1" ] ; then
143 echo "$1" | $CRYPTSETUP luksOpen $DEV $DEV_NAME || fail
145 $CRYPTSETUP luksOpen -d $KEY1 $DEV $DEV_NAME || fail
149 function wipe_dev() # $1 dev
152 blkdiscard --zeroout $1 2>/dev/null || dd if=/dev/zero of=$1 bs=1M conv=notrunc >/dev/null 2>&1
154 local size=$(stat --printf="%s" $1)
160 function wipe() # $1 pass, $2 hdr
163 wipe_dev /dev/mapper/$DEV_NAME
164 udevadm settle >/dev/null 2>&1
165 $CRYPTSETUP luksClose $DEV_NAME || fail
168 function prepare() # $1 dev1_siz
172 if [ ! -e $KEY1 ]; then
173 dd if=/dev/urandom of=$KEY1 count=1 bs=32 >/dev/null 2>&1
179 function preparebig() # $1 dev1_siz
183 if [ ! -e $KEY1 ]; then
184 dd if=/dev/urandom of=$KEY1 count=1 bs=32 >/dev/null 2>&1
187 truncate -s "$1"M $DEVBIG
188 LOOPDEV=$(losetup -f)
189 losetup -f $DEVBIG || fail
193 function check_hash_dev() # $1 dev, $2 hash
195 HASH=$(sha256sum $1 | cut -d' ' -f 1)
196 [ $HASH != "$2" ] && fail "HASH differs (expected: $2) (result $HASH)"
199 function check_hash() # $1 pwd, $2 hash, $3 hdr
202 check_hash_dev /dev/mapper/$DEV_NAME $2
203 $CRYPTSETUP remove $DEV_NAME || fail
206 function check_hash_head() # $1 pwd, $2 len, $3 hash, $4 hdr
210 echo $1 | $CRYPTSETUP resize $DEV_NAME --size $2 --header $4 || fail
212 echo $1 | $CRYPTSETUP resize $DEV_NAME --size $2 || fail
214 check_hash_dev /dev/mapper/$DEV_NAME $3
215 $CRYPTSETUP remove $DEV_NAME || fail
218 function resize_file() # $1 dev, $2 shrink bytes
220 local size=$(stat --printf="%s" $1)
221 truncate -s $(($size + $2)) $1
225 function error_writes() { # $1 dmdev, $2 data dev, $3 offset, $4 size
226 local _dev_size=$(blockdev --getsz /dev/mapper/$1)
227 local _offset=$(($3+$4))
228 local _size=$((_dev_size-_offset))
231 dmsetup create $_err --table "0 $_dev_size error" || fail
233 if [ $3 -ne 0 ]; then
234 _table="0 $3 linear $2 0\n"
237 _table=$_table"$3 $4 delay $2 $3 0 /dev/mapper/$_err $3 0"
239 if [ $_size -ne 0 ]; then
240 _table="$_table\n$_offset $_size linear $2 $_offset"
243 echo -e "$_table" | dmsetup load $1 || fail
244 dmsetup resume $1 || fail
245 blockdev --setra 0 /dev/mapper/$1
246 blockdev --setra 0 /dev/mapper/$_err
249 function fix_writes() { # $1 dmdev, $2 data dev
250 local _dev_size=$(blockdev --getsz /dev/mapper/$1)
251 dmsetup load $1 --table "0 $_dev_size linear $2 0" || fail
252 dmsetup resume $1 || fail
253 dmsetup remove --retry $1-err 2>/dev/null || fail
256 function prepare_linear_dev() {
260 if [ "$_sizemb" -gt 32 ]; then
263 prepare dev_size_mb=$_sizemb $@
266 dmsetup create $OVRDEV --table "0 $((_sizemb*1024*2)) linear $DEV 0" || fail
269 DEV=/dev/mapper/$OVRDEV
272 function get_error_offsets() # $1 devsize, $2 minimal offset, $3 sector_size [512 if ommited], $4 max offset
274 local _devsize=$(($1*1024*2))
275 local _sector_size=${3:-512}
276 local _max_offset=${4:-$_devsize}
277 _sector_size=$((_sector_size/512))
279 # 8 sectors minimal size (4096)
280 ERRLENGTH=$((($RANDOM%56)+8))
281 ERRLENGTH=$(($ERRLENGTH-($ERRLENGTH%$_sector_size)))
283 ERROFFSET=$(($2+((2*$RANDOM)%($_max_offset-$2-$ERRLENGTH))))
284 ERROFFSET=$(($ERROFFSET-($ERROFFSET%$_sector_size)))
287 function reencrypt_recover() { # $1 sector size, $2 resilience, $3 digest, [$4 header]
288 echo -n "resilience mode: $2 ..."
290 test -z "$4" || _hdr="--header $4"
292 error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
293 echo $PWD1 | $CRYPTSETUP reencrypt $DEV $_hdr --hotzone-size 1M --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON 2>/dev/null && fail
294 fix_writes $OVRDEV $OLD_DEV
296 echo $PWD1 | $CRYPTSETUP -q repair $DEV $_hdr || fail
298 check_hash $PWD1 $3 $4
300 echo $PWD1 | $CRYPTSETUP reencrypt $DEV $_hdr --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON || fail
301 check_hash $PWD1 $3 $4
306 function reencrypt_recover_online() { # $1 sector size, $2 resilience, $3 digest, [$4 header]
307 echo -n "resilience mode: $2 ..."
309 test -z "$4" || _hdr="--header $4"
311 echo $PWD1 | $CRYPTSETUP open $DEV $_hdr $DEV_NAME || fail
313 error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
314 echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME $_hdr --hotzone-size 1M --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON 2>/dev/null && fail
315 $CRYPTSETUP status $DEV_NAME $_hdr | grep -q "reencryption: in-progress" || fail
316 $CRYPTSETUP close $DEV_NAME || fail
317 fix_writes $OVRDEV $OLD_DEV
319 # recovery during activation
320 echo $PWD1 | $CRYPTSETUP open $DEV $_hdr $DEV_NAME || fail
321 check_hash_dev /dev/mapper/$DEV_NAME $3
323 $CRYPTSETUP luksDump ${4:-$DEV} | grep -q "online-reencrypt"
324 if [ $? -eq 0 ]; then
325 $CRYPTSETUP status $DEV_NAME $_hdr | grep -q "reencryption: in-progress" || fail
326 echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME $_hdr --resilience $2 --resume-only -q || fail
327 check_hash_dev /dev/mapper/$DEV_NAME $3
330 $CRYPTSETUP close $DEV_NAME || fail
334 function encrypt_recover() { # $1 sector size, $2 reduce size, $3 digest, $4 device size in sectors, $5 origin digest
336 check_hash_dev $DEV $5
338 echo -n "resilience mode: datashift ..."
340 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size $2 --sector-size $1 -q $FAST_PBKDF_ARGON --init-only >/dev/null 2>&1 || fail
342 error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
343 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q >/dev/null 2>&1 && fail
344 fix_writes $OVRDEV $OLD_DEV
346 echo $PWD1 | $CRYPTSETUP -q repair $DEV || fail
348 $CRYPTSETUP luksDump $DEV | grep -q "online-reencrypt"
349 if [ $? -eq 0 ]; then
351 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --sector-size $1 -q $FAST_PBKDF_ARGON || fail
354 check_hash_head $PWD1 $4 $3
359 function encrypt_recover_online() { # $1 sector size, $2 reduce size, $3 digest, $4 device size in sectors, $5 origin digest
361 check_hash_dev $DEV $5
363 echo -n "resilience mode: datashift ..."
365 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size $2 --sector-size $1 -q $FAST_PBKDF_ARGON --init-only > /dev/null || fail
366 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
368 error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
369 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q >/dev/null 2>&1 && fail
370 $CRYPTSETUP status $DEV_NAME | grep -q "reencryption: in-progress" || fail
371 $CRYPTSETUP close $DEV_NAME || fail
372 fix_writes $OVRDEV $OLD_DEV
374 # recovery in activation
375 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
377 $CRYPTSETUP luksDump $DEV | grep -q "online-reencrypt"
378 if [ $? -eq 0 ]; then
379 $CRYPTSETUP status $DEV_NAME | grep -q "reencryption: in-progress" || fail
380 check_hash_dev /dev/mapper/$DEV_NAME $3
381 echo $PWD1 | $CRYPTSETUP reencrypt --resume-only --active-name $DEV_NAME -q || fail
384 $CRYPTSETUP close $DEV_NAME || fail
385 check_hash_head $PWD1 $4 $3
390 function encrypt_recover_detached() { # $1 sector size, $2 resilience, $3 digest, $4 hdr
392 check_hash_dev $DEV $3
394 echo -n "resilience mode: $2 ..."
396 error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
397 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --hotzone-size 1M --header $4 --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON 2>/dev/null && fail
398 fix_writes $OVRDEV $OLD_DEV
400 echo $PWD1 | $CRYPTSETUP repair $DEV --header $4 || fail
402 check_hash $PWD1 $3 $4
404 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --header $4 --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON || fail
405 check_hash $PWD1 $3 $4
410 function encrypt_recover_detached_online() { # $1 sector size, $2 resilience, $3 digest, $4 hdr
412 check_hash_dev $DEV $3
414 echo -n "resilience mode: $2 ..."
416 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --hotzone-size 1M --header $4 --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON --init-only || fail
417 echo $PWD1 | $CRYPTSETUP open $DEV --header $4 $DEV_NAME || fail
419 error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
420 echo $PWD1 | $CRYPTSETUP reencrypt -q $DEV --header $4 --hotzone-size 1M 2>/dev/null && fail
421 $CRYPTSETUP status $DEV_NAME --header $4 | grep -q "reencryption: in-progress" || fail
422 $CRYPTSETUP close $DEV_NAME || fail
423 fix_writes $OVRDEV $OLD_DEV
425 echo $PWD1 | $CRYPTSETUP open $DEV --header $4 $DEV_NAME || fail
426 check_hash_dev /dev/mapper/$DEV_NAME $3
428 $CRYPTSETUP luksDump $4 | grep -q "online-reencrypt"
429 if [ $? -eq 0 ]; then
430 $CRYPTSETUP status $DEV_NAME --header $4 | grep -q "reencryption: in-progress" || fail
431 echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME --resume-only --header $4 --resilience $2 -q || fail
432 check_hash_dev /dev/mapper/$DEV_NAME $3
435 $CRYPTSETUP close $DEV_NAME || fail
440 function decrypt_recover_detached() { # $1 sector size, $2 resilience, $3 digest, $4 hdr
441 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size $1 --header $4 $FAST_PBKDF_ARGON $DEV || fail
443 check_hash $PWD1 $3 $4
445 echo -n "resilience mode: $2 ..."
447 error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
448 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --decrypt --hotzone-size 1M --header $4 --resilience $2 -q 2>/dev/null && fail
449 fix_writes $OVRDEV $OLD_DEV
451 echo $PWD1 | $CRYPTSETUP repair $DEV --header $4 || fail
453 $CRYPTSETUP luksDump $4 | grep -q "online-reencrypt"
454 if [ $? -eq 0 ]; then
455 check_hash $PWD1 $3 $4
456 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --resume-only --header $4 --resilience $2 -q || fail
459 check_hash_dev $DEV $3
464 function decrypt_recover_detached_online() { # $1 sector size, $2 resilience, $3 digest, $4 hdr
465 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size $1 --header $4 $FAST_PBKDF_ARGON $DEV || fail
466 echo $PWD1 | $CRYPTSETUP open $DEV --header $4 $DEV_NAME || fail
467 wipe_dev /dev/mapper/$DEV_NAME
468 check_hash_dev /dev/mapper/$DEV_NAME $3
470 echo -n "resilience mode: $2 ..."
472 error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
473 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --decrypt --hotzone-size 1M --header $4 --resilience $2 -q 2>/dev/null && fail
474 $CRYPTSETUP status $DEV_NAME --header $4 | grep -q "reencryption: in-progress" || fail
475 $CRYPTSETUP close $DEV_NAME || fail
476 fix_writes $OVRDEV $OLD_DEV
478 # recovery during activation
479 echo $PWD1 | $CRYPTSETUP open $DEV --header $4 $DEV_NAME || fail
481 $CRYPTSETUP luksDump $4 | grep -q "online-reencrypt"
482 if [ $? -eq 0 ]; then
483 $CRYPTSETUP status $DEV_NAME --header $4 | grep -q "reencryption: in-progress" || fail
484 check_hash_dev /dev/mapper/$DEV_NAME $3
485 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --header $4 --resilience $2 -q || fail
488 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail
489 check_hash_dev $DEV $3
494 # sector size (bytes)
495 # reenc dev size (sectors)
501 function reencrypt_offline_fixed_size() {
502 local _esz=$(($1>>9))
504 test -z "$7" || _hdr="--header $7"
506 # reencrypt with fixed device size
507 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --sector-size $1 --device-size $2s --resilience $4 || fail
508 check_hash_head $PWD1 $2 $3 $7
511 # try to reencrypt device size + 1 encryption sector size
512 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --sector-size $1 --init-only || fail
513 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --device-size $(($5+_esz))s --resilience $4 2>/dev/null && fail
514 check_hash $PWD1 $6 $7
516 # misaligned reencryption size
517 if [ $_esz -gt 1 ]; then
518 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --device-size $(($2+_esz-1))s --resilience $4 2>/dev/null && fail
519 $CRYPTSETUP luksDump ${7:-$DEV} | grep -q "2: crypt" || fail
520 $CRYPTSETUP luksDump ${7:-$DEV} | grep -q "3: crypt" && fail
521 check_hash $PWD1 $6 $7
525 # sector size (bytes)
526 # reenc dev size (sectors)
532 function encrypt_offline_fixed_size() {
533 local _esz=$(($1>>9))
535 # reencrypt with fixed device size
537 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -q $FAST_PBKDF_ARGON $DEV --header $7 --sector-size $1 --device-size $2s --resilience $4 || fail
538 check_hash_head $PWD1 $2 $3 $7
540 # try to reencrypt device size + 1 encryption sector size
542 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -q $FAST_PBKDF_ARGON $DEV --header $7 --sector-size $1 --init-only || fail
543 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV --header $7 --device-size $(($5+_esz))s --resilience $4 2>/dev/null && fail
544 check_hash $PWD1 $6 $7
546 # misaligned reencryption size
547 if [ $_esz -gt 1 ]; then
548 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -q $FAST_PBKDF_ARGON $DEV --header $7 --sector-size $1 --init-only || fail
549 echo $PWD1 | $CRYPTSETUP reencrypt -q $DEV --header $7 --device-size $(($2+_esz-1))s --resilience $4 2>/dev/null && fail
550 $CRYPTSETUP luksDump $7 | grep -q "2: crypt" || fail
551 $CRYPTSETUP luksDump $7 | grep -q "3: crypt" && fail
552 check_hash $PWD1 $6 $7
556 # sector size (bytes)
557 # reenc dev size (sectors)
563 function decrypt_offline_fixed_size() {
564 local _esz=$(($1>>9))
566 # decrypt with fixed device size
567 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -q $FAST_PBKDF_ARGON $DEV --header $7 --sector-size $1 || fail
569 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt -q $DEV --header $7 --device-size $2s --resilience $4 || fail
571 dmsetup load $OVRDEV --table "0 $2 linear $OLD_DEV 0" || fail
572 dmsetup resume $OVRDEV || fail
573 check_hash_dev $DEV $3
574 dmsetup load $OVRDEV --table "0 $5 linear $OLD_DEV 0" || fail
575 dmsetup resume $OVRDEV || fail
577 # try to decrypt device size + 1 encryption sector size
578 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -q $FAST_PBKDF_ARGON $DEV --header $7 --sector-size $1 || fail
580 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt -q $FAST_PBKDF_ARGON $DEV --header $7 --init-only || fail
581 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV --header $7 --device-size $(($5+_esz))s --resilience $4 2>/dev/null && fail
582 check_hash $PWD1 $6 $7
584 # misaligned reencryption size
585 if [ $_esz -gt 1 ]; then
586 echo $PWD1 | $CRYPTSETUP reencrypt -q $DEV --header $7 --device-size $(($2+_esz-1))s --resilience $4 2>/dev/null && fail
587 $CRYPTSETUP luksDump $7 | grep -q "2: linear\|2: crypt" || fail
588 $CRYPTSETUP luksDump $7 | grep -q "3: crypt\|3: linear" && fail
589 check_hash $PWD1 $6 $7
593 # sector size (bytes)
594 # reenc dev size (sectors)
600 function reencrypt_online_fixed_size() {
601 local _esz=$(($1>>9))
603 test -z "$7" || _hdr="--header $7"
605 if [ -z "$_hdr" ]; then
606 echo $PWD1 | $CRYPTSETUP -q luksFormat --sector-size 512 --type luks2 --offset 16384 $FAST_PBKDF_ARGON $DEV || fail
608 echo $PWD1 | $CRYPTSETUP -q luksFormat --sector-size 512 --type luks2 $_hdr $FAST_PBKDF_ARGON $DEV || fail
612 # reencrypt with fixed device size
613 echo $PWD1 | $CRYPTSETUP open $DEV $_hdr $DEV_NAME || fail
614 echo $PWD1 | $CRYPTSETUP resize $DEV_NAME $_hdr --size $2 || fail
615 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --sector-size $1 --resilience $4 || fail
616 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "$2 sectors" || fail
617 $CRYPTSETUP close $DEV_NAME || fail
618 check_hash_head $PWD1 $2 $3 $7
621 # active device != requested reencryption size
622 echo $PWD1 | $CRYPTSETUP open $DEV $_hdr $DEV_NAME || fail
623 echo $PWD1 | $CRYPTSETUP resize $DEV_NAME $_hdr --size $2 || fail
624 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --sector-size $1 --init-only || fail
625 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --device-size $(($2-_esz))s --resilience $4 2>/dev/null && fail
626 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --device-size $2s --resilience $4 || fail
627 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "$2 sectors" || fail
628 $CRYPTSETUP close $DEV_NAME || fail
629 check_hash_head $PWD1 $2 $3 $7
631 # misaligned reencryption size
632 if [ $_esz -gt 1 ]; then
633 if [ -z "$_hdr" ]; then
634 echo $PWD1 | $CRYPTSETUP -q luksFormat --sector-size 512 --type luks2 --offset 16384 $FAST_PBKDF_ARGON $DEV || fail
636 echo $PWD1 | $CRYPTSETUP -q luksFormat --sector-size 512 --type luks2 $_hdr $FAST_PBKDF_ARGON $DEV || fail
639 check_hash $PWD1 $6 $7
641 echo $PWD1 | $CRYPTSETUP open $DEV $_hdr $DEV_NAME || fail
642 echo $PWD1 | $CRYPTSETUP resize $DEV_NAME $_hdr --size $(($2+_esz-1)) || fail
643 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --sector-size $1 --init-only || fail
644 echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --resilience $4 2>/dev/null && fail
645 $CRYPTSETUP close $DEV_NAME || fail
646 check_hash $PWD1 $6 $7
650 function valgrind_setup()
652 which valgrind >/dev/null 2>&1 || fail "Cannot find valgrind."
653 [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
654 export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"
657 function valgrind_run()
659 INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
662 [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
663 [ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."
664 fips_mode && skip "This test cannot be run in FIPS mode."
665 modprobe --dry-run scsi_debug || exit 77
666 modprobe dm-crypt || fail "dm-crypt failed to load"
667 modprobe dm-delay > /dev/null 2>&1
670 if [ -n "$DM_SECTOR_SIZE" ]; then
671 TEST_SECTORS="512 4096"
676 modinfo scsi_debug -p | grep -q opt_xferlen_exp && OPT_XFERLEN_EXP="opt_xferlen_exp=6"
680 [ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run
684 # 28 MiBs of zeros (32MiBs - 4MiB LUKS2 header)
685 HASH1=f8280c81b347b01405277bf9e8bf0685ae8be863ff104797c65b7169f8203fd2
687 HASH2=30e14955ebf1352266dc2ff8067e68104607e750abb9d3b36582b8af909fcb58
689 HASH3=a6d72ac7690f53be6ae46ba88506bd97302a093f7108472bd9efc3cefda06484
691 HASH4=3b6a07d0d404fab4e23b6d34bc6696a6a312dd92821332385e5af7c01c421351
693 HASH5=8afcb7e7189ce4d112fd245eaa60c3cfcf5a5d5e1d6bf4eb85941d73ef8cfbd5
695 HASH6=39f7c6d38af574fe2c90ef400dfaba8ef8edccd11bdac998a3f8143a86837331
697 HASH7=18a393d1a505e22ccf3e29effe3005ea8627e4c36b7cca0e53f58121f49b67e1
699 HASH8=cf5ac69ca412f9b3b1a8b8de27d368c5c05ed4b1b6aa40e6c38d9cbf23711342
701 echo "[1] Reencryption"
702 echo -n "[512 sector]"
703 prepare dev_size_mb=32
704 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c aes-cbc-essiv:sha256 --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
706 check_hash $PWD1 $HASH1
707 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON || fail
708 check_hash $PWD1 $HASH1
709 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal $FAST_PBKDF_ARGON || fail
710 check_hash $PWD1 $HASH1
711 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience none $FAST_PBKDF_ARGON || fail
712 check_hash $PWD1 $HASH1
713 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 128 -c aes-cbc-essiv:sha256 --resilience checksum $FAST_PBKDF_ARGON || fail
714 check_hash $PWD1 $HASH1
715 # simple test --active-name can consume absolute path to mapping
716 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -c aes-xts-plain64 --init-only $FAST_PBKDF_ARGON || fail
717 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
718 echo $PWD1 | $CRYPTSETUP reencrypt --active-name /dev/mapper/$DEV_NAME --resilience none -q || fail
719 echo $PWD1 | $CRYPTSETUP close $DEV_NAME || fail
720 echo -n "[OK][4096 sector]"
721 prepare sector_size=4096 dev_size_mb=32
722 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c aes-cbc-essiv:sha256 --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
724 check_hash $PWD1 $HASH1
725 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON || fail
726 check_hash $PWD1 $HASH1
727 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal $FAST_PBKDF_ARGON || fail
728 check_hash $PWD1 $HASH1
729 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience none $FAST_PBKDF_ARGON || fail
730 check_hash $PWD1 $HASH1
731 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 128 -c aes-cbc-essiv:sha256 --resilience checksum $FAST_PBKDF_ARGON || fail
732 check_hash $PWD1 $HASH1
733 if [ -n "$DM_SECTOR_SIZE" ]; then
734 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON --sector-size 4096 || fail
735 check_hash $PWD1 $HASH1
736 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal --sector-size 2048 $FAST_PBKDF_ARGON || fail
737 check_hash $PWD1 $HASH1
738 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience none $FAST_PBKDF_ARGON --sector-size 1024 || fail
739 check_hash $PWD1 $HASH1
740 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 128 -c aes-cbc-essiv:sha256 --resilience checksum --sector-size 512 $FAST_PBKDF_ARGON || fail
741 check_hash $PWD1 $HASH1
743 echo -n "[OK][4096/512 sector]"
744 prepare sector_size=512 physblk_exp=3 dev_size_mb=32
745 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c aes-cbc-essiv:sha256 --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
747 check_hash $PWD1 $HASH1
748 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON || fail
749 check_hash $PWD1 $HASH1
750 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal $FAST_PBKDF_ARGON || fail
751 check_hash $PWD1 $HASH1
752 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience none $FAST_PBKDF_ARGON || fail
753 check_hash $PWD1 $HASH1
754 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 128 -c aes-cbc-essiv:sha256 --resilience checksum $FAST_PBKDF_ARGON || fail
755 check_hash $PWD1 $HASH1
758 # reencrypt minimal device size (FIXME: change data device size to single encryption sector size)
759 # temporary small device size is default luks2 hdr size + 1MiB
760 echo -n "[small device reencryption]"
761 prepare dev_size_mb=5
762 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c aes-cbc-essiv:sha256 --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
764 check_hash $PWD1 $HASH2
765 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON || fail
766 check_hash $PWD1 $HASH2
767 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal $FAST_PBKDF_ARGON || fail
768 check_hash $PWD1 $HASH2
769 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience none $FAST_PBKDF_ARGON || fail
770 check_hash $PWD1 $HASH2
771 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 128 -c aes-cbc-essiv:sha256 --resilience checksum $FAST_PBKDF_ARGON || fail
772 check_hash $PWD1 $HASH2
773 if [ -n "$DM_SECTOR_SIZE" ]; then
774 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON --sector-size 4096 || fail
775 check_hash $PWD1 $HASH2
776 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal --sector-size 2048 $FAST_PBKDF_ARGON || fail
777 check_hash $PWD1 $HASH2
778 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience none $FAST_PBKDF_ARGON --sector-size 1024 || fail
779 check_hash $PWD1 $HASH2
780 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 128 -c aes-cbc-essiv:sha256 --resilience checksum --sector-size 512 $FAST_PBKDF_ARGON || fail
781 check_hash $PWD1 $HASH2
785 echo "[2] Encryption with data shift"
786 # well, movin' zeroes :-)
789 check_hash_dev $DEV $HASH4
790 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M -q $FAST_PBKDF_ARGON || fail
791 check_hash_head $PWD1 $((56*1024*2)) $HASH5
793 check_hash_dev $DEV $HASH4
794 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c twofish-cbc-essiv:sha256 -s 128 --reduce-device-size 21M -q $FAST_PBKDF_ARGON || fail
795 check_hash_head $PWD1 $((43*1024*2)) $HASH6
797 # offset 21504 equals 10,5MiBs, equals --reduce-device-size 21M from test above (30M is ignored here, we'll reduce it to 21M in cryptsetup anyway)
798 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c twofish-cbc-essiv:sha256 -s 128 --offset 21504 --reduce-device-size 30M -q $FAST_PBKDF_ARGON > /dev/null || fail
799 check_hash_head $PWD1 $((43*1024*2)) $HASH6
801 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size 33M -q $FAST_PBKDF_ARGON || fail
802 check_hash_head $PWD1 $((31*1024*2)) $HASH7
804 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size 64M -q $FAST_PBKDF_ARGON > /dev/null 2>&1 && fail
805 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --reduce-device-size 8M --init-only -q $FAST_PBKDF_ARGON $DEV || fail
806 resize_file $DEVBIG -512
807 echo $PWD1 | $CRYPTSETUP reencrypt $DEV 2> /dev/null && fail
808 resize_file $DEVBIG 512
810 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128 --offset 32760 --reduce-device-size 8M -q $FAST_PBKDF_ARGON --init-only >/dev/null 2>&1 && fail
811 # data offset at 21MiB
812 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --header $IMG_HDR --offset 43008 --reduce-device-size 21M -q $FAST_PBKDF_ARGON || fail
813 check_hash $PWD1 $HASH6 $IMG_HDR
814 $CRYPTSETUP luksHeaderRestore --header-backup-file $IMG_HDR $DEV -q || fail
815 check_hash $PWD1 $HASH6
817 # Device activation after encryption initialization
819 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 -S11 --reduce-device-size 8M -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
820 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
821 check_hash_dev /dev/mapper/$DEV_NAME $HASH5
822 echo $PWD1 | $CRYPTSETUP reencrypt --resume-only $DEV -q || fail
823 check_hash_dev /dev/mapper/$DEV_NAME $HASH5
825 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M -q $FAST_PBKDF_ARGON $DEV_NAME 2>/dev/null && fail
826 $CRYPTSETUP close $DEV_NAME
827 check_hash_head $PWD1 $((56*1024*2)) $HASH5
829 # Device activation using key file
831 echo -n $PWD1 > $KEY1
832 $CRYPTSETUP reencrypt $DEV --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M --key-file $KEY1 -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
833 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
834 $CRYPTSETUP close $DEV_NAME
835 echo $PWD1 | $CRYPTSETUP open $DEV --test-passphrase || fail
837 echo "[3] Encryption with detached header"
840 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
841 check_hash $PWD1 $HASH3 $IMG_HDR
843 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --resilience journal --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
844 check_hash $PWD1 $HASH3 $IMG_HDR
846 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -c twofish-cbc-essiv:sha256 -s 128 --resilience none --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
847 check_hash $PWD1 $HASH3 $IMG_HDR
849 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -c serpent-xts-plain --resilience checksum --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
850 check_hash $PWD1 $HASH3 $IMG_HDR
852 # Device activation after encryption initialization
854 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV $DEV_NAME >/dev/null || fail
855 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
856 check_hash_dev /dev/mapper/$DEV_NAME $HASH3
857 echo $PWD1 | $CRYPTSETUP reencrypt --resume-only --header $IMG_HDR --active-name $DEV_NAME -q || fail
858 check_hash_dev /dev/mapper/$DEV_NAME $HASH3
859 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M -q $FAST_PBKDF_ARGON $DEV_NAME 2>/dev/null && fail
860 $CRYPTSETUP close $DEV_NAME
861 check_hash $PWD1 $HASH3 $IMG_HDR
863 # Device activation using key file
865 echo -n $PWD1 > $KEY1
866 $CRYPTSETUP reencrypt $DEV --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR --key-file $KEY1 -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
867 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
868 $CRYPTSETUP close $DEV_NAME
869 echo $PWD1 | $CRYPTSETUP open --header $IMG_HDR $DEV --test-passphrase || fail
871 echo "[4] Reencryption with detached header"
873 echo $PWD1 | $CRYPTSETUP reencrypt -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
874 check_hash $PWD1 $HASH3 $IMG_HDR
875 echo $PWD1 | $CRYPTSETUP reencrypt --resilience journal --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
876 check_hash $PWD1 $HASH3 $IMG_HDR
877 echo $PWD1 | $CRYPTSETUP reencrypt -c twofish-cbc-essiv:sha256 -s 128 --resilience none --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
878 check_hash $PWD1 $HASH3 $IMG_HDR
879 echo $PWD1 | $CRYPTSETUP reencrypt -c serpent-xts-plain --resilience checksum --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
880 check_hash $PWD1 $HASH3 $IMG_HDR
881 # trivial check for detached header misuse
882 dd if=/dev/zero of=$IMG bs=4k count=1 >/dev/null 2>&1
883 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
884 echo $PWD1 | $CRYPTSETUP open $IMG $DEV_NAME --header $IMG_HDR || fail
885 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME2 --header $IMG_HDR || fail
886 echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME --header $IMG_HDR -q || fail
887 # key description mismatch in active device
888 echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME2 --header $IMG_HDR >/dev/null 2>&1 && fail
889 # also check it can abort initialization in this case
890 $CRYPTSETUP luksDump $IMG_HDR | grep -q "online-reencrypt" && fail
891 $CRYPTSETUP close $DEV_NAME || fail
892 $CRYPTSETUP close $DEV_NAME2 || fail
894 echo "[5] Decryption with detached header"
895 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
897 echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --header $IMG_HDR $DEV || fail
898 check_hash_dev $DEV $HASH3
899 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
901 echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --resilience journal --header $IMG_HDR $DEV || fail
902 check_hash_dev $DEV $HASH3
903 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c twofish-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
905 echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --resilience none --header $IMG_HDR $DEV || fail
906 check_hash_dev $DEV $HASH3
907 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c serpent-xts-plain --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
909 echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --resilience checksum --header $IMG_HDR $DEV || fail
910 check_hash_dev $DEV $HASH3
912 # check deferred remove works as expected after decryption
913 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c serpent-xts-plain --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
914 open_crypt $PWD1 $IMG_HDR
915 dmsetup create $DEV_NAME2 --table "0 1 linear /dev/mapper/$DEV_NAME 0" || fail
916 echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --resilience checksum --header $IMG_HDR --active-name $DEV_NAME || fail
917 $CRYPTSETUP status $DEV_NAME >/dev/null || fail
918 dmsetup remove --retry $DEV_NAME2
919 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail
921 if ! dm_delay_features; then
922 echo "dm-delay target is missing, skipping recovery tests."
927 echo "[6] Reencryption recovery"
928 # (check opt-io size optimization in reencryption code does not affect recovery)
929 # device with opt-io size 32k
930 prepare_linear_dev 32 opt_blks=64 $OPT_XFERLEN_EXP
933 echo "sector size 512->512"
935 get_error_offsets 32 $OFFSET
936 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
938 check_hash $PWD1 $HASH1
940 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
941 reencrypt_recover 512 checksum $HASH1
942 reencrypt_recover 512 journal $HASH1
944 if [ -n "$DM_SECTOR_SIZE" ]; then
945 echo "sector size 512->4096"
947 get_error_offsets 32 $OFFSET 4096
948 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
950 check_hash $PWD1 $HASH1
952 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
953 reencrypt_recover 4096 checksum $HASH1
954 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
956 check_hash $PWD1 $HASH1
957 reencrypt_recover 4096 journal $HASH1
959 echo "sector size 4096->4096"
961 get_error_offsets 32 $OFFSET 4096
962 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 --sector-size 4096 -c aes-cbc-essiv:sha256 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
964 check_hash $PWD1 $HASH1
966 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
967 reencrypt_recover 4096 checksum $HASH1
968 reencrypt_recover 4096 journal $HASH1
971 echo "[7] Reencryption recovery (online i/o error)"
973 echo "sector size 512->512"
975 get_error_offsets 32 $OFFSET
976 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
978 check_hash $PWD1 $HASH1
980 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
981 reencrypt_recover_online 512 checksum $HASH1
982 reencrypt_recover_online 512 journal $HASH1
984 if [ -n "$DM_SECTOR_SIZE" ]; then
985 echo "sector size 512->4096"
987 get_error_offsets 32 $OFFSET 4096
988 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
990 check_hash $PWD1 $HASH1
992 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
993 reencrypt_recover_online 4096 checksum $HASH1
994 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
996 check_hash $PWD1 $HASH1
997 reencrypt_recover_online 4096 journal $HASH1
999 echo "sector size 4096->4096"
1001 get_error_offsets 32 $OFFSET 4096
1002 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 --sector-size 4096 -c aes-cbc-essiv:sha256 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
1004 check_hash $PWD1 $HASH1
1006 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1007 reencrypt_recover_online 4096 checksum $HASH1
1008 reencrypt_recover_online 4096 journal $HASH1
1011 echo "[8] Reencryption with detached header recovery"
1012 prepare_linear_dev 31 opt_blks=64 $OPT_XFERLEN_EXP
1014 echo "sector size 512->512"
1016 get_error_offsets 31 0
1017 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
1019 check_hash $PWD1 $HASH7 $IMG_HDR
1021 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1022 reencrypt_recover 512 checksum $HASH7 $IMG_HDR
1023 reencrypt_recover 512 journal $HASH7 $IMG_HDR
1025 if [ -n "$DM_SECTOR_SIZE" ]; then
1026 echo "sector size 512->4096"
1028 get_error_offsets 31 0 4096
1029 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
1031 check_hash $PWD1 $HASH7 $IMG_HDR
1033 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1034 reencrypt_recover 4096 checksum $HASH7 $IMG_HDR
1035 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
1037 check_hash $PWD1 $HASH7 $IMG_HDR
1038 reencrypt_recover 4096 journal $HASH7 $IMG_HDR
1040 echo "sector size 4096->4096"
1042 get_error_offsets 31 0 4096
1043 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 4096 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
1045 check_hash $PWD1 $HASH7 $IMG_HDR
1047 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1048 reencrypt_recover 4096 checksum $HASH7 $IMG_HDR
1049 reencrypt_recover 4096 journal $HASH7 $IMG_HDR
1052 echo "[9] Reencryption with detached header recovery (online i/o error)"
1054 echo "sector size 512->512"
1056 get_error_offsets 31 0
1057 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
1059 check_hash $PWD1 $HASH7 $IMG_HDR
1061 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1062 reencrypt_recover_online 512 checksum $HASH7 $IMG_HDR
1063 reencrypt_recover_online 512 journal $HASH7 $IMG_HDR
1065 if [ -n "$DM_SECTOR_SIZE" ]; then
1066 echo "sector size 512->4096"
1068 get_error_offsets 31 0 4096
1069 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
1071 check_hash $PWD1 $HASH7 $IMG_HDR
1073 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1074 reencrypt_recover_online 4096 checksum $HASH7 $IMG_HDR
1075 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
1077 check_hash $PWD1 $HASH7 $IMG_HDR
1078 reencrypt_recover_online 4096 journal $HASH7 $IMG_HDR
1080 echo "sector size 4096->4096"
1082 get_error_offsets 31 0 4096
1083 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 4096 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
1085 check_hash $PWD1 $HASH7 $IMG_HDR
1087 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1088 reencrypt_recover_online 4096 checksum $HASH7 $IMG_HDR
1089 reencrypt_recover_online 4096 journal $HASH7 $IMG_HDR
1092 echo "[10] Encryption recovery"
1093 prepare_linear_dev 64
1094 OFFSET=$((2*1024*2))
1096 echo "sector size 512"
1098 get_error_offsets 64 $OFFSET 512 $((62*1024*2))
1100 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1101 encrypt_recover 512 4M $HASH8 $((60*1024*2)) $HASH4
1103 if [ -n "$DM_SECTOR_SIZE" ]; then
1104 echo "sector size 4096"
1106 get_error_offsets 64 $OFFSET 4096 $((62*1024*2))
1108 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1109 encrypt_recover 4096 4M $HASH8 $((60*1024*2)) $HASH4
1112 echo "[11] Encryption recovery (online i/o error)"
1114 echo "sector size 512"
1116 get_error_offsets 64 $OFFSET 512 $((62*1024*2))
1118 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1119 encrypt_recover_online 512 4M $HASH8 $((60*1024*2)) $HASH4
1121 if [ -n "$DM_SECTOR_SIZE" ]; then
1122 echo "sector size 4096"
1124 get_error_offsets 64 $OFFSET 4096 $((62*1024*2))
1126 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1127 encrypt_recover_online 4096 4M $HASH8 $((60*1024*2)) $HASH4
1130 echo "[12] Encryption with detached header recovery"
1131 prepare_linear_dev 31 opt_blks=64 $OPT_XFERLEN_EXP
1133 get_error_offsets 31 0
1135 echo "sector size 512"
1137 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1138 encrypt_recover_detached 512 checksum $HASH7 $IMG_HDR
1139 encrypt_recover_detached 512 journal $HASH7 $IMG_HDR
1141 if [ -n "$DM_SECTOR_SIZE" ]; then
1142 get_error_offsets 31 0 4096
1144 echo "sector size 4096"
1146 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1147 encrypt_recover_detached 4096 checksum $HASH7 $IMG_HDR
1148 encrypt_recover_detached 4096 journal $HASH7 $IMG_HDR
1151 echo "[13] Encryption with detached header recovery (online i/o error)"
1153 get_error_offsets 31 0
1155 echo "sector size 512"
1157 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1158 encrypt_recover_detached_online 512 checksum $HASH7 $IMG_HDR
1159 encrypt_recover_detached_online 512 journal $HASH7 $IMG_HDR
1161 if [ -n "$DM_SECTOR_SIZE" ]; then
1162 get_error_offsets 31 0 4096
1164 echo "sector size 4096"
1166 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1167 encrypt_recover_detached_online 4096 checksum $HASH7 $IMG_HDR
1168 encrypt_recover_detached_online 4096 journal $HASH7 $IMG_HDR
1171 echo "[14] Decryption with detached header recovery"
1173 echo "sector size 512"
1175 # TODO: What should decryption do when it finishes decryption during recovery (with open)
1176 get_error_offsets 31 2049
1178 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1179 decrypt_recover_detached 512 journal $HASH7 $IMG_HDR
1180 decrypt_recover_detached 512 checksum $HASH7 $IMG_HDR
1182 if [ -n "$DM_SECTOR_SIZE" ]; then
1183 echo "sector size 4096"
1185 # TODO: What should decryption do when it finishes decryption during recovery (with open)
1186 get_error_offsets 31 2048 4096
1188 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1189 decrypt_recover_detached 4096 checksum $HASH7 $IMG_HDR
1190 decrypt_recover_detached 4096 journal $HASH7 $IMG_HDR
1193 echo "[15] Decryption with detached header recovery (online i/o error)"
1195 echo "sector size 512"
1197 # TODO: What should decryption do when it finishes decryption during recovery (with open)
1198 get_error_offsets 31 2049
1200 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1201 decrypt_recover_detached_online 512 journal $HASH7 $IMG_HDR
1202 decrypt_recover_detached_online 512 checksum $HASH7 $IMG_HDR
1204 if [ -n "$DM_SECTOR_SIZE" ]; then
1205 echo "sector size 4096"
1207 # TODO: What should decryption do when it finishes decryption during recovery (with open)
1208 get_error_offsets 31 2048 4096
1210 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
1211 decrypt_recover_detached_online 4096 checksum $HASH7 $IMG_HDR
1212 decrypt_recover_detached_online 4096 journal $HASH7 $IMG_HDR
1215 echo "[16] Offline reencryption with fixed device size."
1217 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --offset 16384 $FAST_PBKDF_ARGON $DEV || fail
1219 check_hash $PWD1 $HASH8
1221 for test_ss in $TEST_SECTORS; do
1222 printf "sector size %4s: " $test_ss
1223 for test_res in checksum journal none; do
1224 echo -n "[$test_res]"
1225 reencrypt_offline_fixed_size $test_ss 2048 $HASH2 $test_res $((60*1024*2)) $HASH8
1226 reencrypt_offline_fixed_size $test_ss $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8
1227 reencrypt_offline_fixed_size $test_ss $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8
1233 echo "[17] Online reencryption with fixed device size."
1234 for test_ss in $TEST_SECTORS; do
1235 printf "sector size %4s: " $test_ss
1236 for test_res in checksum journal none; do
1237 echo -n "[$test_res]"
1238 reencrypt_online_fixed_size $test_ss 2048 $HASH2 $test_res $((60*1024*2)) $HASH8
1239 reencrypt_online_fixed_size $test_ss $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8
1240 reencrypt_online_fixed_size $test_ss $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8
1246 echo "[18] Offline reencryption with fixed device size (detached header)."
1248 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
1250 check_hash $PWD1 $HASH8 $IMG_HDR
1252 for test_ss in $TEST_SECTORS; do
1253 printf "sector size %4s: " $test_ss
1254 for test_res in checksum journal none; do
1255 echo -n "[$test_res]"
1256 reencrypt_offline_fixed_size $test_ss 2048 $HASH2 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1257 reencrypt_offline_fixed_size $test_ss $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1258 reencrypt_offline_fixed_size $test_ss $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1264 echo "[19] Online reencryption with fixed device size (detached header)."
1265 for test_ss in $TEST_SECTORS; do
1266 printf "sector size %4s: " $test_ss
1267 for test_res in checksum journal none; do
1268 echo -n "[$test_res]"
1269 reencrypt_online_fixed_size $test_ss 2048 $HASH2 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1270 reencrypt_online_fixed_size $test_ss $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1271 reencrypt_online_fixed_size $test_ss $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1277 echo "[20] Offline encryption with fixed device size (detached header)."
1278 for test_ss in $TEST_SECTORS; do
1279 printf "sector size %4s: " $test_ss
1280 for test_res in checksum journal none; do
1281 echo -n "[$test_res]"
1282 encrypt_offline_fixed_size $test_ss 2048 $HASH2 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1283 encrypt_offline_fixed_size $test_ss $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1284 encrypt_offline_fixed_size $test_ss $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1290 echo "[21] Offline decryption with fixed device size (detached header)."
1291 prepare_linear_dev 60
1292 for test_ss in $TEST_SECTORS; do
1293 printf "sector size %4s: " $test_ss
1294 for test_res in checksum journal none; do
1295 echo -n "[$test_res]"
1296 decrypt_offline_fixed_size $test_ss 2048 $HASH2 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1297 decrypt_offline_fixed_size $test_ss $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1298 decrypt_offline_fixed_size $test_ss $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
1304 echo "[22] Multi-keyslot device reencryption"
1305 prepare dev_size_mb=17
1306 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --offset 32768 $FAST_PBKDF_ARGON $DEV || fail
1307 echo -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF2 $DEV || fail
1308 echo -e "$PWD1\n$PWD3" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_ARGON $DEV || fail
1310 check_hash $PWD1 $HASH2
1312 echo -e "$PWD1\n$PWD2\n$PWD3" | $CRYPTSETUP reencrypt $DEV -q || fail
1313 check_hash $PWD1 $HASH2
1314 check_hash $PWD2 $HASH2
1315 check_hash $PWD3 $HASH2
1317 # check at least pbkdf type is preserved
1318 $CRYPTSETUP luksDump $DEV | grep -e "3: luks2" -A5 | grep -q "argon2" || fail
1319 $CRYPTSETUP luksDump $DEV | grep -e "4: luks2" -A5 | grep -q "pbkdf2" || fail
1320 $CRYPTSETUP luksDump $DEV | grep -e "5: luks2" -A5 | grep -q "argon2" || fail
1322 echo $PWD1 | $CRYPTSETUP -q luksAddKey $FAST_PBKDF2 $DEV $KEY1 || fail
1324 # with more keyslots, specific has to be selected
1325 $CRYPTSETUP reencrypt $DEV -d $KEY1 -q 2>/dev/null && fail
1326 $CRYPTSETUP reencrypt $DEV -d $KEY1 -q -S0 || fail
1328 check_hash_dev /dev/mapper/$DEV_NAME $HASH2
1329 $CRYPTSETUP close $DEV_NAME
1331 # there should be single keyslot now
1332 $CRYPTSETUP reencrypt $DEV -d $KEY1 -q || fail
1333 echo $PWD1 | $CRYPTSETUP -q luksAddKey $FAST_PBKDF2 $DEV -S1 -d $KEY1 || fail
1335 echo $PWD3 | $CRYPTSETUP -q luksAddKey $FAST_PBKDF2 $DEV -S2 --unbound --key-size 32 || fail
1336 echo $PWD3 | $CRYPTSETUP -q luksAddKey $FAST_PBKDF2 $DEV -S22 --unbound --key-size 32 || fail
1337 echo $PWD3 | $CRYPTSETUP -q luksAddKey $FAST_PBKDF2 $DEV -S23 --unbound --key-size 32 || fail
1339 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -S1 -q || fail
1340 $CRYPTSETUP open --test-passphrase -d $KEY1 $DEV 2>/dev/null && fail
1341 echo $PWD3 | $CRYPTSETUP open --test-passphrase -S2 $DEV || fail
1342 echo $PWD3 | $CRYPTSETUP open --test-passphrase -S22 $DEV || fail
1343 check_hash $PWD1 $HASH2
1347 while [ $COUNT -gt 0 ]; do
1348 echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey $DEV -q $FAST_PBKDF_ARGON || fail
1352 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -S0 -q 2>/dev/null && fail
1353 echo $PWD1 | $CRYPTSETUP luksKillSlot $DEV 30 || fail
1354 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -S0 || fail
1357 while [ $COUNT -gt 0 ]; do
1358 echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey $DEV -q $FAST_PBKDF_ARGON || fail
1362 echo -e "$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1" | $CRYPTSETUP reencrypt $DEV -q 2>/dev/null && fail
1363 echo $PWD1 | $CRYPTSETUP luksKillSlot $DEV 1 || fail
1364 # one wrong passphrase
1365 echo -e "$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD2" | $CRYPTSETUP reencrypt $DEV -q 2>/dev/null && fail
1366 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --resume-only -q 2>/dev/null && fail
1367 echo -e "$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1" | $CRYPTSETUP reencrypt $DEV -q || fail