[RFC,0/8] xfstests: test the fscrypt hardware-wrapped key support

Message ID 20220228074722.77008-1-ebiggers@kernel.org (mailing list archive)

Eric Biggers Feb. 28, 2022, 7:47 a.m. UTC
This series adds xfstests for the "hardware-wrapped inline encryption
keys" feature which I've proposed adding to the kernel
(https://lore.kernel.org/linux-fscrypt/20220228070520.74082-1-ebiggers@kernel.org/T/#u).

This applies to the master branch of xfstests (commit 2ea74ba4e70b).

For now, the new tests just include ciphertext verification tests.
These are the most important type of test to have here, as they validate
the on-disk format, which must be gotten right from the start.  They
verify that all the cryptography is implemented correctly, including
both the parts handled by the hardware and the parts handled by the
kernel.  Naturally, to do their work they exercise the new UAPIs too.

For now this is an RFC, as the corresponding kernel patches have yet to
be applied.  Patches 1-5 are cleanups that could be applied earlier, but
I need to look them over again first and probably will resend them.

In any case, any reviews would be greatly appreciated!

I've verified that the new tests run and pass when all their
prerequisites are met, namely:

- Hardware supporting the feature must be present.  I tested this on the
  SM8350 HDK (note: this currently requires a custom TrustZone image);
  this hardware is compatible with both of IV_INO_LBLK_{64,32}.
- The kernel patches for hardware-wrapped key support must be applied.
- The filesystem must be ext4 or f2fs.
- The kernel must have CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y.
- The fscryptctl program must be available, and must have my patches for
  hardware-wrapped key support applied.  These can currently be found at
  https://github.com/ebiggers/fscryptctl/tree/wip-wrapped-keys.

Eric Biggers (8):
  fscrypt-crypt-util: use an explicit --direct-key option
  fscrypt-crypt-util: refactor get_key_and_iv()
  fscrypt-crypt-util: add support for dumping key identifier
  common/encrypt: log full ciphertext verification params
  common/encrypt: verify the key identifiers
  fscrypt-crypt-util: add hardware KDF support
  common/encrypt: support hardware-wrapped key testing
  generic: verify ciphertext with hardware-wrapped keys

 common/config            |   1 +
 common/encrypt           | 149 +++++++++++--
 src/fscrypt-crypt-util.c | 454 ++++++++++++++++++++++++++++++++-------
 tests/generic/900        |  30 +++
 tests/generic/900.out    |   6 +
 tests/generic/901        |  30 +++
 tests/generic/901.out    |   6 +
 7 files changed, 579 insertions(+), 97 deletions(-)
 create mode 100755 tests/generic/900
 create mode 100644 tests/generic/900.out
 create mode 100755 tests/generic/901
 create mode 100644 tests/generic/901.out


base-commit: 2ea74ba4e70b546279896e2a733c8c7f4b206193