[thirdparty/systemd.git] / test / TEST-24-CRYPTSETUP / test.sh

#!/usr/bin/env bash
# SPDX-License-Identifier: LGPL-2.1-or-later
set -e

TEST_DESCRIPTION="cryptsetup systemd setup"
IMAGE_NAME="cryptsetup"
IMAGE_ADDITIONAL_DATA_SIZE=100
TEST_NO_NSPAWN=1
TEST_FORCE_NEWIMAGE=1

# shellcheck source=test/test-functions
. "${TEST_BASE_DIR:?}/test-functions"

PART_UUID="deadbeef-dead-dead-beef-000000000000"
DM_NAME="test24_varcrypt"
KERNEL_OPTIONS=(
    "rd.luks=1"
    "luks.name=$PART_UUID=$DM_NAME"
    "luks.key=$PART_UUID=/keyfile:LABEL=varcrypt_keydev"
    "luks.options=$PART_UUID=x-initrd.attach"
)
KERNEL_APPEND+=" ${KERNEL_OPTIONS[*]}"
QEMU_OPTIONS+=" -drive format=raw,cache=unsafe,file=${STATEDIR:?}/keydev.img"

check_result_qemu() {
    local ret

    mount_initdir

    cryptsetup luksOpen "${LOOPDEV:?}p4" "${DM_NAME:?}" <"$TESTDIR/keyfile"
    mount "/dev/mapper/$DM_NAME" "$initdir/var"

    check_result_common "${initdir:?}" && ret=0 || ret=$?

    _umount_dir "$initdir/var"
    _umount_dir "$initdir"
    cryptsetup luksClose "/dev/mapper/$DM_NAME"

    return $ret
}

can_test_pkcs11() {
    if ! command -v "softhsm2-util" >/dev/null; then
        ddebug "softhsm2-util not available, skipping the PKCS#11 test"
        return 1
    fi
    if ! command -v "pkcs11-tool" >/dev/null; then
        ddebug "pkcs11-tool not available, skipping the PKCS#11 test"
        return 1
    fi
    if ! command -v "certtool" >/dev/null; then
        ddebug "certtool not available, skipping the PKCS#11 test"
        return 1
    fi
    if ! "${SYSTEMCTL:?}" --version | grep -q "+P11KIT"; then
        ddebug "Support for p11-kit is disabled, skipping the PKCS#11 test"
        return 1
    fi
    if ! "${SYSTEMCTL:?}" --version | grep -q "+LIBCRYPTSETUP\b"; then
        ddebug "Support for libcryptsetup is disabled, skipping the PKCS#11 test"
        return 1
    fi
    if ! "${SYSTEMCTL:?}" --version | grep -q "+LIBCRYPTSETUP_PLUGINS"; then
        ddebug "Support for libcryptsetup plugins is disabled, skipping the PKCS#11 test"
        return 1
    fi

    return 0
}

setup_pkcs11_token() {
    dinfo "Setup PKCS#11 token"
    local P11_MODULE_CONFIGS_DIR P11_MODULE_DIR SOFTHSM_MODULE

    export SOFTHSM2_CONF="/tmp/softhsm2.conf"
    mkdir -p "$initdir/var/lib/softhsm/tokens/"
    cat >${SOFTHSM2_CONF} <<EOF
directories.tokendir = $initdir/var/lib/softhsm/tokens/
objectstore.backend = file
slots.removable = false
slots.mechanisms = ALL
EOF
    export GNUTLS_PIN="1234"
    export GNUTLS_SO_PIN="12345678"
    softhsm2-util --init-token --free --label "TestToken" --pin ${GNUTLS_PIN} --so-pin ${GNUTLS_SO_PIN}

    if ! P11_MODULE_CONFIGS_DIR=$(pkg-config --variable=p11_module_configs p11-kit-1); then
        echo "WARNING! Cannot get p11_module_configs from p11-kit-1.pc, assuming /usr/share/p11-kit/modules" >&2
        P11_MODULE_CONFIGS_DIR="/usr/share/p11-kit/modules"
    fi

    if ! P11_MODULE_DIR=$(pkg-config --variable=p11_module_path p11-kit-1); then
        echo "WARNING! Cannot get p11_module_path from p11-kit-1.pc, assuming /usr/lib/pkcs11" >&2
        P11_MODULE_DIR="/usr/lib/pkcs11"
    fi

    SOFTHSM_MODULE=$(grep -F 'module:' "$P11_MODULE_CONFIGS_DIR/softhsm2.module"| cut -d ':' -f 2| xargs)
    if [[ "$SOFTHSM_MODULE" =~ ^[^/] ]]; then
        SOFTHSM_MODULE="$P11_MODULE_DIR/$SOFTHSM_MODULE"
    fi

    # RSA #####################################################
    pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "RSA:2048" --label "RSATestKey" --usage-decrypt

    certtool --generate-self-signed \
      --load-privkey="pkcs11:token=TestToken;object=RSATestKey;type=private" \
      --load-pubkey="pkcs11:token=TestToken;object=RSATestKey;type=public" \
      --template "$TEST_BASE_DIR/$TESTNAME/template.cfg" \
      --outder --outfile "/tmp/rsa_test.crt"

    pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/rsa_test.crt" --type cert --label "RSATestKey"
    rm "/tmp/rsa_test.crt"

    # prime256v1 ##############################################
    pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "EC:prime256v1" --label "ECTestKey" --usage-derive

    certtool --generate-self-signed \
      --load-privkey="pkcs11:token=TestToken;object=ECTestKey;type=private" \
      --load-pubkey="pkcs11:token=TestToken;object=ECTestKey;type=public" \
      --template "$TEST_BASE_DIR/$TESTNAME/template.cfg" \
      --outder --outfile "/tmp/ec_test.crt"

    pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/ec_test.crt" --type cert --label "ECTestKey"
    rm "/tmp/ec_test.crt"

    ###########################################################
    rm ${SOFTHSM2_CONF}
    unset SOFTHSM2_CONF

    inst_libs "$SOFTHSM_MODULE"
    inst_library "$SOFTHSM_MODULE"
    inst_simple "$P11_MODULE_CONFIGS_DIR/softhsm2.module"

    cat >"$initdir/etc/softhsm2.conf" <<EOF
directories.tokendir = /var/lib/softhsm/tokens/
objectstore.backend = file
slots.removable = false
slots.mechanisms = ALL
log.level = INFO
EOF

    mkdir -p "$initdir/etc/systemd/system/systemd-cryptsetup@.service.d"
    cat >"$initdir/etc/systemd/system/systemd-cryptsetup@.service.d/PKCS11.conf" <<EOF
[Service]
Environment="SOFTHSM2_CONF=/etc/softhsm2.conf"
Environment="PIN=$GNUTLS_PIN"
EOF

    unset GNUTLS_PIN
    unset GNUTLS_SO_PIN
}

test_create_image() {
    create_empty_image_rootdir

    echo -n test >"${TESTDIR:?}/keyfile"
    cryptsetup -q luksFormat --uuid="$PART_UUID" --pbkdf pbkdf2 --pbkdf-force-iterations 1000 "${LOOPDEV:?}p4" "$TESTDIR/keyfile"
    cryptsetup luksOpen "${LOOPDEV}p4" "${DM_NAME:?}" <"$TESTDIR/keyfile"
    mkfs.ext4 -L var "/dev/mapper/$DM_NAME"
    mkdir -p "${initdir:?}/var"
    mount "/dev/mapper/$DM_NAME" "$initdir/var"

    LOG_LEVEL=5

    setup_basic_environment
    mask_supporting_services

    install_dmevent
    generate_module_dependencies

    if can_test_pkcs11; then
        setup_pkcs11_token
    fi

    # Create a keydev
    dd if=/dev/zero of="${STATEDIR:?}/keydev.img" bs=1M count=16
    mkfs.ext4 -L varcrypt_keydev "$STATEDIR/keydev.img"
    mkdir -p "$STATEDIR/keydev"
    mount "$STATEDIR/keydev.img" "$STATEDIR/keydev"
    echo -n test >"$STATEDIR/keydev/keyfile"
    sync "$STATEDIR/keydev"
    umount "$STATEDIR/keydev"

    cat >>"$initdir/etc/fstab" <<EOF
/dev/mapper/$DM_NAME    /var    ext4    defaults 0 1
EOF

    # Forward journal messages to the console, so we have something
    # to investigate even if we fail to mount the encrypted /var
    echo ForwardToConsole=yes >>"$initdir/etc/systemd/journald.conf"

    # If $INITRD wasn't provided explicitly, generate a custom one with dm-crypt
    # support
    if [[ -z "$INITRD" ]]; then
        INITRD="${TESTDIR:?}/initrd.img"
        dinfo "Generating a custom initrd with dm-crypt support in '${INITRD:?}'"

        if command -v dracut >/dev/null; then
            dracut --force --verbose --add crypt "$INITRD"
        elif command -v mkinitcpio >/dev/null; then
            mkinitcpio -S autodetect --addhooks sd-encrypt --generate "$INITRD"
        elif command -v mkinitramfs >/dev/null; then
            # The cryptroot hook is provided by the cryptsetup-initramfs package
            if ! dpkg-query -s cryptsetup-initramfs; then
                derror "Missing 'cryptsetup-initramfs' package for dm-crypt support in initrd"
                return 1
            fi

            mkinitramfs -o "$INITRD"
        else
            dfatal "Unrecognized initrd generator, can't continue"
            return 1
        fi
    fi
}

cleanup_root_var() {
    mountpoint -q "$initdir/var" && umount "$initdir/var"
    [[ -b "/dev/mapper/${DM_NAME:?}" ]] && cryptsetup luksClose "/dev/mapper/$DM_NAME"
    mountpoint -q "${STATEDIR:?}/keydev" && umount "$STATEDIR/keydev"
}

test_cleanup() {
    # ignore errors, so cleanup can continue
    cleanup_root_var || :
    _test_cleanup
}

test_setup_cleanup() {
    cleanup_root_var || :
    cleanup_initdir
}

do_test "$@"
Commit	Line	Data
ff12a795	1	#!/usr/bin/env bash
7b3cec95	2	# SPDX-License-Identifier: LGPL-2.1-or-later
818567fc	3	set -e
3f161ba9	4
71dc3ed1	5	TEST_DESCRIPTION="cryptsetup systemd setup"
8c3534b5	6	IMAGE_NAME="cryptsetup"
b7e91384	7	IMAGE_ADDITIONAL_DATA_SIZE=100
054ee249	8	TEST_NO_NSPAWN=1
d9e606e8	9	TEST_FORCE_NEWIMAGE=1
71dc3ed1	10
3f161ba9 FS	11	# shellcheck source=test/test-functions
3f161ba9 FS	12	. "${TEST_BASE_DIR:?}/test-functions"
71dc3ed1	13
1fb7f8e1 FS	14	PART_UUID="deadbeef-dead-dead-beef-000000000000"
1fb7f8e1 FS	15	DM_NAME="test24_varcrypt"
d7c1df84 FS	16	KERNEL_OPTIONS=(
	17	"rd.luks=1"
	18	"luks.name=$PART_UUID=$DM_NAME"
	19	"luks.key=$PART_UUID=/keyfile:LABEL=varcrypt_keydev"
	20	"luks.options=$PART_UUID=x-initrd.attach"
	21	)
	22	KERNEL_APPEND+=" ${KERNEL_OPTIONS[*]}"
6b70d3cf	23	QEMU_OPTIONS+=" -drive format=raw,cache=unsafe,file=${STATEDIR:?}/keydev.img"
1fb7f8e1	24
889a9042	25	check_result_qemu() {
e6faf0ee	26	local ret
3f161ba9	27
1506edca	28	mount_initdir
3f161ba9	29
97bbb9cf	30	cryptsetup luksOpen "${LOOPDEV:?}p4" "${DM_NAME:?}" <"$TESTDIR/keyfile"
1fb7f8e1	31	mount "/dev/mapper/$DM_NAME" "$initdir/var"
e6faf0ee FS	32
	33	check_result_common "${initdir:?}" && ret=0 \|\| ret=$?
	34
3f161ba9 FS	35	_umount_dir "$initdir/var"
3f161ba9 FS	36	_umount_dir "$initdir"
1fb7f8e1	37	cryptsetup luksClose "/dev/mapper/$DM_NAME"
3f161ba9	38
71dc3ed1 LP	39	return $ret
	40	}
	41
a3c1b0d7 VS	42	can_test_pkcs11() {
	43	if ! command -v "softhsm2-util" >/dev/null; then
	44	ddebug "softhsm2-util not available, skipping the PKCS#11 test"
	45	return 1
	46	fi
	47	if ! command -v "pkcs11-tool" >/dev/null; then
	48	ddebug "pkcs11-tool not available, skipping the PKCS#11 test"
	49	return 1
	50	fi
	51	if ! command -v "certtool" >/dev/null; then
	52	ddebug "certtool not available, skipping the PKCS#11 test"
	53	return 1
	54	fi
	55	if ! "${SYSTEMCTL:?}" --version \| grep -q "+P11KIT"; then
	56	ddebug "Support for p11-kit is disabled, skipping the PKCS#11 test"
	57	return 1
	58	fi
	59	if ! "${SYSTEMCTL:?}" --version \| grep -q "+LIBCRYPTSETUP\b"; then
	60	ddebug "Support for libcryptsetup is disabled, skipping the PKCS#11 test"
	61	return 1
	62	fi
	63	if ! "${SYSTEMCTL:?}" --version \| grep -q "+LIBCRYPTSETUP_PLUGINS"; then
	64	ddebug "Support for libcryptsetup plugins is disabled, skipping the PKCS#11 test"
	65	return 1
	66	fi
	67
	68	return 0
	69	}
	70
	71	setup_pkcs11_token() {
	72	dinfo "Setup PKCS#11 token"
	73	local P11_MODULE_CONFIGS_DIR P11_MODULE_DIR SOFTHSM_MODULE
	74
	75	export SOFTHSM2_CONF="/tmp/softhsm2.conf"
	76	mkdir -p "$initdir/var/lib/softhsm/tokens/"
	77	cat >${SOFTHSM2_CONF} <<EOF
	78	directories.tokendir = $initdir/var/lib/softhsm/tokens/
	79	objectstore.backend = file
	80	slots.removable = false
	81	slots.mechanisms = ALL
	82	EOF
	83	export GNUTLS_PIN="1234"
	84	export GNUTLS_SO_PIN="12345678"
	85	softhsm2-util --init-token --free --label "TestToken" --pin ${GNUTLS_PIN} --so-pin ${GNUTLS_SO_PIN}
	86
	87	if ! P11_MODULE_CONFIGS_DIR=$(pkg-config --variable=p11_module_configs p11-kit-1); then
	88	echo "WARNING! Cannot get p11_module_configs from p11-kit-1.pc, assuming /usr/share/p11-kit/modules" >&2
	89	P11_MODULE_CONFIGS_DIR="/usr/share/p11-kit/modules"
	90	fi
	91
	92	if ! P11_MODULE_DIR=$(pkg-config --variable=p11_module_path p11-kit-1); then
	93	echo "WARNING! Cannot get p11_module_path from p11-kit-1.pc, assuming /usr/lib/pkcs11" >&2
	94	P11_MODULE_DIR="/usr/lib/pkcs11"
	95	fi
	96
	97	SOFTHSM_MODULE=$(grep -F 'module:' "$P11_MODULE_CONFIGS_DIR/softhsm2.module"\| cut -d ':' -f 2\| xargs)
	98	if [[ "$SOFTHSM_MODULE" =~ ^[^/] ]]; then
	99	SOFTHSM_MODULE="$P11_MODULE_DIR/$SOFTHSM_MODULE"
	100	fi
	101
	102	# RSA #####################################################
	103	pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "RSA:2048" --label "RSATestKey" --usage-decrypt
	104
	105	certtool --generate-self-signed \
106	--load-privkey="pkcs11:token=TestToken;object=RSATestKey;type=private" \
107	--load-pubkey="pkcs11:token=TestToken;object=RSATestKey;type=public" \
108	--template "$TEST_BASE_DIR/$TESTNAME/template.cfg" \
109	--outder --outfile "/tmp/rsa_test.crt"
110
111	pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/rsa_test.crt" --type cert --label "RSATestKey"
112	rm "/tmp/rsa_test.crt"
113
114	# prime256v1 ##############################################
115	pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "EC:prime256v1" --label "ECTestKey" --usage-derive
116
117	certtool --generate-self-signed \
118	--load-privkey="pkcs11:token=TestToken;object=ECTestKey;type=private" \
119	--load-pubkey="pkcs11:token=TestToken;object=ECTestKey;type=public" \
120	--template "$TEST_BASE_DIR/$TESTNAME/template.cfg" \
121	--outder --outfile "/tmp/ec_test.crt"
122
123	pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/ec_test.crt" --type cert --label "ECTestKey"
124	rm "/tmp/ec_test.crt"
125
126	###########################################################
127	rm ${SOFTHSM2_CONF}
128	unset SOFTHSM2_CONF
129
130	inst_libs "$SOFTHSM_MODULE"
131	inst_library "$SOFTHSM_MODULE"
132	inst_simple "$P11_MODULE_CONFIGS_DIR/softhsm2.module"
133
134	cat >"$initdir/etc/softhsm2.conf" <<EOF
135	directories.tokendir = /var/lib/softhsm/tokens/
136	objectstore.backend = file
137	slots.removable = false
138	slots.mechanisms = ALL
139	log.level = INFO
140	EOF
141
142	mkdir -p "$initdir/etc/systemd/system/systemd-cryptsetup@.service.d"
143	cat >"$initdir/etc/systemd/system/systemd-cryptsetup@.service.d/PKCS11.conf" <<EOF
144	[Service]
145	Environment="SOFTHSM2_CONF=/etc/softhsm2.conf"
146	Environment="PIN=$GNUTLS_PIN"
147	EOF
148
149	unset GNUTLS_PIN
150	unset GNUTLS_SO_PIN
151	}
152
8c3534b5	153	test_create_image() {
ec4cab49	154	create_empty_image_rootdir
3f161ba9 FS	155
3f161ba9 FS	156	echo -n test >"${TESTDIR:?}/keyfile"
97bbb9cf YW	157	cryptsetup -q luksFormat --uuid="$PART_UUID" --pbkdf pbkdf2 --pbkdf-force-iterations 1000 "${LOOPDEV:?}p4" "$TESTDIR/keyfile"
97bbb9cf YW	158	cryptsetup luksOpen "${LOOPDEV}p4" "${DM_NAME:?}" <"$TESTDIR/keyfile"
1fb7f8e1	159	mkfs.ext4 -L var "/dev/mapper/$DM_NAME"
3f161ba9	160	mkdir -p "${initdir:?}/var"
1fb7f8e1 FS	161	mount "/dev/mapper/$DM_NAME" "$initdir/var"
	162
	163	LOG_LEVEL=5
	164
	165	setup_basic_environment
	166	mask_supporting_services
	167
	168	install_dmevent
	169	generate_module_dependencies
	170
a3c1b0d7 VS	171	if can_test_pkcs11; then
	172	setup_pkcs11_token
	173	fi
	174
6b70d3cf FS	175	# Create a keydev
	176	dd if=/dev/zero of="${STATEDIR:?}/keydev.img" bs=1M count=16
	177	mkfs.ext4 -L varcrypt_keydev "$STATEDIR/keydev.img"
	178	mkdir -p "$STATEDIR/keydev"
	179	mount "$STATEDIR/keydev.img" "$STATEDIR/keydev"
	180	echo -n test >"$STATEDIR/keydev/keyfile"
168ccb87	181	sync "$STATEDIR/keydev"
6b70d3cf	182	umount "$STATEDIR/keydev"
71dc3ed1	183
1fb7f8e1 FS	184	cat >>"$initdir/etc/fstab" <<EOF
1fb7f8e1 FS	185	/dev/mapper/$DM_NAME /var ext4 defaults 0 1
889a9042	186	EOF
e47add9e	187
1fb7f8e1 FS	188	# Forward journal messages to the console, so we have something
1fb7f8e1 FS	189	# to investigate even if we fail to mount the encrypted /var
7a17e41d	190	echo ForwardToConsole=yes >>"$initdir/etc/systemd/journald.conf"
b22d90e5 FS	191
	192	# If $INITRD wasn't provided explicitly, generate a custom one with dm-crypt
	193	# support
	194	if [[ -z "$INITRD" ]]; then
	195	INITRD="${TESTDIR:?}/initrd.img"
	196	dinfo "Generating a custom initrd with dm-crypt support in '${INITRD:?}'"
	197
	198	if command -v dracut >/dev/null; then
	199	dracut --force --verbose --add crypt "$INITRD"
	200	elif command -v mkinitcpio >/dev/null; then
a3c1b0d7	201	mkinitcpio -S autodetect --addhooks sd-encrypt --generate "$INITRD"
b22d90e5 FS	202	elif command -v mkinitramfs >/dev/null; then
	203	# The cryptroot hook is provided by the cryptsetup-initramfs package
	204	if ! dpkg-query -s cryptsetup-initramfs; then
	205	derror "Missing 'cryptsetup-initramfs' package for dm-crypt support in initrd"
	206	return 1
	207	fi
	208
	209	mkinitramfs -o "$INITRD"
	210	else
	211	dfatal "Unrecognized initrd generator, can't continue"
	212	return 1
	213	fi
	214	fi
ec4cab49	215	}
71dc3ed1	216
ec4cab49	217	cleanup_root_var() {
168ccb87	218	mountpoint -q "$initdir/var" && umount "$initdir/var"
1fb7f8e1	219	[[ -b "/dev/mapper/${DM_NAME:?}" ]] && cryptsetup luksClose "/dev/mapper/$DM_NAME"
168ccb87	220	mountpoint -q "${STATEDIR:?}/keydev" && umount "$STATEDIR/keydev"
71dc3ed1 LP	221	}
	222
	223	test_cleanup() {
f85bc044	224	# ignore errors, so cleanup can continue
65dd488f	225	cleanup_root_var \|\| :
ec4cab49 DS	226	_test_cleanup
	227	}
	228
	229	test_setup_cleanup() {
ec43f686 ZJS	230	cleanup_root_var \|\| :
ec43f686 ZJS	231	cleanup_initdir
71dc3ed1 LP	232	}
71dc3ed1 LP	233
c4cd6205	234	do_test "$@"