#!/usr/bin/env bash
# SPDX-License-Identifier: LGPL-2.1-or-later
#
# Integration test: boot a VM whose /var is a LUKS volume that the systemd
# initrd has to unlock with a keyfile found on a separate "keydev" disk; when
# the host tooling allows it, a SoftHSM-backed PKCS#11 token is provisioned
# into the image as well (see setup_pkcs11_token).
#
# NOTE(review): only -e is enabled. Before adding -o pipefail, audit the
# "... | grep -q" and "grep | cut | xargs" pipelines further down, whose
# first stages may legitimately exit non-zero.
set -e

TEST_DESCRIPTION="cryptsetup systemd setup"
IMAGE_NAME="cryptsetup"
# Extra room in the test image for the encrypted /var partition
# (unit presumably MB — confirm in test-functions)
IMAGE_ADDITIONAL_DATA_SIZE=100
# Only the QEMU variant runs; the name suggests nspawn is skipped because the
# test needs real block devices — confirm in test-functions
TEST_NO_NSPAWN=1
TEST_FORCE_NEWIMAGE=1

# Pull in the shared test harness; do_test, the inst_* installers, the
# d{debug,info,error,fatal} loggers and the cleanup helpers used below are
# presumably defined there.
# shellcheck source=test/test-functions
. "${TEST_BASE_DIR:?}/test-functions"

# Identity of the encrypted /var partition and of its device-mapper node; the
# UUID is fixed so the kernel command line below can refer to it.
PART_UUID="deadbeef-dead-dead-beef-000000000000"
DM_NAME="test24_varcrypt"

# Kernel command line handed to the initrd: enable LUKS handling, name the
# mapping, read the key from /keyfile on the filesystem labelled
# varcrypt_keydev (the unencrypted keydev image built in test_create_image)
# and pass x-initrd.attach as crypttab option (presumably so the mapping set
# up in the initrd survives the switch to the root filesystem — see
# crypttab(5)). A filesystem label is not an authenticated identifier; that
# is acceptable only inside this throwaway test VM.
KERNEL_OPTIONS=()
KERNEL_OPTIONS+=("rd.luks=1")
KERNEL_OPTIONS+=("luks.name=$PART_UUID=$DM_NAME")
KERNEL_OPTIONS+=("luks.key=$PART_UUID=/keyfile:LABEL=varcrypt_keydev")
KERNEL_OPTIONS+=("luks.options=$PART_UUID=x-initrd.attach")
KERNEL_APPEND+=" ${KERNEL_OPTIONS[*]}"

# Attach the keydev image as a second raw disk; cache=unsafe is fine for a
# disposable test image.
QEMU_OPTIONS+=" -drive format=raw,cache=unsafe,file=${STATEDIR:?}/keydev.img"

# Evaluate the QEMU run: mount the test image, unlock and mount the encrypted
# /var on partition 4 with the fixture keyfile, run the common result checks
# and tear everything down again. The exit status of the checks is kept and
# returned after the cleanup has run.
check_result_qemu() {
    local rc=0

    mount_initdir

    # Same passphrase file that test_create_image enrolled into the volume.
    cryptsetup luksOpen "${LOOPDEV:?}p4" "${DM_NAME:?}" <"$TESTDIR/keyfile"
    mount "/dev/mapper/$DM_NAME" "$initdir/var"

    check_result_common "${initdir:?}" || rc=$?

    _umount_dir "$initdir/var"
    _umount_dir "$initdir"
    cryptsetup luksClose "/dev/mapper/$DM_NAME"

    return "$rc"
}

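# Decide whether the PKCS#11 part of the test can run on this host.
#
# Needs the SoftHSM/OpenSC/GnuTLS tooling that setup_pkcs11_token drives and a
# systemd build that advertises p11-kit, libcryptsetup and libcryptsetup
# plugin support in "$SYSTEMCTL --version". Returns 0 when everything is
# present, 1 (after a ddebug message naming the missing piece) otherwise.
can_test_pkcs11() {
    local tool version_output

    for tool in softhsm2-util pkcs11-tool certtool; do
        if ! command -v "$tool" >/dev/null; then
            ddebug "$tool not available, skipping the PKCS#11 test"
            return 1
        fi
    done

    # Query the feature string once instead of once per flag; an unusable
    # $SYSTEMCTL leaves it empty so every check below fails closed.
    version_output=$("${SYSTEMCTL:?}" --version) || version_output=""

    if ! grep -q "+P11KIT" <<<"$version_output"; then
        ddebug "Support for p11-kit is disabled, skipping the PKCS#11 test"
        return 1
    fi
    # \b keeps +LIBCRYPTSETUP from matching the +LIBCRYPTSETUP_PLUGINS flag.
    if ! grep -q "+LIBCRYPTSETUP\b" <<<"$version_output"; then
        ddebug "Support for libcryptsetup is disabled, skipping the PKCS#11 test"
        return 1
    fi
    if ! grep -q "+LIBCRYPTSETUP_PLUGINS" <<<"$version_output"; then
        ddebug "Support for libcryptsetup plugins is disabled, skipping the PKCS#11 test"
        return 1
    fi

    return 0
}
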
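# Generate a key pair on the SoftHSM "TestToken" and store a self-signed
# certificate for it under the same label, so key and certificate are
# reachable through one pkcs11: URI.
#
# Arguments:
#   $1 - path of the SoftHSM PKCS#11 module
#   $2 - key type as understood by pkcs11-tool, e.g. "RSA:2048" or "EC:prime256v1"
#   $3 - object label shared by the key pair and the certificate
#   $4 - pkcs11-tool usage flag for the key, e.g. "--usage-decrypt"
# Globals (read): GNUTLS_PIN, GNUTLS_SO_PIN (exported by the caller),
#                 TEST_BASE_DIR, TESTNAME
_pkcs11_gen_key_and_cert() {
    local module="${1:?}" key_type="${2:?}" label="${3:?}" usage="${4:?}" cert

    # PINs are passed as "env:" references so they never appear in argv.
    pkcs11-tool --module "$module" --token-label "TestToken" \
                --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" \
                --keypairgen --key-type "$key_type" --label "$label" "$usage"

    # mktemp rather than a fixed /tmp name: this script runs with the
    # privileges needed for cryptsetup/mount, so a predictable path would be
    # an easy symlink-race target.
    cert=$(mktemp)
    certtool --generate-self-signed \
             --load-privkey="pkcs11:token=TestToken;object=$label;type=private" \
             --load-pubkey="pkcs11:token=TestToken;object=$label;type=public" \
             --template "$TEST_BASE_DIR/$TESTNAME/template.cfg" \
             --outder --outfile "$cert"

    pkcs11-tool --module "$module" --token-label "TestToken" \
                --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" \
                --write-object "$cert" --type cert --label "$label"
    rm -f -- "$cert"
}

# Provision a SoftHSM token with an RSA and an EC key (each with a self-signed
# certificate) and install the SoftHSM module, its p11-kit config, a
# softhsm2.conf and a systemd-cryptsetup@.service drop-in into the image so
# the PKCS#11 unlock path can be exercised inside the VM.
#
# The token store is created under $initdir/var/lib/softhsm/tokens, i.e. on
# the encrypted /var that test_create_image mounts before calling this. The
# PINs are test-only values; the user PIN is written in clear text into the
# drop-in under the image's /etc, which is acceptable only for this
# disposable test image.
#
# Globals (read): initdir, TEST_BASE_DIR, TESTNAME
# Returns 1 if the SoftHSM module cannot be located (under set -e this aborts
# image creation at the call site).
setup_pkcs11_token() {
    dinfo "Setup PKCS#11 token"
    local P11_MODULE_CONFIGS_DIR P11_MODULE_DIR SOFTHSM_MODULE

    # Temporary host-side SoftHSM config pointing at the token dir inside the
    # image; unpredictable name for the same reason as in the helper above.
    SOFTHSM2_CONF=$(mktemp)
    export SOFTHSM2_CONF
    mkdir -p "$initdir/var/lib/softhsm/tokens/"
    cat >"$SOFTHSM2_CONF" <<EOF
directories.tokendir = $initdir/var/lib/softhsm/tokens/
objectstore.backend = file
slots.removable = false
slots.mechanisms = ALL
EOF
    export GNUTLS_PIN="1234"
    export GNUTLS_SO_PIN="12345678"
    # softhsm2-util takes the PINs on its command line (visible in ps); the
    # pkcs11-tool calls read them from the environment instead.
    softhsm2-util --init-token --free --label "TestToken" --pin "$GNUTLS_PIN" --so-pin "$GNUTLS_SO_PIN"

    if ! P11_MODULE_CONFIGS_DIR=$(pkg-config --variable=p11_module_configs p11-kit-1); then
        echo "WARNING! Cannot get p11_module_configs from p11-kit-1.pc, assuming /usr/share/p11-kit/modules" >&2
        P11_MODULE_CONFIGS_DIR="/usr/share/p11-kit/modules"
    fi

    if ! P11_MODULE_DIR=$(pkg-config --variable=p11_module_path p11-kit-1); then
        echo "WARNING! Cannot get p11_module_path from p11-kit-1.pc, assuming /usr/lib/pkcs11" >&2
        P11_MODULE_DIR="/usr/lib/pkcs11"
    fi

    # The module file comes from the p11-kit config ("module: <file>"); a bare
    # file name is relative to the p11-kit module directory.
    SOFTHSM_MODULE=$(grep -F 'module:' "$P11_MODULE_CONFIGS_DIR/softhsm2.module" | cut -d ':' -f 2 | xargs)
    if [[ "$SOFTHSM_MODULE" =~ ^[^/] ]]; then
        SOFTHSM_MODULE="$P11_MODULE_DIR/$SOFTHSM_MODULE"
    fi
    # Fail with a clear message instead of letting pkcs11-tool or inst_library
    # trip over an empty or missing module path.
    if [[ ! -f "$SOFTHSM_MODULE" ]]; then
        derror "SoftHSM PKCS#11 module not found (looked for '$SOFTHSM_MODULE')"
        return 1
    fi

    _pkcs11_gen_key_and_cert "$SOFTHSM_MODULE" "RSA:2048" "RSATestKey" --usage-decrypt
    _pkcs11_gen_key_and_cert "$SOFTHSM_MODULE" "EC:prime256v1" "ECTestKey" --usage-derive

    rm -f -- "$SOFTHSM2_CONF"
    unset SOFTHSM2_CONF

    inst_libs "$SOFTHSM_MODULE"
    inst_library "$SOFTHSM_MODULE"
    inst_simple "$P11_MODULE_CONFIGS_DIR/softhsm2.module"

    # In-image SoftHSM config: same token store, now at its final /var path.
    cat >"$initdir/etc/softhsm2.conf" <<EOF
directories.tokendir = /var/lib/softhsm/tokens/
objectstore.backend = file
slots.removable = false
slots.mechanisms = ALL
log.level = INFO
EOF

    # Hand the SoftHSM config and the user PIN to systemd-cryptsetup via its
    # unit environment.
    mkdir -p "$initdir/etc/systemd/system/systemd-cryptsetup@.service.d"
    cat >"$initdir/etc/systemd/system/systemd-cryptsetup@.service.d/PKCS11.conf" <<EOF
[Service]
Environment="SOFTHSM2_CONF=/etc/softhsm2.conf"
Environment="PIN=$GNUTLS_PIN"
EOF

    unset GNUTLS_PIN
    unset GNUTLS_SO_PIN
}
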
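# Build the test image: create the LUKS-encrypted /var on partition 4,
# populate the root filesystem, prepare the "keydev" disk that carries the
# unlock key, and generate an initrd with dm-crypt support unless $INITRD was
# supplied by the caller.
#
# Globals (read): TESTDIR, LOOPDEV, PART_UUID, DM_NAME, initdir, STATEDIR, INITRD
# Globals (written): LOG_LEVEL; INITRD when it was empty
# Returns 1 when no usable initrd generator is available.
test_create_image() {
    create_empty_image_rootdir

    # The fixture passphrase is written without a trailing newline: luksFormat
    # takes the file as a key file while luksOpen reads the passphrase from
    # stdin, and a newline might be treated differently by the two paths.
    printf '%s' test >"${TESTDIR:?}/keyfile"
    # Fixed UUID, PBKDF2 and only 1000 iterations keep the VM boot fast. These
    # settings are deliberately weak and acceptable only for a test fixture.
    cryptsetup -q luksFormat --uuid="$PART_UUID" --pbkdf pbkdf2 --pbkdf-force-iterations 1000 "${LOOPDEV:?}p4" "$TESTDIR/keyfile"
    cryptsetup luksOpen "${LOOPDEV}p4" "${DM_NAME:?}" <"$TESTDIR/keyfile"
    mkfs.ext4 -L var "/dev/mapper/$DM_NAME"
    mkdir -p "${initdir:?}/var"
    # Everything installed below under $initdir/var lands on the encrypted volume.
    mount "/dev/mapper/$DM_NAME" "$initdir/var"

    LOG_LEVEL=5

    setup_basic_environment
    mask_supporting_services

    install_dmevent
    generate_module_dependencies

    if can_test_pkcs11; then
        setup_pkcs11_token
    fi

    # Create the keydev: a small unencrypted ext4 image labelled
    # varcrypt_keydev, which the initrd locates via the luks.key=...:LABEL=
    # kernel option. Copying the enrolled keyfile instead of re-typing the
    # passphrase keeps both sides of the test on the same secret.
    dd if=/dev/zero of="${STATEDIR:?}/keydev.img" bs=1M count=16
    mkfs.ext4 -L varcrypt_keydev "$STATEDIR/keydev.img"
    mkdir -p "$STATEDIR/keydev"
    mount "$STATEDIR/keydev.img" "$STATEDIR/keydev"
    cp -- "$TESTDIR/keyfile" "$STATEDIR/keydev/keyfile"
    sync "$STATEDIR/keydev"
    umount "$STATEDIR/keydev"

    cat >>"$initdir/etc/fstab" <<EOF
/dev/mapper/$DM_NAME /var ext4 defaults 0 1
EOF

    # Forward journal messages to the console, so we have something
    # to investigate even if we fail to mount the encrypted /var
    echo ForwardToConsole=yes >>"$initdir/etc/systemd/journald.conf"

    # If $INITRD wasn't provided explicitly, generate a custom one with dm-crypt
    # support using whichever initrd generator the host provides
    if [[ -z "$INITRD" ]]; then
        INITRD="${TESTDIR:?}/initrd.img"
        dinfo "Generating a custom initrd with dm-crypt support in '${INITRD:?}'"

        if command -v dracut >/dev/null; then
            dracut --force --verbose --add crypt "$INITRD"
        elif command -v mkinitcpio >/dev/null; then
            mkinitcpio -S autodetect --addhooks sd-encrypt --generate "$INITRD"
        elif command -v mkinitramfs >/dev/null; then
            # The cryptroot hook is provided by the cryptsetup-initramfs package;
            # only the exit status matters here, so drop the package dump.
            if ! dpkg-query -s cryptsetup-initramfs >/dev/null; then
                derror "Missing 'cryptsetup-initramfs' package for dm-crypt support in initrd"
                return 1
            fi

            mkinitramfs -o "$INITRD"
        else
            dfatal "Unrecognized initrd generator, can't continue"
            return 1
        fi
    fi
}
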
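# Release the encrypted /var and the keydev image if they are still attached.
# Every step is guarded so the function can run repeatedly, from both the
# setup-failure and the final cleanup path. Plain `if` guards are used so the
# exit status reflects an actual umount/luksClose failure rather than
# "nothing was mounted", which the former `cond && action` form reported as 1.
cleanup_root_var() {
    if mountpoint -q "$initdir/var"; then
        umount "$initdir/var"
    fi
    if [[ -b "/dev/mapper/${DM_NAME:?}" ]]; then
        cryptsetup luksClose "/dev/mapper/$DM_NAME"
    fi
    if mountpoint -q "${STATEDIR:?}/keydev"; then
        umount "$STATEDIR/keydev"
    fi
}
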
# Final cleanup hook: release the encrypted /var and the keydev first (best
# effort — a failure there must not stop the rest of the cleanup), then run
# the generic harness cleanup.
test_cleanup() {
    cleanup_root_var || true
    _test_cleanup
}

# Cleanup hook for an aborted image setup: release the encrypted /var and the
# keydev (best effort) and drop the partially populated $initdir.
test_setup_cleanup() {
    cleanup_root_var || true
    cleanup_initdir
}

# Hand control to the harness from test-functions, which presumably dispatches
# to the test_* and check_result_* hooks defined above.
do_test "$@"