2 # SPDX-License-Identifier: LGPL-2.1-or-later
5 TEST_DESCRIPTION
="cryptsetup systemd setup"
6 IMAGE_NAME
="cryptsetup"
7 IMAGE_ADDITIONAL_DATA_SIZE
=100
11 # shellcheck source=test/test-functions
12 .
"${TEST_BASE_DIR:?}/test-functions"
14 PART_UUID
="deadbeef-dead-dead-beef-000000000000"
15 DM_NAME
="test24_varcrypt"
18 "luks.name=$PART_UUID=$DM_NAME"
19 "luks.key=$PART_UUID=/keyfile:LABEL=varcrypt_keydev"
20 "luks.options=$PART_UUID=x-initrd.attach"
22 KERNEL_APPEND
+=" ${KERNEL_OPTIONS[*]}"
23 QEMU_OPTIONS
+=" -drive format=raw,cache=unsafe,file=${STATEDIR:?}/keydev.img"
30 cryptsetup luksOpen
"${LOOPDEV:?}p4" "${DM_NAME:?}" <"$TESTDIR/keyfile"
31 mount
"/dev/mapper/$DM_NAME" "$initdir/var"
33 check_result_common
"${initdir:?}" && ret
=0 || ret
=$?
35 _umount_dir
"$initdir/var"
36 _umount_dir
"$initdir"
37 cryptsetup luksClose
"/dev/mapper/$DM_NAME"
43 if ! command -v "softhsm2-util" >/dev
/null
; then
44 ddebug
"softhsm2-util not available, skipping the PKCS#11 test"
47 if ! command -v "pkcs11-tool" >/dev
/null
; then
48 ddebug
"pkcs11-tool not available, skipping the PKCS#11 test"
51 if ! command -v "certtool" >/dev
/null
; then
52 ddebug
"certtool not available, skipping the PKCS#11 test"
55 if ! "${SYSTEMCTL:?}" --version |
grep -q "+P11KIT"; then
56 ddebug
"Support for p11-kit is disabled, skipping the PKCS#11 test"
59 if ! "${SYSTEMCTL:?}" --version |
grep -q "+LIBCRYPTSETUP\b"; then
60 ddebug
"Support for libcryptsetup is disabled, skipping the PKCS#11 test"
63 if ! "${SYSTEMCTL:?}" --version |
grep -q "+LIBCRYPTSETUP_PLUGINS"; then
64 ddebug
"Support for libcryptsetup plugins is disabled, skipping the PKCS#11 test"
71 setup_pkcs11_token
() {
72 dinfo
"Setup PKCS#11 token"
73 local P11_MODULE_CONFIGS_DIR P11_MODULE_DIR SOFTHSM_MODULE
75 export SOFTHSM2_CONF
="/tmp/softhsm2.conf"
76 mkdir
-p "$initdir/var/lib/softhsm/tokens/"
77 cat >${SOFTHSM2_CONF} <<EOF
78 directories.tokendir = $initdir/var/lib/softhsm/tokens/
79 objectstore.backend = file
80 slots.removable = false
81 slots.mechanisms = ALL
83 export GNUTLS_PIN
="1234"
84 export GNUTLS_SO_PIN
="12345678"
85 softhsm2-util
--init-token --free --label "TestToken" --pin ${GNUTLS_PIN} --so-pin ${GNUTLS_SO_PIN}
87 if ! P11_MODULE_CONFIGS_DIR
=$
(pkg-config
--variable=p11_module_configs p11-kit-1
); then
88 echo "WARNING! Cannot get p11_module_configs from p11-kit-1.pc, assuming /usr/share/p11-kit/modules" >&2
89 P11_MODULE_CONFIGS_DIR
="/usr/share/p11-kit/modules"
92 if ! P11_MODULE_DIR
=$
(pkg-config
--variable=p11_module_path p11-kit-1
); then
93 echo "WARNING! Cannot get p11_module_path from p11-kit-1.pc, assuming /usr/lib/pkcs11" >&2
94 P11_MODULE_DIR
="/usr/lib/pkcs11"
97 SOFTHSM_MODULE
=$
(grep -F 'module:' "$P11_MODULE_CONFIGS_DIR/softhsm2.module"| cut
-d ':' -f 2|
xargs)
98 if [[ "$SOFTHSM_MODULE" =~ ^
[^
/] ]]; then
99 SOFTHSM_MODULE
="$P11_MODULE_DIR/$SOFTHSM_MODULE"
102 # RSA #####################################################
103 pkcs11-tool
--module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "RSA:2048" --label "RSATestKey" --usage-decrypt
105 certtool
--generate-self-signed \
106 --load-privkey="pkcs11:token=TestToken;object=RSATestKey;type=private" \
107 --load-pubkey="pkcs11:token=TestToken;object=RSATestKey;type=public" \
108 --template "$TEST_BASE_DIR/$TESTNAME/template.cfg" \
109 --outder --outfile "/tmp/rsa_test.crt"
111 pkcs11-tool
--module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/rsa_test.crt" --type cert
--label "RSATestKey"
112 rm "/tmp/rsa_test.crt"
114 # prime256v1 ##############################################
115 pkcs11-tool
--module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "EC:prime256v1" --label "ECTestKey" --usage-derive
117 certtool
--generate-self-signed \
118 --load-privkey="pkcs11:token=TestToken;object=ECTestKey;type=private" \
119 --load-pubkey="pkcs11:token=TestToken;object=ECTestKey;type=public" \
120 --template "$TEST_BASE_DIR/$TESTNAME/template.cfg" \
121 --outder --outfile "/tmp/ec_test.crt"
123 pkcs11-tool
--module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/ec_test.crt" --type cert
--label "ECTestKey"
124 rm "/tmp/ec_test.crt"
126 ###########################################################
130 inst_libs
"$SOFTHSM_MODULE"
131 inst_library
"$SOFTHSM_MODULE"
132 inst_simple
"$P11_MODULE_CONFIGS_DIR/softhsm2.module"
134 cat >"$initdir/etc/softhsm2.conf" <<EOF
135 directories.tokendir = /var/lib/softhsm/tokens/
136 objectstore.backend = file
137 slots.removable = false
138 slots.mechanisms = ALL
142 mkdir
-p "$initdir/etc/systemd/system/systemd-cryptsetup@.service.d"
143 cat >"$initdir/etc/systemd/system/systemd-cryptsetup@.service.d/PKCS11.conf" <<EOF
145 Environment="SOFTHSM2_CONF=/etc/softhsm2.conf"
146 Environment="PIN=$GNUTLS_PIN"
153 test_create_image
() {
154 create_empty_image_rootdir
156 echo -n test >"${TESTDIR:?}/keyfile"
157 cryptsetup
-q luksFormat
--uuid="$PART_UUID" --pbkdf pbkdf2
--pbkdf-force-iterations 1000 "${LOOPDEV:?}p4" "$TESTDIR/keyfile"
158 cryptsetup luksOpen
"${LOOPDEV}p4" "${DM_NAME:?}" <"$TESTDIR/keyfile"
159 mkfs.ext4
-L var
"/dev/mapper/$DM_NAME"
160 mkdir
-p "${initdir:?}/var"
161 mount
"/dev/mapper/$DM_NAME" "$initdir/var"
165 setup_basic_environment
166 mask_supporting_services
169 generate_module_dependencies
171 if can_test_pkcs11
; then
176 dd if=/dev
/zero of
="${STATEDIR:?}/keydev.img" bs
=1M count
=16
177 mkfs.ext4
-L varcrypt_keydev
"$STATEDIR/keydev.img"
178 mkdir
-p "$STATEDIR/keydev"
179 mount
"$STATEDIR/keydev.img" "$STATEDIR/keydev"
180 echo -n test >"$STATEDIR/keydev/keyfile"
181 sync
"$STATEDIR/keydev"
182 umount
"$STATEDIR/keydev"
184 cat >>"$initdir/etc/fstab" <<EOF
185 /dev/mapper/$DM_NAME /var ext4 defaults 0 1
188 # Forward journal messages to the console, so we have something
189 # to investigate even if we fail to mount the encrypted /var
190 echo ForwardToConsole
=yes >>"$initdir/etc/systemd/journald.conf"
192 # If $INITRD wasn't provided explicitly, generate a custom one with dm-crypt
194 if [[ -z "$INITRD" ]]; then
195 INITRD
="${TESTDIR:?}/initrd.img"
196 dinfo
"Generating a custom initrd with dm-crypt support in '${INITRD:?}'"
198 if command -v dracut
>/dev
/null
; then
199 dracut
--force --verbose --add crypt "$INITRD"
200 elif command -v mkinitcpio
>/dev
/null
; then
201 mkinitcpio
-S autodetect
--addhooks sd-encrypt
--generate "$INITRD"
202 elif command -v mkinitramfs
>/dev
/null
; then
203 # The cryptroot hook is provided by the cryptsetup-initramfs package
204 if ! dpkg-query
-s cryptsetup-initramfs
; then
205 derror
"Missing 'cryptsetup-initramfs' package for dm-crypt support in initrd"
209 mkinitramfs
-o "$INITRD"
211 dfatal
"Unrecognized initrd generator, can't continue"
218 mountpoint
-q "$initdir/var" && umount
"$initdir/var"
219 [[ -b "/dev/mapper/${DM_NAME:?}" ]] && cryptsetup luksClose
"/dev/mapper/$DM_NAME"
220 mountpoint
-q "${STATEDIR:?}/keydev" && umount
"$STATEDIR/keydev"
224 # ignore errors, so cleanup can continue
225 cleanup_root_var ||
:
229 test_setup_cleanup
() {
230 cleanup_root_var ||
: