test/TEST-24-CRYPTSETUP/test.sh

   1 #!/usr/bin/env bash
   2 # SPDX-License-Identifier: LGPL-2.1-or-later
   3 set -e
   4
   5 TEST_DESCRIPTION="cryptsetup systemd setup"
   6 IMAGE_NAME="cryptsetup"
   7 IMAGE_ADDITIONAL_DATA_SIZE=100
   8 TEST_NO_NSPAWN=1
   9 TEST_FORCE_NEWIMAGE=1
  10
  11 # shellcheck source=test/test-functions
  12 . "${TEST_BASE_DIR:?}/test-functions"
  13
  14 PART_UUID="deadbeef-dead-dead-beef-000000000000"
  15 DM_NAME="test24_varcrypt"
  16 KERNEL_OPTIONS=(
  17     "rd.luks=1"
  18     "luks.name=$PART_UUID=$DM_NAME"
  19     "luks.key=$PART_UUID=/keyfile:LABEL=varcrypt_keydev"
  20     "luks.options=$PART_UUID=x-initrd.attach"
  21 )
  22 KERNEL_APPEND+=" ${KERNEL_OPTIONS[*]}"
  23 QEMU_OPTIONS+=" -drive format=raw,cache=unsafe,file=${STATEDIR:?}/keydev.img"
  24
  25 check_result_qemu() {
  26     local ret
  27
  28     mount_initdir
  29
  30     cryptsetup luksOpen "${LOOPDEV:?}p4" "${DM_NAME:?}" <"$TESTDIR/keyfile"
  31     mount "/dev/mapper/$DM_NAME" "$initdir/var"
  32
  33     check_result_common "${initdir:?}" && ret=0 || ret=$?
  34
  35     _umount_dir "$initdir/var"
  36     _umount_dir "$initdir"
  37     cryptsetup luksClose "/dev/mapper/$DM_NAME"
  38
  39     return $ret
  40 }
  41
  42 can_test_pkcs11() {
  43     if ! command -v "softhsm2-util" >/dev/null; then
  44         ddebug "softhsm2-util not available, skipping the PKCS#11 test"
  45         return 1
  46     fi
  47     if ! command -v "pkcs11-tool" >/dev/null; then
  48         ddebug "pkcs11-tool not available, skipping the PKCS#11 test"
  49         return 1
  50     fi
  51     if ! command -v "certtool" >/dev/null; then
  52         ddebug "certtool not available, skipping the PKCS#11 test"
  53         return 1
  54     fi
  55     if ! "${SYSTEMCTL:?}" --version | grep -q "+P11KIT"; then
  56         ddebug "Support for p11-kit is disabled, skipping the PKCS#11 test"
  57         return 1
  58     fi
  59     if ! "${SYSTEMCTL:?}" --version | grep -q "+LIBCRYPTSETUP\b"; then
  60         ddebug "Support for libcryptsetup is disabled, skipping the PKCS#11 test"
  61         return 1
  62     fi
  63     if ! "${SYSTEMCTL:?}" --version | grep -q "+LIBCRYPTSETUP_PLUGINS"; then
  64         ddebug "Support for libcryptsetup plugins is disabled, skipping the PKCS#11 test"
  65         return 1
  66     fi
  67
  68     return 0
  69 }
  70
  71 setup_pkcs11_token() {
  72     dinfo "Setup PKCS#11 token"
  73     local P11_MODULE_CONFIGS_DIR P11_MODULE_DIR SOFTHSM_MODULE
  74
  75     export SOFTHSM2_CONF="/tmp/softhsm2.conf"
  76     mkdir -p "$initdir/var/lib/softhsm/tokens/"
  77     cat >${SOFTHSM2_CONF} <<EOF
  78 directories.tokendir = $initdir/var/lib/softhsm/tokens/
  79 objectstore.backend = file
  80 slots.removable = false
  81 slots.mechanisms = ALL
  82 EOF
  83     export GNUTLS_PIN="1234"
  84     export GNUTLS_SO_PIN="12345678"
  85     softhsm2-util --init-token --free --label "TestToken" --pin ${GNUTLS_PIN} --so-pin ${GNUTLS_SO_PIN}
  86
  87     if ! P11_MODULE_CONFIGS_DIR=$(pkg-config --variable=p11_module_configs p11-kit-1); then
  88         echo "WARNING! Cannot get p11_module_configs from p11-kit-1.pc, assuming /usr/share/p11-kit/modules" >&2
  89         P11_MODULE_CONFIGS_DIR="/usr/share/p11-kit/modules"
  90     fi
  91
  92     if ! P11_MODULE_DIR=$(pkg-config --variable=p11_module_path p11-kit-1); then
  93         echo "WARNING! Cannot get p11_module_path from p11-kit-1.pc, assuming /usr/lib/pkcs11" >&2
  94         P11_MODULE_DIR="/usr/lib/pkcs11"
  95     fi
  96
  97     SOFTHSM_MODULE=$(grep -F 'module:' "$P11_MODULE_CONFIGS_DIR/softhsm2.module"| cut -d ':' -f 2| xargs)
  98     if [[ "$SOFTHSM_MODULE" =~ ^[^/] ]]; then
  99         SOFTHSM_MODULE="$P11_MODULE_DIR/$SOFTHSM_MODULE"
 100     fi
 101
 102     # RSA #####################################################
 103     pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "RSA:2048" --label "RSATestKey" --usage-decrypt
 104
 105     certtool --generate-self-signed \
 106       --load-privkey="pkcs11:token=TestToken;object=RSATestKey;type=private" \
 107       --load-pubkey="pkcs11:token=TestToken;object=RSATestKey;type=public" \
 108       --template "$TEST_BASE_DIR/$TESTNAME/template.cfg" \
 109       --outder --outfile "/tmp/rsa_test.crt"
 110
 111     pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/rsa_test.crt" --type cert --label "RSATestKey"
 112     rm "/tmp/rsa_test.crt"
 113
 114     # prime256v1 ##############################################
 115     pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "EC:prime256v1" --label "ECTestKey" --usage-derive
 116
 117     certtool --generate-self-signed \
 118       --load-privkey="pkcs11:token=TestToken;object=ECTestKey;type=private" \
 119       --load-pubkey="pkcs11:token=TestToken;object=ECTestKey;type=public" \
 120       --template "$TEST_BASE_DIR/$TESTNAME/template.cfg" \
 121       --outder --outfile "/tmp/ec_test.crt"
 122
 123     pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/ec_test.crt" --type cert --label "ECTestKey"
 124     rm "/tmp/ec_test.crt"
 125
 126     ###########################################################
 127     rm ${SOFTHSM2_CONF}
 128     unset SOFTHSM2_CONF
 129
 130     inst_libs "$SOFTHSM_MODULE"
 131     inst_library "$SOFTHSM_MODULE"
 132     inst_simple "$P11_MODULE_CONFIGS_DIR/softhsm2.module"
 133
 134     cat >"$initdir/etc/softhsm2.conf" <<EOF
 135 directories.tokendir = /var/lib/softhsm/tokens/
 136 objectstore.backend = file
 137 slots.removable = false
 138 slots.mechanisms = ALL
 139 log.level = INFO
 140 EOF
 141
 142     mkdir -p "$initdir/etc/systemd/system/systemd-cryptsetup@.service.d"
 143     cat >"$initdir/etc/systemd/system/systemd-cryptsetup@.service.d/PKCS11.conf" <<EOF
 144 [Service]
 145 Environment="SOFTHSM2_CONF=/etc/softhsm2.conf"
 146 Environment="PIN=$GNUTLS_PIN"
 147 EOF
 148
 149     unset GNUTLS_PIN
 150     unset GNUTLS_SO_PIN
 151 }
 152
 153 test_create_image() {
 154     create_empty_image_rootdir
 155
 156     echo -n test >"${TESTDIR:?}/keyfile"
 157     cryptsetup -q luksFormat --uuid="$PART_UUID" --pbkdf pbkdf2 --pbkdf-force-iterations 1000 "${LOOPDEV:?}p4" "$TESTDIR/keyfile"
 158     cryptsetup luksOpen "${LOOPDEV}p4" "${DM_NAME:?}" <"$TESTDIR/keyfile"
 159     mkfs.ext4 -L var "/dev/mapper/$DM_NAME"
 160     mkdir -p "${initdir:?}/var"
 161     mount "/dev/mapper/$DM_NAME" "$initdir/var"
 162
 163     LOG_LEVEL=5
 164
 165     setup_basic_environment
 166     mask_supporting_services
 167
 168     install_dmevent
 169     generate_module_dependencies
 170
 171     if can_test_pkcs11; then
 172         setup_pkcs11_token
 173     fi
 174
 175     # Create a keydev
 176     dd if=/dev/zero of="${STATEDIR:?}/keydev.img" bs=1M count=16
 177     mkfs.ext4 -L varcrypt_keydev "$STATEDIR/keydev.img"
 178     mkdir -p "$STATEDIR/keydev"
 179     mount "$STATEDIR/keydev.img" "$STATEDIR/keydev"
 180     echo -n test >"$STATEDIR/keydev/keyfile"
 181     sync "$STATEDIR/keydev"
 182     umount "$STATEDIR/keydev"
 183
 184     cat >>"$initdir/etc/fstab" <<EOF
 185 /dev/mapper/$DM_NAME    /var    ext4    defaults 0 1
 186 EOF
 187
 188     # Forward journal messages to the console, so we have something
 189     # to investigate even if we fail to mount the encrypted /var
 190     echo ForwardToConsole=yes >>"$initdir/etc/systemd/journald.conf"
 191
 192     # If $INITRD wasn't provided explicitly, generate a custom one with dm-crypt
 193     # support
 194     if [[ -z "$INITRD" ]]; then
 195         INITRD="${TESTDIR:?}/initrd.img"
 196         dinfo "Generating a custom initrd with dm-crypt support in '${INITRD:?}'"
 197
 198         if command -v dracut >/dev/null; then
 199             dracut --force --verbose --add crypt "$INITRD"
 200         elif command -v mkinitcpio >/dev/null; then
 201             mkinitcpio -S autodetect --addhooks sd-encrypt --generate "$INITRD"
 202         elif command -v mkinitramfs >/dev/null; then
 203             # The cryptroot hook is provided by the cryptsetup-initramfs package
 204             if ! dpkg-query -s cryptsetup-initramfs; then
 205                 derror "Missing 'cryptsetup-initramfs' package for dm-crypt support in initrd"
 206                 return 1
 207             fi
 208
 209             mkinitramfs -o "$INITRD"
 210         else
 211             dfatal "Unrecognized initrd generator, can't continue"
 212             return 1
 213         fi
 214     fi
 215 }
 216
 217 cleanup_root_var() {
 218     mountpoint -q "$initdir/var" && umount "$initdir/var"
 219     [[ -b "/dev/mapper/${DM_NAME:?}" ]] && cryptsetup luksClose "/dev/mapper/$DM_NAME"
 220     mountpoint -q "${STATEDIR:?}/keydev" && umount "$STATEDIR/keydev"
 221 }
 222
 223 test_cleanup() {
 224     # ignore errors, so cleanup can continue
 225     cleanup_root_var || :
 226     _test_cleanup
 227 }
 228
 229 test_setup_cleanup() {
 230     cleanup_root_var || :
 231     cleanup_initdir
 232 }
 233
 234 do_test "$@"