2 # SPDX-License-Identifier: LGPL-2.1-or-later
# Test metadata read by the shared harness (test-functions, sourced below).
TEST_DESCRIPTION="cryptsetup systemd setup"
IMAGE_NAME="cryptsetup"
# Extra space reserved in the image; the units are defined by test-functions — TODO confirm.
# The encrypted /var partition built in test_create_image lives in this extra space.
IMAGE_ADDITIONAL_DATA_SIZE=100

# TEST_BASE_DIR must be exported by the caller; ":?" aborts with a message when it is unset or empty.
# shellcheck source=test/test-functions
. "${TEST_BASE_DIR:?}/test-functions"
# Partition UUID of the LUKS volume created in test_create_image, and the name of the
# dm-crypt mapping (/dev/mapper/$DM_NAME) it is opened under.
PART_UUID="deadbeef-dead-dead-beef-000000000000"
DM_NAME="test24_varcrypt"

# Kernel command line for the guest: which LUKS volume to unlock, where its keyfile lives
# (on the key device image attached via QEMU_OPTIONS below) and the attach options.
# NOTE(review): the array's opening line is not in this listing; options that may precede
# luks.name= are not reproduced here.
KERNEL_OPTIONS=()
KERNEL_OPTIONS+=("luks.name=$PART_UUID=$DM_NAME")
KERNEL_OPTIONS+=("luks.key=$PART_UUID=/keyfile:LABEL=varcrypt_keydev")
KERNEL_OPTIONS+=("luks.options=$PART_UUID=x-initrd.attach")
# Forward journal to console to make debugging easier (or possible at all) if we fail to bring the
# encrypted /var up during boot
KERNEL_OPTIONS+=("systemd.journald.forward_to_console=1")

# "${arr[*]}" joins with the first IFS character (a space by default); appended to whatever
# the harness already put in KERNEL_APPEND.
KERNEL_APPEND+=" ${KERNEL_OPTIONS[*]}"
# Attach the key device image as a second raw disk; STATEDIR is provided by test-functions.
QEMU_OPTIONS+=" -drive format=raw,cache=unsafe,file=${STATEDIR:?}/keydev.img"
# NOTE(review): this is the body of the result-check hook; its header and whatever follows
# the teardown (presumably a return of `ret`) are not in this listing.
# Open the encrypted /var partition with the test keyfile and mount it under the
# image root so the shared result check can inspect the guest's /var.
cryptsetup luksOpen "${LOOPDEV:?}p4" "${DM_NAME:?}" <"$TESTDIR/keyfile"
mount "/dev/mapper/$DM_NAME" "$initdir/var"

# Capture the verdict instead of letting a failing check abort before the unmounts below.
check_result_common "${initdir:?}" && ret=0 || ret=$?

# Tear down in reverse order: /var first, then the root image, then the dm-crypt mapping.
_umount_dir "$initdir/var"
_umount_dir "$initdir"
cryptsetup luksClose "/dev/mapper/$DM_NAME"
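#######################################
# Decide whether the PKCS#11 part of the test can run on this host.
# Globals:   SYSTEMCTL (read) - systemctl binary whose --version feature list is inspected
# Outputs:   one ddebug line naming the first missing prerequisite
# Returns:   0 if every tool and build feature is present, 1 otherwise
#
# NOTE(review): the function header, the `return 1` after each ddebug and the final
# `return 0` are not in this listing; they are restored from the "skipping" messages
# and the `if can_test_pkcs11; then` call site in test_create_image.
# The feature string is now queried once instead of spawning systemctl per check.
#######################################
can_test_pkcs11() {
    local tool features

    # Host-side tooling used by setup_pkcs11_token to provision the software token.
    for tool in softhsm2-util pkcs11-tool certtool; do
        if ! command -v "$tool" >/dev/null; then
            ddebug "$tool not available, skipping the PKCS#11 test"
            return 1
        fi
    done

    # A systemctl that cannot even report its version is treated like a missing feature.
    if ! features=$("${SYSTEMCTL:?}" --version); then
        ddebug "Cannot run ${SYSTEMCTL} --version, skipping the PKCS#11 test"
        return 1
    fi

    if ! grep -q "+P11KIT" <<<"$features"; then
        ddebug "Support for p11-kit is disabled, skipping the PKCS#11 test"
        return 1
    fi

    if ! grep -q "+OPENSSL" <<<"$features"; then
        ddebug "Support for openssl is disabled, skipping the PKCS#11 test"
        return 1
    fi

    # \b keeps +LIBCRYPTSETUP from being satisfied by the +LIBCRYPTSETUP_PLUGINS flag checked next.
    if ! grep -q "+LIBCRYPTSETUP\b" <<<"$features"; then
        ddebug "Support for libcryptsetup is disabled, skipping the PKCS#11 test"
        return 1
    fi

    if ! grep -q "+LIBCRYPTSETUP_PLUGINS" <<<"$features"; then
        ddebug "Support for libcryptsetup plugins is disabled, skipping the PKCS#11 test"
        return 1
    fi

    return 0
}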
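#######################################
# Provision a SoftHSM PKCS#11 token on the host with one RSA and one EC key pair
# (each with a self-signed certificate), then install the SoftHSM module, its
# p11-kit module config, a softhsm2.conf and a systemd-cryptsetup@ drop-in into
# the test image so the guest can unlock the volume via PKCS#11.
# Globals:   initdir, TEST_BASE_DIR, TESTNAME, TESTDIR (read);
#            SOFTHSM2_CONF, GNUTLS_PIN, GNUTLS_SO_PIN (exported)
# Outputs:   progress via dinfo; pkg-config fallbacks as WARNING lines on stderr
# Returns:   non-zero when a provisioning step fails
#
# NOTE(review): the host-side config and scratch certificates now live under the
# test-private $TESTDIR instead of fixed, predictable names in the shared /tmp, the
# config path and PINs are quoted, and heredoc terminators / `fi`s missing from the
# listing are restored.
#######################################
setup_pkcs11_token() {
    dinfo "Setup PKCS#11 token"
    local P11_MODULE_CONFIGS_DIR P11_MODULE_DIR SOFTHSM_MODULE rsa_cert ec_cert

    # SoftHSM reads its config from $SOFTHSM2_CONF; the token store itself is created
    # inside the image so it ships to the guest as-is.
    export SOFTHSM2_CONF="${TESTDIR:?}/softhsm2.conf"
    mkdir -p "$initdir/var/lib/softhsm/tokens/"
    cat >"$SOFTHSM2_CONF" <<EOF
directories.tokendir = $initdir/var/lib/softhsm/tokens/
objectstore.backend = file
slots.removable = false
slots.mechanisms = ALL
EOF
    # Test-only PINs; GNUTLS_PIN is also what the guest's PIN= environment is set to below.
    export GNUTLS_PIN="1234"
    export GNUTLS_SO_PIN="12345678"
    softhsm2-util --init-token --free --label "TestToken" --pin "$GNUTLS_PIN" --so-pin "$GNUTLS_SO_PIN"

    # Where p11-kit keeps module configs and the modules themselves; fall back to the
    # conventional locations when p11-kit-1.pc is unavailable.
    if ! P11_MODULE_CONFIGS_DIR=$(pkg-config --variable=p11_module_configs p11-kit-1); then
        echo "WARNING! Cannot get p11_module_configs from p11-kit-1.pc, assuming /usr/share/p11-kit/modules" >&2
        P11_MODULE_CONFIGS_DIR="/usr/share/p11-kit/modules"
    fi

    if ! P11_MODULE_DIR=$(pkg-config --variable=p11_module_path p11-kit-1); then
        echo "WARNING! Cannot get p11_module_path from p11-kit-1.pc, assuming /usr/lib/pkcs11" >&2
        P11_MODULE_DIR="/usr/lib/pkcs11"
    fi

    # The module config holds a "module: <path>" line; xargs with no command trims the whitespace.
    SOFTHSM_MODULE=$(grep -F 'module:' "$P11_MODULE_CONFIGS_DIR/softhsm2.module" | cut -d ':' -f 2 | xargs)
    # A relative module name is resolved against the p11-kit module directory.
    if [[ "$SOFTHSM_MODULE" =~ ^[^/] ]]; then
        SOFTHSM_MODULE="$P11_MODULE_DIR/$SOFTHSM_MODULE"
    fi

    # RSA #####################################################
    # PINs are handed to pkcs11-tool via env: references so they do not show up in argv.
    rsa_cert="$TESTDIR/rsa_test.crt"
    pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "RSA:2048" --label "RSATestKey" --usage-decrypt
    certtool --generate-self-signed \
             --load-privkey="pkcs11:token=TestToken;object=RSATestKey;type=private" \
             --load-pubkey="pkcs11:token=TestToken;object=RSATestKey;type=public" \
             --template "$TEST_BASE_DIR/$TESTNAME/template.cfg" \
             --outder --outfile "$rsa_cert"
    pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "$rsa_cert" --type cert --label "RSATestKey"
    rm -- "$rsa_cert"

    # prime256v1 ##############################################
    ec_cert="$TESTDIR/ec_test.crt"
    pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "EC:prime256v1" --label "ECTestKey" --usage-derive
    certtool --generate-self-signed \
             --load-privkey="pkcs11:token=TestToken;object=ECTestKey;type=private" \
             --load-pubkey="pkcs11:token=TestToken;object=ECTestKey;type=public" \
             --template "$TEST_BASE_DIR/$TESTNAME/template.cfg" \
             --outder --outfile "$ec_cert"
    pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "$ec_cert" --type cert --label "ECTestKey"
    rm -- "$ec_cert"

    ###########################################################

    # Ship the module, its p11-kit config and a guest-side softhsm2.conf into the image;
    # the token directory was created under $initdir above.
    inst_libs "$SOFTHSM_MODULE"
    inst_library "$SOFTHSM_MODULE"
    inst_simple "$P11_MODULE_CONFIGS_DIR/softhsm2.module"

    cat >"$initdir/etc/softhsm2.conf" <<EOF
directories.tokendir = /var/lib/softhsm/tokens/
objectstore.backend = file
slots.removable = false
slots.mechanisms = ALL
EOF

    # Point systemd-cryptsetup@ in the guest at the shipped config and hand it the user PIN.
    mkdir -p "$initdir/etc/systemd/system/systemd-cryptsetup@.service.d"
    cat >"$initdir/etc/systemd/system/systemd-cryptsetup@.service.d/PKCS11.conf" <<EOF
[Unit]
# Make sure we can start systemd-cryptsetup@empty_pkcs11_auto.service many times
# NOTE(review): the directive under this comment and the section headers are not in
# the reviewed listing; the burst value below is a constructed placeholder — confirm.
StartLimitBurst=10000

[Service]
Environment="SOFTHSM2_CONF=/etc/softhsm2.conf"
Environment="PIN=$GNUTLS_PIN"
EOF
}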
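#######################################
# Build the test image: a LUKS-encrypted /var on partition 4 of the loop device
# (unlocked by a throw-away keyfile), a separate key device image labelled
# varcrypt_keydev carrying the same keyfile, an fstab entry, console journal
# forwarding, the optional PKCS#11 setup and — unless $INITRD was provided — a
# custom initrd with dm-crypt support.
# Globals:   TESTDIR, LOOPDEV, PART_UUID, DM_NAME, initdir, STATEDIR (read);
#            INITRD (read; assigned when empty)
# Returns:   1 when the Debian initramfs hook package is missing; dfatal handles
#            an unknown initrd generator
#
# NOTE(review): the listing drops several lines of this function (`fi`s, the fstab
# heredoc terminator, the `else` before dfatal, the `return 1` after derror and the
# body of the can_test_pkcs11 branch); they are restored from context. Anything else
# that sat in those gaps is not reproduced. echo -n/-ne were replaced by printf and
# the journald drop-in directory is created with -p so a re-run does not trip on it.
#######################################
test_create_image() {
    create_empty_image_rootdir

    # Test-only key material: a fixed string written without a trailing newline.
    printf '%s' test >"${TESTDIR:?}/keyfile"
    # pbkdf2 with a forced low iteration count keeps luksFormat fast; deliberately weak, test only.
    cryptsetup -q luksFormat --uuid="$PART_UUID" --pbkdf pbkdf2 --pbkdf-force-iterations 1000 "${LOOPDEV:?}p4" "$TESTDIR/keyfile"
    cryptsetup luksOpen "${LOOPDEV}p4" "${DM_NAME:?}" <"$TESTDIR/keyfile"
    mkfs.ext4 -L var "/dev/mapper/$DM_NAME"
    mkdir -p "${initdir:?}/var"
    mount "/dev/mapper/$DM_NAME" "$initdir/var"

    setup_basic_environment
    mask_supporting_services
    generate_module_dependencies

    if can_test_pkcs11; then
        setup_pkcs11_token
    fi

    # Key device: a small ext4 image whose label the luks.key= kernel option refers to.
    dd if=/dev/zero of="${STATEDIR:?}/keydev.img" bs=1M count=16
    mkfs.ext4 -L varcrypt_keydev "$STATEDIR/keydev.img"
    mkdir -p "$STATEDIR/keydev"
    mount "$STATEDIR/keydev.img" "$STATEDIR/keydev"
    printf '%s' test >"$STATEDIR/keydev/keyfile"
    sync "$STATEDIR/keydev"
    umount "$STATEDIR/keydev"

    cat >>"$initdir/etc/fstab" <<EOF
/dev/mapper/$DM_NAME /var ext4 defaults 0 1
EOF

    # Forward journal messages to the console, so we have something to investigate even if we fail to mount
    mkdir -p "$initdir/etc/systemd/journald.conf.d/"
    printf '[Journal]\nForwardToConsole=yes\n' >"$initdir/etc/systemd/journald.conf.d/99-forward.conf"

    # If $INITRD wasn't provided explicitly, generate a custom one with dm-crypt
    if [[ -z "$INITRD" ]]; then
        INITRD="${TESTDIR:?}/initrd.img"
        dinfo "Generating a custom initrd with dm-crypt support in '${INITRD:?}'"

        if command -v dracut >/dev/null; then
            dracut --force --verbose --add crypt "$INITRD"
        elif command -v mkinitcpio >/dev/null; then
            mkinitcpio -S autodetect --addhooks sd-encrypt --generate "$INITRD"
        elif command -v mkinitramfs >/dev/null; then
            # The cryptroot hook is provided by the cryptsetup-initramfs package
            if ! dpkg-query -s cryptsetup-initramfs; then
                derror "Missing 'cryptsetup-initramfs' package for dm-crypt support in initrd"
                return 1
            fi
            mkinitramfs -o "$INITRD"
        else
            dfatal "Unrecognized initrd generator, can't continue"
        fi
    fi
}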
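#######################################
# Undo what test_create_image set up on the host: unmount the encrypted /var,
# close the dm-crypt mapping and unmount the key device. Every step is guarded so
# a partially built image (or a second cleanup call) does not trip on a step that
# was never done.
# Globals:   initdir, DM_NAME, STATEDIR (read)
# Returns:   0 unless an actual umount/luksClose fails; "nothing was mounted" is no
#            longer reported as failure (the `a && b` form returned 1 whenever the
#            guard of the last list was false, which is why callers mask with `|| :`)
#
# NOTE(review): the `cleanup_root_var() {` header and closing brace are not in the
# listing; the name comes from the callers that follow.
#######################################
cleanup_root_var() {
    if mountpoint -q "$initdir/var"; then
        umount "$initdir/var"
    fi
    # luksClose on an absent mapping errors out, so only close it when the node exists.
    if [[ -b "/dev/mapper/${DM_NAME:?}" ]]; then
        cryptsetup luksClose "/dev/mapper/$DM_NAME"
    fi
    if mountpoint -q "${STATEDIR:?}/keydev"; then
        umount "$STATEDIR/keydev"
    fi
}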
# NOTE(review): body of a cleanup hook whose header is not in this listing; the
# test_setup_cleanup hook below starts with the same line.
# ignore errors, so cleanup can continue
cleanup_root_var || :
241 test_setup_cleanup
() {
242 cleanup_root_var ||
: