From cb2bc7575a8ded46b1743954c07e8583545c50e0 Mon Sep 17 00:00:00 2001
From: Vitaly Kuznetsov <vkuznets@redhat.com>
Date: Mon, 13 Oct 2025 15:59:29 +0200
Subject: [PATCH] TEST-58-REPART: add testcase for LUKS2 integrity

Create an encrypted partition with LUKS2 integrity checking enabled, verify
that dm-integrity mapping appears.
---
 test/units/TEST-58-REPART.sh | 61 ++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)

diff --git a/test/units/TEST-58-REPART.sh b/test/units/TEST-58-REPART.sh
index de64c84c65a..386462aa26e 100755
--- a/test/units/TEST-58-REPART.sh
+++ b/test/units/TEST-58-REPART.sh
@@ -1838,6 +1838,67 @@ EOF
     cmp "$imgs/disk1.img" "$imgs/disk3.img"
 }
 
+_test_luks2_integrity() {
+    local defs imgs output root
+
+    if [[ "$OFFLINE" != "no" ]]; then
+        return 0
+    fi
+
+    defs="$(mktemp --directory "/tmp/test-repart.defs.XXXXXXXXXX")"
+    imgs="$(mktemp --directory "/var/tmp/test-repart.imgs.XXXXXXXXXX")"
+    root="$(mktemp --directory "/var/test-repart.root.XXXXXXXXXX")"
+    # shellcheck disable=SC2064
+    trap "rm -rf '$defs' '$imgs' '$root'" RETURN
+    chmod 0755 "$defs"
+
+    echo "*** testcase for LUKS2 integrity ***"
+
+    tee "$defs/root.conf" <<EOF
+[Partition]
+Type=root
+Format=ext4
+Encrypt=key-file
+Integrity=inline
+EOF
+
+    [ -n "$1" ] && echo "IntegrityAlgorithm=$1" >> "$defs/root.conf"
+
+    systemd-repart --pretty=yes \
+                   --definitions "$defs" \
+                   --empty=create \
+                   --size=100M \
+                   --seed="$seed" \
+                   --dry-run=no \
+                   --offline=no \
+                   "$imgs/encint.img"
+
+    loop="$(losetup -P --show --find "$imgs/encint.img")"
+    udevadm wait --timeout=60 --settle "${loop:?}p1"
+
+    volume="test-repart-luksint-$RANDOM"
+    dmstatus="$imgs/dmsetup-$RANDOM"
+
+    touch "$imgs/empty-password"
+
+    # the expectation for hmac-sha256 is 'integrity: hmac(sha256)'
+    cryptsetup luksDump "${loop}p1" | grep -q "integrity: $(echo "$1" | sed -r 's/^hmac-(.*)$/hmac(\1)/')"
+
+    cryptsetup open --type=luks2 --key-file="$imgs/empty-password" "${loop}p1" "$volume"
+    dmsetup status > "$dmstatus"
+    cryptsetup close "$volume"
+    losetup -d "$loop"
+    # Check that there's a dm-integrity entry
+    grep -q "$volume""_dif.* integrity " "$dmstatus"
+}
+
+testcase_luks2_integrity() {
+    _test_luks2_integrity ""
+    _test_luks2_integrity "hmac-sha1"
+    _test_luks2_integrity "hmac-sha256"
+    _test_luks2_integrity "hmac-sha512"
+}
+
 OFFLINE="yes"
 run_testcases
 
-- 
2.47.3