-
Notifications
You must be signed in to change notification settings - Fork 574
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
gadget/install,secboot: use snapcore/secboot luks2 api #8972
Changes from 14 commits
dfeddea
cec9e58
3bf6e07
2779b55
adc23dc
b29b950
f3dee5f
593dfb9
16ef4c0
abed949
aa7d453
7922057
c52045e
242d288
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -20,9 +20,9 @@ | |
package install_test | ||
|
||
import ( | ||
"errors" | ||
"fmt" | ||
"os" | ||
"path/filepath" | ||
|
||
. "gopkg.in/check.v1" | ||
|
||
|
@@ -58,78 +58,123 @@ func (s *encryptSuite) SetUpTest(c *C) { | |
c.Assert(os.MkdirAll(dirs.SnapRunDir, 0755), IsNil) | ||
} | ||
|
||
func (s *encryptSuite) TestEncryptHappy(c *C) { | ||
s.mockCryptsetup = testutil.MockCommand(c, "cryptsetup", "") | ||
s.AddCleanup(s.mockCryptsetup.Restore) | ||
|
||
// create empty key to prevent blocking on lack of system entropy | ||
key := secboot.EncryptionKey{} | ||
dev, err := install.NewEncryptedDevice(&mockDeviceStructure, key, "some-label") | ||
c.Assert(err, IsNil) | ||
c.Assert(dev.Node, Equals, "/dev/mapper/some-label") | ||
|
||
c.Assert(s.mockCryptsetup.Calls(), DeepEquals, [][]string{ | ||
func (s *encryptSuite) TestNewEncryptedDevice(c *C) { | ||
for _, tc := range []struct { | ||
formatErr error | ||
openErr string | ||
err string | ||
}{ | ||
{ | ||
"cryptsetup", "-q", "luksFormat", "--type", "luks2", "--key-file", "-", | ||
"--cipher", "aes-xts-plain64", "--key-size", "512", "--pbkdf", "argon2i", | ||
"--iter-time", "1", "--label", "some-label-enc", "/dev/node1", | ||
formatErr: nil, | ||
openErr: "", | ||
err: "", | ||
}, | ||
{ | ||
"cryptsetup", "open", "--key-file", "-", "/dev/node1", "some-label", | ||
formatErr: errors.New("format error"), | ||
openErr: "", | ||
err: "cannot format encrypted device: format error", | ||
}, | ||
}) | ||
|
||
err = dev.Close() | ||
c.Assert(err, IsNil) | ||
} | ||
|
||
func (s *encryptSuite) TestEncryptFormatError(c *C) { | ||
s.mockCryptsetup = testutil.MockCommand(c, "cryptsetup", `[ "$2" == "luksFormat" ] && exit 127 || exit 0`) | ||
s.AddCleanup(s.mockCryptsetup.Restore) | ||
|
||
key := secboot.EncryptionKey{} | ||
_, err := install.NewEncryptedDevice(&mockDeviceStructure, key, "some-label") | ||
c.Assert(err, ErrorMatches, "cannot format encrypted device:.*") | ||
} | ||
|
||
func (s *encryptSuite) TestEncryptOpenError(c *C) { | ||
s.mockCryptsetup = testutil.MockCommand(c, "cryptsetup", `[ "$1" == "open" ] && exit 127 || exit 0`) | ||
s.AddCleanup(s.mockCryptsetup.Restore) | ||
|
||
key := secboot.EncryptionKey{} | ||
_, err := install.NewEncryptedDevice(&mockDeviceStructure, key, "some-label") | ||
c.Assert(err, ErrorMatches, "cannot open encrypted device on /dev/node1:.*") | ||
} | ||
|
||
func (s *encryptSuite) TestEncryptAddKey(c *C) { | ||
capturedFifo := filepath.Join(c.MkDir(), "captured-stdin") | ||
s.mockCryptsetup = testutil.MockCommand(c, "cryptsetup", fmt.Sprintf(`[ "$1" == "luksAddKey" ] && cat %s/tmp-rkey > %s || exit 0`, dirs.SnapRunDir, capturedFifo)) | ||
s.AddCleanup(s.mockCryptsetup.Restore) | ||
|
||
key := secboot.EncryptionKey{} | ||
dev, err := install.NewEncryptedDevice(&mockDeviceStructure, key, "some-label") | ||
c.Assert(err, IsNil) | ||
|
||
rkey := secboot.RecoveryKey{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15} | ||
err = dev.AddRecoveryKey(key, rkey) | ||
c.Assert(err, IsNil) | ||
|
||
c.Assert(s.mockCryptsetup.Calls(), DeepEquals, [][]string{ | ||
{ | ||
"cryptsetup", "-q", "luksFormat", "--type", "luks2", "--key-file", "-", | ||
"--cipher", "aes-xts-plain64", "--key-size", "512", "--pbkdf", "argon2i", | ||
"--iter-time", "1", "--label", "some-label-enc", "/dev/node1", | ||
formatErr: nil, | ||
openErr: "open error", | ||
err: "cannot open encrypted device on /dev/node1: open error", | ||
}, | ||
{ | ||
"cryptsetup", "open", "--key-file", "-", "/dev/node1", "some-label", | ||
}, | ||
{ | ||
"cryptsetup", "luksAddKey", "/dev/node1", "-q", "--key-file", "-", | ||
"--key-slot", "1", filepath.Join(dirs.SnapRunDir, "tmp-rkey"), | ||
}, | ||
}) | ||
c.Assert(capturedFifo, testutil.FileEquals, rkey[:]) | ||
} { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. For completness we may want to have a test with both "openErr" and "formatErr" to have the full matrix There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
|
||
script := "" | ||
if tc.openErr != "" { | ||
script = fmt.Sprintf("echo '%s'>&2; exit 1", tc.openErr) | ||
|
||
} | ||
s.mockCryptsetup = testutil.MockCommand(c, "cryptsetup", script) | ||
s.AddCleanup(s.mockCryptsetup.Restore) | ||
|
||
// create empty key to prevent blocking on lack of system entropy | ||
myKey := secboot.EncryptionKey{} | ||
for i := range myKey { | ||
myKey[i] = byte(i) | ||
} | ||
|
||
calls := 0 | ||
restore := install.MockSecbootFormatEncryptedDevice(func(key secboot.EncryptionKey, label, node string) error { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We are not checking node here, why is that? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Oops, this was really missing, thanks Michael. |
||
calls++ | ||
c.Assert(key, DeepEquals, myKey) | ||
c.Assert(label, Equals, "some-label-enc") | ||
return tc.formatErr | ||
}) | ||
defer restore() | ||
|
||
dev, err := install.NewEncryptedDevice(&mockDeviceStructure, myKey, "some-label") | ||
c.Assert(calls, Equals, 1) | ||
if tc.err == "" { | ||
c.Assert(err, IsNil) | ||
} else { | ||
c.Assert(err, ErrorMatches, tc.err) | ||
continue | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We probably want to check here that There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Depending on the test case cryptsetup may have been called at this point (e.g. the open error is the result of a |
||
} | ||
c.Assert(dev.Node, Equals, "/dev/mapper/some-label") | ||
|
||
err = dev.Close() | ||
c.Assert(err, IsNil) | ||
|
||
c.Assert(s.mockCryptsetup.Calls(), DeepEquals, [][]string{ | ||
{"cryptsetup", "open", "--key-file", "-", "/dev/node1", "some-label"}, | ||
{"cryptsetup", "close", "some-label"}, | ||
}) | ||
} | ||
} | ||
|
||
err = dev.Close() | ||
c.Assert(err, IsNil) | ||
func (s *encryptSuite) TestAddRecoveryKey(c *C) { | ||
for _, tc := range []struct { | ||
addErr error | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Same comment as above, i.e. maybe slightly more verbose what the relation of addErr and err is? Somehting like "mockedAddErr, expectedErr" maybe ? |
||
err string | ||
}{ | ||
{addErr: nil, err: ""}, | ||
{addErr: errors.New("add key error"), err: "add key error"}, | ||
} { | ||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Extra whitespace |
||
s.mockCryptsetup = testutil.MockCommand(c, "cryptsetup", "") | ||
s.AddCleanup(s.mockCryptsetup.Restore) | ||
|
||
// create empty key to prevent blocking on lack of system entropy | ||
myKey := secboot.EncryptionKey{} | ||
for i := range myKey { | ||
myKey[i] = byte(i) | ||
} | ||
myRKey := secboot.RecoveryKey{15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0} | ||
|
||
restore := install.MockSecbootFormatEncryptedDevice(func(key secboot.EncryptionKey, label, node string) error { | ||
return nil | ||
}) | ||
defer restore() | ||
|
||
calls := 0 | ||
restore = install.MockSecbootAddRecoveryKey(func(key secboot.EncryptionKey, rkey secboot.RecoveryKey, node string) error { | ||
calls++ | ||
c.Assert(key, DeepEquals, myKey) | ||
c.Assert(rkey, DeepEquals, myRKey) | ||
c.Assert(node, Equals, "/dev/node1") | ||
return tc.addErr | ||
}) | ||
defer restore() | ||
|
||
dev, err := install.NewEncryptedDevice(&mockDeviceStructure, myKey, "some-label") | ||
c.Assert(err, IsNil) | ||
|
||
err = dev.AddRecoveryKey(myKey, myRKey) | ||
c.Assert(calls, Equals, 1) | ||
if tc.err == "" { | ||
c.Assert(err, IsNil) | ||
} else { | ||
c.Assert(err, ErrorMatches, tc.err) | ||
continue | ||
} | ||
|
||
err = dev.Close() | ||
c.Assert(err, IsNil) | ||
|
||
c.Assert(s.mockCryptsetup.Calls(), DeepEquals, [][]string{ | ||
{"cryptsetup", "open", "--key-file", "-", "/dev/node1", "some-label"}, | ||
{"cryptsetup", "close", "some-label"}, | ||
}) | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some small comments would be nice here, i.e. we have three times "err" - either some small comment or soemthing like:
(or similar)