
  1. #!/bin/bash -ex
  2. # vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
  3. #
  4. # Copyright (c) 2019 Red Hat, Inc.
  5. # Author: Sergio Correia <scorreia@redhat.com>
  6. #
  7. # This program is free software: you can redistribute it and/or modify
  8. # it under the terms of the GNU General Public License as published by
  9. # the Free Software Foundation, either version 3 of the License, or
  10. # (at your option) any later version.
  11. #
  12. # This program is distributed in the hope that it will be useful,
  13. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. # GNU General Public License for more details.
  16. #
  17. # You should have received a copy of the GNU General Public License
  18. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  19. #
  20. TEST="${0}"
  21. . tests-common-functions
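#######################################
# EXIT-trap handler: remove the scratch directory created by this test.
# Globals:   TMP (read) - scratch directory, assigned after the trap is set
# Arguments: none
# Returns:   0 (the directory is removed only if it exists)
#######################################
on_exit() {
    # TMP is assigned only after 'trap on_exit EXIT' is installed, so it may
    # still be empty here; '-d ""' is false, which skips the removal.
    if [ -d "${TMP}" ]; then
        # '--' keeps a path that starts with '-' from being parsed as an option.
        rm -rf -- "${TMP}"
    fi
}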
  25. trap 'on_exit' EXIT
  26. trap 'exit' ERR
  27. TMP="$(mktemp -d)"
  28. ADV="${TMP}/adv.jws"
  29. create_tang_adv "${ADV}"
  30. CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
  31. # LUKS1.
  32. DEV="${TMP}/luks1-device"
  33. UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
# We can have a "partially" used slot if it is an inactive slot that already
# has a UUID:
# 1 inactive cb6e8904-81ff-40da-a84a-07ab9ab5715e
# We end up in this situation if the cryptsetup step adding the key failed,
# for instance because we provided a wrong passphrase, and luksmeta saved
# data anyway. We used to have an issue with the clevis luks bind script, in
# which we would still run luksmeta save even if the cryptsetup step failed.
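#######################################
# Bind the device with the tang pin and verify that the LUKSmeta slot ends up
# active and carrying the expected UUID.
# Globals:   CFG (read)  - pin configuration passed to 'clevis luks bind'
#            UUID (read) - the UUID the slot is expected to hold afterwards
#            TEST (read) - prefix for diagnostic messages
# Arguments: $1 - LUKS device to bind
#            $2 - passphrase fed to 'clevis luks bind' (a test fixture value;
#                 note that it is echoed in the failure message)
#            $3 - LUKSmeta slot number to verify
# Outputs:   diagnostics to stderr via error()
# Returns:   0 when the slot is active with the expected UUID; failures are
#            reported through error()
#######################################
bind_and_verify() {
    local dev="${1}"
    local pass="${2}"
    local slt="${3}"
    local state uuid

    if ! clevis luks bind -f -d "${dev}" tang "${CFG}" <<< "${pass}"; then
        error "${TEST}: Binding is expected to succeed when given a correct (${pass}) password." >&2
    fi
    # Select the slot by exact first field: a '^N *' prefix match would also
    # accept slots 10, 11, ... when N is 1.
    if ! read -r _ state uuid < <(luksmeta show -d "${dev}" \
            | awk -v slot="${slt}" '$1 == slot'); then
        error "${TEST}: Error reading LUKSmeta info for slot ${slt} of ${dev}." >&2
    fi
    if [ "${state}" != "active" ]; then
        error "${TEST}: state (${state}) is expected to be 'active'." >&2
    fi
    if [ "${uuid}" != "${UUID}" ]; then
        error "${TEST}: UUID ($uuid) is expected to be '${UUID}'." >&2
    fi
}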
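SLT=1
NEW_PASS="new-pass"
PASS="${DEFAULT_PASS}"
WRONG_PASS="wrong-password-here"

new_device "luks1" "${DEV}"
luksmeta init -f -d "${DEV}"

# Feed a wrong existing passphrase followed by the new one. luksAddKey must
# reject it, which leaves slot 1 inactive. printf emits exactly
# "<wrong>\n<new>" (the former 'echo; echo -n' pair) without relying on
# echo's option handling.
if cryptsetup luksAddKey "${DEV}" < <(printf '%s\n%s' "${WRONG_PASS}" "${NEW_PASS}"); then
    error "${TEST}: cryptsetup should not succeed in adding key when given a wrong passphrase." >&2
fi

# The cryptsetup step failed, so the luksmeta slot is inactive right now.
# Reproduce the old clevis luks bind bug by saving the UUID there anyway.
printf '%s\n' "foo" | luksmeta save -d "${DEV}" -u "${UUID}"

# Verify we have slot 1 like this:
# 1 inactive cb6e8904-81ff-40da-a84a-07ab9ab5715e
# The slot is selected by exact first field: a '^1 *' prefix match would also
# accept slots 10, 11, ...
if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" \
        | awk -v slot="${SLT}" '$1 == slot'); then
    error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2
fi
if [ "${state}" != "inactive" ]; then
    error "${TEST}: state (${state}) is expected to be 'inactive', in case #1." >&2
fi
if [ "${uuid}" != "${UUID}" ]; then
    error "${TEST}: UUID ($uuid) is expected to be '${UUID}', in case #1." >&2
fi

# A correct passphrase must still bind successfully despite the stale UUID
# left in the inactive slot.
bind_and_verify "${DEV}" "${PASS}" "1"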