def test_luks2_integrity(self):
"""Verify that we can get create a LUKS 2 device with integrity"""
extra = BlockDev.CryptoLUKSExtra()
extra.integrity = "hmac(sha256)"
succ = BlockDev.crypto_luks_format(self.loop_dev,
"aes-cbc-essiv:sha256", 512, PASSWD,
None, 0,
BlockDev.CryptoLUKSVersion.LUKS2,
extra)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS",
PASSWD, None, False)
self.assertTrue(succ)
info = BlockDev.crypto_integrity_info("libblockdevTestLUKS")
self.assertIsNotNone(info)
self.assertEqual(info.algorithm, "hmac(sha256)")
# get integrity device dm name
_ret, int_name, _err = run_command('ls /sys/block/%s/holders/' %
self.loop_dev.split("/")[-1])
self.assertTrue(int_name) # true == not empty
tag_size = read_file("/sys/block/%s/integrity/tag_size" % int_name)
self.assertEqual(info.tag_size, int(tag_size))
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
def test_luks2_format(self):
"""Verify that we can get information about a LUKS 2 device"""
extra = BlockDev.CryptoLUKSExtra()
extra.sector_size = 4096
succ = BlockDev.crypto_luks_format(self.loop_dev,
"aes-cbc-essiv:sha256", 0, PASSWD,
None, 0,
BlockDev.CryptoLUKSVersion.LUKS2,
extra)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS",
PASSWD, None, False)
self.assertTrue(succ)
info = BlockDev.crypto_luks_info("libblockdevTestLUKS")
self.assertIsNotNone(info)
self.assertEqual(info.version, BlockDev.CryptoLUKSVersion.LUKS2)
self.assertEqual(info.cipher, "aes")
self.assertEqual(info.mode, "cbc-essiv:sha256")
self.assertEqual(info.backing_device, self.loop_dev)
self.assertEqual(info.sector_size, 4096)
_ret, uuid, _err = run_command("blkid -p -ovalue -sUUID %s" %
self.loop_dev)
self.assertEqual(info.uuid, uuid)
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
def _create(self, **kwargs):
log_method_call(self, device=self.device,
type=self.type, status=self.status)
super(LUKS, self)._create(**kwargs) # set up the event sync
if not self.pbkdf_args and self.luks_version == "luks2":
if luks_data.pbkdf_args:
self.pbkdf_args = luks_data.pbkdf_args
else:
mem_limit = crypto.calculate_luks2_max_memory()
if mem_limit:
self.pbkdf_args = LUKS2PBKDFArgs(max_memory_kb=int(mem_limit.convert_to(KiB)))
luks_data.pbkdf_args = self.pbkdf_args
log.info("PBKDF arguments for LUKS2 not specified, using defaults with memory limit %s", mem_limit)
if self.pbkdf_args:
pbkdf = blockdev.CryptoLUKSPBKDF(type=self.pbkdf_args.type,
hash=None,
max_memory_kb=self.pbkdf_args.max_memory_kb,
iterations=self.pbkdf_args.iterations,
time_ms=self.pbkdf_args.time_ms)
extra = blockdev.CryptoLUKSExtra(pbkdf=pbkdf)
else:
extra = None
blockdev.crypto.luks_format(self.device,
passphrase=self.__passphrase,
key_file=self._key_file,
cipher=self.cipher,
key_size=self.key_size,
min_entropy=self.min_luks_entropy,
luks_version=crypto.LUKS_VERSIONS[self.luks_version],
extra=extra)
def test_luks2_format(self):
"""Verify that formating device as LUKS 2 works"""
# no passphrase nor keyfile
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_format(self.loop_dev, None, 0, None, None, 0)
# the simple case with password
succ = BlockDev.crypto_luks_format(self.loop_dev,
"aes-cbc-essiv:sha256", 0, PASSWD,
None, 0)
self.assertTrue(succ)
# create with a keyfile
succ = BlockDev.crypto_luks_format(self.loop_dev,
"aes-cbc-essiv:sha256", 0, None,
self.keyfile, 0)
self.assertTrue(succ)
# the simple case with password blob
succ = BlockDev.crypto_luks_format_blob(self.loop_dev,
"aes-cbc-essiv:sha256", 0,
[ord(c) for c in PASSWD], 0)
self.assertTrue(succ)
# simple case with extra options
extra = BlockDev.CryptoLUKSExtra()
extra.integrity = None
extra.label = "blockdevLUKS"
succ = BlockDev.crypto_luks_format(self.loop_dev,
"aes-cbc-essiv:sha256", 0, None,
self.keyfile, 0,
BlockDev.CryptoLUKSVersion.LUKS2,
extra)
def _create_luks_integrity(self, device, passphrase):
if not BlockDev.utils_have_kernel_module('dm-integrity'):
self.skipTest('dm-integrity kernel module not available, skipping.')
# UDisks doesn't support creating LUKS2 with integrity, we need to use libblockdev
extra = BlockDev.CryptoLUKSExtra()
extra.integrity = 'hmac(sha256)'
BlockDev.crypto_luks_format(device, 'aes-cbc-essiv:sha256', 512, passphrase,
None, 0, BlockDev.CryptoLUKSVersion.LUKS2, extra)
def test_luks2_format(self):
"""Verify that formating device as LUKS 2 works"""
# no passphrase nor keyfile
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_format(self.loop_dev, None, 0, None, None, 0)
# the simple case with password
succ = BlockDev.crypto_luks_format(self.loop_dev,
"aes-cbc-essiv:sha256", 0, PASSWD,
None, 0)
self.assertTrue(succ)
# create with a keyfile
succ = BlockDev.crypto_luks_format(self.loop_dev,
"aes-cbc-essiv:sha256", 0, None,
self.keyfile, 0)
self.assertTrue(succ)
# the simple case with password blob
succ = BlockDev.crypto_luks_format_blob(self.loop_dev,
"aes-cbc-essiv:sha256", 0,
[ord(c) for c in PASSWD], 0)
self.assertTrue(succ)
# simple case with extra options
extra = BlockDev.CryptoLUKSExtra(label="blockdevLUKS")
succ = BlockDev.crypto_luks_format(self.loop_dev,
"aes-cbc-essiv:sha256", 0, None,
self.keyfile, 0,
BlockDev.CryptoLUKSVersion.LUKS2,
extra)
self.assertTrue(succ)
_ret, label, _err = run_command("lsblk -oLABEL -n %s" % self.loop_dev)
self.assertEqual(label, "blockdevLUKS")
# different key derivation function
pbkdf = BlockDev.CryptoLUKSPBKDF(type="pbkdf2")
extra = BlockDev.CryptoLUKSExtra(pbkdf=pbkdf)
succ = BlockDev.crypto_luks_format(self.loop_dev,
"aes-cbc-essiv:sha256", 0, None,
self.keyfile, 0,
BlockDev.CryptoLUKSVersion.LUKS2,
extra)
self.assertTrue(succ)
_ret, out, err = run_command("cryptsetup luksDump %s" % self.loop_dev)
m = re.search(r"PBKDF:\s*(\S+)\s*", out)
if not m or len(m.groups()) != 1:
self.fail("Failed to get pbkdf information from:\n%s %s" %
(out, err))
self.assertEqual(m.group(1), "pbkdf2")
# different options for argon2 -- all parameters set
pbkdf = BlockDev.CryptoLUKSPBKDF(type="argon2id",
max_memory_kb=100 * 1024,
iterations=10,
parallel_threads=1)
extra = BlockDev.CryptoLUKSExtra(pbkdf=pbkdf)
succ = BlockDev.crypto_luks_format(self.loop_dev,
"aes-cbc-essiv:sha256", 0, None,
self.keyfile, 0,
BlockDev.CryptoLUKSVersion.LUKS2,
extra)
self.assertTrue(succ)
_ret, out, err = run_command("cryptsetup luksDump %s" % self.loop_dev)
m = re.search(r"PBKDF:\s*(\S+)\s*", out)
if not m or len(m.groups()) != 1:
self.fail("Failed to get pbkdf information from:\n%s %s" %
(out, err))
self.assertEqual(m.group(1), "argon2id")
m = re.search(r"Memory:\s*(\d+)\s*", out)
if not m or len(m.groups()) != 1:
self.fail("Failed to get pbkdf information from:\n%s %s" %
(out, err))
# both iterations and memory is set --> cryptsetup will use exactly max_memory_kb
self.assertEqual(int(m.group(1)), 100 * 1024)
m = re.search(r"Threads:\s*(\d+)\s*", out)
if not m or len(m.groups()) != 1:
self.fail("Failed to get pbkdf information from:\n%s %s" %
(out, err))
self.assertEqual(int(m.group(1)), 1)
m = re.search(r"Time cost:\s*(\d+)\s*", out)
if not m or len(m.groups()) != 1:
self.fail("Failed to get pbkdf information from:\n%s %s" %
(out, err))
self.assertEqual(int(m.group(1)), 10)
# different options for argon2 -- only memory set
pbkdf = BlockDev.CryptoLUKSPBKDF(max_memory_kb=100 * 1024)
extra = BlockDev.CryptoLUKSExtra(pbkdf=pbkdf)
succ = BlockDev.crypto_luks_format(self.loop_dev,
"aes-cbc-essiv:sha256", 0, None,
self.keyfile, 0,
BlockDev.CryptoLUKSVersion.LUKS2,
extra)
self.assertTrue(succ)
_ret, out, err = run_command("cryptsetup luksDump %s" % self.loop_dev)
m = re.search(r"Memory:\s*(\d+)\s*", out)
if not m or len(m.groups()) != 1:
self.fail("Failed to get pbkdf information from:\n%s %s" %
(out, err))
# only memory is set -> cryptsetup will run a benchmark and use
# at most max_memory_kb
self.assertLessEqual(int(m.group(1)), 100 * 1024)
# different options for argon2 -- only miterations set
pbkdf = BlockDev.CryptoLUKSPBKDF(iterations=5)
extra = BlockDev.CryptoLUKSExtra(pbkdf=pbkdf)
succ = BlockDev.crypto_luks_format(self.loop_dev,
"aes-cbc-essiv:sha256", 0, None,
self.keyfile, 0,
BlockDev.CryptoLUKSVersion.LUKS2,
extra)
self.assertTrue(succ)
_ret, out, err = run_command("cryptsetup luksDump %s" % self.loop_dev)
m = re.search(r"Time cost:\s*(\d+)\s*", out)
if not m or len(m.groups()) != 1:
self.fail("Failed to get pbkdf information from:\n%s %s" %
(out, err))
self.assertEqual(int(m.group(1)), 5)
