def _luks_open_close(self, create_fn):
"""Verify that opening/closing LUKS device works"""
succ = create_fn(self.loop_dev, PASSWD, self.keyfile)
self.assertTrue(succ)
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_open("/non/existing/device", "libblockdevTestLUKS", PASSWD, None, False)
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS", None, None, False)
with six.assertRaisesRegex(self, GLib.GError, r"Incorrect passphrase"):
BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS", "wrong-passhprase", None, False)
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS", None, "wrong-keyfile", False)
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS", PASSWD, None, False)
self.assertTrue(succ)
# use the full /dev/mapper/ path
succ = BlockDev.crypto_luks_close("/dev/mapper/libblockdevTestLUKS")
self.assertTrue(succ)
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS", None, self.keyfile, False)
self.assertTrue(succ)
# use just the LUKS device name
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
def _luks_open_rw(self, create_fn):
"""Verify that a LUKS device can be activated as RW as well as RO"""
succ = create_fn(self.loop_dev, PASSWD, None)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS",
PASSWD, None, False)
self.assertTrue(succ)
# tests that we can write something to the raw LUKS device
succ = BlockDev.utils_exec_and_report_error([
"dd", "if=/dev/zero", "of=/dev/mapper/libblockdevTestLUKS",
"bs=1M", "count=1"
])
self.assertTrue(succ)
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
# now try the same with LUKS device opened as RO
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS",
PASSWD, None, True)
self.assertTrue(succ)
# tests that we can write something to the raw LUKS device
with self.assertRaises(GLib.GError):
BlockDev.utils_exec_and_report_error([
"dd", "if=/dev/zero", "of=/dev/mapper/libblockdevTestLUKS",
"bs=1M", "count=1"
])
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
def test_luks_open_close(self):
"""Verify that opening/closing LUKS device works"""
succ = BlockDev.crypto_luks_format(self.loop_dev, None, 0, PASSWD, self.keyfile, 0)
self.assertTrue(succ)
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_open("/non/existing/device", "libblockdevTestLUKS", PASSWD, None, False)
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS", None, None, False)
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS", "wrong-passhprase", None, False)
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS", None, "wrong-keyfile", False)
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS", PASSWD, None, False)
self.assertTrue(succ)
# use the full /dev/mapper/ path
succ = BlockDev.crypto_luks_close("/dev/mapper/libblockdevTestLUKS")
self.assertTrue(succ)
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS", None, self.keyfile, False)
self.assertTrue(succ)
# use just the LUKS device name
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
def test_luks_open_rw(self):
"""Verify that a LUKS device can be activated as RW as well as RO"""
succ = BlockDev.crypto_luks_format(self.loop_dev, None, 0, PASSWD, None, 0)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS", PASSWD, None, False)
self.assertTrue(succ)
# tests that we can write something to the raw LUKS device
succ = BlockDev.utils_exec_and_report_error(["dd", "if=/dev/zero", "of=/dev/mapper/libblockdevTestLUKS", "bs=1M", "count=1"])
self.assertTrue(succ)
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
# now try the same with LUKS device opened as RO
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS", PASSWD, None, True)
self.assertTrue(succ)
# tests that we can write something to the raw LUKS device
with self.assertRaises(GLib.GError):
BlockDev.utils_exec_and_report_error(["dd", "if=/dev/zero", "of=/dev/mapper/libblockdevTestLUKS", "bs=1M", "count=1"])
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
def test_luks2_integrity(self):
"""Verify that we can get create a LUKS 2 device with integrity"""
if not BlockDev.utils_have_kernel_module("dm-integrity"):
self.skipTest('dm-integrity kernel module not available, skipping.')
extra = BlockDev.CryptoLUKSExtra()
extra.integrity = "hmac(sha256)"
succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-cbc-essiv:sha256", 512, PASSWD, None, 0,
BlockDev.CryptoLUKSVersion.LUKS2, extra)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS", PASSWD, None, False)
self.assertTrue(succ)
info = BlockDev.crypto_integrity_info("libblockdevTestLUKS")
self.assertIsNotNone(info)
self.assertEqual(info.algorithm, "hmac(sha256)")
# get integrity device dm name
_ret, int_name, _err = run_command('ls /sys/block/%s/holders/' % self.loop_dev.split("/")[-1])
self.assertTrue(int_name) # true == not empty
tag_size = read_file("/sys/block/%s/integrity/tag_size" % int_name)
self.assertEqual(info.tag_size, int(tag_size))
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
def test_luks2_format(self):
"""Verify that we can get information about a LUKS 2 device"""
extra = BlockDev.CryptoLUKSExtra()
extra.sector_size = 4096
succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-cbc-essiv:sha256", 256, PASSWD, None, 0,
BlockDev.CryptoLUKSVersion.LUKS2, extra)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS", PASSWD, None, False)
self.assertTrue(succ)
info = BlockDev.crypto_luks_info("libblockdevTestLUKS")
self.assertIsNotNone(info)
self.assertEqual(info.version, BlockDev.CryptoLUKSVersion.LUKS2)
self.assertEqual(info.cipher, "aes")
self.assertEqual(info.mode, "cbc-essiv:sha256")
self.assertEqual(info.backing_device, self.loop_dev)
self.assertEqual(info.sector_size, 4096)
_ret, uuid, _err = run_command("blkid -p -ovalue -sUUID %s" % self.loop_dev)
self.assertEqual(info.uuid, uuid)
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
def _luks_header_backup_restore(self, create_fn):
succ = create_fn(self.loop_dev, PASSWD, None)
self.assertTrue(succ)
backup_file = os.path.join(self.backup_dir, "luks-header.txt")
succ = BlockDev.crypto_luks_header_backup(self.loop_dev, backup_file)
self.assertTrue(succ)
self.assertTrue(os.path.isfile(backup_file))
# now completely destroy the luks header
ret, out, err = run_command("cryptsetup erase %s -q && wipefs -a %s" % (self.loop_dev, self.loop_dev))
if ret != 0:
self.fail("Failed to erase LUKS header from %s:\n%s %s" % (self.loop_dev, out, err))
_ret, fstype, _err = run_command("blkid -p -ovalue -sTYPE %s" % self.loop_dev)
self.assertFalse(fstype) # false == empty
# header is destroyed, should not be possible to open
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS", PASSWD, None)
# and restore the header back
succ = BlockDev.crypto_luks_header_restore(self.loop_dev, backup_file)
self.assertTrue(succ)
_ret, fstype, _err = run_command("blkid -p -ovalue -sTYPE %s" % self.loop_dev)
self.assertEqual(fstype, "crypto_LUKS")
# opening should now work
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS", PASSWD)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
def _luks_kill_slot(self, create_fn):
succ = create_fn(self.loop_dev, PASSWD, None)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_add_key(self.loop_dev, PASSWD, None, PASSWD2, None)
self.assertTrue(succ)
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_kill_slot("/non/existing/device", -1)
# invalid slot
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_kill_slot(self.loop_dev, -1)
# unused slot
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_kill_slot(self.loop_dev, 2)
# destroy second keyslot
succ = BlockDev.crypto_luks_kill_slot(self.loop_dev, 1)
self.assertTrue(succ)
# opening with the second passphrase should fail
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS", PASSWD2)
# opening with passphrase should still work
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS", PASSWD)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
def test_luks_format(self):
"""Verify that we can get information about a LUKS device"""
succ = BlockDev.crypto_luks_format(self.loop_dev,
"aes-cbc-essiv:sha256", 0, PASSWD,
None, 0)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS",
PASSWD, None, False)
self.assertTrue(succ)
info = BlockDev.crypto_luks_info("libblockdevTestLUKS")
self.assertIsNotNone(info)
self.assertEqual(info.version, BlockDev.CryptoLUKSVersion.LUKS1)
self.assertEqual(info.cipher, "aes")
self.assertEqual(info.mode, "cbc-essiv:sha256")
self.assertEqual(info.backing_device, self.loop_dev)
_ret, uuid, _err = run_command("blkid -p -ovalue -sUUID %s" %
self.loop_dev)
self.assertEqual(info.uuid, uuid)
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
def test_luks2_integrity(self):
"""Verify that we can get create a LUKS 2 device with integrity"""
extra = BlockDev.CryptoLUKSExtra()
extra.integrity = "hmac(sha256)"
succ = BlockDev.crypto_luks_format(self.loop_dev,
"aes-cbc-essiv:sha256", 512, PASSWD,
None, 0,
BlockDev.CryptoLUKSVersion.LUKS2,
extra)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS",
PASSWD, None, False)
self.assertTrue(succ)
info = BlockDev.crypto_integrity_info("libblockdevTestLUKS")
self.assertIsNotNone(info)
self.assertEqual(info.algorithm, "hmac(sha256)")
# get integrity device dm name
_ret, int_name, _err = run_command('ls /sys/block/%s/holders/' %
self.loop_dev.split("/")[-1])
self.assertTrue(int_name) # true == not empty
tag_size = read_file("/sys/block/%s/integrity/tag_size" % int_name)
self.assertEqual(info.tag_size, int(tag_size))
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
def test_luks2_resize(self):
"""Verify that resizing LUKS 2 device works"""
# the simple case with password
succ = self._luks2_format(self.loop_dev, PASSWD, self.keyfile)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS", PASSWD, None, False)
self.assertTrue(succ)
# resize without passphrase should fail if key is saved in keyring
if self._get_key_location("libblockdevTestLUKS") == "keyring":
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_resize("libblockdevTestLUKS", 1024)
# resize to 512 KiB (1024 * 512B sectors)
succ = BlockDev.crypto_luks_resize("libblockdevTestLUKS", 1024, PASSWD)
self.assertTrue(succ)
# resize back to full size (using the keyfile)
succ = BlockDev.crypto_luks_resize("libblockdevTestLUKS", 0, None, self.keyfile)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
def test_luks2_resize(self):
"""Verify that resizing LUKS 2 device works"""
# the simple case with password
succ = self._luks2_format(self.loop_dev, PASSWD, self.keyfile)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS",
PASSWD, None, False)
self.assertTrue(succ)
# resize without passphrase should fail
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_resize("libblockdevTestLUKS", 1024)
# resize to 512 KiB (1024 * 512B sectors)
succ = BlockDev.crypto_luks_resize("libblockdevTestLUKS", 1024, PASSWD)
self.assertTrue(succ)
# resize back to full size (using the keyfile)
succ = BlockDev.crypto_luks_resize("libblockdevTestLUKS", 0, None,
self.keyfile)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
def test_luks_status(self):
"""Verify that LUKS device status reporting works"""
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_status("/non/existing/device")
succ = BlockDev.crypto_luks_format(self.loop_dev, None, 0, PASSWD, None, 0)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS", PASSWD, None, False)
self.assertTrue(succ)
# use the full /dev/mapper path
status = BlockDev.crypto_luks_status("/dev/mapper/libblockdevTestLUKS")
self.assertEqual(status, "active")
# use just the LUKS device name
status = BlockDev.crypto_luks_status("libblockdevTestLUKS")
self.assertEqual(status, "active")
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_status("libblockdevTestLUKS")
def _luks_status(self, create_fn):
"""Verify that LUKS device status reporting works"""
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_status("/non/existing/device")
succ = create_fn(self.loop_dev, PASSWD, None)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS",
PASSWD, None, False)
self.assertTrue(succ)
# use the full /dev/mapper path
status = BlockDev.crypto_luks_status("/dev/mapper/libblockdevTestLUKS")
self.assertEqual(status, "active")
# use just the LUKS device name
status = BlockDev.crypto_luks_status("libblockdevTestLUKS")
self.assertEqual(status, "active")
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_status("libblockdevTestLUKS")
def _luks_suspend_resume(self, create_fn):
succ = create_fn(self.loop_dev, PASSWD, self.keyfile)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS",
PASSWD, None)
self.assertTrue(succ)
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_suspend("/non/existing/device")
# use the full /dev/mapper/ path
succ = BlockDev.crypto_luks_suspend("/dev/mapper/libblockdevTestLUKS")
self.assertTrue(succ)
_ret, state, _err = run_command(
"lsblk -oSTATE -n /dev/mapper/libblockdevTestLUKS")
self.assertEqual(state, "suspended")
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_resume("libblockdevTestLUKS", None, None)
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_resume("libblockdevTestLUKS",
"wrong-passhprase", None)
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_resume("libblockdevTestLUKS", None,
"wrong-keyfile")
succ = BlockDev.crypto_luks_resume("libblockdevTestLUKS", PASSWD, None)
self.assertTrue(succ)
_ret, state, _err = run_command(
"lsblk -oSTATE -n /dev/mapper/libblockdevTestLUKS")
self.assertEqual(state, "running")
# use just the LUKS device name
succ = BlockDev.crypto_luks_suspend("libblockdevTestLUKS")
self.assertTrue(succ)
_ret, state, _err = run_command(
"lsblk -oSTATE -n /dev/mapper/libblockdevTestLUKS")
self.assertEqual(state, "suspended")
succ = BlockDev.crypto_luks_resume("libblockdevTestLUKS", None,
self.keyfile)
self.assertTrue(succ)
_ret, state, _err = run_command(
"lsblk -oSTATE -n /dev/mapper/libblockdevTestLUKS")
self.assertEqual(state, "running")
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
def _clean_up(self):
try:
BlockDev.crypto_luks_close("libblockdevTestLUKS")
except:
pass
succ = BlockDev.loop_teardown(self.loop_dev)
if not succ:
os.unlink(self.dev_file)
raise RuntimeError("Failed to tear down loop device used for testing")
os.unlink(self.dev_file)
succ = BlockDev.loop_teardown(self.loop_dev2)
if not succ:
os.unlink(self.dev_file2)
raise RuntimeError("Failed to tear down loop device used for testing")
os.unlink(self.dev_file2)
os.unlink(self.keyfile)
def _clean_up(self):
try:
BlockDev.crypto_luks_close("libblockdevTestLUKS")
except:
pass
try:
delete_lio_device(self.loop_dev)
except RuntimeError:
# just move on, we can do no better here
pass
os.unlink(self.dev_file)
try:
delete_lio_device(self.loop_dev2)
except RuntimeError:
# just move on, we can do no better here
pass
os.unlink(self.dev_file2)
os.unlink(self.keyfile)
def _clean_up(self):
try:
BlockDev.crypto_luks_close("libblockdevTestLUKS")
except:
pass
try:
delete_lio_device(self.loop_dev)
except RuntimeError:
# just move on, we can do no better here
pass
os.unlink(self.dev_file)
try:
delete_lio_device(self.loop_dev2)
except RuntimeError:
# just move on, we can do no better here
pass
os.unlink(self.dev_file2)
os.unlink(self.keyfile)
def test_luks_open_close(self):
"""Verify that opening/closing LUKS device works"""
succ = BlockDev.crypto_luks_format(self.loop_dev, None, 0, PASSWD,
self.keyfile, 0)
self.assertTrue(succ)
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_open("/non/existing/device",
"libblockdevTestLUKS", PASSWD, None,
False)
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS",
None, None, False)
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS",
"wrong-passhprase", None, False)
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS",
None, "wrong-keyfile", False)
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS",
PASSWD, None, False)
self.assertTrue(succ)
# use the full /dev/mapper/ path
succ = BlockDev.crypto_luks_close("/dev/mapper/libblockdevTestLUKS")
self.assertTrue(succ)
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS",
None, self.keyfile, False)
self.assertTrue(succ)
# use just the LUKS device name
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
def _clean_up(self):
try:
BlockDev.crypto_luks_close("libblockdevTestLUKS")
except:
pass
succ = BlockDev.loop_teardown(self.loop_dev)
if not succ:
os.unlink(self.dev_file)
raise RuntimeError(
"Failed to tear down loop device used for testing")
os.unlink(self.dev_file)
succ = BlockDev.loop_teardown(self.loop_dev2)
if not succ:
os.unlink(self.dev_file2)
raise RuntimeError(
"Failed to tear down loop device used for testing")
os.unlink(self.dev_file2)
os.unlink(self.keyfile)
def _luks_open_close(self, create_fn):
"""Verify that opening/closing LUKS device works"""
succ = create_fn(self.loop_dev, PASSWD, self.keyfile)
self.assertTrue(succ)
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_open("/non/existing/device",
"libblockdevTestLUKS", PASSWD, None,
False)
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS",
None, None, False)
with six.assertRaisesRegex(self, GLib.GError, r"Incorrect passphrase"):
BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS",
"wrong-passhprase", None, False)
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS",
None, "wrong-keyfile", False)
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS",
PASSWD, None, False)
self.assertTrue(succ)
# use the full /dev/mapper/ path
succ = BlockDev.crypto_luks_close("/dev/mapper/libblockdevTestLUKS")
self.assertTrue(succ)
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS",
None, self.keyfile, False)
self.assertTrue(succ)
# use just the LUKS device name
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
def test_luks_open_rw(self):
"""Verify that opened LUKS device is usable (activated as RW)"""
succ = BlockDev.crypto_luks_format(self.loop_dev, None, 0, PASSWD, None, 0)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS", PASSWD, None)
self.assertTrue(succ)
# tests that we can write something to the raw LUKS device
succ = BlockDev.utils_exec_and_report_error(["dd", "if=/dev/zero", "of=/dev/mapper/libblockdevTestLUKS", "bs=1M", "count=1"])
self.assertTrue(succ)
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
def _luks_suspend_resume(self, create_fn):
succ = create_fn(self.loop_dev, PASSWD, self.keyfile)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS", PASSWD, None)
self.assertTrue(succ)
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_suspend("/non/existing/device")
# use the full /dev/mapper/ path
succ = BlockDev.crypto_luks_suspend("/dev/mapper/libblockdevTestLUKS")
self.assertTrue(succ)
_ret, state, _err = run_command("lsblk -oSTATE -n /dev/mapper/libblockdevTestLUKS")
self.assertEqual(state, "suspended")
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_resume("libblockdevTestLUKS", None, None)
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_resume("libblockdevTestLUKS", "wrong-passhprase", None)
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_resume("libblockdevTestLUKS", None, "wrong-keyfile")
succ = BlockDev.crypto_luks_resume("libblockdevTestLUKS", PASSWD, None)
self.assertTrue(succ)
_ret, state, _err = run_command("lsblk -oSTATE -n /dev/mapper/libblockdevTestLUKS")
self.assertEqual(state, "running")
# use just the LUKS device name
succ = BlockDev.crypto_luks_suspend("libblockdevTestLUKS")
self.assertTrue(succ)
_ret, state, _err = run_command("lsblk -oSTATE -n /dev/mapper/libblockdevTestLUKS")
self.assertEqual(state, "suspended")
succ = BlockDev.crypto_luks_resume("libblockdevTestLUKS", None, self.keyfile)
self.assertTrue(succ)
_ret, state, _err = run_command("lsblk -oSTATE -n /dev/mapper/libblockdevTestLUKS")
self.assertEqual(state, "running")
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
def test_resize(self):
"""Verify that resizing LUKS device works"""
# the simple case with password
succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-cbc-essiv:sha256", 0, PASSWD, None, 0)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS", PASSWD, None, False)
self.assertTrue(succ)
# resize to 512 KiB (1024 * 512B sectors)
succ = BlockDev.crypto_luks_resize("libblockdevTestLUKS", 1024)
self.assertTrue(succ)
# resize back to full size
succ = BlockDev.crypto_luks_resize("libblockdevTestLUKS", 0)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
def test_luks_open_rw(self):
"""Verify that opened LUKS device is usable (activated as RW)"""
succ = BlockDev.crypto_luks_format(self.loop_dev, None, 0, PASSWD,
None, 0)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS",
PASSWD, None)
self.assertTrue(succ)
# tests that we can write something to the raw LUKS device
succ = BlockDev.utils_exec_and_report_error([
"dd", "if=/dev/zero", "of=/dev/mapper/libblockdevTestLUKS",
"bs=1M", "count=1"
])
self.assertTrue(succ)
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
def _luks_header_backup_restore(self, create_fn):
succ = create_fn(self.loop_dev, PASSWD, None)
self.assertTrue(succ)
backup_file = os.path.join(self.backup_dir, "luks-header.txt")
succ = BlockDev.crypto_luks_header_backup(self.loop_dev, backup_file)
self.assertTrue(succ)
self.assertTrue(os.path.isfile(backup_file))
# now completely destroy the luks header
ret, out, err = run_command("cryptsetup erase %s -q && wipefs -a %s" %
(self.loop_dev, self.loop_dev))
if ret != 0:
self.fail("Failed to erase LUKS header from %s:\n%s %s" %
(self.loop_dev, out, err))
_ret, fstype, _err = run_command("blkid -p -ovalue -sTYPE %s" %
self.loop_dev)
self.assertFalse(fstype) # false == empty
# header is destroyed, should not be possible to open
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS",
PASSWD, None)
# and restore the header back
succ = BlockDev.crypto_luks_header_restore(self.loop_dev, backup_file)
self.assertTrue(succ)
_ret, fstype, _err = run_command("blkid -p -ovalue -sTYPE %s" %
self.loop_dev)
self.assertEqual(fstype, "crypto_LUKS")
# opening should now work
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS",
PASSWD)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
def test_luks_resize(self):
"""Verify that resizing LUKS device works"""
# the simple case with password
succ = self._luks_format(self.loop_dev, PASSWD, None)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS",
PASSWD, None, False)
self.assertTrue(succ)
# resize to 512 KiB (1024 * 512B sectors)
succ = BlockDev.crypto_luks_resize("libblockdevTestLUKS", 1024)
self.assertTrue(succ)
# resize back to full size
succ = BlockDev.crypto_luks_resize("libblockdevTestLUKS", 0)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
def _luks_kill_slot(self, create_fn):
succ = create_fn(self.loop_dev, PASSWD, None)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_add_key(self.loop_dev, PASSWD, None,
PASSWD2, None)
self.assertTrue(succ)
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_kill_slot("/non/existing/device", -1)
# invalid slot
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_kill_slot(self.loop_dev, -1)
# unused slot
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_kill_slot(self.loop_dev, 2)
# destroy second keyslot
succ = BlockDev.crypto_luks_kill_slot(self.loop_dev, 1)
self.assertTrue(succ)
# opening with the second passphrase should fail
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS",
PASSWD2)
# opening with passphrase should still work
succ = BlockDev.crypto_luks_open(self.loop_dev, "libblockdevTestLUKS",
PASSWD)
self.assertTrue(succ)
succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
self.assertTrue(succ)
