def test_luks2_integrity(self):
    """Check that a LUKS 2 device can be created with integrity protection.

    The loop device is formatted with ``hmac(sha256)`` integrity and opened.
    The integrity algorithm and tag size reported by libblockdev are then
    compared with the requested algorithm and the value the kernel exposes
    in sysfs.
    """
    mapping = "libblockdevTestLUKS"

    luks_opts = BlockDev.CryptoLUKSExtra()
    luks_opts.integrity = "hmac(sha256)"

    # NOTE(review): "aes-cbc-essiv:sha256" is the fixture value used by these
    # tests; cryptsetup's own default cipher spec for LUKS is aes-xts-plain64.
    formatted = BlockDev.crypto_luks_format(self.loop_dev, "aes-cbc-essiv:sha256", 512, PASSWD, None, 0,
                                            BlockDev.CryptoLUKSVersion.LUKS2, luks_opts)
    self.assertTrue(formatted)

    opened = BlockDev.crypto_luks_open(self.loop_dev, mapping, PASSWD, None, False)
    self.assertTrue(opened)

    integrity = BlockDev.crypto_integrity_info(mapping)
    self.assertIsNotNone(integrity)
    self.assertEqual(integrity.algorithm, "hmac(sha256)")

    # get integrity device dm name
    # NOTE(review): the device name is interpolated into a command string;
    # presumably fine for a loop device created by the fixture, but an
    # externally supplied path would need quoting if run_command uses a shell.
    loop_name = self.loop_dev.rsplit("/", 1)[-1]
    _ret, int_name, _err = run_command('ls /sys/block/%s/holders/' % loop_name)
    self.assertTrue(int_name)  # true == not empty

    # the tag size libblockdev reports must agree with the kernel's view
    sysfs_tag = read_file("/sys/block/%s/integrity/tag_size" % int_name)
    self.assertEqual(integrity.tag_size, int(sysfs_tag))

    closed = BlockDev.crypto_luks_close(mapping)
    self.assertTrue(closed)
def test_luks2_format(self):
    """Check the information reported for an opened LUKS 2 device.

    Formats the loop device as LUKS 2 with a 4096-byte sector size, opens
    it, and verifies version, cipher, mode, backing device, sector size and
    UUID as returned by ``crypto_luks_info``.
    """
    mapping = "libblockdevTestLUKS"

    luks_opts = BlockDev.CryptoLUKSExtra()
    luks_opts.sector_size = 4096

    formatted = BlockDev.crypto_luks_format(self.loop_dev, "aes-cbc-essiv:sha256", 0, PASSWD, None, 0,
                                            BlockDev.CryptoLUKSVersion.LUKS2, luks_opts)
    self.assertTrue(formatted)

    opened = BlockDev.crypto_luks_open(self.loop_dev, mapping, PASSWD, None, False)
    self.assertTrue(opened)

    luks_info = BlockDev.crypto_luks_info(mapping)
    self.assertIsNotNone(luks_info)

    # the cipher spec passed to format comes back split into cipher and mode
    self.assertEqual(luks_info.version, BlockDev.CryptoLUKSVersion.LUKS2)
    self.assertEqual(luks_info.cipher, "aes")
    self.assertEqual(luks_info.mode, "cbc-essiv:sha256")
    self.assertEqual(luks_info.backing_device, self.loop_dev)
    self.assertEqual(luks_info.sector_size, 4096)

    # cross-check the UUID against what blkid probes from the device itself
    _ret, probed_uuid, _err = run_command("blkid -p -ovalue -sUUID %s" % self.loop_dev)
    self.assertEqual(luks_info.uuid, probed_uuid)

    closed = BlockDev.crypto_luks_close(mapping)
    self.assertTrue(closed)
def _create(self, **kwargs):
    """Format the device as LUKS, filling in PBKDF settings when none were given.

    For LUKS 2 without explicit PBKDF arguments, the arguments stored in
    ``luks_data`` are reused. If there are none, a memory limit is obtained
    from ``crypto.calculate_luks2_max_memory()`` and, when one is returned,
    used as ``max_memory_kb`` and stored in ``luks_data``.

    NOTE(review): the memory limit presumably reflects the RAM available on
    this system -- confirm in crypto.calculate_luks2_max_memory(). A lower
    memory cost also lowers the cost of offline passphrase guessing, so the
    logged limit is worth checking on small-memory installs.
    """
    log_method_call(self, device=self.device,
                    type=self.type, status=self.status)
    super(LUKS, self)._create(**kwargs)  # set up the event sync

    wants_defaults = not self.pbkdf_args and self.luks_version == "luks2"
    if wants_defaults:
        if luks_data.pbkdf_args:
            # reuse the PBKDF arguments already stored in luks_data
            self.pbkdf_args = luks_data.pbkdf_args
        else:
            memory_cap = crypto.calculate_luks2_max_memory()
            if memory_cap:
                self.pbkdf_args = LUKS2PBKDFArgs(max_memory_kb=int(memory_cap.convert_to(KiB)))
                luks_data.pbkdf_args = self.pbkdf_args
                # only the memory limit is logged, never the passphrase or key file
                log.info("PBKDF arguments for LUKS2 not specified, using defaults with memory limit %s", memory_cap)

    # extra stays None when there are no PBKDF arguments to pass on
    extra = None
    if self.pbkdf_args:
        # hash=None: no PBKDF hash is chosen here (presumably the library
        # default applies -- confirm)
        kdf_spec = blockdev.CryptoLUKSPBKDF(type=self.pbkdf_args.type,
                                            hash=None,
                                            max_memory_kb=self.pbkdf_args.max_memory_kb,
                                            iterations=self.pbkdf_args.iterations,
                                            time_ms=self.pbkdf_args.time_ms)
        extra = blockdev.CryptoLUKSExtra(pbkdf=kdf_spec)

    blockdev.crypto.luks_format(self.device,
                                passphrase=self.__passphrase,
                                key_file=self._key_file,
                                cipher=self.cipher,
                                key_size=self.key_size,
                                min_entropy=self.min_luks_entropy,
                                luks_version=crypto.LUKS_VERSIONS[self.luks_version],
                                extra=extra)
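def test_luks2_format(self):
    """Verify that formatting a device as LUKS 2 works.

    Covers the rejection of a format request with neither passphrase nor
    key file, then formatting with a passphrase, a key file, a passphrase
    blob, and finally explicit LUKS 2 extra options.
    """
    # no passphrase nor keyfile -- formatting must be refused
    with self.assertRaises(GLib.GError):
        BlockDev.crypto_luks_format(self.loop_dev, None, 0, None, None, 0)

    # the simple case with password
    succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-cbc-essiv:sha256", 0, PASSWD, None, 0)
    self.assertTrue(succ)

    # create with a keyfile
    succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-cbc-essiv:sha256", 0, None, self.keyfile, 0)
    self.assertTrue(succ)

    # the simple case with password blob (passphrase passed as a list of byte values)
    succ = BlockDev.crypto_luks_format_blob(self.loop_dev, "aes-cbc-essiv:sha256", 0, [ord(c) for c in PASSWD], 0)
    self.assertTrue(succ)

    # simple case with extra options
    extra = BlockDev.CryptoLUKSExtra()
    extra.integrity = None
    extra.label = "blockdevLUKS"

    succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-cbc-essiv:sha256", 0, None, self.keyfile, 0,
                                       BlockDev.CryptoLUKSVersion.LUKS2, extra)
    # the result of the last format call was previously left unchecked
    self.assertTrue(succ)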
def _create_luks_integrity(self, device, passphrase):
    """Format *device* as LUKS 2 with ``hmac(sha256)`` integrity via libblockdev.

    Skips the calling test when the dm-integrity kernel module is not
    available.

    NOTE(review): the boolean returned by crypto_luks_format is discarded;
    failures are presumably raised as GLib.GError by the bindings -- confirm.
    """
    have_integrity = BlockDev.utils_have_kernel_module('dm-integrity')
    if not have_integrity:
        self.skipTest('dm-integrity kernel module not available, skipping.')

    # UDisks doesn't support creating LUKS2 with integrity, we need to use libblockdev
    luks_opts = BlockDev.CryptoLUKSExtra()
    luks_opts.integrity = 'hmac(sha256)'

    # NOTE(review): the cipher spec and key size are test fixture values;
    # cryptsetup's own default cipher spec for LUKS is aes-xts-plain64.
    BlockDev.crypto_luks_format(device, 'aes-cbc-essiv:sha256', 512, passphrase, None, 0,
                                BlockDev.CryptoLUKSVersion.LUKS2, luks_opts)
def test_luks2_format(self):
    """Verify that formatting a device as LUKS 2 works.

    Exercises passphrase, key file and passphrase-blob formatting, then
    LUKS 2 extra options: a label and several PBKDF configurations whose
    effect is read back from ``cryptsetup luksDump``.
    """
    cipher = "aes-cbc-essiv:sha256"

    def format_luks2(extra):
        """Format the loop device as LUKS 2 with the key file and *extra*; assert success."""
        ok = BlockDev.crypto_luks_format(self.loop_dev, cipher, 0, None, self.keyfile, 0,
                                         BlockDev.CryptoLUKSVersion.LUKS2, extra)
        self.assertTrue(ok)

    def luks_dump():
        """Return (stdout, stderr) of ``cryptsetup luksDump`` for the loop device."""
        _ret, out, err = run_command("cryptsetup luksDump %s" % self.loop_dev)
        return out, err

    def dump_field(pattern, out, err):
        """Return the single group *pattern* captures in *out*; fail the test otherwise."""
        found = re.search(pattern, out)
        if not found or len(found.groups()) != 1:
            self.fail("Failed to get pbkdf information from:\n%s %s" % (out, err))
        return found.group(1)

    # no passphrase nor keyfile -- formatting must be refused
    with self.assertRaises(GLib.GError):
        BlockDev.crypto_luks_format(self.loop_dev, None, 0, None, None, 0)

    # the simple case with password
    self.assertTrue(BlockDev.crypto_luks_format(self.loop_dev, cipher, 0, PASSWD, None, 0))

    # create with a keyfile
    self.assertTrue(BlockDev.crypto_luks_format(self.loop_dev, cipher, 0, None, self.keyfile, 0))

    # the simple case with password blob (passphrase passed as a list of byte values)
    passwd_bytes = [ord(c) for c in PASSWD]
    self.assertTrue(BlockDev.crypto_luks_format_blob(self.loop_dev, cipher, 0, passwd_bytes, 0))

    # simple case with extra options
    format_luks2(BlockDev.CryptoLUKSExtra(label="blockdevLUKS"))
    _ret, label, _err = run_command("lsblk -oLABEL -n %s" % self.loop_dev)
    self.assertEqual(label, "blockdevLUKS")

    # different key derivation function
    # (pbkdf2 is used to check the option is honoured; unlike argon2id it is not memory-hard)
    format_luks2(BlockDev.CryptoLUKSExtra(pbkdf=BlockDev.CryptoLUKSPBKDF(type="pbkdf2")))
    out, err = luks_dump()
    self.assertEqual(dump_field(r"PBKDF:\s*(\S+)\s*", out, err), "pbkdf2")

    # different options for argon2 -- all parameters set
    all_set = BlockDev.CryptoLUKSPBKDF(type="argon2id", max_memory_kb=100 * 1024, iterations=10,
                                       parallel_threads=1)
    format_luks2(BlockDev.CryptoLUKSExtra(pbkdf=all_set))
    out, err = luks_dump()
    self.assertEqual(dump_field(r"PBKDF:\s*(\S+)\s*", out, err), "argon2id")
    # both iterations and memory is set --> cryptsetup will use exactly max_memory_kb
    self.assertEqual(int(dump_field(r"Memory:\s*(\d+)\s*", out, err)), 100 * 1024)
    self.assertEqual(int(dump_field(r"Threads:\s*(\d+)\s*", out, err)), 1)
    self.assertEqual(int(dump_field(r"Time cost:\s*(\d+)\s*", out, err)), 10)

    # different options for argon2 -- only memory set
    memory_only = BlockDev.CryptoLUKSPBKDF(max_memory_kb=100 * 1024)
    format_luks2(BlockDev.CryptoLUKSExtra(pbkdf=memory_only))
    out, err = luks_dump()
    # only memory is set -> cryptsetup will run a benchmark and use
    # at most max_memory_kb
    self.assertLessEqual(int(dump_field(r"Memory:\s*(\d+)\s*", out, err)), 100 * 1024)

    # different options for argon2 -- only iterations set
    iterations_only = BlockDev.CryptoLUKSPBKDF(iterations=5)
    format_luks2(BlockDev.CryptoLUKSExtra(pbkdf=iterations_only))
    out, err = luks_dump()
    self.assertEqual(int(dump_field(r"Time cost:\s*(\d+)\s*", out, err)), 5)