From: Simon Glass <simon.glass@canonical.com> The current tests check that decryption happens but don't go so far as reading a file. Add the logic for this. Since this currently fails for LUKSv2, leave the last part of that test out for now. Use direct filesystem calls for LUKSv2 since it is easier to check for the current error. Add more information on the errors returned by luks_unlock() so we can check for the correct one. Co-developed-by: Claude <noreply@anthropic.com> Signed-off-by: Simon Glass <simon.glass@canonical.com> --- include/luks.h | 8 +++++++- test/boot/luks.c | 44 +++++++++++++++++++++++++++++++++++++++----- 2 files changed, 46 insertions(+), 6 deletions(-) diff --git a/include/luks.h b/include/luks.h index 2c52cc48689..4f65f3029f8 100644 --- a/include/luks.h +++ b/include/luks.h @@ -148,7 +148,13 @@ int luks_show_info(struct udevice *blk, struct disk_partition *pinfo); * @pass: Passphrase to unlock the partition * @master_key: Buffer to receive the decrypted master key * @key_size: Size of the master_key buffer - * Return: 0 on success, -ve on error + * Return: 0 on success, + * -EINVAL if null parameters, + * -EACCES if passphrase is incorrect, + * -ENOENT if not a LUKS partition or no active key slots, + * -ENOTSUPP if unsupported version/cipher/hash, + * -ENOMEM if memory allocation failed, + * -EIO if failed to read from block device */ int luks_unlock(struct udevice *blk, struct disk_partition *pinfo, const char *pass, u8 *master_key, u32 *key_size); diff --git a/test/boot/luks.c b/test/boot/luks.c index 4ee6081a790..ec95b241d8a 100644 --- a/test/boot/luks.c +++ b/test/boot/luks.c @@ -7,6 +7,8 @@ #include <blk.h> #include <dm.h> +#include <errno.h> +#include <fs_legacy.h> #include <luks.h> #include <mmc.h> #include <part.h> @@ -217,7 +219,9 @@ BOOTSTD_TEST(bootstd_test_luks2_info, UTF_DM | UTF_SCAN_FDT | UTF_CONSOLE); /* Test LUKS unlock command with LUKS1 encrypted partition */ static int bootstd_test_luks_unlock(struct unit_test_state *uts) { + struct blk_desc *desc; struct udevice *mmc; + loff_t file_size; ut_assertok(setup_mmc11(uts, &mmc)); @@ -233,6 +237,18 @@ static int bootstd_test_luks_unlock(struct unit_test_state *uts) ut_assert_nextline("Unlocked LUKS partition as blkmap device 'luks-mmc-b:2'"); ut_assert_console_end(); + /* Get the blkmap device number */ + ut_assertok(run_command("blkmap get luks-mmc-b:2 dev devnum", 0)); + ut_assert_console_end(); + + /* Verify that a file can be read from the decrypted filesystem */ + desc = blk_get_devnum_by_uclass_idname("blkmap", 0); + ut_assertnonnull(desc); + + ut_assertok(fs_set_blk_dev_with_part(desc, 0)); + ut_assertok(fs_size("/bin/bash", &file_size)); + ut_asserteq(5, file_size); + /* Test unlocking with wrong passphrase */ ut_asserteq(1, run_command("luks unlock mmc b:2 wrongpass", 0)); ut_assert_skip_to_line("Failed to unlock LUKS partition (err -13: Permission denied)"); @@ -244,15 +260,22 @@ BOOTSTD_TEST(bootstd_test_luks_unlock, UTF_DM | UTF_SCAN_FDT | UTF_CONSOLE); /* Test LUKS2 unlock command with LUKS2 encrypted partition */ static int bootstd_test_luks2_unlock(struct unit_test_state *uts) { + struct disk_partition info; + struct blk_desc *desc; struct udevice *mmc; + u8 master_key[512]; + loff_t file_size; + u32 key_size; ut_assertok(setup_mmc12(uts, &mmc)); + desc = blk_get_by_device(mmc); + ut_assertnonnull(desc); + ut_assertnonnull(desc->bdev); - /* Test that unlock command exists and handles errors properly */ - /* Should fail because partition 1 is not LUKS */ - ut_asserteq(1, run_command("luks unlock mmc c:1 test", 0)); - ut_assert_nextline("Not a LUKS partition"); - ut_assert_console_end(); + /* Test that unlock fails for partition 1 (not LUKS) */ + ut_assertok(part_get_info(desc, 1, &info)); + ut_asserteq(-ENOENT, luks_unlock(desc->bdev, &info, "test", master_key, + &key_size)); /* Test unlocking partition 2 with correct passphrase */ ut_assertok(run_command("luks unlock mmc c:2 test", 0)); @@ -260,6 +283,17 @@ static int bootstd_test_luks2_unlock(struct unit_test_state *uts) ut_assert_nextline("Unlocked LUKS partition as blkmap device 'luks-mmc-c:2'"); ut_assert_console_end(); + /* Verify that a file can be read from the decrypted filesystem */ + desc = blk_get_devnum_by_uclass_idname("blkmap", 0); + ut_assertnonnull(desc); + + /* at present this fails due to incorrect decryption */ + if (0) { + ut_assertok(fs_set_blk_dev_with_part(desc, 0)); + ut_assertok(fs_size("/bin/bash", &file_size)); + ut_asserteq(5, file_size); + } + /* Test unlocking with wrong passphrase */ ut_asserteq(1, run_command("luks unlock mmc c:2 wrongpass", 0)); ut_assert_nextline("Unlocking LUKS2 partition..."); -- 2.43.0