From patchwork Wed Nov 12 12:42:43 2025
X-Patchwork-Submitter: Simon Glass
X-Patchwork-Id: 688
From: Simon Glass
To: U-Boot Concept
Date: Wed, 12 Nov 2025 05:42:43 -0700
Message-ID: <20251112124252.1081477-3-sjg@u-boot.org>
In-Reply-To: <20251112124252.1081477-1-sjg@u-boot.org>
References: <20251112124252.1081477-1-sjg@u-boot.org>
CC: Simon Glass, Claude
Subject: [Concept] [PATCH 2/5] luks: test: Check file access in the decryption tests

From: Simon Glass

The current tests check that decryption happens but don't go so far as reading a file. Add the logic for this.

Since this currently fails for LUKSv2, leave the last part of that test out for now.

Use direct filesystem calls for LUKSv2 since it is easier to check for the current error.

Add more information on the errors returned by luks_unlock() so we can check for the correct one.

Co-developed-by: Claude
Signed-off-by: Simon Glass
--- include/luks.h | 8 +++++++- test/boot/luks.c | 44 +++++++++++++++++++++++++++++++++++++++----- 2 files changed, 46 insertions(+), 6 deletions(-) diff --git a/include/luks.h b/include/luks.h index 2c52cc48689..4f65f3029f8 100644 --- a/include/luks.h +++ b/include/luks.h
@@ -148,7 +148,13 @@ int luks_show_info(struct udevice *blk, struct disk_partition *pinfo); * @pass: Passphrase to unlock the partition * @master_key: Buffer to receive the decrypted master key * @key_size: Size of the master_key buffer - * Return: 0 on success, -ve on error + * Return: 0 on success, + * -EINVAL if null parameters, + * -EACCES if passphrase is incorrect, + * -ENOENT if not a LUKS partition or no active key slots, + * -ENOTSUPP if unsupported version/cipher/hash, + * -ENOMEM if memory allocation failed, + * -EIO if failed to read from block device */ int luks_unlock(struct udevice *blk, struct disk_partition *pinfo, const char *pass, u8 *master_key, u32 *key_size); diff --git a/test/boot/luks.c b/test/boot/luks.c index 4ee6081a790..ec95b241d8a 100644 --- a/test/boot/luks.c +++ b/test/boot/luks.c @@ -7,6 +7,8 @@ #include #include +#include +#include #include #include #include @@ -217,7 +219,9 @@ BOOTSTD_TEST(bootstd_test_luks2_info, UTF_DM | UTF_SCAN_FDT | UTF_CONSOLE); /* Test LUKS unlock command with LUKS1 encrypted partition */ static int bootstd_test_luks_unlock(struct unit_test_state *uts) { + struct blk_desc *desc; struct udevice *mmc; + loff_t file_size; ut_assertok(setup_mmc11(uts, &mmc)); 
@@ -233,6 +237,18 @@ static int bootstd_test_luks_unlock(struct unit_test_state *uts) ut_assert_nextline("Unlocked LUKS partition as blkmap device 'luks-mmc-b:2'"); ut_assert_console_end(); + /* Get the blkmap device number */ + ut_assertok(run_command("blkmap get luks-mmc-b:2 dev devnum", 0)); + ut_assert_console_end(); + + /* Verify that a file can be read from the decrypted filesystem */ + desc = blk_get_devnum_by_uclass_idname("blkmap", 0); + ut_assertnonnull(desc); + + ut_assertok(fs_set_blk_dev_with_part(desc, 0)); + ut_assertok(fs_size("/bin/bash", &file_size)); + ut_asserteq(5, file_size); + /* Test unlocking with wrong passphrase */ ut_asserteq(1, run_command("luks unlock mmc b:2 wrongpass", 0)); ut_assert_skip_to_line("Failed to unlock LUKS partition (err -13: Permission denied)"); @@ -244,15 +260,22 @@ BOOTSTD_TEST(bootstd_test_luks_unlock, UTF_DM | UTF_SCAN_FDT | UTF_CONSOLE); /* Test LUKS2 unlock command with LUKS2 encrypted partition */ static int bootstd_test_luks2_unlock(struct unit_test_state *uts) { + struct disk_partition info; + struct blk_desc *desc; struct udevice *mmc; + u8 master_key[512]; + loff_t file_size; + u32 key_size; ut_assertok(setup_mmc12(uts, &mmc)); + desc = blk_get_by_device(mmc); + ut_assertnonnull(desc); + ut_assertnonnull(desc->bdev); - /* Test that unlock command exists and handles errors properly */ - /* Should fail because partition 1 is not LUKS */ - ut_asserteq(1, run_command("luks unlock mmc c:1 test", 0)); - ut_assert_nextline("Not a LUKS partition"); - ut_assert_console_end(); + /* Test that unlock fails for partition 1 (not LUKS) */ + ut_assertok(part_get_info(desc, 1, &info)); + ut_asserteq(-ENOENT, luks_unlock(desc->bdev, &info, "test", master_key, + &key_size)); /* Test unlocking partition 2 with correct passphrase */ ut_assertok(run_command("luks unlock mmc c:2 test", 0)); 
@@ -260,6 +283,17 @@ static int bootstd_test_luks2_unlock(struct unit_test_state *uts) ut_assert_nextline("Unlocked LUKS partition as blkmap device 'luks-mmc-c:2'"); ut_assert_console_end(); + /* Verify that a file can be read from the decrypted filesystem */ + desc = blk_get_devnum_by_uclass_idname("blkmap", 0); + ut_assertnonnull(desc); + + /* at present this fails due to incorrect decryption */ + if (0) { + ut_assertok(fs_set_blk_dev_with_part(desc, 0)); + ut_assertok(fs_size("/bin/bash", &file_size)); + ut_asserteq(5, file_size); + } + /* Test unlocking with wrong passphrase */ ut_asserteq(1, run_command("luks unlock mmc c:2 wrongpass", 0)); ut_assert_nextline("Unlocking LUKS2 partition...");
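Review bot: In the luks_unlock() Return list in include/luks.h, -ENOENT is documented for two different conditions ("not a LUKS partition or no active key slots"), so a caller cannot tell a non-LUKS partition from a LUKS header whose key slots are all inactive. Consider a distinct code for one of them, or state in the comment that the two are deliberately merged. This hunk only changes the comment, so each listed code should be checked against the implementation; the tests in this patch only exercise -ENOENT and -EACCES (the "err -13: Permission denied" line).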
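Review bot: In bootstd_test_luks_unlock(), the device number fetched by "blkmap get luks-mmc-b:2 dev devnum" is never used: the lookup that follows is blk_get_devnum_by_uclass_idname("blkmap", 0) with a literal 0. Either read the devnum variable back and pass it to the lookup, or drop the command, since as written the test only passes while the LUKS blkmap happens to be device 0. The expected value in ut_asserteq(5, file_size) would also benefit from a comment saying where the 5-byte /bin/bash comes from in the test image.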
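Review bot: In the setup part of bootstd_test_luks2_unlock(), key_size is passed to luks_unlock() uninitialised, while the header documents @key_size as "Size of the master_key buffer". Set it to sizeof(master_key) before the call so the test does not depend on luks_unlock() rejecting partition 1 before it reads that value. Switching to a direct call also removes the check of the command's "Not a LUKS partition" message, so that console path is no longer covered by this test.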
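Review bot: The "if (0)" block added after the LUKS2 unlock in bootstd_test_luks2_unlock() means the test still passes while decryption is known to be incorrect, and nothing reports the file check as disabled at run time. A TODO in the comment stating what has to be fixed before the block is enabled would make this easier to track. Until then, the preceding blkmap lookup with a literal device number 0 only shows that the device exists, not that its contents are readable.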