From patchwork Mon Dec 8 12:39:53 2025
X-Patchwork-Submitter: Simon Glass
X-Patchwork-Id: 856
From: Simon Glass
To: U-Boot Concept
Date: Mon, 8 Dec 2025 05:39:53 -0700
Message-ID: <20251208124001.775057-5-sjg@u-boot.org>
In-Reply-To: <20251208124001.775057-1-sjg@u-boot.org>
References: <20251208124001.775057-1-sjg@u-boot.org>
CC: Simon Glass, Claude
Subject: [Concept] [PATCH 4/7] test: luks: Add test for pre-derived master key unlock
List-Id: Discussion and patches related to U-Boot Concept

From: Simon Glass

Add a test for the LUKS pre-derived master key unlock path using mmc14.
The test verifies that:
- A LUKS partition can be unlocked with the correct pre-derived key
- Files can be read from the decrypted filesystem
- Unlock fails with an incorrect pre-derived key

This exercises the -p flag path in the luks unlock command.

Co-developed-by: Claude
Signed-off-by: Simon Glass
--- test/boot/luks.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/test/boot/luks.c b/test/boot/luks.c index dfd6f7b411c..339c7d7fc94 100644 --- a/test/boot/luks.c +++ b/test/boot/luks.c 
@@ -299,3 +299,55 @@ static int bootstd_test_luks2_unlock(struct unit_test_state *uts) return 0; } BOOTSTD_TEST(bootstd_test_luks2_unlock, UTF_DM | UTF_SCAN_FDT | UTF_CONSOLE); + +/* Setup mmc14 device */ +static int setup_mmc14(struct unit_test_state *uts, struct udevice **mmcp) +{ + ut_assertok(setup_mmc_device(uts, "mmc14", mmcp)); + + return 0; +} + +/* Test LUKS2 unlock with pre-derived master key on mmc14 */ +static int bootstd_test_luks2_unlock_prederived(struct unit_test_state *uts) +{ + struct blk_desc *desc; + struct udevice *mmc; + loff_t file_size; + + /* + * mmc14 is encrypted with a known master key: + * bytes([0x20 + (i & 0x3f) for i in range(64)]) + * This tests the pre_derived=true path in luks_unlock() + */ + ut_assertok(setup_mmc14(uts, &mmc)); + + /* Test unlocking partition 2 with pre-derived master key (-p flag) */ + ut_assertok(run_command("luks unlock -p mmc e:2 " + "202122232425262728292a2b2c2d2e2f" + "303132333435363738393a3b3c3d3e3f" + "404142434445464748494a4b4c4d4e4f" + "505152535455565758595a5b5c5d5e5f", 0)); + ut_assert_nextline("Unlocking LUKS2 partition..."); + ut_assert_nextline("Unlocked LUKS partition as blkmap device 'luks-mmc-e:2'"); + ut_assert_console_end(); + + /* Verify that a file can be read from the decrypted filesystem */ + desc = blk_get_devnum_by_uclass_idname("blkmap", 0); + ut_assertnonnull(desc); + + ut_assertok(fs_set_blk_dev_with_part(desc, 0)); + ut_assertok(fs_size("/bin/bash", &file_size)); + ut_asserteq(5, file_size); + + /* Test unlocking with wrong pre-derived key */ + ut_asserteq(1, run_command("luks unlock -p mmc e:2 " + "0000000000000000000000000000000000000000000000000000000000000000" + "0000000000000000000000000000000000000000000000000000000000000000", 0)); + ut_assert_nextline("Unlocking LUKS2 partition..."); + ut_assert_skip_to_line("Failed to unlock LUKS partition (err -13: Permission denied)"); + + return 0; +} +BOOTSTD_TEST(bootstd_test_luks2_unlock_prederived, + UTF_DM | UTF_SCAN_FDT | 
UTF_CONSOLE);
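
Review bot: The wrong-key case at the end of bootstd_test_luks2_unlock_prederived() runs while the blkmap device 'luks-mmc-e:2' from the earlier successful unlock is still present, and it ends on ut_assert_skip_to_line() with no ut_assert_console_end(), so the test confirms the -13 message but not that a rejected key leaves no mapping or unexpected output behind. Consider running the all-zero key attempt before the successful unlock, asserting that no blkmap device exists afterwards, and closing that case with ut_assert_console_end(). The only rejected input is a full-length all-zero key; a key that differs from the known one in a single byte, and a short or non-hex -p argument, would cover the key comparison and the argument parsing as well. setup_mmc14() only wraps setup_mmc_device(uts, "mmc14", mmcp) and could be called directly.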