author | Eric Biggers <ebiggers@google.com> | 2024-04-29 19:44:52 +0000 |
---|---|---|
committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2024-04-29 19:44:52 +0000 |
commit | b76e6b02d41654959b4c2222c4eee8a91dbf166a (patch) | |
tree | 9b05d7aa54a5fbc5689b43288c16f4e2648295c4 | |
parent | 7f3f3523a768fed683f056c4908ac5593f60751c (diff) | |
parent | 84d097d452a0b4bb7e77cecf77dc9d99ca721f2b (diff) | |
-rw-r--r-- | encryption/file_based_encryption_tests.cpp | 42 |
1 files changed, 27 insertions, 15 deletions
diff --git a/encryption/file_based_encryption_tests.cpp b/encryption/file_based_encryption_tests.cpp
index 8f28ec16..b7717fa2 100644
--- a/encryption/file_based_encryption_tests.cpp
+++ b/encryption/file_based_encryption_tests.cpp
@@ -623,7 +623,7 @@ bool FBEPolicyTest::CreateAndSetHwWrappedKey(std::vector<uint8_t> *enc_key,
 enum {
 kSkipIfNoPolicySupport = 1 << 0,
 kSkipIfNoCryptoAPISupport = 1 << 1,
- kSkipIfNoHardwareSupport = 1 << 2,
+ kSkipIfInlineEncryptionNotUsable = 1 << 2,
 };
 
 // Returns 0 if encryption policies that include the inode number in the IVs
@@ -682,7 +682,8 @@ bool FBEPolicyTest::SetEncryptionPolicy(int contents_mode, int filenames_mode,
 << std::hex << flags << std::dec << Errno();
 return false;
 }
- if (skip_flags & (kSkipIfNoCryptoAPISupport | kSkipIfNoHardwareSupport)) {
+ if (skip_flags &
+ (kSkipIfNoCryptoAPISupport | kSkipIfInlineEncryptionNotUsable)) {
 android::base::unique_fd fd(
 open(test_file_.c_str(), O_WRONLY | O_CREAT | O_CLOEXEC, 0600));
 if (fd < 0) {
@@ -696,13 +697,21 @@ bool FBEPolicyTest::SetEncryptionPolicy(int contents_mode, int filenames_mode,
 "unsupported on this kernel, due to missing crypto API support";
 return false;
 }
- // We get EINVAL here when using a hardware-wrapped key and the inline
- // encryption hardware supports wrapped keys but doesn't support the
- // number of DUN bytes that the file contents encryption requires.
- if (errno == EINVAL && (skip_flags & kSkipIfNoHardwareSupport)) {
+ // We get EINVAL here when we're using a hardware-wrapped key, the device
+ // has inline encryption hardware that supports hardware-wrapped keys, and
+ // there are hardware or kernel limitations that make it impossible for
+ // inline encryption to actually be used with the policy. For example:
+ //
+ // - The device's inline encryption hardware doesn't support the number
+ // of DUN bytes needed for file contents encryption.
+ //
+ // - The policy uses the IV_INO_LBLK_32 flag, and the filesystem block
+ // size differs from the page size. (Kernel limitation.)
+ if (errno == EINVAL && (skip_flags & kSkipIfInlineEncryptionNotUsable)) {
 GTEST_LOG_(INFO)
- << "Skipping test because encryption policy is not compatible with "
- "this device's inline encryption hardware";
+ << "Skipping test because encryption policy requires inline "
+ "encryption, but inline encryption is unsupported with this "
+ "policy on this device due to hardware or kernel limitations";
 return false;
 }
 }
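Review bot: The `errno == EINVAL` branch in SetEncryptionPolicy cannot tell the limitations listed in the new comment apart from any other EINVAL the kernel returns, and the comment's "For example" leaves the set of causes open-ended. The branch only logs at INFO and returns false, and the callers shown later in this diff simply `return`, so an unexpected EINVAL on a hardware-wrapped-key policy appears to end the test without a failure and without the ciphertext checks running. I would put the evidence into the skip message so a triager can confirm which limitation applied, for example by appending `<< " (flags=0x" << std::hex << flags << std::dec << ", page size=" << getpagesize() << ")"`. `flags` is used in this function's earlier error path, but the function starts and ends outside the hunk, so confirm it is still in scope at this point.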
@@ -960,11 +969,11 @@ TEST_F(FBEPolicyTest, TestAesInlineCryptOptimizedHwWrappedKeyPolicy) { std::vector<uint8_t> enc_key, sw_secret; if (!CreateAndSetHwWrappedKey(&enc_key, &sw_secret)) return; - if (!SetEncryptionPolicy( - FSCRYPT_MODE_AES_256_XTS, FSCRYPT_MODE_AES_256_CTS, - FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64, - // 64-bit DUN support is not guaranteed. - kSkipIfNoHardwareSupport | GetSkipFlagsForInoBasedEncryption())) + if (!SetEncryptionPolicy(FSCRYPT_MODE_AES_256_XTS, FSCRYPT_MODE_AES_256_CTS, + FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64, + // 64-bit DUN support is not guaranteed. + kSkipIfInlineEncryptionNotUsable | + GetSkipFlagsForInoBasedEncryption())) return; TestFileInfo file_info; @@ -1102,9 +1111,12 @@ TEST_F(FBEPolicyTest, TestAesEmmcOptimizedHwWrappedKeyPolicy) { std::vector<uint8_t> enc_key, sw_secret; if (!CreateAndSetHwWrappedKey(&enc_key, &sw_secret)) return; + int skip_flags = GetSkipFlagsForInoBasedEncryption(); + if (kFilesystemBlockSize != getpagesize()) + skip_flags |= kSkipIfInlineEncryptionNotUsable; + if (!SetEncryptionPolicy(FSCRYPT_MODE_AES_256_XTS, FSCRYPT_MODE_AES_256_CTS, - FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32, - GetSkipFlagsForInoBasedEncryption())) + FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32, skip_flags)) return; TestFileInfo file_info; |
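Review bot: The new `if (kFilesystemBlockSize != getpagesize())` in TestAesEmmcOptimizedHwWrappedKeyPolicy carries no comment explaining why the skip flag is conditional, whereas the sibling call in TestAesInlineCryptOptimizedHwWrappedKeyPolicy keeps its `// 64-bit DUN support is not guaranteed.` note; the rationale is only written down inside SetEncryptionPolicy. I would add above the condition: `// With IV_INO_LBLK_32 the kernel cannot use inline encryption when the filesystem block size differs from the page size, so tolerate EINVAL only in that case.` `kFilesystemBlockSize` is defined outside this hunk and its name suggests a compile-time constant; if the filesystem under test can be formatted with a different block size, the comparison would need the actual value, so that assumption is worth stating in the same comment. Both test bodies continue past the end of the hunk.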