gopkg.in/ubuntu-core/snappy.v0@v0.0.0-20210902073436-25a8614f10a6/secboot/encrypt_sb_test.go (about) 1 // -*- Mode: Go; indent-tabs-mode: t -*- 2 // +build !nosecboot 3 4 /* 5 * Copyright (C) 2021 Canonical Ltd 6 * 7 * This program is free software: you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License version 3 as 9 * published by the Free Software Foundation. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 * You should have received a copy of the GNU General Public License 17 * along with this program. If not, see <http://www.gnu.org/licenses/>. 18 * 19 */ 20 21 package secboot_test 22 23 import ( 24 "errors" 25 "io/ioutil" 26 "path/filepath" 27 28 sb "github.com/snapcore/secboot" 29 . "gopkg.in/check.v1" 30 31 "github.com/snapcore/snapd/osutil" 32 "github.com/snapcore/snapd/secboot" 33 ) 34 35 func (s *encryptSuite) TestFormatEncryptedDevice(c *C) { 36 for _, tc := range []struct { 37 initErr error 38 err string 39 }{ 40 {initErr: nil, err: ""}, 41 {initErr: errors.New("some error"), err: "some error"}, 42 } { 43 // create empty key to prevent blocking on lack of system entropy 44 myKey := secboot.EncryptionKey{} 45 for i := range myKey { 46 myKey[i] = byte(i) 47 } 48 49 calls := 0 50 restore := secboot.MockSbInitializeLUKS2Container(func(devicePath, label string, key []byte, 51 opts *sb.InitializeLUKS2ContainerOptions) error { 52 calls++ 53 c.Assert(devicePath, Equals, "/dev/node") 54 c.Assert(label, Equals, "my label") 55 c.Assert(key, DeepEquals, []byte(myKey)) 56 c.Assert(opts, DeepEquals, &sb.InitializeLUKS2ContainerOptions{ 57 MetadataKiBSize: 2048, 58 KeyslotsAreaKiBSize: 2560, 59 KDFOptions: &sb.KDFOptions{ 60 MemoryKiB: 32, 61 ForceIterations: 4, 62 }, 63 }) 64 return tc.initErr 65 }) 66 defer restore() 67 68 err := secboot.FormatEncryptedDevice(myKey, "my label", "/dev/node") 69 c.Assert(calls, Equals, 1) 70 if tc.err == "" { 71 c.Assert(err, IsNil) 72 } else { 73 c.Assert(err, ErrorMatches, tc.err) 74 } 75 } 76 } 77 78 const mockedMeminfo = `MemTotal: 929956 kB 79 CmaTotal: 131072 kB 80 ` 81 82 func (s *encryptSuite) TestAddRecoveryKey(c *C) { 83 mockedMeminfoFile := filepath.Join(c.MkDir(), "meminfo") 84 err := ioutil.WriteFile(mockedMeminfoFile, []byte(mockedMeminfo), 0644) 85 c.Assert(err, IsNil) 86 restore := osutil.MockProcMeminfo(mockedMeminfoFile) 87 defer restore() 88 89 for _, tc := range []struct { 90 addErr error 91 err string 92 }{ 93 {addErr: nil, err: ""}, 94 {addErr: errors.New("some error"), err: "some error"}, 95 } { 96 // create empty key to prevent blocking on lack of system entropy 97 myKey := secboot.EncryptionKey{} 98 for i := range myKey { 99 myKey[i] = byte(i) 100 } 101 102 myRecoveryKey := secboot.RecoveryKey{15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0} 103 104 calls := 0 105 restore := secboot.MockSbAddRecoveryKeyToLUKS2Container(func(devicePath string, key []byte, recoveryKey sb.RecoveryKey, opts *sb.KDFOptions) error { 106 calls++ 107 c.Assert(devicePath, Equals, "/dev/node") 108 c.Assert(recoveryKey[:], DeepEquals, myRecoveryKey[:]) 109 c.Assert(key, DeepEquals, []byte(myKey)) 110 c.Assert(opts, DeepEquals, &sb.KDFOptions{ 111 // (TotalMem - CmaMem - 384MB hardcoded) / 2 112 MemoryKiB: int((929956 - 131072 - 384*1024) / 2), 113 ForceIterations: 4, 114 }) 115 return tc.addErr 116 }) 117 defer restore() 118 119 err := secboot.AddRecoveryKey(myKey, myRecoveryKey, "/dev/node") 120 c.Assert(calls, Equals, 1) 121 if tc.err == "" { 122 c.Assert(err, IsNil) 123 } else { 124 c.Assert(err, ErrorMatches, tc.err) 125 } 126 } 127 }