Inicio Explorar Ayuda
Iniciar sesión
phcoder
/
grub
forked de grub/grub
Seguir 1
Destacar 0
Fork 0
Archivos
Árbol: 03e6ea18f6
Ramas Etiquetas
grub
/
tests
/
util
/
grub-shell-luks-tester.in

grub-shell-luks-tester.in 10 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375 
  1. #! @BUILD_SHEBANG@ -e
    2. 

  2. 

  3. # Test GRUBs ability to read various LUKS containers
    4. 

  4. # Copyright (C) 2023  Free Software Foundation, Inc.
    5. 

  5. #
    6. 

  6. # GRUB is free software: you can redistribute it and/or modify
    7. 

  7. # it under the terms of the GNU General Public License as published by
    8. 

  8. # the Free Software Foundation, either version 3 of the License, or
    9. 

  9. # (at your option) any later version.
    10. 

  10. #
    11. 

  11. # GRUB is distributed in the hope that it will be useful,
    12. 

  12. # but WITHOUT ANY WARRANTY; without even the implied warranty of
    13. 

  13. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    14. 

  14. # GNU General Public License for more details.
    15. 

  15. #
    16. 

  16. # You should have received a copy of the GNU General Public License
    17. 

  17. # along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
    18. 

  18. 

  19. # Initialize some variables.
    20. 

  20. prefix="@prefix@"
    21. 

  21. exec_prefix="@exec_prefix@"
    22. 

  22. datarootdir="@datarootdir@"
    23. 

  23. builddir="@builddir@"
    24. 

  24. PACKAGE_NAME=@PACKAGE_NAME@
    25. 

  25. PACKAGE_TARNAME=@PACKAGE_TARNAME@
    26. 

  26. PACKAGE_VERSION=@PACKAGE_VERSION@
    27. 

  27. 

  28. # Force build directory components
    29. 

  29. PATH="${builddir}:$PATH"
    30. 

  30. export PATH
    31. 

  31. 

  32. grub_shell_opts=
    33. 

  33. disksize=20M
    34. 

  34. detached_header=
    35. 

  35. keyfile=
    36. 

  36. keyfile_offset=
    37. 

  37. keyfile_size=
    38. 

  38. KEYFILE_SIZE_MAX=4096
    39. 

  39. 

  40. debug="${GRUB_SHELL_LUKS_DEFAULT_DEBUG:-$GRUB_TEST_DEFAULT_DEBUG}"
    41. 

  41. GRUB_SHELL_LUKS_TIMEOUT=${GRUB_SHELL_LUKS_TIMEOUT:-${GRUB_SHELL_DEFAULT_TIMEOUT:-600s}}
    42. 

  42. 

  43. # Usage: usage
    44. 

  44. # Print the usage.
    45. 

  45. usage () {
    46. 

  46.     cat <<EOF
    47. 

  47. Usage: $0 [OPTION] [SOURCE]
    48. 

  48. Create a LUKS disk with cryptsetup, then verify that it is accessible by grub
    49. 

  49. running in a QEMU instance.
    50. 

  50. 

  51.   -h, --help              print this message and exit
    52. 

  52.   -v, --version           print the version information and exit
    53. 

  53.   --modules=MODULES       pre-load specified modules MODULES
    54. 

  54.   --qemu-opts=OPTIONS     extra options to pass to Qemu instance
    55. 

  55.   --cs-opts=OPTIONS       extra options to pass to cryptsetup instance
    56. 

  56.   --cs-script=FILE        script of cryptsetup commands to be run after format
    57. 

  57.   --luks=1|2              Use LUKS1 or LUKS2 volumes
    58. 

  58.   --detached-header       Use a detached header
    59. 

  59.   --keyfile[=FILE]        Use a randomly generated key file of size $KEYFILE_SIZE_MAX if not
    60. 

  60.                           given a FILE to use as the key file.
    61. 

  61. 

  62. $0 creates a LUKS disk with cryptsetup, then verify that it is accessible by
    63. 

  63. grub running in a QEMU instance.
    64. 

  64. 

  65. Report bugs to <bug-grub@gnu.org>.
    66. 

  66. EOF
    67. 

  67. }
    68. 

  68. 

  69. . "${builddir}/grub-core/modinfo.sh"
    70. 

  70. 

  71. # TODO: We should be selecting the drive based on disk id, change this once
    72. 

  72. # grub support searching by disk id.
    73. 

  73. disk="hd0"
    74. 

  74. case "${grub_modinfo_target_cpu}-${grub_modinfo_platform}" in
    75. 

  75.     i386-qemu)
    76. 

  76. 	disk="ata0"
    77. 

  77. 	;;
    78. 

  78.     loongarch64-efi)
    79. 

  79. 	disk="hd1"
    80. 

  80. 	;;
    81. 

  81. esac
    82. 

  82. 

  83. # Check the arguments.
    84. 

  84. for option in "$@"; do
    85. 

  85.     case "$option" in
    86. 

  86.     -h | --help)
    87. 

  87. 	usage
    88. 

  88. 	exit 0 ;;
    89. 

  89.     -v | --version)
    90. 

  90. 	echo "$0 (GNU GRUB ${PACKAGE_VERSION})"
    91. 

  91. 	exit 0 ;;
    92. 

  92.     -d | --debug)
    93. 

  93.         debug=$((${debug:-0}+1)) ;;
    94. 

  94.     --debug=*)
    95. 

  95.         debug=$((`echo "$option" | sed -e 's/--debug=//'`)) ;;
    96. 

  96.     --modules=*)
    97. 

  97. 	ms=`echo "$option" | sed -e 's/--modules=//'`
    98. 

  98. 	modules="$modules,$ms" ;;
    99. 

  99.     --qemu-opts=*)
    100. 

  100.         qs=`echo "$option" | sed -e 's/--qemu-opts=//'`
    101. 

  101.         qemuopts="$qemuopts $qs" ;;
    102. 

  102.     --cs-opts=*)
    103. 

  103.         qs=`echo "$option" | sed -e 's/--cs-opts=//'`
    104. 

  104.         csopts="$csopts $qs" ;;
    105. 

  105.     --cs-script=*)
    106. 

  106.         qs=`echo "$option" | sed -e 's/--cs-script=//'`
    107. 

  107.         csscripts="$csscripts $qs" ;;
    108. 

  108.     --luks=*)
    109. 

  109.         qs=`echo "$option" | sed -e 's/--luks=//'`
    110. 

  110.         csopts="$csopts --type luks$qs" ;;
    111. 

  111.     --detached-header)
    112. 

  112.         detached_header=1 ;;
    113. 

  113.     --keyfile=*)
    114. 

  114.         qs=`echo "$option" | sed -e 's/--keyfile=//'`
    115. 

  115.         keyfile="$qs" ;;
    116. 

  116.     --keyfile)
    117. 

  117.         keyfile=1 ;;
    118. 

  118.     --disksize=*)
    119. 

  119.         qs=`echo "$option" | sed -e 's/--disksize=//'`
    120. 

  120.         disksize="$qs" ;;
    121. 

  121.     -*)
    122. 

  122. 	echo "Unrecognized option \`$option'" 1>&2
    123. 

  123. 	usage
    124. 

  124. 	exit 3
    125. 

  125. 	;;
    126. 

  126.     *)
    127. 

  127. 	if [ "x${source}" != x ] ; then
    128. 

  128. 	    echo "too many parameters at the end" 1>&2
    129. 

  129. 	    usage
    130. 

  130. 	    exit 4
    131. 

  131. 	fi
    132. 

  132. 	source="${option}" ;;
    133. 

  133.     esac
    134. 

  134. done
    135. 

  135. 

  136. [ "${debug:-0}" -gt 1 ] && set -x
    137. 

  137. 

  138. grub_shell_opts="$grub_shell_opts --timeout=${GRUB_SHELL_LUKS_TIMEOUT}"
    139. 

  139. 

  140. if [ "${debug:-0}" -gt 2 ]; then
    141. 

  141.     grub_shell_opts="$grub_shell_opts --qemu-opts=-nographic"
    142. 

  142. fi
    143. 

  143. 

  144. # Make sure that the dm-crypto device is shutdown
    145. 

  145. cleanup() {
    146. 

  146.     if [ -e "$luksdev" ]; then
    147. 

  147.         cryptsetup close "$luksdev"
    148. 

  148.     fi
    149. 

  149.     if [ -z "$debug" ] && [ "${RET:-1}" -eq 0 ]; then
    150. 

  150.         rm -rf "$lukstestdir" || :
    151. 

  151.     fi
    152. 

  152. }
    153. 

  153. trap cleanup EXIT INT TERM KILL QUIT
    154. 

  154. 

  155. get_random_bytes() {
    156. 

  156.     local NUM_BYTES=$1
    157. 

  157.     dd if=/dev/urandom bs=512 count=$((($NUM_BYTES / 512)+2)) 2>/dev/null \
    158. 

  158.         | tr -d '\0' | dd bs=1 count=$(($NUM_BYTES)) 2>/dev/null
    159. 

  159. }
    160. 

  160. 

  161. # create a random directory to be hold generated files
    162. 

  162. lukstestdir="`mktemp -d "${TMPDIR:-/tmp}/$(basename "$0").XXXXXXXXXX"`" || exit 20
    163. 

  163. luksfile=$lukstestdir/luks.disk
    164. 

  164. lukshdrfile=$lukstestdir/luks.header
    165. 

  165. lukskeyfile=$lukstestdir/luks.key
    166. 

  166. vfile=$lukstestdir/mnt/test.verify
    167. 

  167. vtext="TEST VERIFIED"
    168. 

  168. testvars=$lukstestdir/testvars
    169. 

  169. testcase=$lukstestdir/testcase.cfg
    170. 

  170. testoutput=$lukstestdir/testoutput
    171. 

  171. password=testpass
    172. 

  172. 

  173. [ -n "$debug" ] && echo "LUKS TEST directory: $lukstestdir" >&2
    174. 

  174. 

  175. # If testing keyfiles, create a big one.
    176. 

  176. if [ -e "$keyfile" ]; then
    177. 

  177.     password=`cat "$keyfile"`
    178. 

  178. elif [ -n "$keyfile" ]; then
    179. 

  179.     password=`get_random_bytes $KEYFILE_SIZE_MAX`
    180. 

  180. fi
    181. 

  181. 

  182. if [ -n "$detached_header" ]; then
    183. 

  183.     csopts="$csopts --header $lukshdrfile"
    184. 

  184. fi
    185. 

  185. 

  186. # create the key file
    187. 

  187. echo -n "$password" > $lukskeyfile
    188. 

  188. 

  189. # Create a very small LUKS container for the test
    190. 

  190. truncate -s $disksize $luksfile || exit 21
    191. 

  191. 

  192. # Format the luks disk file
    193. 

  193. cryptsetup luksFormat -q $csopts $luksfile $lukskeyfile || exit 22
    194. 

  194. 

  195. # Run any cryptsetup scripts
    196. 

  196. export luksdiskfile=${detached_header:+$lukshdrfile}${detached_header:-$luksfile}
    197. 

  197. export lukskeyfile
    198. 

  198. for csscript in $csscripts; do
    199. 

  199.     [ -f "$csscript" ] && . $csscript
    200. 

  200. done
    201. 

  201. 

  202. # Look for --keyfile-offset and --keyfile-size options in the cryptsetup
    203. 

  203. # options, and process them specially.
    204. 

  204. csopen_opts=
    205. 

  205. get_args=0
    206. 

  206. varname=
    207. 

  207. for option in $csopts; do
    208. 

  208.     if [ "$get_args" -gt 0 ]; then
    209. 

  209.         csopen_opts=" $csopen_opts $option"
    210. 

  210.         get_args=$(($get_args - 1))
    211. 

  211.         eval ${varname}=$option
    212. 

  212.         continue
    213. 

  213.     fi
    214. 

  214. 

  215.     case "$option" in
    216. 

  216.     --keyfile-offset)
    217. 

  217.         varname=keyfile_offset
    218. 

  218.         get_args=1 ;;
    219. 

  219.     --keyfile-offset=*)
    220. 

  220.         keyfile_offset=`echo "$option" | sed -e 's/--keyfile-offset=//'` ;;
    221. 

  221.     --keyfile-size | -l)
    222. 

  222.         varname=keyfile_size
    223. 

  223.         get_args=1 ;;
    224. 

  224.     --keyfile-size=*)
    225. 

  225.         keyfile_size=`echo "$option" | sed -e 's/--keyfile-size=//'` ;;
    226. 

  226.     *)
    227. 

  227.         continue ;;
    228. 

  228.     esac
    229. 

  229. 

  230.     csopen_opts=" $csopen_opts $option"
    231. 

  231. done
    232. 

  232. 

  233. # Open LUKS device
    234. 

  234. luksdev=/dev/mapper/`basename $lukstestdir`
    235. 

  235. cryptsetup open ${detached_header:+--header $lukshdrfile} $csopen_opts \
    236. 

  236.     --key-file $lukskeyfile $luksfile `basename $luksdev` || exit 23
    237. 

  237. 

  238. # Make filesystem on the luks disk
    239. 

  239. mkfs.vfat $luksdev >/dev/null 2>&1 || exit 24
    240. 

  240. 

  241. # Add verification file to filesystem
    242. 

  242. mkdir $lukstestdir/mnt
    243. 

  243. mount $luksdev $lukstestdir/mnt || exit 25
    244. 

  244. echo "$vtext" > $vfile
    245. 

  245. 

  246. # Unmount filesystem
    247. 

  247. umount $lukstestdir/mnt || exit 26
    248. 

  248. 

  249. . "@builddir@/grub-core/modinfo.sh"
    250. 

  250. 

  251. if [ x"${grub_modinfo_platform}" = xemu ]; then
    252. 

  252.     grub_testvars="(host)$testvars"
    253. 

  253.     grub_key_file="(host)$lukskeyfile"
    254. 

  254.     grub_lukshdr_file="(host)$lukshdrfile"
    255. 

  255. else
    256. 

  256.     grub_testvars="/testvars"
    257. 

  257.     grub_key_file="/keyfile"
    258. 

  258.     grub_lukshdr_file="/luks.header"
    259. 

  259. fi
    260. 

  260. 

  261. 

  262. # Can not use --disk with a raw LUKS container because it appears qemu
    263. 

  263. # tries to convert the image to and is failing with:
    264. 

  264. #  "Parameter 'key-secret' is required for cipher"
    265. 

  265. qemuopts="$qemuopts -drive file=$luksfile,index=0,media=disk,format=raw"
    266. 

  266. 

  267. # Add crypto modules
    268. 

  268. modules="$modules cryptodisk luks luks2 fat"
    269. 

  269. 

  270. # Create randomly generated trim line
    271. 

  271. trim_line=`mktemp -u XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX`
    272. 

  272. 

  273. # Create vars to import into grub script
    274. 

  274. cat >$testvars <<EOF
    275. 

  275. grub_debug="$debug"
    276. 

  276. grub_lukshdr_file="$grub_lukshdr_file"
    277. 

  277. grub_key_file="$grub_key_file"
    278. 

  278. grub_keyfile_offset="$keyfile_offset"
    279. 

  279. grub_keyfile_size="$keyfile_size"
    280. 

  280. vfilename="`basename $vfile`"
    281. 

  281. vtext="$vtext"
    282. 

  282. trim_line="$trim_line"
    283. 

  283. disk="$disk"
    284. 

  284. EOF
    285. 

  285. 

  286. # If testing keyfiles, do not use password variable
    287. 

  287. if [ -z "$keyfile" ]; then
    288. 

  288.     echo "grub_password=\"$password\"" >>$testvars
    289. 

  289. fi
    290. 

  290. 

  291. # Create testcase script
    292. 

  292. cat >$testcase <<'EOF'
    293. 

  293. set debug=all
    294. 

  294. search -n -f --set=testvarsdev /testvars
    295. 

  295. if [ "$?" -ne 0 ]; then
    296. 

  296.     echo; echo "$trim_line"
    297. 

  297.     echo "Could not find testvars file."
    298. 

  298.     ${halt_cmd}
    299. 

  299. fi
    300. 

  300. set debug=
    301. 

  301. 

  302. . ($testvarsdev)/testvars
    303. 

  303. 

  304. # If key file exists, use it instead of password
    305. 

  305. if [ -e "$grub_key_file" ]; then
    306. 

  306.     cryptomount_opts="$cryptomount_opts -k $grub_key_file"
    307. 

  307. else
    308. 

  308.     cryptomount_opts="$cryptomount_opts -p $grub_password"
    309. 

  309. fi
    310. 

  310. 

  311. if [ -n "$grub_keyfile_offset" ]; then
    312. 

  312.     cryptomount_opts="$cryptomount_opts -O $grub_keyfile_offset"
    313. 

  313. fi
    314. 

  314. 

  315. if [ -n "$grub_keyfile_size" ]; then
    316. 

  316.     cryptomount_opts="$cryptomount_opts -S $grub_keyfile_size"
    317. 

  317. fi
    318. 

  318. 

  319. if [ -e "$grub_lukshdr_file" ]; then
    320. 

  320.     cryptomount_opts="$cryptomount_opts -H $grub_lukshdr_file"
    321. 

  321. fi
    322. 

  322. 

  323. cdisk=crypto0
    324. 

  324. 

  325. if test -n "$grub_debug" -a "$grub_debug" -gt 0; then
    326. 

  326.     echo cmd: cryptomount $cryptomount_opts ($disk)
    327. 

  327.     echo -n "devices: "
    328. 

  328.     ls
    329. 

  329. fi
    330. 

  330. 

  331. if test -n "$grub_debug" -a "$grub_debug" -gt 1; then
    332. 

  332.     set debug=all
    333. 

  333. fi
    334. 

  334. cryptomount $cryptomount_opts ($disk)
    335. 

  335. ret="$?"
    336. 

  336. if test -n "$grub_debug" -a "$grub_debug" -eq 2; then
    337. 

  337.     set debug=
    338. 

  338. fi
    339. 

  339. 

  340. echo; echo "$trim_line"
    341. 

  341. if test $ret -eq 0; then
    342. 

  342.     cat ($cdisk)/$vfilename
    343. 

  343. else
    344. 

  344.     echo "cryptomount failed: $ret"
    345. 

  345. fi
    346. 

  346. EOF
    347. 

  347. 

  348. grub_shell_opts="$grub_shell_opts --trim=${trim_line}"
    349. 

  349. if [ -n "$keyfile" ]; then
    350. 

  350.     grub_shell_opts="$grub_shell_opts --files=${keyfile:+${grub_key_file}=${lukskeyfile}}"
    351. 

  351. fi
    352. 

  352. 

  353. if [ -n "$detached_header" ]; then
    354. 

  354.     grub_shell_opts="$grub_shell_opts --files=${detached_header:+${grub_lukshdr_file}=${lukshdrfile}}"
    355. 

  355. fi
    356. 

  356. 

  357. # Run the test in grub-shell
    358. 

  358. @builddir@/grub-shell ${debug:+--debug=$debug} $grub_shell_opts \
    359. 

  359.     --modules="$modules" --qemu-opts="$qemuopts" \
    360. 

  360.     --files="${grub_testvars}=${testvars}" "$testcase" \
    361. 

  361.     >$testoutput
    362. 

  362. ret=$?
    363. 

  363. 

  364. if [ "$ret" -eq 0 ]; then
    365. 

  365.     if ! grep -q "^${vtext}$" "$testoutput"; then
    366. 

  366.         echo "error: test not verified [`cat $testoutput`]" >&2
    367. 

  367.         exit 1
    368. 

  368.     fi
    369. 

  369. else
    370. 

  370.     echo "grub-shell exited with error: $ret" >&2
    371. 

  371.     exit 27
    372. 

  372. fi
    373. 

  373. 

  374. exit $ret
    375. 

  375.