small dm integrity & encryption test
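#!/bin/bash
# verify that plaintext isn't visible on disk
#
# Builds a loop device over a sparse image, formats it as LUKS2 with an AEAD
# cipher (chacha20 + poly1305 integrity tags), writes a known marker word
# through the mapping, tears the stack down and then confirms the marker
# cannot be found in the raw image.
#
# This is a smoke test only: the absence of one marker string from the image
# is a necessary, not a sufficient, sign that nothing leaks in plaintext.
#
# Requires root (losetup, cryptsetup, mount).
# Exit status: 0 when the marker is absent from the image, 1 when it is found.
set -euo pipefail

# increment this for retesting on same system
i=22
readonly i
readonly image="/opt/disk$i"
readonly loopdev="/dev/loop$i"
readonly mapname="data-enc$i"
readonly mnt="/mnt/$mapname"
# marker written through the encrypted mapping and searched for in the raw image
readonly marker='epileptor'

die() { printf '%s\n' "$*" >&2; exit 1; }

(( EUID == 0 )) || die "must run as root"

# best-effort teardown so a failure part-way through does not leave the
# mount, the dm mapping or the loop device behind; every step is optional
# because on the success path they have already been released
cleanup() {
  umount "$mnt" 2>/dev/null || true
  cryptsetup close "$mapname" 2>/dev/null || true
  losetup -d "$loopdev" 2>/dev/null || true
}
trap cleanup EXIT

# create disk file, mount point, loop back device & file system
# nb. if this is too small, cryptsetup will fail
truncate -s 100M "$image"
mkdir -p "$mnt"
losetup "$loopdev" "$image"
# zero the whole device so the later grep scans a known-clean image;
# count= keeps dd from running off the end of the device, which would
# report an error and trip set -e
dd if=/dev/zero of="$loopdev" bs=1M count=100 status=none

# see pdf in this folder for details or here:
# https://archive.fosdem.org/2018/schedule/event/cryptsetup/attachments/slides/2506/export/events/attachments/cryptsetup/slides/2506/fosdem18_cryptsetup_aead.pdf
# the passphrase is a throw-away test value fed on stdin (not on argv, so it
# does not show up in ps / shell history)
cryptsetup --debug -y luksFormat --type luks2 --integrity poly1305 \
  --cipher chacha20-random --sector-size 4096 --force-password "$loopdev" <<EOF
password
EOF
cryptsetup luksOpen "$loopdev" "$mapname" <<EOF
password
EOF
cryptsetup status "$mapname"

# make file system
mkfs.ext2 "/dev/mapper/$mapname"

# mount & create file & sync fs
mount "/dev/mapper/$mapname" "$mnt"
printf '%s\n' "$marker" > "$mnt/hello"
sync

# unmount, unloop
umount "$mnt"
cryptsetup close "$mapname"
losetup -d "$loopdev"

# check word is not found; -q because a hit on a binary image would
# otherwise dump the raw line to the terminal
if ! grep -q -- "$marker" "$image"; then
  echo "plaintext word not found in disk image"
  exit 0
else
  echo "should have failed find plaintext content!"
  exit 1
fi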
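#!/bin/bash
# verify that dm-integrity detects corruption of the backing image
#
# Builds a loop device over a sparse image, formats it with integritysetup,
# writes a known marker word through the mapping, tears the stack down,
# tampers with the marker directly in the raw image, and then re-opens the
# mapping and checks that the read fails with an integrity error.
#
# Requires root (losetup, integritysetup, mount, dmesg).
# Exit status: 0 when the corrupted read is rejected and a dm-integrity
# checksum error shows up in the kernel log, 1 otherwise.
set -euo pipefail

# available on f29 (but integrity isn't on c7)
if ! command -v integritysetup >/dev/null; then
  dnf install -y cryptsetup integritysetup
fi

# increment this for retesting on same system
i=11
readonly i
readonly image="/opt/disk$i"
readonly loopdev="/dev/loop$i"
readonly mapname="data-int$i"
readonly mnt="/mnt/$mapname"
# marker written through the mapping; the corrupted form has the same length
# so the byte layout of the image is unchanged by the tampering step
readonly marker='epileptor'
readonly corrupted='epi234tor'

die() { printf '%s\n' "$*" >&2; exit 1; }

(( EUID == 0 )) || die "must run as root"

# best-effort teardown on any exit path; the final check runs with the
# mapping open and mounted, so this is what releases it
cleanup() {
  umount "$mnt" 2>/dev/null || true
  integritysetup close "$mapname" 2>/dev/null || true
  losetup -d "$loopdev" 2>/dev/null || true
}
trap cleanup EXIT

# create disk file, mount point, loop back device & file system
truncate -s 1M "$image"
mkdir -p "$mnt"
losetup "$loopdev" "$image"
integritysetup format "$loopdev" <<EOF
YES
EOF
integritysetup open "$loopdev" "$mapname"
mkfs.ext2 "/dev/mapper/$mapname"

# mount & create file & sync fs
mount "/dev/mapper/$mapname" "$mnt"
printf '%s\n' "$marker" > "$mnt/hello"
sync

# unmount, unloop
umount "$mnt"
integritysetup close "$mapname"
losetup -d "$loopdev"

# check word is found: dm-integrity does not encrypt, so the marker must be
# visible in the raw image, otherwise the tampering below would be a no-op
grep -q -- "$marker" "$image" || die "marker not found in raw image, nothing to corrupt"

# corrupt disk (data bytes only; the integrity tags are left as they were)
sed -i "s,$marker,$corrupted,g" "$image"

# reloop, remount
losetup "$loopdev" "$image"
integritysetup open "$loopdev" "$mapname"
mount "/dev/mapper/$mapname" "$mnt"

# remember where the kernel log ends before the read so a stale
# "Checksum failed" from an earlier run on this system is not counted
# (NOTE(review): line counting is approximate if the ring buffer wraps)
log_before=$(dmesg | wc -l)

# check for word
if ! grep -q -- "$corrupted" "$mnt/hello"; then
  if dmesg | tail -n +"$((log_before + 1))" | grep -q "Checksum failed"; then
    echo "DM integrity successfully detected corruption"
    exit 0
  else
    echo "DM integrity failed to detect corruption?"
    exit 1
  fi
else
  echo "should have failed to read file!"
  exit 1
fi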
I wanted to layer LUKS on top of this, but it's easier to first verify that the integrity layer is working without encryption.