Skip to content

Add: Qualcomm User Data Encryption test script & Document #141

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add: Qualcomm User Data Encryption test script & Document #141

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
91 changes: 91 additions & 0 deletions Runner/suites/Kernel/Baseport/UserDataEncryption/README_UserDataEncryption.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,91 @@
Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
SPDX-License-Identifier: BSD-3-Clause-Clear

# Qualcomm UserDataEncryption Functionality Test Script
## Overview

The `UserDataEncryption` test script verifies basic filesystem encryption functionality. It generates a 64-byte key, adds it to the system, applies an encryption policy to a mount directory, and confirms the setup by creating and reading a test file. This ensures that key management and encryption policies work as expected.

## Features

- **Dependency Check**: Verifies the presence of the `fscryptctl` binary.
- **Key Management**: Generates a 64-byte key and adds it to the filesystem.
- **Encryption Policy**: Applies and verifies encryption policy on a mount directory.
- **Functional Validation**: Creates and reads a test file to confirm encryption functionality.
- **Automated Result Logging**: Outputs test results to a `.res` file for automated result collection.

## Prerequisites

Ensure the following components are present on the target device:

- `fscryptctl` binary available in `/data/`
- Sufficient permissions to create and mount directories

## Directory Structure
```
Runner/
├── suites/
│ ├── Kernel/
│ │ ├── FunctionalArea/
│ │ │ ├── baseport/
│ │ │ │ ├── UserDataEncryption/
│ │ │ │ │ ├── run.sh
```
## Usage

1. Copy repo to Target Device: Use scp to transfer the scripts from the host to the target device. The scripts should be copied to the ```/<user-defined-location>``` directory on the target device.

2. Verify Transfer: Ensure that the repo have been successfully copied to the ```/<user-defined-location>``` directory on the target device.

3. Run Scripts: Navigate to the ```/<user-defined-location>``` directory on the target device and execute the scripts as needed.

---
Quick Example
```
git clone <this-repo>
cd <this-repo>
scp -r common Runner user@target_device_ip:/<user-defined-location>
ssh user@target_device_ip
cd /<user-defined-location>/Runner && ./run-test.sh UserDataEncryption

Sample output:
sh-5.2# ./run-test.sh UserDataEncryption
[Executing test case: UserDataEncryption] 1970-01-11 18:09:02 -
[INFO] 1970-01-11 18:09:02 - -----------------------------------------------------------------------------------------
[INFO] 1970-01-11 18:09:02 - -------------------Starting UserDataEncryption Testcase----------------------------
[INFO] 1970-01-11 18:09:02 - === Test Initialization ===
[INFO] 1970-01-11 18:09:02 - Checking if dependency binary is available
[INFO] 1970-01-11 18:09:02 - Generating 64-byte encryption key
[INFO] 1970-01-11 18:09:02 - Creating mount folder at /mnt/testing
[INFO] 1970-01-11 18:09:02 - /mnt/testing already exists. Deleting it first.
[INFO] 1970-01-11 18:09:02 - Adding encryption key to the filesystem
[INFO] 1970-01-11 18:09:02 - Key ID: a17eee9a6d74585b6703b54285e95894
[INFO] 1970-01-11 18:09:02 - Checking key status
[INFO] 1970-01-11 18:09:02 - Key Status: Present (user_count=1, added_by_self)
[INFO] 1970-01-11 18:09:02 - Setting encryption policy on /mnt/testing
[INFO] 1970-01-11 18:09:02 - Verifying encryption policy
[INFO] 1970-01-11 18:09:02 - Policy verification successful
[INFO] 1970-01-11 18:09:02 - Creating test file in encrypted directory
[INFO] 1970-01-11 18:09:02 - Reading test file
[PASS] 1970-01-11 18:09:02 - UserDataEncryption : Test Passed
[INFO] 1970-01-11 18:09:02 - -------------------Completed UserDataEncryption Testcase----------------------------
[PASS] 1970-01-11 18:09:02 - UserDataEncryption passed

[INFO] 1970-01-11 18:09:02 - ========== Test Summary ==========
PASSED:
UserDataEncryption

FAILED:
None

SKIPPED:
None
[INFO] 1970-01-11 18:09:02 - ==================================
```
4. Results will be available in the `/<user-defined-location>/Runner/suites/Kernel/FunctionalArea/baseport/UserDataEncryption/` directory.

## Notes

- The script uses /data/UserDataEncryption for all operations.
- Temporary files such as the encryption key are cleaned up after the test.
- If any test fails, the script logs the error and exits with a failure code.
138 changes: 138 additions & 0 deletions Runner/suites/Kernel/Baseport/UserDataEncryption/run.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,138 @@
#!/bin/sh

# Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
# SPDX-License-Identifier: BSD-3-Clause-Clear

# Robustly find and source init_env
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
INIT_ENV=""
SEARCH="$SCRIPT_DIR"
while [ "$SEARCH" != "/" ]; do
if [ -f "$SEARCH/init_env" ]; then
INIT_ENV="$SEARCH/init_env"
break
fi
SEARCH=$(dirname "$SEARCH")
done

if [ -z "$INIT_ENV" ]; then
echo "[ERROR] Could not find init_env (starting at $SCRIPT_DIR)" >&2
exit 1
fi

if [ -z "$__INIT_ENV_LOADED" ]; then
# shellcheck disable=SC1090
. "$INIT_ENV"
fi

# shellcheck disable=SC1090,SC1091
. "$TOOLS/functestlib.sh"

TESTNAME="UserDataEncryption"
test_path=$(find_test_case_by_name "$TESTNAME")
cd "$test_path" || exit 1
res_file="./$TESTNAME.res"

log_info "-----------------------------------------------------------------------------------------"
log_info "-------------------Starting $TESTNAME Testcase----------------------------"
log_info "=== Test Initialization ==="

log_info "Checking if dependency binary is available"
check_dependencies fscryptctl
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Root/user -> fscrypt operations usually require root. Add a quick root check and fail early if not root.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it not expected that all tests will be run as root by default?


Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Kernel/filesystem precheck: Add check_kernel_config CONFIG_FS_ENCRYPTION (and optional CONFIG_FS_VERITY if you care) to SKIP gracefully on kernels without fscrypt. Also verify that the mount backing $MOUNT_DIR is ext4/f2fs with encryption support (or at least that add_key succeeds on that mountpoint).

KEY_FILE="/data/std_key"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use mktemp for the key path (instead of /data/std_key which may not exist), and set chmod 600.

MOUNT_DIR="/mnt/testing"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You add_key … /mnt but set policy on $MOUNT_DIR (/mnt/testing). That’s okay if $MOUNT_DIR is on the same filesystem, but brittle. Resolve the mountpoint of $MOUNT_DIR (its parent, typically /mnt) and use that consistently for add_key and key_status.


# Step 1: Generate a 64-byte key
log_info "Generating 64-byte encryption key"
if ! head -c 64 /dev/urandom > "$KEY_FILE"; then
log_fail "$TESTNAME : Failed to generate encryption key"
echo "$TESTNAME FAIL" > "$res_file"
exit 1
fi

# Step 2: Create mount folder
log_info "Creating mount folder at $MOUNT_DIR"
if [ -d "$MOUNT_DIR" ]; then
log_info "$MOUNT_DIR already exists. Deleting it first."
if ! rm -rf "$MOUNT_DIR"; then
log_fail "$TESTNAME : Failed to delete existing mount directory"
echo "$TESTNAME FAIL" > "$res_file"
rm -f "$KEY_FILE"
exit 1
fi
fi

if ! mkdir -p "$MOUNT_DIR"; then
log_fail "$TESTNAME : Failed to create mount directory"
echo "$TESTNAME FAIL" > "$res_file"
rm -f "$KEY_FILE"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make sure the key file is always removed via a trap on exit.

exit 1
fi

# Step 3: Add the key to the filesystem
log_info "Adding encryption key to the filesystem"
key_id=$(/data/fscryptctl add_key /mnt < "$KEY_FILE" 2>/dev/null)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You call /data/fscryptctl … directly. That will fail on Debian/Yocto where it’s /usr/bin/fscryptctl. Use a single variable (e.g., FSCRYPTCTL="${FSCRYPTCTL:-fscryptctl}") and always call "$FSCRYPTCTL".

if [ -z "$key_id" ]; then
log_fail "$TESTNAME : Failed to add encryption key"
echo "$TESTNAME FAIL" > "$res_file"
rm -f "$KEY_FILE"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can’t “unset” policy trivially, but you can remove the fs key (fscryptctl remove_key). Do that in cleanup so subsequent tests aren’t polluted.

exit 1
fi

log_info "Key ID: $key_id"

# Step 4: Check key status
log_info "Checking key status"
status=$(/data/fscryptctl key_status "$key_id" / 2>/dev/null)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NIT

if [ -z "$status" ]; then
log_fail "$TESTNAME : Failed to get key status"
echo "$TESTNAME FAIL" > "$res_file"
rm -f "$KEY_FILE"
exit 1
fi
log_info "Key Status: $status"

# Step 5: Set encryption policy
log_info "Setting encryption policy on $MOUNT_DIR"
if ! /data/fscryptctl set_policy "$key_id" "$MOUNT_DIR"; then
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NIT

log_fail "$TESTNAME : Failed to set encryption policy"
echo "$TESTNAME FAIL" > "$res_file"
rm -f "$KEY_FILE"
exit 1
fi

# Step 6: Verify policy
log_info "Verifying encryption policy"
policy_output=$(/data/fscryptctl get_policy "$MOUNT_DIR" 2>/dev/null)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NIT

if echo "$policy_output" | grep -q "$key_id"; then
log_info "Policy verification successful"
else
log_fail "$TESTNAME : Policy verification failed"
echo "$TESTNAME FAIL" > "$res_file"
rm -f "$KEY_FILE"
exit 1
fi

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use scan_dmesg_errors around the critical sections to catch fscrypt issues.

# Step 7: Create and read a test file
log_info "Creating test file in encrypted directory"
echo "file" > "$MOUNT_DIR/file.txt"

log_info "Reading test file"
file_content=$(cat "$MOUNT_DIR/file.txt")
if [ "$file_content" = "file" ]; then
log_pass "$TESTNAME : Test Passed"
echo "$TESTNAME PASS" > "$res_file"
else
log_fail "$TESTNAME : Test Failed"
echo "$TESTNAME FAIL" > "$res_file"
rm -f "$KEY_FILE"
exit 1
fi

# Cleanup
rm -f "$KEY_FILE"
rm -f "$MOUNT_DIR/file.txt"
rmdir "$MOUNT_DIR"

log_info "-------------------Completed $TESTNAME Testcase----------------------------"
Loading