The enable_filename_encryption tunable only makes sense when the Lustre client
is built against embedded llcrypt. When built against in-kernel
fscrypt, this tunable is silently ignored, as fscrypt always carries
out file name encryption.
So expose the enable_filename_encryption tunable only when the Lustre client
is built against embedded llcrypt. Also fix sanity-sec test_54 so that
it works with in-kernel fscrypt.
Lustre-change: https://review.whamcloud.com/47520
Lustre-commit:
4887aff7f10423674939682a2fd56f0490224e6e
Fixes:
e68d496ada ("LU-15858 sec: reinstate null encryption for file names")
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: Ibe52feb670a00c9f421907ecd438bcccc62856f0
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: James Simmons <jsimmons@infradead.org>
Reviewed-on: https://review.whamcloud.com/48521
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: jsimmons <jsimmons@infradead.org>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
if (err)
GOTO(out_free_cfg, err);
if (err)
GOTO(out_free_cfg, err);
+ /* LSI_FILENAME_ENC is only used by embedded llcrypt */
+#ifdef CONFIG_LL_ENCRYPTION
if (ll_sb_has_test_dummy_encryption(sb))
/* enable filename encryption by default for dummy enc mode */
lsi->lsi_flags |= LSI_FILENAME_ENC;
else
/* filename encryption is disabled by default */
lsi->lsi_flags &= ~LSI_FILENAME_ENC;
if (ll_sb_has_test_dummy_encryption(sb))
/* enable filename encryption by default for dummy enc mode */
lsi->lsi_flags |= LSI_FILENAME_ENC;
else
/* filename encryption is disabled by default */
lsi->lsi_flags &= ~LSI_FILENAME_ENC;
/* kernel >= 2.6.38 store dentry operations in sb->s_d_op. */
sb->s_d_op = &ll_d_ops;
/* kernel >= 2.6.38 store dentry operations in sb->s_d_op. */
sb->s_d_op = &ll_d_ops;
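Review bot: Nothing visible enforces the claim in the new comment that LSI_FILENAME_ENC is only used by embedded llcrypt. On an in-kernel fscrypt build the flag is no longer set or cleared at this point, so any reader of it left outside the same guard would act on a value this code no longer maintains. I would state the other half in the comment, e.g. `/* LSI_FILENAME_ENC is only used by embedded llcrypt; in-kernel fscrypt always encrypts file names */`, and confirm that every test of the flag sits under CONFIG_LL_ENCRYPTION. The closing `#endif` for this guard, and for the one added around the `enable_filename_encryption` table entry, is not visible on the page as rendered; if either is bare, `#endif /* CONFIG_LL_ENCRYPTION */` would match the one added after `LDEBUGFS_SEQ_FOPS(ll_filename_enc)`. The enclosing function starts and ends outside the hunk.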
LDEBUGFS_SEQ_FOPS(ll_nosquash_nids);
LDEBUGFS_SEQ_FOPS(ll_nosquash_nids);
+#ifdef CONFIG_LL_ENCRYPTION
static int ll_filename_enc_seq_show(struct seq_file *m, void *v)
{
struct super_block *sb = m->private;
static int ll_filename_enc_seq_show(struct seq_file *m, void *v)
{
struct super_block *sb = m->private;
}
LDEBUGFS_SEQ_FOPS(ll_filename_enc);
}
LDEBUGFS_SEQ_FOPS(ll_filename_enc);
+#endif /* CONFIG_LL_ENCRYPTION */
static int ll_pcc_seq_show(struct seq_file *m, void *v)
{
static int ll_pcc_seq_show(struct seq_file *m, void *v)
{
.fops = &ll_nosquash_nids_fops },
{ .name = "pcc",
.fops = &ll_pcc_fops, },
.fops = &ll_nosquash_nids_fops },
{ .name = "pcc",
.fops = &ll_pcc_fops, },
+#ifdef CONFIG_LL_ENCRYPTION
{ .name = "enable_filename_encryption",
.fops = &ll_filename_enc_fops, },
{ .name = "enable_filename_encryption",
.fops = &ll_filename_enc_fops, },
which fscrypt || skip "This test needs fscrypt userspace tool"
which fscrypt || skip "This test needs fscrypt userspace tool"
- fscrypt setup --force --verbose || error "fscrypt global setup failed"
+ yes | fscrypt setup --force --verbose ||
+ error "fscrypt global setup failed"
sed -i 's/\(.*\)policy_version\(.*\):\(.*\)\"[0-9]*\"\(.*\)/\1policy_version\2:\3"2"\4/' \
/etc/fscrypt.conf
sed -i 's/\(.*\)policy_version\(.*\):\(.*\)\"[0-9]*\"\(.*\)/\1policy_version\2:\3"2"\4/' \
/etc/fscrypt.conf
- fscrypt setup --verbose $MOUNT || error "fscrypt setup $MOUNT failed"
+ yes | fscrypt setup --verbose $MOUNT ||
+ error "fscrypt setup $MOUNT failed"
mkdir -p $testdir
chown -R $ID0:$ID0 $testdir
mkdir -p $testdir
chown -R $ID0:$ID0 $testdir
[ $filecount -eq 3 ] || error "found $filecount files"
# check enable_filename_encryption default value
[ $filecount -eq 3 ] || error "found $filecount files"
# check enable_filename_encryption default value
+ # tunable only available for client built against embedded llcrypt
$LCTL get_param mdc.*.connect_flags | grep -q name_encryption &&
nameenc=$(lctl get_param -n llite.*.enable_filename_encryption |
head -n1)
$LCTL get_param mdc.*.connect_flags | grep -q name_encryption &&
nameenc=$(lctl get_param -n llite.*.enable_filename_encryption |
head -n1)
+ # If client is built against in-kernel fscrypt, it is not possible
+ # to decide to encrypt file names or not: they are always encrypted.
if [ -n "$nameenc" ]; then
[ $nameenc -eq 0 ] ||
error "enable_filename_encryption should be 0 by default"
if [ -n "$nameenc" ]; then
[ $nameenc -eq 0 ] ||
error "enable_filename_encryption should be 0 by default"
# setup encryption from inside this subdir mount
# the .fscrypt directory is going to be created at the real fs root
# setup encryption from inside this subdir mount
# the .fscrypt directory is going to be created at the real fs root
- fscrypt setup --verbose $MOUNT ||
+ yes | fscrypt setup --verbose $MOUNT ||
error "fscrypt setup $MOUNT failed (2)"
testdir=$MOUNT/vault
mkdir $testdir
error "fscrypt setup $MOUNT failed (2)"
testdir=$MOUNT/vault
mkdir $testdir
fid1=$(path2fid $MOUNT/.fscrypt)
echo "With FILESET $tdir, .fscrypt FID is $fid1"
fid1=$(path2fid $MOUNT/.fscrypt)
echo "With FILESET $tdir, .fscrypt FID is $fid1"
- # enable name encryption
+ # enable name encryption, only valid if built against embedded llcrypt
if [ -n "$nameenc" ]; then
do_facet mgs $LCTL set_param -P \
llite.*.enable_filename_encryption=1
if [ -n "$nameenc" ]; then
do_facet mgs $LCTL set_param -P \
llite.*.enable_filename_encryption=1
$RUNAS fscrypt lock --verbose $DIR/$tdir/vault ||
error "fscrypt lock $DIR/$tdir/vault failed (5)"
$RUNAS fscrypt lock --verbose $DIR/$tdir/vault ||
error "fscrypt lock $DIR/$tdir/vault failed (5)"
- # disable name encryption
+ # disable name encryption, only valid if built against embedded llcrypt
if [ -n "$nameenc" ]; then
do_facet mgs $LCTL set_param -P \
llite.*.enable_filename_encryption=0
if [ -n "$nameenc" ]; then
do_facet mgs $LCTL set_param -P \
llite.*.enable_filename_encryption=0
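Review bot: Nothing in the visible hunks asserts the property the new comment states, that file names are always encrypted on an in-kernel fscrypt client. On such a client `nameenc` appears to stay empty, so every `if [ -n "$nameenc" ]` branch is skipped. A check in that path that the names listed after `fscrypt lock` differ from the clear-text names would let test_54 catch a regression on such builds; the rest of the test is outside these hunks, so it may already do this. The probe also depends on `get_param` failing when the tunable is absent, and `nameenc=$($LCTL get_param -n llite.*.enable_filename_encryption 2>/dev/null | head -n1)` would make that explicit and keep the expected error out of the test log. Separately, if the test framework ever runs with `pipefail`, `yes | fscrypt setup ...` would report failure whenever `yes` is ended by SIGPIPE, so it is worth confirming that option is not set.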