[qemu.git] / tests / qemu-iotests / 296

#!/usr/bin/env python3
# group: rw
#
# Test case for encryption key management versus image sharing
#
# Copyright (C) 2019 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

import iotests
import os
import time
import json

test_img = os.path.join(iotests.test_dir, 'test.img')

class Secret:
    def __init__(self, index):
        self._id = "keysec" + str(index)
        # you are not supposed to see the password...
        self._secret = "hunter" + str(index)

    def id(self):
        return self._id

    def secret(self):
        return self._secret

    def to_cmdline_object(self):
        return  [ "secret,id=" + self._id + ",data=" + self._secret]

    def to_qmp_object(self):
        return { "qom_type" : "secret", "id": self.id(),
                 "props": { "data": self.secret() } }

################################################################################

class EncryptionSetupTestCase(iotests.QMPTestCase):

    # test case startup
    def setUp(self):

        # start the VMs
        self.vm1 = iotests.VM(path_suffix = 'VM1')
        self.vm2 = iotests.VM(path_suffix = 'VM2')
        self.vm1.launch()
        self.vm2.launch()

        # create the secrets and load 'em into the VMs
        self.secrets = [ Secret(i) for i in range(0, 4) ]
        for secret in self.secrets:
            result = self.vm1.qmp("object-add", **secret.to_qmp_object())
            self.assert_qmp(result, 'return', {})
            result = self.vm2.qmp("object-add", **secret.to_qmp_object())
            self.assert_qmp(result, 'return', {})

    # test case shutdown
    def tearDown(self):
        # stop the VM
        self.vm1.shutdown()
        self.vm2.shutdown()

    ###########################################################################
    # create the encrypted block device using qemu-img
    def createImg(self, file, secret):

        output = iotests.qemu_img_pipe(
            'create',
            '--object', *secret.to_cmdline_object(),
            '-f', iotests.imgfmt,
            '-o', 'key-secret=' + secret.id(),
            '-o', 'iter-time=10',
            file,
            '1M')

        iotests.log(output, filters=[iotests.filter_test_dir])

    # attempts to add a key using qemu-img
    def addKey(self, file, secret, new_secret):

        image_options = {
            'key-secret' : secret.id(),
            'driver' : iotests.imgfmt,
            'file' : {
                'driver':'file',
                'filename': file,
                }
            }

        output = iotests.qemu_img_pipe(
            'amend',
            '--object', *secret.to_cmdline_object(),
            '--object', *new_secret.to_cmdline_object(),

            '-o', 'state=active',
            '-o', 'new-secret=' + new_secret.id(),
            '-o', 'iter-time=10',

            "json:" + json.dumps(image_options)
            )

        iotests.log(output, filters=[iotests.filter_test_dir])

    ###########################################################################
    # open an encrypted block device
    def openImageQmp(self, vm, id, file, secret,
                     readOnly = False, reOpen = False):

        command = 'x-blockdev-reopen' if reOpen else 'blockdev-add'

        result = vm.qmp(command, **
            {
                'driver': iotests.imgfmt,
                'node-name': id,
                'read-only': readOnly,
                'key-secret' : secret.id(),
                'file': {
                    'driver': 'file',
                    'filename': test_img,
                }
            }
        )
        self.assert_qmp(result, 'return', {})


    ###########################################################################
    # add virtio-blk consumer for a block device
    def addImageUser(self, vm, id, disk_id, share_rw=False):
        result = vm.qmp('device_add', **
            {
                'driver': 'virtio-blk',
                'id': id,
                'drive': disk_id,
                'share-rw' : share_rw
            }
        )

        iotests.log(result)

    # close the encrypted block device
    def closeImageQmp(self, vm, id):
        result = vm.qmp('blockdev-del', **{ 'node-name': id })
        self.assert_qmp(result, 'return', {})

    ###########################################################################

    # add a key to an encrypted block device
    def addKeyQmp(self, vm, id, new_secret):

        args = {
            'node-name': id,
            'job-id' : 'job0',
            'options' : {
                'state'     : 'active',
                'driver'    : iotests.imgfmt,
                'new-secret': new_secret.id(),
                'iter-time' : 10
            },
        }

        result = vm.qmp('x-blockdev-amend', **args)
        assert result['return'] == {}
        vm.run_job('job0')

    # test that when the image opened by two qemu processes,
    # neither of them can update the encryption keys
    def test1(self):
        self.createImg(test_img, self.secrets[0]);

        # VM1 opens the image and adds a key
        self.openImageQmp(self.vm1, "testdev", test_img, self.secrets[0])
        self.addKeyQmp(self.vm1, "testdev", new_secret = self.secrets[1])


        # VM2 opens the image
        self.openImageQmp(self.vm2, "testdev", test_img, self.secrets[0])


        # neither VMs now should be able to add a key
        self.addKeyQmp(self.vm1, "testdev", new_secret = self.secrets[2])
        self.addKeyQmp(self.vm2, "testdev", new_secret = self.secrets[2])


        # VM 1 closes the image
        self.closeImageQmp(self.vm1, "testdev")


        # now VM2 can add the key
        self.addKeyQmp(self.vm2, "testdev", new_secret = self.secrets[2])


        # qemu-img should also not be able to add a key
        self.addKey(test_img, self.secrets[0], self.secrets[2])

        # cleanup
        self.closeImageQmp(self.vm2, "testdev")
        os.remove(test_img)


    # test that when the image opened by two qemu processes,
    # even if first VM opens it read-only, the second can't update encryption
    # keys
    def test2(self):
        self.createImg(test_img, self.secrets[0]);

        # VM1 opens the image readonly
        self.openImageQmp(self.vm1, "testdev", test_img, self.secrets[0],
                          readOnly = True)

        # VM2 opens the image
        self.openImageQmp(self.vm2, "testdev", test_img, self.secrets[0])

        # VM1 can't add a key since image is readonly
        self.addKeyQmp(self.vm1, "testdev", new_secret = self.secrets[2])

        # VM2 can't add a key since VM is has the image opened
        self.addKeyQmp(self.vm2, "testdev", new_secret = self.secrets[2])


        #VM1 reopens the image read-write
        self.openImageQmp(self.vm1, "testdev", test_img, self.secrets[0],
                          reOpen = True, readOnly = False)

        # VM1 still can't add the key
        self.addKeyQmp(self.vm1, "testdev", new_secret = self.secrets[2])

        # VM2 gets away
        self.closeImageQmp(self.vm2, "testdev")

        # VM1 now can add the key
        self.addKeyQmp(self.vm1, "testdev", new_secret = self.secrets[2])

        self.closeImageQmp(self.vm1, "testdev")
        os.remove(test_img)

    # test that two VMs can't open the same luks image by default
    # and attach it to a guest device
    def test3(self):
        self.createImg(test_img, self.secrets[0]);

        self.openImageQmp(self.vm1, "testdev", test_img, self.secrets[0])
        self.addImageUser(self.vm1, "testctrl", "testdev")

        self.openImageQmp(self.vm2, "testdev", test_img, self.secrets[0])
        self.addImageUser(self.vm2, "testctrl", "testdev")


    # test that two VMs can attach the same luks image to a guest device,
    # if both use share-rw=on
    def test4(self):
        self.createImg(test_img, self.secrets[0]);

        self.openImageQmp(self.vm1, "testdev", test_img, self.secrets[0])
        self.addImageUser(self.vm1, "testctrl", "testdev", share_rw=True)

        self.openImageQmp(self.vm2, "testdev", test_img, self.secrets[0])
        self.addImageUser(self.vm2, "testctrl", "testdev", share_rw=True)


if __name__ == '__main__':
    # support only raw luks since luks encrypted qcow2 is a proper
    # format driver which doesn't allow any sharing
    iotests.activate_logging()
    iotests.main(supported_fmts = ['luks'])
Commit	Line	Data
a2cd85f6	1	#!/usr/bin/env python3
9dd003a9	2	# group: rw
a2cd85f6 ML	3	#
	4	# Test case for encryption key management versus image sharing
	5	#
	6	# Copyright (C) 2019 Red Hat, Inc.
	7	#
	8	# This program is free software; you can redistribute it and/or modify
	9	# it under the terms of the GNU General Public License as published by
	10	# the Free Software Foundation; either version 2 of the License, or
	11	# (at your option) any later version.
	12	#
	13	# This program is distributed in the hope that it will be useful,
	14	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	15	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	16	# GNU General Public License for more details.
	17	#
	18	# You should have received a copy of the GNU General Public License
	19	# along with this program. If not, see <http://www.gnu.org/licenses/>.
	20	#
	21
	22	import iotests
	23	import os
	24	import time
	25	import json
	26
	27	test_img = os.path.join(iotests.test_dir, 'test.img')
	28
	29	class Secret:
	30	def __init__(self, index):
	31	self._id = "keysec" + str(index)
	32	# you are not supposed to see the password...
	33	self._secret = "hunter" + str(index)
	34
	35	def id(self):
	36	return self._id
	37
	38	def secret(self):
	39	return self._secret
	40
	41	def to_cmdline_object(self):
	42	return [ "secret,id=" + self._id + ",data=" + self._secret]
	43
	44	def to_qmp_object(self):
	45	return { "qom_type" : "secret", "id": self.id(),
	46	"props": { "data": self.secret() } }
	47
	48	################################################################################
	49
	50	class EncryptionSetupTestCase(iotests.QMPTestCase):
	51
	52	# test case startup
	53	def setUp(self):
	54
	55	# start the VMs
	56	self.vm1 = iotests.VM(path_suffix = 'VM1')
	57	self.vm2 = iotests.VM(path_suffix = 'VM2')
	58	self.vm1.launch()
	59	self.vm2.launch()
	60
	61	# create the secrets and load 'em into the VMs
	62	self.secrets = [ Secret(i) for i in range(0, 4) ]
	63	for secret in self.secrets:
	64	result = self.vm1.qmp("object-add", **secret.to_qmp_object())
	65	self.assert_qmp(result, 'return', {})
	66	result = self.vm2.qmp("object-add", **secret.to_qmp_object())
67	self.assert_qmp(result, 'return', {})
68
69	# test case shutdown
70	def tearDown(self):
71	# stop the VM
72	self.vm1.shutdown()
73	self.vm2.shutdown()
74
75	###########################################################################
76	# create the encrypted block device using qemu-img
77	def createImg(self, file, secret):
78
79	output = iotests.qemu_img_pipe(
80	'create',
81	'--object', *secret.to_cmdline_object(),
82	'-f', iotests.imgfmt,
83	'-o', 'key-secret=' + secret.id(),
84	'-o', 'iter-time=10',
85	file,
86	'1M')
87
88	iotests.log(output, filters=[iotests.filter_test_dir])
89
90	# attempts to add a key using qemu-img
91	def addKey(self, file, secret, new_secret):
92
93	image_options = {
94	'key-secret' : secret.id(),
95	'driver' : iotests.imgfmt,
96	'file' : {
97	'driver':'file',
98	'filename': file,
99	}
100	}
101
102	output = iotests.qemu_img_pipe(
103	'amend',
104	'--object', *secret.to_cmdline_object(),
105	'--object', *new_secret.to_cmdline_object(),
106
107	'-o', 'state=active',
108	'-o', 'new-secret=' + new_secret.id(),
109	'-o', 'iter-time=10',
110
111	"json:" + json.dumps(image_options)
112	)
113
114	iotests.log(output, filters=[iotests.filter_test_dir])
115
116	###########################################################################
117	# open an encrypted block device
118	def openImageQmp(self, vm, id, file, secret,
119	readOnly = False, reOpen = False):
120
121	command = 'x-blockdev-reopen' if reOpen else 'blockdev-add'
122
123	result = vm.qmp(command, **
124	{
125	'driver': iotests.imgfmt,
126	'node-name': id,
127	'read-only': readOnly,
128	'key-secret' : secret.id(),
129	'file': {
130	'driver': 'file',
131	'filename': test_img,
132	}
133	}
134	)
135	self.assert_qmp(result, 'return', {})
136
0fca43de ML	137
	138	###########################################################################
	139	# add virtio-blk consumer for a block device
	140	def addImageUser(self, vm, id, disk_id, share_rw=False):
	141	result = vm.qmp('device_add', **
	142	{
	143	'driver': 'virtio-blk',
	144	'id': id,
	145	'drive': disk_id,
	146	'share-rw' : share_rw
	147	}
	148	)
	149
	150	iotests.log(result)
	151
a2cd85f6 ML	152	# close the encrypted block device
	153	def closeImageQmp(self, vm, id):
	154	result = vm.qmp('blockdev-del', **{ 'node-name': id })
	155	self.assert_qmp(result, 'return', {})
	156
	157	###########################################################################
	158
	159	# add a key to an encrypted block device
	160	def addKeyQmp(self, vm, id, new_secret):
	161
	162	args = {
	163	'node-name': id,
	164	'job-id' : 'job0',
	165	'options' : {
	166	'state' : 'active',
	167	'driver' : iotests.imgfmt,
	168	'new-secret': new_secret.id(),
	169	'iter-time' : 10
	170	},
	171	}
	172
	173	result = vm.qmp('x-blockdev-amend', **args)
	174	assert result['return'] == {}
	175	vm.run_job('job0')
	176
	177	# test that when the image opened by two qemu processes,
0fca43de	178	# neither of them can update the encryption keys
a2cd85f6 ML	179	def test1(self):
	180	self.createImg(test_img, self.secrets[0]);
	181
	182	# VM1 opens the image and adds a key
	183	self.openImageQmp(self.vm1, "testdev", test_img, self.secrets[0])
	184	self.addKeyQmp(self.vm1, "testdev", new_secret = self.secrets[1])
	185
	186
	187	# VM2 opens the image
	188	self.openImageQmp(self.vm2, "testdev", test_img, self.secrets[0])
	189
	190
	191	# neither VMs now should be able to add a key
	192	self.addKeyQmp(self.vm1, "testdev", new_secret = self.secrets[2])
	193	self.addKeyQmp(self.vm2, "testdev", new_secret = self.secrets[2])
	194
	195
	196	# VM 1 closes the image
	197	self.closeImageQmp(self.vm1, "testdev")
	198
	199
	200	# now VM2 can add the key
	201	self.addKeyQmp(self.vm2, "testdev", new_secret = self.secrets[2])
	202
	203
	204	# qemu-img should also not be able to add a key
	205	self.addKey(test_img, self.secrets[0], self.secrets[2])
	206
	207	# cleanup
	208	self.closeImageQmp(self.vm2, "testdev")
	209	os.remove(test_img)
	210
	211
0fca43de ML	212	# test that when the image opened by two qemu processes,
	213	# even if first VM opens it read-only, the second can't update encryption
	214	# keys
a2cd85f6 ML	215	def test2(self):
	216	self.createImg(test_img, self.secrets[0]);
	217
	218	# VM1 opens the image readonly
	219	self.openImageQmp(self.vm1, "testdev", test_img, self.secrets[0],
	220	readOnly = True)
	221
	222	# VM2 opens the image
	223	self.openImageQmp(self.vm2, "testdev", test_img, self.secrets[0])
	224
	225	# VM1 can't add a key since image is readonly
	226	self.addKeyQmp(self.vm1, "testdev", new_secret = self.secrets[2])
	227
	228	# VM2 can't add a key since VM is has the image opened
	229	self.addKeyQmp(self.vm2, "testdev", new_secret = self.secrets[2])
	230
	231
	232	#VM1 reopens the image read-write
	233	self.openImageQmp(self.vm1, "testdev", test_img, self.secrets[0],
	234	reOpen = True, readOnly = False)
	235
	236	# VM1 still can't add the key
	237	self.addKeyQmp(self.vm1, "testdev", new_secret = self.secrets[2])
	238
	239	# VM2 gets away
	240	self.closeImageQmp(self.vm2, "testdev")
	241
	242	# VM1 now can add the key
	243	self.addKeyQmp(self.vm1, "testdev", new_secret = self.secrets[2])
	244
	245	self.closeImageQmp(self.vm1, "testdev")
	246	os.remove(test_img)
	247
0fca43de ML	248	# test that two VMs can't open the same luks image by default
	249	# and attach it to a guest device
	250	def test3(self):
	251	self.createImg(test_img, self.secrets[0]);
	252
	253	self.openImageQmp(self.vm1, "testdev", test_img, self.secrets[0])
	254	self.addImageUser(self.vm1, "testctrl", "testdev")
	255
	256	self.openImageQmp(self.vm2, "testdev", test_img, self.secrets[0])
	257	self.addImageUser(self.vm2, "testctrl", "testdev")
	258
	259
	260	# test that two VMs can attach the same luks image to a guest device,
	261	# if both use share-rw=on
	262	def test4(self):
	263	self.createImg(test_img, self.secrets[0]);
	264
	265	self.openImageQmp(self.vm1, "testdev", test_img, self.secrets[0])
	266	self.addImageUser(self.vm1, "testctrl", "testdev", share_rw=True)
	267
	268	self.openImageQmp(self.vm2, "testdev", test_img, self.secrets[0])
	269	self.addImageUser(self.vm2, "testctrl", "testdev", share_rw=True)
	270
	271
a2cd85f6 ML	272
	273	if __name__ == '__main__':
	274	# support only raw luks since luks encrypted qcow2 is a proper
	275	# format driver which doesn't allow any sharing
	276	iotests.activate_logging()
	277	iotests.main(supported_fmts = ['luks'])