Skip TestAesEmmcOptimizedHwWrappedKeyPolicy when not runnable
Currently, due to a kernel limitation, an IV_INO_LBLK_32 encryption
policy can't use inline encryption when the filesystem block size
differs from the page size. Since HW-wrapped keys require inline
encryption, IV_INO_LBLK_32 + HW-wrapped keys cannot be used in this
scenario. Update TestAesEmmcOptimizedHwWrappedKeyPolicy to be aware of
this. As part of this, rename kSkipIfNoHardwareSupport to
kSkipIfInlineEncryptionNotUsable to reflect its new meaning.
This fixes a failure in TestAesEmmcOptimizedHwWrappedKeyPolicy on
devices that use 16K pages while also using ext4 with 4K blocks.
Bug: 302429871
Test: atest vts_kernel_encryption_test
Change-Id: I6759a577f180ca8c15613a67169943f7ef72db87
diff --git a/encryption/file_based_encryption_tests.cpp b/encryption/file_based_encryption_tests.cpp
index 8f28ec1..b7717fa 100644
--- a/encryption/file_based_encryption_tests.cpp
+++ b/encryption/file_based_encryption_tests.cpp
@@ -623,7 +623,7 @@
enum {
kSkipIfNoPolicySupport = 1 << 0,
kSkipIfNoCryptoAPISupport = 1 << 1,
- kSkipIfNoHardwareSupport = 1 << 2,
+ kSkipIfInlineEncryptionNotUsable = 1 << 2,
};
// Returns 0 if encryption policies that include the inode number in the IVs
@@ -682,7 +682,8 @@
<< std::hex << flags << std::dec << Errno();
return false;
}
- if (skip_flags & (kSkipIfNoCryptoAPISupport | kSkipIfNoHardwareSupport)) {
+ if (skip_flags &
+ (kSkipIfNoCryptoAPISupport | kSkipIfInlineEncryptionNotUsable)) {
android::base::unique_fd fd(
open(test_file_.c_str(), O_WRONLY | O_CREAT | O_CLOEXEC, 0600));
if (fd < 0) {
@@ -696,13 +697,21 @@
"unsupported on this kernel, due to missing crypto API support";
return false;
}
- // We get EINVAL here when using a hardware-wrapped key and the inline
- // encryption hardware supports wrapped keys but doesn't support the
- // number of DUN bytes that the file contents encryption requires.
- if (errno == EINVAL && (skip_flags & kSkipIfNoHardwareSupport)) {
+ // We get EINVAL here when we're using a hardware-wrapped key, the device
+ // has inline encryption hardware that supports hardware-wrapped keys, and
+ // there are hardware or kernel limitations that make it impossible for
+ // inline encryption to actually be used with the policy. For example:
+ //
+ // - The device's inline encryption hardware doesn't support the number
+ // of DUN bytes needed for file contents encryption.
+ //
+ // - The policy uses the IV_INO_LBLK_32 flag, and the filesystem block
+ // size differs from the page size. (Kernel limitation.)
+ if (errno == EINVAL && (skip_flags & kSkipIfInlineEncryptionNotUsable)) {
GTEST_LOG_(INFO)
- << "Skipping test because encryption policy is not compatible with "
- "this device's inline encryption hardware";
+ << "Skipping test because encryption policy requires inline "
+ "encryption, but inline encryption is unsupported with this "
+ "policy on this device due to hardware or kernel limitations";
return false;
}
}
@@ -960,11 +969,11 @@
std::vector<uint8_t> enc_key, sw_secret;
if (!CreateAndSetHwWrappedKey(&enc_key, &sw_secret)) return;
- if (!SetEncryptionPolicy(
- FSCRYPT_MODE_AES_256_XTS, FSCRYPT_MODE_AES_256_CTS,
- FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64,
- // 64-bit DUN support is not guaranteed.
- kSkipIfNoHardwareSupport | GetSkipFlagsForInoBasedEncryption()))
+ if (!SetEncryptionPolicy(FSCRYPT_MODE_AES_256_XTS, FSCRYPT_MODE_AES_256_CTS,
+ FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64,
+ // 64-bit DUN support is not guaranteed.
+ kSkipIfInlineEncryptionNotUsable |
+ GetSkipFlagsForInoBasedEncryption()))
return;
TestFileInfo file_info;
@@ -1102,9 +1111,12 @@
std::vector<uint8_t> enc_key, sw_secret;
if (!CreateAndSetHwWrappedKey(&enc_key, &sw_secret)) return;
+ int skip_flags = GetSkipFlagsForInoBasedEncryption();
+ if (kFilesystemBlockSize != getpagesize())
+ skip_flags |= kSkipIfInlineEncryptionNotUsable;
+
if (!SetEncryptionPolicy(FSCRYPT_MODE_AES_256_XTS, FSCRYPT_MODE_AES_256_CTS,
- FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32,
- GetSkipFlagsForInoBasedEncryption()))
+ FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32, skip_flags))
return;
TestFileInfo file_info;