Add: Qualcomm User Data Encryption test script & Document #141
xbharani commented Aug 11, 2025
- Checks for fscryptctl binary presence
- Creates a random sw encryption key
- Applies and verifies encryption policy
- Confirms functionality with a test file
|
|
||
| log_info "Checking if dependency binary is available" | ||
| check_dependencies fscryptctl | ||
|
|
Kernel/filesystem precheck: Add check_kernel_config CONFIG_FS_ENCRYPTION (and optional CONFIG_FS_VERITY if you care) to SKIP gracefully on kernels without fscrypt. Also verify that the mount backing $MOUNT_DIR is ext4/f2fs with encryption support (or at least that add_key succeeds on that mountpoint).
check for add_key success exists,
key_id=$("$FSCRYPTCTL" add_key "$FS_PATH" < "$KEY_FILE" 2>/dev/null)
if [ -z "$key_id" ]; then
log_fail "$TESTNAME : Failed to add encryption key"
Runner/suites/Kernel/Baseport/UserDataEncryption/README_UserDataEncryption.md
This pull request has been marked as stale due to 30 days of inactivity. To prevent automatic closure in 7 days, remove the stale label or add a comment. You can reopen a closed pull request at any time.

@xbharani Any update on the requested changes?
- Checks for fscryptctl binary presence
- Creates a random sw encryption key
- Applies and verifies encryption policy
- Confirms functionality with a test file

Signed-off-by: Bharani Bhuvanagiri <[email protected]>
| } | ||
|
|
||
| # Run cleanup on normal exit, Ctrl-C, or SIGTERM | ||
| trap cleanup EXIT INT TERM |
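Review bot: on the `trap cleanup EXIT INT TERM` line, INT and TERM run cleanup but do not end the script unless cleanup itself calls exit, so after Ctrl-C the remaining steps can keep running against a directory that was just removed, and cleanup then runs a second time at EXIT. Suggest keeping cleanup on EXIT only and turning the signals into exits, for example `trap 'exit 130' INT` and `trap 'exit 143' TERM`.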
Trap cleanup can delete /file.txt if $MOUNT_DIR is empty.
cleanup() runs on any exit, including before $MOUNT_DIR is set. Guard all path deletions:
|
|
||
| FSCRYPTCTL="${FSCRYPTCTL:-fscryptctl}" | ||
| TESTNAME="UserDataEncryption" | ||
| test_path=$(find_test_case_by_name "$TESTNAME") |
find_test_case_by_name may return empty; cd "$test_path" would fail.
Fallback to SCRIPT_DIR if not found:
| TESTNAME="UserDataEncryption" | ||
| test_path=$(find_test_case_by_name "$TESTNAME") | ||
| cd "$test_path" || exit 1 | ||
| res_file="./$TESTNAME.res" |
Result file isn’t written for some early exits (e.g., not root / init_env missing).
If your CI expects a .res, write it before exiting anywhere you can. Minimal way: define res_file early and use it in early failures:
| log_info "=== Test Initialization ===" | ||
|
|
||
| log_info "Checking if dependency binary is available" | ||
| check_dependencies "$FSCRYPTCTL" |
SKIP the test if the required bin is not present.
| exit 1 | ||
| fi | ||
|
|
||
| MOUNT_DIR="/mnt/testing" |
Use a unique temp directory for the encrypted path (avoid races & leftovers).
Instead of fixed /mnt/testing, make it unique and under a known mountpoint:
|
|
||
| # Step 3: Add the key to the filesystem | ||
| log_info "Adding encryption key to the filesystem" | ||
| key_id=$("$FSCRYPTCTL" add_key "$FS_PATH" < "$KEY_FILE" 2>/dev/null) |
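Review bot: the `2>/dev/null` on the add_key line discards fscryptctl's error output, so when key_id comes back empty the log cannot say why the key was rejected. Suggest capturing stderr into a variable or log file and including it in the failure message instead of dropping it.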
Derive the correct mountpoint for the directory you will encrypt.
fscryptctl add_key conceptually targets the filesystem mount that backs your directory. Derive it from the target dir instead of hardcoding /mnt:
|
|
||
| # Step 6: Verify policy | ||
| log_info "Verifying encryption policy" | ||
| policy_output=$("$FSCRYPTCTL" get_policy "$MOUNT_DIR" 2>/dev/null) |
Policy verification should parse the actual field, not grep the raw key_id.
get_policy typically prints a “Key descriptor:” line (v1) which may be formatted. Prefer a field match
|
|
||
| # Step 4: Check key status | ||
| log_info "Checking key status" | ||
| status=$("$FSCRYPTCTL" key_status "$key_id" "$FS_PATH" 2>/dev/null) |
Interpret key status for a sanity check.
Make sure the key is actually present/usable:
|
|
||
| # Cleanup | ||
| rm -f "$MOUNT_DIR/file.txt" | ||
| rmdir "$MOUNT_DIR" |
Don’t double-clean (you already have a trap).
You’re deleting the file and rmdir both in the main flow and in cleanup. Rely on the trap only; drop the explicit end-of-script deletes.
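
Three of the points raised in the review comments above (guarding cleanup against an empty path, using a unique test directory, deriving the mountpoint from the target directory) combined in one added sketch. This is not code from the pull request or from the reviewers; `TEST_DIR`, `make_test_dir`, `mountpoint_of` and the `ude_test.` prefix are hypothetical names, and `df -P` is an assumed way to find the backing mount.

```shell
#!/bin/sh
# Added example: TEST_DIR, make_test_dir, mountpoint_of and the
# "ude_test." prefix are hypothetical, not taken from the pull request.

TEST_DIR=""   # stays empty until make_test_dir succeeds

# Print the mount point of the filesystem backing directory $1.
# Assumes POSIX `df -P` output and a mount point without spaces;
# prints nothing if df fails, so callers must check for empty output.
mountpoint_of() {
    [ -d "$1" ] || return 1
    df -P "$1" 2>/dev/null | awk 'NR == 2 { print $NF }'
}

# Create a unique directory under base $1 and record it in TEST_DIR.
# Call it directly, not inside $(...), so the assignment survives.
make_test_dir() {
    [ -n "$1" ] && [ -d "$1" ] || return 1
    TEST_DIR=$(mktemp -d "$1/ude_test.XXXXXX") || { TEST_DIR=""; return 1; }
}

# Remove only what make_test_dir created. An empty or unexpected TEST_DIR
# is ignored, so "$TEST_DIR/file.txt" can never expand to /file.txt.
cleanup() {
    case "$TEST_DIR" in
        */ude_test.??????) ;;
        *) return 0 ;;
    esac
    [ -d "$TEST_DIR" ] || return 0
    rm -f "$TEST_DIR/file.txt"
    rmdir "$TEST_DIR" 2>/dev/null || true
    TEST_DIR=""
}

# Clean up exactly once: signals become an exit, which fires the EXIT trap.
trap cleanup EXIT
trap 'exit 130' INT
trap 'exit 143' TERM
```

In a test script the key would then be added against `$(mountpoint_of "$TEST_DIR")` rather than a hardcoded mount path.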