Add: Qualcomm User Data Encryption test script & Document #141
Conversation
xbharani
commented
Aug 11, 2025
xbharani
commented
- Checks for fscryptctl binary presence
- Creates a random sw encryption key
- Applies and verifies encryption policy
- Confirms functionality with a test file
- Checks for fscryptctl binary presence - Creates a random sw encryption key - Applies and verifies encryption policy - Confirms functionality with a test file Signed-off-by: Bharani Bhuvanagiri <[email protected]>
| log_info "=== Test Initialization ===" | ||
|
|
||
| log_info "Checking if dependency binary is available" | ||
| check_dependencies fscryptctl |
There was a problem hiding this comment.
Root/user -> fscrypt operations usually require root. Add a quick root check and fail early if not root.
|
|
||
| log_info "Checking if dependency binary is available" | ||
| check_dependencies fscryptctl | ||
|
|
There was a problem hiding this comment.
Kernel/filesystem precheck: Add check_kernel_config CONFIG_FS_ENCRYPTION (and optional CONFIG_FS_VERITY if you care) to SKIP gracefully on kernels without fscrypt. Also verify that the mount backing $MOUNT_DIR is ext4/f2fs with encryption support (or at least that add_key succeeds on that mountpoint).
| check_dependencies fscryptctl | ||
|
|
||
| KEY_FILE="/data/std_key" | ||
| MOUNT_DIR="/mnt/testing" |
There was a problem hiding this comment.
You add_key … /mnt but set policy on $MOUNT_DIR (/mnt/testing). That’s okay if $MOUNT_DIR is on the same filesystem, but brittle. Resolve the mountpoint of $MOUNT_DIR (its parent, typically /mnt) and use that consistently for add_key and key_status.
| log_info "Checking if dependency binary is available" | ||
| check_dependencies fscryptctl | ||
|
|
||
| KEY_FILE="/data/std_key" |
There was a problem hiding this comment.
Use mktemp for the key path (instead of /data/std_key which may not exist), and set chmod 600.
| if ! mkdir -p "$MOUNT_DIR"; then | ||
| log_fail "$TESTNAME : Failed to create mount directory" | ||
| echo "$TESTNAME FAIL" > "$res_file" | ||
| rm -f "$KEY_FILE" |
There was a problem hiding this comment.
Make sure the key file is always removed via a trap on exit.
| if [ -z "$key_id" ]; then | ||
| log_fail "$TESTNAME : Failed to add encryption key" | ||
| echo "$TESTNAME FAIL" > "$res_file" | ||
| rm -f "$KEY_FILE" |
There was a problem hiding this comment.
You can’t “unset” policy trivially, but you can remove the fs key (fscryptctl remove_key). Do that in cleanup so subsequent tests aren’t polluted.
|
|
||
| # Step 3: Add the key to the filesystem | ||
| log_info "Adding encryption key to the filesystem" | ||
| key_id=$(/data/fscryptctl add_key /mnt < "$KEY_FILE" 2>/dev/null) |
There was a problem hiding this comment.
You call /data/fscryptctl … directly. That will fail on Debian/Yocto where it’s /usr/bin/fscryptctl. Use a single variable (e.g., FSCRYPTCTL="${FSCRYPTCTL:-fscryptctl}") and always call "$FSCRYPTCTL".
|
|
||
| # Step 4: Check key status | ||
| log_info "Checking key status" | ||
| status=$(/data/fscryptctl key_status "$key_id" / 2>/dev/null) |
|
|
||
| # Step 5: Set encryption policy | ||
| log_info "Setting encryption policy on $MOUNT_DIR" | ||
| if ! /data/fscryptctl set_policy "$key_id" "$MOUNT_DIR"; then |
|
|
||
| # Step 6: Verify policy | ||
| log_info "Verifying encryption policy" | ||
| policy_output=$(/data/fscryptctl get_policy "$MOUNT_DIR" 2>/dev/null) |
| Runner/ | ||
| ├── suites/ | ||
| │ ├── Kernel/ | ||
| │ │ ├── FunctionalArea/ |
There was a problem hiding this comment.
This folder is no more available. Please correct the structure accordingly.
