"Fossies" - the Fresh Open Source Software Archive

Member "cryptsetup-2.4.3/tests/luks2-reencryption-test" (13 Jan 2022, 61633 Bytes) of package /linux/misc/cryptsetup-2.4.3.tar.xz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Bash source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "luks2-reencryption-test": 2.4.2_vs_2.4.3.

    1 #!/bin/bash
    2 
    3 PS4='$LINENO:'
    4 [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
    5 CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
    6 
    7 CRYPTSETUP_VALGRIND=../.libs/cryptsetup
    8 CRYPTSETUP_LIB_VALGRIND=../.libs
    9 
   10 FAST_PBKDF2="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
   11 FAST_PBKDF_ARGON="--pbkdf-force-iterations 4 --pbkdf-memory 32 --pbkdf-parallel 1"
   12 DEFAULT_ARGON="argon2i"
   13 
   14 DEV=""
   15 OVRDEV="123reenc321"
   16 DEVBIG="reenc2134"
   17 DEV_NAME=reenc9768
   18 DEV_NAME2=reenc97682
   19 IMG=reenc-data
   20 IMG_HDR=$IMG.hdr
   21 KEY1=key1
   22 VKEY1=vkey1
   23 PWD1="93R4P4pIqAH8"
   24 PWD2="1cND4319812f"
   25 PWD3="1-9Qu5Ejfnqv"
   26 DEV_LINK="reenc-test-link"
   27 
   28 [ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
   29 
   30 function dm_crypt_features()
   31 {
   32     VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
   33     [ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version."
   34 
   35     VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
   36     VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
   37     VER_PTC=$(echo $VER_STR | cut -f 3 -d.)
   38 
   39     [ $VER_MAJ -lt 1 ] && return
   40     [ $VER_MAJ -gt 1 ] && {
   41         DM_PERF_CPU=1
   42         DM_SECTOR_SIZE=1
   43         return
   44     }
   45 
   46     [ $VER_MIN -lt 14 ] && return
   47     DM_PERF_CPU=1
   48     if [ $VER_MIN -ge 17 -o \( $VER_MIN -eq 14 -a $VER_PTC -ge 5 \) ]; then
   49         DM_SECTOR_SIZE=1
   50     fi
   51 }
   52 
   53 function dm_delay_features()
   54 {
   55     local _ver_str=$(dmsetup targets | grep delay | cut -f2 -dv)
   56     [ -z "$_ver_str" ] && return 1
   57     return 0
   58 }
   59 
   60 # $1 path to scsi debug bdev
   61 scsi_debug_teardown() {
   62     local _tries=15;
   63 
   64     while [ -b "$1" -a $_tries -gt 0 ]; do
   65         rmmod scsi_debug >/dev/null 2>&1
   66         if [ -b "$1" ]; then
   67             sleep .1
   68             _tries=$((_tries-1))
   69         fi
   70     done
   71 
   72     test ! -b "$1" || rmmod scsi_debug >/dev/null 2>&1
   73 }
   74 
   75 function remove_mapping()
   76 {
   77     [ -b /dev/mapper/$DEV_NAME ] && {
   78         dmsetup resume $DEV_NAME
   79         dmsetup remove --retry $DEV_NAME
   80     }
   81     [ -b /dev/mapper/$DEV_NAME2 ] && {
   82         dmsetup resume $DEV_NAME2
   83         dmsetup remove --retry $DEV_NAME2
   84     }
   85     [ -b /dev/mapper/$DEV_NAME-overlay ] && {
   86         dmsetup resume $DEV_NAME-overlay
   87         dmsetup remove --retry $DEV_NAME-overlay
   88     }
   89     [ -b /dev/mapper/$DEV_NAME-hotzone-forward ] && {
   90         dmsetup resume $DEV_NAME-hotzone-forward
   91         dmsetup remove --retry $DEV_NAME-hotzone-forward
   92     }
   93     [ -b /dev/mapper/$DEV_NAME-hotzone-backward ] && {
   94         dmsetup resume $DEV_NAME-hotzone-backward
   95         dmsetup remove --retry $DEV_NAME-hotzone-backward
   96     }
   97     [ -b /dev/mapper/$OVRDEV ] && dmsetup remove --retry $OVRDEV 2>/dev/null
   98     [ -b /dev/mapper/$OVRDEV-err ] && dmsetup remove --retry $OVRDEV-err 2>/dev/null
   99     [ -n "$LOOPDEV" ] && losetup -d $LOOPDEV
  100     unset LOOPDEV
  101     rm -f $IMG $IMG_HDR $KEY1 $VKEY1 $DEVBIG $DEV_LINK >/dev/null 2>&1
  102     rmmod scsi_debug >/dev/null 2>&1
  103     scsi_debug_teardown $DEV
  104 }
  105 
  106 function fail()
  107 {
  108     local frame=0
  109     [ -n "$1" ] && echo "$1"
  110     echo "FAILED backtrace:"
  111     while caller $frame; do ((frame++)); done
  112     remove_mapping
  113     exit 2
  114 }
  115 
  116 function skip()
  117 {
  118     [ -n "$1" ] && echo "$1"
  119     remove_mapping
  120     exit 77
  121 }
  122 
  123 function fips_mode()
  124 {
  125     [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
  126 }
  127 
  128 function add_scsi_device() {
  129     scsi_debug_teardown $DEV
  130     if [ -d /sys/module/scsi_debug ] ; then
  131         echo "Cannot use scsi_debug module (in use or compiled-in), test skipped."
  132         exit 77
  133     fi
  134     modprobe scsi_debug $@ delay=0 >/dev/null 2>&1
  135     if [ $? -ne 0 ] ; then
  136         echo "This kernel seems to not support proper scsi_debug module, test skipped."
  137         exit 77
  138     fi
  139 
  140     sleep 1
  141     DEV="/dev/"$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /)
  142     [ -b $DEV ] || fail "Cannot find $DEV."
  143 }
  144 
  145 function open_crypt() # $1 pwd, $2 hdr
  146 {
  147     if [ -n "$2" ] ; then
  148         echo "$1" | $CRYPTSETUP luksOpen $DEV $DEV_NAME --header $2 || fail
  149     elif [ -n "$1" ] ; then
  150         echo "$1" | $CRYPTSETUP luksOpen $DEV $DEV_NAME || fail
  151     else
  152         $CRYPTSETUP luksOpen -d $KEY1 $DEV $DEV_NAME || fail
  153     fi
  154 }
  155 
  156 function wipe_dev_head() # $1 dev, $2 length (in MiBs)
  157 {
  158     dd if=/dev/zero of=$1 bs=1M count=$2 conv=notrunc >/dev/null 2>&1
  159 }
  160 
  161 function wipe_dev() # $1 dev
  162 {
  163     if [ -b $1 ] ; then
  164         blkdiscard --zeroout $1 2>/dev/null || dd if=/dev/zero of=$1 bs=1M conv=notrunc >/dev/null 2>&1
  165         if [ $# -gt 2 ]; then
  166             dd if=/dev/urandom of=$1 bs=1M seek=$2 conv=notrunc >/dev/null 2>&1
  167         fi
  168     else
  169         local size=$(stat --printf="%s" $1)
  170         truncate -s 0 $1
  171         if [ $# -gt 2 ]; then
  172             local diff=$((size-$2*1024*1024))
  173             echo "size: $size, diff: $diff"
  174             truncate -s $diff $1
  175             # wipe_dev_head $1 $((diff/(1024*1024)))
  176             dd if=/dev/urandom of=$1 bs=1M seek=$2 size=$((diff/(1024*1024))) conv=notrunc >/dev/null 2>&1
  177         else
  178             truncate -s $size $1
  179         fi
  180     fi
  181 }
  182 
  183 function wipe() # $1 pass, $2 hdr
  184 {
  185     open_crypt $1 $2
  186     wipe_dev /dev/mapper/$DEV_NAME
  187     udevadm settle >/dev/null 2>&1
  188     $CRYPTSETUP luksClose $DEV_NAME || fail
  189 }
  190 
  191 function prepare() # $1 dev1_siz
  192 {
  193     remove_mapping
  194 
  195     if [ ! -e $KEY1 ]; then
  196         dd if=/dev/urandom of=$KEY1 count=1 bs=32 >/dev/null 2>&1
  197     fi
  198 
  199     if [ ! -e $VKEY1 ]; then
  200         echo -n $'\x44\xc6\x74\x4f\x41\x4e\x50\xc0\x79\xc2\x2d\x5b\x5f\x68\x84\x17' >$VKEY1
  201         echo -n $'\x9c\x03\xba\xbe\x4d\x0f\x9a\x75\xb3\x90\x70\x32\x0a\xf8\xae\xc4'>>$VKEY1
  202     fi
  203 
  204     add_scsi_device $@
  205 }
  206 
  207 function preparebig() # $1 dev1_siz
  208 {
  209     remove_mapping
  210 
  211     if [ ! -e $KEY1 ]; then
  212         dd if=/dev/urandom of=$KEY1 count=1 bs=32 >/dev/null 2>&1
  213     fi
  214 
  215     truncate -s "$1"M $DEVBIG
  216     LOOPDEV=$(losetup -f)
  217     losetup -f $DEVBIG || fail
  218     DEV=$LOOPDEV
  219 }
  220 
  221 function check_hash_dev() # $1 dev, $2 hash
  222 {
  223     HASH=$(sha256sum $1 | cut -d' ' -f 1)
  224     [ $HASH != "$2" ] && fail "HASH differs (expected: $2) (result $HASH)"
  225 }
  226 
  227 function check_hash() # $1 pwd, $2 hash, $3 hdr
  228 {
  229     open_crypt $1 $3
  230     check_hash_dev /dev/mapper/$DEV_NAME $2
  231     $CRYPTSETUP remove $DEV_NAME || fail
  232 }
  233 
  234 function check_hash_dev_head() # $1 dev, $2 len, $3 hash
  235 {
  236     local hash=$(dd if=$1 bs=512 count=$2 2>/dev/null | sha256sum | cut -d' ' -f1)
  237     [ $hash != "$3" ] && fail "HASH differs (expected: $3) (result $hash)"
  238 }
  239 
  240 function check_hash_head() # $1 pwd, $2 len, $3 hash, $4 hdr
  241 {
  242     open_crypt $1 $4
  243     check_hash_dev_head /dev/mapper/$DEV_NAME $2 $3
  244     $CRYPTSETUP remove $DEV_NAME || fail
  245 }
  246 
  247 function resize_file() # $1 dev, $2 shrink bytes
  248 {
  249     local size=$(stat --printf="%s" $1)
  250     truncate -s $(($size + $2)) $1
  251     losetup -c $LOOPDEV
  252 }
  253 
  254 function error_writes() { # $1 dmdev, $2 data dev, $3 offset, $4 size
  255     local _dev_size=$(blockdev --getsz /dev/mapper/$1)
  256     local _offset=$(($3+$4))
  257     local _size=$((_dev_size-_offset))
  258     local _err=$1-err
  259     local _table=
  260     dmsetup create $_err --table "0 $_dev_size error" || fail
  261 
  262     if [ $3 -ne 0 ]; then
  263         _table="0 $3 linear $2 0\n"
  264     fi
  265 
  266     _table=$_table"$3 $4 delay $2 $3 0 /dev/mapper/$_err $3 0"
  267 
  268     if [ $_size -ne 0 ]; then
  269         _table="$_table\n$_offset $_size linear $2 $_offset"
  270     fi
  271 
  272     echo -e "$_table" | dmsetup load $1 || fail
  273     dmsetup resume $1 || fail
  274     blockdev --setra 0 /dev/mapper/$1
  275     blockdev --setra 0 /dev/mapper/$_err
  276 }
  277 
  278 function fix_writes() { # $1 dmdev, $2 data dev
  279     local _dev_size=$(blockdev --getsz /dev/mapper/$1)
  280     dmsetup load $1 --table "0 $_dev_size linear $2 0" || fail
  281     dmsetup resume $1 || fail
  282     dmsetup remove --retry $1-err 2>/dev/null || fail
  283 }
  284 
  285 function prepare_linear_dev() {
  286     local _sizemb=$1
  287     shift
  288 
  289     if [ "$_sizemb" -gt 32 ]; then
  290         preparebig $_sizemb
  291     else
  292         prepare dev_size_mb=$_sizemb $@
  293     fi
  294 
  295     dmsetup create $OVRDEV --table "0 $((_sizemb*1024*2)) linear $DEV 0" || fail
  296 
  297     OLD_DEV=$DEV
  298     DEV=/dev/mapper/$OVRDEV
  299 }
  300 
  301 function get_error_offsets() # $1 devsize, $2 minimal offset, $3 sector_size [512 if omitted], $4 max offset
  302 {
  303     local _devsize=$(($1*1024*2))
  304     local _sector_size=${3:-512}
  305     local _max_offset=${4:-$_devsize}
  306     _sector_size=$((_sector_size/512))
  307 
  308     # 8 sectors minimal size (4096)
  309     ERRLENGTH=$((($RANDOM%56)+8))
  310     ERRLENGTH=$(($ERRLENGTH-($ERRLENGTH%$_sector_size)))
  311 
  312     ERROFFSET=$(($2+((2*$RANDOM)%($_max_offset-$2-$ERRLENGTH))))
  313     ERROFFSET=$(($ERROFFSET-($ERROFFSET%$_sector_size)))
  314 }
  315 
  316 function reencrypt_recover() { # $1 sector size, $2 resilience, $3 digest, [$4 header]
  317     echo -n "resilience mode: $2 ..."
  318     local _hdr=""
  319     test -z "$4" || _hdr="--header $4"
  320 
  321     error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
  322     echo $PWD1 | $CRYPTSETUP reencrypt $DEV $_hdr --hotzone-size 1M --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON >/dev/null 2>&1 && fail
  323     fix_writes $OVRDEV $OLD_DEV
  324 
  325     echo $PWD1 | $CRYPTSETUP -q repair $DEV $_hdr || fail
  326 
  327     check_hash $PWD1 $3 $4
  328 
  329     echo $PWD1 | $CRYPTSETUP reencrypt $DEV $_hdr --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON || fail
  330     check_hash $PWD1 $3 $4
  331 
  332     echo "[OK]"
  333 }
  334 
  335 function reencrypt_recover_online() { # $1 sector size, $2 resilience, $3 digest, [$4 header]
  336     echo -n "resilience mode: $2 ..."
  337     local _hdr=""
  338     test -z "$4" || _hdr="--header $4"
  339 
  340     echo $PWD1 | $CRYPTSETUP open $DEV $_hdr $DEV_NAME || fail
  341 
  342     error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
  343     echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME $_hdr --hotzone-size 1M --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON >/dev/null 2>&1 && fail
  344     $CRYPTSETUP status $DEV_NAME $_hdr | grep -q "reencryption:  in-progress" || fail
  345     $CRYPTSETUP close $DEV_NAME || fail
  346     fix_writes $OVRDEV $OLD_DEV
  347 
  348     # recovery during activation
  349     echo $PWD1 | $CRYPTSETUP open $DEV $_hdr $DEV_NAME || fail
  350     check_hash_dev /dev/mapper/$DEV_NAME $3
  351 
  352     $CRYPTSETUP luksDump ${4:-$DEV} | grep -q "online-reencrypt"
  353     if [ $? -eq 0 ]; then
  354         $CRYPTSETUP status $DEV_NAME $_hdr | grep -q "reencryption:  in-progress" || fail
  355         echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME $_hdr --resilience $2 --resume-only -q || fail
  356         check_hash_dev /dev/mapper/$DEV_NAME $3
  357     fi
  358 
  359     $CRYPTSETUP close $DEV_NAME || fail
  360     echo "[OK]"
  361 }
  362 
  363 function encrypt_recover() { # $1 sector size, $2 reduce size, $3 digest, $4 device size in sectors, $5 origin digest
  364     wipe_dev $DEV
  365     check_hash_dev $DEV $5
  366 
  367     echo -n "resilience mode: datashift ..."
  368 
  369     echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size $2 --sector-size $1 -q $FAST_PBKDF_ARGON --init-only >/dev/null 2>&1 || fail
  370 
  371     error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
  372     echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q >/dev/null 2>&1 && fail
  373     fix_writes $OVRDEV $OLD_DEV
  374 
  375     echo $PWD1 | $CRYPTSETUP -q repair $DEV || fail
  376 
  377     $CRYPTSETUP luksDump $DEV | grep -q "online-reencrypt"
  378     if [ $? -eq 0 ]; then
  379         check_hash $PWD1 $3
  380         echo $PWD1 | $CRYPTSETUP reencrypt $DEV --sector-size $1 -q $FAST_PBKDF_ARGON || fail
  381     fi
  382 
  383     check_hash_head $PWD1 $4 $3
  384 
  385     echo "[OK]"
  386 }
  387 
  388 function encrypt_recover_online() { # $1 sector size, $2 reduce size, $3 digest, $4 device size in sectors, $5 origin digest
  389     wipe_dev $DEV
  390     check_hash_dev $DEV $5
  391 
  392     echo -n "resilience mode: datashift ..."
  393 
  394     echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size $2 --sector-size $1 -q $FAST_PBKDF_ARGON --init-only > /dev/null || fail
  395     echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
  396 
  397     error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
  398     echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q >/dev/null 2>&1 && fail
  399     $CRYPTSETUP status $DEV_NAME | grep -q "reencryption:  in-progress" || fail
  400     $CRYPTSETUP close $DEV_NAME || fail
  401     fix_writes $OVRDEV $OLD_DEV
  402 
  403     # recovery in activation
  404     echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
  405 
  406     $CRYPTSETUP luksDump $DEV | grep -q "online-reencrypt"
  407     if [ $? -eq 0 ]; then
  408         $CRYPTSETUP status $DEV_NAME | grep -q "reencryption:  in-progress" || fail
  409         check_hash_dev /dev/mapper/$DEV_NAME $3
  410         echo $PWD1 | $CRYPTSETUP reencrypt --resume-only --active-name $DEV_NAME -q || fail
  411     fi
  412 
  413     $CRYPTSETUP close $DEV_NAME || fail
  414     check_hash_head $PWD1 $4 $3
  415 
  416     echo "[OK]"
  417 }
  418 
  419 function encrypt_recover_detached() { # $1 sector size, $2 resilience, $3 digest, $4 hdr
  420     wipe_dev $DEV
  421     check_hash_dev $DEV $3
  422 
  423     echo -n "resilience mode: $2 ..."
  424 
  425     error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
  426     echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --hotzone-size 1M --header $4 --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON 2>/dev/null && fail
  427     fix_writes $OVRDEV $OLD_DEV
  428 
  429     echo $PWD1 | $CRYPTSETUP repair $DEV --header $4 || fail
  430 
  431     check_hash $PWD1 $3 $4
  432 
  433     echo $PWD1 | $CRYPTSETUP reencrypt $DEV --header $4 --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON || fail
  434     check_hash $PWD1 $3 $4
  435 
  436     echo "[OK]"
  437 }
  438 
  439 function encrypt_recover_detached_online() { # $1 sector size, $2 resilience, $3 digest, $4 hdr
  440     wipe_dev $DEV
  441     check_hash_dev $DEV $3
  442 
  443     echo -n "resilience mode: $2 ..."
  444 
  445     echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --hotzone-size 1M --header $4 --resilience $2 --sector-size $1 -q $FAST_PBKDF_ARGON --init-only || fail
  446     echo $PWD1 | $CRYPTSETUP open $DEV --header $4 $DEV_NAME || fail
  447 
  448     error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
  449     echo $PWD1 | $CRYPTSETUP reencrypt -q $DEV --header $4 --hotzone-size 1M  2>/dev/null && fail
  450     $CRYPTSETUP status $DEV_NAME --header $4 | grep -q "reencryption:  in-progress" || fail
  451     $CRYPTSETUP close $DEV_NAME || fail
  452     fix_writes $OVRDEV $OLD_DEV
  453 
  454     echo $PWD1 | $CRYPTSETUP open $DEV --header $4 $DEV_NAME || fail
  455     check_hash_dev /dev/mapper/$DEV_NAME $3
  456 
  457     $CRYPTSETUP luksDump $4 | grep -q "online-reencrypt"
  458     if [ $? -eq 0 ]; then
  459         $CRYPTSETUP status $DEV_NAME --header $4 | grep -q "reencryption:  in-progress" || fail
  460         echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME --resume-only --header $4 --resilience $2 -q || fail
  461         check_hash_dev /dev/mapper/$DEV_NAME $3
  462     fi
  463 
  464     $CRYPTSETUP close $DEV_NAME || fail
  465 
  466     echo "[OK]"
  467 }
  468 
  469 function decrypt_recover_detached() { # $1 sector size, $2 resilience, $3 digest, $4 hdr
  470     echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size $1 --header $4 $FAST_PBKDF_ARGON $DEV || fail
  471     wipe $PWD1 $4
  472     check_hash $PWD1 $3 $4
  473 
  474     echo -n "resilience mode: $2 ..."
  475 
  476     error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
  477     echo $PWD1 | $CRYPTSETUP reencrypt $DEV --decrypt --hotzone-size 1M --header $4 --resilience $2 -q 2>/dev/null && fail
  478     fix_writes $OVRDEV $OLD_DEV
  479 
  480     echo $PWD1 | $CRYPTSETUP repair $DEV --header $4 || fail
  481 
  482     $CRYPTSETUP luksDump $4 | grep -q "online-reencrypt"
  483     if [ $? -eq 0 ]; then
  484         check_hash $PWD1 $3 $4
  485         echo $PWD1 | $CRYPTSETUP reencrypt $DEV --resume-only --header $4 --resilience $2 -q || fail
  486     fi
  487 
  488     check_hash_dev $DEV $3
  489 
  490     echo "[OK]"
  491 }
  492 
  493 function decrypt_recover_detached_online() { # $1 sector size, $2 resilience, $3 digest, $4 hdr
  494     echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size $1 --header $4 $FAST_PBKDF_ARGON $DEV || fail
  495     echo $PWD1 | $CRYPTSETUP open $DEV --header $4 $DEV_NAME || fail
  496     wipe_dev /dev/mapper/$DEV_NAME
  497     check_hash_dev /dev/mapper/$DEV_NAME $3
  498 
  499     echo -n "resilience mode: $2 ..."
  500 
  501     error_writes $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
  502     echo $PWD1 | $CRYPTSETUP reencrypt $DEV --decrypt --hotzone-size 1M --header $4 --resilience $2 -q 2>/dev/null && fail
  503     $CRYPTSETUP status $DEV_NAME --header $4 | grep -q "reencryption:  in-progress" || fail
  504     $CRYPTSETUP close $DEV_NAME || fail
  505     fix_writes $OVRDEV $OLD_DEV
  506 
  507     # recovery during activation
  508     echo $PWD1 | $CRYPTSETUP open $DEV --header $4 $DEV_NAME || fail
  509 
  510     $CRYPTSETUP luksDump $4 | grep -q "online-reencrypt"
  511     if [ $? -eq 0 ]; then
  512         $CRYPTSETUP status $DEV_NAME --header $4 | grep -q "reencryption:  in-progress" || fail
  513         check_hash_dev /dev/mapper/$DEV_NAME $3
  514         echo $PWD1 | $CRYPTSETUP reencrypt $DEV --header $4 --resilience $2 -q || fail
  515     fi
  516 
  517     $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail
  518     check_hash_dev $DEV $3
  519 
  520     echo "[OK]"
  521 }
  522 
  523 # sector size (bytes)
  524 # reenc dev size (sectors)
  525 # reenc dev digest
  526 # resilience
  527 # orig size
  528 # orig size digest
  529 # hdr (optional)
  530 function reencrypt_offline_fixed_size() {
  531     local _esz=$(($1>>9))
  532     local _hdr=""
  533     test -z "$7" || _hdr="--header $7"
  534 
  535     # reencrypt with fixed device size
  536     echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV  $_hdr --sector-size $1 --device-size $2s --resilience $4 || fail
  537     check_hash_head $PWD1 $2 $3 $7
  538     wipe $PWD1 $7
  539 
  540     # try to reencrypt device size + 1 encryption sector size
  541     echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --sector-size $1 --init-only || fail
  542     echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --device-size $(($5+_esz))s --resilience $4 2>/dev/null && fail
  543     check_hash $PWD1 $6 $7
  544 
  545     # misaligned reencryption size
  546     if [ $_esz -gt 1 ]; then
  547         echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --device-size $(($2+_esz-1))s --resilience $4 2>/dev/null && fail
  548         $CRYPTSETUP luksDump ${7:-$DEV} | grep -q "2: crypt" || fail
  549         $CRYPTSETUP luksDump ${7:-$DEV} | grep -q "3: crypt" && fail
  550         check_hash $PWD1 $6 $7
  551     fi
  552 }
  553 
  554 # sector size (bytes)
  555 # reenc dev size (sectors)
  556 # reenc dev digest
  557 # resilience
  558 # orig size
  559 # orig size digest
  560 # hdr
  561 function encrypt_offline_fixed_size() {
  562     local _esz=$(($1>>9))
  563 
  564     # reencrypt with fixed device size
  565     wipe_dev $DEV
  566     echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -q $FAST_PBKDF_ARGON $DEV --header $7 --sector-size $1 --device-size $2s --resilience $4 || fail
  567     check_hash_head $PWD1 $2 $3 $7
  568 
  569     # try to reencrypt device size + 1 encryption sector size
  570     wipe_dev $DEV
  571     echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -q $FAST_PBKDF_ARGON $DEV --header $7 --sector-size $1 --init-only || fail
  572     echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV  --header $7 --device-size $(($5+_esz))s --resilience $4 2>/dev/null && fail
  573     check_hash $PWD1 $6 $7
  574 
  575     # misaligned reencryption size
  576     if [ $_esz -gt 1 ]; then
  577         echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -q $FAST_PBKDF_ARGON $DEV --header $7 --sector-size $1 --init-only || fail
  578         echo $PWD1 | $CRYPTSETUP reencrypt -q $DEV --header $7 --device-size $(($2+_esz-1))s --resilience $4 2>/dev/null && fail
  579         $CRYPTSETUP luksDump $7 | grep -q "2: crypt" || fail
  580         $CRYPTSETUP luksDump $7 | grep -q "3: crypt" && fail
  581         check_hash $PWD1 $6 $7
  582     fi
  583 }
  584 
  585 # sector size (bytes)
  586 # reenc dev size (sectors)
  587 # reenc dev digest
  588 # resilience
  589 # orig size
  590 # orig size digest
  591 # hdr
  592 function decrypt_offline_fixed_size() {
  593     local _esz=$(($1>>9))
  594 
  595     # decrypt with fixed device size
  596     echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -q $FAST_PBKDF_ARGON $DEV --header $7 --sector-size $1 || fail
  597     wipe $PWD1 $7
  598     echo $PWD1 | $CRYPTSETUP reencrypt --decrypt -q $DEV --header $7 --device-size $2s --resilience $4 || fail
  599 
  600     dmsetup load $OVRDEV --table "0 $2 linear $OLD_DEV 0" || fail
  601     dmsetup resume $OVRDEV || fail
  602     check_hash_dev $DEV $3
  603     dmsetup load $OVRDEV --table "0 $5 linear $OLD_DEV 0" || fail
  604     dmsetup resume $OVRDEV || fail
  605 
  606     # try to decrypt device size + 1 encryption sector size
  607     echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -q $FAST_PBKDF_ARGON $DEV --header $7 --sector-size $1 || fail
  608     wipe $PWD1 $7
  609     echo $PWD1 | $CRYPTSETUP reencrypt --decrypt -q $FAST_PBKDF_ARGON $DEV --header $7 --init-only || fail
  610     echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV --header $7 --device-size $(($5+_esz))s --resilience $4 2>/dev/null && fail
  611     check_hash $PWD1 $6 $7
  612 
  613     # misaligned reencryption size
  614     if [ $_esz -gt 1 ]; then
  615         echo $PWD1 | $CRYPTSETUP reencrypt -q $DEV --header $7 --device-size $(($2+_esz-1))s --resilience $4 2>/dev/null && fail
  616         $CRYPTSETUP luksDump $7 | grep -q "2: linear\|2: crypt" || fail
  617         $CRYPTSETUP luksDump $7 | grep -q "3: crypt\|3: linear" && fail
  618         check_hash $PWD1 $6 $7
  619     fi
  620 }
  621 
  622 # sector size (bytes)
  623 # reenc dev size (sectors)
  624 # reenc dev digest
  625 # resilience
  626 # orig size
  627 # orig size digest
  628 # hdr (optional)
  629 function reencrypt_online_fixed_size() {
  630     local _esz=$(($1>>9))
  631     local _hdr=""
  632     test -z "$7" || _hdr="--header $7"
  633 
  634     if [ -z "$_hdr" ]; then
  635         echo $PWD1 | $CRYPTSETUP -q luksFormat --sector-size 512 --type luks2 --offset 16384 $FAST_PBKDF_ARGON $DEV || fail
  636     else
  637         echo $PWD1 | $CRYPTSETUP -q luksFormat --sector-size 512 --type luks2 $_hdr $FAST_PBKDF_ARGON $DEV || fail
  638     fi
  639     wipe $PWD1 $7
  640 
  641     # reencrypt with fixed device size
  642     echo $PWD1 | $CRYPTSETUP open $DEV $_hdr $DEV_NAME || fail
  643     echo $PWD1 | $CRYPTSETUP resize $DEV_NAME $_hdr --size $2 || fail
  644     echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --sector-size $1 --resilience $4 || fail
  645     $CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "$2 sectors" || fail
  646     $CRYPTSETUP close $DEV_NAME || fail
  647     check_hash_head $PWD1 $2 $3 $7
  648     wipe $PWD1 $7
  649 
  650     # active device != requested reencryption size
  651     echo $PWD1 | $CRYPTSETUP open $DEV $_hdr $DEV_NAME || fail
  652     echo $PWD1 | $CRYPTSETUP resize $DEV_NAME $_hdr --size $2 || fail
  653     echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --sector-size $1 --init-only || fail
  654     echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --device-size $(($2-_esz))s --resilience $4 2>/dev/null && fail
  655     echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --device-size $2s --resilience $4 || fail
  656     $CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "$2 sectors" || fail
  657     $CRYPTSETUP close $DEV_NAME || fail
  658     check_hash_head $PWD1 $2 $3 $7
  659 
  660     # misaligned reencryption size
  661     if [ $_esz -gt 1 ]; then
  662         if [ -z "$_hdr" ]; then
  663             echo $PWD1 | $CRYPTSETUP -q luksFormat --sector-size 512 --type luks2 --offset 16384 $FAST_PBKDF_ARGON $DEV || fail
  664         else
  665             echo $PWD1 | $CRYPTSETUP -q luksFormat --sector-size 512 --type luks2 $_hdr $FAST_PBKDF_ARGON $DEV || fail
  666         fi
  667         wipe $PWD1 $7
  668         check_hash $PWD1 $6 $7
  669 
  670         echo $PWD1 | $CRYPTSETUP open $DEV $_hdr $DEV_NAME || fail
  671         echo $PWD1 | $CRYPTSETUP resize $DEV_NAME $_hdr --size $(($2+_esz-1)) || fail
  672         echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --sector-size $1 --init-only || fail
  673         echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --resilience $4 2>/dev/null && fail
  674         $CRYPTSETUP close $DEV_NAME || fail
  675         check_hash $PWD1 $6 $7
  676     fi
  677 }
  678 
  679 function setup_luks2_env() {
  680     echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c aes-xts-plain64 $FAST_PBKDF_ARGON $DEV || fail
  681     echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
  682     HAVE_KEYRING=$($CRYPTSETUP status $DEV_NAME | grep "key location: keyring")
  683     if [ -n "$HAVE_KEYRING" ]; then
  684         HAVE_KEYRING=1
  685     else
  686         HAVE_KEYRING=0
  687     fi
  688     DEF_XTS_KEY=$($CRYPTSETUP status $DEV_NAME | grep "keysize:" | sed 's/\(  keysize: \)\([0-9]\+\)\(.*\)/\2/')
  689     [ -n "$DEF_XTS_KEY" ] || fail "Failed to parse xts mode key size."
  690     $CRYPTSETUP close $DEV_NAME || fail
  691 }
  692 
  693 function valgrind_setup()
  694 {
  695     which valgrind >/dev/null 2>&1 || fail "Cannot find valgrind."
  696     [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
  697     export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"
  698 }
  699 
  700 function valgrind_run()
  701 {
  702     INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
  703 }
  704 
  705 [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
  706 [ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."
  707 fips_mode && skip "This test cannot be run in FIPS mode."
  708 modprobe --dry-run scsi_debug >/dev/null 2>&1 || skip "This kernel seems to not support proper scsi_debug module, test skipped."
  709 modprobe dm-crypt >/dev/null 2>&1 || fail "dm-crypt failed to load"
  710 modprobe dm-delay > /dev/null 2>&1
  711 dm_crypt_features
  712 
  713 if [ -n "$DM_SECTOR_SIZE" ]; then
  714     TEST_SECTORS="512 4096"
  715 else
  716     TEST_SECTORS="512"
  717 fi
  718 
  719 modinfo scsi_debug -p | grep -q opt_xferlen_exp && OPT_XFERLEN_EXP="opt_xferlen_exp=6"
  720 
  721 export LANG=C
  722 
  723 [ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run
  724 
  725 # REENCRYPTION tests
  726 
  727 # 28 MiBs of zeros (32MiBs - 4MiB LUKS2 header)
  728 HASH1=f8280c81b347b01405277bf9e8bf0685ae8be863ff104797c65b7169f8203fd2
  729 # 1 MiB of zeros
  730 HASH2=30e14955ebf1352266dc2ff8067e68104607e750abb9d3b36582b8af909fcb58
  731 # 256 MiBs of zeros
  732 HASH3=a6d72ac7690f53be6ae46ba88506bd97302a093f7108472bd9efc3cefda06484
  733 # 64 MiBs of zeroes
  734 HASH4=3b6a07d0d404fab4e23b6d34bc6696a6a312dd92821332385e5af7c01c421351
  735 # 56 MiBs of zeroes
  736 HASH5=8afcb7e7189ce4d112fd245eaa60c3cfcf5a5d5e1d6bf4eb85941d73ef8cfbd5
  737 # 43 MiBs of zeroes
  738 HASH6=39f7c6d38af574fe2c90ef400dfaba8ef8edccd11bdac998a3f8143a86837331
  739 # 31 MiBs of zeroes
  740 HASH7=18a393d1a505e22ccf3e29effe3005ea8627e4c36b7cca0e53f58121f49b67e1
  741 # 60 MiBs of zeroes
  742 HASH8=cf5ac69ca412f9b3b1a8b8de27d368c5c05ed4b1b6aa40e6c38d9cbf23711342
  743 # 240 MiBs of zeroes (256MiBs - 16MiBs default LUKS2 header size)
  744 HASH9=17088b031491a37e0ee9e1025a3938f55ee94ae27653370ad2fe5b0b32e35334
  745 
  746 prepare dev_size_mb=32
  747 setup_luks2_env
  748 
  749 echo "[1] Reencryption"
  750 echo -n "[512 sector]"
  751 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c aes-cbc-essiv:sha256 --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
  752 wipe $PWD1
  753 check_hash $PWD1 $HASH1
  754 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON 2>&1 | tail -1 | grep -q "not supported" && skip " No reenryption support, test skipped."
  755 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON || fail
  756 check_hash $PWD1 $HASH1
  757 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal $FAST_PBKDF_ARGON || fail
  758 check_hash $PWD1 $HASH1
  759 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience none $FAST_PBKDF_ARGON || fail
  760 check_hash $PWD1 $HASH1
  761 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 128 -c aes-cbc-essiv:sha256 --resilience checksum $FAST_PBKDF_ARGON || fail
  762 check_hash $PWD1 $HASH1
  763 # simple test --active-name can consume absolute path to mapping
  764 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -c aes-xts-plain64 --init-only $FAST_PBKDF_ARGON || fail
  765 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
  766 echo $PWD1 | $CRYPTSETUP reencrypt --active-name /dev/mapper/$DEV_NAME --resilience none -q || fail
  767 XTS_KEY=$($CRYPTSETUP status $DEV_NAME | grep "keysize:" | sed 's/\(  keysize: \)\([0-9]\+\)\(.*\)/\2/')
  768 [ "$XTS_KEY" -eq "$DEF_XTS_KEY" ] || fail "xts mode has wrong key size after reencryption ($XTS_KEY != expected $DEF_XTS_KEY)"
  769 echo $PWD1 | $CRYPTSETUP close $DEV_NAME || fail
  770 echo -n "[OK][4096 sector]"
  771 prepare sector_size=4096 dev_size_mb=32
  772 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c aes-cbc-essiv:sha256 --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
  773 wipe $PWD1
  774 check_hash $PWD1 $HASH1
  775 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON || fail
  776 check_hash $PWD1 $HASH1
  777 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal $FAST_PBKDF_ARGON || fail
  778 check_hash $PWD1 $HASH1
  779 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience none $FAST_PBKDF_ARGON || fail
  780 check_hash $PWD1 $HASH1
  781 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 128 -c aes-cbc-essiv:sha256 --resilience checksum $FAST_PBKDF_ARGON || fail
  782 check_hash $PWD1 $HASH1
  783 if [ -n "$DM_SECTOR_SIZE" ]; then
  784     echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON --sector-size 4096 || fail
  785     check_hash $PWD1 $HASH1
  786     echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal --sector-size 2048 $FAST_PBKDF_ARGON || fail
  787     check_hash $PWD1 $HASH1
  788     echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience none $FAST_PBKDF_ARGON --sector-size 1024 || fail
  789     check_hash $PWD1 $HASH1
  790     echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 128 -c aes-cbc-essiv:sha256 --resilience checksum --sector-size 512 $FAST_PBKDF_ARGON || fail
  791     check_hash $PWD1 $HASH1
  792 fi
  793 echo -n "[OK][4096/512 sector]"
  794 prepare sector_size=512 physblk_exp=3 dev_size_mb=32
  795 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c aes-cbc-essiv:sha256 --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
  796 wipe $PWD1
  797 check_hash $PWD1 $HASH1
  798 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON || fail
  799 check_hash $PWD1 $HASH1
  800 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal $FAST_PBKDF_ARGON || fail
  801 check_hash $PWD1 $HASH1
  802 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience none $FAST_PBKDF_ARGON || fail
  803 check_hash $PWD1 $HASH1
  804 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 128 -c aes-cbc-essiv:sha256 --resilience checksum $FAST_PBKDF_ARGON || fail
  805 check_hash $PWD1 $HASH1
  806 echo "[OK]"
  807 
  808 # reencrypt minimal device size (FIXME: change data device size to single encryption sector size)
  809 # temporary small device size is default luks2 hdr size + 1MiB
  810 echo -n "[small device reencryption]"
  811 prepare dev_size_mb=5
  812 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c aes-cbc-essiv:sha256 --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
  813 wipe $PWD1
  814 check_hash $PWD1 $HASH2
  815 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON || fail
  816 check_hash $PWD1 $HASH2
  817 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal $FAST_PBKDF_ARGON || fail
  818 check_hash $PWD1 $HASH2
  819 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience none $FAST_PBKDF_ARGON || fail
  820 check_hash $PWD1 $HASH2
  821 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 128 -c aes-cbc-essiv:sha256 --resilience checksum $FAST_PBKDF_ARGON || fail
  822 check_hash $PWD1 $HASH2
  823 if [ -n "$DM_SECTOR_SIZE" ]; then
  824     echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON --sector-size 4096 || fail
  825     check_hash $PWD1 $HASH2
  826     echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal --sector-size 2048 $FAST_PBKDF_ARGON || fail
  827     check_hash $PWD1 $HASH2
  828     echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience none $FAST_PBKDF_ARGON --sector-size 1024 || fail
  829     check_hash $PWD1 $HASH2
  830     echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 128 -c aes-cbc-essiv:sha256 --resilience checksum --sector-size 512 $FAST_PBKDF_ARGON || fail
  831     check_hash $PWD1 $HASH2
  832 fi
  833 echo "[OK]"
  834 
  835 echo "[2] Encryption with data shift"
  836 # well, movin' zeroes :-)
  837 preparebig 64
  838 wipe_dev $DEV
  839 check_hash_dev $DEV $HASH4
  840 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M -q $FAST_PBKDF_ARGON || fail
  841 check_hash_head $PWD1 $((56*1024*2)) $HASH5
  842 wipe_dev $DEV
  843 check_hash_dev $DEV $HASH4
  844 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c twofish-cbc-essiv:sha256 -s 128 --reduce-device-size 21M -q $FAST_PBKDF_ARGON || fail
  845 check_hash_head $PWD1 $((43*1024*2)) $HASH6
  846 wipe_dev $DEV
  847 # offset 21504 equals 10,5MiBs, equals --reduce-device-size 21M from test above (30M is ignored here, we'll reduce it to 21M in cryptsetup anyway)
  848 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c twofish-cbc-essiv:sha256 -s 128 --offset 21504 --reduce-device-size 30M -q $FAST_PBKDF_ARGON > /dev/null || fail
  849 check_hash_head $PWD1 $((43*1024*2)) $HASH6
  850 wipe_dev $DEV
  851 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size 33M -q $FAST_PBKDF_ARGON || fail
  852 check_hash_head $PWD1 $((31*1024*2)) $HASH7
  853 wipe_dev $DEV
  854 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size 64M -q $FAST_PBKDF_ARGON > /dev/null 2>&1 && fail
  855 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --reduce-device-size 8M --init-only -q $FAST_PBKDF_ARGON $DEV || fail
  856 resize_file $DEVBIG -512
  857 echo $PWD1 | $CRYPTSETUP reencrypt $DEV 2> /dev/null && fail
  858 resize_file $DEVBIG 512
  859 wipe_dev $DEV
  860 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128 --offset 32760 --reduce-device-size 8M -q $FAST_PBKDF_ARGON --init-only >/dev/null 2>&1 && fail
  861 # data offset at 21MiB
  862 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --header $IMG_HDR --offset 43008 --reduce-device-size 21M -q $FAST_PBKDF_ARGON || fail
  863 check_hash $PWD1 $HASH6 $IMG_HDR
  864 $CRYPTSETUP luksHeaderRestore --header-backup-file $IMG_HDR $DEV -q || fail
  865 check_hash $PWD1 $HASH6
  866 
  867 # Device activation after encryption initialization
  868 wipe_dev $DEV
  869 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 -S11 --reduce-device-size 8M -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
  870 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
  871 check_hash_dev /dev/mapper/$DEV_NAME $HASH5
  872 echo $PWD1 | $CRYPTSETUP reencrypt --resume-only $DEV -q || fail
  873 check_hash_dev /dev/mapper/$DEV_NAME $HASH5
  874 
  875 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M -q $FAST_PBKDF_ARGON $DEV_NAME 2>/dev/null && fail
  876 $CRYPTSETUP close $DEV_NAME
  877 check_hash_head $PWD1 $((56*1024*2)) $HASH5
  878 
  879 # Device activation using key file
  880 wipe_dev $DEV
  881 echo -n $PWD1 > $KEY1
  882 $CRYPTSETUP reencrypt $DEV --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M --key-file $KEY1 -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
  883 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
  884 $CRYPTSETUP close $DEV_NAME
  885 echo $PWD1 | $CRYPTSETUP open $DEV --test-passphrase || fail
  886 
  887 # Small device encryption test
  888 preparebig 65
  889 # wipe only 1st MiB (final data size after encryption)
  890 wipe_dev $DEV 1
  891 check_hash_dev_head $DEV 2048 $HASH2
  892 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size 64M -q $FAST_PBKDF_ARGON || fail
  893 check_hash_head $PWD1 2048 $HASH2
  894 
  895 wipe_dev_head $DEV 1
  896 check_hash_dev_head $DEV 2048 $HASH2
  897 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size 64M --init-only -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
  898 check_hash_dev_head /dev/mapper/$DEV_NAME 2048 $HASH2
  899 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q || fail
  900 check_hash_dev_head /dev/mapper/$DEV_NAME 2048 $HASH2
  901 
  902 echo "[3] Encryption with detached header"
  903 preparebig 256
  904 wipe_dev $DEV
  905 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
  906 check_hash $PWD1 $HASH3 $IMG_HDR
  907 wipe_dev $DEV
  908 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --resilience journal --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
  909 check_hash $PWD1 $HASH3 $IMG_HDR
  910 wipe_dev $DEV
  911 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -c twofish-cbc-essiv:sha256 -s 128 --resilience none --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
  912 check_hash $PWD1 $HASH3 $IMG_HDR
  913 wipe_dev $DEV
  914 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -c serpent-xts-plain --resilience checksum --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
  915 check_hash $PWD1 $HASH3 $IMG_HDR
  916 
  917 # Device activation after encryption initialization
  918 wipe_dev $DEV
  919 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV $DEV_NAME >/dev/null || fail
  920 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
  921 check_hash_dev /dev/mapper/$DEV_NAME $HASH3
  922 echo $PWD1 | $CRYPTSETUP reencrypt --resume-only --header $IMG_HDR --active-name $DEV_NAME -q || fail
  923 check_hash_dev /dev/mapper/$DEV_NAME $HASH3
  924 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M -q $FAST_PBKDF_ARGON $DEV_NAME 2>/dev/null && fail
  925 $CRYPTSETUP close $DEV_NAME
  926 check_hash $PWD1 $HASH3 $IMG_HDR
  927 
  928 # Device encryption with data offset set in detached header
  929 wipe_dev $DEV
  930 dd if=/dev/urandom of=$DEV bs=512 count=32768 >/dev/null 2>&1
  931 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --header $IMG_HDR --offset 32768 -q $FAST_PBKDF_ARGON $DEV || fail
  932 check_hash $PWD1 $HASH9 $IMG_HDR
  933 
  934 # Device activation using key file
  935 wipe_dev $DEV
  936 echo -n $PWD1 > $KEY1
  937 $CRYPTSETUP reencrypt $DEV --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR --key-file $KEY1 -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
  938 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
  939 $CRYPTSETUP close $DEV_NAME
  940 echo $PWD1 | $CRYPTSETUP open --header $IMG_HDR $DEV --test-passphrase || fail
  941 
  942 echo "[4] Reencryption with detached header"
  943 wipe $PWD1 $IMG_HDR
  944 echo $PWD1 | $CRYPTSETUP reencrypt -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
  945 check_hash $PWD1 $HASH3 $IMG_HDR
  946 echo $PWD1 | $CRYPTSETUP reencrypt --resilience journal --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
  947 check_hash $PWD1 $HASH3 $IMG_HDR
  948 echo $PWD1 | $CRYPTSETUP reencrypt -c twofish-cbc-essiv:sha256 -s 128 --resilience none --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
  949 check_hash $PWD1 $HASH3 $IMG_HDR
  950 echo $PWD1 | $CRYPTSETUP reencrypt -c serpent-xts-plain --resilience checksum --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
  951 check_hash $PWD1 $HASH3 $IMG_HDR
  952 # trivial check for detached header misuse
  953 dd if=/dev/zero of=$IMG bs=4k count=1 >/dev/null 2>&1
  954 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
  955 echo $PWD1 | $CRYPTSETUP open $IMG $DEV_NAME --header $IMG_HDR || fail
  956 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME2 --header $IMG_HDR || fail
  957 echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME --header $IMG_HDR -q || fail
  958 # key description mismatch in active device
  959 echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME2 --header $IMG_HDR >/dev/null 2>&1 && fail
  960 # also check it can abort initialization in this case
  961 $CRYPTSETUP luksDump $IMG_HDR | grep -q "online-reencrypt" && fail
  962 $CRYPTSETUP close $DEV_NAME || fail
  963 $CRYPTSETUP close $DEV_NAME2 || fail
  964 
  965 echo "[5] Decryption with detached header"
  966 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --sector-size 512 -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
  967 wipe $PWD1 $IMG_HDR
  968 echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --header $IMG_HDR $DEV || fail
  969 check_hash_dev $DEV $HASH3
  970 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
  971 wipe $PWD1 $IMG_HDR
  972 echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --resilience journal --header $IMG_HDR $DEV || fail
  973 check_hash_dev $DEV $HASH3
  974 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c twofish-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
  975 wipe $PWD1 $IMG_HDR
  976 echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --resilience none --header $IMG_HDR $DEV || fail
  977 check_hash_dev $DEV $HASH3
  978 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c serpent-xts-plain --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
  979 wipe $PWD1 $IMG_HDR
  980 echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --resilience checksum --header $IMG_HDR $DEV || fail
  981 check_hash_dev $DEV $HASH3
  982 
  983 # check deferred remove works as expected after decryption
  984 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --sector-size 512 -c serpent-xts-plain --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
  985 open_crypt $PWD1 $IMG_HDR
  986 dmsetup create $DEV_NAME2 --table "0 1 linear /dev/mapper/$DEV_NAME 0" || fail
  987 echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --resilience checksum --header $IMG_HDR --active-name $DEV_NAME || fail
  988 $CRYPTSETUP status $DEV_NAME >/dev/null || fail
  989 dmsetup remove --retry $DEV_NAME2
  990 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail
  991 
  992 # check tool can block some funny user ideas
  993 preparebig 64
  994 ln -s $DEV $DEV_LINK || fail
  995 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c serpent-xts-plain -q $FAST_PBKDF_ARGON $DEV || fail
  996 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV -q 2>/dev/null && fail
  997 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV --header $DEV -q 2>/dev/null && fail
  998 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV --header $DEV_LINK -q 2>/dev/null && fail
  999 open_crypt $PWD1
 1000 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --active-name $DEV_NAME -q 2>/dev/null && fail
 1001 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --active-name $DEV_NAME --header $DEV -q 2>/dev/null && fail
 1002 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --active-name $DEV_NAME --header $DEV_LINK -q 2>/dev/null && fail
 1003 $CRYPTSETUP status $DEV_NAME | grep -q "reencryption:  in-progress" && fail
 1004 $CRYPTSETUP close $DEV_NAME
 1005 
 1006 # yet another funny idea
 1007 rm -f $IMG_HDR
 1008 $CRYPTSETUP luksHeaderBackup --header-backup-file $IMG_HDR $DEV || fail
 1009 chmod +w $IMG_HDR || fail
 1010 which wipefs >/dev/null 2>&1 && {
 1011     wipefs -a $DEV >/dev/null 2>&1  || fail
 1012 }
 1013 open_crypt $PWD1 $IMG_HDR
 1014 echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME --decrypt --header $IMG_HDR -q 2>/dev/null && fail
 1015 $CRYPTSETUP status $DEV_NAME | grep -q "reencryption:  in-progress" && fail
 1016 $CRYPTSETUP close $DEV_NAME || fail
 1017 
 1018 if ! dm_delay_features; then
 1019     echo "dm-delay target is missing, skipping recovery tests."
 1020     remove_mapping
 1021     exit 0
 1022 fi
 1023 
 1024 echo "[6] Reencryption recovery"
 1025 # (check opt-io size optimization in reencryption code does not affect recovery)
 1026 # device with opt-io size 32k
 1027 prepare_linear_dev 32 opt_blks=64 $OPT_XFERLEN_EXP
 1028 OFFSET=8192
 1029 
 1030 echo "sector size 512->512"
 1031 
 1032 get_error_offsets 32 $OFFSET
 1033 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
 1034 wipe $PWD1
 1035 check_hash $PWD1 $HASH1
 1036 
 1037 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1038 reencrypt_recover 512 checksum $HASH1
 1039 reencrypt_recover 512 journal $HASH1
 1040 
 1041 if [ -n "$DM_SECTOR_SIZE" ]; then
 1042     echo "sector size 512->4096"
 1043 
 1044     get_error_offsets 32 $OFFSET 4096
 1045     echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
 1046     wipe $PWD1
 1047     check_hash $PWD1 $HASH1
 1048 
 1049     echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1050     reencrypt_recover 4096 checksum $HASH1
 1051     echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
 1052     wipe $PWD1
 1053     check_hash $PWD1 $HASH1
 1054     reencrypt_recover 4096 journal $HASH1
 1055 
 1056     echo "sector size 4096->4096"
 1057 
 1058     get_error_offsets 32 $OFFSET 4096
 1059     echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 --sector-size 4096 -c aes-cbc-essiv:sha256 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
 1060     wipe $PWD1
 1061     check_hash $PWD1 $HASH1
 1062 
 1063     echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1064     reencrypt_recover 4096 checksum $HASH1
 1065     reencrypt_recover 4096 journal $HASH1
 1066 fi
 1067 
 1068 echo "[7] Reencryption recovery (online i/o error)"
 1069 
 1070 echo "sector size 512->512"
 1071 
 1072 get_error_offsets 32 $OFFSET
 1073 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
 1074 wipe $PWD1
 1075 check_hash $PWD1 $HASH1
 1076 
 1077 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1078 reencrypt_recover_online 512 checksum $HASH1
 1079 reencrypt_recover_online 512 journal $HASH1
 1080 
 1081 if [ -n "$DM_SECTOR_SIZE" ]; then
 1082     echo "sector size 512->4096"
 1083 
 1084     get_error_offsets 32 $OFFSET 4096
 1085     echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
 1086     wipe $PWD1
 1087     check_hash $PWD1 $HASH1
 1088 
 1089     echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1090     reencrypt_recover_online 4096 checksum $HASH1
 1091     echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
 1092     wipe $PWD1
 1093     check_hash $PWD1 $HASH1
 1094     reencrypt_recover_online 4096 journal $HASH1
 1095 
 1096     echo "sector size 4096->4096"
 1097 
 1098     get_error_offsets 32 $OFFSET 4096
 1099     echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 --sector-size 4096 -c aes-cbc-essiv:sha256 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
 1100     wipe $PWD1
 1101     check_hash $PWD1 $HASH1
 1102 
 1103     echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1104     reencrypt_recover_online 4096 checksum $HASH1
 1105     reencrypt_recover_online 4096 journal $HASH1
 1106 fi
 1107 
 1108 echo "[8] Reencryption with detached header recovery"
 1109 prepare_linear_dev 31 opt_blks=64 $OPT_XFERLEN_EXP
 1110 
 1111 echo "sector size 512->512"
 1112 
 1113 get_error_offsets 31 0
 1114 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
 1115 wipe $PWD1 $IMG_HDR
 1116 check_hash $PWD1 $HASH7 $IMG_HDR
 1117 
 1118 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1119 reencrypt_recover 512 checksum $HASH7 $IMG_HDR
 1120 reencrypt_recover 512 journal $HASH7 $IMG_HDR
 1121 
 1122 if [ -n "$DM_SECTOR_SIZE" ]; then
 1123     echo "sector size 512->4096"
 1124 
 1125     get_error_offsets 31 0 4096
 1126     echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
 1127     wipe $PWD1 $IMG_HDR
 1128     check_hash $PWD1 $HASH7 $IMG_HDR
 1129 
 1130     echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1131     reencrypt_recover 4096 checksum $HASH7 $IMG_HDR
 1132     echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
 1133     wipe $PWD1 $IMG_HDR
 1134     check_hash $PWD1 $HASH7 $IMG_HDR
 1135     reencrypt_recover 4096 journal $HASH7 $IMG_HDR
 1136 
 1137     echo "sector size 4096->4096"
 1138 
 1139     get_error_offsets 31 0 4096
 1140     echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 4096 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
 1141     wipe $PWD1 $IMG_HDR
 1142     check_hash $PWD1 $HASH7 $IMG_HDR
 1143 
 1144     echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1145     reencrypt_recover 4096 checksum $HASH7 $IMG_HDR
 1146     reencrypt_recover 4096 journal $HASH7 $IMG_HDR
 1147 fi
 1148 
 1149 echo "[9] Reencryption with detached header recovery (online i/o error)"
 1150 
 1151 echo "sector size 512->512"
 1152 
 1153 get_error_offsets 31 0
 1154 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
 1155 wipe $PWD1 $IMG_HDR
 1156 check_hash $PWD1 $HASH7 $IMG_HDR
 1157 
 1158 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1159 reencrypt_recover_online 512 checksum $HASH7 $IMG_HDR
 1160 reencrypt_recover_online 512 journal $HASH7 $IMG_HDR
 1161 
 1162 if [ -n "$DM_SECTOR_SIZE" ]; then
 1163     echo "sector size 512->4096"
 1164 
 1165     get_error_offsets 31 0 4096
 1166     echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
 1167     wipe $PWD1 $IMG_HDR
 1168     check_hash $PWD1 $HASH7 $IMG_HDR
 1169 
 1170     echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1171     reencrypt_recover_online 4096 checksum $HASH7 $IMG_HDR
 1172     echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
 1173     wipe $PWD1 $IMG_HDR
 1174     check_hash $PWD1 $HASH7 $IMG_HDR
 1175     reencrypt_recover_online 4096 journal $HASH7 $IMG_HDR
 1176 
 1177     echo "sector size 4096->4096"
 1178 
 1179     get_error_offsets 31 0 4096
 1180     echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 4096 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
 1181     wipe $PWD1 $IMG_HDR
 1182     check_hash $PWD1 $HASH7 $IMG_HDR
 1183 
 1184     echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1185     reencrypt_recover_online 4096 checksum $HASH7 $IMG_HDR
 1186     reencrypt_recover_online 4096 journal $HASH7 $IMG_HDR
 1187 fi
 1188 
 1189 echo "[10] Encryption recovery"
 1190 prepare_linear_dev 64
 1191 OFFSET=$((2*1024*2))
 1192 
 1193 echo "sector size 512"
 1194 
 1195 get_error_offsets 64 $OFFSET 512 $((62*1024*2))
 1196 
 1197 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1198 encrypt_recover 512 4M $HASH8 $((60*1024*2)) $HASH4
 1199 
 1200 if [ -n "$DM_SECTOR_SIZE" ]; then
 1201     echo "sector size 4096"
 1202 
 1203     get_error_offsets 64 $OFFSET 4096 $((62*1024*2))
 1204 
 1205     echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1206     encrypt_recover 4096 4M $HASH8 $((60*1024*2)) $HASH4
 1207 fi
 1208 
 1209 echo "[11] Encryption recovery (online i/o error)"
 1210 
 1211 echo "sector size 512"
 1212 
 1213 get_error_offsets 64 $OFFSET 512 $((62*1024*2))
 1214 
 1215 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1216 encrypt_recover_online 512 4M $HASH8 $((60*1024*2)) $HASH4
 1217 
 1218 if [ -n "$DM_SECTOR_SIZE" ]; then
 1219     echo "sector size 4096"
 1220 
 1221     get_error_offsets 64 $OFFSET 4096 $((62*1024*2))
 1222 
 1223     echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1224     encrypt_recover_online 4096 4M $HASH8 $((60*1024*2)) $HASH4
 1225 fi
 1226 
 1227 echo "[12] Encryption with detached header recovery"
 1228 prepare_linear_dev 31 opt_blks=64 $OPT_XFERLEN_EXP
 1229 
 1230 get_error_offsets 31 0
 1231 
 1232 echo "sector size 512"
 1233 
 1234 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1235 encrypt_recover_detached 512 checksum $HASH7 $IMG_HDR
 1236 encrypt_recover_detached 512 journal $HASH7 $IMG_HDR
 1237 
 1238 if [ -n "$DM_SECTOR_SIZE" ]; then
 1239     get_error_offsets 31 0 4096
 1240 
 1241     echo "sector size 4096"
 1242 
 1243     echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1244     encrypt_recover_detached 4096 checksum $HASH7 $IMG_HDR
 1245     encrypt_recover_detached 4096 journal $HASH7 $IMG_HDR
 1246 fi
 1247 
 1248 echo "[13] Encryption with detached header recovery (online i/o error)"
 1249 
 1250 get_error_offsets 31 0
 1251 
 1252 echo "sector size 512"
 1253 
 1254 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1255 encrypt_recover_detached_online 512 checksum $HASH7 $IMG_HDR
 1256 encrypt_recover_detached_online 512 journal $HASH7 $IMG_HDR
 1257 
 1258 if [ -n "$DM_SECTOR_SIZE" ]; then
 1259     get_error_offsets 31 0 4096
 1260 
 1261     echo "sector size 4096"
 1262 
 1263     echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1264     encrypt_recover_detached_online 4096 checksum $HASH7 $IMG_HDR
 1265     encrypt_recover_detached_online 4096 journal $HASH7 $IMG_HDR
 1266 fi
 1267 
 1268 echo "[14] Decryption with detached header recovery"
 1269 
 1270 echo "sector size 512"
 1271 
 1272 # TODO: What should decryption do when it finishes decryption during recovery (with open)
 1273 get_error_offsets 31 2049
 1274 
 1275 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1276 decrypt_recover_detached 512 journal $HASH7 $IMG_HDR
 1277 decrypt_recover_detached 512 checksum $HASH7 $IMG_HDR
 1278 
 1279 if [ -n "$DM_SECTOR_SIZE" ]; then
 1280     echo "sector size 4096"
 1281 
 1282     # TODO: What should decryption do when it finishes decryption during recovery (with open)
 1283     get_error_offsets 31 2048 4096
 1284 
 1285     echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1286     decrypt_recover_detached 4096 checksum $HASH7 $IMG_HDR
 1287     decrypt_recover_detached 4096 journal $HASH7 $IMG_HDR
 1288 fi
 1289 
 1290 echo "[15] Decryption with detached header recovery (online i/o error)"
 1291 
 1292 echo "sector size 512"
 1293 
 1294 # TODO: What should decryption do when it finishes decryption during recovery (with open)
 1295 get_error_offsets 31 2049
 1296 
 1297 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1298 decrypt_recover_detached_online 512 journal $HASH7 $IMG_HDR
 1299 decrypt_recover_detached_online 512 checksum $HASH7 $IMG_HDR
 1300 
 1301 if [ -n "$DM_SECTOR_SIZE" ]; then
 1302     echo "sector size 4096"
 1303 
 1304     # TODO: What should decryption do when it finishes decryption during recovery (with open)
 1305     get_error_offsets 31 2048 4096
 1306 
 1307     echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1308     decrypt_recover_detached_online 4096 checksum $HASH7 $IMG_HDR
 1309     decrypt_recover_detached_online 4096 journal $HASH7 $IMG_HDR
 1310 fi
 1311 
 1312 echo "[16] Offline reencryption with fixed device size."
 1313 preparebig 68
 1314 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --offset 16384 $FAST_PBKDF_ARGON $DEV || fail
 1315 wipe $PWD1
 1316 check_hash $PWD1 $HASH8
 1317 
 1318 for test_ss in $TEST_SECTORS; do
 1319 printf "sector size %4s: " $test_ss
 1320 for test_res in checksum journal none; do
 1321     echo -n "[$test_res]"
 1322     reencrypt_offline_fixed_size $test_ss 2048      $HASH2 $test_res $((60*1024*2)) $HASH8
 1323     reencrypt_offline_fixed_size $test_ss $((28*1024*2))    $HASH1 $test_res $((60*1024*2)) $HASH8
 1324     reencrypt_offline_fixed_size $test_ss $((31*1024*2))    $HASH7 $test_res $((60*1024*2)) $HASH8
 1325     echo -n "[OK]"
 1326 done
 1327 echo ""
 1328 done
 1329 
 1330 echo "[17] Online reencryption with fixed device size."
 1331 for test_ss in $TEST_SECTORS; do
 1332 printf "sector size %4s: " $test_ss
 1333 for test_res in checksum journal none; do
 1334     echo -n "[$test_res]"
 1335     reencrypt_online_fixed_size $test_ss 2048       $HASH2 $test_res $((60*1024*2)) $HASH8
 1336     reencrypt_online_fixed_size $test_ss $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8
 1337     reencrypt_online_fixed_size $test_ss $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8
 1338     echo -n "[OK]"
 1339 done
 1340 echo ""
 1341 done
 1342 
 1343 echo "[18] Offline reencryption with fixed device size (detached header)."
 1344 preparebig 60
 1345 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
 1346 wipe $PWD1 $IMG_HDR
 1347 check_hash $PWD1 $HASH8 $IMG_HDR
 1348 
 1349 for test_ss in $TEST_SECTORS; do
 1350 printf "sector size %4s: " $test_ss
 1351 for test_res in checksum journal none; do
 1352     echo -n "[$test_res]"
 1353     reencrypt_offline_fixed_size $test_ss 2048      $HASH2 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
 1354     reencrypt_offline_fixed_size $test_ss $((28*1024*2))    $HASH1 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
 1355     reencrypt_offline_fixed_size $test_ss $((31*1024*2))    $HASH7 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
 1356     echo -n "[OK]"
 1357 done
 1358 echo ""
 1359 done
 1360 
 1361 echo "[19] Online reencryption with fixed device size (detached header)."
 1362 for test_ss in $TEST_SECTORS; do
 1363 printf "sector size %4s: " $test_ss
 1364 for test_res in checksum journal none; do
 1365     echo -n "[$test_res]"
 1366     reencrypt_online_fixed_size $test_ss 2048       $HASH2 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
 1367     reencrypt_online_fixed_size $test_ss $((28*1024*2)) $HASH1 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
 1368     reencrypt_online_fixed_size $test_ss $((31*1024*2)) $HASH7 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
 1369     echo -n "[OK]"
 1370 done
 1371 echo ""
 1372 done
 1373 
 1374 echo "[20] Offline encryption with fixed device size (detached header)."
 1375 for test_ss in $TEST_SECTORS; do
 1376 printf "sector size %4s: " $test_ss
 1377 for test_res in checksum journal none; do
 1378     echo -n "[$test_res]"
 1379     encrypt_offline_fixed_size $test_ss 2048        $HASH2 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
 1380     encrypt_offline_fixed_size $test_ss $((28*1024*2))  $HASH1 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
 1381     encrypt_offline_fixed_size $test_ss $((31*1024*2))  $HASH7 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
 1382     echo -n "[OK]"
 1383 done
 1384 echo ""
 1385 done
 1386 
 1387 echo "[21] Offline decryption with fixed device size (detached header)."
 1388 prepare_linear_dev 60
 1389 for test_ss in $TEST_SECTORS; do
 1390 printf "sector size %4s: " $test_ss
 1391 for test_res in checksum journal none; do
 1392     echo -n "[$test_res]"
 1393     decrypt_offline_fixed_size $test_ss 2048        $HASH2 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
 1394     decrypt_offline_fixed_size $test_ss $((28*1024*2))  $HASH1 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
 1395     decrypt_offline_fixed_size $test_ss $((31*1024*2))  $HASH7 $test_res $((60*1024*2)) $HASH8 $IMG_HDR
 1396     echo -n "[OK]"
 1397 done
 1398 echo ""
 1399 done
 1400 
 1401 echo "[22] Multi-keyslot device reencryption"
 1402 prepare dev_size_mb=17
 1403 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --offset 32768 $FAST_PBKDF_ARGON $DEV || fail
 1404 echo -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF2 $DEV || fail
 1405 echo -e "$PWD1\n$PWD3" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_ARGON $DEV || fail
 1406 wipe $PWD1
 1407 check_hash $PWD1 $HASH2
 1408 
 1409 echo -e "$PWD1\n$PWD2\n$PWD3" | $CRYPTSETUP reencrypt $DEV -q || fail
 1410 check_hash $PWD1 $HASH2
 1411 check_hash $PWD2 $HASH2
 1412 check_hash $PWD3 $HASH2
 1413 
 1414 # check at least pbkdf type is preserved
 1415 $CRYPTSETUP luksDump $DEV | grep -e "3: luks2" -A5 | grep -q "argon2" || fail
 1416 $CRYPTSETUP luksDump $DEV | grep -e "4: luks2" -A5 | grep -q "pbkdf2" || fail
 1417 $CRYPTSETUP luksDump $DEV | grep -e "5: luks2" -A5 | grep -q "argon2" || fail
 1418 
 1419 echo $PWD1 | $CRYPTSETUP -q luksAddKey $FAST_PBKDF2 $DEV $KEY1 || fail
 1420 
 1421 # with more keyslots, specific has to be selected
 1422 $CRYPTSETUP reencrypt $DEV -d $KEY1 -q 2>/dev/null && fail
 1423 $CRYPTSETUP reencrypt $DEV -d $KEY1 -q -S0 || fail
 1424 open_crypt
 1425 check_hash_dev /dev/mapper/$DEV_NAME $HASH2
 1426 $CRYPTSETUP close $DEV_NAME
 1427 
 1428 # there should be single keyslot now
 1429 $CRYPTSETUP reencrypt $DEV -d $KEY1 -q || fail
 1430 echo $PWD1 | $CRYPTSETUP -q luksAddKey $FAST_PBKDF2 $DEV -S1 -d $KEY1 || fail
 1431 
 1432 echo $PWD3 | $CRYPTSETUP -q luksAddKey $FAST_PBKDF2 $DEV -S2 --unbound --key-size 32 || fail
 1433 echo $PWD3 | $CRYPTSETUP -q luksAddKey $FAST_PBKDF2 $DEV -S22 --unbound --key-size 32 || fail
 1434 echo $PWD3 | $CRYPTSETUP -q luksAddKey $FAST_PBKDF2 $DEV -S23 --unbound --key-size 32 || fail
 1435 
 1436 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -S1 -q || fail
 1437 $CRYPTSETUP open --test-passphrase -d $KEY1 $DEV 2>/dev/null && fail
 1438 echo $PWD3 | $CRYPTSETUP open --test-passphrase -S2 $DEV || fail
 1439 echo $PWD3 | $CRYPTSETUP open --test-passphrase -S22 $DEV || fail
 1440 check_hash $PWD1 $HASH2
 1441 
 1442 # fill 31 keyslots
 1443 COUNT=27
 1444 while [ $COUNT -gt 0 ]; do
 1445     echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey $DEV -q $FAST_PBKDF_ARGON || fail
 1446     COUNT=$((COUNT-1))
 1447 done
 1448 
 1449 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -S0 -q 2>/dev/null && fail
 1450 echo $PWD1 | $CRYPTSETUP luksKillSlot $DEV 30 || fail
 1451 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -S0 || fail
 1452 
 1453 COUNT=14
 1454 while [ $COUNT -gt 0 ]; do
 1455     echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey $DEV -q $FAST_PBKDF_ARGON || fail
 1456     COUNT=$((COUNT-1))
 1457 done
 1458 
 1459 echo -e "$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1" | $CRYPTSETUP reencrypt $DEV -q 2>/dev/null && fail
 1460 echo $PWD1 | $CRYPTSETUP luksKillSlot $DEV 1 || fail
 1461 # one wrong passphrase
 1462 echo -e "$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD2" | $CRYPTSETUP reencrypt $DEV -q 2>/dev/null && fail
 1463 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --resume-only -q 2>/dev/null && fail
 1464 echo -e "$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1\n$PWD1" | $CRYPTSETUP reencrypt $DEV -q  || fail
 1465 
 1466 echo "[23] Reencryption with specified new volume key"
 1467 prepare dev_size_mb=32
 1468 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 256 -c aes-cbc-essiv:sha256 --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
 1469 echo -e "$PWD1\n$PWD3" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_ARGON $DEV || fail
 1470 wipe $PWD1
 1471 check_hash $PWD1 $HASH1
 1472 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -S0 $FAST_PBKDF_ARGON --master-key-file $VKEY1 -s 128 || fail
 1473 check_hash $PWD1 $HASH1
 1474 $CRYPTSETUP luksErase -q $DEV || fail
 1475 echo $PWD1 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_ARGON --master-key-file $VKEY1 -s 128 $DEV || fail
 1476 check_hash $PWD1 $HASH1
 1477 
 1478 echo "[24] Reencryption with initial cipher_null"
 1479 # aka custom encryption
 1480 prepare dev_size_mb=32
 1481 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c cipher_null-ecb --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
 1482 wipe $PWD1
 1483 check_hash $PWD1 $HASH1
 1484 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -c aes-xts-plain64 -q $FAST_PBKDF_ARGON || fail
 1485 check_hash $PWD1 $HASH1
 1486 
 1487 # online
 1488 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c cipher_null-ecb --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
 1489 wipe $PWD1
 1490 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME
 1491 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -c aes-xts-plain64 -q $FAST_PBKDF_ARGON || fail
 1492 check_hash_dev /dev/mapper/$DEV_NAME $HASH1
 1493 if [ $HAVE_KEYRING -gt 0 ]; then
 1494     $CRYPTSETUP status $DEV_NAME | grep -q "key location: keyring" || fail
 1495 fi
 1496 $CRYPTSETUP close $DEV_NAME
 1497 
 1498 # simulate LUKS2 device with cipher_null in both keyslot and segment (it can be created only by up conversion from LUKS1)
 1499 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 -s 128 -c cipher_null-ecb --offset 8192 $FAST_PBKDF2 $DEV || fail
 1500 $CRYPTSETUP convert -q --type luks2 $DEV || fail
 1501 wipe $PWD1
 1502 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON >/dev/null || fail
 1503 check_hash $PWD1 $HASH1
 1504 # both keyslot and segment cipher must not be null after reencryption with default params
 1505 $CRYPTSETUP luksDump $DEV | grep -q "cipher_null" && fail
 1506 
 1507 # multistep reencryption with initial cipher_null
 1508 preparebig 64
 1509 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 $DEV -c null --offset 16384 -q $FAST_PBKDF_ARGON || fail
 1510 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME
 1511 wipe_dev /dev/mapper/$DEV_NAME
 1512 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --hotzone-size 1M --resilience none -q $FAST_PBKDF_ARGON >/dev/null || fail
 1513 $CRYPTSETUP close $DEV_NAME
 1514 check_hash $PWD1 $HASH5
 1515 
 1516 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 $DEV -c null --offset 16384 -q $FAST_PBKDF_ARGON || fail
 1517 wipe $PWD1
 1518 echo $PWD1 | $CRYPTSETUP reencrypt $DEV --hotzone-size 1M --resilience none -q $FAST_PBKDF_ARGON >/dev/null || fail
 1519 check_hash $PWD1 $HASH5
 1520 
 1521 echo "[25] Reencryption recovery with cipher_null"
 1522 # (check opt-io size optimization in reencryption code does not affect recovery)
 1523 # device with opt-io size 32k
 1524 prepare_linear_dev 32 opt_blks=64 $OPT_XFERLEN_EXP
 1525 OFFSET=8192
 1526 
 1527 echo "sector size 512->512"
 1528 
 1529 get_error_offsets 32 $OFFSET
 1530 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
 1531 wipe $PWD1
 1532 check_hash $PWD1 $HASH1
 1533 
 1534 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1535 reencrypt_recover 512 checksum $HASH1
 1536 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
 1537 wipe $PWD1
 1538 reencrypt_recover 512 journal $HASH1
 1539 
 1540 if [ -n "$DM_SECTOR_SIZE" ]; then
 1541     echo "sector size 512->4096"
 1542 
 1543     get_error_offsets 32 $OFFSET 4096
 1544     echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
 1545     wipe $PWD1
 1546     check_hash $PWD1 $HASH1
 1547 
 1548     echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1549     reencrypt_recover 4096 checksum $HASH1
 1550     echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
 1551     wipe $PWD1
 1552     check_hash $PWD1 $HASH1
 1553     reencrypt_recover 4096 journal $HASH1
 1554 
 1555     echo "sector size 4096->4096"
 1556 
 1557     get_error_offsets 32 $OFFSET 4096
 1558     echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 4096 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
 1559     wipe $PWD1
 1560     check_hash $PWD1 $HASH1
 1561 
 1562     echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1563     reencrypt_recover 4096 checksum $HASH1
 1564     reencrypt_recover 4096 journal $HASH1
 1565 fi
 1566 
 1567 echo "[26] Reencryption recovery with cipher_null (online i/o error)"
 1568 
 1569 echo "sector size 512->512"
 1570 
 1571 get_error_offsets 32 $OFFSET
 1572 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 -c null --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
 1573 wipe $PWD1
 1574 check_hash $PWD1 $HASH1
 1575 
 1576 echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1577 reencrypt_recover_online 512 checksum $HASH1
 1578 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size 512 -c null --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
 1579 wipe $PWD1
 1580 reencrypt_recover_online 512 journal $HASH1
 1581 
 1582 if [ -n "$DM_SECTOR_SIZE" ]; then
 1583     echo "sector size 512->4096"
 1584 
 1585     get_error_offsets 32 $OFFSET 4096
 1586     echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
 1587     wipe $PWD1
 1588     check_hash $PWD1 $HASH1
 1589 
 1590     echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1591     reencrypt_recover_online 4096 checksum $HASH1
 1592     echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 512 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
 1593     wipe $PWD1
 1594     check_hash $PWD1 $HASH1
 1595     reencrypt_recover_online 4096 journal $HASH1
 1596 
 1597     echo "sector size 4096->4096"
 1598 
 1599     get_error_offsets 32 $OFFSET 4096
 1600     echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c null --sector-size 4096 --offset $OFFSET $FAST_PBKDF_ARGON $DEV || fail
 1601     wipe $PWD1
 1602     check_hash $PWD1 $HASH1
 1603 
 1604     echo "ERR writes to sectors [$ERROFFSET,$(($ERROFFSET+$ERRLENGTH-1))]"
 1605     reencrypt_recover_online 4096 checksum $HASH1
 1606     reencrypt_recover_online 4096 journal $HASH1
 1607 fi
 1608 
 1609 remove_mapping
 1610 exit 0