generic: handle fs.verity.require_signatures being enabled

Most of the fs-verity tests fail if the fs.verity.require_signatures sysctl has been set to 1. Update them to set this sysctl to 0 at the beginning of the test and restore it to its previous value at the end. generic/577 intentionally sets this sysctl to 1. Make it restore the previous value at the end of the test rather than assuming it was 0. Also simplify _require_fsverity_builtin_signatures() to just check for the presence of the file /proc/sys/fs/verity/require_signatures rather than check whether the fs-verity keyring is listed in /proc/keys. Signed-off-by: Eric Biggers <ebiggers@google.com> Reviewed-by: Eryu Guan <guaneryu@gmail.com> Signed-off-by: Eryu Guan <guaneryu@gmail.com>
2026-05-01 15:01:44 -07:00 · 2019-11-01 16:22:19 -07:00
parent 0f211f5bca
commit eff343fb5d
9 changed files with 49 additions and 9 deletions
@@ -33,9 +33,12 @@ _require_scratch_verity()
 	# default.  E.g., ext4 only supports verity on extent-based files, so it
 	# doesn't work on ext3-style filesystems.  So, try actually using it.
 	echo foo > $SCRATCH_MNT/tmpfile
+	_disable_fsverity_signatures
 	if ! _fsv_enable $SCRATCH_MNT/tmpfile; then
+		_restore_fsverity_signatures
 		_notrun "$FSTYP verity isn't usable by default with these mkfs options"
 	fi
+	_restore_fsverity_signatures
 	rm -f $SCRATCH_MNT/tmpfile

 	_scratch_unmount
@@ -48,14 +51,40 @@ _require_scratch_verity()
 # Check for CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y.
 _require_fsverity_builtin_signatures()
 {
-	if [ ! -e /proc/keys ]; then
-		_notrun "kernel doesn't support keyrings"
-	fi
-	if ! awk '{print $9}' /proc/keys | grep -q '^\.fs-verity:$'; then
+	if [ ! -e /proc/sys/fs/verity/require_signatures ]; then
 		_notrun "kernel doesn't support fs-verity builtin signatures"
 	fi
 }

+# Disable mandatory signatures for fs-verity files, if they are supported.
+_disable_fsverity_signatures()
+{
+	if [ -e /proc/sys/fs/verity/require_signatures ]; then
+		if [ -z "$FSVERITY_SIG_CTL_ORIG" ]; then
+			FSVERITY_SIG_CTL_ORIG=$(</proc/sys/fs/verity/require_signatures)
+		fi
+		echo 0 > /proc/sys/fs/verity/require_signatures
+	fi
+}
+
+# Enable mandatory signatures for fs-verity files.
+# This assumes that _require_fsverity_builtin_signatures() was called.
+_enable_fsverity_signatures()
+{
+	if [ -z "$FSVERITY_SIG_CTL_ORIG" ]; then
+		FSVERITY_SIG_CTL_ORIG=$(</proc/sys/fs/verity/require_signatures)
+	fi
+	echo 1 > /proc/sys/fs/verity/require_signatures
+}
+
+# Restore the original signature verification setting.
+_restore_fsverity_signatures()
+{
+        if [ -n "$FSVERITY_SIG_CTL_ORIG" ]; then
+                echo "$FSVERITY_SIG_CTL_ORIG" > /proc/sys/fs/verity/require_signatures
+        fi
+}
+
 _scratch_mkfs_verity()
 {
 	case $FSTYP in