mirror of
https://github.com/linux-apfs/apfstests.git
synced 2026-05-01 15:01:44 -07:00
Eric Biggers
eff343fb5d
Most of the fs-verity tests fail if the fs.verity.require_signatures sysctl has been set to 1. Update them to set this sysctl to 0 at the beginning of the test and restore it to its previous value at the end. generic/577 intentionally sets this sysctl to 1. Make it restore the previous value at the end of the test rather than assuming it was 0. Also simplify _require_fsverity_builtin_signatures() to just check for the presence of the file /proc/sys/fs/verity/require_signatures rather than check whether the fs-verity keyring is listed in /proc/keys. Signed-off-by: Eric Biggers <ebiggers@google.com> Reviewed-by: Eryu Guan <guaneryu@gmail.com> Signed-off-by: Eryu Guan <guaneryu@gmail.com>
151 lines
4.0 KiB
Bash
Executable File
151 lines
4.0 KiB
Bash
Executable File
#! /bin/bash
|
|
# SPDX-License-Identifier: GPL-2.0
|
|
# Copyright 2019 Google LLC
|
|
#
|
|
# FS QA Test generic/577
|
|
#
|
|
# Test the fs-verity built-in signature verification support.
|
|
#
|
|
seq=`basename $0`
|
|
seqres=$RESULT_DIR/$seq
|
|
echo "QA output created by $seq"
|
|
|
|
here=`pwd`
|
|
tmp=/tmp/$$
|
|
status=1 # failure is the default!
|
|
trap "_cleanup; exit \$status" 0 1 2 3 15
|
|
|
|
_cleanup()
|
|
{
|
|
cd /
|
|
_restore_fsverity_signatures
|
|
rm -f $tmp.*
|
|
}
|
|
|
|
# get standard environment, filters and checks
|
|
. ./common/rc
|
|
. ./common/filter
|
|
. ./common/verity
|
|
|
|
# remove previous $seqres.full before test
|
|
rm -f $seqres.full
|
|
|
|
# real QA test starts here
|
|
_supported_fs generic
|
|
_supported_os Linux
|
|
_require_scratch_verity
|
|
_require_fsverity_builtin_signatures
|
|
_require_command "$OPENSSL_PROG" openssl
|
|
_require_command "$KEYCTL_PROG" keyctl
|
|
|
|
_scratch_mkfs_verity &>> $seqres.full
|
|
_scratch_mount
|
|
|
|
fsv_file=$SCRATCH_MNT/file.fsv
|
|
fsv_orig_file=$SCRATCH_MNT/file
|
|
keyfile=$tmp.key.pem
|
|
certfile=$tmp.cert.pem
|
|
certfileder=$tmp.cert.der
|
|
sigfile=$tmp.sig
|
|
otherfile=$SCRATCH_MNT/otherfile
|
|
othersigfile=$tmp.othersig
|
|
|
|
# Setup
|
|
|
|
echo -e "\n# Generating certificates and private keys"
|
|
for suffix in '' '.2'; do
|
|
if ! $OPENSSL_PROG req -newkey rsa:4096 -nodes -batch -x509 \
|
|
-keyout $keyfile$suffix -out $certfile$suffix \
|
|
&>> $seqres.full; then
|
|
_fail "Failed to generate certificate and private key (see $seqres.full)"
|
|
fi
|
|
$OPENSSL_PROG x509 -in $certfile$suffix -out $certfileder$suffix \
|
|
-outform der
|
|
done
|
|
|
|
echo -e "\n# Clearing fs-verity keyring"
|
|
$KEYCTL_PROG clear %keyring:.fs-verity
|
|
|
|
echo -e "\n# Loading first certificate into fs-verity keyring"
|
|
$KEYCTL_PROG padd asymmetric '' %keyring:.fs-verity \
|
|
< $certfileder >> $seqres.full
|
|
|
|
echo -e "\n# Enabling fs.verity.require_signatures"
|
|
_enable_fsverity_signatures
|
|
|
|
echo -e "\n# Generating file and signing it for fs-verity"
|
|
head -c 100000 /dev/zero > $fsv_orig_file
|
|
for suffix in '' '.2'; do
|
|
_fsv_sign $fsv_orig_file $sigfile$suffix --key=$keyfile$suffix \
|
|
--cert=$certfile$suffix | _filter_scratch
|
|
done
|
|
|
|
echo -e "\n# Signing a different file for fs-verity"
|
|
head -c 100000 /dev/zero | tr '\0' 'X' > $otherfile
|
|
_fsv_sign $otherfile $othersigfile --key=$keyfile --cert=$certfile \
|
|
| _filter_scratch
|
|
|
|
# Actual tests
|
|
|
|
reset_fsv_file()
|
|
{
|
|
rm -f $fsv_file
|
|
cp $fsv_orig_file $fsv_file
|
|
}
|
|
|
|
echo -e "\n# Enabling verity with valid signature (should succeed)"
|
|
reset_fsv_file
|
|
_fsv_enable $fsv_file --signature=$sigfile
|
|
cmp $fsv_file $fsv_orig_file
|
|
|
|
echo -e "\n# Enabling verity without signature (should fail)"
|
|
reset_fsv_file
|
|
_fsv_enable $fsv_file |& _filter_scratch
|
|
|
|
echo -e "\n# Opening verity file without signature (should fail)"
|
|
reset_fsv_file
|
|
_disable_fsverity_signatures
|
|
_fsv_enable $fsv_file
|
|
_enable_fsverity_signatures
|
|
_scratch_cycle_mount
|
|
md5sum $fsv_file |& _filter_scratch
|
|
|
|
echo -e "\n# Enabling verity with untrusted signature (should fail)"
|
|
reset_fsv_file
|
|
_fsv_enable $fsv_file --signature=$sigfile.2 |& _filter_scratch
|
|
|
|
echo -e "\n# Enabling verity with wrong file's signature (should fail)"
|
|
reset_fsv_file
|
|
_fsv_enable $fsv_file --signature=$othersigfile |& _filter_scratch
|
|
|
|
echo -e "\n# Enabling verity with malformed signature (should fail)"
|
|
echo foobarbaz > $tmp.malformed_sig
|
|
reset_fsv_file
|
|
_fsv_enable $fsv_file --signature=$tmp.malformed_sig |& _filter_scratch
|
|
|
|
echo -e "\n# Testing salt"
|
|
reset_fsv_file
|
|
_fsv_sign $fsv_orig_file $sigfile.salted --key=$keyfile --cert=$certfile \
|
|
--salt=abcd | _filter_scratch
|
|
_fsv_enable $fsv_file --signature=$sigfile.salted --salt=abcd
|
|
cmp $fsv_file $fsv_orig_file
|
|
|
|
echo -e "\n# Testing non-default hash algorithm"
|
|
if _fsv_have_hash_algorithm sha512 $fsv_file; then
|
|
reset_fsv_file
|
|
_fsv_sign $fsv_orig_file $sigfile.sha512 --key=$keyfile \
|
|
--cert=$certfile --hash-alg=sha512 > /dev/null
|
|
_fsv_enable $fsv_file --signature=$sigfile.sha512 --hash-alg=sha512
|
|
cmp $fsv_file $fsv_orig_file
|
|
fi
|
|
|
|
echo -e "\n# Testing empty file"
|
|
echo -n > $fsv_file
|
|
_fsv_sign $fsv_file $sigfile.emptyfile --key=$keyfile --cert=$certfile | \
|
|
_filter_scratch
|
|
_fsv_enable $fsv_file --signature=$sigfile.emptyfile
|
|
|
|
# success, all done
|
|
status=0
|
|
exit
|