* [PATCH v4 0/8] xfstests: add fs-verity tests
@ 2019-09-30 21:15 Eric Biggers
2019-09-30 21:15 ` [PATCH v4 1/8] common/filter: add _filter_xfs_io_fiemap() Eric Biggers
` (7 more replies)
0 siblings, 8 replies; 9+ messages in thread
From: Eric Biggers @ 2019-09-30 21:15 UTC (permalink / raw)
To: fstests
Cc: linux-fscrypt, linux-ext4, linux-f2fs-devel, Jaegeuk Kim,
Theodore Y . Ts'o
Add tests for fs-verity. fs-verity is an ext4 and f2fs filesystem
feature which provides Merkle tree based hashing (similar to dm-verity)
for individual read-only files, mainly for the purpose of efficient
authenticity verification. Other filesystems may add fs-verity support
later, using the same API.
Running these tests requires:
- Kernel v5.4-rc1 or later configured with CONFIG_FS_VERITY=y,
and optionally CONFIG_FS_ENCRYPTION=y (for generic/904),
CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y (for generic/905), and
CONFIG_CRYPTO_SHA512=y (for generic/903 to cover SHA-512).
- The 'fsverity' utility program from
https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git
- e2fsprogs v1.45.2 or later for ext4 tests, or f2fs-tools v1.11.0 or
later for f2fs tests
- generic/905 also requires the 'openssl' program.
Example with kvm-xfstests:
$ kvm-xfstests -c ext4,f2fs -g verity
For more information about fs-verity, see
https://www.kernel.org/doc/html/latest/filesystems/fsverity.html
This patchset can also be retrieved from tag "fsverity_2019-09-30" of
https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/xfstests-dev.git
Note: my other pending xfstests patchset
"xfstests: add tests for fscrypt key management improvements"
renames the function _generate_encryption_key(), which is used by
generic/904 in this patchset. This will need to be fixed up when the
second of these two patchsets is merged.
Changed since v3:
- Update generic/900 to also test executing FS_IOC_ENABLE_VERITY while
another process is already executing it on the same file.
Changed since v2:
- Updated the signature verification test (generic/905) to match the
latest kernel and fsverity-utils changes.
- Added _fsv_sign() utility function.
- Correctly skip the fs-verity tests on ext3-style filesystems.
Changed since v1:
- Updated all tests to use the new fs-verity kernel API.
- Many cleanups, additional checks in the tests, and other improvements.
- Addressed review comments from Eryu Guan.
- Added a test for the built-in signature verification feature.
- Removed the fs-verity descriptor validation test, since the on-disk
format of this part was greatly simplified and made fs-specific.
Eric Biggers (8):
common/filter: add _filter_xfs_io_fiemap()
common/verity: add common functions for testing fs-verity
generic: test general behavior of verity files
generic: test access controls on the fs-verity ioctls
generic: test corrupting verity files
generic: test that fs-verity is using the correct measurement values
generic: test using fs-verity and fscrypt simultaneously
generic: test the fs-verity built-in signature verification support
common/config | 2 +
common/filter | 24 +++++
common/verity | 215 ++++++++++++++++++++++++++++++++++++++++++
tests/generic/900 | 199 ++++++++++++++++++++++++++++++++++++++
tests/generic/900.out | 74 +++++++++++++++
tests/generic/901 | 73 ++++++++++++++
tests/generic/901.out | 14 +++
tests/generic/902 | 154 ++++++++++++++++++++++++++++++
tests/generic/902.out | 91 ++++++++++++++++++
tests/generic/903 | 112 ++++++++++++++++++++++
tests/generic/903.out | 5 +
tests/generic/904 | 80 ++++++++++++++++
tests/generic/904.out | 12 +++
tests/generic/905 | 150 +++++++++++++++++++++++++++++
tests/generic/905.out | 42 +++++++++
tests/generic/group | 6 ++
16 files changed, 1253 insertions(+)
create mode 100644 common/verity
create mode 100755 tests/generic/900
create mode 100644 tests/generic/900.out
create mode 100755 tests/generic/901
create mode 100644 tests/generic/901.out
create mode 100755 tests/generic/902
create mode 100644 tests/generic/902.out
create mode 100755 tests/generic/903
create mode 100644 tests/generic/903.out
create mode 100755 tests/generic/904
create mode 100644 tests/generic/904.out
create mode 100755 tests/generic/905
create mode 100644 tests/generic/905.out
--
2.23.0.444.g18eeb5a265-goog
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH v4 1/8] common/filter: add _filter_xfs_io_fiemap()
2019-09-30 21:15 [PATCH v4 0/8] xfstests: add fs-verity tests Eric Biggers
@ 2019-09-30 21:15 ` Eric Biggers
2019-09-30 21:15 ` [PATCH v4 2/8] common/verity: add common functions for testing fs-verity Eric Biggers
` (6 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Eric Biggers @ 2019-09-30 21:15 UTC (permalink / raw)
To: fstests
Cc: linux-fscrypt, linux-ext4, linux-f2fs-devel, Jaegeuk Kim,
Theodore Y . Ts'o
From: Eric Biggers <ebiggers@google.com>
Add _filter_xfs_io_fiemap() to clean up the output of
'xfs_io -c fiemap'. This will be used by a function in common/verity.
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
common/filter | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/common/filter b/common/filter
index 26fc2132..2477f386 100644
--- a/common/filter
+++ b/common/filter
@@ -541,6 +541,30 @@ _filter_filefrag()
$flags, "\n"'
}
+# Clean up the extents list output of 'xfs_io -c fiemap', e.g.
+#
+# file:
+# 0: [0..79]: 628365312..628365391
+# 1: [80..159]: hole
+# 2: [160..319]: 628365472..628365631
+# =>
+# 0 79 628365312 628365391
+# 160 319 628365472 628365631
+#
+# The fields are:
+#
+# first_logical_block last_logical_block first_physical_block last_physical_block
+#
+# Blocks are 512 bytes, and holes are omitted.
+#
+_filter_xfs_io_fiemap()
+{
+ grep -E '^[[:space:]]+[0-9]+:' \
+ | grep -v '\<hole\>' \
+ | sed -E 's/^[[:space:]]+[0-9]+://' \
+ | tr '][.:' ' '
+}
+
# We generate WARNINGs on purpose when applications mix buffered/mmap IO with
# direct IO on the same file. This is a helper for _check_dmesg() to filter out
# such warnings.
--
2.23.0.444.g18eeb5a265-goog
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH v4 2/8] common/verity: add common functions for testing fs-verity
2019-09-30 21:15 [PATCH v4 0/8] xfstests: add fs-verity tests Eric Biggers
2019-09-30 21:15 ` [PATCH v4 1/8] common/filter: add _filter_xfs_io_fiemap() Eric Biggers
@ 2019-09-30 21:15 ` Eric Biggers
2019-09-30 21:15 ` [PATCH v4 3/8] generic: test general behavior of verity files Eric Biggers
` (5 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Eric Biggers @ 2019-09-30 21:15 UTC (permalink / raw)
To: fstests
Cc: linux-fscrypt, linux-ext4, linux-f2fs-devel, Jaegeuk Kim,
Theodore Y . Ts'o
From: Eric Biggers <ebiggers@google.com>
Add common functions for setting up and testing fs-verity. fs-verity is
an ext4 and f2fs filesystem feature which provides Merkle tree based
hashing (similar to dm-verity) for individual read-only files, mainly
for the purpose of efficient authenticity verification. Other
filesystems may add fs-verity support later, using the same API.
Running the fs-verity tests will require:
- Kernel v5.4-rc1 or later configured with CONFIG_FS_VERITY=y
- The 'fsverity' utility program from
https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git
- e2fsprogs v1.45.2 or later for ext4 tests, or f2fs-tools v1.11.0 or
later for f2fs tests
Some individual tests will have additional requirements.
For more information about fs-verity, see
https://www.kernel.org/doc/html/latest/filesystems/fsverity.html
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
common/config | 1 +
common/verity | 199 ++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 200 insertions(+)
create mode 100644 common/verity
diff --git a/common/config b/common/config
index 4c86a492..fb4097b8 100644
--- a/common/config
+++ b/common/config
@@ -213,6 +213,7 @@ export CHECKBASHISMS_PROG="$(type -P checkbashisms)"
export XFS_INFO_PROG="$(type -P xfs_info)"
export DUPEREMOVE_PROG="$(type -P duperemove)"
export CC_PROG="$(type -P cc)"
+export FSVERITY_PROG="$(type -P fsverity)"
# use 'udevadm settle' or 'udevsettle' to wait for lv to be settled.
# newer systems have udevadm command but older systems like RHEL5 don't.
diff --git a/common/verity b/common/verity
new file mode 100644
index 00000000..a8aae51e
--- /dev/null
+++ b/common/verity
@@ -0,0 +1,199 @@
+# SPDX-License-Identifier: GPL-2.0
+# Copyright 2018 Google LLC
+#
+# Functions for setting up and testing fs-verity
+
+_require_scratch_verity()
+{
+ _require_scratch
+ _require_command "$FSVERITY_PROG" fsverity
+
+ if ! _scratch_mkfs_verity &>>$seqres.full; then
+ # ext4: need e2fsprogs v1.44.5 or later (but actually v1.45.2+
+ # is needed for some tests to pass, due to an e2fsck bug)
+ # f2fs: need f2fs-tools v1.11.0 or later
+ _notrun "$FSTYP userspace tools don't support fs-verity"
+ fi
+
+ # Try to mount the filesystem. If this fails then either the kernel
+ # isn't aware of fs-verity, or the mkfs options were not compatible with
+ # verity (e.g. ext4 with block size != PAGE_SIZE).
+ if ! _try_scratch_mount &>>$seqres.full; then
+ _notrun "kernel is unaware of $FSTYP verity feature," \
+ "or mkfs options are not compatible with verity"
+ fi
+
+ # The filesystem may be aware of fs-verity but have it disabled by
+ # CONFIG_FS_VERITY=n. Detect support via sysfs.
+ if [ ! -e /sys/fs/$FSTYP/features/verity ]; then
+ _notrun "kernel $FSTYP isn't configured with verity support"
+ fi
+
+ # The filesystem may have fs-verity enabled but not actually usable by
+ # default. E.g., ext4 only supports verity on extent-based files, so it
+ # doesn't work on ext3-style filesystems. So, try actually using it.
+ echo foo > $SCRATCH_MNT/tmpfile
+ if ! _fsv_enable $SCRATCH_MNT/tmpfile; then
+ _notrun "$FSTYP verity isn't usable by default with these mkfs options"
+ fi
+ rm -f $SCRATCH_MNT/tmpfile
+
+ _scratch_unmount
+
+ # Merkle tree block size. Currently all filesystems only support
+ # PAGE_SIZE for this. This is also the default for 'fsverity enable'.
+ FSV_BLOCK_SIZE=$(get_page_size)
+}
+
+_scratch_mkfs_verity()
+{
+ case $FSTYP in
+ ext4|f2fs)
+ _scratch_mkfs -O verity
+ ;;
+ *)
+ _notrun "No verity support for $FSTYP"
+ ;;
+ esac
+}
+
+_scratch_mkfs_encrypted_verity()
+{
+ case $FSTYP in
+ ext4)
+ _scratch_mkfs -O encrypt,verity
+ ;;
+ f2fs)
+ # f2fs-tools as of v1.11.0 doesn't allow comma-separated
+ # features with -O. Instead -O must be supplied multiple times.
+ _scratch_mkfs -O encrypt -O verity
+ ;;
+ *)
+ _notrun "$FSTYP not supported in _scratch_mkfs_encrypted_verity"
+ ;;
+ esac
+}
+
+_fsv_scratch_begin_subtest()
+{
+ local msg=$1
+
+ rm -rf "${SCRATCH_MNT:?}"/*
+ echo -e "\n# $msg"
+}
+
+_fsv_enable()
+{
+ $FSVERITY_PROG enable "$@"
+}
+
+_fsv_measure()
+{
+ $FSVERITY_PROG measure "$@" | awk '{print $1}'
+}
+
+# Generate a file, then enable verity on it.
+_fsv_create_enable_file()
+{
+ local file=$1
+ shift
+
+ head -c $((FSV_BLOCK_SIZE * 2)) /dev/zero > "$file"
+ _fsv_enable "$file" "$@"
+}
+
+_fsv_have_hash_algorithm()
+{
+ local hash_alg=$1
+ local test_file=$2
+
+ rm -f $test_file
+ head -c 4096 /dev/zero > $test_file
+ if ! _fsv_enable --hash-alg=$hash_alg $test_file &>> $seqres.full; then
+ # no kernel support
+ return 1
+ fi
+ rm -f $test_file
+ return 0
+}
+
+#
+# _fsv_scratch_corrupt_bytes - Write some bytes to a file, bypassing the filesystem
+#
+# Write the bytes sent on stdin to the given offset in the given file, but do so
+# by writing directly to the extents on the block device, with the filesystem
+# unmounted. This can be used to corrupt a verity file for testing purposes,
+# bypassing the restrictions imposed by the filesystem.
+#
+# The file is assumed to be located on $SCRATCH_DEV.
+#
+_fsv_scratch_corrupt_bytes()
+{
+ local file=$1
+ local offset=$2
+ local lstart lend pstart pend
+ local dd_cmds=()
+ local cmd
+
+ sync # Sync to avoid unwritten extents
+
+ cat > $tmp.bytes
+ local end=$(( offset + $(stat -c %s $tmp.bytes ) ))
+
+ # For each extent that intersects the requested range in order, add a
+ # command that writes the next part of the data to that extent.
+ while read -r lstart lend pstart pend; do
+ lstart=$((lstart * 512))
+ lend=$(((lend + 1) * 512))
+ pstart=$((pstart * 512))
+ pend=$(((pend + 1) * 512))
+
+ if (( lend - lstart != pend - pstart )); then
+ _fail "Logical and physical extent lengths differ for file '$file'"
+ elif (( offset < lstart )); then
+ _fail "Hole in file '$file' at byte $offset. Next extent begins at byte $lstart"
+ elif (( offset < lend )); then
+ local len=$((lend - offset))
+ local seek=$((pstart + (offset - lstart)))
+ dd_cmds+=("head -c $len | dd of=$SCRATCH_DEV oflag=seek_bytes seek=$seek status=none")
+ (( offset += len ))
+ fi
+ done < <($XFS_IO_PROG -r -c "fiemap $offset $((end - offset))" "$file" \
+ | _filter_xfs_io_fiemap)
+
+ if (( offset < end )); then
+ _fail "Extents of file '$file' ended at byte $offset, but needed until $end"
+ fi
+
+ # Execute the commands to write the data
+ _scratch_unmount
+ for cmd in "${dd_cmds[@]}"; do
+ eval "$cmd"
+ done < $tmp.bytes
+ sync # Sync to flush the block device's pagecache
+ _scratch_mount
+}
+
+#
+# _fsv_scratch_corrupt_merkle_tree - Corrupt a file's Merkle tree
+#
+# Like _fsv_scratch_corrupt_bytes(), but this corrupts the file's fs-verity
+# Merkle tree. The offset is given as a byte offset into the Merkle tree.
+#
+_fsv_scratch_corrupt_merkle_tree()
+{
+ local file=$1
+ local offset=$2
+
+ case $FSTYP in
+ ext4|f2fs)
+ # ext4 and f2fs store the Merkle tree after the file contents
+ # itself, starting at the next 65536-byte aligned boundary.
+ (( offset += ($(stat -c %s $file) + 65535) & ~65535 ))
+ _fsv_scratch_corrupt_bytes $file $offset
+ ;;
+ *)
+ _fail "_fsv_scratch_corrupt_merkle_tree() unimplemented on $FSTYP"
+ ;;
+ esac
+}
--
2.23.0.444.g18eeb5a265-goog
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH v4 3/8] generic: test general behavior of verity files
2019-09-30 21:15 [PATCH v4 0/8] xfstests: add fs-verity tests Eric Biggers
2019-09-30 21:15 ` [PATCH v4 1/8] common/filter: add _filter_xfs_io_fiemap() Eric Biggers
2019-09-30 21:15 ` [PATCH v4 2/8] common/verity: add common functions for testing fs-verity Eric Biggers
@ 2019-09-30 21:15 ` Eric Biggers
2019-09-30 21:15 ` [PATCH v4 4/8] generic: test access controls on the fs-verity ioctls Eric Biggers
` (4 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Eric Biggers @ 2019-09-30 21:15 UTC (permalink / raw)
To: fstests
Cc: linux-fscrypt, linux-ext4, linux-f2fs-devel, Jaegeuk Kim,
Theodore Y . Ts'o
From: Eric Biggers <ebiggers@google.com>
This is a basic fs-verity test which verifies:
- conditions for enabling verity
- verity files have expected contents and size
- can't change contents of verity files, but can change metadata
- can retrieve a verity file's measurement via FS_IOC_MEASURE_VERITY
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
tests/generic/900 | 199 ++++++++++++++++++++++++++++++++++++++++++
tests/generic/900.out | 74 ++++++++++++++++
tests/generic/group | 1 +
3 files changed, 274 insertions(+)
create mode 100755 tests/generic/900
create mode 100644 tests/generic/900.out
diff --git a/tests/generic/900 b/tests/generic/900
new file mode 100755
index 00000000..04cbcfdf
--- /dev/null
+++ b/tests/generic/900
@@ -0,0 +1,199 @@
+#! /bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright 2018 Google LLC
+#
+# FS QA Test generic/900
+#
+# This is a basic fs-verity test which verifies:
+#
+# - conditions for enabling verity
+# - verity files have correct contents and size
+# - can't change contents of verity files, but can change metadata
+# - can retrieve a verity file's measurement via FS_IOC_MEASURE_VERITY
+#
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1 # failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+_cleanup()
+{
+ cd /
+ rm -f $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/verity
+
+# remove previous $seqres.full before test
+rm -f $seqres.full
+
+# real QA test starts here
+_supported_fs generic
+_supported_os Linux
+_require_scratch_verity
+
+_scratch_mkfs_verity &>> $seqres.full
+_scratch_mount
+fsv_orig_file=$SCRATCH_MNT/file
+fsv_file=$SCRATCH_MNT/file.fsv
+
+verify_data_readable()
+{
+ local file=$1
+
+ md5sum $file > /dev/null
+}
+
+verify_data_unreadable()
+{
+ local file=$1
+
+ # try both reading just the first data block, and reading until EOF
+ head -c $FSV_BLOCK_SIZE $file 2>&1 >/dev/null | _filter_scratch
+ md5sum $file |& _filter_scratch
+}
+
+_fsv_scratch_begin_subtest "Enabling verity on file with verity already enabled fails with EEXIST"
+_fsv_create_enable_file $fsv_file
+echo "(trying again)"
+_fsv_enable $fsv_file |& _filter_scratch
+
+_fsv_scratch_begin_subtest "Enabling verity with invalid hash algorithm fails with EINVAL"
+_fsv_create_enable_file $fsv_file --hash-alg=257 |& _filter_scratch
+verify_data_readable $fsv_file
+
+_fsv_scratch_begin_subtest "Enabling verity with invalid block size fails with EINVAL"
+_fsv_create_enable_file $fsv_file --block-size=1 |& _filter_scratch
+verify_data_readable $fsv_file
+
+_fsv_scratch_begin_subtest "Enabling verity on directory fails with EISDIR"
+mkdir $SCRATCH_MNT/dir
+_fsv_enable $SCRATCH_MNT/dir |& _filter_scratch
+
+_fsv_scratch_begin_subtest "Enabling verity with too-long salt fails with EMSGSIZE"
+_fsv_create_enable_file $fsv_file --salt=$(perl -e 'print "A" x 1000') |& _filter_scratch
+verify_data_readable $fsv_file
+
+_fsv_scratch_begin_subtest "Enabling verity on file on read-only filesystem fails with EROFS"
+echo foo > $fsv_file
+_scratch_remount ro
+_fsv_enable $fsv_file |& _filter_scratch
+_scratch_remount rw
+
+_fsv_scratch_begin_subtest "Enabling verity on file open for writing fails with ETXTBSY"
+echo foo > $fsv_file
+exec 3<> $fsv_file
+_fsv_enable $fsv_file |& _filter_scratch
+exec 3<&-
+verify_data_readable $fsv_file
+
+_fsv_scratch_begin_subtest "Enabling verity can be interrupted"
+dd if=/dev/zero of=$fsv_file bs=1 count=0 seek=$((1 << 34)) status=none
+start_time=$(date +%s)
+$FSVERITY_PROG enable $fsv_file &
+sleep 0.5
+kill %1
+wait
+elapsed=$(( $(date +%s) - start_time ))
+if (( elapsed > 5 )); then
+ echo "Failed to interrupt FS_IOC_ENABLE_VERITY ($elapsed seconds elapsed)"
+fi
+
+_fsv_scratch_begin_subtest "Enabling verity on file with verity already being enabled fails with EBUSY"
+dd if=/dev/zero of=$fsv_file bs=1 count=0 seek=$((1 << 34)) status=none
+start_time=$(date +%s)
+$FSVERITY_PROG enable $fsv_file &
+sleep 0.5
+_fsv_enable $fsv_file |& _filter_scratch
+kill %1
+wait
+
+_fsv_scratch_begin_subtest "verity file can't be opened for writing"
+_fsv_create_enable_file $fsv_file >> $seqres.full
+echo "* reading"
+$XFS_IO_PROG -r $fsv_file -c ''
+echo "* xfs_io writing, should be O_RDWR"
+$XFS_IO_PROG $fsv_file -c '' |& _filter_scratch
+echo "* bash >>, should be O_APPEND"
+bash -c "echo >> $fsv_file" |& _filter_scratch
+echo "* bash >, should be O_WRONLY|O_CREAT|O_TRUNC"
+bash -c "echo > $fsv_file" |& _filter_scratch
+
+_fsv_scratch_begin_subtest "verity file can be read"
+_fsv_create_enable_file $fsv_file >> $seqres.full
+verify_data_readable $fsv_file
+
+_fsv_scratch_begin_subtest "verity file can be measured"
+_fsv_create_enable_file $fsv_file >> $seqres.full
+_fsv_measure $fsv_file
+
+_fsv_scratch_begin_subtest "verity file can be renamed"
+_fsv_create_enable_file $fsv_file
+mv $fsv_file $fsv_file.newname
+
+_fsv_scratch_begin_subtest "verity file can be unlinked"
+_fsv_create_enable_file $fsv_file
+rm $fsv_file
+
+_fsv_scratch_begin_subtest "verity file can be linked to"
+_fsv_create_enable_file $fsv_file
+ln $fsv_file $fsv_file.newname
+
+_fsv_scratch_begin_subtest "verity file can be chmodded"
+_fsv_create_enable_file $fsv_file
+chmod 777 $fsv_file
+chmod 444 $fsv_file
+
+_fsv_scratch_begin_subtest "verity file can be chowned"
+_fsv_create_enable_file $fsv_file
+chown 1:1 $fsv_file
+chown 0:0 $fsv_file
+
+_fsv_scratch_begin_subtest "verity file has correct contents and size"
+head -c 100000 /dev/urandom > $fsv_orig_file
+cp $fsv_orig_file $fsv_file
+_fsv_enable $fsv_file >> $seqres.full
+cmp $fsv_file $fsv_orig_file
+stat -c %s $fsv_file
+_scratch_cycle_mount
+cmp $fsv_file $fsv_orig_file
+stat -c %s $fsv_file
+
+_fsv_scratch_begin_subtest "Trying to measure non-verity file fails with ENODATA"
+echo foo > $fsv_file
+_fsv_measure $fsv_file |& _filter_scratch
+verify_data_readable $fsv_file
+
+# Test files <= 1 block in size. These are a bit of a special case since there
+# are no hash blocks; the root hash is calculated directly over the data block.
+for size in 1 $((FSV_BLOCK_SIZE - 1)) $FSV_BLOCK_SIZE; do
+ _fsv_scratch_begin_subtest "verity on $size-byte file"
+ head -c $size /dev/urandom > $fsv_orig_file
+ cp $fsv_orig_file $fsv_file
+ _fsv_enable $fsv_file
+ cmp $fsv_orig_file $fsv_file && echo "Files matched"
+ rm -f $fsv_file
+done
+
+_fsv_scratch_begin_subtest "verity on 100M file (multiple levels in hash tree)"
+head -c 100000000 /dev/urandom > $fsv_orig_file
+cp $fsv_orig_file $fsv_file
+_fsv_enable $fsv_file
+cmp $fsv_orig_file $fsv_file && echo "Files matched"
+
+_fsv_scratch_begin_subtest "verity on sparse file"
+dd if=/dev/zero of=$fsv_orig_file bs=1 count=1 seek=1000000 status=none
+cp $fsv_orig_file $fsv_file
+_fsv_enable $fsv_file
+cmp $fsv_orig_file $fsv_file && echo "Files matched"
+
+# success, all done
+status=0
+exit
diff --git a/tests/generic/900.out b/tests/generic/900.out
new file mode 100644
index 00000000..93f91f27
--- /dev/null
+++ b/tests/generic/900.out
@@ -0,0 +1,74 @@
+QA output created by 900
+
+# Enabling verity on file with verity already enabled fails with EEXIST
+(trying again)
+ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': File exists
+
+# Enabling verity with invalid hash algorithm fails with EINVAL
+ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Invalid argument
+
+# Enabling verity with invalid block size fails with EINVAL
+ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Invalid argument
+
+# Enabling verity on directory fails with EISDIR
+ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/dir': Is a directory
+
+# Enabling verity with too-long salt fails with EMSGSIZE
+ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Message too long
+
+# Enabling verity on file on read-only filesystem fails with EROFS
+ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Read-only file system
+
+# Enabling verity on file open for writing fails with ETXTBSY
+ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Text file busy
+
+# Enabling verity can be interrupted
+
+# Enabling verity on file with verity already being enabled fails with EBUSY
+ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Device or resource busy
+
+# verity file can't be opened for writing
+* reading
+* xfs_io writing, should be O_RDWR
+SCRATCH_MNT/file.fsv: Operation not permitted
+* bash >>, should be O_APPEND
+bash: SCRATCH_MNT/file.fsv: Operation not permitted
+* bash >, should be O_WRONLY|O_CREAT|O_TRUNC
+bash: SCRATCH_MNT/file.fsv: Operation not permitted
+
+# verity file can be read
+
+# verity file can be measured
+sha256:be54121da3877f8852c65136d731784f134c4dd9d95071502e80d7be9f99b263
+
+# verity file can be renamed
+
+# verity file can be unlinked
+
+# verity file can be linked to
+
+# verity file can be chmodded
+
+# verity file can be chowned
+
+# verity file has correct contents and size
+100000
+100000
+
+# Trying to measure non-verity file fails with ENODATA
+ERROR: FS_IOC_MEASURE_VERITY failed on 'SCRATCH_MNT/file.fsv': No data available
+
+# verity on 1-byte file
+Files matched
+
+# verity on 4095-byte file
+Files matched
+
+# verity on 4096-byte file
+Files matched
+
+# verity on 100M file (multiple levels in hash tree)
+Files matched
+
+# verity on sparse file
+Files matched
diff --git a/tests/generic/group b/tests/generic/group
index 7cf4f6c4..8c5212a1 100644
--- a/tests/generic/group
+++ b/tests/generic/group
@@ -570,3 +570,4 @@
565 auto quick copy_range
566 auto quick quota metadata
567 auto quick rw punch
+900 auto quick verity
--
2.23.0.444.g18eeb5a265-goog
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH v4 4/8] generic: test access controls on the fs-verity ioctls
2019-09-30 21:15 [PATCH v4 0/8] xfstests: add fs-verity tests Eric Biggers
` (2 preceding siblings ...)
2019-09-30 21:15 ` [PATCH v4 3/8] generic: test general behavior of verity files Eric Biggers
@ 2019-09-30 21:15 ` Eric Biggers
2019-09-30 21:15 ` [PATCH v4 5/8] generic: test corrupting verity files Eric Biggers
` (3 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Eric Biggers @ 2019-09-30 21:15 UTC (permalink / raw)
To: fstests
Cc: linux-fscrypt, linux-ext4, linux-f2fs-devel, Jaegeuk Kim,
Theodore Y . Ts'o
From: Eric Biggers <ebiggers@google.com>
Test access controls on the fs-verity ioctls. FS_IOC_MEASURE_VERITY is
allowed on any file, whereas FS_IOC_ENABLE_VERITY requires write access.
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
tests/generic/901 | 73 +++++++++++++++++++++++++++++++++++++++++++
tests/generic/901.out | 14 +++++++++
tests/generic/group | 1 +
3 files changed, 88 insertions(+)
create mode 100755 tests/generic/901
create mode 100644 tests/generic/901.out
diff --git a/tests/generic/901 b/tests/generic/901
new file mode 100755
index 00000000..56dab587
--- /dev/null
+++ b/tests/generic/901
@@ -0,0 +1,73 @@
+#! /bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright 2018 Google LLC
+#
+# FS QA Test generic/901
+#
+# Test access controls on the fs-verity ioctls. FS_IOC_MEASURE_VERITY is
+# allowed on any file, whereas FS_IOC_ENABLE_VERITY requires write access.
+#
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1 # failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+_cleanup()
+{
+ cd /
+ rm -f $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/verity
+
+# remove previous $seqres.full before test
+rm -f $seqres.full
+
+# real QA test starts here
+_supported_fs generic
+_supported_os Linux
+_require_scratch_verity
+_require_user
+_require_chattr ia
+
+_scratch_mkfs_verity &>> $seqres.full
+_scratch_mount
+fsv_file=$SCRATCH_MNT/file.fsv
+
+_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY doesn't require root"
+echo foo > $fsv_file
+chmod 666 $fsv_file
+_user_do "$FSVERITY_PROG enable $fsv_file"
+
+_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY requires write access"
+echo foo > $fsv_file >> $seqres.full
+chmod 444 $fsv_file
+_user_do "$FSVERITY_PROG enable $fsv_file" |& _filter_scratch
+
+_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY requires !append-only"
+echo foo > $fsv_file >> $seqres.full
+$CHATTR_PROG +a $fsv_file
+$FSVERITY_PROG enable $fsv_file |& _filter_scratch
+$CHATTR_PROG -a $fsv_file
+
+_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY requires !immutable"
+echo foo > $fsv_file >> $seqres.full
+$CHATTR_PROG +i $fsv_file
+$FSVERITY_PROG enable $fsv_file |& _filter_scratch
+$CHATTR_PROG -i $fsv_file
+
+_fsv_scratch_begin_subtest "FS_IOC_MEASURE_VERITY doesn't require root"
+_fsv_create_enable_file $fsv_file >> $seqres.full
+chmod 444 $fsv_file
+su $qa_user -c "$FSVERITY_PROG measure $fsv_file" >> $seqres.full
+
+# success, all done
+status=0
+exit
diff --git a/tests/generic/901.out b/tests/generic/901.out
new file mode 100644
index 00000000..a9e4c364
--- /dev/null
+++ b/tests/generic/901.out
@@ -0,0 +1,14 @@
+QA output created by 901
+
+# FS_IOC_ENABLE_VERITY doesn't require root
+
+# FS_IOC_ENABLE_VERITY requires write access
+Permission denied
+
+# FS_IOC_ENABLE_VERITY requires !append-only
+ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Operation not permitted
+
+# FS_IOC_ENABLE_VERITY requires !immutable
+ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Operation not permitted
+
+# FS_IOC_MEASURE_VERITY doesn't require root
diff --git a/tests/generic/group b/tests/generic/group
index 8c5212a1..a0450d42 100644
--- a/tests/generic/group
+++ b/tests/generic/group
@@ -571,3 +571,4 @@
566 auto quick quota metadata
567 auto quick rw punch
900 auto quick verity
+901 auto quick verity
--
2.23.0.444.g18eeb5a265-goog
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH v4 5/8] generic: test corrupting verity files
2019-09-30 21:15 [PATCH v4 0/8] xfstests: add fs-verity tests Eric Biggers
` (3 preceding siblings ...)
2019-09-30 21:15 ` [PATCH v4 4/8] generic: test access controls on the fs-verity ioctls Eric Biggers
@ 2019-09-30 21:15 ` Eric Biggers
2019-09-30 21:15 ` [PATCH v4 6/8] generic: test that fs-verity is using the correct measurement values Eric Biggers
` (2 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Eric Biggers @ 2019-09-30 21:15 UTC (permalink / raw)
To: fstests
Cc: linux-fscrypt, linux-ext4, linux-f2fs-devel, Jaegeuk Kim,
Theodore Y . Ts'o
From: Eric Biggers <ebiggers@google.com>
This test corrupts various parts of the contents of a verity file, or
parts of its Merkle tree, by writing directly to the block device. It
verifies that this causes I/O errors when the relevant part of the
contents is later read by any means.
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
tests/generic/902 | 154 ++++++++++++++++++++++++++++++++++++++++++
tests/generic/902.out | 91 +++++++++++++++++++++++++
tests/generic/group | 1 +
3 files changed, 246 insertions(+)
create mode 100755 tests/generic/902
create mode 100644 tests/generic/902.out
diff --git a/tests/generic/902 b/tests/generic/902
new file mode 100755
index 00000000..5ef2cca1
--- /dev/null
+++ b/tests/generic/902
@@ -0,0 +1,154 @@
+#! /bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright 2018 Google LLC
+#
+# FS QA Test generic/902
+#
+# Test corrupting verity files. This test corrupts various parts of the
+# contents of a verity file, or parts of its Merkle tree, by writing directly to
+# the block device. It verifies that this causes I/O errors when the relevant
+# part of the contents is later read by any means.
+#
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1 # failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+_cleanup()
+{
+ cd /
+ rm -f $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/verity
+
+# remove previous $seqres.full before test
+rm -f $seqres.full
+
+# real QA test starts here
+_supported_fs generic
+_supported_os Linux
+_require_scratch_verity
+
+_scratch_mkfs_verity &>> $seqres.full
+_scratch_mount
+fsv_orig_file=$SCRATCH_MNT/file
+fsv_file=$SCRATCH_MNT/file.fsv
+
+setup_zeroed_file()
+{
+ local len=$1
+ local sparse=$2
+
+ if $sparse; then
+ dd if=/dev/zero of=$fsv_orig_file bs=1 count=0 seek=$len \
+ status=none
+ else
+ head -c $len /dev/zero > $fsv_orig_file
+ fi
+ cp $fsv_orig_file $fsv_file
+ _fsv_enable $fsv_file
+ md5sum $fsv_file |& _filter_scratch
+}
+
+filter_sigbus()
+{
+ sed -e 's/.*Bus error.*/Bus error/'
+}
+
+round_up_to_page_boundary()
+{
+ local n=$1
+ local page_size=$(get_page_size)
+
+ echo $(( (n + page_size - 1) & ~(page_size - 1) ))
+}
+
+corruption_test()
+{
+ local file_len=$1
+ local zap_offset=$2
+ local zap_len=$3
+ local is_merkle_tree=${4:-false} # if true, zap tree instead of data
+ local use_sparse_file=${5:-false}
+ local page_aligned_eof=$(round_up_to_page_boundary $file_len)
+ local measurement
+
+ if $is_merkle_tree; then
+ local corrupt_func=_fsv_scratch_corrupt_merkle_tree
+ else
+ local corrupt_func=_fsv_scratch_corrupt_bytes
+ fi
+
+ local msg="Corruption test:"
+ msg+=" file_len=$file_len"
+ if $use_sparse_file; then
+ msg+=" (sparse)"
+ fi
+ msg+=" zap_offset=$zap_offset"
+ if $is_merkle_tree; then
+ msg+=" (in Merkle tree)"
+ fi
+ msg+=" zap_len=$zap_len"
+
+ _fsv_scratch_begin_subtest "$msg"
+ setup_zeroed_file $file_len $use_sparse_file
+ cmp $fsv_file $fsv_orig_file
+ echo "Corrupting bytes..."
+ head -c $zap_len /dev/zero | tr '\0' X \
+ | $corrupt_func $fsv_file $zap_offset
+
+ echo "Validating corruption (reading full file)..."
+ _scratch_cycle_mount
+ md5sum $fsv_file |& _filter_scratch
+
+ echo "Validating corruption (direct I/O)..."
+ _scratch_cycle_mount
+ dd if=$fsv_file bs=$FSV_BLOCK_SIZE iflag=direct status=none \
+ of=/dev/null |& _filter_scratch
+
+ if ! $is_merkle_tree; then
+ echo "Validating corruption (reading just corrupted part)..."
+ dd if=$fsv_file bs=1 skip=$zap_offset count=$zap_len \
+ of=/dev/null status=none |& _filter_scratch
+ fi
+
+ echo "Validating corruption (reading full file via mmap)..."
+ bash -c "trap '' SIGBUS; $XFS_IO_PROG -r $fsv_file \
+ -c 'mmap -r 0 $page_aligned_eof' \
+ -c 'mread 0 $file_len'" |& filter_sigbus
+
+ if ! $is_merkle_tree; then
+ echo "Validating corruption (reading just corrupted part via mmap)..."
+ bash -c "trap '' SIGBUS; $XFS_IO_PROG -r $fsv_file \
+ -c 'mmap -r 0 $page_aligned_eof' \
+ -c 'mread $zap_offset $zap_len'" |& filter_sigbus
+ fi
+}
+
+corruption_test 131072 0 1
+corruption_test 131072 4095 1
+corruption_test 131072 65536 65536
+corruption_test 131072 131071 1
+
+# Non-zeroed bytes in the final partial block beyond EOF should cause reads to
+# fail too. Such bytes would be visible via mmap().
+corruption_test 130999 131000 72
+
+# Merkle tree corruption.
+corruption_test 200000 100 10 true
+
+# Sparse file. Corrupting the Merkle tree should still cause reads to fail,
+# i.e. the filesystem must verify holes.
+corruption_test 200000 100 10 true true
+
+# success, all done
+status=0
+exit
diff --git a/tests/generic/902.out b/tests/generic/902.out
new file mode 100644
index 00000000..15fe691e
--- /dev/null
+++ b/tests/generic/902.out
@@ -0,0 +1,91 @@
+QA output created by 902
+
+# Corruption test: file_len=131072 zap_offset=0 zap_len=1
+0dfbe8aa4c20b52e1b8bf3cb6cbdf193 SCRATCH_MNT/file.fsv
+Corrupting bytes...
+Validating corruption (reading full file)...
+md5sum: SCRATCH_MNT/file.fsv: Input/output error
+Validating corruption (direct I/O)...
+dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error
+Validating corruption (reading just corrupted part)...
+dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error
+Validating corruption (reading full file via mmap)...
+Bus error
+Validating corruption (reading just corrupted part via mmap)...
+Bus error
+
+# Corruption test: file_len=131072 zap_offset=4095 zap_len=1
+0dfbe8aa4c20b52e1b8bf3cb6cbdf193 SCRATCH_MNT/file.fsv
+Corrupting bytes...
+Validating corruption (reading full file)...
+md5sum: SCRATCH_MNT/file.fsv: Input/output error
+Validating corruption (direct I/O)...
+dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error
+Validating corruption (reading just corrupted part)...
+dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error
+Validating corruption (reading full file via mmap)...
+Bus error
+Validating corruption (reading just corrupted part via mmap)...
+Bus error
+
+# Corruption test: file_len=131072 zap_offset=65536 zap_len=65536
+0dfbe8aa4c20b52e1b8bf3cb6cbdf193 SCRATCH_MNT/file.fsv
+Corrupting bytes...
+Validating corruption (reading full file)...
+md5sum: SCRATCH_MNT/file.fsv: Input/output error
+Validating corruption (direct I/O)...
+dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error
+Validating corruption (reading just corrupted part)...
+dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error
+Validating corruption (reading full file via mmap)...
+Bus error
+Validating corruption (reading just corrupted part via mmap)...
+Bus error
+
+# Corruption test: file_len=131072 zap_offset=131071 zap_len=1
+0dfbe8aa4c20b52e1b8bf3cb6cbdf193 SCRATCH_MNT/file.fsv
+Corrupting bytes...
+Validating corruption (reading full file)...
+md5sum: SCRATCH_MNT/file.fsv: Input/output error
+Validating corruption (direct I/O)...
+dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error
+Validating corruption (reading just corrupted part)...
+dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error
+Validating corruption (reading full file via mmap)...
+Bus error
+Validating corruption (reading just corrupted part via mmap)...
+Bus error
+
+# Corruption test: file_len=130999 zap_offset=131000 zap_len=72
+f5cca0d7fbb8b02bc6118a9954d5d306 SCRATCH_MNT/file.fsv
+Corrupting bytes...
+Validating corruption (reading full file)...
+md5sum: SCRATCH_MNT/file.fsv: Input/output error
+Validating corruption (direct I/O)...
+dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error
+Validating corruption (reading just corrupted part)...
+dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error
+Validating corruption (reading full file via mmap)...
+Bus error
+Validating corruption (reading just corrupted part via mmap)...
+Bus error
+
+# Corruption test: file_len=200000 zap_offset=100 (in Merkle tree) zap_len=10
+4a1e4325031b13f933ac4f1db9ecb63f SCRATCH_MNT/file.fsv
+Corrupting bytes...
+Validating corruption (reading full file)...
+md5sum: SCRATCH_MNT/file.fsv: Input/output error
+Validating corruption (direct I/O)...
+dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error
+Validating corruption (reading full file via mmap)...
+Bus error
+
+# Corruption test: file_len=200000 (sparse) zap_offset=100 (in Merkle tree) zap_len=10
+4a1e4325031b13f933ac4f1db9ecb63f SCRATCH_MNT/file.fsv
+Corrupting bytes...
+Validating corruption (reading full file)...
+md5sum: SCRATCH_MNT/file.fsv: Input/output error
+Validating corruption (direct I/O)...
+dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error
+Validating corruption (reading full file via mmap)...
+Bus error
diff --git a/tests/generic/group b/tests/generic/group
index a0450d42..22df626f 100644
--- a/tests/generic/group
+++ b/tests/generic/group
@@ -572,3 +572,4 @@
567 auto quick rw punch
900 auto quick verity
901 auto quick verity
+902 auto quick verity
--
2.23.0.444.g18eeb5a265-goog
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH v4 6/8] generic: test that fs-verity is using the correct measurement values
2019-09-30 21:15 [PATCH v4 0/8] xfstests: add fs-verity tests Eric Biggers
` (4 preceding siblings ...)
2019-09-30 21:15 ` [PATCH v4 5/8] generic: test corrupting verity files Eric Biggers
@ 2019-09-30 21:15 ` Eric Biggers
2019-09-30 21:15 ` [PATCH v4 7/8] generic: test using fs-verity and fscrypt simultaneously Eric Biggers
2019-09-30 21:15 ` [PATCH v4 8/8] generic: test the fs-verity built-in signature verification support Eric Biggers
7 siblings, 0 replies; 9+ messages in thread
From: Eric Biggers @ 2019-09-30 21:15 UTC (permalink / raw)
To: fstests
Cc: linux-fscrypt, linux-ext4, linux-f2fs-devel, Jaegeuk Kim,
Theodore Y . Ts'o
From: Eric Biggers <ebiggers@google.com>
This test verifies that fs-verity is doing its Merkle tree-based hashing
correctly, i.e. that it hasn't been broken by a change.
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
tests/generic/903 | 112 ++++++++++++++++++++++++++++++++++++++++++
tests/generic/903.out | 5 ++
tests/generic/group | 1 +
3 files changed, 118 insertions(+)
create mode 100755 tests/generic/903
create mode 100644 tests/generic/903.out
diff --git a/tests/generic/903 b/tests/generic/903
new file mode 100755
index 00000000..55f4a3ba
--- /dev/null
+++ b/tests/generic/903
@@ -0,0 +1,112 @@
+#! /bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright 2018 Google LLC
+#
+# FS QA Test generic/903
+#
+# Test that fs-verity is using the correct measurement values. This test
+# verifies that fs-verity is doing its Merkle tree-based hashing correctly,
+# i.e. that it hasn't been broken by a change.
+#
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1 # failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+_cleanup()
+{
+ cd /
+ rm -f $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/verity
+
+# remove previous $seqres.full before test
+rm -f $seqres.full
+
+# real QA test starts here
+_supported_fs generic
+_supported_os Linux
+_require_scratch_verity
+if [ $FSV_BLOCK_SIZE != 4096 ]; then
+ _notrun "4096-byte verity block size not supported on this platform"
+fi
+
+_scratch_mkfs_verity &>> $seqres.full
+_scratch_mount
+fsv_orig_file=$SCRATCH_MNT/file
+fsv_file=$SCRATCH_MNT/file.fsv
+
+algs=(sha256 sha512)
+
+# Try files with 0, 1, and multiple Merkle tree levels.
+file_sizes=(0 4096 65536 65536 100000000)
+
+# Try both unsalted and salted, and check that empty salt is the same as no salt
+salts=('' '' '' '--salt=' '--salt=f3c93fa6fb828c0e1587e5714ecf6f56')
+
+# The expected file measurements are here rather than in the expected output
+# file because not all hash algorithms may be available.
+sha256_vals=(
+sha256:3d248ca542a24fc62d1c43b916eae5016878e2533c88238480b26128a1f1af95
+sha256:babc284ee4ffe7f449377fbf6692715b43aec7bc39c094a95878904d34bac97e
+sha256:011e3f2b1dc89b75d78cddcc2a1b85cd8a64b2883e5f20f277ae4c0617e0404f
+sha256:011e3f2b1dc89b75d78cddcc2a1b85cd8a64b2883e5f20f277ae4c0617e0404f
+sha256:9d33cab743468fcbe4edab91a275b30dd543c12dd5e6ce6f2f737f66a1558f06
+)
+sha512_vals=(
+sha512:ccf9e5aea1c2a64efa2f2354a6024b90dffde6bbc017825045dce374474e13d10adb9dadcc6ca8e17a3c075fbd31336e8f266ae6fa93a6c3bed66f9e784e5abf
+sha512:928922686c4caf32175f5236a7f964e9925d10a74dc6d8344a8bd08b23c228ff5792573987d7895f628f39c4f4ebe39a7367d7aeb16aaa0cd324ac1d53664e61
+sha512:eab7224ce374a0a4babcb2db25e24836247f38b87806ad9be9e5ba4daac2f5b814fc0cbdfd9f1f8499b3c9a6c1b38fe08974cce49883ab4ccd04462fd2f9507f
+sha512:eab7224ce374a0a4babcb2db25e24836247f38b87806ad9be9e5ba4daac2f5b814fc0cbdfd9f1f8499b3c9a6c1b38fe08974cce49883ab4ccd04462fd2f9507f
+sha512:f7083a38644880d25539488313e9e5b41a4d431a0e383945129ad2c36e3c1d0f28928a424641bb1363c12b6e770578102566acea73baf1ce8ee15336f5ba2446
+)
+
+test_alg()
+{
+ local alg=$1
+ local -n vals=${alg}_vals
+ local i
+ local file_size
+ local expected actual salt_arg
+
+ _fsv_scratch_begin_subtest "Check for expected measurement values ($alg)"
+
+ if ! _fsv_have_hash_algorithm $alg $fsv_file; then
+ if [ "$alg" = sha256 ]; then
+ _fail "Something is wrong - sha256 hash should always be available"
+ fi
+ return 0
+ fi
+
+ for i in ${!file_sizes[@]}; do
+ file_size=${file_sizes[$i]}
+ expected=${vals[$i]}
+ salt_arg=${salts[$i]}
+
+ head -c $file_size /dev/zero > $fsv_orig_file
+ cp $fsv_orig_file $fsv_file
+ _fsv_enable --hash-alg=$alg $salt_arg $fsv_file
+ actual=$(_fsv_measure $fsv_file)
+ if [ "$actual" != "$expected" ]; then
+ echo "Mismatch: expected $expected, kernel calculated $actual (file_size=$file_size)"
+ fi
+ cmp $fsv_orig_file $fsv_file
+ rm -f $fsv_file
+ done
+}
+
+for alg in ${algs[@]}; do
+ test_alg $alg
+done
+
+# success, all done
+status=0
+exit
diff --git a/tests/generic/903.out b/tests/generic/903.out
new file mode 100644
index 00000000..02508828
--- /dev/null
+++ b/tests/generic/903.out
@@ -0,0 +1,5 @@
+QA output created by 903
+
+# Check for expected measurement values (sha256)
+
+# Check for expected measurement values (sha512)
diff --git a/tests/generic/group b/tests/generic/group
index 22df626f..864bab46 100644
--- a/tests/generic/group
+++ b/tests/generic/group
@@ -573,3 +573,4 @@
900 auto quick verity
901 auto quick verity
902 auto quick verity
+903 auto quick verity
--
2.23.0.444.g18eeb5a265-goog
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH v4 7/8] generic: test using fs-verity and fscrypt simultaneously
2019-09-30 21:15 [PATCH v4 0/8] xfstests: add fs-verity tests Eric Biggers
` (5 preceding siblings ...)
2019-09-30 21:15 ` [PATCH v4 6/8] generic: test that fs-verity is using the correct measurement values Eric Biggers
@ 2019-09-30 21:15 ` Eric Biggers
2019-09-30 21:15 ` [PATCH v4 8/8] generic: test the fs-verity built-in signature verification support Eric Biggers
7 siblings, 0 replies; 9+ messages in thread
From: Eric Biggers @ 2019-09-30 21:15 UTC (permalink / raw)
To: fstests
Cc: linux-fscrypt, linux-ext4, linux-f2fs-devel, Jaegeuk Kim,
Theodore Y . Ts'o
From: Eric Biggers <ebiggers@google.com>
This primarily verifies correct ordering of the hooks for each feature:
fscrypt needs to be first.
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
tests/generic/904 | 80 +++++++++++++++++++++++++++++++++++++++++++
tests/generic/904.out | 12 +++++++
tests/generic/group | 1 +
3 files changed, 93 insertions(+)
create mode 100755 tests/generic/904
create mode 100644 tests/generic/904.out
diff --git a/tests/generic/904 b/tests/generic/904
new file mode 100755
index 00000000..61bdae22
--- /dev/null
+++ b/tests/generic/904
@@ -0,0 +1,80 @@
+#! /bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright 2018 Google LLC
+#
+# FS QA Test generic/904
+#
+# Test using fs-verity and fscrypt simultaneously. This primarily verifies
+# correct ordering of the hooks for each feature: fscrypt needs to be first.
+#
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1 # failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+_cleanup()
+{
+ cd /
+ rm -f $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/verity
+. ./common/encrypt
+
+# remove previous $seqres.full before test
+rm -f $seqres.full
+
+# real QA test starts here
+_supported_fs generic
+_supported_os Linux
+_require_scratch_verity
+_require_scratch_encryption
+_require_command "$KEYCTL_PROG" keyctl
+
+_scratch_mkfs_encrypted_verity &>> $seqres.full
+_scratch_mount
+
+fsv_orig_file=$tmp.file
+edir=$SCRATCH_MNT/edir
+fsv_file=$edir/file.fsv
+
+# Set up an encrypted directory.
+_new_session_keyring
+keydesc=$(_generate_encryption_key)
+mkdir $edir
+_set_encpolicy $edir $keydesc
+
+# Create a file within the encrypted directory and enable verity on it.
+# Then check that it has an encryption policy as well.
+head -c 100000 /dev/zero > $fsv_orig_file
+cp $fsv_orig_file $fsv_file
+_fsv_enable $fsv_file
+echo
+$XFS_IO_PROG -r -c "get_encpolicy" $fsv_file | _filter_scratch \
+ | sed 's/Master key descriptor:.*/Master key descriptor: 0000000000000000/'
+echo
+
+# Verify that the file contents are as expected. This should be going through
+# both the decryption and verity I/O paths.
+cmp $fsv_orig_file $fsv_file && echo "Files matched"
+
+# Just in case, try again after a mount cycle to empty the page cache.
+_scratch_cycle_mount
+cmp $fsv_orig_file $fsv_file && echo "Files matched"
+
+# Corrupt some bytes as a sanity check that fs-verity is really working.
+# This also verifies that the data on-disk is really encrypted, since otherwise
+# the data being written here would be identical to the old data.
+head -c 1000 /dev/zero | _fsv_scratch_corrupt_bytes $fsv_file 50000
+md5sum $fsv_file |& _filter_scratch
+
+# success, all done
+status=0
+exit
diff --git a/tests/generic/904.out b/tests/generic/904.out
new file mode 100644
index 00000000..5f4e249a
--- /dev/null
+++ b/tests/generic/904.out
@@ -0,0 +1,12 @@
+QA output created by 904
+
+Encryption policy for SCRATCH_MNT/edir/file.fsv:
+ Policy version: 0
+ Master key descriptor: 0000000000000000
+ Contents encryption mode: 1 (AES-256-XTS)
+ Filenames encryption mode: 4 (AES-256-CTS)
+ Flags: 0x02
+
+Files matched
+Files matched
+md5sum: SCRATCH_MNT/edir/file.fsv: Input/output error
diff --git a/tests/generic/group b/tests/generic/group
index 864bab46..c996542a 100644
--- a/tests/generic/group
+++ b/tests/generic/group
@@ -574,3 +574,4 @@
901 auto quick verity
902 auto quick verity
903 auto quick verity
+904 auto quick verity encrypt
--
2.23.0.444.g18eeb5a265-goog
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH v4 8/8] generic: test the fs-verity built-in signature verification support
2019-09-30 21:15 [PATCH v4 0/8] xfstests: add fs-verity tests Eric Biggers
` (6 preceding siblings ...)
2019-09-30 21:15 ` [PATCH v4 7/8] generic: test using fs-verity and fscrypt simultaneously Eric Biggers
@ 2019-09-30 21:15 ` Eric Biggers
7 siblings, 0 replies; 9+ messages in thread
From: Eric Biggers @ 2019-09-30 21:15 UTC (permalink / raw)
To: fstests
Cc: linux-fscrypt, linux-ext4, linux-f2fs-devel, Jaegeuk Kim,
Theodore Y . Ts'o
From: Eric Biggers <ebiggers@google.com>
Add a basic test for the fs-verity built-in signature verification
support, which is an optional feature where the kernel can be configured
to enforce that all verity files are accompanied with a valid signature
by a key that has been loaded into the fs-verity keyring.
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
common/config | 1 +
common/verity | 16 +++++
tests/generic/905 | 150 ++++++++++++++++++++++++++++++++++++++++++
tests/generic/905.out | 42 ++++++++++++
tests/generic/group | 1 +
5 files changed, 210 insertions(+)
create mode 100755 tests/generic/905
create mode 100644 tests/generic/905.out
diff --git a/common/config b/common/config
index fb4097b8..c7a1c61c 100644
--- a/common/config
+++ b/common/config
@@ -214,6 +214,7 @@ export XFS_INFO_PROG="$(type -P xfs_info)"
export DUPEREMOVE_PROG="$(type -P duperemove)"
export CC_PROG="$(type -P cc)"
export FSVERITY_PROG="$(type -P fsverity)"
+export OPENSSL_PROG="$(type -P openssl)"
# use 'udevadm settle' or 'udevsettle' to wait for lv to be settled.
# newer systems have udevadm command but older systems like RHEL5 don't.
diff --git a/common/verity b/common/verity
index a8aae51e..bcb5670d 100644
--- a/common/verity
+++ b/common/verity
@@ -45,6 +45,17 @@ _require_scratch_verity()
FSV_BLOCK_SIZE=$(get_page_size)
}
+# Check for CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y.
+_require_fsverity_builtin_signatures()
+{
+ if [ ! -e /proc/keys ]; then
+ _notrun "kernel doesn't support keyrings"
+ fi
+ if ! awk '{print $9}' /proc/keys | grep -q '^\.fs-verity:$'; then
+ _notrun "kernel doesn't support fs-verity builtin signatures"
+ fi
+}
+
_scratch_mkfs_verity()
{
case $FSTYP in
@@ -92,6 +103,11 @@ _fsv_measure()
$FSVERITY_PROG measure "$@" | awk '{print $1}'
}
+_fsv_sign()
+{
+ $FSVERITY_PROG sign "$@"
+}
+
# Generate a file, then enable verity on it.
_fsv_create_enable_file()
{
diff --git a/tests/generic/905 b/tests/generic/905
new file mode 100755
index 00000000..e42b012d
--- /dev/null
+++ b/tests/generic/905
@@ -0,0 +1,150 @@
+#! /bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright 2019 Google LLC
+#
+# FS QA Test generic/905
+#
+# Test the fs-verity built-in signature verification support.
+#
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1 # failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+_cleanup()
+{
+ sysctl -w fs.verity.require_signatures=0 &>/dev/null
+ cd /
+ rm -f $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/verity
+
+# remove previous $seqres.full before test
+rm -f $seqres.full
+
+# real QA test starts here
+_supported_fs generic
+_supported_os Linux
+_require_scratch_verity
+_require_fsverity_builtin_signatures
+_require_command "$OPENSSL_PROG" openssl
+_require_command "$KEYCTL_PROG" keyctl
+
+_scratch_mkfs_verity &>> $seqres.full
+_scratch_mount
+
+fsv_file=$SCRATCH_MNT/file.fsv
+fsv_orig_file=$SCRATCH_MNT/file
+keyfile=$tmp.key.pem
+certfile=$tmp.cert.pem
+certfileder=$tmp.cert.der
+sigfile=$tmp.sig
+otherfile=$SCRATCH_MNT/otherfile
+othersigfile=$tmp.othersig
+
+# Setup
+
+echo -e "\n# Generating certificates and private keys"
+for suffix in '' '.2'; do
+ if ! $OPENSSL_PROG req -newkey rsa:4096 -nodes -batch -x509 \
+ -keyout $keyfile$suffix -out $certfile$suffix \
+ &>> $seqres.full; then
+ _fail "Failed to generate certificate and private key (see $seqres.full)"
+ fi
+ $OPENSSL_PROG x509 -in $certfile$suffix -out $certfileder$suffix \
+ -outform der
+done
+
+echo -e "\n# Clearing fs-verity keyring"
+$KEYCTL_PROG clear %keyring:.fs-verity
+
+echo -e "\n# Loading first certificate into fs-verity keyring"
+$KEYCTL_PROG padd asymmetric '' %keyring:.fs-verity \
+ < $certfileder >> $seqres.full
+
+echo -e "\n# Enabling fs.verity.require_signatures"
+sysctl -w fs.verity.require_signatures=1
+
+echo -e "\n# Generating file and signing it for fs-verity"
+head -c 100000 /dev/zero > $fsv_orig_file
+for suffix in '' '.2'; do
+ _fsv_sign $fsv_orig_file $sigfile$suffix --key=$keyfile$suffix \
+ --cert=$certfile$suffix | _filter_scratch
+done
+
+echo -e "\n# Signing a different file for fs-verity"
+head -c 100000 /dev/zero | tr '\0' 'X' > $otherfile
+_fsv_sign $otherfile $othersigfile --key=$keyfile --cert=$certfile \
+ | _filter_scratch
+
+# Actual tests
+
+reset_fsv_file()
+{
+ rm -f $fsv_file
+ cp $fsv_orig_file $fsv_file
+}
+
+echo -e "\n# Enabling verity with valid signature (should succeed)"
+reset_fsv_file
+_fsv_enable $fsv_file --signature=$sigfile
+cmp $fsv_file $fsv_orig_file
+
+echo -e "\n# Enabling verity without signature (should fail)"
+reset_fsv_file
+_fsv_enable $fsv_file |& _filter_scratch
+
+echo -e "\n# Opening verity file without signature (should fail)"
+reset_fsv_file
+sysctl -w fs.verity.require_signatures=0 &>> $seqres.full
+_fsv_enable $fsv_file
+sysctl -w fs.verity.require_signatures=1 &>> $seqres.full
+_scratch_cycle_mount
+md5sum $fsv_file |& _filter_scratch
+
+echo -e "\n# Enabling verity with untrusted signature (should fail)"
+reset_fsv_file
+_fsv_enable $fsv_file --signature=$sigfile.2 |& _filter_scratch
+
+echo -e "\n# Enabling verity with wrong file's signature (should fail)"
+reset_fsv_file
+_fsv_enable $fsv_file --signature=$othersigfile |& _filter_scratch
+
+echo -e "\n# Enabling verity with malformed signature (should fail)"
+echo foobarbaz > $tmp.malformed_sig
+reset_fsv_file
+_fsv_enable $fsv_file --signature=$tmp.malformed_sig |& _filter_scratch
+
+echo -e "\n# Testing salt"
+reset_fsv_file
+_fsv_sign $fsv_orig_file $sigfile.salted --key=$keyfile --cert=$certfile \
+ --salt=abcd | _filter_scratch
+_fsv_enable $fsv_file --signature=$sigfile.salted --salt=abcd
+cmp $fsv_file $fsv_orig_file
+
+echo -e "\n# Testing non-default hash algorithm"
+if _fsv_have_hash_algorithm sha512 $fsv_file; then
+ reset_fsv_file
+ _fsv_sign $fsv_orig_file $sigfile.sha512 --key=$keyfile \
+ --cert=$certfile --hash-alg=sha512 > /dev/null
+ _fsv_enable $fsv_file --signature=$sigfile.sha512 --hash-alg=sha512
+ cmp $fsv_file $fsv_orig_file
+fi
+
+echo -e "\n# Testing empty file"
+echo -n > $fsv_file
+_fsv_sign $fsv_file $sigfile.emptyfile --key=$keyfile --cert=$certfile | \
+ _filter_scratch
+_fsv_enable $fsv_file --signature=$sigfile.emptyfile
+
+# success, all done
+status=0
+exit
diff --git a/tests/generic/905.out b/tests/generic/905.out
new file mode 100644
index 00000000..4b28757a
--- /dev/null
+++ b/tests/generic/905.out
@@ -0,0 +1,42 @@
+QA output created by 905
+
+# Generating certificates and private keys
+
+# Clearing fs-verity keyring
+
+# Loading first certificate into fs-verity keyring
+
+# Enabling fs.verity.require_signatures
+fs.verity.require_signatures = 1
+
+# Generating file and signing it for fs-verity
+Signed file 'SCRATCH_MNT/file' (sha256:ecabbfca4efd69a721be824965da10d27900b109549f96687b35a4d91d810dac)
+Signed file 'SCRATCH_MNT/file' (sha256:ecabbfca4efd69a721be824965da10d27900b109549f96687b35a4d91d810dac)
+
+# Signing a different file for fs-verity
+Signed file 'SCRATCH_MNT/otherfile' (sha256:b2a419c5a8c767a78c6275d6729794bf51e52ddf8713e31d12a93d61d961f49f)
+
+# Enabling verity with valid signature (should succeed)
+
+# Enabling verity without signature (should fail)
+ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Operation not permitted
+
+# Opening verity file without signature (should fail)
+md5sum: SCRATCH_MNT/file.fsv: Operation not permitted
+
+# Enabling verity with untrusted signature (should fail)
+ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Required key not available
+
+# Enabling verity with wrong file's signature (should fail)
+ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Key was rejected by service
+
+# Enabling verity with malformed signature (should fail)
+ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Bad message
+
+# Testing salt
+Signed file 'SCRATCH_MNT/file' (sha256:1cb173bcd199133eb80e9ea4f0f741001b9e73227aa8812685156f2bc8ff45f5)
+
+# Testing non-default hash algorithm
+
+# Testing empty file
+Signed file 'SCRATCH_MNT/file.fsv' (sha256:3d248ca542a24fc62d1c43b916eae5016878e2533c88238480b26128a1f1af95)
diff --git a/tests/generic/group b/tests/generic/group
index c996542a..78aba1e7 100644
--- a/tests/generic/group
+++ b/tests/generic/group
@@ -575,3 +575,4 @@
902 auto quick verity
903 auto quick verity
904 auto quick verity encrypt
+905 auto quick verity
--
2.23.0.444.g18eeb5a265-goog
^ permalink raw reply related [flat|nested] 9+ messages in thread
end of thread, other threads:[~2019-09-30 21:19 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-09-30 21:15 [PATCH v4 0/8] xfstests: add fs-verity tests Eric Biggers
2019-09-30 21:15 ` [PATCH v4 1/8] common/filter: add _filter_xfs_io_fiemap() Eric Biggers
2019-09-30 21:15 ` [PATCH v4 2/8] common/verity: add common functions for testing fs-verity Eric Biggers
2019-09-30 21:15 ` [PATCH v4 3/8] generic: test general behavior of verity files Eric Biggers
2019-09-30 21:15 ` [PATCH v4 4/8] generic: test access controls on the fs-verity ioctls Eric Biggers
2019-09-30 21:15 ` [PATCH v4 5/8] generic: test corrupting verity files Eric Biggers
2019-09-30 21:15 ` [PATCH v4 6/8] generic: test that fs-verity is using the correct measurement values Eric Biggers
2019-09-30 21:15 ` [PATCH v4 7/8] generic: test using fs-verity and fscrypt simultaneously Eric Biggers
2019-09-30 21:15 ` [PATCH v4 8/8] generic: test the fs-verity built-in signature verification support Eric Biggers
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).