From: Eric Biggers <ebiggers@kernel.org>
To: fstests@vger.kernel.org
Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
Theodore Ts'o <tytso@mit.edu>, Jaegeuk Kim <jaegeuk@kernel.org>,
Victor Hsieh <victorhsieh@google.com>
Subject: [xfstests RFC PATCH 1/4] generic: factor out helpers for fs-verity built-in signatures
Date: Fri, 15 Jan 2021 10:28:34 -0800 [thread overview]
Message-ID: <20210115182837.36333-2-ebiggers@kernel.org> (raw)
In-Reply-To: <20210115182837.36333-1-ebiggers@kernel.org>
From: Eric Biggers <ebiggers@google.com>
The test for retrieving a verity file's built-in signature using
FS_IOC_READ_VERITY_METADATA will need to set up a file with a built-in
signature, which requires the same commands that generic/577 does.
Factor this out into helper functions in common/verity.
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
common/verity | 37 ++++++++++++++++++++++++++++++++++++-
tests/generic/577 | 15 +++------------
2 files changed, 39 insertions(+), 13 deletions(-)
diff --git a/common/verity b/common/verity
index a8d3de06..9a182240 100644
--- a/common/verity
+++ b/common/verity
@@ -48,12 +48,47 @@ _require_scratch_verity()
FSV_BLOCK_SIZE=$(get_page_size)
}
-# Check for CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y.
+# Check for CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y, as well as the userspace
+# commands needed to generate certificates and add them to the kernel.
_require_fsverity_builtin_signatures()
{
if [ ! -e /proc/sys/fs/verity/require_signatures ]; then
_notrun "kernel doesn't support fs-verity builtin signatures"
fi
+ _require_command "$OPENSSL_PROG" openssl
+ _require_command "$KEYCTL_PROG" keyctl
+}
+
+# Use the openssl program to generate a private key and a X.509 certificate for
+# use with fs-verity built-in signature verification, and convert the
+# certificate to DER format.
+_fsv_generate_cert()
+{
+ local keyfile=$1
+ local certfile=$2
+ local certfileder=$3
+
+ if ! $OPENSSL_PROG req -newkey rsa:4096 -nodes -batch -x509 \
+ -keyout $keyfile -out $certfile &>> $seqres.full; then
+ _fail "Failed to generate certificate and private key (see $seqres.full)"
+ fi
+ $OPENSSL_PROG x509 -in $certfile -out $certfileder -outform der
+}
+
+# Clear the .fs-verity keyring.
+_fsv_clear_keyring()
+{
+ $KEYCTL_PROG clear %keyring:.fs-verity
+}
+
+# Load the given X.509 certificate in DER format into the .fs-verity keyring so
+# that the kernel can use it to verify built-in signatures.
+_fsv_load_cert()
+{
+ local certfileder=$1
+
+ $KEYCTL_PROG padd asymmetric '' %keyring:.fs-verity \
+ < $certfileder >> $seqres.full
}
# Disable mandatory signatures for fs-verity files, if they are supported.
diff --git a/tests/generic/577 b/tests/generic/577
index 0e945942..114463be 100755
--- a/tests/generic/577
+++ b/tests/generic/577
@@ -34,8 +34,6 @@ rm -f $seqres.full
_supported_fs generic
_require_scratch_verity
_require_fsverity_builtin_signatures
-_require_command "$OPENSSL_PROG" openssl
-_require_command "$KEYCTL_PROG" keyctl
_scratch_mkfs_verity &>> $seqres.full
_scratch_mount
@@ -53,21 +51,14 @@ othersigfile=$tmp.othersig
echo -e "\n# Generating certificates and private keys"
for suffix in '' '.2'; do
- if ! $OPENSSL_PROG req -newkey rsa:4096 -nodes -batch -x509 \
- -keyout $keyfile$suffix -out $certfile$suffix \
- &>> $seqres.full; then
- _fail "Failed to generate certificate and private key (see $seqres.full)"
- fi
- $OPENSSL_PROG x509 -in $certfile$suffix -out $certfileder$suffix \
- -outform der
+ _fsv_generate_cert $keyfile$suffix $certfile$suffix $certfileder$suffix
done
echo -e "\n# Clearing fs-verity keyring"
-$KEYCTL_PROG clear %keyring:.fs-verity
+_fsv_clear_keyring
echo -e "\n# Loading first certificate into fs-verity keyring"
-$KEYCTL_PROG padd asymmetric '' %keyring:.fs-verity \
- < $certfileder >> $seqres.full
+_fsv_load_cert $certfileder
echo -e "\n# Enabling fs.verity.require_signatures"
_enable_fsverity_signatures
--
2.30.0
next prev parent reply other threads:[~2021-01-15 18:31 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-15 18:28 [xfstests RFC PATCH 0/4] Test the FS_IOC_READ_VERITY_METADATA ioctl Eric Biggers
2021-01-15 18:28 ` Eric Biggers [this message]
2021-01-15 18:28 ` [xfstests RFC PATCH 2/4] generic: add helpers for dumping fs-verity metadata Eric Biggers
2021-01-15 18:28 ` [xfstests RFC PATCH 3/4] generic: test retrieving verity Merkle tree and descriptor Eric Biggers
2021-01-15 18:28 ` [xfstests RFC PATCH 4/4] generic: test retrieving verity signature Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210115182837.36333-2-ebiggers@kernel.org \
--to=ebiggers@kernel.org \
--cc=fstests@vger.kernel.org \
--cc=jaegeuk@kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-fscrypt@vger.kernel.org \
--cc=tytso@mit.edu \
--cc=victorhsieh@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).