From: Eric Biggers <ebiggers@kernel.org>
To: fstests@vger.kernel.org
Cc: linux-fscrypt@vger.kernel.org, Jaegeuk Kim <jaegeuk@kernel.org>,
Theodore Ts'o <tytso@mit.edu>,
Victor Hsieh <victorhsieh@google.com>
Subject: [PATCH v2 1/4] generic: factor out helpers for fs-verity built-in signatures
Date: Wed, 24 Feb 2021 14:35:34 -0800 [thread overview]
Message-ID: <20210224223537.110491-2-ebiggers@kernel.org> (raw)
In-Reply-To: <20210224223537.110491-1-ebiggers@kernel.org>
From: Eric Biggers <ebiggers@google.com>
The test for retrieving a verity file's built-in signature using
FS_IOC_READ_VERITY_METADATA will need to set up a file with a built-in
signature, which requires the same commands that generic/577 does.
Factor this out into helper functions in common/verity.
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
common/verity | 37 ++++++++++++++++++++++++++++++++++++-
tests/generic/577 | 15 +++------------
2 files changed, 39 insertions(+), 13 deletions(-)
diff --git a/common/verity b/common/verity
index a8d3de06..9a182240 100644
--- a/common/verity
+++ b/common/verity
@@ -48,12 +48,47 @@ _require_scratch_verity()
FSV_BLOCK_SIZE=$(get_page_size)
}
-# Check for CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y.
+# Check for CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y, as well as the userspace
+# commands needed to generate certificates and add them to the kernel.
_require_fsverity_builtin_signatures()
{
if [ ! -e /proc/sys/fs/verity/require_signatures ]; then
_notrun "kernel doesn't support fs-verity builtin signatures"
fi
+ _require_command "$OPENSSL_PROG" openssl
+ _require_command "$KEYCTL_PROG" keyctl
+}
+
+# Use the openssl program to generate a private key and a X.509 certificate for
+# use with fs-verity built-in signature verification, and convert the
+# certificate to DER format.
+_fsv_generate_cert()
+{
+ local keyfile=$1
+ local certfile=$2
+ local certfileder=$3
+
+ if ! $OPENSSL_PROG req -newkey rsa:4096 -nodes -batch -x509 \
+ -keyout $keyfile -out $certfile &>> $seqres.full; then
+ _fail "Failed to generate certificate and private key (see $seqres.full)"
+ fi
+ $OPENSSL_PROG x509 -in $certfile -out $certfileder -outform der
+}
+
+# Clear the .fs-verity keyring.
+_fsv_clear_keyring()
+{
+ $KEYCTL_PROG clear %keyring:.fs-verity
+}
+
+# Load the given X.509 certificate in DER format into the .fs-verity keyring so
+# that the kernel can use it to verify built-in signatures.
+_fsv_load_cert()
+{
+ local certfileder=$1
+
+ $KEYCTL_PROG padd asymmetric '' %keyring:.fs-verity \
+ < $certfileder >> $seqres.full
}
# Disable mandatory signatures for fs-verity files, if they are supported.
diff --git a/tests/generic/577 b/tests/generic/577
index 0e945942..114463be 100755
--- a/tests/generic/577
+++ b/tests/generic/577
@@ -34,8 +34,6 @@ rm -f $seqres.full
_supported_fs generic
_require_scratch_verity
_require_fsverity_builtin_signatures
-_require_command "$OPENSSL_PROG" openssl
-_require_command "$KEYCTL_PROG" keyctl
_scratch_mkfs_verity &>> $seqres.full
_scratch_mount
@@ -53,21 +51,14 @@ othersigfile=$tmp.othersig
echo -e "\n# Generating certificates and private keys"
for suffix in '' '.2'; do
- if ! $OPENSSL_PROG req -newkey rsa:4096 -nodes -batch -x509 \
- -keyout $keyfile$suffix -out $certfile$suffix \
- &>> $seqres.full; then
- _fail "Failed to generate certificate and private key (see $seqres.full)"
- fi
- $OPENSSL_PROG x509 -in $certfile$suffix -out $certfileder$suffix \
- -outform der
+ _fsv_generate_cert $keyfile$suffix $certfile$suffix $certfileder$suffix
done
echo -e "\n# Clearing fs-verity keyring"
-$KEYCTL_PROG clear %keyring:.fs-verity
+_fsv_clear_keyring
echo -e "\n# Loading first certificate into fs-verity keyring"
-$KEYCTL_PROG padd asymmetric '' %keyring:.fs-verity \
- < $certfileder >> $seqres.full
+_fsv_load_cert $certfileder
echo -e "\n# Enabling fs.verity.require_signatures"
_enable_fsverity_signatures
--
2.30.1
next prev parent reply other threads:[~2021-02-24 22:37 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-24 22:35 [PATCH v2 0/4] Test the FS_IOC_READ_VERITY_METADATA ioctl Eric Biggers
2021-02-24 22:35 ` Eric Biggers [this message]
2021-02-24 22:35 ` [PATCH v2 2/4] generic: add helpers for dumping fs-verity metadata Eric Biggers
2021-02-24 22:35 ` [PATCH v2 3/4] generic: test retrieving verity Merkle tree and descriptor Eric Biggers
2021-02-24 22:35 ` [PATCH v2 4/4] generic: test retrieving verity signature Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210224223537.110491-2-ebiggers@kernel.org \
--to=ebiggers@kernel.org \
--cc=fstests@vger.kernel.org \
--cc=jaegeuk@kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=tytso@mit.edu \
--cc=victorhsieh@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.