2 # SPDX-License-Identifier: GPL-2.0
3 # Copyright 2018 Google LLC
5 # FS QA Test generic/572
7 # This is a basic fs-verity test which verifies:
9 # - conditions for enabling verity
10 # - verity files have correct contents and size
11 # - can't change contents of verity files, but can change metadata
12 # - can retrieve a verity file's measurement via FS_IOC_MEASURE_VERITY
15 _begin_fstest auto quick verity
17 # Override the default cleanup function.
21 _restore_fsverity_signatures
25 # Import common functions.
29 # real QA test starts here
31 _require_scratch_verity
32 _disable_fsverity_signatures
34 _scratch_mkfs_verity &>> $seqres.full
36 fsv_orig_file=$SCRATCH_MNT/file
37 fsv_file=$SCRATCH_MNT/file.fsv
41 _filter_bash | _filter_scratch
44 verify_data_readable()
48 md5sum $file > /dev/null
51 verify_data_unreadable()
55 # try both reading just the first data block, and reading until EOF
56 head -c $FSV_BLOCK_SIZE $file 2>&1 >/dev/null | filter_output
57 md5sum $file |& filter_output
60 _fsv_scratch_begin_subtest "Enabling verity on file with verity already enabled fails with EEXIST"
61 _fsv_create_enable_file $fsv_file
63 _fsv_enable $fsv_file |& filter_output
65 _fsv_scratch_begin_subtest "Enabling verity with invalid hash algorithm fails with EINVAL"
66 _fsv_create_enable_file $fsv_file --hash-alg=257 |& filter_output
67 verify_data_readable $fsv_file
69 _fsv_scratch_begin_subtest "Enabling verity with invalid block size fails with EINVAL"
70 _fsv_create_enable_file $fsv_file --block-size=1 |& filter_output
71 verify_data_readable $fsv_file
73 _fsv_scratch_begin_subtest "Enabling verity on directory fails with EISDIR"
74 mkdir $SCRATCH_MNT/dir
75 _fsv_enable $SCRATCH_MNT/dir |& filter_output
77 _fsv_scratch_begin_subtest "Enabling verity with too-long salt fails with EMSGSIZE"
78 _fsv_create_enable_file $fsv_file --salt=$(perl -e 'print "A" x 1000') |& filter_output
79 verify_data_readable $fsv_file
81 _fsv_scratch_begin_subtest "Enabling verity on file on read-only filesystem fails with EROFS"
84 _fsv_enable $fsv_file |& filter_output
87 _fsv_scratch_begin_subtest "Enabling verity on file open for writing fails with ETXTBSY"
90 _fsv_enable $fsv_file |& filter_output
92 verify_data_readable $fsv_file
94 _fsv_scratch_begin_subtest "Enabling verity can be interrupted"
95 dd if=/dev/zero of=$fsv_file bs=1 count=0 seek=$((1 << 34)) status=none
96 start_time=$(date +%s)
97 $FSVERITY_PROG enable $fsv_file &
101 elapsed=$(( $(date +%s) - start_time ))
102 if (( elapsed > 5 )); then
103 echo "Failed to interrupt FS_IOC_ENABLE_VERITY ($elapsed seconds elapsed)"
106 _fsv_scratch_begin_subtest "Enabling verity on file with verity already being enabled fails with EBUSY"
107 dd if=/dev/zero of=$fsv_file bs=1 count=0 seek=$((1 << 34)) status=none
108 start_time=$(date +%s)
109 $FSVERITY_PROG enable $fsv_file &
111 _fsv_enable $fsv_file |& filter_output
115 _fsv_scratch_begin_subtest "verity file can't be opened for writing"
116 _fsv_create_enable_file $fsv_file >> $seqres.full
118 $XFS_IO_PROG -r $fsv_file -c ''
119 echo "* xfs_io writing, should be O_RDWR"
120 $XFS_IO_PROG $fsv_file -c '' |& filter_output
121 echo "* bash >>, should be O_APPEND"
122 bash -c "echo >> $fsv_file" |& filter_output
123 echo "* bash >, should be O_WRONLY|O_CREAT|O_TRUNC"
124 bash -c "echo > $fsv_file" |& filter_output
126 _fsv_scratch_begin_subtest "verity file can be read"
127 _fsv_create_enable_file $fsv_file >> $seqres.full
128 verify_data_readable $fsv_file
130 _fsv_scratch_begin_subtest "verity file can be measured"
131 _fsv_create_enable_file $fsv_file >> $seqres.full
132 _fsv_measure $fsv_file
134 _fsv_scratch_begin_subtest "verity file can be renamed"
135 _fsv_create_enable_file $fsv_file
136 mv $fsv_file $fsv_file.newname
138 _fsv_scratch_begin_subtest "verity file can be unlinked"
139 _fsv_create_enable_file $fsv_file
142 _fsv_scratch_begin_subtest "verity file can be linked to"
143 _fsv_create_enable_file $fsv_file
144 ln $fsv_file $fsv_file.newname
146 _fsv_scratch_begin_subtest "verity file can be chmodded"
147 _fsv_create_enable_file $fsv_file
151 _fsv_scratch_begin_subtest "verity file can be chowned"
152 _fsv_create_enable_file $fsv_file
156 _fsv_scratch_begin_subtest "verity file has correct contents and size"
157 head -c 100000 /dev/urandom > $fsv_orig_file
158 cp $fsv_orig_file $fsv_file
159 _fsv_enable $fsv_file >> $seqres.full
160 cmp $fsv_file $fsv_orig_file
161 _get_filesize $fsv_file
163 cmp $fsv_file $fsv_orig_file
164 _get_filesize $fsv_file
166 _fsv_scratch_begin_subtest "Trying to measure non-verity file fails with ENODATA"
168 _fsv_measure $fsv_file |& filter_output
169 verify_data_readable $fsv_file
171 # Test files <= 1 block in size. These are a bit of a special case since there
172 # are no hash blocks; the root hash is calculated directly over the data block.
173 for size in 1 $((FSV_BLOCK_SIZE - 1)) $FSV_BLOCK_SIZE; do
174 _fsv_scratch_begin_subtest "verity on $size-byte file"
175 head -c $size /dev/urandom > $fsv_orig_file
176 cp $fsv_orig_file $fsv_file
177 _fsv_enable $fsv_file
178 cmp $fsv_orig_file $fsv_file && echo "Files matched"
182 _fsv_scratch_begin_subtest "verity on 100M file (multiple levels in hash tree)"
183 head -c 100000000 /dev/urandom > $fsv_orig_file
184 cp $fsv_orig_file $fsv_file
185 _fsv_enable $fsv_file
186 cmp $fsv_orig_file $fsv_file && echo "Files matched"
188 _fsv_scratch_begin_subtest "verity on sparse file"
189 dd if=/dev/zero of=$fsv_orig_file bs=1 count=1 seek=1000000 status=none
190 cp $fsv_orig_file $fsv_file
191 _fsv_enable $fsv_file
192 cmp $fsv_orig_file $fsv_file && echo "Files matched"