2 # SPDX-License-Identifier: GPL-2.0
3 # Copyright 2018 Google LLC
5 # FS QA Test generic/576
7 # Test using fs-verity and fscrypt simultaneously. This primarily verifies
8 # correct ordering of the hooks for each feature: fscrypt needs to be first.
11 _begin_fstest auto quick verity encrypt
13 # Override the default cleanup function.
17 _restore_fsverity_signatures
21 # Import common functions.
26 # real QA test starts here
28 _require_scratch_verity
29 _require_scratch_encryption
30 _require_command "$KEYCTL_PROG" keyctl
31 _disable_fsverity_signatures
33 _scratch_mkfs_encrypted_verity &>> $seqres.full
36 fsv_orig_file=$tmp.file
37 edir=$SCRATCH_MNT/edir
38 fsv_file=$edir/file.fsv
40 # Set up an encrypted directory.
42 keydesc=$(_generate_session_encryption_key)
44 _set_encpolicy $edir $keydesc
46 # Create a file within the encrypted directory and enable verity on it.
47 # Then check that it has an encryption policy as well.
48 head -c 100000 /dev/zero > $fsv_orig_file
49 cp $fsv_orig_file $fsv_file
52 $XFS_IO_PROG -r -c "get_encpolicy" $fsv_file | _filter_scratch \
53 | sed 's/Master key descriptor:.*/Master key descriptor: 0000000000000000/'
56 # Verify that the file contents are as expected. This should be going through
57 # both the decryption and verity I/O paths.
58 cmp $fsv_orig_file $fsv_file && echo "Files matched"
60 # Just in case, try again after a mount cycle to empty the page cache.
62 cmp $fsv_orig_file $fsv_file && echo "Files matched"
64 # Corrupt some bytes as a sanity check that fs-verity is really working.
65 # This also verifies that the data on-disk is really encrypted, since otherwise
66 # the data being written here would be identical to the old data.
67 head -c 1000 /dev/zero | _fsv_scratch_corrupt_bytes $fsv_file 50000
68 md5sum $fsv_file |& _filter_scratch