2 # SPDX-License-Identifier: GPL-2.0
3 # Copyright 2019 Google LLC
5 # FS QA Test generic/577
7 # Test the fs-verity built-in signature verification support.
10 seqres=$RESULT_DIR/$seq
11 echo "QA output created by $seq"
15 status=1 # failure is the default!
16 trap "_cleanup; exit \$status" 0 1 2 3 15
21 _restore_fsverity_signatures
25 # get standard environment, filters and checks
30 # remove previous $seqres.full before test
33 # real QA test starts here
35 _require_scratch_verity
36 _require_fsverity_builtin_signatures
38 _scratch_mkfs_verity &>> $seqres.full
41 fsv_file=$SCRATCH_MNT/file.fsv
42 fsv_orig_file=$SCRATCH_MNT/file
44 certfile=$tmp.cert.pem
45 certfileder=$tmp.cert.der
47 otherfile=$SCRATCH_MNT/otherfile
48 othersigfile=$tmp.othersig
52 echo -e "\n# Generating certificates and private keys"
53 for suffix in '' '.2'; do
54 _fsv_generate_cert $keyfile$suffix $certfile$suffix $certfileder$suffix
57 echo -e "\n# Clearing fs-verity keyring"
60 echo -e "\n# Loading first certificate into fs-verity keyring"
61 _fsv_load_cert $certfileder
63 echo -e "\n# Enabling fs.verity.require_signatures"
64 _enable_fsverity_signatures
66 echo -e "\n# Generating file and signing it for fs-verity"
67 head -c 100000 /dev/zero > $fsv_orig_file
68 for suffix in '' '.2'; do
69 _fsv_sign $fsv_orig_file $sigfile$suffix --key=$keyfile$suffix \
70 --cert=$certfile$suffix | _filter_scratch
73 echo -e "\n# Signing a different file for fs-verity"
74 head -c 100000 /dev/zero | tr '\0' 'X' > $otherfile
75 _fsv_sign $otherfile $othersigfile --key=$keyfile --cert=$certfile \
83 cp $fsv_orig_file $fsv_file
86 echo -e "\n# Enabling verity with valid signature (should succeed)"
88 _fsv_enable $fsv_file --signature=$sigfile
89 cmp $fsv_file $fsv_orig_file
91 echo -e "\n# Enabling verity without signature (should fail)"
93 _fsv_enable $fsv_file |& _filter_scratch
95 echo -e "\n# Opening verity file without signature (should fail)"
97 _disable_fsverity_signatures
99 _enable_fsverity_signatures
101 md5sum $fsv_file |& _filter_scratch
103 echo -e "\n# Enabling verity with untrusted signature (should fail)"
105 _fsv_enable $fsv_file --signature=$sigfile.2 |& _filter_scratch
107 echo -e "\n# Enabling verity with wrong file's signature (should fail)"
109 _fsv_enable $fsv_file --signature=$othersigfile |& _filter_scratch
111 echo -e "\n# Enabling verity with malformed signature (should fail)"
112 echo foobarbaz > $tmp.malformed_sig
114 _fsv_enable $fsv_file --signature=$tmp.malformed_sig |& _filter_scratch
116 echo -e "\n# Testing salt"
118 _fsv_sign $fsv_orig_file $sigfile.salted --key=$keyfile --cert=$certfile \
119 --salt=abcd | _filter_scratch
120 _fsv_enable $fsv_file --signature=$sigfile.salted --salt=abcd
121 cmp $fsv_file $fsv_orig_file
123 echo -e "\n# Testing non-default hash algorithm"
124 if _fsv_have_hash_algorithm sha512 $fsv_file; then
126 _fsv_sign $fsv_orig_file $sigfile.sha512 --key=$keyfile \
127 --cert=$certfile --hash-alg=sha512 > /dev/null
128 _fsv_enable $fsv_file --signature=$sigfile.sha512 --hash-alg=sha512
129 cmp $fsv_file $fsv_orig_file
132 echo -e "\n# Testing empty file"
134 _fsv_sign $fsv_file $sigfile.emptyfile --key=$keyfile --cert=$certfile | \
136 _fsv_enable $fsv_file --signature=$sigfile.emptyfile