2 # SPDX-License-Identifier: GPL-2.0
3 # Copyright 2019 Google LLC
5 # FS QA Test generic/577
7 # Test the fs-verity built-in signature verification support.
# Per-test result path prefix; verbose output is appended to $seqres.full below.
10 seqres=$RESULT_DIR/$seq
11 echo "QA output created by $seq"
# Start pessimistic: the trap below exits with $status, so any early abort is
# reported as a failure.
15 status=1 # failure is the default!
# Run _cleanup on shell exit (0) and on signals 1, 2, 3 and 15. The escaped
# \$status is expanded when the trap fires, not when it is installed.
16 trap "_cleanup; exit \$status" 0 1 2 3 15
# NOTE(review): this listing omits lines, so the context of the next command is
# not visible; presumably it is part of _cleanup - confirm.
# It forces fs.verity.require_signatures to 0 rather than restoring the value
# that was in effect before the test. A host that enforced signatures beforehand
# is left with enforcement off; saving the old value and writing it back would
# avoid that. Errors are discarded (&>/dev/null), so a failed reset is silent.
20 sysctl -w fs.verity.require_signatures=0 &>/dev/null
25 # get standard environment, filters and checks
30 # remove previous $seqres.full before test
33 # real QA test starts here
# Precondition checks (helpers defined outside this listing): verity on the
# scratch filesystem, built-in signature support, and the openssl and keyctl
# binaries.
36 _require_scratch_verity
37 _require_fsverity_builtin_signatures
38 _require_command "$OPENSSL_PROG" openssl
39 _require_command "$KEYCTL_PROG" keyctl
# Create the scratch filesystem; all output is appended to the .full log.
41 _scratch_mkfs_verity &>> $seqres.full
# Files on the scratch mount: the one verity is enabled on, and the pristine
# original it is compared against.
44 fsv_file=$SCRATCH_MNT/file.fsv
45 fsv_orig_file=$SCRATCH_MNT/file
# Certificate in PEM and DER form, under the $tmp prefix.
# NOTE(review): $keyfile and $sigfile are used later but their assignments are
# not present in this listing.
47 certfile=$tmp.cert.pem
48 certfileder=$tmp.cert.der
# A second file with different content, and the signature made over it; used for
# the "wrong file's signature" case.
50 otherfile=$SCRATCH_MNT/otherfile
51 othersigfile=$tmp.othersig
55 echo -e "\n# Generating certificates and private keys"
# Two independent self-signed RSA-4096 key/certificate pairs, suffix '' and
# suffix '.2'. Only the first certificate is loaded into the keyring later, so
# the '.2' pair serves as the untrusted signer in the negative test.
# -nodes writes the private key unencrypted and -batch suppresses prompts; that
# is acceptable only because these are throwaway test keys.
56 for suffix in '' '.2'; do
57 if ! $OPENSSL_PROG req -newkey rsa:4096 -nodes -batch -x509 \
58 -keyout $keyfile$suffix -out $certfile$suffix \
59 &>> $seqres.full; then
60 _fail "Failed to generate certificate and private key (see $seqres.full)"
# Re-encode the certificate into $certfileder$suffix, the file later fed to
# keyctl. The rest of this command is cut off in this listing.
62 $OPENSSL_PROG x509 -in $certfile$suffix -out $certfileder$suffix \
66 echo -e "\n# Clearing fs-verity keyring"
# Empties the .fs-verity keyring. Certificates that were already loaded there
# are removed, and nothing visible in this listing puts them back, so the test
# should not run on a machine that relies on fs-verity signatures.
67 $KEYCTL_PROG clear %keyring:.fs-verity
69 echo -e "\n# Loading first certificate into fs-verity keyring"
# Only the un-suffixed DER certificate is added (as an asymmetric key with an
# empty description); it is the sole trusted signer for the rest of the test.
70 $KEYCTL_PROG padd asymmetric '' %keyring:.fs-verity \
71 < $certfileder >> $seqres.full
73 echo -e "\n# Enabling fs.verity.require_signatures"
# From here on the cases marked "should fail" expect unsigned or badly signed
# files to be rejected. The sysctl is a system-wide setting, not scoped to the
# scratch filesystem.
74 sysctl -w fs.verity.require_signatures=1
76 echo -e "\n# Generating file and signing it for fs-verity"
# Reference content: 100000 zero bytes.
77 head -c 100000 /dev/zero > $fsv_orig_file
# Sign the same file with both key pairs, giving $sigfile (certificate loaded in
# the keyring) and $sigfile.2 (certificate never loaded).
78 for suffix in '' '.2'; do
79 _fsv_sign $fsv_orig_file $sigfile$suffix --key=$keyfile$suffix \
80 --cert=$certfile$suffix | _filter_scratch
83 echo -e "\n# Signing a different file for fs-verity"
# Same length but every byte is 'X' instead of NUL, signed with the first key:
# a signature from the trusted signer that belongs to another file.
84 head -c 100000 /dev/zero | tr '\0' 'X' > $otherfile
85 _fsv_sign $otherfile $othersigfile --key=$keyfile --cert=$certfile \
# Copy the pristine file to the path verity is enabled on.
# NOTE(review): the lines around this copy are missing from the listing;
# presumably it runs before each case so every attempt starts from a file
# without verity - confirm.
93 cp $fsv_orig_file $fsv_file
96 echo -e "\n# Enabling verity with valid signature (should succeed)"
# Positive control: signature from the loaded certificate over this exact
# content, followed by a byte-for-byte comparison with the original.
98 _fsv_enable $fsv_file --signature=$sigfile
99 cmp $fsv_file $fsv_orig_file
101 echo -e "\n# Enabling verity without signature (should fail)"
# No --signature while require_signatures=1. stderr is piped through the filter
# as well (|&), so the error text becomes part of the compared output.
103 _fsv_enable $fsv_file |& _filter_scratch
105 echo -e "\n# Opening verity file without signature (should fail)"
# Enforcement is switched off only for the enable call and back on before the
# file is read; the md5sum read is the step expected to fail.
# NOTE(review): enforcement is off system-wide during this window.
107 sysctl -w fs.verity.require_signatures=0 &>> $seqres.full
108 _fsv_enable $fsv_file
109 sysctl -w fs.verity.require_signatures=1 &>> $seqres.full
111 md5sum $fsv_file |& _filter_scratch
113 echo -e "\n# Enabling verity with untrusted signature (should fail)"
# $sigfile.2 was made with the second key, whose certificate was never loaded
# into the keyring.
115 _fsv_enable $fsv_file --signature=$sigfile.2 |& _filter_scratch
117 echo -e "\n# Enabling verity with wrong file's signature (should fail)"
# The signature comes from the trusted key but was computed over $otherfile.
119 _fsv_enable $fsv_file --signature=$othersigfile |& _filter_scratch
121 echo -e "\n# Enabling verity with malformed signature (should fail)"
# Arbitrary text in place of a signature: checks that unparsable input is
# rejected rather than accepted or ignored.
122 echo foobarbaz > $tmp.malformed_sig
124 _fsv_enable $fsv_file --signature=$tmp.malformed_sig |& _filter_scratch
126 echo -e "\n# Testing salt"
# The same salt value (abcd) is passed to both the signing and the enabling
# step, then the content is compared with the original.
128 _fsv_sign $fsv_orig_file $sigfile.salted --key=$keyfile --cert=$certfile \
129 --salt=abcd | _filter_scratch
130 _fsv_enable $fsv_file --signature=$sigfile.salted --salt=abcd
131 cmp $fsv_file $fsv_orig_file
133 echo -e "\n# Testing non-default hash algorithm"
# Runs only when the helper reports sha512 as available for this file. The
# signer's output is discarded here instead of being filtered into the test
# output.
134 if _fsv_have_hash_algorithm sha512 $fsv_file; then
136 _fsv_sign $fsv_orig_file $sigfile.sha512 --key=$keyfile \
137 --cert=$certfile --hash-alg=sha512 > /dev/null
138 _fsv_enable $fsv_file --signature=$sigfile.sha512 --hash-alg=sha512
139 cmp $fsv_file $fsv_orig_file
142 echo -e "\n# Testing empty file"
# Here $fsv_file itself is signed, not $fsv_orig_file.
# NOTE(review): the step that makes the file empty and the tail of the signing
# pipeline are missing from this listing.
144 _fsv_sign $fsv_file $sigfile.emptyfile --key=$keyfile --cert=$certfile | \
146 _fsv_enable $fsv_file --signature=$sigfile.emptyfile