2 # SPDX-License-Identifier: GPL-2.0
3 # Copyright 2019 Google LLC
5 # FS QA Test generic/577
7 # Test the fs-verity built-in signature verification support.
10 _begin_fstest auto quick verity
12 # Override the default cleanup function.
16 _restore_fsverity_signatures
20 # Import common functions.
24 # real QA test starts here
26 _require_scratch_verity
27 _require_fsverity_builtin_signatures
29 _scratch_mkfs_verity &>> $seqres.full
32 fsv_file=$SCRATCH_MNT/file.fsv
33 fsv_orig_file=$SCRATCH_MNT/file
35 certfile=$tmp.cert.pem
36 certfileder=$tmp.cert.der
38 otherfile=$SCRATCH_MNT/otherfile
39 othersigfile=$tmp.othersig
43 echo -e "\n# Generating certificates and private keys"
44 for suffix in '' '.2'; do
45 _fsv_generate_cert $keyfile$suffix $certfile$suffix $certfileder$suffix
48 echo -e "\n# Clearing fs-verity keyring"
51 echo -e "\n# Loading first certificate into fs-verity keyring"
52 _fsv_load_cert $certfileder
54 echo -e "\n# Enabling fs.verity.require_signatures"
55 _enable_fsverity_signatures
57 echo -e "\n# Generating file and signing it for fs-verity"
58 head -c 100000 /dev/zero > $fsv_orig_file
59 for suffix in '' '.2'; do
60 _fsv_sign $fsv_orig_file $sigfile$suffix --key=$keyfile$suffix \
61 --cert=$certfile$suffix | _filter_scratch
64 echo -e "\n# Signing a different file for fs-verity"
65 head -c 100000 /dev/zero | tr '\0' 'X' > $otherfile
66 _fsv_sign $otherfile $othersigfile --key=$keyfile --cert=$certfile \
74 cp $fsv_orig_file $fsv_file
77 echo -e "\n# Enabling verity with valid signature (should succeed)"
79 _fsv_enable $fsv_file --signature=$sigfile
80 cmp $fsv_file $fsv_orig_file
82 echo -e "\n# Enabling verity without signature (should fail)"
84 _fsv_enable $fsv_file |& _filter_scratch
86 echo -e "\n# Opening verity file without signature (should fail)"
88 _disable_fsverity_signatures
90 _enable_fsverity_signatures
92 md5sum $fsv_file |& _filter_scratch
94 echo -e "\n# Enabling verity with untrusted signature (should fail)"
96 _fsv_enable $fsv_file --signature=$sigfile.2 |& _filter_scratch
98 echo -e "\n# Enabling verity with wrong file's signature (should fail)"
100 _fsv_enable $fsv_file --signature=$othersigfile |& _filter_scratch
102 echo -e "\n# Enabling verity with malformed signature (should fail)"
103 echo foobarbaz > $tmp.malformed_sig
105 _fsv_enable $fsv_file --signature=$tmp.malformed_sig |& _filter_scratch
107 echo -e "\n# Testing salt"
109 _fsv_sign $fsv_orig_file $sigfile.salted --key=$keyfile --cert=$certfile \
110 --salt=abcd | _filter_scratch
111 _fsv_enable $fsv_file --signature=$sigfile.salted --salt=abcd
112 cmp $fsv_file $fsv_orig_file
114 echo -e "\n# Testing non-default hash algorithm"
115 if _fsv_have_hash_algorithm sha512 $fsv_file; then
117 _fsv_sign $fsv_orig_file $sigfile.sha512 --key=$keyfile \
118 --cert=$certfile --hash-alg=sha512 > /dev/null
119 _fsv_enable $fsv_file --signature=$sigfile.sha512 --hash-alg=sha512
120 cmp $fsv_file $fsv_orig_file
123 echo -e "\n# Testing empty file"
125 _fsv_sign $fsv_file $sigfile.emptyfile --key=$keyfile --cert=$certfile | \
127 _fsv_enable $fsv_file --signature=$sigfile.emptyfile