# default. E.g., ext4 only supports verity on extent-based files, so it
# doesn't work on ext3-style filesystems. So, try actually using it.
echo foo > $SCRATCH_MNT/tmpfile
+ _disable_fsverity_signatures
if ! _fsv_enable $SCRATCH_MNT/tmpfile; then
+ _restore_fsverity_signatures
_notrun "$FSTYP verity isn't usable by default with these mkfs options"
fi
+ _restore_fsverity_signatures
rm -f $SCRATCH_MNT/tmpfile
_scratch_unmount
FSV_BLOCK_SIZE=$(get_page_size)
}
-# Check for CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y.
+# Check for CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y, as well as the userspace
+# commands needed to generate certificates and add them to the kernel.
_require_fsverity_builtin_signatures()
{
- if [ ! -e /proc/keys ]; then
- _notrun "kernel doesn't support keyrings"
- fi
- if ! awk '{print $9}' /proc/keys | grep -q '^\.fs-verity:$'; then
+ if [ ! -e /proc/sys/fs/verity/require_signatures ]; then
_notrun "kernel doesn't support fs-verity builtin signatures"
fi
+ _require_command "$OPENSSL_PROG" openssl
+ _require_command "$KEYCTL_PROG" keyctl
+}
+
+# Use the openssl program to generate a private key and a X.509 certificate for
+# use with fs-verity built-in signature verification, and convert the
+# certificate to DER format.
+_fsv_generate_cert()
+{
+ local keyfile=$1
+ local certfile=$2
+ local certfileder=$3
+
+ if ! $OPENSSL_PROG req -newkey rsa:4096 -nodes -batch -x509 \
+ -keyout $keyfile -out $certfile &>> $seqres.full; then
+ _fail "Failed to generate certificate and private key (see $seqres.full)"
+ fi
+ $OPENSSL_PROG x509 -in $certfile -out $certfileder -outform der
+}
+
+# Clear the .fs-verity keyring.
+_fsv_clear_keyring()
+{
+ $KEYCTL_PROG clear %keyring:.fs-verity
+}
+
+# Load the given X.509 certificate in DER format into the .fs-verity keyring so
+# that the kernel can use it to verify built-in signatures.
+_fsv_load_cert()
+{
+ local certfileder=$1
+
+ $KEYCTL_PROG padd asymmetric '' %keyring:.fs-verity \
+ < $certfileder >> $seqres.full
+}
+
+# Disable mandatory signatures for fs-verity files, if they are supported.
+_disable_fsverity_signatures()
+{
+ if [ -e /proc/sys/fs/verity/require_signatures ]; then
+ if [ -z "$FSVERITY_SIG_CTL_ORIG" ]; then
+ FSVERITY_SIG_CTL_ORIG=$(</proc/sys/fs/verity/require_signatures)
+ fi
+ echo 0 > /proc/sys/fs/verity/require_signatures
+ fi
+}
+
+# Enable mandatory signatures for fs-verity files.
+# This assumes that _require_fsverity_builtin_signatures() was called.
+_enable_fsverity_signatures()
+{
+ if [ -z "$FSVERITY_SIG_CTL_ORIG" ]; then
+ FSVERITY_SIG_CTL_ORIG=$(</proc/sys/fs/verity/require_signatures)
+ fi
+ echo 1 > /proc/sys/fs/verity/require_signatures
+}
+
+# Restore the original signature verification setting.
+_restore_fsverity_signatures()
+{
+ if [ -n "$FSVERITY_SIG_CTL_ORIG" ]; then
+ echo "$FSVERITY_SIG_CTL_ORIG" > /proc/sys/fs/verity/require_signatures
+ fi
+}
+
+# Require userspace and kernel support for 'fsverity dump_metadata'.
+# $1 must be a file with fs-verity enabled.
+_require_fsverity_dump_metadata()
+{
+ local verity_file=$1
+ local tmpfile=$tmp.require_fsverity_dump_metadata
+
+ if _fsv_dump_merkle_tree "$verity_file" 2>"$tmpfile" >/dev/null; then
+ return
+ fi
+ if grep -q "^ERROR: unrecognized command: 'dump_metadata'$" "$tmpfile"
+ then
+ _notrun "Missing 'fsverity dump_metadata' command"
+ fi
+ if grep -q "^ERROR: FS_IOC_READ_VERITY_METADATA failed on '.*': Inappropriate ioctl for device$" "$tmpfile"
+ then
+ _notrun "Kernel doesn't support FS_IOC_READ_VERITY_METADATA"
+ fi
+ _fail "Unexpected output from 'fsverity dump_metadata': $(<"$tmpfile")"
}
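Review bot: In `_fsv_generate_cert` the DER conversion on the last line is not checked, so a failed `openssl x509` leaves a missing or partial `$certfileder` and the error only surfaces later in `_fsv_load_cert`; the path arguments are also expanded unquoted. I would write it as `$OPENSSL_PROG x509 -in "$certfile" -out "$certfileder" -outform der &>> $seqres.full || _fail "Failed to convert certificate to DER format (see $seqres.full)"` and quote `"$keyfile"` and `"$certfile"` in the `req` call. Separately, `_disable_fsverity_signatures`, `_enable_fsverity_signatures` and `_fsv_clear_keyring` change host-wide state (the `require_signatures` sysctl and the `.fs-verity` keyring), and nothing visible in this hunk guarantees `_restore_fsverity_signatures` runs if a test aborts. A comment on it such as `# Must be called from the test's cleanup path so an interrupted test does not leave require_signatures changed.` would make that contract explicit. Since `-nodes` writes the private key unencrypted, the header comment of `_fsv_generate_cert` should also say the key pair is for test use only.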
_scratch_mkfs_verity()
echo -e "\n# $msg"
}
+_fsv_dump_merkle_tree()
+{
+ $FSVERITY_PROG dump_metadata merkle_tree "$@"
+}
+
+_fsv_dump_descriptor()
+{
+ $FSVERITY_PROG dump_metadata descriptor "$@"
+}
+
+_fsv_dump_signature()
+{
+ $FSVERITY_PROG dump_metadata signature "$@"
+}
+
_fsv_enable()
{
$FSVERITY_PROG enable "$@"
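Review bot: The three new wrappers `_fsv_dump_merkle_tree`, `_fsv_dump_descriptor` and `_fsv_dump_signature` have no header comment, unlike the other helpers added in this change. `_require_fsverity_dump_metadata` relies on `_fsv_dump_merkle_tree` passing the program's stderr and exit status through unchanged so that it can match the `ERROR:` strings. A comment above the first wrapper would record that dependency, for example `# Thin wrappers around 'fsverity dump_metadata'; stderr and exit status pass through unchanged because _require_fsverity_dump_metadata() parses them.` The `_fsv_enable` function at the end of this hunk continues outside it.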
sync # Sync to avoid unwritten extents
cat > $tmp.bytes
- local end=$(( offset + $(stat -c %s $tmp.bytes ) ))
+ local end=$(( offset + $(_get_filesize $tmp.bytes ) ))
# For each extent that intersects the requested range in order, add a
# command that writes the next part of the data to that extent.
ext4|f2fs)
# ext4 and f2fs store the Merkle tree after the file contents
# itself, starting at the next 65536-byte aligned boundary.
- (( offset += ($(stat -c %s $file) + 65535) & ~65535 ))
+ (( offset += ($(_get_filesize $file) + 65535) & ~65535 ))
_fsv_scratch_corrupt_bytes $file $offset
;;
*)