# default. E.g., ext4 only supports verity on extent-based files, so it
# doesn't work on ext3-style filesystems. So, try actually using it.
echo foo > $SCRATCH_MNT/tmpfile
+ _disable_fsverity_signatures
if ! _fsv_enable $SCRATCH_MNT/tmpfile; then
+ _restore_fsverity_signatures
_notrun "$FSTYP verity isn't usable by default with these mkfs options"
fi
+ _restore_fsverity_signatures
rm -f $SCRATCH_MNT/tmpfile
_scratch_unmount
# Check for CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y.
_require_fsverity_builtin_signatures()
{
- if [ ! -e /proc/keys ]; then
- _notrun "kernel doesn't support keyrings"
- fi
- if ! awk '{print $9}' /proc/keys | grep -q '^\.fs-verity:$'; then
+ if [ ! -e /proc/sys/fs/verity/require_signatures ]; then
_notrun "kernel doesn't support fs-verity builtin signatures"
fi
}
+# Disable mandatory signatures for fs-verity files, if they are supported.
+_disable_fsverity_signatures()
+{
+ if [ -e /proc/sys/fs/verity/require_signatures ]; then
+ if [ -z "$FSVERITY_SIG_CTL_ORIG" ]; then
+ FSVERITY_SIG_CTL_ORIG=$(</proc/sys/fs/verity/require_signatures)
+ fi
+ echo 0 > /proc/sys/fs/verity/require_signatures
+ fi
+}
+
+# Enable mandatory signatures for fs-verity files.
+# This assumes that _require_fsverity_builtin_signatures() was called.
+_enable_fsverity_signatures()
+{
+ if [ -z "$FSVERITY_SIG_CTL_ORIG" ]; then
+ FSVERITY_SIG_CTL_ORIG=$(</proc/sys/fs/verity/require_signatures)
+ fi
+ echo 1 > /proc/sys/fs/verity/require_signatures
+}
+
+# Restore the original signature verification setting.
+_restore_fsverity_signatures()
+{
+ if [ -n "$FSVERITY_SIG_CTL_ORIG" ]; then
+ echo "$FSVERITY_SIG_CTL_ORIG" > /proc/sys/fs/verity/require_signatures
+ fi
+}
+
_scratch_mkfs_verity()
{
case $FSTYP in
_cleanup()
{
cd /
+ _restore_fsverity_signatures
rm -f $tmp.*
}
_supported_fs generic
_supported_os Linux
_require_scratch_verity
+_disable_fsverity_signatures
_scratch_mkfs_verity &>> $seqres.full
_scratch_mount
_cleanup()
{
cd /
+ _restore_fsverity_signatures
rm -f $tmp.*
}
_require_scratch_verity
_require_user
_require_chattr ia
+_disable_fsverity_signatures
_scratch_mkfs_verity &>> $seqres.full
_scratch_mount
_cleanup()
{
cd /
+ _restore_fsverity_signatures
rm -f $tmp.*
}
_supported_fs generic
_supported_os Linux
_require_scratch_verity
+_disable_fsverity_signatures
_scratch_mkfs_verity &>> $seqres.full
_scratch_mount
_cleanup()
{
cd /
+ _restore_fsverity_signatures
rm -f $tmp.*
}
if [ $FSV_BLOCK_SIZE != 4096 ]; then
_notrun "4096-byte verity block size not supported on this platform"
fi
+_disable_fsverity_signatures
_scratch_mkfs_verity &>> $seqres.full
_scratch_mount
_cleanup()
{
cd /
+ _restore_fsverity_signatures
rm -f $tmp.*
}
_require_scratch_verity
_require_scratch_encryption
_require_command "$KEYCTL_PROG" keyctl
+_disable_fsverity_signatures
_scratch_mkfs_encrypted_verity &>> $seqres.full
_scratch_mount
_cleanup()
{
- sysctl -w fs.verity.require_signatures=0 &>/dev/null
cd /
+ _restore_fsverity_signatures
rm -f $tmp.*
}
< $certfileder >> $seqres.full
echo -e "\n# Enabling fs.verity.require_signatures"
-sysctl -w fs.verity.require_signatures=1
+_enable_fsverity_signatures
echo -e "\n# Generating file and signing it for fs-verity"
head -c 100000 /dev/zero > $fsv_orig_file
echo -e "\n# Opening verity file without signature (should fail)"
reset_fsv_file
-sysctl -w fs.verity.require_signatures=0 &>> $seqres.full
+_disable_fsverity_signatures
_fsv_enable $fsv_file
-sysctl -w fs.verity.require_signatures=1 &>> $seqres.full
+_enable_fsverity_signatures
_scratch_cycle_mount
md5sum $fsv_file |& _filter_scratch
# Loading first certificate into fs-verity keyring
# Enabling fs.verity.require_signatures
-fs.verity.require_signatures = 1
# Generating file and signing it for fs-verity
Signed file 'SCRATCH_MNT/file' (sha256:ecabbfca4efd69a721be824965da10d27900b109549f96687b35a4d91d810dac)
touch $tmp.done
wait
+ _restore_fsverity_signatures
rm -f $tmp.*
}
_supported_os Linux
_require_scratch_verity
_require_command "$KILLALL_PROG" killall
+_disable_fsverity_signatures
_scratch_mkfs_verity &>> $seqres.full
_scratch_mount