From patchwork Thu Jun 20 21:36:07 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11008223 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1284776 for ; Thu, 20 Jun 2019 21:38:40 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 054EB287E9 for ; Thu, 20 Jun 2019 21:38:40 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id EDD5B28837; Thu, 20 Jun 2019 21:38:39 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 98AD7287E9 for ; Thu, 20 Jun 2019 21:38:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726127AbfFTVii (ORCPT ); Thu, 20 Jun 2019 17:38:38 -0400 Received: from mail.kernel.org ([198.145.29.99]:47138 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726008AbfFTVii (ORCPT ); Thu, 20 Jun 2019 17:38:38 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3094A2084A; Thu, 20 Jun 2019 21:38:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1561066717; bh=/TqjxXaacZLBl0M7a8866fUvjTCYt+qsAku09GMwzaU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=rG3C7MUEr0Yhda6R/BLbL+18hBUT5WtHy9dhgeZ8rhA2v8aHrgWvC3wU8TDuVHB57 +pQdh2GSzulC1jBiaAmlKER/6HHFRZkyycwG0hJXACVd+ePZAORoVRWAnz8ATsSQhs 48SM6gkjmgFqR0b7+jWPDrDXrOEgx5q5ap4N2y8A= From: Eric Biggers To: fstests@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Jaegeuk Kim , "Theodore Y . Ts'o" , Victor Hsieh Subject: [RFC PATCH v2 1/8] common/filter: add _filter_xfs_io_fiemap() Date: Thu, 20 Jun 2019 14:36:07 -0700 Message-Id: <20190620213614.113685-2-ebiggers@kernel.org> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog In-Reply-To: <20190620213614.113685-1-ebiggers@kernel.org> References: <20190620213614.113685-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers Add _filter_xfs_io_fiemap() to clean up the output of 'xfs_io -c fiemap'. This will be used by a function in common/verity. Signed-off-by: Eric Biggers --- common/filter | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/common/filter b/common/filter index ed082d24..9ad43ff4 100644 --- a/common/filter +++ b/common/filter @@ -541,6 +541,30 @@ _filter_filefrag() $flags, "\n"' } +# Clean up the extents list output of 'xfs_io -c fiemap', e.g. +# +# file: +# 0: [0..79]: 628365312..628365391 +# 1: [80..159]: hole +# 2: [160..319]: 628365472..628365631 +# => +# 0 79 628365312 628365391 +# 160 319 628365472 628365631 +# +# The fields are: +# +# first_logical_block last_logical_block first_physical_block last_physical_block +# +# Blocks are 512 bytes, and holes are omitted. +# +_filter_xfs_io_fiemap() +{ + grep -E '^[[:space:]]+[0-9]+:' \ + | grep -v '\' \ + | sed -E 's/^[[:space:]]+[0-9]+://' \ + | tr '][.:' ' ' +} + # We generate WARNINGs on purpose when applications mix buffered/mmap IO with # direct IO on the same file. This is a helper for _check_dmesg() to filter out # such warnings. From patchwork Thu Jun 20 21:36:08 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11008233 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 03294924 for ; Thu, 20 Jun 2019 21:38:43 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E73B5287E9 for ; Thu, 20 Jun 2019 21:38:42 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id DB23B288ED; Thu, 20 Jun 2019 21:38:42 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0E8B3287FA for ; Thu, 20 Jun 2019 21:38:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726571AbfFTVik (ORCPT ); Thu, 20 Jun 2019 17:38:40 -0400 Received: from mail.kernel.org ([198.145.29.99]:47154 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726032AbfFTVij (ORCPT ); Thu, 20 Jun 2019 17:38:39 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 8F1302085A; Thu, 20 Jun 2019 21:38:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1561066717; bh=HeWLaZx8vNDd7SwrPn4f5AIlPq+mBHnG456nIkYnQjs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=rfIKpazNDw1bB4C0/XZpZm2Dww4Ln3wetmFc7WOjsnOQ1Sq6/yvmvnVxmNPqBtTJD xmP+5sfHRul6vItjTbM4Kl5tXBl997Ahf/M1u//ASjVYxdgU6N7dkNeV5LB2I1Sjhi q31wKs8W1kkDNx3SwhIpdTpis6qnIJqwMrzKKZL8= From: Eric Biggers To: fstests@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Jaegeuk Kim , "Theodore Y . Ts'o" , Victor Hsieh Subject: [RFC PATCH v2 2/8] common/verity: add common functions for testing fs-verity Date: Thu, 20 Jun 2019 14:36:08 -0700 Message-Id: <20190620213614.113685-3-ebiggers@kernel.org> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog In-Reply-To: <20190620213614.113685-1-ebiggers@kernel.org> References: <20190620213614.113685-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers Add common functions for setting up and testing fs-verity, a new feature for read-only file-based authenticity protection. fs-verity will be supported by ext4 and f2fs, and perhaps by other filesystems later. Running the fs-verity tests requires: - A kernel with the fs-verity patches from https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git branch "fsverity" and configured with CONFIG_FS_VERITY. - The fsverity utility program from https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git - e2fsprogs v1.45.2 or later for ext4 tests, or f2fs-tools v1.11.0 or later for f2fs tests. See the file Documentation/filesystems/fsverity.rst in the kernel tree for more information about fs-verity. Signed-off-by: Eric Biggers --- common/config | 1 + common/verity | 189 ++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 190 insertions(+) create mode 100644 common/verity diff --git a/common/config b/common/config index bd64be62..001ddc45 100644 --- a/common/config +++ b/common/config @@ -212,6 +212,7 @@ export CHECKBASHISMS_PROG="$(type -P checkbashisms)" export XFS_INFO_PROG="$(type -P xfs_info)" export DUPEREMOVE_PROG="$(type -P duperemove)" export CC_PROG="$(type -P cc)" +export FSVERITY_PROG="$(type -P fsverity)" # use 'udevadm settle' or 'udevsettle' to wait for lv to be settled. # newer systems have udevadm command but older systems like RHEL5 don't. diff --git a/common/verity b/common/verity new file mode 100644 index 00000000..86fb6585 --- /dev/null +++ b/common/verity @@ -0,0 +1,189 @@ +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2018 Google LLC +# +# Functions for setting up and testing fs-verity + +_require_scratch_verity() +{ + _require_scratch + _require_command "$FSVERITY_PROG" fsverity + + if ! _scratch_mkfs_verity &>>$seqres.full; then + # ext4: need e2fsprogs v1.44.5 or later (but actually v1.45.2+ + # is needed for some tests to pass, due to an e2fsck bug) + # f2fs: need f2fs-tools v1.11.0 or later + _notrun "$FSTYP userspace tools don't support fs-verity" + fi + + # Try to mount the filesystem. If this fails then either the kernel + # isn't aware of fs-verity, or the mkfs options were not compatible with + # verity (e.g. ext4 with block size != PAGE_SIZE). + if ! _try_scratch_mount &>>$seqres.full; then + _notrun "kernel is unaware of $FSTYP verity feature," \ + "or mkfs options are not compatible with verity" + fi + _scratch_unmount + + # The filesystem may be aware of fs-verity but have it disabled by + # CONFIG_FS_VERITY=n. Detect support via sysfs. + if [ ! -e /sys/fs/$FSTYP/features/verity ]; then + _notrun "kernel $FSTYP isn't configured with verity support" + fi + + # Merkle tree block size. Currently all filesystems only support + # PAGE_SIZE for this. This is also the default for 'fsverity enable'. + FSV_BLOCK_SIZE=$(get_page_size) +} + +_scratch_mkfs_verity() +{ + case $FSTYP in + ext4|f2fs) + _scratch_mkfs -O verity + ;; + *) + _notrun "No verity support for $FSTYP" + ;; + esac +} + +_scratch_mkfs_encrypted_verity() +{ + case $FSTYP in + ext4) + _scratch_mkfs -O encrypt,verity + ;; + f2fs) + # f2fs-tools as of v1.11.0 doesn't allow comma-separated + # features with -O. Instead -O must be supplied multiple times. + _scratch_mkfs -O encrypt -O verity + ;; + *) + _notrun "$FSTYP not supported in _scratch_mkfs_encrypted_verity" + ;; + esac +} + +_fsv_scratch_begin_subtest() +{ + local msg=$1 + + rm -rf "${SCRATCH_MNT:?}"/* + echo -e "\n# $msg" +} + +_fsv_enable() +{ + $FSVERITY_PROG enable "$@" +} + +_fsv_measure() +{ + $FSVERITY_PROG measure "$@" | awk '{print $1}' +} + +# Generate a file, then enable verity on it. +_fsv_create_enable_file() +{ + local file=$1 + shift + + head -c $((FSV_BLOCK_SIZE * 2)) /dev/zero > "$file" + _fsv_enable "$file" "$@" +} + +_fsv_have_hash_algorithm() +{ + local hash_alg=$1 + local test_file=$2 + + rm -f $test_file + head -c 4096 /dev/zero > $test_file + if ! _fsv_enable --hash-alg=$hash_alg $test_file &>> $seqres.full; then + # no kernel support + return 1 + fi + rm -f $test_file + return 0 +} + +# +# _fsv_scratch_corrupt_bytes - Write some bytes to a file, bypassing the filesystem +# +# Write the bytes sent on stdin to the given offset in the given file, but do so +# by writing directly to the extents on the block device, with the filesystem +# unmounted. This can be used to corrupt a verity file for testing purposes, +# bypassing the restrictions imposed by the filesystem. +# +# The file is assumed to be located on $SCRATCH_DEV. +# +_fsv_scratch_corrupt_bytes() +{ + local file=$1 + local offset=$2 + local lstart lend pstart pend + local dd_cmds=() + local cmd + + sync # Sync to avoid unwritten extents + + cat > $tmp.bytes + local end=$(( offset + $(stat -c %s $tmp.bytes ) )) + + # For each extent that intersects the requested range in order, add a + # command that writes the next part of the data to that extent. + while read -r lstart lend pstart pend; do + lstart=$((lstart * 512)) + lend=$(((lend + 1) * 512)) + pstart=$((pstart * 512)) + pend=$(((pend + 1) * 512)) + + if (( lend - lstart != pend - pstart )); then + _fail "Logical and physical extent lengths differ for file '$file'" + elif (( offset < lstart )); then + _fail "Hole in file '$file' at byte $offset. Next extent begins at byte $lstart" + elif (( offset < lend )); then + local len=$((lend - offset)) + local seek=$((pstart + (offset - lstart))) + dd_cmds+=("head -c $len | dd of=$SCRATCH_DEV oflag=seek_bytes seek=$seek status=none") + (( offset += len )) + fi + done < <($XFS_IO_PROG -r -c "fiemap $offset $((end - offset))" "$file" \ + | _filter_xfs_io_fiemap) + + if (( offset < end )); then + _fail "Extents of file '$file' ended at byte $offset, but needed until $end" + fi + + # Execute the commands to write the data + _scratch_unmount + for cmd in "${dd_cmds[@]}"; do + eval "$cmd" + done < $tmp.bytes + sync # Sync to flush the block device's pagecache + _scratch_mount +} + +# +# _fsv_scratch_corrupt_merkle_tree - Corrupt a file's Merkle tree +# +# Like _fsv_scratch_corrupt_bytes(), but this corrupts the file's fs-verity +# Merkle tree. The offset is given as a byte offset into the Merkle tree. +# +_fsv_scratch_corrupt_merkle_tree() +{ + local file=$1 + local offset=$2 + + case $FSTYP in + ext4|f2fs) + # ext4 and f2fs store the Merkle tree after the file contents + # itself, starting at the next 65536-byte aligned boundary. + (( offset += ($(stat -c %s $file) + 65535) & ~65535 )) + _fsv_scratch_corrupt_bytes $file $offset + ;; + *) + _fail "_fsv_scratch_corrupt_merkle_tree() unimplemented on $FSTYP" + ;; + esac +} From patchwork Thu Jun 20 21:36:09 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11008247 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E8BF176 for ; Thu, 20 Jun 2019 21:38:45 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DD393287FA for ; Thu, 20 Jun 2019 21:38:45 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id CFB0928837; Thu, 20 Jun 2019 21:38:45 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E678A287FA for ; Thu, 20 Jun 2019 21:38:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726583AbfFTVik (ORCPT ); Thu, 20 Jun 2019 17:38:40 -0400 Received: from mail.kernel.org ([198.145.29.99]:47164 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726067AbfFTVij (ORCPT ); Thu, 20 Jun 2019 17:38:39 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id ED56A2089C; Thu, 20 Jun 2019 21:38:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1561066718; bh=IYsyDgSnJLA1mNtcvPo7zQzyr25/CSKA7zsaC7jd6Jc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=bz5zEEudf2hhKT6/lkvAkkKdXGbtKd76mV7MELR0xqdzYuyzl94bG/i//ynm0U+E5 2LVYroRhE9utcovyb5sl6IwCRtIWbxcDyqGiOGVXYRxU+/c9mWL0AbycSU+LE1B8mz YMV6bk0CFVqQmyHL5HjAuU5Bn35wK0cZWBhA0WO8= From: Eric Biggers To: fstests@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Jaegeuk Kim , "Theodore Y . Ts'o" , Victor Hsieh Subject: [RFC PATCH v2 3/8] generic: test general behavior of verity files Date: Thu, 20 Jun 2019 14:36:09 -0700 Message-Id: <20190620213614.113685-4-ebiggers@kernel.org> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog In-Reply-To: <20190620213614.113685-1-ebiggers@kernel.org> References: <20190620213614.113685-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers This is a basic fs-verity test which verifies: - conditions for enabling verity - verity files have expected contents and size - can't change contents of verity files, but can change metadata - can retrieve a verity file's measurement via FS_IOC_MEASURE_VERITY Signed-off-by: Eric Biggers --- tests/generic/900 | 190 ++++++++++++++++++++++++++++++++++++++++++ tests/generic/900.out | 71 ++++++++++++++++ tests/generic/group | 1 + 3 files changed, 262 insertions(+) create mode 100755 tests/generic/900 create mode 100644 tests/generic/900.out diff --git a/tests/generic/900 b/tests/generic/900 new file mode 100755 index 00000000..144870a6 --- /dev/null +++ b/tests/generic/900 @@ -0,0 +1,190 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2018 Google LLC +# +# FS QA Test generic/900 +# +# This is a basic fs-verity test which verifies: +# +# - conditions for enabling verity +# - verity files have correct contents and size +# - can't change contents of verity files, but can change metadata +# - can retrieve a verity file's measurement via FS_IOC_MEASURE_VERITY +# +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + cd / + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter +. ./common/verity + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here +_supported_fs generic +_supported_os Linux +_require_scratch_verity + +_scratch_mkfs_verity &>> $seqres.full +_scratch_mount +fsv_orig_file=$SCRATCH_MNT/file +fsv_file=$SCRATCH_MNT/file.fsv + +verify_data_readable() +{ + local file=$1 + + md5sum $file > /dev/null +} + +verify_data_unreadable() +{ + local file=$1 + + # try both reading just the first data block, and reading until EOF + head -c $FSV_BLOCK_SIZE $file 2>&1 >/dev/null | _filter_scratch + md5sum $file |& _filter_scratch +} + +_fsv_scratch_begin_subtest "Enabling verity on file with verity already enabled fails with EEXIST" +_fsv_create_enable_file $fsv_file +echo "(trying again)" +_fsv_enable $fsv_file |& _filter_scratch + +_fsv_scratch_begin_subtest "Enabling verity with invalid hash algorithm fails with EINVAL" +_fsv_create_enable_file $fsv_file --hash-alg=257 |& _filter_scratch +verify_data_readable $fsv_file + +_fsv_scratch_begin_subtest "Enabling verity with invalid block size fails with EINVAL" +_fsv_create_enable_file $fsv_file --block-size=1 |& _filter_scratch +verify_data_readable $fsv_file + +_fsv_scratch_begin_subtest "Enabling verity on directory fails with EISDIR" +mkdir $SCRATCH_MNT/dir +_fsv_enable $SCRATCH_MNT/dir |& _filter_scratch + +_fsv_scratch_begin_subtest "Enabling verity with too-long salt fails with EMSGSIZE" +_fsv_create_enable_file $fsv_file --salt=$(perl -e 'print "A" x 1000') |& _filter_scratch +verify_data_readable $fsv_file + +_fsv_scratch_begin_subtest "Enabling verity on file on read-only filesystem fails with EROFS" +echo foo > $fsv_file +_scratch_remount ro +_fsv_enable $fsv_file |& _filter_scratch +_scratch_remount rw + +_fsv_scratch_begin_subtest "Enabling verity on file open for writing fails with ETXTBSY" +echo foo > $fsv_file +exec 3<> $fsv_file +_fsv_enable $fsv_file |& _filter_scratch +exec 3<&- +verify_data_readable $fsv_file + +_fsv_scratch_begin_subtest "Enabling verity can be interrupted" +dd if=/dev/zero of=$fsv_file bs=1 count=0 seek=$((1 << 34)) status=none +start_time=$(date +%s) +$FSVERITY_PROG enable $fsv_file & +sleep 0.5 +kill %1 +wait +elapsed=$(( $(date +%s) - start_time )) +if (( elapsed > 5 )); then + echo "Failed to interrupt FS_IOC_ENABLE_VERITY ($elapsed seconds elapsed)" +fi + +_fsv_scratch_begin_subtest "verity file can't be opened for writing" +_fsv_create_enable_file $fsv_file >> $seqres.full +echo "* reading" +$XFS_IO_PROG -r $fsv_file -c '' +echo "* xfs_io writing, should be O_RDWR" +$XFS_IO_PROG $fsv_file -c '' |& _filter_scratch +echo "* bash >>, should be O_APPEND" +bash -c "echo >> $fsv_file" |& _filter_scratch +echo "* bash >, should be O_WRONLY|O_CREAT|O_TRUNC" +bash -c "echo > $fsv_file" |& _filter_scratch + +_fsv_scratch_begin_subtest "verity file can be read" +_fsv_create_enable_file $fsv_file >> $seqres.full +verify_data_readable $fsv_file + +_fsv_scratch_begin_subtest "verity file can be measured" +_fsv_create_enable_file $fsv_file >> $seqres.full +_fsv_measure $fsv_file + +_fsv_scratch_begin_subtest "verity file can be renamed" +_fsv_create_enable_file $fsv_file +mv $fsv_file $fsv_file.newname + +_fsv_scratch_begin_subtest "verity file can be unlinked" +_fsv_create_enable_file $fsv_file +rm $fsv_file + +_fsv_scratch_begin_subtest "verity file can be linked to" +_fsv_create_enable_file $fsv_file +ln $fsv_file $fsv_file.newname + +_fsv_scratch_begin_subtest "verity file can be chmodded" +_fsv_create_enable_file $fsv_file +chmod 777 $fsv_file +chmod 444 $fsv_file + +_fsv_scratch_begin_subtest "verity file can be chowned" +_fsv_create_enable_file $fsv_file +chown 1:1 $fsv_file +chown 0:0 $fsv_file + +_fsv_scratch_begin_subtest "verity file has correct contents and size" +head -c 100000 /dev/urandom > $fsv_orig_file +cp $fsv_orig_file $fsv_file +_fsv_enable $fsv_file >> $seqres.full +cmp $fsv_file $fsv_orig_file +stat -c %s $fsv_file +_scratch_cycle_mount +cmp $fsv_file $fsv_orig_file +stat -c %s $fsv_file + +_fsv_scratch_begin_subtest "Trying to measure non-verity file fails with ENODATA" +echo foo > $fsv_file +_fsv_measure $fsv_file |& _filter_scratch +verify_data_readable $fsv_file + +# Test files <= 1 block in size. These are a bit of a special case since there +# are no hash blocks; the root hash is calculated directly over the data block. +for size in 1 $((FSV_BLOCK_SIZE - 1)) $FSV_BLOCK_SIZE; do + _fsv_scratch_begin_subtest "verity on $size-byte file" + head -c $size /dev/urandom > $fsv_orig_file + cp $fsv_orig_file $fsv_file + _fsv_enable $fsv_file + cmp $fsv_orig_file $fsv_file && echo "Files matched" + rm -f $fsv_file +done + +_fsv_scratch_begin_subtest "verity on 100M file (multiple levels in hash tree)" +head -c 100000000 /dev/urandom > $fsv_orig_file +cp $fsv_orig_file $fsv_file +_fsv_enable $fsv_file +cmp $fsv_orig_file $fsv_file && echo "Files matched" + +_fsv_scratch_begin_subtest "verity on sparse file" +dd if=/dev/zero of=$fsv_orig_file bs=1 count=1 seek=1000000 status=none +cp $fsv_orig_file $fsv_file +_fsv_enable $fsv_file +cmp $fsv_orig_file $fsv_file && echo "Files matched" + +# success, all done +status=0 +exit diff --git a/tests/generic/900.out b/tests/generic/900.out new file mode 100644 index 00000000..ff5162f3 --- /dev/null +++ b/tests/generic/900.out @@ -0,0 +1,71 @@ +QA output created by 900 + +# Enabling verity on file with verity already enabled fails with EEXIST +(trying again) +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': File exists + +# Enabling verity with invalid hash algorithm fails with EINVAL +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Invalid argument + +# Enabling verity with invalid block size fails with EINVAL +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Invalid argument + +# Enabling verity on directory fails with EISDIR +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/dir': Is a directory + +# Enabling verity with too-long salt fails with EMSGSIZE +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Message too long + +# Enabling verity on file on read-only filesystem fails with EROFS +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Read-only file system + +# Enabling verity on file open for writing fails with ETXTBSY +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Text file busy + +# Enabling verity can be interrupted + +# verity file can't be opened for writing +* reading +* xfs_io writing, should be O_RDWR +SCRATCH_MNT/file.fsv: Operation not permitted +* bash >>, should be O_APPEND +bash: SCRATCH_MNT/file.fsv: Operation not permitted +* bash >, should be O_WRONLY|O_CREAT|O_TRUNC +bash: SCRATCH_MNT/file.fsv: Operation not permitted + +# verity file can be read + +# verity file can be measured +sha256:be54121da3877f8852c65136d731784f134c4dd9d95071502e80d7be9f99b263 + +# verity file can be renamed + +# verity file can be unlinked + +# verity file can be linked to + +# verity file can be chmodded + +# verity file can be chowned + +# verity file has correct contents and size +100000 +100000 + +# Trying to measure non-verity file fails with ENODATA +ERROR: FS_IOC_MEASURE_VERITY failed on 'SCRATCH_MNT/file.fsv': No data available + +# verity on 1-byte file +Files matched + +# verity on 4095-byte file +Files matched + +# verity on 4096-byte file +Files matched + +# verity on 100M file (multiple levels in hash tree) +Files matched + +# verity on sparse file +Files matched diff --git a/tests/generic/group b/tests/generic/group index 0867e455..ed6839a9 100644 --- a/tests/generic/group +++ b/tests/generic/group @@ -559,3 +559,4 @@ 554 auto quick copy_range swap 555 auto quick cap 556 auto quick casefold +900 auto quick verity From patchwork Thu Jun 20 21:36:10 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11008235 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6F83F1932 for ; Thu, 20 Jun 2019 21:38:43 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 60CCE2880C for ; Thu, 20 Jun 2019 21:38:43 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 5569D287FA; Thu, 20 Jun 2019 21:38:43 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5CCEE2880C for ; Thu, 20 Jun 2019 21:38:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726586AbfFTVil (ORCPT ); Thu, 20 Jun 2019 17:38:41 -0400 Received: from mail.kernel.org ([198.145.29.99]:47170 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725815AbfFTVij (ORCPT ); Thu, 20 Jun 2019 17:38:39 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 5EC62208CA; Thu, 20 Jun 2019 21:38:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1561066718; bh=V+X0j3RoLIP9jo4cD1boHW7vIrMRQP3jzr1LIyfiC1o=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=l5uaXOLnXZ7BVz0SR+lMxutRxGT9kQR4NtPCc4ImsyliGwgBguSUrnk0yamwMrvOT HAaR/ghHC9Mhl2igYOslTHCoq0GsN/WdIUpdbH1BOXjE9C4uNfT+D2Jn5jDIZtc9XL A1d6AiWbIzxxO/s0xhlra+IPhfw9W+SY2/N7wCgY= From: Eric Biggers To: fstests@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Jaegeuk Kim , "Theodore Y . Ts'o" , Victor Hsieh Subject: [RFC PATCH v2 4/8] generic: test access controls on the fs-verity ioctls Date: Thu, 20 Jun 2019 14:36:10 -0700 Message-Id: <20190620213614.113685-5-ebiggers@kernel.org> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog In-Reply-To: <20190620213614.113685-1-ebiggers@kernel.org> References: <20190620213614.113685-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers Test access controls on the fs-verity ioctls. FS_IOC_MEASURE_VERITY is allowed on any file, whereas FS_IOC_ENABLE_VERITY requires write access. Signed-off-by: Eric Biggers --- tests/generic/901 | 73 +++++++++++++++++++++++++++++++++++++++++++ tests/generic/901.out | 14 +++++++++ tests/generic/group | 1 + 3 files changed, 88 insertions(+) create mode 100755 tests/generic/901 create mode 100644 tests/generic/901.out diff --git a/tests/generic/901 b/tests/generic/901 new file mode 100755 index 00000000..56dab587 --- /dev/null +++ b/tests/generic/901 @@ -0,0 +1,73 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2018 Google LLC +# +# FS QA Test generic/901 +# +# Test access controls on the fs-verity ioctls. FS_IOC_MEASURE_VERITY is +# allowed on any file, whereas FS_IOC_ENABLE_VERITY requires write access. +# +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + cd / + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter +. ./common/verity + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here +_supported_fs generic +_supported_os Linux +_require_scratch_verity +_require_user +_require_chattr ia + +_scratch_mkfs_verity &>> $seqres.full +_scratch_mount +fsv_file=$SCRATCH_MNT/file.fsv + +_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY doesn't require root" +echo foo > $fsv_file +chmod 666 $fsv_file +_user_do "$FSVERITY_PROG enable $fsv_file" + +_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY requires write access" +echo foo > $fsv_file >> $seqres.full +chmod 444 $fsv_file +_user_do "$FSVERITY_PROG enable $fsv_file" |& _filter_scratch + +_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY requires !append-only" +echo foo > $fsv_file >> $seqres.full +$CHATTR_PROG +a $fsv_file +$FSVERITY_PROG enable $fsv_file |& _filter_scratch +$CHATTR_PROG -a $fsv_file + +_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY requires !immutable" +echo foo > $fsv_file >> $seqres.full +$CHATTR_PROG +i $fsv_file +$FSVERITY_PROG enable $fsv_file |& _filter_scratch +$CHATTR_PROG -i $fsv_file + +_fsv_scratch_begin_subtest "FS_IOC_MEASURE_VERITY doesn't require root" +_fsv_create_enable_file $fsv_file >> $seqres.full +chmod 444 $fsv_file +su $qa_user -c "$FSVERITY_PROG measure $fsv_file" >> $seqres.full + +# success, all done +status=0 +exit diff --git a/tests/generic/901.out b/tests/generic/901.out new file mode 100644 index 00000000..a9e4c364 --- /dev/null +++ b/tests/generic/901.out @@ -0,0 +1,14 @@ +QA output created by 901 + +# FS_IOC_ENABLE_VERITY doesn't require root + +# FS_IOC_ENABLE_VERITY requires write access +Permission denied + +# FS_IOC_ENABLE_VERITY requires !append-only +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Operation not permitted + +# FS_IOC_ENABLE_VERITY requires !immutable +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Operation not permitted + +# FS_IOC_MEASURE_VERITY doesn't require root diff --git a/tests/generic/group b/tests/generic/group index ed6839a9..003fbff4 100644 --- a/tests/generic/group +++ b/tests/generic/group @@ -560,3 +560,4 @@ 555 auto quick cap 556 auto quick casefold 900 auto quick verity +901 auto quick verity From patchwork Thu Jun 20 21:36:11 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11008249 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 01CE728DC for ; Thu, 20 Jun 2019 21:38:46 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E9729287E9 for ; Thu, 20 Jun 2019 21:38:45 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id DD79A288FA; Thu, 20 Jun 2019 21:38:45 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 116912880C for ; Thu, 20 Jun 2019 21:38:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726556AbfFTVik (ORCPT ); Thu, 20 Jun 2019 17:38:40 -0400 Received: from mail.kernel.org ([198.145.29.99]:47190 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726008AbfFTVij (ORCPT ); Thu, 20 Jun 2019 17:38:39 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id BD29820B1F; Thu, 20 Jun 2019 21:38:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1561066719; bh=d27p70Gr0QEAejavj4m8KjtHSwoT83LH9uhHi+Iuvmw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=uhj3bYfZOl448KVcMoiYVX4H+lxzjWdO1NvnxLgW1UhgvdhtKr4YYli2lj0vt7vF+ vhrGZWOTzYW+H+4O0/2w+J/ftirIAiZzZYsqMDNoZhKQJQmMDdqn97NsnKjkECKh9l IFPEwTK+6Iug/tSEFZPNWqMB3lPD5QWoOeZRaXR4= From: Eric Biggers To: fstests@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Jaegeuk Kim , "Theodore Y . Ts'o" , Victor Hsieh Subject: [RFC PATCH v2 5/8] generic: test corrupting verity files Date: Thu, 20 Jun 2019 14:36:11 -0700 Message-Id: <20190620213614.113685-6-ebiggers@kernel.org> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog In-Reply-To: <20190620213614.113685-1-ebiggers@kernel.org> References: <20190620213614.113685-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers This test corrupts various parts of the contents of a verity file, or parts of its Merkle tree, by writing directly to the block device. It verifies that this causes I/O errors when the relevant part of the contents is later read by any means. Signed-off-by: Eric Biggers --- tests/generic/902 | 154 ++++++++++++++++++++++++++++++++++++++++++ tests/generic/902.out | 91 +++++++++++++++++++++++++ tests/generic/group | 1 + 3 files changed, 246 insertions(+) create mode 100755 tests/generic/902 create mode 100644 tests/generic/902.out diff --git a/tests/generic/902 b/tests/generic/902 new file mode 100755 index 00000000..5ef2cca1 --- /dev/null +++ b/tests/generic/902 @@ -0,0 +1,154 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2018 Google LLC +# +# FS QA Test generic/902 +# +# Test corrupting verity files. This test corrupts various parts of the +# contents of a verity file, or parts of its Merkle tree, by writing directly to +# the block device. It verifies that this causes I/O errors when the relevant +# part of the contents is later read by any means. +# +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + cd / + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter +. ./common/verity + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here +_supported_fs generic +_supported_os Linux +_require_scratch_verity + +_scratch_mkfs_verity &>> $seqres.full +_scratch_mount +fsv_orig_file=$SCRATCH_MNT/file +fsv_file=$SCRATCH_MNT/file.fsv + +setup_zeroed_file() +{ + local len=$1 + local sparse=$2 + + if $sparse; then + dd if=/dev/zero of=$fsv_orig_file bs=1 count=0 seek=$len \ + status=none + else + head -c $len /dev/zero > $fsv_orig_file + fi + cp $fsv_orig_file $fsv_file + _fsv_enable $fsv_file + md5sum $fsv_file |& _filter_scratch +} + +filter_sigbus() +{ + sed -e 's/.*Bus error.*/Bus error/' +} + +round_up_to_page_boundary() +{ + local n=$1 + local page_size=$(get_page_size) + + echo $(( (n + page_size - 1) & ~(page_size - 1) )) +} + +corruption_test() +{ + local file_len=$1 + local zap_offset=$2 + local zap_len=$3 + local is_merkle_tree=${4:-false} # if true, zap tree instead of data + local use_sparse_file=${5:-false} + local page_aligned_eof=$(round_up_to_page_boundary $file_len) + local measurement + + if $is_merkle_tree; then + local corrupt_func=_fsv_scratch_corrupt_merkle_tree + else + local corrupt_func=_fsv_scratch_corrupt_bytes + fi + + local msg="Corruption test:" + msg+=" file_len=$file_len" + if $use_sparse_file; then + msg+=" (sparse)" + fi + msg+=" zap_offset=$zap_offset" + if $is_merkle_tree; then + msg+=" (in Merkle tree)" + fi + msg+=" zap_len=$zap_len" + + _fsv_scratch_begin_subtest "$msg" + setup_zeroed_file $file_len $use_sparse_file + cmp $fsv_file $fsv_orig_file + echo "Corrupting bytes..." + head -c $zap_len /dev/zero | tr '\0' X \ + | $corrupt_func $fsv_file $zap_offset + + echo "Validating corruption (reading full file)..." + _scratch_cycle_mount + md5sum $fsv_file |& _filter_scratch + + echo "Validating corruption (direct I/O)..." + _scratch_cycle_mount + dd if=$fsv_file bs=$FSV_BLOCK_SIZE iflag=direct status=none \ + of=/dev/null |& _filter_scratch + + if ! $is_merkle_tree; then + echo "Validating corruption (reading just corrupted part)..." + dd if=$fsv_file bs=1 skip=$zap_offset count=$zap_len \ + of=/dev/null status=none |& _filter_scratch + fi + + echo "Validating corruption (reading full file via mmap)..." + bash -c "trap '' SIGBUS; $XFS_IO_PROG -r $fsv_file \ + -c 'mmap -r 0 $page_aligned_eof' \ + -c 'mread 0 $file_len'" |& filter_sigbus + + if ! $is_merkle_tree; then + echo "Validating corruption (reading just corrupted part via mmap)..." + bash -c "trap '' SIGBUS; $XFS_IO_PROG -r $fsv_file \ + -c 'mmap -r 0 $page_aligned_eof' \ + -c 'mread $zap_offset $zap_len'" |& filter_sigbus + fi +} + +corruption_test 131072 0 1 +corruption_test 131072 4095 1 +corruption_test 131072 65536 65536 +corruption_test 131072 131071 1 + +# Non-zeroed bytes in the final partial block beyond EOF should cause reads to +# fail too. Such bytes would be visible via mmap(). +corruption_test 130999 131000 72 + +# Merkle tree corruption. +corruption_test 200000 100 10 true + +# Sparse file. Corrupting the Merkle tree should still cause reads to fail, +# i.e. the filesystem must verify holes. +corruption_test 200000 100 10 true true + +# success, all done +status=0 +exit diff --git a/tests/generic/902.out b/tests/generic/902.out new file mode 100644 index 00000000..15fe691e --- /dev/null +++ b/tests/generic/902.out @@ -0,0 +1,91 @@ +QA output created by 902 + +# Corruption test: file_len=131072 zap_offset=0 zap_len=1 +0dfbe8aa4c20b52e1b8bf3cb6cbdf193 SCRATCH_MNT/file.fsv +Corrupting bytes... +Validating corruption (reading full file)... +md5sum: SCRATCH_MNT/file.fsv: Input/output error +Validating corruption (direct I/O)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading just corrupted part)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading full file via mmap)... +Bus error +Validating corruption (reading just corrupted part via mmap)... +Bus error + +# Corruption test: file_len=131072 zap_offset=4095 zap_len=1 +0dfbe8aa4c20b52e1b8bf3cb6cbdf193 SCRATCH_MNT/file.fsv +Corrupting bytes... +Validating corruption (reading full file)... +md5sum: SCRATCH_MNT/file.fsv: Input/output error +Validating corruption (direct I/O)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading just corrupted part)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading full file via mmap)... +Bus error +Validating corruption (reading just corrupted part via mmap)... +Bus error + +# Corruption test: file_len=131072 zap_offset=65536 zap_len=65536 +0dfbe8aa4c20b52e1b8bf3cb6cbdf193 SCRATCH_MNT/file.fsv +Corrupting bytes... +Validating corruption (reading full file)... +md5sum: SCRATCH_MNT/file.fsv: Input/output error +Validating corruption (direct I/O)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading just corrupted part)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading full file via mmap)... +Bus error +Validating corruption (reading just corrupted part via mmap)... +Bus error + +# Corruption test: file_len=131072 zap_offset=131071 zap_len=1 +0dfbe8aa4c20b52e1b8bf3cb6cbdf193 SCRATCH_MNT/file.fsv +Corrupting bytes... +Validating corruption (reading full file)... +md5sum: SCRATCH_MNT/file.fsv: Input/output error +Validating corruption (direct I/O)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading just corrupted part)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading full file via mmap)... +Bus error +Validating corruption (reading just corrupted part via mmap)... +Bus error + +# Corruption test: file_len=130999 zap_offset=131000 zap_len=72 +f5cca0d7fbb8b02bc6118a9954d5d306 SCRATCH_MNT/file.fsv +Corrupting bytes... +Validating corruption (reading full file)... +md5sum: SCRATCH_MNT/file.fsv: Input/output error +Validating corruption (direct I/O)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading just corrupted part)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading full file via mmap)... +Bus error +Validating corruption (reading just corrupted part via mmap)... +Bus error + +# Corruption test: file_len=200000 zap_offset=100 (in Merkle tree) zap_len=10 +4a1e4325031b13f933ac4f1db9ecb63f SCRATCH_MNT/file.fsv +Corrupting bytes... +Validating corruption (reading full file)... +md5sum: SCRATCH_MNT/file.fsv: Input/output error +Validating corruption (direct I/O)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading full file via mmap)... +Bus error + +# Corruption test: file_len=200000 (sparse) zap_offset=100 (in Merkle tree) zap_len=10 +4a1e4325031b13f933ac4f1db9ecb63f SCRATCH_MNT/file.fsv +Corrupting bytes... +Validating corruption (reading full file)... +md5sum: SCRATCH_MNT/file.fsv: Input/output error +Validating corruption (direct I/O)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading full file via mmap)... +Bus error diff --git a/tests/generic/group b/tests/generic/group index 003fbff4..ffdc7640 100644 --- a/tests/generic/group +++ b/tests/generic/group @@ -561,3 +561,4 @@ 556 auto quick casefold 900 auto quick verity 901 auto quick verity +902 auto quick verity From patchwork Thu Jun 20 21:36:12 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11008237 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 7BD921986 for ; Thu, 20 Jun 2019 21:38:43 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6FDB9287E9 for ; Thu, 20 Jun 2019 21:38:43 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 642F8288ED; Thu, 20 Jun 2019 21:38:43 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id F088A288FA for ; Thu, 20 Jun 2019 21:38:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726032AbfFTVil (ORCPT ); Thu, 20 Jun 2019 17:38:41 -0400 Received: from mail.kernel.org ([198.145.29.99]:47206 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726525AbfFTVik (ORCPT ); Thu, 20 Jun 2019 17:38:40 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 27522215EA; Thu, 20 Jun 2019 21:38:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1561066719; bh=5CM983t566SpUFL1OYw+Q9AJLEmW5fX4XcdwmQ5M32Y=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=F0AW4GOhOUWI7+lfy2qlw36rAS9/dND8eokd1WdzuWs5AjH60tQcPWmvp12koGVk8 h72mVFhWcqc2BthwBYyKdPcPeD91ECdKmAjcTEfX0Cl5m1fTvx5h+ADyh6dNW9ZBf9 NE+mBDSEiRSOkrLu4VL3jgZAYs7lJsHaQA+b4sho= From: Eric Biggers To: fstests@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Jaegeuk Kim , "Theodore Y . Ts'o" , Victor Hsieh Subject: [RFC PATCH v2 6/8] generic: test that fs-verity is using the correct measurement values Date: Thu, 20 Jun 2019 14:36:12 -0700 Message-Id: <20190620213614.113685-7-ebiggers@kernel.org> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog In-Reply-To: <20190620213614.113685-1-ebiggers@kernel.org> References: <20190620213614.113685-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers This test verifies that fs-verity is doing its Merkle tree-based hashing correctly, i.e. that it hasn't been broken by a change. Signed-off-by: Eric Biggers --- tests/generic/903 | 112 ++++++++++++++++++++++++++++++++++++++++++ tests/generic/903.out | 5 ++ tests/generic/group | 1 + 3 files changed, 118 insertions(+) create mode 100755 tests/generic/903 create mode 100644 tests/generic/903.out diff --git a/tests/generic/903 b/tests/generic/903 new file mode 100755 index 00000000..55f4a3ba --- /dev/null +++ b/tests/generic/903 @@ -0,0 +1,112 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2018 Google LLC +# +# FS QA Test generic/903 +# +# Test that fs-verity is using the correct measurement values. This test +# verifies that fs-verity is doing its Merkle tree-based hashing correctly, +# i.e. that it hasn't been broken by a change. +# +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + cd / + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter +. ./common/verity + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here +_supported_fs generic +_supported_os Linux +_require_scratch_verity +if [ $FSV_BLOCK_SIZE != 4096 ]; then + _notrun "4096-byte verity block size not supported on this platform" +fi + +_scratch_mkfs_verity &>> $seqres.full +_scratch_mount +fsv_orig_file=$SCRATCH_MNT/file +fsv_file=$SCRATCH_MNT/file.fsv + +algs=(sha256 sha512) + +# Try files with 0, 1, and multiple Merkle tree levels. +file_sizes=(0 4096 65536 65536 100000000) + +# Try both unsalted and salted, and check that empty salt is the same as no salt +salts=('' '' '' '--salt=' '--salt=f3c93fa6fb828c0e1587e5714ecf6f56') + +# The expected file measurements are here rather than in the expected output +# file because not all hash algorithms may be available. +sha256_vals=( +sha256:3d248ca542a24fc62d1c43b916eae5016878e2533c88238480b26128a1f1af95 +sha256:babc284ee4ffe7f449377fbf6692715b43aec7bc39c094a95878904d34bac97e +sha256:011e3f2b1dc89b75d78cddcc2a1b85cd8a64b2883e5f20f277ae4c0617e0404f +sha256:011e3f2b1dc89b75d78cddcc2a1b85cd8a64b2883e5f20f277ae4c0617e0404f +sha256:9d33cab743468fcbe4edab91a275b30dd543c12dd5e6ce6f2f737f66a1558f06 +) +sha512_vals=( +sha512:ccf9e5aea1c2a64efa2f2354a6024b90dffde6bbc017825045dce374474e13d10adb9dadcc6ca8e17a3c075fbd31336e8f266ae6fa93a6c3bed66f9e784e5abf +sha512:928922686c4caf32175f5236a7f964e9925d10a74dc6d8344a8bd08b23c228ff5792573987d7895f628f39c4f4ebe39a7367d7aeb16aaa0cd324ac1d53664e61 +sha512:eab7224ce374a0a4babcb2db25e24836247f38b87806ad9be9e5ba4daac2f5b814fc0cbdfd9f1f8499b3c9a6c1b38fe08974cce49883ab4ccd04462fd2f9507f +sha512:eab7224ce374a0a4babcb2db25e24836247f38b87806ad9be9e5ba4daac2f5b814fc0cbdfd9f1f8499b3c9a6c1b38fe08974cce49883ab4ccd04462fd2f9507f +sha512:f7083a38644880d25539488313e9e5b41a4d431a0e383945129ad2c36e3c1d0f28928a424641bb1363c12b6e770578102566acea73baf1ce8ee15336f5ba2446 +) + +test_alg() +{ + local alg=$1 + local -n vals=${alg}_vals + local i + local file_size + local expected actual salt_arg + + _fsv_scratch_begin_subtest "Check for expected measurement values ($alg)" + + if ! _fsv_have_hash_algorithm $alg $fsv_file; then + if [ "$alg" = sha256 ]; then + _fail "Something is wrong - sha256 hash should always be available" + fi + return 0 + fi + + for i in ${!file_sizes[@]}; do + file_size=${file_sizes[$i]} + expected=${vals[$i]} + salt_arg=${salts[$i]} + + head -c $file_size /dev/zero > $fsv_orig_file + cp $fsv_orig_file $fsv_file + _fsv_enable --hash-alg=$alg $salt_arg $fsv_file + actual=$(_fsv_measure $fsv_file) + if [ "$actual" != "$expected" ]; then + echo "Mismatch: expected $expected, kernel calculated $actual (file_size=$file_size)" + fi + cmp $fsv_orig_file $fsv_file + rm -f $fsv_file + done +} + +for alg in ${algs[@]}; do + test_alg $alg +done + +# success, all done +status=0 +exit diff --git a/tests/generic/903.out b/tests/generic/903.out new file mode 100644 index 00000000..02508828 --- /dev/null +++ b/tests/generic/903.out @@ -0,0 +1,5 @@ +QA output created by 903 + +# Check for expected measurement values (sha256) + +# Check for expected measurement values (sha512) diff --git a/tests/generic/group b/tests/generic/group index ffdc7640..3927f779 100644 --- a/tests/generic/group +++ b/tests/generic/group @@ -562,3 +562,4 @@ 900 auto quick verity 901 auto quick verity 902 auto quick verity +903 auto quick verity From patchwork Thu Jun 20 21:36:13 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11008253 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D3AB11932 for ; Thu, 20 Jun 2019 21:38:50 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C7340287E9 for ; Thu, 20 Jun 2019 21:38:50 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id BB6A5288FA; Thu, 20 Jun 2019 21:38:50 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5F31D287FA for ; Thu, 20 Jun 2019 21:38:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726554AbfFTVip (ORCPT ); Thu, 20 Jun 2019 17:38:45 -0400 Received: from mail.kernel.org ([198.145.29.99]:47218 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726551AbfFTVik (ORCPT ); Thu, 20 Jun 2019 17:38:40 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 86187214AF; Thu, 20 Jun 2019 21:38:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1561066719; bh=fZRcCueYWlIUE+x9dYmZJUdxrmHOPyZEN3htnAyEhTU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=rvmexbB6szRvVaiWTEj3W9AkIUBUiWayaOoN1gOpNATayH+V68NpSBXFp7tCmKAXt 94p5kJ1NcTHN9KCcF86H3+lOVI/qfIvu37eNRy17ZuoprCj6fj/dSoBrlJNxqbH6pU WgVmfKQJCmHvglPMPJwUaSTSiv/u0FsMiYKYWxm0= From: Eric Biggers To: fstests@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Jaegeuk Kim , "Theodore Y . Ts'o" , Victor Hsieh Subject: [RFC PATCH v2 7/8] generic: test using fs-verity and fscrypt simultaneously Date: Thu, 20 Jun 2019 14:36:13 -0700 Message-Id: <20190620213614.113685-8-ebiggers@kernel.org> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog In-Reply-To: <20190620213614.113685-1-ebiggers@kernel.org> References: <20190620213614.113685-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers This primarily verifies correct ordering of the hooks for each feature: fscrypt needs to be first. Signed-off-by: Eric Biggers --- tests/generic/904 | 80 +++++++++++++++++++++++++++++++++++++++++++ tests/generic/904.out | 12 +++++++ tests/generic/group | 1 + 3 files changed, 93 insertions(+) create mode 100755 tests/generic/904 create mode 100644 tests/generic/904.out diff --git a/tests/generic/904 b/tests/generic/904 new file mode 100755 index 00000000..61bdae22 --- /dev/null +++ b/tests/generic/904 @@ -0,0 +1,80 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2018 Google LLC +# +# FS QA Test generic/904 +# +# Test using fs-verity and fscrypt simultaneously. This primarily verifies +# correct ordering of the hooks for each feature: fscrypt needs to be first. +# +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + cd / + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter +. ./common/verity +. ./common/encrypt + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here +_supported_fs generic +_supported_os Linux +_require_scratch_verity +_require_scratch_encryption +_require_command "$KEYCTL_PROG" keyctl + +_scratch_mkfs_encrypted_verity &>> $seqres.full +_scratch_mount + +fsv_orig_file=$tmp.file +edir=$SCRATCH_MNT/edir +fsv_file=$edir/file.fsv + +# Set up an encrypted directory. +_new_session_keyring +keydesc=$(_generate_encryption_key) +mkdir $edir +_set_encpolicy $edir $keydesc + +# Create a file within the encrypted directory and enable verity on it. +# Then check that it has an encryption policy as well. +head -c 100000 /dev/zero > $fsv_orig_file +cp $fsv_orig_file $fsv_file +_fsv_enable $fsv_file +echo +$XFS_IO_PROG -r -c "get_encpolicy" $fsv_file | _filter_scratch \ + | sed 's/Master key descriptor:.*/Master key descriptor: 0000000000000000/' +echo + +# Verify that the file contents are as expected. This should be going through +# both the decryption and verity I/O paths. +cmp $fsv_orig_file $fsv_file && echo "Files matched" + +# Just in case, try again after a mount cycle to empty the page cache. +_scratch_cycle_mount +cmp $fsv_orig_file $fsv_file && echo "Files matched" + +# Corrupt some bytes as a sanity check that fs-verity is really working. +# This also verifies that the data on-disk is really encrypted, since otherwise +# the data being written here would be identical to the old data. +head -c 1000 /dev/zero | _fsv_scratch_corrupt_bytes $fsv_file 50000 +md5sum $fsv_file |& _filter_scratch + +# success, all done +status=0 +exit diff --git a/tests/generic/904.out b/tests/generic/904.out new file mode 100644 index 00000000..5f4e249a --- /dev/null +++ b/tests/generic/904.out @@ -0,0 +1,12 @@ +QA output created by 904 + +Encryption policy for SCRATCH_MNT/edir/file.fsv: + Policy version: 0 + Master key descriptor: 0000000000000000 + Contents encryption mode: 1 (AES-256-XTS) + Filenames encryption mode: 4 (AES-256-CTS) + Flags: 0x02 + +Files matched +Files matched +md5sum: SCRATCH_MNT/edir/file.fsv: Input/output error diff --git a/tests/generic/group b/tests/generic/group index 3927f779..5b4c32ff 100644 --- a/tests/generic/group +++ b/tests/generic/group @@ -563,3 +563,4 @@ 901 auto quick verity 902 auto quick verity 903 auto quick verity +904 auto quick verity encrypt From patchwork Thu Jun 20 21:36:14 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11008241 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id AEEF41932 for ; Thu, 20 Jun 2019 21:38:44 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A26FE287E9 for ; Thu, 20 Jun 2019 21:38:44 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 93DDD287FA; Thu, 20 Jun 2019 21:38:44 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 08AA5287FA for ; Thu, 20 Jun 2019 21:38:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726059AbfFTVim (ORCPT ); Thu, 20 Jun 2019 17:38:42 -0400 Received: from mail.kernel.org ([198.145.29.99]:47234 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726554AbfFTVil (ORCPT ); Thu, 20 Jun 2019 17:38:41 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E485521530; Thu, 20 Jun 2019 21:38:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1561066720; bh=tD13SQPiq6U//Di45+l/aLXBU1zkuW4qczDAR3KDkUg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=OHRKAUozrSLQsYLc+Vn9OWH/pKZWtrUwNpbkGoIc6ngnZUxSmkx0Cv0OzmA4eYuPL zc6dpyYI7P1ohPcYsAgLTsfxsQ42hQdtrcuAJbw7txyT+3r4HlfINrFI3CioLYXPtC bhnYKW4PJKS/lur1AfMSSKKpCkvvwLtfFcL6u8Fs= From: Eric Biggers To: fstests@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Jaegeuk Kim , "Theodore Y . Ts'o" , Victor Hsieh Subject: [RFC PATCH v2 8/8] generic: test the fs-verity built-in signature verification support Date: Thu, 20 Jun 2019 14:36:14 -0700 Message-Id: <20190620213614.113685-9-ebiggers@kernel.org> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog In-Reply-To: <20190620213614.113685-1-ebiggers@kernel.org> References: <20190620213614.113685-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers Add a basic test for the fs-verity built-in signature verification support, which is an optional feature where the kernel can be configured to enforce that all verity files are accompanied with a valid signature by a key that has been loaded into the fs-verity keyring. Signed-off-by: Eric Biggers --- common/config | 1 + common/verity | 11 ++++ tests/generic/905 | 141 ++++++++++++++++++++++++++++++++++++++++++ tests/generic/905.out | 34 ++++++++++ tests/generic/group | 1 + 5 files changed, 188 insertions(+) create mode 100755 tests/generic/905 create mode 100644 tests/generic/905.out diff --git a/common/config b/common/config index 001ddc45..1aaf0a75 100644 --- a/common/config +++ b/common/config @@ -213,6 +213,7 @@ export XFS_INFO_PROG="$(type -P xfs_info)" export DUPEREMOVE_PROG="$(type -P duperemove)" export CC_PROG="$(type -P cc)" export FSVERITY_PROG="$(type -P fsverity)" +export OPENSSL_PROG="$(type -P openssl)" # use 'udevadm settle' or 'udevsettle' to wait for lv to be settled. # newer systems have udevadm command but older systems like RHEL5 don't. diff --git a/common/verity b/common/verity index 86fb6585..edd7e523 100644 --- a/common/verity +++ b/common/verity @@ -35,6 +35,17 @@ _require_scratch_verity() FSV_BLOCK_SIZE=$(get_page_size) } +# Check for CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y. +_require_fsverity_builtin_signatures() +{ + if [ ! -e /proc/keys ]; then + _notrun "kernel doesn't support keyrings" + fi + if ! awk '{print $9}' /proc/keys | grep -q '^\.fs-verity:$'; then + _notrun "kernel doesn't support fs-verity builtin signatures" + fi +} + _scratch_mkfs_verity() { case $FSTYP in diff --git a/tests/generic/905 b/tests/generic/905 new file mode 100755 index 00000000..db83d221 --- /dev/null +++ b/tests/generic/905 @@ -0,0 +1,141 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2019 Google LLC +# +# FS QA Test generic/905 +# +# Test the fs-verity built-in signature verification support. +# +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + sysctl -w fs.verity.require_signatures=0 &>/dev/null + cd / + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter +. ./common/verity + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here +_supported_fs generic +_supported_os Linux +_require_scratch_verity +_require_fsverity_builtin_signatures +_require_command "$OPENSSL_PROG" openssl +_require_command "$KEYCTL_PROG" keyctl + +_scratch_mkfs_verity &>> $seqres.full +_scratch_mount + +fsv_file=$SCRATCH_MNT/file.fsv +fsv_orig_file=$SCRATCH_MNT/file +keyfile=$tmp.key.pem +certfile=$tmp.cert.pem +certfileder=$tmp.cert.der +sigfile=$tmp.sig +othersigfile=$tmp.othersig +tmpfile=$tmp.tmp + +# Setup + +echo -e "\n# Generating certificates and private keys" +for suffix in '' '.2'; do + if ! $OPENSSL_PROG req -newkey rsa:4096 -nodes -batch -x509 \ + -keyout $keyfile$suffix -out $certfile$suffix \ + &>> $seqres.full; then + _fail "Failed to generate certificate and private key (see $seqres.full)" + fi + $OPENSSL_PROG x509 -in $certfile$suffix -out $certfileder$suffix \ + -outform der +done + +echo -e "\n# Clearing fs-verity keyring" +$KEYCTL_PROG clear %keyring:.fs-verity + +echo -e "\n# Loading first certificate into fs-verity keyring" +$KEYCTL_PROG padd asymmetric '' %keyring:.fs-verity \ + < $certfileder >> $seqres.full + +echo -e "\n# Enabling fs.verity.require_signatures" +sysctl -w fs.verity.require_signatures=1 + +echo -e "\n# Generating file and signing it for fs-verity" +head -c 100000 /dev/urandom > $fsv_orig_file +for suffix in '' '.2'; do + $FSVERITY_PROG sign $fsv_orig_file $sigfile$suffix \ + --key=$keyfile$suffix --cert=$certfile$suffix +done + +echo -e "\n# Signing a different file for fs-verity" +head -c 100000 /dev/zero > $tmpfile +$FSVERITY_PROG sign $tmpfile $othersigfile --key=$keyfile --cert=$certfile + +# Actual tests + +reset_fsv_file() +{ + rm -f $fsv_file + cp $fsv_orig_file $fsv_file +} + +echo -e "\n# Enabling verity with valid signature (should succeed)" +reset_fsv_file +_fsv_enable $fsv_file --signature=$sigfile +cmp $fsv_file $fsv_orig_file + +echo -e "\n# Enabling verity without signature (should fail)" +reset_fsv_file +_fsv_enable $fsv_file |& _filter_scratch + +echo -e "\n# Opening verity file without signature (should fail)" +reset_fsv_file +sysctl -w fs.verity.require_signatures=0 &>> $seqres.full +_fsv_enable $fsv_file +sysctl -w fs.verity.require_signatures=1 &>> $seqres.full +_scratch_cycle_mount +md5sum $fsv_file |& _filter_scratch + +echo -e "\n# Enabling verity with wrong file's signature (should fail)" +reset_fsv_file +_fsv_enable $fsv_file --signature=$othersigfile |& _filter_scratch + +echo -e "\n# Enabling verity with untrusted signature (should fail)" +reset_fsv_file +_fsv_enable $fsv_file --signature=$sigfile.2 |& _filter_scratch + +echo -e "\n# Testing salt" +reset_fsv_file +$FSVERITY_PROG sign $fsv_orig_file $sigfile.salted \ + --key=$keyfile --cert=$certfile --salt=abcd +_fsv_enable $fsv_file --signature=$sigfile.salted --salt=abcd + +echo -e "\n# Testing non-default hash algorithm" +if _fsv_have_hash_algorithm sha512 $fsv_file; then + reset_fsv_file + $FSVERITY_PROG sign $fsv_orig_file $sigfile.sha512 \ + --key=$keyfile --cert=$certfile --hash-alg=sha512 + _fsv_enable $fsv_file --signature=$sigfile.sha512 --hash-alg=sha512 +fi + +echo -e "\n# Testing empty file" +echo -n > $fsv_file +$FSVERITY_PROG sign $fsv_file $sigfile.emptyfile --key=$keyfile --cert=$certfile +_fsv_enable $fsv_file --signature=$sigfile.emptyfile + +# success, all done +status=0 +exit diff --git a/tests/generic/905.out b/tests/generic/905.out new file mode 100644 index 00000000..76707b5c --- /dev/null +++ b/tests/generic/905.out @@ -0,0 +1,34 @@ +QA output created by 905 + +# Generating certificates and private keys + +# Clearing fs-verity keyring + +# Loading first certificate into fs-verity keyring + +# Enabling fs.verity.require_signatures +fs.verity.require_signatures = 1 + +# Generating file and signing it for fs-verity + +# Signing a different file for fs-verity + +# Enabling verity with valid signature (should succeed) + +# Enabling verity without signature (should fail) +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Bad message + +# Opening verity file without signature (should fail) +md5sum: SCRATCH_MNT/file.fsv: Bad message + +# Enabling verity with wrong file's signature (should fail) +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Bad message + +# Enabling verity with untrusted signature (should fail) +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Required key not available + +# Testing salt + +# Testing non-default hash algorithm + +# Testing empty file diff --git a/tests/generic/group b/tests/generic/group index 5b4c32ff..bfbb4957 100644 --- a/tests/generic/group +++ b/tests/generic/group @@ -564,3 +564,4 @@ 902 auto quick verity 903 auto quick verity 904 auto quick verity encrypt +905 auto quick verity