From patchwork Mon Jul 1 18:25:40 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11026581 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 79CD8138B for ; Mon, 1 Jul 2019 18:27:30 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6661F1FE8D for ; Mon, 1 Jul 2019 18:27:30 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 57C9E25E13; Mon, 1 Jul 2019 18:27:30 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 492AD1FE8D for ; Mon, 1 Jul 2019 18:27:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726563AbfGAS13 (ORCPT ); Mon, 1 Jul 2019 14:27:29 -0400 Received: from mail.kernel.org ([198.145.29.99]:42056 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726329AbfGAS12 (ORCPT ); Mon, 1 Jul 2019 14:27:28 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id D2A0A2173E; Mon, 1 Jul 2019 18:27:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1562005648; bh=/TqjxXaacZLBl0M7a8866fUvjTCYt+qsAku09GMwzaU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=dQxxnHv37PKpFTpe8HW/se53kzv2A74FRRJO7BSy/a5dyvDMNuJrBMDsVO8W0NWUB JHKyMofa2PmzzQfBIwHsfTqtGv2KnbDstYHG4UTyPTAha3d9pfK6WCvzhZnqKNFUXP EZA20sZJxUFH5y3OMwpTwzqY7+Y+7H4LjaHU0mmc= From: Eric Biggers To: fstests@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Jaegeuk Kim , "Theodore Y . Ts'o" , Victor Hsieh Subject: [RFC PATCH v3 1/8] common/filter: add _filter_xfs_io_fiemap() Date: Mon, 1 Jul 2019 11:25:40 -0700 Message-Id: <20190701182547.165856-2-ebiggers@kernel.org> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog In-Reply-To: <20190701182547.165856-1-ebiggers@kernel.org> References: <20190701182547.165856-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers Add _filter_xfs_io_fiemap() to clean up the output of 'xfs_io -c fiemap'. This will be used by a function in common/verity. Signed-off-by: Eric Biggers --- common/filter | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/common/filter b/common/filter index ed082d24..9ad43ff4 100644 --- a/common/filter +++ b/common/filter @@ -541,6 +541,30 @@ _filter_filefrag() $flags, "\n"' } +# Clean up the extents list output of 'xfs_io -c fiemap', e.g. +# +# file: +# 0: [0..79]: 628365312..628365391 +# 1: [80..159]: hole +# 2: [160..319]: 628365472..628365631 +# => +# 0 79 628365312 628365391 +# 160 319 628365472 628365631 +# +# The fields are: +# +# first_logical_block last_logical_block first_physical_block last_physical_block +# +# Blocks are 512 bytes, and holes are omitted. +# +_filter_xfs_io_fiemap() +{ + grep -E '^[[:space:]]+[0-9]+:' \ + | grep -v '\' \ + | sed -E 's/^[[:space:]]+[0-9]+://' \ + | tr '][.:' ' ' +} + # We generate WARNINGs on purpose when applications mix buffered/mmap IO with # direct IO on the same file. This is a helper for _check_dmesg() to filter out # such warnings. From patchwork Mon Jul 1 18:25:41 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11026615 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id EEABE1921 for ; Mon, 1 Jul 2019 18:27:36 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E1DF71FE8D for ; Mon, 1 Jul 2019 18:27:36 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id D631225E13; Mon, 1 Jul 2019 18:27:36 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4642626CFF for ; Mon, 1 Jul 2019 18:27:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726702AbfGAS1a (ORCPT ); Mon, 1 Jul 2019 14:27:30 -0400 Received: from mail.kernel.org ([198.145.29.99]:42070 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726442AbfGAS13 (ORCPT ); Mon, 1 Jul 2019 14:27:29 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 2DF0321841; Mon, 1 Jul 2019 18:27:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1562005648; bh=h8X5PV0gURpdX3fp8i8QmUWNau3EZlWkadg+5EMJTw8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=1wTKmYV16nhawJp+A/nsuDx+zHyhaR3fOXdx7SSvs80cI8J61FDYtNk4KstfEMRem u7g5SYngIfgKdnyl7A1V4s4eracmGn96Zjjd2lfkri8YOX0IEfKh+tXIrwnfv64WHg ssEh2++KpxUCS0YUkv0YEpYcUNCu1LKtSh3KbkWA= From: Eric Biggers To: fstests@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Jaegeuk Kim , "Theodore Y . Ts'o" , Victor Hsieh Subject: [RFC PATCH v3 2/8] common/verity: add common functions for testing fs-verity Date: Mon, 1 Jul 2019 11:25:41 -0700 Message-Id: <20190701182547.165856-3-ebiggers@kernel.org> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog In-Reply-To: <20190701182547.165856-1-ebiggers@kernel.org> References: <20190701182547.165856-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers Add common functions for setting up and testing fs-verity, a new feature for read-only file-based authenticity protection. fs-verity will be supported by ext4 and f2fs, and perhaps by other filesystems later. Running the fs-verity tests requires: - A kernel with the fs-verity patches from https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git branch "fsverity" and configured with CONFIG_FS_VERITY. - The fsverity utility program from https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git - e2fsprogs v1.45.2 or later for ext4 tests, or f2fs-tools v1.11.0 or later for f2fs tests. See the file Documentation/filesystems/fsverity.rst in the kernel tree for more information about fs-verity. Signed-off-by: Eric Biggers --- common/config | 1 + common/verity | 199 ++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 200 insertions(+) create mode 100644 common/verity diff --git a/common/config b/common/config index bd64be62..001ddc45 100644 --- a/common/config +++ b/common/config @@ -212,6 +212,7 @@ export CHECKBASHISMS_PROG="$(type -P checkbashisms)" export XFS_INFO_PROG="$(type -P xfs_info)" export DUPEREMOVE_PROG="$(type -P duperemove)" export CC_PROG="$(type -P cc)" +export FSVERITY_PROG="$(type -P fsverity)" # use 'udevadm settle' or 'udevsettle' to wait for lv to be settled. # newer systems have udevadm command but older systems like RHEL5 don't. diff --git a/common/verity b/common/verity new file mode 100644 index 00000000..a8aae51e --- /dev/null +++ b/common/verity @@ -0,0 +1,199 @@ +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2018 Google LLC +# +# Functions for setting up and testing fs-verity + +_require_scratch_verity() +{ + _require_scratch + _require_command "$FSVERITY_PROG" fsverity + + if ! _scratch_mkfs_verity &>>$seqres.full; then + # ext4: need e2fsprogs v1.44.5 or later (but actually v1.45.2+ + # is needed for some tests to pass, due to an e2fsck bug) + # f2fs: need f2fs-tools v1.11.0 or later + _notrun "$FSTYP userspace tools don't support fs-verity" + fi + + # Try to mount the filesystem. If this fails then either the kernel + # isn't aware of fs-verity, or the mkfs options were not compatible with + # verity (e.g. ext4 with block size != PAGE_SIZE). + if ! _try_scratch_mount &>>$seqres.full; then + _notrun "kernel is unaware of $FSTYP verity feature," \ + "or mkfs options are not compatible with verity" + fi + + # The filesystem may be aware of fs-verity but have it disabled by + # CONFIG_FS_VERITY=n. Detect support via sysfs. + if [ ! -e /sys/fs/$FSTYP/features/verity ]; then + _notrun "kernel $FSTYP isn't configured with verity support" + fi + + # The filesystem may have fs-verity enabled but not actually usable by + # default. E.g., ext4 only supports verity on extent-based files, so it + # doesn't work on ext3-style filesystems. So, try actually using it. + echo foo > $SCRATCH_MNT/tmpfile + if ! _fsv_enable $SCRATCH_MNT/tmpfile; then + _notrun "$FSTYP verity isn't usable by default with these mkfs options" + fi + rm -f $SCRATCH_MNT/tmpfile + + _scratch_unmount + + # Merkle tree block size. Currently all filesystems only support + # PAGE_SIZE for this. This is also the default for 'fsverity enable'. + FSV_BLOCK_SIZE=$(get_page_size) +} + +_scratch_mkfs_verity() +{ + case $FSTYP in + ext4|f2fs) + _scratch_mkfs -O verity + ;; + *) + _notrun "No verity support for $FSTYP" + ;; + esac +} + +_scratch_mkfs_encrypted_verity() +{ + case $FSTYP in + ext4) + _scratch_mkfs -O encrypt,verity + ;; + f2fs) + # f2fs-tools as of v1.11.0 doesn't allow comma-separated + # features with -O. Instead -O must be supplied multiple times. + _scratch_mkfs -O encrypt -O verity + ;; + *) + _notrun "$FSTYP not supported in _scratch_mkfs_encrypted_verity" + ;; + esac +} + +_fsv_scratch_begin_subtest() +{ + local msg=$1 + + rm -rf "${SCRATCH_MNT:?}"/* + echo -e "\n# $msg" +} + +_fsv_enable() +{ + $FSVERITY_PROG enable "$@" +} + +_fsv_measure() +{ + $FSVERITY_PROG measure "$@" | awk '{print $1}' +} + +# Generate a file, then enable verity on it. +_fsv_create_enable_file() +{ + local file=$1 + shift + + head -c $((FSV_BLOCK_SIZE * 2)) /dev/zero > "$file" + _fsv_enable "$file" "$@" +} + +_fsv_have_hash_algorithm() +{ + local hash_alg=$1 + local test_file=$2 + + rm -f $test_file + head -c 4096 /dev/zero > $test_file + if ! _fsv_enable --hash-alg=$hash_alg $test_file &>> $seqres.full; then + # no kernel support + return 1 + fi + rm -f $test_file + return 0 +} + +# +# _fsv_scratch_corrupt_bytes - Write some bytes to a file, bypassing the filesystem +# +# Write the bytes sent on stdin to the given offset in the given file, but do so +# by writing directly to the extents on the block device, with the filesystem +# unmounted. This can be used to corrupt a verity file for testing purposes, +# bypassing the restrictions imposed by the filesystem. +# +# The file is assumed to be located on $SCRATCH_DEV. +# +_fsv_scratch_corrupt_bytes() +{ + local file=$1 + local offset=$2 + local lstart lend pstart pend + local dd_cmds=() + local cmd + + sync # Sync to avoid unwritten extents + + cat > $tmp.bytes + local end=$(( offset + $(stat -c %s $tmp.bytes ) )) + + # For each extent that intersects the requested range in order, add a + # command that writes the next part of the data to that extent. + while read -r lstart lend pstart pend; do + lstart=$((lstart * 512)) + lend=$(((lend + 1) * 512)) + pstart=$((pstart * 512)) + pend=$(((pend + 1) * 512)) + + if (( lend - lstart != pend - pstart )); then + _fail "Logical and physical extent lengths differ for file '$file'" + elif (( offset < lstart )); then + _fail "Hole in file '$file' at byte $offset. Next extent begins at byte $lstart" + elif (( offset < lend )); then + local len=$((lend - offset)) + local seek=$((pstart + (offset - lstart))) + dd_cmds+=("head -c $len | dd of=$SCRATCH_DEV oflag=seek_bytes seek=$seek status=none") + (( offset += len )) + fi + done < <($XFS_IO_PROG -r -c "fiemap $offset $((end - offset))" "$file" \ + | _filter_xfs_io_fiemap) + + if (( offset < end )); then + _fail "Extents of file '$file' ended at byte $offset, but needed until $end" + fi + + # Execute the commands to write the data + _scratch_unmount + for cmd in "${dd_cmds[@]}"; do + eval "$cmd" + done < $tmp.bytes + sync # Sync to flush the block device's pagecache + _scratch_mount +} + +# +# _fsv_scratch_corrupt_merkle_tree - Corrupt a file's Merkle tree +# +# Like _fsv_scratch_corrupt_bytes(), but this corrupts the file's fs-verity +# Merkle tree. The offset is given as a byte offset into the Merkle tree. +# +_fsv_scratch_corrupt_merkle_tree() +{ + local file=$1 + local offset=$2 + + case $FSTYP in + ext4|f2fs) + # ext4 and f2fs store the Merkle tree after the file contents + # itself, starting at the next 65536-byte aligned boundary. + (( offset += ($(stat -c %s $file) + 65535) & ~65535 )) + _fsv_scratch_corrupt_bytes $file $offset + ;; + *) + _fail "_fsv_scratch_corrupt_merkle_tree() unimplemented on $FSTYP" + ;; + esac +} From patchwork Mon Jul 1 18:25:42 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11026611 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9590B18E8 for ; Mon, 1 Jul 2019 18:27:36 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8B0861FE8E for ; Mon, 1 Jul 2019 18:27:36 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 7F81C205FB; Mon, 1 Jul 2019 18:27:36 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B9623219AC for ; Mon, 1 Jul 2019 18:27:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726442AbfGAS1a (ORCPT ); Mon, 1 Jul 2019 14:27:30 -0400 Received: from mail.kernel.org ([198.145.29.99]:42080 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726462AbfGAS1a (ORCPT ); Mon, 1 Jul 2019 14:27:30 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 7CF632183F; Mon, 1 Jul 2019 18:27:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1562005648; bh=GgHe2pDOgx2EgjfzSjYlGCopRfHCgOnwQBH27hbteQI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Wuu3Qe5UC89mrLrDKaaD/ZdViFqspX4r1cPm7P7RgtWnyKU5stvaIHrc6kexImXU4 XoO6KgsUlVc/2IGl4IEOWV5TJv95dlZ4Eh/slqnTZ8MjuzRKbL33mLjRJbtMvqmU9p S99hpv84mvvnhQ6jf3CmDTbDoTXdlEWyLUrfzlgk= From: Eric Biggers To: fstests@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Jaegeuk Kim , "Theodore Y . Ts'o" , Victor Hsieh Subject: [RFC PATCH v3 3/8] generic: test general behavior of verity files Date: Mon, 1 Jul 2019 11:25:42 -0700 Message-Id: <20190701182547.165856-4-ebiggers@kernel.org> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog In-Reply-To: <20190701182547.165856-1-ebiggers@kernel.org> References: <20190701182547.165856-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers This is a basic fs-verity test which verifies: - conditions for enabling verity - verity files have expected contents and size - can't change contents of verity files, but can change metadata - can retrieve a verity file's measurement via FS_IOC_MEASURE_VERITY Signed-off-by: Eric Biggers --- tests/generic/900 | 190 ++++++++++++++++++++++++++++++++++++++++++ tests/generic/900.out | 71 ++++++++++++++++ tests/generic/group | 1 + 3 files changed, 262 insertions(+) create mode 100755 tests/generic/900 create mode 100644 tests/generic/900.out diff --git a/tests/generic/900 b/tests/generic/900 new file mode 100755 index 00000000..144870a6 --- /dev/null +++ b/tests/generic/900 @@ -0,0 +1,190 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2018 Google LLC +# +# FS QA Test generic/900 +# +# This is a basic fs-verity test which verifies: +# +# - conditions for enabling verity +# - verity files have correct contents and size +# - can't change contents of verity files, but can change metadata +# - can retrieve a verity file's measurement via FS_IOC_MEASURE_VERITY +# +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + cd / + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter +. ./common/verity + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here +_supported_fs generic +_supported_os Linux +_require_scratch_verity + +_scratch_mkfs_verity &>> $seqres.full +_scratch_mount +fsv_orig_file=$SCRATCH_MNT/file +fsv_file=$SCRATCH_MNT/file.fsv + +verify_data_readable() +{ + local file=$1 + + md5sum $file > /dev/null +} + +verify_data_unreadable() +{ + local file=$1 + + # try both reading just the first data block, and reading until EOF + head -c $FSV_BLOCK_SIZE $file 2>&1 >/dev/null | _filter_scratch + md5sum $file |& _filter_scratch +} + +_fsv_scratch_begin_subtest "Enabling verity on file with verity already enabled fails with EEXIST" +_fsv_create_enable_file $fsv_file +echo "(trying again)" +_fsv_enable $fsv_file |& _filter_scratch + +_fsv_scratch_begin_subtest "Enabling verity with invalid hash algorithm fails with EINVAL" +_fsv_create_enable_file $fsv_file --hash-alg=257 |& _filter_scratch +verify_data_readable $fsv_file + +_fsv_scratch_begin_subtest "Enabling verity with invalid block size fails with EINVAL" +_fsv_create_enable_file $fsv_file --block-size=1 |& _filter_scratch +verify_data_readable $fsv_file + +_fsv_scratch_begin_subtest "Enabling verity on directory fails with EISDIR" +mkdir $SCRATCH_MNT/dir +_fsv_enable $SCRATCH_MNT/dir |& _filter_scratch + +_fsv_scratch_begin_subtest "Enabling verity with too-long salt fails with EMSGSIZE" +_fsv_create_enable_file $fsv_file --salt=$(perl -e 'print "A" x 1000') |& _filter_scratch +verify_data_readable $fsv_file + +_fsv_scratch_begin_subtest "Enabling verity on file on read-only filesystem fails with EROFS" +echo foo > $fsv_file +_scratch_remount ro +_fsv_enable $fsv_file |& _filter_scratch +_scratch_remount rw + +_fsv_scratch_begin_subtest "Enabling verity on file open for writing fails with ETXTBSY" +echo foo > $fsv_file +exec 3<> $fsv_file +_fsv_enable $fsv_file |& _filter_scratch +exec 3<&- +verify_data_readable $fsv_file + +_fsv_scratch_begin_subtest "Enabling verity can be interrupted" +dd if=/dev/zero of=$fsv_file bs=1 count=0 seek=$((1 << 34)) status=none +start_time=$(date +%s) +$FSVERITY_PROG enable $fsv_file & +sleep 0.5 +kill %1 +wait +elapsed=$(( $(date +%s) - start_time )) +if (( elapsed > 5 )); then + echo "Failed to interrupt FS_IOC_ENABLE_VERITY ($elapsed seconds elapsed)" +fi + +_fsv_scratch_begin_subtest "verity file can't be opened for writing" +_fsv_create_enable_file $fsv_file >> $seqres.full +echo "* reading" +$XFS_IO_PROG -r $fsv_file -c '' +echo "* xfs_io writing, should be O_RDWR" +$XFS_IO_PROG $fsv_file -c '' |& _filter_scratch +echo "* bash >>, should be O_APPEND" +bash -c "echo >> $fsv_file" |& _filter_scratch +echo "* bash >, should be O_WRONLY|O_CREAT|O_TRUNC" +bash -c "echo > $fsv_file" |& _filter_scratch + +_fsv_scratch_begin_subtest "verity file can be read" +_fsv_create_enable_file $fsv_file >> $seqres.full +verify_data_readable $fsv_file + +_fsv_scratch_begin_subtest "verity file can be measured" +_fsv_create_enable_file $fsv_file >> $seqres.full +_fsv_measure $fsv_file + +_fsv_scratch_begin_subtest "verity file can be renamed" +_fsv_create_enable_file $fsv_file +mv $fsv_file $fsv_file.newname + +_fsv_scratch_begin_subtest "verity file can be unlinked" +_fsv_create_enable_file $fsv_file +rm $fsv_file + +_fsv_scratch_begin_subtest "verity file can be linked to" +_fsv_create_enable_file $fsv_file +ln $fsv_file $fsv_file.newname + +_fsv_scratch_begin_subtest "verity file can be chmodded" +_fsv_create_enable_file $fsv_file +chmod 777 $fsv_file +chmod 444 $fsv_file + +_fsv_scratch_begin_subtest "verity file can be chowned" +_fsv_create_enable_file $fsv_file +chown 1:1 $fsv_file +chown 0:0 $fsv_file + +_fsv_scratch_begin_subtest "verity file has correct contents and size" +head -c 100000 /dev/urandom > $fsv_orig_file +cp $fsv_orig_file $fsv_file +_fsv_enable $fsv_file >> $seqres.full +cmp $fsv_file $fsv_orig_file +stat -c %s $fsv_file +_scratch_cycle_mount +cmp $fsv_file $fsv_orig_file +stat -c %s $fsv_file + +_fsv_scratch_begin_subtest "Trying to measure non-verity file fails with ENODATA" +echo foo > $fsv_file +_fsv_measure $fsv_file |& _filter_scratch +verify_data_readable $fsv_file + +# Test files <= 1 block in size. These are a bit of a special case since there +# are no hash blocks; the root hash is calculated directly over the data block. +for size in 1 $((FSV_BLOCK_SIZE - 1)) $FSV_BLOCK_SIZE; do + _fsv_scratch_begin_subtest "verity on $size-byte file" + head -c $size /dev/urandom > $fsv_orig_file + cp $fsv_orig_file $fsv_file + _fsv_enable $fsv_file + cmp $fsv_orig_file $fsv_file && echo "Files matched" + rm -f $fsv_file +done + +_fsv_scratch_begin_subtest "verity on 100M file (multiple levels in hash tree)" +head -c 100000000 /dev/urandom > $fsv_orig_file +cp $fsv_orig_file $fsv_file +_fsv_enable $fsv_file +cmp $fsv_orig_file $fsv_file && echo "Files matched" + +_fsv_scratch_begin_subtest "verity on sparse file" +dd if=/dev/zero of=$fsv_orig_file bs=1 count=1 seek=1000000 status=none +cp $fsv_orig_file $fsv_file +_fsv_enable $fsv_file +cmp $fsv_orig_file $fsv_file && echo "Files matched" + +# success, all done +status=0 +exit diff --git a/tests/generic/900.out b/tests/generic/900.out new file mode 100644 index 00000000..ff5162f3 --- /dev/null +++ b/tests/generic/900.out @@ -0,0 +1,71 @@ +QA output created by 900 + +# Enabling verity on file with verity already enabled fails with EEXIST +(trying again) +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': File exists + +# Enabling verity with invalid hash algorithm fails with EINVAL +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Invalid argument + +# Enabling verity with invalid block size fails with EINVAL +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Invalid argument + +# Enabling verity on directory fails with EISDIR +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/dir': Is a directory + +# Enabling verity with too-long salt fails with EMSGSIZE +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Message too long + +# Enabling verity on file on read-only filesystem fails with EROFS +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Read-only file system + +# Enabling verity on file open for writing fails with ETXTBSY +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Text file busy + +# Enabling verity can be interrupted + +# verity file can't be opened for writing +* reading +* xfs_io writing, should be O_RDWR +SCRATCH_MNT/file.fsv: Operation not permitted +* bash >>, should be O_APPEND +bash: SCRATCH_MNT/file.fsv: Operation not permitted +* bash >, should be O_WRONLY|O_CREAT|O_TRUNC +bash: SCRATCH_MNT/file.fsv: Operation not permitted + +# verity file can be read + +# verity file can be measured +sha256:be54121da3877f8852c65136d731784f134c4dd9d95071502e80d7be9f99b263 + +# verity file can be renamed + +# verity file can be unlinked + +# verity file can be linked to + +# verity file can be chmodded + +# verity file can be chowned + +# verity file has correct contents and size +100000 +100000 + +# Trying to measure non-verity file fails with ENODATA +ERROR: FS_IOC_MEASURE_VERITY failed on 'SCRATCH_MNT/file.fsv': No data available + +# verity on 1-byte file +Files matched + +# verity on 4095-byte file +Files matched + +# verity on 4096-byte file +Files matched + +# verity on 100M file (multiple levels in hash tree) +Files matched + +# verity on sparse file +Files matched diff --git a/tests/generic/group b/tests/generic/group index 543c0627..7f72b304 100644 --- a/tests/generic/group +++ b/tests/generic/group @@ -560,3 +560,4 @@ 555 auto quick cap 556 auto quick casefold 557 auto quick log +900 auto quick verity From patchwork Mon Jul 1 18:25:43 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11026589 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6EC7313A4 for ; Mon, 1 Jul 2019 18:27:31 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 62F151FE8D for ; Mon, 1 Jul 2019 18:27:31 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 577701FE8E; Mon, 1 Jul 2019 18:27:31 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DBE4D219AC for ; Mon, 1 Jul 2019 18:27:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726316AbfGAS1a (ORCPT ); Mon, 1 Jul 2019 14:27:30 -0400 Received: from mail.kernel.org ([198.145.29.99]:42084 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726329AbfGAS1a (ORCPT ); Mon, 1 Jul 2019 14:27:30 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id D28192184B; Mon, 1 Jul 2019 18:27:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1562005649; bh=U7Gh8ir4OCdfKq36Q2cZ7i6ciRgLXwzUMHrcALWwhtg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=fdeR3+53dALQlSrstHrhaTNzqTtQy+1qRhfWxu06cMjNADYvl7kiGR6dfeeV9+3Fp JprVUMqM9SPxZ55N0ffcX6d9TYMdmfvX/mUB1/hu29zJhfv7YgiuRCMz/QJ3qslrN2 N42qnZa+sUDixEp+Owwo4UmjjXf5I4I8+UQVs1kU= From: Eric Biggers To: fstests@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Jaegeuk Kim , "Theodore Y . Ts'o" , Victor Hsieh Subject: [RFC PATCH v3 4/8] generic: test access controls on the fs-verity ioctls Date: Mon, 1 Jul 2019 11:25:43 -0700 Message-Id: <20190701182547.165856-5-ebiggers@kernel.org> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog In-Reply-To: <20190701182547.165856-1-ebiggers@kernel.org> References: <20190701182547.165856-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers Test access controls on the fs-verity ioctls. FS_IOC_MEASURE_VERITY is allowed on any file, whereas FS_IOC_ENABLE_VERITY requires write access. Signed-off-by: Eric Biggers --- tests/generic/901 | 73 +++++++++++++++++++++++++++++++++++++++++++ tests/generic/901.out | 14 +++++++++ tests/generic/group | 1 + 3 files changed, 88 insertions(+) create mode 100755 tests/generic/901 create mode 100644 tests/generic/901.out diff --git a/tests/generic/901 b/tests/generic/901 new file mode 100755 index 00000000..56dab587 --- /dev/null +++ b/tests/generic/901 @@ -0,0 +1,73 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2018 Google LLC +# +# FS QA Test generic/901 +# +# Test access controls on the fs-verity ioctls. FS_IOC_MEASURE_VERITY is +# allowed on any file, whereas FS_IOC_ENABLE_VERITY requires write access. +# +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + cd / + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter +. ./common/verity + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here +_supported_fs generic +_supported_os Linux +_require_scratch_verity +_require_user +_require_chattr ia + +_scratch_mkfs_verity &>> $seqres.full +_scratch_mount +fsv_file=$SCRATCH_MNT/file.fsv + +_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY doesn't require root" +echo foo > $fsv_file +chmod 666 $fsv_file +_user_do "$FSVERITY_PROG enable $fsv_file" + +_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY requires write access" +echo foo > $fsv_file >> $seqres.full +chmod 444 $fsv_file +_user_do "$FSVERITY_PROG enable $fsv_file" |& _filter_scratch + +_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY requires !append-only" +echo foo > $fsv_file >> $seqres.full +$CHATTR_PROG +a $fsv_file +$FSVERITY_PROG enable $fsv_file |& _filter_scratch +$CHATTR_PROG -a $fsv_file + +_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY requires !immutable" +echo foo > $fsv_file >> $seqres.full +$CHATTR_PROG +i $fsv_file +$FSVERITY_PROG enable $fsv_file |& _filter_scratch +$CHATTR_PROG -i $fsv_file + +_fsv_scratch_begin_subtest "FS_IOC_MEASURE_VERITY doesn't require root" +_fsv_create_enable_file $fsv_file >> $seqres.full +chmod 444 $fsv_file +su $qa_user -c "$FSVERITY_PROG measure $fsv_file" >> $seqres.full + +# success, all done +status=0 +exit diff --git a/tests/generic/901.out b/tests/generic/901.out new file mode 100644 index 00000000..a9e4c364 --- /dev/null +++ b/tests/generic/901.out @@ -0,0 +1,14 @@ +QA output created by 901 + +# FS_IOC_ENABLE_VERITY doesn't require root + +# FS_IOC_ENABLE_VERITY requires write access +Permission denied + +# FS_IOC_ENABLE_VERITY requires !append-only +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Operation not permitted + +# FS_IOC_ENABLE_VERITY requires !immutable +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Operation not permitted + +# FS_IOC_MEASURE_VERITY doesn't require root diff --git a/tests/generic/group b/tests/generic/group index 7f72b304..df074d86 100644 --- a/tests/generic/group +++ b/tests/generic/group @@ -561,3 +561,4 @@ 556 auto quick casefold 557 auto quick log 900 auto quick verity +901 auto quick verity From patchwork Mon Jul 1 18:25:44 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11026601 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id F05D313A4 for ; Mon, 1 Jul 2019 18:27:34 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E22381FE8D for ; Mon, 1 Jul 2019 18:27:34 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id C715E205FB; Mon, 1 Jul 2019 18:27:34 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 115B01FE8E for ; Mon, 1 Jul 2019 18:27:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726829AbfGAS1d (ORCPT ); Mon, 1 Jul 2019 14:27:33 -0400 Received: from mail.kernel.org ([198.145.29.99]:42096 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726620AbfGAS1b (ORCPT ); Mon, 1 Jul 2019 14:27:31 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 2D9692184C; Mon, 1 Jul 2019 18:27:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1562005649; bh=TZXXa+PLg7r5gUyoyZp8H7wv2/+Krrn1/M9sbKwixZs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=LdmORnyBV+3s4LaeYWnZy0D9DG4WiF05DUhjS53s/RfAPhm17LJCa7Oeo+kOxvNOZ p36Mpm/sXHeD8Q08PSn5CndBprvyY/atNa9qQI+7Wp6t4xPpOMlbdWkoQ/FVEMkxtC Ry+0cyG4dxYQconfhBhrCZEI2ZFyBshBU9St9X9E= From: Eric Biggers To: fstests@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Jaegeuk Kim , "Theodore Y . Ts'o" , Victor Hsieh Subject: [RFC PATCH v3 5/8] generic: test corrupting verity files Date: Mon, 1 Jul 2019 11:25:44 -0700 Message-Id: <20190701182547.165856-6-ebiggers@kernel.org> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog In-Reply-To: <20190701182547.165856-1-ebiggers@kernel.org> References: <20190701182547.165856-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers This test corrupts various parts of the contents of a verity file, or parts of its Merkle tree, by writing directly to the block device. It verifies that this causes I/O errors when the relevant part of the contents is later read by any means. Signed-off-by: Eric Biggers --- tests/generic/902 | 154 ++++++++++++++++++++++++++++++++++++++++++ tests/generic/902.out | 91 +++++++++++++++++++++++++ tests/generic/group | 1 + 3 files changed, 246 insertions(+) create mode 100755 tests/generic/902 create mode 100644 tests/generic/902.out diff --git a/tests/generic/902 b/tests/generic/902 new file mode 100755 index 00000000..5ef2cca1 --- /dev/null +++ b/tests/generic/902 @@ -0,0 +1,154 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2018 Google LLC +# +# FS QA Test generic/902 +# +# Test corrupting verity files. This test corrupts various parts of the +# contents of a verity file, or parts of its Merkle tree, by writing directly to +# the block device. It verifies that this causes I/O errors when the relevant +# part of the contents is later read by any means. +# +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + cd / + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter +. ./common/verity + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here +_supported_fs generic +_supported_os Linux +_require_scratch_verity + +_scratch_mkfs_verity &>> $seqres.full +_scratch_mount +fsv_orig_file=$SCRATCH_MNT/file +fsv_file=$SCRATCH_MNT/file.fsv + +setup_zeroed_file() +{ + local len=$1 + local sparse=$2 + + if $sparse; then + dd if=/dev/zero of=$fsv_orig_file bs=1 count=0 seek=$len \ + status=none + else + head -c $len /dev/zero > $fsv_orig_file + fi + cp $fsv_orig_file $fsv_file + _fsv_enable $fsv_file + md5sum $fsv_file |& _filter_scratch +} + +filter_sigbus() +{ + sed -e 's/.*Bus error.*/Bus error/' +} + +round_up_to_page_boundary() +{ + local n=$1 + local page_size=$(get_page_size) + + echo $(( (n + page_size - 1) & ~(page_size - 1) )) +} + +corruption_test() +{ + local file_len=$1 + local zap_offset=$2 + local zap_len=$3 + local is_merkle_tree=${4:-false} # if true, zap tree instead of data + local use_sparse_file=${5:-false} + local page_aligned_eof=$(round_up_to_page_boundary $file_len) + local measurement + + if $is_merkle_tree; then + local corrupt_func=_fsv_scratch_corrupt_merkle_tree + else + local corrupt_func=_fsv_scratch_corrupt_bytes + fi + + local msg="Corruption test:" + msg+=" file_len=$file_len" + if $use_sparse_file; then + msg+=" (sparse)" + fi + msg+=" zap_offset=$zap_offset" + if $is_merkle_tree; then + msg+=" (in Merkle tree)" + fi + msg+=" zap_len=$zap_len" + + _fsv_scratch_begin_subtest "$msg" + setup_zeroed_file $file_len $use_sparse_file + cmp $fsv_file $fsv_orig_file + echo "Corrupting bytes..." + head -c $zap_len /dev/zero | tr '\0' X \ + | $corrupt_func $fsv_file $zap_offset + + echo "Validating corruption (reading full file)..." + _scratch_cycle_mount + md5sum $fsv_file |& _filter_scratch + + echo "Validating corruption (direct I/O)..." + _scratch_cycle_mount + dd if=$fsv_file bs=$FSV_BLOCK_SIZE iflag=direct status=none \ + of=/dev/null |& _filter_scratch + + if ! $is_merkle_tree; then + echo "Validating corruption (reading just corrupted part)..." + dd if=$fsv_file bs=1 skip=$zap_offset count=$zap_len \ + of=/dev/null status=none |& _filter_scratch + fi + + echo "Validating corruption (reading full file via mmap)..." + bash -c "trap '' SIGBUS; $XFS_IO_PROG -r $fsv_file \ + -c 'mmap -r 0 $page_aligned_eof' \ + -c 'mread 0 $file_len'" |& filter_sigbus + + if ! $is_merkle_tree; then + echo "Validating corruption (reading just corrupted part via mmap)..." + bash -c "trap '' SIGBUS; $XFS_IO_PROG -r $fsv_file \ + -c 'mmap -r 0 $page_aligned_eof' \ + -c 'mread $zap_offset $zap_len'" |& filter_sigbus + fi +} + +corruption_test 131072 0 1 +corruption_test 131072 4095 1 +corruption_test 131072 65536 65536 +corruption_test 131072 131071 1 + +# Non-zeroed bytes in the final partial block beyond EOF should cause reads to +# fail too. Such bytes would be visible via mmap(). +corruption_test 130999 131000 72 + +# Merkle tree corruption. +corruption_test 200000 100 10 true + +# Sparse file. Corrupting the Merkle tree should still cause reads to fail, +# i.e. the filesystem must verify holes. +corruption_test 200000 100 10 true true + +# success, all done +status=0 +exit diff --git a/tests/generic/902.out b/tests/generic/902.out new file mode 100644 index 00000000..15fe691e --- /dev/null +++ b/tests/generic/902.out @@ -0,0 +1,91 @@ +QA output created by 902 + +# Corruption test: file_len=131072 zap_offset=0 zap_len=1 +0dfbe8aa4c20b52e1b8bf3cb6cbdf193 SCRATCH_MNT/file.fsv +Corrupting bytes... +Validating corruption (reading full file)... +md5sum: SCRATCH_MNT/file.fsv: Input/output error +Validating corruption (direct I/O)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading just corrupted part)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading full file via mmap)... +Bus error +Validating corruption (reading just corrupted part via mmap)... +Bus error + +# Corruption test: file_len=131072 zap_offset=4095 zap_len=1 +0dfbe8aa4c20b52e1b8bf3cb6cbdf193 SCRATCH_MNT/file.fsv +Corrupting bytes... +Validating corruption (reading full file)... +md5sum: SCRATCH_MNT/file.fsv: Input/output error +Validating corruption (direct I/O)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading just corrupted part)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading full file via mmap)... +Bus error +Validating corruption (reading just corrupted part via mmap)... +Bus error + +# Corruption test: file_len=131072 zap_offset=65536 zap_len=65536 +0dfbe8aa4c20b52e1b8bf3cb6cbdf193 SCRATCH_MNT/file.fsv +Corrupting bytes... +Validating corruption (reading full file)... +md5sum: SCRATCH_MNT/file.fsv: Input/output error +Validating corruption (direct I/O)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading just corrupted part)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading full file via mmap)... +Bus error +Validating corruption (reading just corrupted part via mmap)... +Bus error + +# Corruption test: file_len=131072 zap_offset=131071 zap_len=1 +0dfbe8aa4c20b52e1b8bf3cb6cbdf193 SCRATCH_MNT/file.fsv +Corrupting bytes... +Validating corruption (reading full file)... +md5sum: SCRATCH_MNT/file.fsv: Input/output error +Validating corruption (direct I/O)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading just corrupted part)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading full file via mmap)... +Bus error +Validating corruption (reading just corrupted part via mmap)... +Bus error + +# Corruption test: file_len=130999 zap_offset=131000 zap_len=72 +f5cca0d7fbb8b02bc6118a9954d5d306 SCRATCH_MNT/file.fsv +Corrupting bytes... +Validating corruption (reading full file)... +md5sum: SCRATCH_MNT/file.fsv: Input/output error +Validating corruption (direct I/O)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading just corrupted part)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading full file via mmap)... +Bus error +Validating corruption (reading just corrupted part via mmap)... +Bus error + +# Corruption test: file_len=200000 zap_offset=100 (in Merkle tree) zap_len=10 +4a1e4325031b13f933ac4f1db9ecb63f SCRATCH_MNT/file.fsv +Corrupting bytes... +Validating corruption (reading full file)... +md5sum: SCRATCH_MNT/file.fsv: Input/output error +Validating corruption (direct I/O)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading full file via mmap)... +Bus error + +# Corruption test: file_len=200000 (sparse) zap_offset=100 (in Merkle tree) zap_len=10 +4a1e4325031b13f933ac4f1db9ecb63f SCRATCH_MNT/file.fsv +Corrupting bytes... +Validating corruption (reading full file)... +md5sum: SCRATCH_MNT/file.fsv: Input/output error +Validating corruption (direct I/O)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading full file via mmap)... +Bus error diff --git a/tests/generic/group b/tests/generic/group index df074d86..62fc73fa 100644 --- a/tests/generic/group +++ b/tests/generic/group @@ -562,3 +562,4 @@ 557 auto quick log 900 auto quick verity 901 auto quick verity +902 auto quick verity From patchwork Mon Jul 1 18:25:45 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11026593 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9CA6F13A4 for ; Mon, 1 Jul 2019 18:27:32 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 929031FE8D for ; Mon, 1 Jul 2019 18:27:32 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 86EB7205FB; Mon, 1 Jul 2019 18:27:32 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 206501FE8D for ; Mon, 1 Jul 2019 18:27:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726787AbfGAS1b (ORCPT ); Mon, 1 Jul 2019 14:27:31 -0400 Received: from mail.kernel.org ([198.145.29.99]:42114 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726652AbfGAS1b (ORCPT ); Mon, 1 Jul 2019 14:27:31 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 7C16821851; Mon, 1 Jul 2019 18:27:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1562005649; bh=LFrGT1iwmeY9I51yPhoLeorTghMaFfwgfEhKM8SuBCc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=1zMx86pNqhRCpfpeK9DK1yqycB0XgEK01Rx6kc+Gy9juq3z9XiJoBRNChEi4YjBZV XTAW/g98YLlu8BOcZOA3RcSw92PxfAVzgj+ykuUW0oZmnMTXEFRWZgosDgFak+jU+O bOSxFv6mqFZxnQHa6Mqi0UPktA4CtFdIHWnLsbwk= From: Eric Biggers To: fstests@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Jaegeuk Kim , "Theodore Y . Ts'o" , Victor Hsieh Subject: [RFC PATCH v3 6/8] generic: test that fs-verity is using the correct measurement values Date: Mon, 1 Jul 2019 11:25:45 -0700 Message-Id: <20190701182547.165856-7-ebiggers@kernel.org> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog In-Reply-To: <20190701182547.165856-1-ebiggers@kernel.org> References: <20190701182547.165856-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers This test verifies that fs-verity is doing its Merkle tree-based hashing correctly, i.e. that it hasn't been broken by a change. Signed-off-by: Eric Biggers --- tests/generic/903 | 112 ++++++++++++++++++++++++++++++++++++++++++ tests/generic/903.out | 5 ++ tests/generic/group | 1 + 3 files changed, 118 insertions(+) create mode 100755 tests/generic/903 create mode 100644 tests/generic/903.out diff --git a/tests/generic/903 b/tests/generic/903 new file mode 100755 index 00000000..55f4a3ba --- /dev/null +++ b/tests/generic/903 @@ -0,0 +1,112 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2018 Google LLC +# +# FS QA Test generic/903 +# +# Test that fs-verity is using the correct measurement values. This test +# verifies that fs-verity is doing its Merkle tree-based hashing correctly, +# i.e. that it hasn't been broken by a change. +# +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + cd / + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter +. ./common/verity + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here +_supported_fs generic +_supported_os Linux +_require_scratch_verity +if [ $FSV_BLOCK_SIZE != 4096 ]; then + _notrun "4096-byte verity block size not supported on this platform" +fi + +_scratch_mkfs_verity &>> $seqres.full +_scratch_mount +fsv_orig_file=$SCRATCH_MNT/file +fsv_file=$SCRATCH_MNT/file.fsv + +algs=(sha256 sha512) + +# Try files with 0, 1, and multiple Merkle tree levels. +file_sizes=(0 4096 65536 65536 100000000) + +# Try both unsalted and salted, and check that empty salt is the same as no salt +salts=('' '' '' '--salt=' '--salt=f3c93fa6fb828c0e1587e5714ecf6f56') + +# The expected file measurements are here rather than in the expected output +# file because not all hash algorithms may be available. +sha256_vals=( +sha256:3d248ca542a24fc62d1c43b916eae5016878e2533c88238480b26128a1f1af95 +sha256:babc284ee4ffe7f449377fbf6692715b43aec7bc39c094a95878904d34bac97e +sha256:011e3f2b1dc89b75d78cddcc2a1b85cd8a64b2883e5f20f277ae4c0617e0404f +sha256:011e3f2b1dc89b75d78cddcc2a1b85cd8a64b2883e5f20f277ae4c0617e0404f +sha256:9d33cab743468fcbe4edab91a275b30dd543c12dd5e6ce6f2f737f66a1558f06 +) +sha512_vals=( +sha512:ccf9e5aea1c2a64efa2f2354a6024b90dffde6bbc017825045dce374474e13d10adb9dadcc6ca8e17a3c075fbd31336e8f266ae6fa93a6c3bed66f9e784e5abf +sha512:928922686c4caf32175f5236a7f964e9925d10a74dc6d8344a8bd08b23c228ff5792573987d7895f628f39c4f4ebe39a7367d7aeb16aaa0cd324ac1d53664e61 +sha512:eab7224ce374a0a4babcb2db25e24836247f38b87806ad9be9e5ba4daac2f5b814fc0cbdfd9f1f8499b3c9a6c1b38fe08974cce49883ab4ccd04462fd2f9507f +sha512:eab7224ce374a0a4babcb2db25e24836247f38b87806ad9be9e5ba4daac2f5b814fc0cbdfd9f1f8499b3c9a6c1b38fe08974cce49883ab4ccd04462fd2f9507f +sha512:f7083a38644880d25539488313e9e5b41a4d431a0e383945129ad2c36e3c1d0f28928a424641bb1363c12b6e770578102566acea73baf1ce8ee15336f5ba2446 +) + +test_alg() +{ + local alg=$1 + local -n vals=${alg}_vals + local i + local file_size + local expected actual salt_arg + + _fsv_scratch_begin_subtest "Check for expected measurement values ($alg)" + + if ! _fsv_have_hash_algorithm $alg $fsv_file; then + if [ "$alg" = sha256 ]; then + _fail "Something is wrong - sha256 hash should always be available" + fi + return 0 + fi + + for i in ${!file_sizes[@]}; do + file_size=${file_sizes[$i]} + expected=${vals[$i]} + salt_arg=${salts[$i]} + + head -c $file_size /dev/zero > $fsv_orig_file + cp $fsv_orig_file $fsv_file + _fsv_enable --hash-alg=$alg $salt_arg $fsv_file + actual=$(_fsv_measure $fsv_file) + if [ "$actual" != "$expected" ]; then + echo "Mismatch: expected $expected, kernel calculated $actual (file_size=$file_size)" + fi + cmp $fsv_orig_file $fsv_file + rm -f $fsv_file + done +} + +for alg in ${algs[@]}; do + test_alg $alg +done + +# success, all done +status=0 +exit diff --git a/tests/generic/903.out b/tests/generic/903.out new file mode 100644 index 00000000..02508828 --- /dev/null +++ b/tests/generic/903.out @@ -0,0 +1,5 @@ +QA output created by 903 + +# Check for expected measurement values (sha256) + +# Check for expected measurement values (sha512) diff --git a/tests/generic/group b/tests/generic/group index 62fc73fa..97fd5a32 100644 --- a/tests/generic/group +++ b/tests/generic/group @@ -563,3 +563,4 @@ 900 auto quick verity 901 auto quick verity 902 auto quick verity +903 auto quick verity From patchwork Mon Jul 1 18:25:46 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11026607 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 45AE0138B for ; Mon, 1 Jul 2019 18:27:36 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3CFFB205FB for ; Mon, 1 Jul 2019 18:27:36 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 3163A2675C; Mon, 1 Jul 2019 18:27:36 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 879E8205FB for ; Mon, 1 Jul 2019 18:27:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726803AbfGAS1d (ORCPT ); Mon, 1 Jul 2019 14:27:33 -0400 Received: from mail.kernel.org ([198.145.29.99]:42118 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726664AbfGAS1b (ORCPT ); Mon, 1 Jul 2019 14:27:31 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id CA5A121850; Mon, 1 Jul 2019 18:27:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1562005650; bh=RmiFi9tzptxJ/Z6+W7fN3Dap7wQkvqwPSafCyDX4i/U=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Oe5fbBDPIAdyID+5Xi/P0Dr1zN2RHZhC41movJiM1sFaXIZETwG85Jcu6ySi41NZA 1+8YNNkqBO2I9avjZGmsR23YSGChQilOuEVdVMON+5ZoKHDxeBYVoyAblXidoe6Svv 46rRYR27TKVawylFIOJyyQtCDYCqrWo+YBvHG/jY= From: Eric Biggers To: fstests@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Jaegeuk Kim , "Theodore Y . Ts'o" , Victor Hsieh Subject: [RFC PATCH v3 7/8] generic: test using fs-verity and fscrypt simultaneously Date: Mon, 1 Jul 2019 11:25:46 -0700 Message-Id: <20190701182547.165856-8-ebiggers@kernel.org> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog In-Reply-To: <20190701182547.165856-1-ebiggers@kernel.org> References: <20190701182547.165856-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers This primarily verifies correct ordering of the hooks for each feature: fscrypt needs to be first. Signed-off-by: Eric Biggers --- tests/generic/904 | 80 +++++++++++++++++++++++++++++++++++++++++++ tests/generic/904.out | 12 +++++++ tests/generic/group | 1 + 3 files changed, 93 insertions(+) create mode 100755 tests/generic/904 create mode 100644 tests/generic/904.out diff --git a/tests/generic/904 b/tests/generic/904 new file mode 100755 index 00000000..61bdae22 --- /dev/null +++ b/tests/generic/904 @@ -0,0 +1,80 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2018 Google LLC +# +# FS QA Test generic/904 +# +# Test using fs-verity and fscrypt simultaneously. This primarily verifies +# correct ordering of the hooks for each feature: fscrypt needs to be first. +# +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + cd / + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter +. ./common/verity +. ./common/encrypt + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here +_supported_fs generic +_supported_os Linux +_require_scratch_verity +_require_scratch_encryption +_require_command "$KEYCTL_PROG" keyctl + +_scratch_mkfs_encrypted_verity &>> $seqres.full +_scratch_mount + +fsv_orig_file=$tmp.file +edir=$SCRATCH_MNT/edir +fsv_file=$edir/file.fsv + +# Set up an encrypted directory. +_new_session_keyring +keydesc=$(_generate_encryption_key) +mkdir $edir +_set_encpolicy $edir $keydesc + +# Create a file within the encrypted directory and enable verity on it. +# Then check that it has an encryption policy as well. +head -c 100000 /dev/zero > $fsv_orig_file +cp $fsv_orig_file $fsv_file +_fsv_enable $fsv_file +echo +$XFS_IO_PROG -r -c "get_encpolicy" $fsv_file | _filter_scratch \ + | sed 's/Master key descriptor:.*/Master key descriptor: 0000000000000000/' +echo + +# Verify that the file contents are as expected. This should be going through +# both the decryption and verity I/O paths. +cmp $fsv_orig_file $fsv_file && echo "Files matched" + +# Just in case, try again after a mount cycle to empty the page cache. +_scratch_cycle_mount +cmp $fsv_orig_file $fsv_file && echo "Files matched" + +# Corrupt some bytes as a sanity check that fs-verity is really working. +# This also verifies that the data on-disk is really encrypted, since otherwise +# the data being written here would be identical to the old data. +head -c 1000 /dev/zero | _fsv_scratch_corrupt_bytes $fsv_file 50000 +md5sum $fsv_file |& _filter_scratch + +# success, all done +status=0 +exit diff --git a/tests/generic/904.out b/tests/generic/904.out new file mode 100644 index 00000000..5f4e249a --- /dev/null +++ b/tests/generic/904.out @@ -0,0 +1,12 @@ +QA output created by 904 + +Encryption policy for SCRATCH_MNT/edir/file.fsv: + Policy version: 0 + Master key descriptor: 0000000000000000 + Contents encryption mode: 1 (AES-256-XTS) + Filenames encryption mode: 4 (AES-256-CTS) + Flags: 0x02 + +Files matched +Files matched +md5sum: SCRATCH_MNT/edir/file.fsv: Input/output error diff --git a/tests/generic/group b/tests/generic/group index 97fd5a32..cc30a30b 100644 --- a/tests/generic/group +++ b/tests/generic/group @@ -564,3 +564,4 @@ 901 auto quick verity 902 auto quick verity 903 auto quick verity +904 auto quick verity encrypt From patchwork Mon Jul 1 18:25:47 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11026605 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1A5EA14C0 for ; Mon, 1 Jul 2019 18:27:36 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1036F25E13 for ; Mon, 1 Jul 2019 18:27:36 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 043601FE8D; Mon, 1 Jul 2019 18:27:36 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 67DC11FE8E for ; Mon, 1 Jul 2019 18:27:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726816AbfGAS1d (ORCPT ); Mon, 1 Jul 2019 14:27:33 -0400 Received: from mail.kernel.org ([198.145.29.99]:42084 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726731AbfGAS1b (ORCPT ); Mon, 1 Jul 2019 14:27:31 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 24C862184E; Mon, 1 Jul 2019 18:27:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1562005650; bh=LW1cLobwlu4UZ3TbH32CQVjHGPAq9KW+Q1sSn2ZIHfM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ER7i0UGRYJcqw70OZO3ohEnIpncPf/uDVCzrZJtupa1tWPxqE+gtRCtIIVdKtFDx2 sALnx7XFGq1Ke8LdI1Ry099fMJcJaUUavCK7eewRi6aA1BYvla/anFaD+h62/s1pWF FbxZLRzoeex7cystlPieHWUHNLn8JR4mEC8H4EOg= From: Eric Biggers To: fstests@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Jaegeuk Kim , "Theodore Y . Ts'o" , Victor Hsieh Subject: [RFC PATCH v3 8/8] generic: test the fs-verity built-in signature verification support Date: Mon, 1 Jul 2019 11:25:47 -0700 Message-Id: <20190701182547.165856-9-ebiggers@kernel.org> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog In-Reply-To: <20190701182547.165856-1-ebiggers@kernel.org> References: <20190701182547.165856-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers Add a basic test for the fs-verity built-in signature verification support, which is an optional feature where the kernel can be configured to enforce that all verity files are accompanied with a valid signature by a key that has been loaded into the fs-verity keyring. Signed-off-by: Eric Biggers --- common/config | 1 + common/verity | 16 +++++ tests/generic/905 | 150 ++++++++++++++++++++++++++++++++++++++++++ tests/generic/905.out | 42 ++++++++++++ tests/generic/group | 1 + 5 files changed, 210 insertions(+) create mode 100755 tests/generic/905 create mode 100644 tests/generic/905.out diff --git a/common/config b/common/config index 001ddc45..1aaf0a75 100644 --- a/common/config +++ b/common/config @@ -213,6 +213,7 @@ export XFS_INFO_PROG="$(type -P xfs_info)" export DUPEREMOVE_PROG="$(type -P duperemove)" export CC_PROG="$(type -P cc)" export FSVERITY_PROG="$(type -P fsverity)" +export OPENSSL_PROG="$(type -P openssl)" # use 'udevadm settle' or 'udevsettle' to wait for lv to be settled. # newer systems have udevadm command but older systems like RHEL5 don't. diff --git a/common/verity b/common/verity index a8aae51e..bcb5670d 100644 --- a/common/verity +++ b/common/verity @@ -45,6 +45,17 @@ _require_scratch_verity() FSV_BLOCK_SIZE=$(get_page_size) } +# Check for CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y. +_require_fsverity_builtin_signatures() +{ + if [ ! -e /proc/keys ]; then + _notrun "kernel doesn't support keyrings" + fi + if ! awk '{print $9}' /proc/keys | grep -q '^\.fs-verity:$'; then + _notrun "kernel doesn't support fs-verity builtin signatures" + fi +} + _scratch_mkfs_verity() { case $FSTYP in @@ -92,6 +103,11 @@ _fsv_measure() $FSVERITY_PROG measure "$@" | awk '{print $1}' } +_fsv_sign() +{ + $FSVERITY_PROG sign "$@" +} + # Generate a file, then enable verity on it. _fsv_create_enable_file() { diff --git a/tests/generic/905 b/tests/generic/905 new file mode 100755 index 00000000..e42b012d --- /dev/null +++ b/tests/generic/905 @@ -0,0 +1,150 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2019 Google LLC +# +# FS QA Test generic/905 +# +# Test the fs-verity built-in signature verification support. +# +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + sysctl -w fs.verity.require_signatures=0 &>/dev/null + cd / + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter +. ./common/verity + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here +_supported_fs generic +_supported_os Linux +_require_scratch_verity +_require_fsverity_builtin_signatures +_require_command "$OPENSSL_PROG" openssl +_require_command "$KEYCTL_PROG" keyctl + +_scratch_mkfs_verity &>> $seqres.full +_scratch_mount + +fsv_file=$SCRATCH_MNT/file.fsv +fsv_orig_file=$SCRATCH_MNT/file +keyfile=$tmp.key.pem +certfile=$tmp.cert.pem +certfileder=$tmp.cert.der +sigfile=$tmp.sig +otherfile=$SCRATCH_MNT/otherfile +othersigfile=$tmp.othersig + +# Setup + +echo -e "\n# Generating certificates and private keys" +for suffix in '' '.2'; do + if ! $OPENSSL_PROG req -newkey rsa:4096 -nodes -batch -x509 \ + -keyout $keyfile$suffix -out $certfile$suffix \ + &>> $seqres.full; then + _fail "Failed to generate certificate and private key (see $seqres.full)" + fi + $OPENSSL_PROG x509 -in $certfile$suffix -out $certfileder$suffix \ + -outform der +done + +echo -e "\n# Clearing fs-verity keyring" +$KEYCTL_PROG clear %keyring:.fs-verity + +echo -e "\n# Loading first certificate into fs-verity keyring" +$KEYCTL_PROG padd asymmetric '' %keyring:.fs-verity \ + < $certfileder >> $seqres.full + +echo -e "\n# Enabling fs.verity.require_signatures" +sysctl -w fs.verity.require_signatures=1 + +echo -e "\n# Generating file and signing it for fs-verity" +head -c 100000 /dev/zero > $fsv_orig_file +for suffix in '' '.2'; do + _fsv_sign $fsv_orig_file $sigfile$suffix --key=$keyfile$suffix \ + --cert=$certfile$suffix | _filter_scratch +done + +echo -e "\n# Signing a different file for fs-verity" +head -c 100000 /dev/zero | tr '\0' 'X' > $otherfile +_fsv_sign $otherfile $othersigfile --key=$keyfile --cert=$certfile \ + | _filter_scratch + +# Actual tests + +reset_fsv_file() +{ + rm -f $fsv_file + cp $fsv_orig_file $fsv_file +} + +echo -e "\n# Enabling verity with valid signature (should succeed)" +reset_fsv_file +_fsv_enable $fsv_file --signature=$sigfile +cmp $fsv_file $fsv_orig_file + +echo -e "\n# Enabling verity without signature (should fail)" +reset_fsv_file +_fsv_enable $fsv_file |& _filter_scratch + +echo -e "\n# Opening verity file without signature (should fail)" +reset_fsv_file +sysctl -w fs.verity.require_signatures=0 &>> $seqres.full +_fsv_enable $fsv_file +sysctl -w fs.verity.require_signatures=1 &>> $seqres.full +_scratch_cycle_mount +md5sum $fsv_file |& _filter_scratch + +echo -e "\n# Enabling verity with untrusted signature (should fail)" +reset_fsv_file +_fsv_enable $fsv_file --signature=$sigfile.2 |& _filter_scratch + +echo -e "\n# Enabling verity with wrong file's signature (should fail)" +reset_fsv_file +_fsv_enable $fsv_file --signature=$othersigfile |& _filter_scratch + +echo -e "\n# Enabling verity with malformed signature (should fail)" +echo foobarbaz > $tmp.malformed_sig +reset_fsv_file +_fsv_enable $fsv_file --signature=$tmp.malformed_sig |& _filter_scratch + +echo -e "\n# Testing salt" +reset_fsv_file +_fsv_sign $fsv_orig_file $sigfile.salted --key=$keyfile --cert=$certfile \ + --salt=abcd | _filter_scratch +_fsv_enable $fsv_file --signature=$sigfile.salted --salt=abcd +cmp $fsv_file $fsv_orig_file + +echo -e "\n# Testing non-default hash algorithm" +if _fsv_have_hash_algorithm sha512 $fsv_file; then + reset_fsv_file + _fsv_sign $fsv_orig_file $sigfile.sha512 --key=$keyfile \ + --cert=$certfile --hash-alg=sha512 > /dev/null + _fsv_enable $fsv_file --signature=$sigfile.sha512 --hash-alg=sha512 + cmp $fsv_file $fsv_orig_file +fi + +echo -e "\n# Testing empty file" +echo -n > $fsv_file +_fsv_sign $fsv_file $sigfile.emptyfile --key=$keyfile --cert=$certfile | \ + _filter_scratch +_fsv_enable $fsv_file --signature=$sigfile.emptyfile + +# success, all done +status=0 +exit diff --git a/tests/generic/905.out b/tests/generic/905.out new file mode 100644 index 00000000..4b28757a --- /dev/null +++ b/tests/generic/905.out @@ -0,0 +1,42 @@ +QA output created by 905 + +# Generating certificates and private keys + +# Clearing fs-verity keyring + +# Loading first certificate into fs-verity keyring + +# Enabling fs.verity.require_signatures +fs.verity.require_signatures = 1 + +# Generating file and signing it for fs-verity +Signed file 'SCRATCH_MNT/file' (sha256:ecabbfca4efd69a721be824965da10d27900b109549f96687b35a4d91d810dac) +Signed file 'SCRATCH_MNT/file' (sha256:ecabbfca4efd69a721be824965da10d27900b109549f96687b35a4d91d810dac) + +# Signing a different file for fs-verity +Signed file 'SCRATCH_MNT/otherfile' (sha256:b2a419c5a8c767a78c6275d6729794bf51e52ddf8713e31d12a93d61d961f49f) + +# Enabling verity with valid signature (should succeed) + +# Enabling verity without signature (should fail) +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Operation not permitted + +# Opening verity file without signature (should fail) +md5sum: SCRATCH_MNT/file.fsv: Operation not permitted + +# Enabling verity with untrusted signature (should fail) +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Required key not available + +# Enabling verity with wrong file's signature (should fail) +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Key was rejected by service + +# Enabling verity with malformed signature (should fail) +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Bad message + +# Testing salt +Signed file 'SCRATCH_MNT/file' (sha256:1cb173bcd199133eb80e9ea4f0f741001b9e73227aa8812685156f2bc8ff45f5) + +# Testing non-default hash algorithm + +# Testing empty file +Signed file 'SCRATCH_MNT/file.fsv' (sha256:3d248ca542a24fc62d1c43b916eae5016878e2533c88238480b26128a1f1af95) diff --git a/tests/generic/group b/tests/generic/group index cc30a30b..a24fc997 100644 --- a/tests/generic/group +++ b/tests/generic/group @@ -565,3 +565,4 @@ 902 auto quick verity 903 auto quick verity 904 auto quick verity encrypt +905 auto quick verity