From patchwork Mon Sep 30 21:15:46 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11167629 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6922516C1 for ; Mon, 30 Sep 2019 21:19:27 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 3E6B621D7B for ; Mon, 30 Sep 2019 21:19:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1569878367; bh=vrx6r+SGfrTyFSiHE5OHRltvBYxK9kX4SHueCOiMXmE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=GgVwphdGvAMWLXGJ9KxTGgh/m5WOxe5Tj6Yrm/0pX813Dd3rFE54FDBHIAyDsWWD8 mdn0ZVBykRQez3qqPpHmKdkGnD206BElbzJaQ/ZNDAZYVZ3tDvCMv7sdzJioey2mFk HgVsVBb7NA4AZax2o9lSG/VCJRXtkdoCIAezwm10= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731997AbfI3VT0 (ORCPT ); Mon, 30 Sep 2019 17:19:26 -0400 Received: from mail.kernel.org ([198.145.29.99]:47220 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731206AbfI3VT0 (ORCPT ); Mon, 30 Sep 2019 17:19:26 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 92FA921855; Mon, 30 Sep 2019 21:19:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1569878365; bh=vrx6r+SGfrTyFSiHE5OHRltvBYxK9kX4SHueCOiMXmE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=kCBgjUOHkr02WThgME0Yy4+Mefza47yGqPOkgp0zAnQ81ZR2EO+TnpIV1GHfcLbYf Efmkgpwee/BTVol0SZaCHPrapw8opKPbne2URif9cU6ddGj2kMbenTS84x6BhVFRcz fOLPsFLVKsDXtF3gLEovbn5YoJ+VvakO+A0vXVng= From: Eric Biggers To: fstests@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Jaegeuk Kim , "Theodore Y . Ts'o" Subject: [PATCH v4 1/8] common/filter: add _filter_xfs_io_fiemap() Date: Mon, 30 Sep 2019 14:15:46 -0700 Message-Id: <20190930211553.64208-2-ebiggers@kernel.org> X-Mailer: git-send-email 2.23.0.444.g18eeb5a265-goog In-Reply-To: <20190930211553.64208-1-ebiggers@kernel.org> References: <20190930211553.64208-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org From: Eric Biggers Add _filter_xfs_io_fiemap() to clean up the output of 'xfs_io -c fiemap'. This will be used by a function in common/verity. Signed-off-by: Eric Biggers --- common/filter | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/common/filter b/common/filter index 26fc2132..2477f386 100644 --- a/common/filter +++ b/common/filter @@ -541,6 +541,30 @@ _filter_filefrag() $flags, "\n"' } +# Clean up the extents list output of 'xfs_io -c fiemap', e.g. +# +# file: +# 0: [0..79]: 628365312..628365391 +# 1: [80..159]: hole +# 2: [160..319]: 628365472..628365631 +# => +# 0 79 628365312 628365391 +# 160 319 628365472 628365631 +# +# The fields are: +# +# first_logical_block last_logical_block first_physical_block last_physical_block +# +# Blocks are 512 bytes, and holes are omitted. +# +_filter_xfs_io_fiemap() +{ + grep -E '^[[:space:]]+[0-9]+:' \ + | grep -v '\' \ + | sed -E 's/^[[:space:]]+[0-9]+://' \ + | tr '][.:' ' ' +} + # We generate WARNINGs on purpose when applications mix buffered/mmap IO with # direct IO on the same file. This is a helper for _check_dmesg() to filter out # such warnings. From patchwork Mon Sep 30 21:15:47 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11167641 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id DBB0A1920 for ; Mon, 30 Sep 2019 21:19:28 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id BAF7A21D7B for ; Mon, 30 Sep 2019 21:19:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1569878368; bh=w0eG8OHvLX9hX9jqfcfhWWWjTXO75ag0H25Oobm4RoE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=zWs0Qu1w/ehvkRmrdT8Jb4tTcABMxxD32GHJbAiwLJyAv5qhDrXCTcQnx+KZmmbqo xie1+QRbS8FKCGR32nKwaAOaBeBnq+PhGiRddwO7r05wKBcpL7Dbm6vZl3Eeeb8Z+B FarRgJuLmpv+HVEpTTEi4uo+qNL/H1fVIVOkPPEY= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732360AbfI3VT2 (ORCPT ); Mon, 30 Sep 2019 17:19:28 -0400 Received: from mail.kernel.org ([198.145.29.99]:47228 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731761AbfI3VT1 (ORCPT ); Mon, 30 Sep 2019 17:19:27 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E5CD5218DE; Mon, 30 Sep 2019 21:19:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1569878366; bh=w0eG8OHvLX9hX9jqfcfhWWWjTXO75ag0H25Oobm4RoE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=fdxtnJmjGiVC+ZYnP/T5civFuJBBnP4Lq6lM8Ptp4w1S8bnFWGTKHyd65By+ttKG8 hIZbvGLtBQTlUmoyhuNcQkvox9B/rxMPmXyF9QxDuKoJj44XSEBPO4rdfHZMATkDtf mi2Kf/5qcWdO8XDosIdjyNfUQnkR4aZxCHYGv1kQ= From: Eric Biggers To: fstests@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Jaegeuk Kim , "Theodore Y . Ts'o" Subject: [PATCH v4 2/8] common/verity: add common functions for testing fs-verity Date: Mon, 30 Sep 2019 14:15:47 -0700 Message-Id: <20190930211553.64208-3-ebiggers@kernel.org> X-Mailer: git-send-email 2.23.0.444.g18eeb5a265-goog In-Reply-To: <20190930211553.64208-1-ebiggers@kernel.org> References: <20190930211553.64208-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org From: Eric Biggers Add common functions for setting up and testing fs-verity. fs-verity is an ext4 and f2fs filesystem feature which provides Merkle tree based hashing (similar to dm-verity) for individual read-only files, mainly for the purpose of efficient authenticity verification. Other filesystems may add fs-verity support later, using the same API. Running the fs-verity tests will require: - Kernel v5.4-rc1 or later configured with CONFIG_FS_VERITY=y - The 'fsverity' utility program from https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git - e2fsprogs v1.45.2 or later for ext4 tests, or f2fs-tools v1.11.0 or later for f2fs tests Some individual tests will have additional requirements. For more information about fs-verity, see https://www.kernel.org/doc/html/latest/filesystems/fsverity.html Signed-off-by: Eric Biggers --- common/config | 1 + common/verity | 199 ++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 200 insertions(+) create mode 100644 common/verity diff --git a/common/config b/common/config index 4c86a492..fb4097b8 100644 --- a/common/config +++ b/common/config @@ -213,6 +213,7 @@ export CHECKBASHISMS_PROG="$(type -P checkbashisms)" export XFS_INFO_PROG="$(type -P xfs_info)" export DUPEREMOVE_PROG="$(type -P duperemove)" export CC_PROG="$(type -P cc)" +export FSVERITY_PROG="$(type -P fsverity)" # use 'udevadm settle' or 'udevsettle' to wait for lv to be settled. # newer systems have udevadm command but older systems like RHEL5 don't. diff --git a/common/verity b/common/verity new file mode 100644 index 00000000..a8aae51e --- /dev/null +++ b/common/verity @@ -0,0 +1,199 @@ +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2018 Google LLC +# +# Functions for setting up and testing fs-verity + +_require_scratch_verity() +{ + _require_scratch + _require_command "$FSVERITY_PROG" fsverity + + if ! _scratch_mkfs_verity &>>$seqres.full; then + # ext4: need e2fsprogs v1.44.5 or later (but actually v1.45.2+ + # is needed for some tests to pass, due to an e2fsck bug) + # f2fs: need f2fs-tools v1.11.0 or later + _notrun "$FSTYP userspace tools don't support fs-verity" + fi + + # Try to mount the filesystem. If this fails then either the kernel + # isn't aware of fs-verity, or the mkfs options were not compatible with + # verity (e.g. ext4 with block size != PAGE_SIZE). + if ! _try_scratch_mount &>>$seqres.full; then + _notrun "kernel is unaware of $FSTYP verity feature," \ + "or mkfs options are not compatible with verity" + fi + + # The filesystem may be aware of fs-verity but have it disabled by + # CONFIG_FS_VERITY=n. Detect support via sysfs. + if [ ! -e /sys/fs/$FSTYP/features/verity ]; then + _notrun "kernel $FSTYP isn't configured with verity support" + fi + + # The filesystem may have fs-verity enabled but not actually usable by + # default. E.g., ext4 only supports verity on extent-based files, so it + # doesn't work on ext3-style filesystems. So, try actually using it. + echo foo > $SCRATCH_MNT/tmpfile + if ! _fsv_enable $SCRATCH_MNT/tmpfile; then + _notrun "$FSTYP verity isn't usable by default with these mkfs options" + fi + rm -f $SCRATCH_MNT/tmpfile + + _scratch_unmount + + # Merkle tree block size. Currently all filesystems only support + # PAGE_SIZE for this. This is also the default for 'fsverity enable'. + FSV_BLOCK_SIZE=$(get_page_size) +} + +_scratch_mkfs_verity() +{ + case $FSTYP in + ext4|f2fs) + _scratch_mkfs -O verity + ;; + *) + _notrun "No verity support for $FSTYP" + ;; + esac +} + +_scratch_mkfs_encrypted_verity() +{ + case $FSTYP in + ext4) + _scratch_mkfs -O encrypt,verity + ;; + f2fs) + # f2fs-tools as of v1.11.0 doesn't allow comma-separated + # features with -O. Instead -O must be supplied multiple times. + _scratch_mkfs -O encrypt -O verity + ;; + *) + _notrun "$FSTYP not supported in _scratch_mkfs_encrypted_verity" + ;; + esac +} + +_fsv_scratch_begin_subtest() +{ + local msg=$1 + + rm -rf "${SCRATCH_MNT:?}"/* + echo -e "\n# $msg" +} + +_fsv_enable() +{ + $FSVERITY_PROG enable "$@" +} + +_fsv_measure() +{ + $FSVERITY_PROG measure "$@" | awk '{print $1}' +} + +# Generate a file, then enable verity on it. +_fsv_create_enable_file() +{ + local file=$1 + shift + + head -c $((FSV_BLOCK_SIZE * 2)) /dev/zero > "$file" + _fsv_enable "$file" "$@" +} + +_fsv_have_hash_algorithm() +{ + local hash_alg=$1 + local test_file=$2 + + rm -f $test_file + head -c 4096 /dev/zero > $test_file + if ! _fsv_enable --hash-alg=$hash_alg $test_file &>> $seqres.full; then + # no kernel support + return 1 + fi + rm -f $test_file + return 0 +} + +# +# _fsv_scratch_corrupt_bytes - Write some bytes to a file, bypassing the filesystem +# +# Write the bytes sent on stdin to the given offset in the given file, but do so +# by writing directly to the extents on the block device, with the filesystem +# unmounted. This can be used to corrupt a verity file for testing purposes, +# bypassing the restrictions imposed by the filesystem. +# +# The file is assumed to be located on $SCRATCH_DEV. +# +_fsv_scratch_corrupt_bytes() +{ + local file=$1 + local offset=$2 + local lstart lend pstart pend + local dd_cmds=() + local cmd + + sync # Sync to avoid unwritten extents + + cat > $tmp.bytes + local end=$(( offset + $(stat -c %s $tmp.bytes ) )) + + # For each extent that intersects the requested range in order, add a + # command that writes the next part of the data to that extent. + while read -r lstart lend pstart pend; do + lstart=$((lstart * 512)) + lend=$(((lend + 1) * 512)) + pstart=$((pstart * 512)) + pend=$(((pend + 1) * 512)) + + if (( lend - lstart != pend - pstart )); then + _fail "Logical and physical extent lengths differ for file '$file'" + elif (( offset < lstart )); then + _fail "Hole in file '$file' at byte $offset. Next extent begins at byte $lstart" + elif (( offset < lend )); then + local len=$((lend - offset)) + local seek=$((pstart + (offset - lstart))) + dd_cmds+=("head -c $len | dd of=$SCRATCH_DEV oflag=seek_bytes seek=$seek status=none") + (( offset += len )) + fi + done < <($XFS_IO_PROG -r -c "fiemap $offset $((end - offset))" "$file" \ + | _filter_xfs_io_fiemap) + + if (( offset < end )); then + _fail "Extents of file '$file' ended at byte $offset, but needed until $end" + fi + + # Execute the commands to write the data + _scratch_unmount + for cmd in "${dd_cmds[@]}"; do + eval "$cmd" + done < $tmp.bytes + sync # Sync to flush the block device's pagecache + _scratch_mount +} + +# +# _fsv_scratch_corrupt_merkle_tree - Corrupt a file's Merkle tree +# +# Like _fsv_scratch_corrupt_bytes(), but this corrupts the file's fs-verity +# Merkle tree. The offset is given as a byte offset into the Merkle tree. +# +_fsv_scratch_corrupt_merkle_tree() +{ + local file=$1 + local offset=$2 + + case $FSTYP in + ext4|f2fs) + # ext4 and f2fs store the Merkle tree after the file contents + # itself, starting at the next 65536-byte aligned boundary. + (( offset += ($(stat -c %s $file) + 65535) & ~65535 )) + _fsv_scratch_corrupt_bytes $file $offset + ;; + *) + _fail "_fsv_scratch_corrupt_merkle_tree() unimplemented on $FSTYP" + ;; + esac +} From patchwork Mon Sep 30 21:15:48 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11167653 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1284217E1 for ; Mon, 30 Sep 2019 21:19:31 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id E5D392190F for ; Mon, 30 Sep 2019 21:19:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1569878371; bh=OMTHCwqwJ1GzMSx0iOVcEh3EWgyzdmHyM9IeuQTR06A=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=xvW1C0xLP+GFgAaQfHaGXGucpWMN96IjeAVBnJ5DFwYb1lxonIEMXsnfNDFtzP4mj Yu4YGbwdkQxfpjm/P8br6lIdUHL2rWlTixezN7NOHTvt6MfahyWHw9asZ1N0m0H8eX q/Wwt/BMucneCgYWytSUXYKbkFXWfbv8wxaBcZcc= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732425AbfI3VT2 (ORCPT ); Mon, 30 Sep 2019 17:19:28 -0400 Received: from mail.kernel.org ([198.145.29.99]:47244 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731206AbfI3VT1 (ORCPT ); Mon, 30 Sep 2019 17:19:27 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 4AA9C215EA; Mon, 30 Sep 2019 21:19:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1569878366; bh=OMTHCwqwJ1GzMSx0iOVcEh3EWgyzdmHyM9IeuQTR06A=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=x+C0V9AgkHApWBc7Zd0/S46nAK+WxBm3gSSITjDRw+pfsdfk+9nrcTF9qPv8OjYO9 mLTmssgk/z4fcHbKiMsY4vHhZ0b3xn5hynPLOOIgT0QfEQETyl8V9YhIWa29EthIO7 VbNABAzQ6njz0tOTng2dZQzRNbGVcri/sp6Y7n1o= From: Eric Biggers To: fstests@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Jaegeuk Kim , "Theodore Y . Ts'o" Subject: [PATCH v4 3/8] generic: test general behavior of verity files Date: Mon, 30 Sep 2019 14:15:48 -0700 Message-Id: <20190930211553.64208-4-ebiggers@kernel.org> X-Mailer: git-send-email 2.23.0.444.g18eeb5a265-goog In-Reply-To: <20190930211553.64208-1-ebiggers@kernel.org> References: <20190930211553.64208-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org From: Eric Biggers This is a basic fs-verity test which verifies: - conditions for enabling verity - verity files have expected contents and size - can't change contents of verity files, but can change metadata - can retrieve a verity file's measurement via FS_IOC_MEASURE_VERITY Signed-off-by: Eric Biggers --- tests/generic/900 | 199 ++++++++++++++++++++++++++++++++++++++++++ tests/generic/900.out | 74 ++++++++++++++++ tests/generic/group | 1 + 3 files changed, 274 insertions(+) create mode 100755 tests/generic/900 create mode 100644 tests/generic/900.out diff --git a/tests/generic/900 b/tests/generic/900 new file mode 100755 index 00000000..04cbcfdf --- /dev/null +++ b/tests/generic/900 @@ -0,0 +1,199 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2018 Google LLC +# +# FS QA Test generic/900 +# +# This is a basic fs-verity test which verifies: +# +# - conditions for enabling verity +# - verity files have correct contents and size +# - can't change contents of verity files, but can change metadata +# - can retrieve a verity file's measurement via FS_IOC_MEASURE_VERITY +# +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + cd / + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter +. ./common/verity + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here +_supported_fs generic +_supported_os Linux +_require_scratch_verity + +_scratch_mkfs_verity &>> $seqres.full +_scratch_mount +fsv_orig_file=$SCRATCH_MNT/file +fsv_file=$SCRATCH_MNT/file.fsv + +verify_data_readable() +{ + local file=$1 + + md5sum $file > /dev/null +} + +verify_data_unreadable() +{ + local file=$1 + + # try both reading just the first data block, and reading until EOF + head -c $FSV_BLOCK_SIZE $file 2>&1 >/dev/null | _filter_scratch + md5sum $file |& _filter_scratch +} + +_fsv_scratch_begin_subtest "Enabling verity on file with verity already enabled fails with EEXIST" +_fsv_create_enable_file $fsv_file +echo "(trying again)" +_fsv_enable $fsv_file |& _filter_scratch + +_fsv_scratch_begin_subtest "Enabling verity with invalid hash algorithm fails with EINVAL" +_fsv_create_enable_file $fsv_file --hash-alg=257 |& _filter_scratch +verify_data_readable $fsv_file + +_fsv_scratch_begin_subtest "Enabling verity with invalid block size fails with EINVAL" +_fsv_create_enable_file $fsv_file --block-size=1 |& _filter_scratch +verify_data_readable $fsv_file + +_fsv_scratch_begin_subtest "Enabling verity on directory fails with EISDIR" +mkdir $SCRATCH_MNT/dir +_fsv_enable $SCRATCH_MNT/dir |& _filter_scratch + +_fsv_scratch_begin_subtest "Enabling verity with too-long salt fails with EMSGSIZE" +_fsv_create_enable_file $fsv_file --salt=$(perl -e 'print "A" x 1000') |& _filter_scratch +verify_data_readable $fsv_file + +_fsv_scratch_begin_subtest "Enabling verity on file on read-only filesystem fails with EROFS" +echo foo > $fsv_file +_scratch_remount ro +_fsv_enable $fsv_file |& _filter_scratch +_scratch_remount rw + +_fsv_scratch_begin_subtest "Enabling verity on file open for writing fails with ETXTBSY" +echo foo > $fsv_file +exec 3<> $fsv_file +_fsv_enable $fsv_file |& _filter_scratch +exec 3<&- +verify_data_readable $fsv_file + +_fsv_scratch_begin_subtest "Enabling verity can be interrupted" +dd if=/dev/zero of=$fsv_file bs=1 count=0 seek=$((1 << 34)) status=none +start_time=$(date +%s) +$FSVERITY_PROG enable $fsv_file & +sleep 0.5 +kill %1 +wait +elapsed=$(( $(date +%s) - start_time )) +if (( elapsed > 5 )); then + echo "Failed to interrupt FS_IOC_ENABLE_VERITY ($elapsed seconds elapsed)" +fi + +_fsv_scratch_begin_subtest "Enabling verity on file with verity already being enabled fails with EBUSY" +dd if=/dev/zero of=$fsv_file bs=1 count=0 seek=$((1 << 34)) status=none +start_time=$(date +%s) +$FSVERITY_PROG enable $fsv_file & +sleep 0.5 +_fsv_enable $fsv_file |& _filter_scratch +kill %1 +wait + +_fsv_scratch_begin_subtest "verity file can't be opened for writing" +_fsv_create_enable_file $fsv_file >> $seqres.full +echo "* reading" +$XFS_IO_PROG -r $fsv_file -c '' +echo "* xfs_io writing, should be O_RDWR" +$XFS_IO_PROG $fsv_file -c '' |& _filter_scratch +echo "* bash >>, should be O_APPEND" +bash -c "echo >> $fsv_file" |& _filter_scratch +echo "* bash >, should be O_WRONLY|O_CREAT|O_TRUNC" +bash -c "echo > $fsv_file" |& _filter_scratch + +_fsv_scratch_begin_subtest "verity file can be read" +_fsv_create_enable_file $fsv_file >> $seqres.full +verify_data_readable $fsv_file + +_fsv_scratch_begin_subtest "verity file can be measured" +_fsv_create_enable_file $fsv_file >> $seqres.full +_fsv_measure $fsv_file + +_fsv_scratch_begin_subtest "verity file can be renamed" +_fsv_create_enable_file $fsv_file +mv $fsv_file $fsv_file.newname + +_fsv_scratch_begin_subtest "verity file can be unlinked" +_fsv_create_enable_file $fsv_file +rm $fsv_file + +_fsv_scratch_begin_subtest "verity file can be linked to" +_fsv_create_enable_file $fsv_file +ln $fsv_file $fsv_file.newname + +_fsv_scratch_begin_subtest "verity file can be chmodded" +_fsv_create_enable_file $fsv_file +chmod 777 $fsv_file +chmod 444 $fsv_file + +_fsv_scratch_begin_subtest "verity file can be chowned" +_fsv_create_enable_file $fsv_file +chown 1:1 $fsv_file +chown 0:0 $fsv_file + +_fsv_scratch_begin_subtest "verity file has correct contents and size" +head -c 100000 /dev/urandom > $fsv_orig_file +cp $fsv_orig_file $fsv_file +_fsv_enable $fsv_file >> $seqres.full +cmp $fsv_file $fsv_orig_file +stat -c %s $fsv_file +_scratch_cycle_mount +cmp $fsv_file $fsv_orig_file +stat -c %s $fsv_file + +_fsv_scratch_begin_subtest "Trying to measure non-verity file fails with ENODATA" +echo foo > $fsv_file +_fsv_measure $fsv_file |& _filter_scratch +verify_data_readable $fsv_file + +# Test files <= 1 block in size. These are a bit of a special case since there +# are no hash blocks; the root hash is calculated directly over the data block. +for size in 1 $((FSV_BLOCK_SIZE - 1)) $FSV_BLOCK_SIZE; do + _fsv_scratch_begin_subtest "verity on $size-byte file" + head -c $size /dev/urandom > $fsv_orig_file + cp $fsv_orig_file $fsv_file + _fsv_enable $fsv_file + cmp $fsv_orig_file $fsv_file && echo "Files matched" + rm -f $fsv_file +done + +_fsv_scratch_begin_subtest "verity on 100M file (multiple levels in hash tree)" +head -c 100000000 /dev/urandom > $fsv_orig_file +cp $fsv_orig_file $fsv_file +_fsv_enable $fsv_file +cmp $fsv_orig_file $fsv_file && echo "Files matched" + +_fsv_scratch_begin_subtest "verity on sparse file" +dd if=/dev/zero of=$fsv_orig_file bs=1 count=1 seek=1000000 status=none +cp $fsv_orig_file $fsv_file +_fsv_enable $fsv_file +cmp $fsv_orig_file $fsv_file && echo "Files matched" + +# success, all done +status=0 +exit diff --git a/tests/generic/900.out b/tests/generic/900.out new file mode 100644 index 00000000..93f91f27 --- /dev/null +++ b/tests/generic/900.out @@ -0,0 +1,74 @@ +QA output created by 900 + +# Enabling verity on file with verity already enabled fails with EEXIST +(trying again) +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': File exists + +# Enabling verity with invalid hash algorithm fails with EINVAL +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Invalid argument + +# Enabling verity with invalid block size fails with EINVAL +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Invalid argument + +# Enabling verity on directory fails with EISDIR +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/dir': Is a directory + +# Enabling verity with too-long salt fails with EMSGSIZE +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Message too long + +# Enabling verity on file on read-only filesystem fails with EROFS +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Read-only file system + +# Enabling verity on file open for writing fails with ETXTBSY +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Text file busy + +# Enabling verity can be interrupted + +# Enabling verity on file with verity already being enabled fails with EBUSY +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Device or resource busy + +# verity file can't be opened for writing +* reading +* xfs_io writing, should be O_RDWR +SCRATCH_MNT/file.fsv: Operation not permitted +* bash >>, should be O_APPEND +bash: SCRATCH_MNT/file.fsv: Operation not permitted +* bash >, should be O_WRONLY|O_CREAT|O_TRUNC +bash: SCRATCH_MNT/file.fsv: Operation not permitted + +# verity file can be read + +# verity file can be measured +sha256:be54121da3877f8852c65136d731784f134c4dd9d95071502e80d7be9f99b263 + +# verity file can be renamed + +# verity file can be unlinked + +# verity file can be linked to + +# verity file can be chmodded + +# verity file can be chowned + +# verity file has correct contents and size +100000 +100000 + +# Trying to measure non-verity file fails with ENODATA +ERROR: FS_IOC_MEASURE_VERITY failed on 'SCRATCH_MNT/file.fsv': No data available + +# verity on 1-byte file +Files matched + +# verity on 4095-byte file +Files matched + +# verity on 4096-byte file +Files matched + +# verity on 100M file (multiple levels in hash tree) +Files matched + +# verity on sparse file +Files matched diff --git a/tests/generic/group b/tests/generic/group index 7cf4f6c4..8c5212a1 100644 --- a/tests/generic/group +++ b/tests/generic/group @@ -570,3 +570,4 @@ 565 auto quick copy_range 566 auto quick quota metadata 567 auto quick rw punch +900 auto quick verity From patchwork Mon Sep 30 21:15:49 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11167635 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 369A616C1 for ; Mon, 30 Sep 2019 21:19:28 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 151F32190F for ; Mon, 30 Sep 2019 21:19:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1569878368; bh=dyCnripIsjEVmHuZJlobi5OhaH25lW82kB16iOK9684=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=fclut93uARrejigExvohD8phXk5SkLbaLCUa1zjFb0I9eR0x8sgUTXexUFwqbKshb kbJsXG5lE/P1LaWIP0xUGEjuoxPkmhqktpEYjKFtjDQvYtwxIZC3SYgLq+VtwfrZAj vmejeNJwKoQUHw7hi1E6OVS8qWeJLsfvBfEmn/rY= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732353AbfI3VT1 (ORCPT ); Mon, 30 Sep 2019 17:19:27 -0400 Received: from mail.kernel.org ([198.145.29.99]:47258 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732128AbfI3VT1 (ORCPT ); Mon, 30 Sep 2019 17:19:27 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 9F9FB21906; Mon, 30 Sep 2019 21:19:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1569878366; bh=dyCnripIsjEVmHuZJlobi5OhaH25lW82kB16iOK9684=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=GJ4Nic2RSFH12uHK4YrEmr1z/lxBhM1r0H1TO+dzY0N1GdBAa+SJ9MoZHMfwr8to0 ocqZQeM7rKfowS9vKuRe/Wp1R6kHbvVy8HQBSfb5AQQNGMXZMdDwQL5lxiPgSbj87a jyvV659v5CEXFRVQOTL7ErAsC3UYrhrbkPlxZ8I8= From: Eric Biggers To: fstests@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Jaegeuk Kim , "Theodore Y . Ts'o" Subject: [PATCH v4 4/8] generic: test access controls on the fs-verity ioctls Date: Mon, 30 Sep 2019 14:15:49 -0700 Message-Id: <20190930211553.64208-5-ebiggers@kernel.org> X-Mailer: git-send-email 2.23.0.444.g18eeb5a265-goog In-Reply-To: <20190930211553.64208-1-ebiggers@kernel.org> References: <20190930211553.64208-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org From: Eric Biggers Test access controls on the fs-verity ioctls. FS_IOC_MEASURE_VERITY is allowed on any file, whereas FS_IOC_ENABLE_VERITY requires write access. Signed-off-by: Eric Biggers --- tests/generic/901 | 73 +++++++++++++++++++++++++++++++++++++++++++ tests/generic/901.out | 14 +++++++++ tests/generic/group | 1 + 3 files changed, 88 insertions(+) create mode 100755 tests/generic/901 create mode 100644 tests/generic/901.out diff --git a/tests/generic/901 b/tests/generic/901 new file mode 100755 index 00000000..56dab587 --- /dev/null +++ b/tests/generic/901 @@ -0,0 +1,73 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2018 Google LLC +# +# FS QA Test generic/901 +# +# Test access controls on the fs-verity ioctls. FS_IOC_MEASURE_VERITY is +# allowed on any file, whereas FS_IOC_ENABLE_VERITY requires write access. +# +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + cd / + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter +. ./common/verity + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here +_supported_fs generic +_supported_os Linux +_require_scratch_verity +_require_user +_require_chattr ia + +_scratch_mkfs_verity &>> $seqres.full +_scratch_mount +fsv_file=$SCRATCH_MNT/file.fsv + +_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY doesn't require root" +echo foo > $fsv_file +chmod 666 $fsv_file +_user_do "$FSVERITY_PROG enable $fsv_file" + +_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY requires write access" +echo foo > $fsv_file >> $seqres.full +chmod 444 $fsv_file +_user_do "$FSVERITY_PROG enable $fsv_file" |& _filter_scratch + +_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY requires !append-only" +echo foo > $fsv_file >> $seqres.full +$CHATTR_PROG +a $fsv_file +$FSVERITY_PROG enable $fsv_file |& _filter_scratch +$CHATTR_PROG -a $fsv_file + +_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY requires !immutable" +echo foo > $fsv_file >> $seqres.full +$CHATTR_PROG +i $fsv_file +$FSVERITY_PROG enable $fsv_file |& _filter_scratch +$CHATTR_PROG -i $fsv_file + +_fsv_scratch_begin_subtest "FS_IOC_MEASURE_VERITY doesn't require root" +_fsv_create_enable_file $fsv_file >> $seqres.full +chmod 444 $fsv_file +su $qa_user -c "$FSVERITY_PROG measure $fsv_file" >> $seqres.full + +# success, all done +status=0 +exit diff --git a/tests/generic/901.out b/tests/generic/901.out new file mode 100644 index 00000000..a9e4c364 --- /dev/null +++ b/tests/generic/901.out @@ -0,0 +1,14 @@ +QA output created by 901 + +# FS_IOC_ENABLE_VERITY doesn't require root + +# FS_IOC_ENABLE_VERITY requires write access +Permission denied + +# FS_IOC_ENABLE_VERITY requires !append-only +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Operation not permitted + +# FS_IOC_ENABLE_VERITY requires !immutable +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Operation not permitted + +# FS_IOC_MEASURE_VERITY doesn't require root diff --git a/tests/generic/group b/tests/generic/group index 8c5212a1..a0450d42 100644 --- a/tests/generic/group +++ b/tests/generic/group @@ -571,3 +571,4 @@ 566 auto quick quota metadata 567 auto quick rw punch 900 auto quick verity +901 auto quick verity From patchwork Mon Sep 30 21:15:50 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11167649 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B0A991920 for ; Mon, 30 Sep 2019 21:19:30 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 8F5F32190F for ; Mon, 30 Sep 2019 21:19:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1569878370; bh=AMDvMUxHbc7BlvkjtIaFkKhE6Cd5lcHwTQo1pPRNo/Y=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=GXUc6tulgY/TyMokefnsonmVYE+qeM7UzNBtItSZMkX2biOBLjZ4ujndJTLJY+7Va PK+LQIJZPWqkO6TOpSh7qNFIauLaH0psng7AjZBdZJhpoZD+cspxq9GgWblUMSmOen sgo028z7Oq7yYoxybdBNlvVdq2yrA+0s1q4B2k2Y= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732427AbfI3VT3 (ORCPT ); Mon, 30 Sep 2019 17:19:29 -0400 Received: from mail.kernel.org ([198.145.29.99]:47300 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729880AbfI3VT2 (ORCPT ); Mon, 30 Sep 2019 17:19:28 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id F255721A4A; Mon, 30 Sep 2019 21:19:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1569878367; bh=AMDvMUxHbc7BlvkjtIaFkKhE6Cd5lcHwTQo1pPRNo/Y=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=uB0xtTS1aIv1/FSjpYLoJGgwF4OqSt3yqFeujVF4uKEFRLWL1fCMJkF711AQVGqkc uWN8/YoWRWtrQGhMol6emuqnAA7l8bE5sIAiRpoe/dbXS51P2NsNtincyjKlvVrRZQ zN8vokcJzyjIFyImheo3FQ8NOENCAnRmUcLN7tjk= From: Eric Biggers To: fstests@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Jaegeuk Kim , "Theodore Y . Ts'o" Subject: [PATCH v4 5/8] generic: test corrupting verity files Date: Mon, 30 Sep 2019 14:15:50 -0700 Message-Id: <20190930211553.64208-6-ebiggers@kernel.org> X-Mailer: git-send-email 2.23.0.444.g18eeb5a265-goog In-Reply-To: <20190930211553.64208-1-ebiggers@kernel.org> References: <20190930211553.64208-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org From: Eric Biggers This test corrupts various parts of the contents of a verity file, or parts of its Merkle tree, by writing directly to the block device. It verifies that this causes I/O errors when the relevant part of the contents is later read by any means. Signed-off-by: Eric Biggers --- tests/generic/902 | 154 ++++++++++++++++++++++++++++++++++++++++++ tests/generic/902.out | 91 +++++++++++++++++++++++++ tests/generic/group | 1 + 3 files changed, 246 insertions(+) create mode 100755 tests/generic/902 create mode 100644 tests/generic/902.out diff --git a/tests/generic/902 b/tests/generic/902 new file mode 100755 index 00000000..5ef2cca1 --- /dev/null +++ b/tests/generic/902 @@ -0,0 +1,154 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2018 Google LLC +# +# FS QA Test generic/902 +# +# Test corrupting verity files. This test corrupts various parts of the +# contents of a verity file, or parts of its Merkle tree, by writing directly to +# the block device. It verifies that this causes I/O errors when the relevant +# part of the contents is later read by any means. +# +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + cd / + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter +. ./common/verity + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here +_supported_fs generic +_supported_os Linux +_require_scratch_verity + +_scratch_mkfs_verity &>> $seqres.full +_scratch_mount +fsv_orig_file=$SCRATCH_MNT/file +fsv_file=$SCRATCH_MNT/file.fsv + +setup_zeroed_file() +{ + local len=$1 + local sparse=$2 + + if $sparse; then + dd if=/dev/zero of=$fsv_orig_file bs=1 count=0 seek=$len \ + status=none + else + head -c $len /dev/zero > $fsv_orig_file + fi + cp $fsv_orig_file $fsv_file + _fsv_enable $fsv_file + md5sum $fsv_file |& _filter_scratch +} + +filter_sigbus() +{ + sed -e 's/.*Bus error.*/Bus error/' +} + +round_up_to_page_boundary() +{ + local n=$1 + local page_size=$(get_page_size) + + echo $(( (n + page_size - 1) & ~(page_size - 1) )) +} + +corruption_test() +{ + local file_len=$1 + local zap_offset=$2 + local zap_len=$3 + local is_merkle_tree=${4:-false} # if true, zap tree instead of data + local use_sparse_file=${5:-false} + local page_aligned_eof=$(round_up_to_page_boundary $file_len) + local measurement + + if $is_merkle_tree; then + local corrupt_func=_fsv_scratch_corrupt_merkle_tree + else + local corrupt_func=_fsv_scratch_corrupt_bytes + fi + + local msg="Corruption test:" + msg+=" file_len=$file_len" + if $use_sparse_file; then + msg+=" (sparse)" + fi + msg+=" zap_offset=$zap_offset" + if $is_merkle_tree; then + msg+=" (in Merkle tree)" + fi + msg+=" zap_len=$zap_len" + + _fsv_scratch_begin_subtest "$msg" + setup_zeroed_file $file_len $use_sparse_file + cmp $fsv_file $fsv_orig_file + echo "Corrupting bytes..." + head -c $zap_len /dev/zero | tr '\0' X \ + | $corrupt_func $fsv_file $zap_offset + + echo "Validating corruption (reading full file)..." + _scratch_cycle_mount + md5sum $fsv_file |& _filter_scratch + + echo "Validating corruption (direct I/O)..." + _scratch_cycle_mount + dd if=$fsv_file bs=$FSV_BLOCK_SIZE iflag=direct status=none \ + of=/dev/null |& _filter_scratch + + if ! $is_merkle_tree; then + echo "Validating corruption (reading just corrupted part)..." + dd if=$fsv_file bs=1 skip=$zap_offset count=$zap_len \ + of=/dev/null status=none |& _filter_scratch + fi + + echo "Validating corruption (reading full file via mmap)..." + bash -c "trap '' SIGBUS; $XFS_IO_PROG -r $fsv_file \ + -c 'mmap -r 0 $page_aligned_eof' \ + -c 'mread 0 $file_len'" |& filter_sigbus + + if ! $is_merkle_tree; then + echo "Validating corruption (reading just corrupted part via mmap)..." + bash -c "trap '' SIGBUS; $XFS_IO_PROG -r $fsv_file \ + -c 'mmap -r 0 $page_aligned_eof' \ + -c 'mread $zap_offset $zap_len'" |& filter_sigbus + fi +} + +corruption_test 131072 0 1 +corruption_test 131072 4095 1 +corruption_test 131072 65536 65536 +corruption_test 131072 131071 1 + +# Non-zeroed bytes in the final partial block beyond EOF should cause reads to +# fail too. Such bytes would be visible via mmap(). +corruption_test 130999 131000 72 + +# Merkle tree corruption. +corruption_test 200000 100 10 true + +# Sparse file. Corrupting the Merkle tree should still cause reads to fail, +# i.e. the filesystem must verify holes. +corruption_test 200000 100 10 true true + +# success, all done +status=0 +exit diff --git a/tests/generic/902.out b/tests/generic/902.out new file mode 100644 index 00000000..15fe691e --- /dev/null +++ b/tests/generic/902.out @@ -0,0 +1,91 @@ +QA output created by 902 + +# Corruption test: file_len=131072 zap_offset=0 zap_len=1 +0dfbe8aa4c20b52e1b8bf3cb6cbdf193 SCRATCH_MNT/file.fsv +Corrupting bytes... +Validating corruption (reading full file)... +md5sum: SCRATCH_MNT/file.fsv: Input/output error +Validating corruption (direct I/O)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading just corrupted part)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading full file via mmap)... +Bus error +Validating corruption (reading just corrupted part via mmap)... +Bus error + +# Corruption test: file_len=131072 zap_offset=4095 zap_len=1 +0dfbe8aa4c20b52e1b8bf3cb6cbdf193 SCRATCH_MNT/file.fsv +Corrupting bytes... +Validating corruption (reading full file)... +md5sum: SCRATCH_MNT/file.fsv: Input/output error +Validating corruption (direct I/O)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading just corrupted part)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading full file via mmap)... +Bus error +Validating corruption (reading just corrupted part via mmap)... +Bus error + +# Corruption test: file_len=131072 zap_offset=65536 zap_len=65536 +0dfbe8aa4c20b52e1b8bf3cb6cbdf193 SCRATCH_MNT/file.fsv +Corrupting bytes... +Validating corruption (reading full file)... +md5sum: SCRATCH_MNT/file.fsv: Input/output error +Validating corruption (direct I/O)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading just corrupted part)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading full file via mmap)... +Bus error +Validating corruption (reading just corrupted part via mmap)... +Bus error + +# Corruption test: file_len=131072 zap_offset=131071 zap_len=1 +0dfbe8aa4c20b52e1b8bf3cb6cbdf193 SCRATCH_MNT/file.fsv +Corrupting bytes... +Validating corruption (reading full file)... +md5sum: SCRATCH_MNT/file.fsv: Input/output error +Validating corruption (direct I/O)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading just corrupted part)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading full file via mmap)... +Bus error +Validating corruption (reading just corrupted part via mmap)... +Bus error + +# Corruption test: file_len=130999 zap_offset=131000 zap_len=72 +f5cca0d7fbb8b02bc6118a9954d5d306 SCRATCH_MNT/file.fsv +Corrupting bytes... +Validating corruption (reading full file)... +md5sum: SCRATCH_MNT/file.fsv: Input/output error +Validating corruption (direct I/O)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading just corrupted part)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading full file via mmap)... +Bus error +Validating corruption (reading just corrupted part via mmap)... +Bus error + +# Corruption test: file_len=200000 zap_offset=100 (in Merkle tree) zap_len=10 +4a1e4325031b13f933ac4f1db9ecb63f SCRATCH_MNT/file.fsv +Corrupting bytes... +Validating corruption (reading full file)... +md5sum: SCRATCH_MNT/file.fsv: Input/output error +Validating corruption (direct I/O)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading full file via mmap)... +Bus error + +# Corruption test: file_len=200000 (sparse) zap_offset=100 (in Merkle tree) zap_len=10 +4a1e4325031b13f933ac4f1db9ecb63f SCRATCH_MNT/file.fsv +Corrupting bytes... +Validating corruption (reading full file)... +md5sum: SCRATCH_MNT/file.fsv: Input/output error +Validating corruption (direct I/O)... +dd: error reading 'SCRATCH_MNT/file.fsv': Input/output error +Validating corruption (reading full file via mmap)... +Bus error diff --git a/tests/generic/group b/tests/generic/group index a0450d42..22df626f 100644 --- a/tests/generic/group +++ b/tests/generic/group @@ -572,3 +572,4 @@ 567 auto quick rw punch 900 auto quick verity 901 auto quick verity +902 auto quick verity From patchwork Mon Sep 30 21:15:51 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11167659 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1866117E1 for ; Mon, 30 Sep 2019 21:19:32 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id EAF9B2190F for ; Mon, 30 Sep 2019 21:19:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1569878372; bh=MoLkKFDi6H3PkhE7APy4ytIKLYmhd3II2QQd3Uz9NpY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=AlILJS7aVNupXIkau6Mll9DCzTw7qwTR9wWvhfmsGmP4SUwNuBzNJr2oUKrfD5aH0 ScjEY880JJ//O2PefbSSgz2hNB71sIQaSoEHyHoqH5RnS72JDW6RQYxpQ95uoEfZIz b0BN3iqWjyAkW9Q3mGn9HpsPQik3C1FMC6mbkLVU= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732409AbfI3VT2 (ORCPT ); Mon, 30 Sep 2019 17:19:28 -0400 Received: from mail.kernel.org ([198.145.29.99]:47326 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732351AbfI3VT2 (ORCPT ); Mon, 30 Sep 2019 17:19:28 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 51AC121D82; Mon, 30 Sep 2019 21:19:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1569878367; bh=MoLkKFDi6H3PkhE7APy4ytIKLYmhd3II2QQd3Uz9NpY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ijRStMnLlOcvdbBxDyhecOBD1imTvYa80M4IUOQAfo84g9FL066EBs4d78XmEef90 CAZzjifxrR4/xXnGdi/QkAYBIZ9nqWpe3EfICLFwGFwugpnq/KE4WT49TC8FkNisps Fd8EOa01Tct2SDZaOhnKcYGKh29ajHV2SXKdcS/s= From: Eric Biggers To: fstests@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Jaegeuk Kim , "Theodore Y . Ts'o" Subject: [PATCH v4 6/8] generic: test that fs-verity is using the correct measurement values Date: Mon, 30 Sep 2019 14:15:51 -0700 Message-Id: <20190930211553.64208-7-ebiggers@kernel.org> X-Mailer: git-send-email 2.23.0.444.g18eeb5a265-goog In-Reply-To: <20190930211553.64208-1-ebiggers@kernel.org> References: <20190930211553.64208-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org From: Eric Biggers This test verifies that fs-verity is doing its Merkle tree-based hashing correctly, i.e. that it hasn't been broken by a change. Signed-off-by: Eric Biggers --- tests/generic/903 | 112 ++++++++++++++++++++++++++++++++++++++++++ tests/generic/903.out | 5 ++ tests/generic/group | 1 + 3 files changed, 118 insertions(+) create mode 100755 tests/generic/903 create mode 100644 tests/generic/903.out diff --git a/tests/generic/903 b/tests/generic/903 new file mode 100755 index 00000000..55f4a3ba --- /dev/null +++ b/tests/generic/903 @@ -0,0 +1,112 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2018 Google LLC +# +# FS QA Test generic/903 +# +# Test that fs-verity is using the correct measurement values. This test +# verifies that fs-verity is doing its Merkle tree-based hashing correctly, +# i.e. that it hasn't been broken by a change. +# +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + cd / + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter +. ./common/verity + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here +_supported_fs generic +_supported_os Linux +_require_scratch_verity +if [ $FSV_BLOCK_SIZE != 4096 ]; then + _notrun "4096-byte verity block size not supported on this platform" +fi + +_scratch_mkfs_verity &>> $seqres.full +_scratch_mount +fsv_orig_file=$SCRATCH_MNT/file +fsv_file=$SCRATCH_MNT/file.fsv + +algs=(sha256 sha512) + +# Try files with 0, 1, and multiple Merkle tree levels. +file_sizes=(0 4096 65536 65536 100000000) + +# Try both unsalted and salted, and check that empty salt is the same as no salt +salts=('' '' '' '--salt=' '--salt=f3c93fa6fb828c0e1587e5714ecf6f56') + +# The expected file measurements are here rather than in the expected output +# file because not all hash algorithms may be available. +sha256_vals=( +sha256:3d248ca542a24fc62d1c43b916eae5016878e2533c88238480b26128a1f1af95 +sha256:babc284ee4ffe7f449377fbf6692715b43aec7bc39c094a95878904d34bac97e +sha256:011e3f2b1dc89b75d78cddcc2a1b85cd8a64b2883e5f20f277ae4c0617e0404f +sha256:011e3f2b1dc89b75d78cddcc2a1b85cd8a64b2883e5f20f277ae4c0617e0404f +sha256:9d33cab743468fcbe4edab91a275b30dd543c12dd5e6ce6f2f737f66a1558f06 +) +sha512_vals=( +sha512:ccf9e5aea1c2a64efa2f2354a6024b90dffde6bbc017825045dce374474e13d10adb9dadcc6ca8e17a3c075fbd31336e8f266ae6fa93a6c3bed66f9e784e5abf +sha512:928922686c4caf32175f5236a7f964e9925d10a74dc6d8344a8bd08b23c228ff5792573987d7895f628f39c4f4ebe39a7367d7aeb16aaa0cd324ac1d53664e61 +sha512:eab7224ce374a0a4babcb2db25e24836247f38b87806ad9be9e5ba4daac2f5b814fc0cbdfd9f1f8499b3c9a6c1b38fe08974cce49883ab4ccd04462fd2f9507f +sha512:eab7224ce374a0a4babcb2db25e24836247f38b87806ad9be9e5ba4daac2f5b814fc0cbdfd9f1f8499b3c9a6c1b38fe08974cce49883ab4ccd04462fd2f9507f +sha512:f7083a38644880d25539488313e9e5b41a4d431a0e383945129ad2c36e3c1d0f28928a424641bb1363c12b6e770578102566acea73baf1ce8ee15336f5ba2446 +) + +test_alg() +{ + local alg=$1 + local -n vals=${alg}_vals + local i + local file_size + local expected actual salt_arg + + _fsv_scratch_begin_subtest "Check for expected measurement values ($alg)" + + if ! _fsv_have_hash_algorithm $alg $fsv_file; then + if [ "$alg" = sha256 ]; then + _fail "Something is wrong - sha256 hash should always be available" + fi + return 0 + fi + + for i in ${!file_sizes[@]}; do + file_size=${file_sizes[$i]} + expected=${vals[$i]} + salt_arg=${salts[$i]} + + head -c $file_size /dev/zero > $fsv_orig_file + cp $fsv_orig_file $fsv_file + _fsv_enable --hash-alg=$alg $salt_arg $fsv_file + actual=$(_fsv_measure $fsv_file) + if [ "$actual" != "$expected" ]; then + echo "Mismatch: expected $expected, kernel calculated $actual (file_size=$file_size)" + fi + cmp $fsv_orig_file $fsv_file + rm -f $fsv_file + done +} + +for alg in ${algs[@]}; do + test_alg $alg +done + +# success, all done +status=0 +exit diff --git a/tests/generic/903.out b/tests/generic/903.out new file mode 100644 index 00000000..02508828 --- /dev/null +++ b/tests/generic/903.out @@ -0,0 +1,5 @@ +QA output created by 903 + +# Check for expected measurement values (sha256) + +# Check for expected measurement values (sha512) diff --git a/tests/generic/group b/tests/generic/group index 22df626f..864bab46 100644 --- a/tests/generic/group +++ b/tests/generic/group @@ -573,3 +573,4 @@ 900 auto quick verity 901 auto quick verity 902 auto quick verity +903 auto quick verity From patchwork Mon Sep 30 21:15:52 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11167655 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id AD36513B1 for ; Mon, 30 Sep 2019 21:19:31 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 8C7FC2190F for ; Mon, 30 Sep 2019 21:19:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1569878371; bh=/nijVK2X95EdSUBcvPcGNqMcXm+CeLTfUBbQWRKzFtY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=qnrrqyjTYxddaqOvBQxdrVd+ok47N0zc0fKI920cPNXz0mXQxfI0rUso2GcEgGrGz maP8F81HvmPDimRsyVWGwdxLdI+Ei47XO64HwSURcduPbWH/9iiaHV76FJlThqG+nH g9IMl1YuNQcruCtliLNTycDOe0wC4APPT8h5VVms= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732438AbfI3VTa (ORCPT ); Mon, 30 Sep 2019 17:19:30 -0400 Received: from mail.kernel.org ([198.145.29.99]:47258 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732358AbfI3VT3 (ORCPT ); Mon, 30 Sep 2019 17:19:29 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id A837D21924; Mon, 30 Sep 2019 21:19:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1569878367; bh=/nijVK2X95EdSUBcvPcGNqMcXm+CeLTfUBbQWRKzFtY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=rugqRfXLtRKIwDASm1yNdKfcC1tlIOjeF8g3C5wwUkheaXJg3dvI6MIOLQp7vV9Ib wCAOqvknvaftHA4YFkuJQYK0Gekn9S2ifGAEuu+ZDuVB+M5Bw/9NY+qCaRtyQt48VN iAeMIugbBX/DTf5tP2oQ/sH7a2LQHyizYtKavZU0= From: Eric Biggers To: fstests@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Jaegeuk Kim , "Theodore Y . Ts'o" Subject: [PATCH v4 7/8] generic: test using fs-verity and fscrypt simultaneously Date: Mon, 30 Sep 2019 14:15:52 -0700 Message-Id: <20190930211553.64208-8-ebiggers@kernel.org> X-Mailer: git-send-email 2.23.0.444.g18eeb5a265-goog In-Reply-To: <20190930211553.64208-1-ebiggers@kernel.org> References: <20190930211553.64208-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org From: Eric Biggers This primarily verifies correct ordering of the hooks for each feature: fscrypt needs to be first. Signed-off-by: Eric Biggers --- tests/generic/904 | 80 +++++++++++++++++++++++++++++++++++++++++++ tests/generic/904.out | 12 +++++++ tests/generic/group | 1 + 3 files changed, 93 insertions(+) create mode 100755 tests/generic/904 create mode 100644 tests/generic/904.out diff --git a/tests/generic/904 b/tests/generic/904 new file mode 100755 index 00000000..61bdae22 --- /dev/null +++ b/tests/generic/904 @@ -0,0 +1,80 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2018 Google LLC +# +# FS QA Test generic/904 +# +# Test using fs-verity and fscrypt simultaneously. This primarily verifies +# correct ordering of the hooks for each feature: fscrypt needs to be first. +# +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + cd / + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter +. ./common/verity +. ./common/encrypt + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here +_supported_fs generic +_supported_os Linux +_require_scratch_verity +_require_scratch_encryption +_require_command "$KEYCTL_PROG" keyctl + +_scratch_mkfs_encrypted_verity &>> $seqres.full +_scratch_mount + +fsv_orig_file=$tmp.file +edir=$SCRATCH_MNT/edir +fsv_file=$edir/file.fsv + +# Set up an encrypted directory. +_new_session_keyring +keydesc=$(_generate_encryption_key) +mkdir $edir +_set_encpolicy $edir $keydesc + +# Create a file within the encrypted directory and enable verity on it. +# Then check that it has an encryption policy as well. +head -c 100000 /dev/zero > $fsv_orig_file +cp $fsv_orig_file $fsv_file +_fsv_enable $fsv_file +echo +$XFS_IO_PROG -r -c "get_encpolicy" $fsv_file | _filter_scratch \ + | sed 's/Master key descriptor:.*/Master key descriptor: 0000000000000000/' +echo + +# Verify that the file contents are as expected. This should be going through +# both the decryption and verity I/O paths. +cmp $fsv_orig_file $fsv_file && echo "Files matched" + +# Just in case, try again after a mount cycle to empty the page cache. +_scratch_cycle_mount +cmp $fsv_orig_file $fsv_file && echo "Files matched" + +# Corrupt some bytes as a sanity check that fs-verity is really working. +# This also verifies that the data on-disk is really encrypted, since otherwise +# the data being written here would be identical to the old data. +head -c 1000 /dev/zero | _fsv_scratch_corrupt_bytes $fsv_file 50000 +md5sum $fsv_file |& _filter_scratch + +# success, all done +status=0 +exit diff --git a/tests/generic/904.out b/tests/generic/904.out new file mode 100644 index 00000000..5f4e249a --- /dev/null +++ b/tests/generic/904.out @@ -0,0 +1,12 @@ +QA output created by 904 + +Encryption policy for SCRATCH_MNT/edir/file.fsv: + Policy version: 0 + Master key descriptor: 0000000000000000 + Contents encryption mode: 1 (AES-256-XTS) + Filenames encryption mode: 4 (AES-256-CTS) + Flags: 0x02 + +Files matched +Files matched +md5sum: SCRATCH_MNT/edir/file.fsv: Input/output error diff --git a/tests/generic/group b/tests/generic/group index 864bab46..c996542a 100644 --- a/tests/generic/group +++ b/tests/generic/group @@ -574,3 +574,4 @@ 901 auto quick verity 902 auto quick verity 903 auto quick verity +904 auto quick verity encrypt From patchwork Mon Sep 30 21:15:53 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11167647 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 856E11747 for ; Mon, 30 Sep 2019 21:19:30 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 5B2DF2190F for ; Mon, 30 Sep 2019 21:19:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1569878370; bh=9UhgddTaavLuhdplB1poq3TFBlFYIObQrc+iqLwnCDk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=bTwPxRaWlcJu9O2ZfCzo86N3D2Sy0iD6Y3BgmAFDI+A92DuOl/Z+6Sks0XgSStpxJ qfg1Cq0f81pNmu0evKgxshfw9x10ikgsCORLXI1AeZ6jDHgD+kRSTtnB0TKGtKzzRB ysRShSy6pOqJf1QTfk/I9GdbzqWrhzB2Plrg1f10= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732430AbfI3VT3 (ORCPT ); Mon, 30 Sep 2019 17:19:29 -0400 Received: from mail.kernel.org ([198.145.29.99]:47244 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732362AbfI3VT3 (ORCPT ); Mon, 30 Sep 2019 17:19:29 -0400 Received: from ebiggers-linuxstation.mtv.corp.google.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 0775821A4C; Mon, 30 Sep 2019 21:19:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1569878368; bh=9UhgddTaavLuhdplB1poq3TFBlFYIObQrc+iqLwnCDk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=OEUf6GR7sHRbWgy7UrYMF81xx6PGyl3AADS8DiDNKM7SCJzB3mrliZ7I8E8LzwkYX fVGWbRMqQO6PjCK+J/myYivWJlxC0KqCYEHGICCmA7eWeZhaHpl3Mqy4FAg/jXOQgc LdRCF/rSi9wKNczospIq7W0ROJibS15KC8/WSkT8= From: Eric Biggers To: fstests@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Jaegeuk Kim , "Theodore Y . Ts'o" Subject: [PATCH v4 8/8] generic: test the fs-verity built-in signature verification support Date: Mon, 30 Sep 2019 14:15:53 -0700 Message-Id: <20190930211553.64208-9-ebiggers@kernel.org> X-Mailer: git-send-email 2.23.0.444.g18eeb5a265-goog In-Reply-To: <20190930211553.64208-1-ebiggers@kernel.org> References: <20190930211553.64208-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org From: Eric Biggers Add a basic test for the fs-verity built-in signature verification support, which is an optional feature where the kernel can be configured to enforce that all verity files are accompanied with a valid signature by a key that has been loaded into the fs-verity keyring. Signed-off-by: Eric Biggers --- common/config | 1 + common/verity | 16 +++++ tests/generic/905 | 150 ++++++++++++++++++++++++++++++++++++++++++ tests/generic/905.out | 42 ++++++++++++ tests/generic/group | 1 + 5 files changed, 210 insertions(+) create mode 100755 tests/generic/905 create mode 100644 tests/generic/905.out diff --git a/common/config b/common/config index fb4097b8..c7a1c61c 100644 --- a/common/config +++ b/common/config @@ -214,6 +214,7 @@ export XFS_INFO_PROG="$(type -P xfs_info)" export DUPEREMOVE_PROG="$(type -P duperemove)" export CC_PROG="$(type -P cc)" export FSVERITY_PROG="$(type -P fsverity)" +export OPENSSL_PROG="$(type -P openssl)" # use 'udevadm settle' or 'udevsettle' to wait for lv to be settled. # newer systems have udevadm command but older systems like RHEL5 don't. diff --git a/common/verity b/common/verity index a8aae51e..bcb5670d 100644 --- a/common/verity +++ b/common/verity @@ -45,6 +45,17 @@ _require_scratch_verity() FSV_BLOCK_SIZE=$(get_page_size) } +# Check for CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y. +_require_fsverity_builtin_signatures() +{ + if [ ! -e /proc/keys ]; then + _notrun "kernel doesn't support keyrings" + fi + if ! awk '{print $9}' /proc/keys | grep -q '^\.fs-verity:$'; then + _notrun "kernel doesn't support fs-verity builtin signatures" + fi +} + _scratch_mkfs_verity() { case $FSTYP in @@ -92,6 +103,11 @@ _fsv_measure() $FSVERITY_PROG measure "$@" | awk '{print $1}' } +_fsv_sign() +{ + $FSVERITY_PROG sign "$@" +} + # Generate a file, then enable verity on it. _fsv_create_enable_file() { diff --git a/tests/generic/905 b/tests/generic/905 new file mode 100755 index 00000000..e42b012d --- /dev/null +++ b/tests/generic/905 @@ -0,0 +1,150 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2019 Google LLC +# +# FS QA Test generic/905 +# +# Test the fs-verity built-in signature verification support. +# +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + sysctl -w fs.verity.require_signatures=0 &>/dev/null + cd / + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter +. ./common/verity + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here +_supported_fs generic +_supported_os Linux +_require_scratch_verity +_require_fsverity_builtin_signatures +_require_command "$OPENSSL_PROG" openssl +_require_command "$KEYCTL_PROG" keyctl + +_scratch_mkfs_verity &>> $seqres.full +_scratch_mount + +fsv_file=$SCRATCH_MNT/file.fsv +fsv_orig_file=$SCRATCH_MNT/file +keyfile=$tmp.key.pem +certfile=$tmp.cert.pem +certfileder=$tmp.cert.der +sigfile=$tmp.sig +otherfile=$SCRATCH_MNT/otherfile +othersigfile=$tmp.othersig + +# Setup + +echo -e "\n# Generating certificates and private keys" +for suffix in '' '.2'; do + if ! $OPENSSL_PROG req -newkey rsa:4096 -nodes -batch -x509 \ + -keyout $keyfile$suffix -out $certfile$suffix \ + &>> $seqres.full; then + _fail "Failed to generate certificate and private key (see $seqres.full)" + fi + $OPENSSL_PROG x509 -in $certfile$suffix -out $certfileder$suffix \ + -outform der +done + +echo -e "\n# Clearing fs-verity keyring" +$KEYCTL_PROG clear %keyring:.fs-verity + +echo -e "\n# Loading first certificate into fs-verity keyring" +$KEYCTL_PROG padd asymmetric '' %keyring:.fs-verity \ + < $certfileder >> $seqres.full + +echo -e "\n# Enabling fs.verity.require_signatures" +sysctl -w fs.verity.require_signatures=1 + +echo -e "\n# Generating file and signing it for fs-verity" +head -c 100000 /dev/zero > $fsv_orig_file +for suffix in '' '.2'; do + _fsv_sign $fsv_orig_file $sigfile$suffix --key=$keyfile$suffix \ + --cert=$certfile$suffix | _filter_scratch +done + +echo -e "\n# Signing a different file for fs-verity" +head -c 100000 /dev/zero | tr '\0' 'X' > $otherfile +_fsv_sign $otherfile $othersigfile --key=$keyfile --cert=$certfile \ + | _filter_scratch + +# Actual tests + +reset_fsv_file() +{ + rm -f $fsv_file + cp $fsv_orig_file $fsv_file +} + +echo -e "\n# Enabling verity with valid signature (should succeed)" +reset_fsv_file +_fsv_enable $fsv_file --signature=$sigfile +cmp $fsv_file $fsv_orig_file + +echo -e "\n# Enabling verity without signature (should fail)" +reset_fsv_file +_fsv_enable $fsv_file |& _filter_scratch + +echo -e "\n# Opening verity file without signature (should fail)" +reset_fsv_file +sysctl -w fs.verity.require_signatures=0 &>> $seqres.full +_fsv_enable $fsv_file +sysctl -w fs.verity.require_signatures=1 &>> $seqres.full +_scratch_cycle_mount +md5sum $fsv_file |& _filter_scratch + +echo -e "\n# Enabling verity with untrusted signature (should fail)" +reset_fsv_file +_fsv_enable $fsv_file --signature=$sigfile.2 |& _filter_scratch + +echo -e "\n# Enabling verity with wrong file's signature (should fail)" +reset_fsv_file +_fsv_enable $fsv_file --signature=$othersigfile |& _filter_scratch + +echo -e "\n# Enabling verity with malformed signature (should fail)" +echo foobarbaz > $tmp.malformed_sig +reset_fsv_file +_fsv_enable $fsv_file --signature=$tmp.malformed_sig |& _filter_scratch + +echo -e "\n# Testing salt" +reset_fsv_file +_fsv_sign $fsv_orig_file $sigfile.salted --key=$keyfile --cert=$certfile \ + --salt=abcd | _filter_scratch +_fsv_enable $fsv_file --signature=$sigfile.salted --salt=abcd +cmp $fsv_file $fsv_orig_file + +echo -e "\n# Testing non-default hash algorithm" +if _fsv_have_hash_algorithm sha512 $fsv_file; then + reset_fsv_file + _fsv_sign $fsv_orig_file $sigfile.sha512 --key=$keyfile \ + --cert=$certfile --hash-alg=sha512 > /dev/null + _fsv_enable $fsv_file --signature=$sigfile.sha512 --hash-alg=sha512 + cmp $fsv_file $fsv_orig_file +fi + +echo -e "\n# Testing empty file" +echo -n > $fsv_file +_fsv_sign $fsv_file $sigfile.emptyfile --key=$keyfile --cert=$certfile | \ + _filter_scratch +_fsv_enable $fsv_file --signature=$sigfile.emptyfile + +# success, all done +status=0 +exit diff --git a/tests/generic/905.out b/tests/generic/905.out new file mode 100644 index 00000000..4b28757a --- /dev/null +++ b/tests/generic/905.out @@ -0,0 +1,42 @@ +QA output created by 905 + +# Generating certificates and private keys + +# Clearing fs-verity keyring + +# Loading first certificate into fs-verity keyring + +# Enabling fs.verity.require_signatures +fs.verity.require_signatures = 1 + +# Generating file and signing it for fs-verity +Signed file 'SCRATCH_MNT/file' (sha256:ecabbfca4efd69a721be824965da10d27900b109549f96687b35a4d91d810dac) +Signed file 'SCRATCH_MNT/file' (sha256:ecabbfca4efd69a721be824965da10d27900b109549f96687b35a4d91d810dac) + +# Signing a different file for fs-verity +Signed file 'SCRATCH_MNT/otherfile' (sha256:b2a419c5a8c767a78c6275d6729794bf51e52ddf8713e31d12a93d61d961f49f) + +# Enabling verity with valid signature (should succeed) + +# Enabling verity without signature (should fail) +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Operation not permitted + +# Opening verity file without signature (should fail) +md5sum: SCRATCH_MNT/file.fsv: Operation not permitted + +# Enabling verity with untrusted signature (should fail) +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Required key not available + +# Enabling verity with wrong file's signature (should fail) +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Key was rejected by service + +# Enabling verity with malformed signature (should fail) +ERROR: FS_IOC_ENABLE_VERITY failed on 'SCRATCH_MNT/file.fsv': Bad message + +# Testing salt +Signed file 'SCRATCH_MNT/file' (sha256:1cb173bcd199133eb80e9ea4f0f741001b9e73227aa8812685156f2bc8ff45f5) + +# Testing non-default hash algorithm + +# Testing empty file +Signed file 'SCRATCH_MNT/file.fsv' (sha256:3d248ca542a24fc62d1c43b916eae5016878e2533c88238480b26128a1f1af95) diff --git a/tests/generic/group b/tests/generic/group index c996542a..78aba1e7 100644 --- a/tests/generic/group +++ b/tests/generic/group @@ -575,3 +575,4 @@ 902 auto quick verity 903 auto quick verity 904 auto quick verity encrypt +905 auto quick verity