| #! /bin/bash |
| # SPDX-License-Identifier: GPL-2.0 |
| # Copyright 2019 Google LLC |
| # |
| # FS QA Test generic/577 |
| # |
| # Test the fs-verity built-in signature verification support. |
| # |
| . ./common/preamble |
| _begin_fstest auto quick verity |
| |
| # Override the default cleanup function. |
| _cleanup() |
| { |
| cd / |
| _restore_fsverity_signatures |
| rm -f $tmp.* |
| } |
| |
| # Import common functions. |
| . ./common/filter |
| . ./common/verity |
| |
| _require_scratch_verity |
| _require_fsverity_builtin_signatures |
| |
| _scratch_mkfs_verity &>> $seqres.full |
| _scratch_mount |
| |
| fsv_file=$SCRATCH_MNT/file.fsv |
| fsv_orig_file=$SCRATCH_MNT/file |
| keyfile=$tmp.key.pem |
| certfile=$tmp.cert.pem |
| certfileder=$tmp.cert.der |
| sigfile=$tmp.sig |
| otherfile=$SCRATCH_MNT/otherfile |
| othersigfile=$tmp.othersig |
| |
| sign() |
| { |
| _fsv_sign "$@" | _filter_scratch | _filter_fsverity_digest |
| } |
| |
| # Setup |
| |
| echo -e "\n# Generating certificates and private keys" |
| for suffix in '' '.2'; do |
| _fsv_generate_cert $keyfile$suffix $certfile$suffix $certfileder$suffix |
| done |
| |
| echo -e "\n# Clearing fs-verity keyring" |
| _fsv_clear_keyring |
| |
| echo -e "\n# Loading first certificate into fs-verity keyring" |
| _fsv_load_cert $certfileder |
| |
| echo -e "\n# Enabling fs.verity.require_signatures" |
| _enable_fsverity_signatures |
| |
| echo -e "\n# Generating file and signing it for fs-verity" |
| head -c 100000 /dev/zero > $fsv_orig_file |
| for suffix in '' '.2'; do |
| sign $fsv_orig_file $sigfile$suffix --key=$keyfile$suffix \ |
| --cert=$certfile$suffix |
| done |
| |
| echo -e "\n# Signing a different file for fs-verity" |
| head -c 100000 /dev/zero | tr '\0' 'X' > $otherfile |
| sign $otherfile $othersigfile --key=$keyfile --cert=$certfile |
| |
| # Actual tests |
| |
| reset_fsv_file() |
| { |
| rm -f $fsv_file |
| cp $fsv_orig_file $fsv_file |
| } |
| |
| echo -e "\n# Enabling verity with valid signature (should succeed)" |
| reset_fsv_file |
| _fsv_enable $fsv_file --signature=$sigfile |
| cmp $fsv_file $fsv_orig_file |
| |
| echo -e "\n# Enabling verity without signature (should fail)" |
| reset_fsv_file |
| _fsv_enable $fsv_file |& _filter_scratch |
| |
| echo -e "\n# Opening verity file without signature (should fail)" |
| reset_fsv_file |
| _disable_fsverity_signatures |
| _fsv_enable $fsv_file |
| _enable_fsverity_signatures |
| _scratch_cycle_mount |
| md5sum $fsv_file |& _filter_scratch |
| |
| echo -e "\n# Enabling verity with untrusted signature (should fail)" |
| reset_fsv_file |
| _fsv_enable $fsv_file --signature=$sigfile.2 |& _filter_scratch |
| |
| echo -e "\n# Enabling verity with wrong file's signature (should fail)" |
| reset_fsv_file |
| _fsv_enable $fsv_file --signature=$othersigfile |& _filter_scratch |
| |
| echo -e "\n# Enabling verity with malformed signature (should fail)" |
| echo foobarbaz > $tmp.malformed_sig |
| reset_fsv_file |
| _fsv_enable $fsv_file --signature=$tmp.malformed_sig |& _filter_scratch |
| |
| echo -e "\n# Testing salt" |
| reset_fsv_file |
| sign $fsv_orig_file $sigfile.salted --key=$keyfile --cert=$certfile --salt=abcd |
| _fsv_enable $fsv_file --signature=$sigfile.salted --salt=abcd |
| cmp $fsv_file $fsv_orig_file |
| |
| echo -e "\n# Testing non-default hash algorithm" |
| if _fsv_can_enable $fsv_file --hash-alg=sha512; then |
| reset_fsv_file |
| sign $fsv_orig_file $sigfile.sha512 --key=$keyfile --cert=$certfile \ |
| --hash-alg=sha512 > /dev/null |
| _fsv_enable $fsv_file --signature=$sigfile.sha512 --hash-alg=sha512 |
| cmp $fsv_file $fsv_orig_file |
| fi |
| |
| echo -e "\n# Testing empty file" |
| rm -f $fsv_file |
| echo -n > $fsv_file |
| sign $fsv_file $sigfile.emptyfile --key=$keyfile --cert=$certfile |
| _fsv_enable $fsv_file --signature=$sigfile.emptyfile |
| |
| # success, all done |
| status=0 |
| exit |
