author | Alexander Larsson <alexl@redhat.com> | 2023-07-10 11:07:13 +0200 |
---|---|---|
committer | Zorro Lang <zlang@kernel.org> | 2023-07-23 12:56:22 +0800 |
commit | f2c9af189a76ecd0920466fb4afd8e542a5dc5e9 (patch) | |
tree | 9af56cf0facdc913fbaedd2c9745ef4442aa7d36 /common | |
parent | 019122400875a59b02e35dc5d49e31c9b7b704e0 (diff) |
overlay: Add test coverage for fs-verity support
This tests that the right xattrs are set during copy-up, and
that we properly fail on missing or erroneous fs-verity digests
when validating.
We also ensure that verity=require fails if a metacopy has no
fs-verity, and doesn't do a meta-copy-up if the base file lacks
verity.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Reviewed-by: Zorro Lang <zlang@redhat.com>
Signed-off-by: Zorro Lang <zlang@kernel.org>
Diffstat (limited to 'common')
-rw-r--r-- | common/overlay | 14 | ||||
-rw-r--r-- | common/verity | 16 |
2 files changed, 25 insertions, 5 deletions
diff --git a/common/overlay b/common/overlay
index 816ed66d..7004187f 100644
--- a/common/overlay
+++ b/common/overlay
@@ -201,6 +201,20 @@ _require_scratch_overlay_features()
 _scratch_unmount
 }

+_require_scratch_overlay_verity()
+{
+ local lowerdirs="$OVL_BASE_SCRATCH_MNT/$OVL_UPPER:$OVL_BASE_SCRATCH_MNT/$OVL_LOWER"
+
+ _require_scratch_verity "$OVL_BASE_FSTYP" "$OVL_BASE_SCRATCH_MNT"
+
+ _scratch_mkfs > /dev/null 2>&1
+ _overlay_scratch_mount_dirs "$lowerdirs" "-" "-" \
+ -o ro,redirect_dir=follow,metacopy=on,verity=on > /dev/null 2>&1 || \
+ _notrun "overlay verity not supported on ${SCRATCH_DEV}"
+
+ _scratch_unmount
+}
+
 # Check kernel support for <lowerdirs>::<lowerdatadir> format
 _require_scratch_overlay_lowerdata_layers()
 {
diff --git a/common/verity b/common/verity
index 77c257d3..e0937717 100644
--- a/common/verity
+++ b/common/verity
@@ -38,10 +38,13 @@ _require_scratch_verity()
 "or mkfs options are not compatible with verity"
 fi

+ local fstyp=${1:-$FSTYP}
+ local scratch_mnt=${2:-$SCRATCH_MNT}
+
 # The filesystem may be aware of fs-verity but have it disabled by
 # CONFIG_FS_VERITY=n. Detect support via sysfs.
- if [ ! -e /sys/fs/$FSTYP/features/verity ]; then
- _notrun "kernel $FSTYP isn't configured with verity support"
+ if [ ! -e /sys/fs/$fstyp/features/verity ]; then
+ _notrun "kernel $fstyp isn't configured with verity support"
 fi

 # Select a default Merkle tree block size for when tests don't
@@ -57,7 +60,7 @@ _require_scratch_verity()
 #
 # Therefore, we default to merkle_tree_block_size == min(fs_block_size,
 # page_size). That maximizes the chance of verity actually working.
- local fs_block_size=$(_get_block_size $SCRATCH_MNT)
+ local fs_block_size=$(_get_block_size $scratch_mnt)
 local page_size=$(get_page_size)
 if (( fs_block_size <= page_size )); then
 FSV_BLOCK_SIZE=$fs_block_size
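Review bot: `_require_scratch_overlay_verity()` in common/overlay has no header comment, unlike the neighbouring helper (`# Check kernel support for <lowerdirs>::<lowerdatadir> format`), and what it probes is not obvious from the name. I would add `# Check kernel support for the overlayfs verity= mount option (probe mounts read-only with metacopy=on,verity=on)` above it. The probe sends the mount's stdout and stderr to /dev/null and turns any failure into `_notrun`, so a mount that fails for an unrelated reason skips the fs-verity tests instead of failing them. A short comment saying so would remind people to check the notrun list when they expect this coverage to run.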
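Review bot: The two optional positional arguments added to `_require_scratch_verity()` in the -38,10 hunk of common/verity are introduced by bare `local` lines in the middle of the body, with no comment explaining them. The function starts above the hunk, so I cannot see whether its header documents them or whether the earlier code still reads `$FSTYP` and `$SCRATCH_MNT` directly. I would add `# Optional: $1 = fs type to look up under /sys/fs (default $FSTYP), $2 = mount point to probe (default $SCRATCH_MNT)` and, if nothing above depends on the globals, move the two `local` lines to the top of the function. The caller in common/overlay passes quoted values, but the new expansions are unquoted here (`/sys/fs/$fstyp/features/verity`), in the -57,7 hunk (`$(_get_block_size $scratch_mnt)`) and in the -68,8 hunk (`$scratch_mnt/tmpfile`). Quoting them, e.g. `"$scratch_mnt/tmpfile"`, would keep a path with whitespace from being word-split.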
@@ -68,8 +71,8 @@ _require_scratch_verity()
 # The filesystem may have fs-verity enabled but not actually usable by
 # default. E.g., ext4 only supports verity on extent-based files, so it
 # doesn't work on ext3-style filesystems. So, try actually using it.
- if ! _fsv_can_enable $SCRATCH_MNT/tmpfile; then
- _notrun "$FSTYP verity isn't usable by default with these mkfs options"
+ if ! _fsv_can_enable $scratch_mnt/tmpfile; then
+ _notrun "$fstyp verity isn't usable by default with these mkfs options"
 fi

 _scratch_unmount
@@ -201,6 +204,9 @@ _scratch_mkfs_verity()
 btrfs)
 _scratch_mkfs
 ;;
+ overlay)
+ _scratch_mkfs # This relies on the scratch fs supporting verity
+ ;;
 *)
 _notrun "No verity support for $FSTYP"
 ;;
|
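Review bot: The new `overlay)` case in `_scratch_mkfs_verity()` (the -201,6 hunk) formats with plain `_scratch_mkfs`, and its trailing comment is too terse to say what happens when the base filesystem is not created with verity enabled. The other cases start above the hunk, so I cannot tell whether they pass a feature flag to mkfs. If any of them do, an overlay run on that base filesystem presumably ends in a `_notrun` from `_require_scratch_verity` rather than exercising the tests. I would expand the comment to something like `# overlay has no mkfs of its own: verity must already be enabled by the base fs's default mkfs options, otherwise the verity tests are skipped`.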