blob: 9770e1c1cc9788734f34e1724a0968163b7fa85e (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
|
#! /bin/bash
# SPDX-License-Identifier: GPL-2.0
# Copyright (c) 2022 Meta, Inc. All Rights Reserved.
#
# FS QA Test 277
#
# Test sendstreams involving fs-verity enabled files.
#
. ./common/preamble
_begin_fstest auto quick verity send
# Override the default cleanup function.
_cleanup()
{
cd /
_restore_fsverity_signatures
rm -r -f $tmp.*
}
. ./common/filter
. ./common/verity
_supported_fs btrfs
_require_scratch_verity
_require_fsverity_builtin_signatures
_require_command "$SETCAP_PROG" setcap
_require_command "$GETCAP_PROG" getcap
_require_btrfs_send_version 3
subv=$SCRATCH_MNT/subv
fsv_file=$subv/file.fsv
keyfile=$tmp.key.pem
certfile=$tmp.cert.pem
certfileder=$tmp.cert.der
sigfile=$tmp.sig
stream=$tmp.fsv.ss
_test_send_verity() {
local sig=$1
local salt=$2
local extra_args=""
_scratch_mkfs >> $seqres.full
_scratch_mount
echo -e "\nverity send/recv test: sig: $sig salt: $salt"
_disable_fsverity_signatures
echo "create subvolume"
$BTRFS_UTIL_PROG subvolume create $subv >> $seqres.full
echo "create file"
$XFS_IO_PROG -fc "pwrite -q -S 0x58 0 12288" $fsv_file
if $salt; then
extra_args+=" --salt=deadbeef"
fi
if $sig; then
echo "generate keys and cert"
_fsv_generate_cert $keyfile $certfile $certfileder
echo "clear keyring"
_fsv_clear_keyring
echo "load cert into keyring"
_fsv_load_cert $certfileder
echo "require signatures"
_enable_fsverity_signatures
echo "sign file digest"
_fsv_sign $fsv_file $sigfile --key=$keyfile --cert=$certfile \
$extra_args | _filter_scratch >> $seqres.full
extra_args+=" --signature=$sigfile"
fi
echo "enable verity"
_fsv_enable $fsv_file $extra_args
cat $fsv_file > $tmp.file-before
_fsv_measure $fsv_file > $tmp.digest-before
# ensure send plays nice with other properties that are set when
# finishing the file during send, like chmod and capabilities.
echo "modify other properties"
chmod a+x $fsv_file
$SETCAP_PROG "cap_sys_ptrace+ep cap_sys_nice+ep" $fsv_file
$GETCAP_PROG $fsv_file > $tmp.cap-before
echo "set subvolume read only"
$BTRFS_UTIL_PROG property set $subv ro true
echo "send subvolume"
$BTRFS_UTIL_PROG send $subv -f $stream -q --proto=3 >> $seqres.full
echo "blow away fs"
_scratch_unmount
_scratch_mkfs >> $seqres.full
_scratch_mount
echo "receive sendstream"
$BTRFS_UTIL_PROG receive $SCRATCH_MNT -f $stream -q >> $seqres.full
echo "check received subvolume..."
_scratch_cycle_mount
_fsv_measure $fsv_file > $tmp.digest-after
$GETCAP_PROG $fsv_file > $tmp.cap-after
diff $tmp.file-before $fsv_file
diff $tmp.digest-before $tmp.digest-after
diff $tmp.cap-before $tmp.cap-after
_scratch_unmount
echo OK
}
_test_send_verity false false # no sig; no salt
_test_send_verity false true # no sig; salt
_test_send_verity true false # sig; no salt
_test_send_verity true true # sig; salt
# success, all done
status=0
exit
|
