lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 15 Jan 2021 10:28:34 -0800
From:   Eric Biggers <ebiggers@...nel.org>
To:     fstests@...r.kernel.org
Cc:     linux-fscrypt@...r.kernel.org, linux-ext4@...r.kernel.org,
        linux-f2fs-devel@...ts.sourceforge.net,
        Theodore Ts'o <tytso@....edu>,
        Jaegeuk Kim <jaegeuk@...nel.org>,
        Victor Hsieh <victorhsieh@...gle.com>
Subject: [xfstests RFC PATCH 1/4] generic: factor out helpers for fs-verity built-in signatures

From: Eric Biggers <ebiggers@...gle.com>

The test for retrieving a verity file's built-in signature using
FS_IOC_READ_VERITY_METADATA will need to set up a file with a built-in
signature, which requires the same commands that generic/577 does.
Factor this out into helper functions in common/verity.

Signed-off-by: Eric Biggers <ebiggers@...gle.com>
---
 common/verity     | 37 ++++++++++++++++++++++++++++++++++++-
 tests/generic/577 | 15 +++------------
 2 files changed, 39 insertions(+), 13 deletions(-)

diff --git a/common/verity b/common/verity
index a8d3de06..9a182240 100644
--- a/common/verity
+++ b/common/verity
@@ -48,12 +48,47 @@ _require_scratch_verity()
 	FSV_BLOCK_SIZE=$(get_page_size)
 }
 
-# Check for CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y.
+# Check for CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y, as well as the userspace
+# commands needed to generate certificates and add them to the kernel.
 _require_fsverity_builtin_signatures()
 {
 	if [ ! -e /proc/sys/fs/verity/require_signatures ]; then
 		_notrun "kernel doesn't support fs-verity builtin signatures"
 	fi
+	_require_command "$OPENSSL_PROG" openssl
+	_require_command "$KEYCTL_PROG" keyctl
+}
+
+# Use the openssl program to generate a private key and a X.509 certificate for
+# use with fs-verity built-in signature verification, and convert the
+# certificate to DER format.
+_fsv_generate_cert()
+{
+	local keyfile=$1
+	local certfile=$2
+	local certfileder=$3
+
+	if ! $OPENSSL_PROG req -newkey rsa:4096 -nodes -batch -x509 \
+			-keyout $keyfile -out $certfile &>> $seqres.full; then
+		_fail "Failed to generate certificate and private key (see $seqres.full)"
+	fi
+	$OPENSSL_PROG x509 -in $certfile -out $certfileder -outform der
+}
+
+# Clear the .fs-verity keyring.
+_fsv_clear_keyring()
+{
+	$KEYCTL_PROG clear %keyring:.fs-verity
+}
+
+# Load the given X.509 certificate in DER format into the .fs-verity keyring so
+# that the kernel can use it to verify built-in signatures.
+_fsv_load_cert()
+{
+	local certfileder=$1
+
+	$KEYCTL_PROG padd asymmetric '' %keyring:.fs-verity \
+		< $certfileder >> $seqres.full
 }
 
 # Disable mandatory signatures for fs-verity files, if they are supported.
diff --git a/tests/generic/577 b/tests/generic/577
index 0e945942..114463be 100755
--- a/tests/generic/577
+++ b/tests/generic/577
@@ -34,8 +34,6 @@ rm -f $seqres.full
 _supported_fs generic
 _require_scratch_verity
 _require_fsverity_builtin_signatures
-_require_command "$OPENSSL_PROG" openssl
-_require_command "$KEYCTL_PROG" keyctl
 
 _scratch_mkfs_verity &>> $seqres.full
 _scratch_mount
@@ -53,21 +51,14 @@ othersigfile=$tmp.othersig
 
 echo -e "\n# Generating certificates and private keys"
 for suffix in '' '.2'; do
-	if ! $OPENSSL_PROG req -newkey rsa:4096 -nodes -batch -x509 \
-			-keyout $keyfile$suffix -out $certfile$suffix \
-			&>> $seqres.full; then
-		_fail "Failed to generate certificate and private key (see $seqres.full)"
-	fi
-	$OPENSSL_PROG x509 -in $certfile$suffix -out $certfileder$suffix \
-		-outform der
+	_fsv_generate_cert $keyfile$suffix $certfile$suffix $certfileder$suffix
 done
 
 echo -e "\n# Clearing fs-verity keyring"
-$KEYCTL_PROG clear %keyring:.fs-verity
+_fsv_clear_keyring
 
 echo -e "\n# Loading first certificate into fs-verity keyring"
-$KEYCTL_PROG padd asymmetric '' %keyring:.fs-verity \
-	< $certfileder >> $seqres.full
+_fsv_load_cert $certfileder
 
 echo -e "\n# Enabling fs.verity.require_signatures"
 _enable_fsverity_signatures
-- 
2.30.0

Powered by blists - more mailing lists