* [PATCH v2 0/2] generic/577: fix hash check and add metadata cleaning
@ 2022-11-03 19:14 Andrey Albershteyn
2022-11-03 19:14 ` [PATCH v2 1/2] common/verity: disable signature verification on hash alg check Andrey Albershteyn
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Andrey Albershteyn @ 2022-11-03 19:14 UTC (permalink / raw)
To: fstests; +Cc: ebiggers, Andrey Albershteyn
Hi all,

This patchset has two fixes for generic/577. The first one is a fix of the
common helper _fsv_have_hash_algorithm, which didn't work correctly in
generic/577 as that test requires signing. The second patch fixes an issue
which is uncovered when the first patch is applied. The test fails to write to a file
with already enabled verity.

v1 -> v2:
- add first patch as proper fix

Andrey Albershteyn (2):
  common/verity: disable signature verification on hash alg check
  generic/577: add missing fsverity metadata cleaning

 common/verity     | 3 +++
 tests/generic/577 | 1 +
 2 files changed, 4 insertions(+)
--
2.31.1
* [PATCH v2 1/2] common/verity: disable signature verification on hash alg check
From: Andrey Albershteyn @ 2022-11-03 19:14 UTC (permalink / raw)
To: fstests; +Cc: ebiggers, Andrey Albershteyn
When fs.verity.require_signatures is set to 1, a file with fsverity
enabled needs to be signed. generic/577 needs require_signatures
enabled as it tests signing. _fsv_have_hash_algorithm tries to enable
verity on a file without signing it.

Temporarily disable require_signatures for the check and restore it to
the previous state afterwards.
Signed-off-by: Andrey Albershteyn <aalbersh@redhat.com>
---
common/verity | 3 +++
1 file changed, 3 insertions(+)
diff --git a/common/verity b/common/verity
index 897a7f0b..aad6728f 100644
--- a/common/verity
+++ b/common/verity
@@ -254,10 +254,13 @@ _fsv_have_hash_algorithm()
rm -f $test_file
head -c 4096 /dev/zero > $test_file
+ _disable_fsverity_signatures
if ! _fsv_enable --hash-alg=$hash_alg $test_file &>> $seqres.full; then
+ _restore_fsverity_signatures
# no kernel support
return 1
fi
+ _restore_fsverity_signatures
rm -f $test_file
return 0
}
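Review bot: _restore_fsverity_signatures is called on both exit paths here, but as Eric Biggers notes in his reply in this thread, the helper needs to put back the value fs.verity.require_signatures had immediately before _disable_fsverity_signatures, not the value that existed at the beginning of the test. generic/577 needs require_signatures enabled, so restoring the start-of-test value can leave the caller running with a different setting than it had when it called the helper. Consider saving the current value in a local variable before disabling and writing that back, ideally from a single exit path so the restore is not duplicated. Separately, the failure branch returns 1 without the rm -f $test_file that the success path performs.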
--
2.31.1
* [PATCH v2 2/2] generic/577: add missing fsverity metadata cleaning
From: Andrey Albershteyn @ 2022-11-03 19:14 UTC (permalink / raw)
To: fstests; +Cc: ebiggers, Andrey Albershteyn
When fs-verity is enabled on a file, the file becomes read-only. In the last
check, the test tries to empty the file. However, fs-verity denies
opening/writing to the file.

Remove the file beforehand as in other checks.
Signed-off-by: Andrey Albershteyn <aalbersh@redhat.com>
---
tests/generic/577 | 1 +
1 file changed, 1 insertion(+)
diff --git a/tests/generic/577 b/tests/generic/577
index 98c3888f..916f3be3 100755
--- a/tests/generic/577
+++ b/tests/generic/577
@@ -121,6 +121,7 @@ if _fsv_have_hash_algorithm sha512 $fsv_file; then
fi
echo -e "\n# Testing empty file"
+reset_fsv_file
echo -n > $fsv_file
_fsv_sign $fsv_file $sigfile.emptyfile --key=$keyfile --cert=$certfile | \
_filter_scratch
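Review bot: the added reset_fsv_file call has no comment saying why it must come before echo -n > $fsv_file. The commit message gives the reason (the file still has verity enabled, which makes it read-only, so the truncating redirect is denied); a one-line comment to that effect above reset_fsv_file would keep the call from being dropped in a later cleanup. It is also worth checking that a failed redirect at this point makes the test fail visibly, since the cover letter says the problem only surfaced once patch 1/2 was applied.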
--
2.31.1
* Re: [PATCH v2 0/2] generic/577: fix hash check and add metadata cleaning
From: Eric Biggers @ 2022-11-04 6:52 UTC (permalink / raw)
To: Andrey Albershteyn; +Cc: fstests
On Thu, Nov 03, 2022 at 08:14:18PM +0100, Andrey Albershteyn wrote:
> Hi all,
>
> This patchset has two fixes for generic/577. The first one is a fix of the
> common helper _fsv_have_hash_algorithm, which didn't work correctly in
> generic/577 as that test requires signing. The second patch fixes an issue
> which is uncovered when the first patch is applied. The test fails to write to a file
> with already enabled verity.
>
> v1 -> v2:
> - add first patch as proper fix
>
> Andrey Albershteyn (2):
> common/verity: disable signature verification on hash alg check
> generic/577: add missing fsverity metadata cleaning
>
> common/verity | 3 +++
> tests/generic/577 | 1 +
> 2 files changed, 4 insertions(+)
>
Thanks Andrey! One thing that you overlooked is that _fsv_have_hash_algorithm()
needs to restore the previous value of fs.verity.require_signatures, not the
value that existed at the beginning of the test.
Also, I found that some of the newer tests don't work properly on systems where
fs.verity.require_signatures=1. I'd like to fix that too.
Can you take a look at the patchset
https://lore.kernel.org/fstests/20221104064742.167326-1-ebiggers@kernel.org/T/#u
I just sent out? It should take care of everything...
- Eric