[PATCH] fstests: add btrfs fs-verity send/recv test

[PATCH] fstests: add btrfs fs-verity send/recv test

[Boris Burkov]

Test btrfs send/recv support for fs-verity. Includes tests for
signatures, salts, and interaction with chmod/caps. The last of those is
to ensure the various features that go in during inode_finalize interact
properly.

This depends on the kernel patch adding support for send:
btrfs: send: add support for fs-verity

And the btrfs-progs patch adding support for recv:
btrfs-progs: receive: add support for fs-verity

Signed-off-by: Boris Burkov <boris@bur.io>
---
 tests/btrfs/271     | 114 ++++++++++++++++++++++++++++++++++++++++++++
 tests/btrfs/271.out |  59 +++++++++++++++++++++++
 2 files changed, 173 insertions(+)
 create mode 100755 tests/btrfs/271
 create mode 100644 tests/btrfs/271.out

diff --git a/tests/btrfs/271 b/tests/btrfs/271
new file mode 100755
index 00000000..93b34540
--- /dev/null
+++ b/tests/btrfs/271
@@ -0,0 +1,114 @@
+#! /bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright (c) 2022 YOUR NAME HERE.  All Rights Reserved.
+#
+# FS QA Test 271
+#
+# Test sendstreams involving fs-verity enabled files
+#
+. ./common/preamble
+_begin_fstest auto quick verity send
+
+# Override the default cleanup function.
+_cleanup()
+{
+	cd /
+	_restore_fsverity_signatures
+	rm -r -f $tmp.*
+}
+
+# Import common functions.
+. ./common/filter
+. ./common/verity
+
+# real QA test starts here
+
+# Modify as appropriate.
+_supported_fs btrfs
+_require_scratch_verity
+_require_fsverity_builtin_signatures
+_require_command "$SETCAP_PROG" setcap
+_require_command "$GETCAP_PROG" getcap
+_require_test
+
+subv=$SCRATCH_MNT/subv
+fsv_file=$subv/file.fsv
+keyfile=$tmp.key.pem
+certfile=$tmp.cert.pem
+certfileder=$tmp.cert.der
+sigfile=$tmp.sig
+stream=$tmp.fsv.ss
+
+_test_send_verity() {
+	local sig=$1
+	local salt=$2
+	local extra_args=""
+
+	_scratch_mkfs >> $seqres.full
+	_scratch_mount
+	echo -e "\nverity send/recv test: sig: $sig salt: $salt"
+	_disable_fsverity_signatures
+
+	echo "create subvolume"
+	$BTRFS_UTIL_PROG subv create $subv >> $seqres.full
+	echo "create file"
+	$XFS_IO_PROG -fc "pwrite -q -S 0x58 0 12288" $fsv_file
+	if [ $salt -eq 1 ]; then
+		extra_args+=" --salt=deadbeef"
+	fi
+	if [ $sig -eq 1 ]; then
+		echo "generate keys and cert"
+		_fsv_generate_cert $keyfile $certfile $certfileder
+		echo "clear keyring"
+		_fsv_clear_keyring
+		echo "load cert into keyring"
+		_fsv_load_cert $certfileder
+		echo "require signatures"
+		_enable_fsverity_signatures
+		echo "sign file digest"
+		_fsv_sign $fsv_file $sigfile --key=$keyfile --cert=$certfile \
+			$extra_args | _filter_scratch >> $seqres.full
+		extra_args+=" --signature=$sigfile"
+	fi
+	echo "enable verity"
+	_fsv_enable $fsv_file $extra_args
+	_fsv_measure $fsv_file > $tmp.digest-before
+
+	# ensure send plays nice with other properties that are set when
+	# finishing the file during send, like chmod and capabilities.
+	echo "modify other properties"
+	chmod a+x $fsv_file
+	$SETCAP_PROG "cap_sys_ptrace+ep cap_sys_nice+ep" $fsv_file
+	$GETCAP_PROG $fsv_file > $tmp.cap-before
+
+	echo "set subvolume read only"
+	$BTRFS_UTIL_PROG property set $subv ro true
+	echo "send subvolume"
+	$BTRFS_UTIL_PROG send $subv -f $stream -q >> $seqres.full
+
+	echo "blow away fs"
+	_scratch_unmount
+	_scratch_mkfs >> $seqres.full
+	_scratch_mount
+
+	echo "receive sendstream"
+	$BTRFS_UTIL_PROG receive $SCRATCH_MNT -f $stream -q >> $seqres.full
+
+	echo "check received subvolume..."
+	echo 3 > /proc/sys/vm/drop_caches
+	_fsv_measure $fsv_file > $tmp.digest-after
+	$GETCAP_PROG $fsv_file > $tmp.cap-after
+	diff $tmp.digest-before $tmp.digest-after
+	diff $tmp.cap-before $tmp.cap-after
+	_scratch_unmount
+	echo OK
+}
+
+_test_send_verity 0 0
+_test_send_verity 0 1
+_test_send_verity 1 0
+_test_send_verity 1 1
+
+# success, all done
+status=0
+exit
diff --git a/tests/btrfs/271.out b/tests/btrfs/271.out
new file mode 100644
index 00000000..9a484404
--- /dev/null
+++ b/tests/btrfs/271.out
@@ -0,0 +1,59 @@
+QA output created by 271
+
+verity send/recv test: sig: 0 salt: 0
+create subvolume
+create file
+enable verity
+modify other properties
+set subvolume read only
+send subvolume
+blow away fs
+receive sendstream
+check received subvolume...
+OK
+
+verity send/recv test: sig: 0 salt: 1
+create subvolume
+create file
+enable verity
+modify other properties
+set subvolume read only
+send subvolume
+blow away fs
+receive sendstream
+check received subvolume...
+OK
+
+verity send/recv test: sig: 1 salt: 0
+create subvolume
+create file
+generate keys and cert
+clear keyring
+load cert into keyring
+require signatures
+sign file digest
+enable verity
+modify other properties
+set subvolume read only
+send subvolume
+blow away fs
+receive sendstream
+check received subvolume...
+OK
+
+verity send/recv test: sig: 1 salt: 1
+create subvolume
+create file
+generate keys and cert
+clear keyring
+load cert into keyring
+require signatures
+sign file digest
+enable verity
+modify other properties
+set subvolume read only
+send subvolume
+blow away fs
+receive sendstream
+check received subvolume...
+OK
-- 
2.37.1

Re: [PATCH] fstests: add btrfs fs-verity send/recv test

[Eric Biggers]

On Mon, Aug 15, 2022 at 01:57:56PM -0700, Boris Burkov wrote:
> diff --git a/tests/btrfs/271 b/tests/btrfs/271
> new file mode 100755
> index 00000000..93b34540
> --- /dev/null
> +++ b/tests/btrfs/271

There is already a btrfs/271, so this patch doesn't apply anymore.  Best to use
a higher number and let the maintainer renumber the test when applying.

> @@ -0,0 +1,114 @@
> +#! /bin/bash
> +# SPDX-License-Identifier: GPL-2.0
> +# Copyright (c) 2022 YOUR NAME HERE.  All Rights Reserved.

YOUR NAME HERE is a great company to work for :-)

> +_require_test

I don't see where this uses the test filesystem; it seems to use scratch only.

> +	if [ $salt -eq 1 ]; then
> +		extra_args+=" --salt=deadbeef"
> +	fi

I like to use true and false for this sort of thing so you can just do:

	if $salt; then

> +	echo "check received subvolume..."
> +	echo 3 > /proc/sys/vm/drop_caches

A comment explaining why the drop_caches is needed would be helpful.
And should there be a sync before it, and should it be _scratch_cycle_mount?

> +	_fsv_measure $fsv_file > $tmp.digest-after
> +	$GETCAP_PROG $fsv_file > $tmp.cap-after
> +	diff $tmp.digest-before $tmp.digest-after
> +	diff $tmp.cap-before $tmp.cap-after
> +	_scratch_unmount
> +	echo OK

Should this compare the file's contents too?

- Eric

Re: [PATCH] fstests: add btrfs fs-verity send/recv test

[Boris Burkov]

On Wed, Aug 17, 2022 at 10:12:06PM -0700, Eric Biggers wrote:
> On Mon, Aug 15, 2022 at 01:57:56PM -0700, Boris Burkov wrote:
> > diff --git a/tests/btrfs/271 b/tests/btrfs/271
> > new file mode 100755
> > index 00000000..93b34540
> > --- /dev/null
> > +++ b/tests/btrfs/271
> 
> There is already a btrfs/271, so this patch doesn't apply anymore.  Best to use
> a higher number and let the maintainer renumber the test when applying.

I thought that, but now it looks like we have btrfs/290 and 291 from the
last tests I added :/

Will fix, though!

> 
> > @@ -0,0 +1,114 @@
> > +#! /bin/bash
> > +# SPDX-License-Identifier: GPL-2.0
> > +# Copyright (c) 2022 YOUR NAME HERE.  All Rights Reserved.
> 
> YOUR NAME HERE is a great company to work for :-)
> 
> > +_require_test
> 
> I don't see where this uses the test filesystem; it seems to use scratch only.
> 
> > +	if [ $salt -eq 1 ]; then
> > +		extra_args+=" --salt=deadbeef"
> > +	fi
> 
> I like to use true and false for this sort of thing so you can just do:
> 
> 	if $salt; then
> 
> > +	echo "check received subvolume..."
> > +	echo 3 > /proc/sys/vm/drop_caches
> 
> A comment explaining why the drop_caches is needed would be helpful.
> And should there be a sync before it, and should it be _scratch_cycle_mount?
> 
> > +	_fsv_measure $fsv_file > $tmp.digest-after
> > +	$GETCAP_PROG $fsv_file > $tmp.cap-after
> > +	diff $tmp.digest-before $tmp.digest-after
> > +	diff $tmp.cap-before $tmp.cap-after
> > +	_scratch_unmount
> > +	echo OK
> 
> Should this compare the file's contents too?
> 
> - Eric

[PATCH] fstests: add btrfs fs-verity send/recv test

[Boris Burkov]

Test btrfs send/recv support for fs-verity. Includes tests for
signatures, salts, and interaction with chmod/caps. The last of those is
to ensure the various features that go in during inode_finalize interact
properly.

This depends on the kernel patch adding support for send:
btrfs: send: add support for fs-verity

And the btrfs-progs patch adding support for recv:
btrfs-progs: receive: add support for fs-verity

Signed-off-by: Boris Burkov <boris@bur.io>
---
 tests/btrfs/271     | 114 ++++++++++++++++++++++++++++++++++++++++++++
 tests/btrfs/271.out |  59 +++++++++++++++++++++++
 2 files changed, 173 insertions(+)
 create mode 100755 tests/btrfs/271
 create mode 100644 tests/btrfs/271.out

diff --git a/tests/btrfs/271 b/tests/btrfs/271
new file mode 100755
index 00000000..93b34540
--- /dev/null
+++ b/tests/btrfs/271
@@ -0,0 +1,114 @@
+#! /bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright (c) 2022 YOUR NAME HERE.  All Rights Reserved.
+#
+# FS QA Test 271
+#
+# Test sendstreams involving fs-verity enabled files
+#
+. ./common/preamble
+_begin_fstest auto quick verity send
+
+# Override the default cleanup function.
+_cleanup()
+{
+	cd /
+	_restore_fsverity_signatures
+	rm -r -f $tmp.*
+}
+
+# Import common functions.
+. ./common/filter
+. ./common/verity
+
+# real QA test starts here
+
+# Modify as appropriate.
+_supported_fs btrfs
+_require_scratch_verity
+_require_fsverity_builtin_signatures
+_require_command "$SETCAP_PROG" setcap
+_require_command "$GETCAP_PROG" getcap
+_require_test
+
+subv=$SCRATCH_MNT/subv
+fsv_file=$subv/file.fsv
+keyfile=$tmp.key.pem
+certfile=$tmp.cert.pem
+certfileder=$tmp.cert.der
+sigfile=$tmp.sig
+stream=$tmp.fsv.ss
+
+_test_send_verity() {
+	local sig=$1
+	local salt=$2
+	local extra_args=""
+
+	_scratch_mkfs >> $seqres.full
+	_scratch_mount
+	echo -e "\nverity send/recv test: sig: $sig salt: $salt"
+	_disable_fsverity_signatures
+
+	echo "create subvolume"
+	$BTRFS_UTIL_PROG subv create $subv >> $seqres.full
+	echo "create file"
+	$XFS_IO_PROG -fc "pwrite -q -S 0x58 0 12288" $fsv_file
+	if [ $salt -eq 1 ]; then
+		extra_args+=" --salt=deadbeef"
+	fi
+	if [ $sig -eq 1 ]; then
+		echo "generate keys and cert"
+		_fsv_generate_cert $keyfile $certfile $certfileder
+		echo "clear keyring"
+		_fsv_clear_keyring
+		echo "load cert into keyring"
+		_fsv_load_cert $certfileder
+		echo "require signatures"
+		_enable_fsverity_signatures
+		echo "sign file digest"
+		_fsv_sign $fsv_file $sigfile --key=$keyfile --cert=$certfile \
+			$extra_args | _filter_scratch >> $seqres.full
+		extra_args+=" --signature=$sigfile"
+	fi
+	echo "enable verity"
+	_fsv_enable $fsv_file $extra_args
+	_fsv_measure $fsv_file > $tmp.digest-before
+
+	# ensure send plays nice with other properties that are set when
+	# finishing the file during send, like chmod and capabilities.
+	echo "modify other properties"
+	chmod a+x $fsv_file
+	$SETCAP_PROG "cap_sys_ptrace+ep cap_sys_nice+ep" $fsv_file
+	$GETCAP_PROG $fsv_file > $tmp.cap-before
+
+	echo "set subvolume read only"
+	$BTRFS_UTIL_PROG property set $subv ro true
+	echo "send subvolume"
+	$BTRFS_UTIL_PROG send $subv -f $stream -q >> $seqres.full
+
+	echo "blow away fs"
+	_scratch_unmount
+	_scratch_mkfs >> $seqres.full
+	_scratch_mount
+
+	echo "receive sendstream"
+	$BTRFS_UTIL_PROG receive $SCRATCH_MNT -f $stream -q >> $seqres.full
+
+	echo "check received subvolume..."
+	echo 3 > /proc/sys/vm/drop_caches
+	_fsv_measure $fsv_file > $tmp.digest-after
+	$GETCAP_PROG $fsv_file > $tmp.cap-after
+	diff $tmp.digest-before $tmp.digest-after
+	diff $tmp.cap-before $tmp.cap-after
+	_scratch_unmount
+	echo OK
+}
+
+_test_send_verity 0 0
+_test_send_verity 0 1
+_test_send_verity 1 0
+_test_send_verity 1 1
+
+# success, all done
+status=0
+exit
diff --git a/tests/btrfs/271.out b/tests/btrfs/271.out
new file mode 100644
index 00000000..9a484404
--- /dev/null
+++ b/tests/btrfs/271.out
@@ -0,0 +1,59 @@
+QA output created by 271
+
+verity send/recv test: sig: 0 salt: 0
+create subvolume
+create file
+enable verity
+modify other properties
+set subvolume read only
+send subvolume
+blow away fs
+receive sendstream
+check received subvolume...
+OK
+
+verity send/recv test: sig: 0 salt: 1
+create subvolume
+create file
+enable verity
+modify other properties
+set subvolume read only
+send subvolume
+blow away fs
+receive sendstream
+check received subvolume...
+OK
+
+verity send/recv test: sig: 1 salt: 0
+create subvolume
+create file
+generate keys and cert
+clear keyring
+load cert into keyring
+require signatures
+sign file digest
+enable verity
+modify other properties
+set subvolume read only
+send subvolume
+blow away fs
+receive sendstream
+check received subvolume...
+OK
+
+verity send/recv test: sig: 1 salt: 1
+create subvolume
+create file
+generate keys and cert
+clear keyring
+load cert into keyring
+require signatures
+sign file digest
+enable verity
+modify other properties
+set subvolume read only
+send subvolume
+blow away fs
+receive sendstream
+check received subvolume...
+OK
-- 
2.37.1