tools/testing/selftests/bpf/verify_sig_setup.sh

   1 #!/bin/bash
   2 # SPDX-License-Identifier: GPL-2.0
   3
   4 set -e
   5 set -u
   6 set -o pipefail
   7
   8 VERBOSE="${SELFTESTS_VERBOSE:=0}"
   9 LOG_FILE="$(mktemp /tmp/verify_sig_setup.log.XXXXXX)"
  10
  11 x509_genkey_content="\
  12 [ req ]
  13 default_bits = 2048
  14 distinguished_name = req_distinguished_name
  15 prompt = no
  16 string_mask = utf8only
  17 x509_extensions = myexts
  18
  19 [ req_distinguished_name ]
  20 CN = eBPF Signature Verification Testing Key
  21
  22 [ myexts ]
  23 basicConstraints=critical,CA:FALSE
  24 keyUsage=digitalSignature
  25 subjectKeyIdentifier=hash
  26 authorityKeyIdentifier=keyid
  27 "
  28
  29 usage()
  30 {
  31         echo "Usage: $0 <setup|cleanup <existing_tmp_dir>"
  32         exit 1
  33 }
  34
  35 setup()
  36 {
  37         local tmp_dir="$1"
  38
  39         echo "${x509_genkey_content}" > ${tmp_dir}/x509.genkey
  40
  41         openssl req -new -nodes -utf8 -sha256 -days 36500 \
  42                         -batch -x509 -config ${tmp_dir}/x509.genkey \
  43                         -outform PEM -out ${tmp_dir}/signing_key.pem \
  44                         -keyout ${tmp_dir}/signing_key.pem 2>&1
  45
  46         openssl x509 -in ${tmp_dir}/signing_key.pem -out \
  47                 ${tmp_dir}/signing_key.der -outform der
  48
  49         key_id=$(cat ${tmp_dir}/signing_key.der | keyctl padd asymmetric ebpf_testing_key @s)
  50
  51         keyring_id=$(keyctl newring ebpf_testing_keyring @s)
  52         keyctl link $key_id $keyring_id
  53 }
  54
  55 cleanup() {
  56         local tmp_dir="$1"
  57
  58         keyctl unlink $(keyctl search @s asymmetric ebpf_testing_key) @s
  59         keyctl unlink $(keyctl search @s keyring ebpf_testing_keyring) @s
  60         rm -rf ${tmp_dir}
  61 }
  62
  63 fsverity_create_sign_file() {
  64         local tmp_dir="$1"
  65
  66         data_file=${tmp_dir}/data-file
  67         sig_file=${tmp_dir}/sig-file
  68         dd if=/dev/urandom of=$data_file bs=1 count=12345 2> /dev/null
  69         fsverity sign --key ${tmp_dir}/signing_key.pem $data_file $sig_file
  70
  71         # We do not want to enable fsverity on $data_file yet. Try whether
  72         # the file system support fsverity on a different file.
  73         touch ${tmp_dir}/tmp-file
  74         fsverity enable ${tmp_dir}/tmp-file
  75 }
  76
  77 fsverity_enable_file() {
  78         local tmp_dir="$1"
  79
  80         data_file=${tmp_dir}/data-file
  81         fsverity enable $data_file
  82 }
  83
  84 catch()
  85 {
  86         local exit_code="$1"
  87         local log_file="$2"
  88
  89         if [[ "${exit_code}" -ne 0 ]]; then
  90                 cat "${log_file}" >&3
  91         fi
  92
  93         rm -f "${log_file}"
  94         exit ${exit_code}
  95 }
  96
  97 main()
  98 {
  99         [[ $# -ne 2 ]] && usage
 100
 101         local action="$1"
 102         local tmp_dir="$2"
 103
 104         [[ ! -d "${tmp_dir}" ]] && echo "Directory ${tmp_dir} doesn't exist" && exit 1
 105
 106         if [[ "${action}" == "setup" ]]; then
 107                 setup "${tmp_dir}"
 108         elif [[ "${action}" == "cleanup" ]]; then
 109                 cleanup "${tmp_dir}"
 110         elif [[ "${action}" == "fsverity-create-sign" ]]; then
 111                 fsverity_create_sign_file "${tmp_dir}"
 112         elif [[ "${action}" == "fsverity-enable" ]]; then
 113                 fsverity_enable_file "${tmp_dir}"
 114         else
 115                 echo "Unknown action: ${action}"
 116                 exit 1
 117         fi
 118 }
 119
 120 trap 'catch "$?" "${LOG_FILE}"' EXIT
 121
 122 if [[ "${VERBOSE}" -eq 0 ]]; then
 123         # Save the stderr to 3 so that we can output back to
 124         # it incase of an error.
 125         exec 3>&2 1>"${LOG_FILE}" 2>&1
 126 fi
 127
 128 main "$@"
 129 rm -f "${LOG_FILE}"