2020-05-29 19:51:20 +03:00
#!/usr/bin/env bash
2021-10-17 19:13:06 +03:00
# SPDX-License-Identifier: LGPL-2.1-or-later
2021-04-09 20:39:41 +03:00
set -eux
2020-05-29 19:51:20 +03:00
set -o pipefail
2024-04-15 20:44:23 +03:00
# shellcheck source=test/units/test-control.sh
. " $( dirname " $0 " ) " /test-control.sh
2024-01-23 18:20:10 +03:00
2024-04-24 22:21:34 +03:00
# shellcheck source=test/units/util.sh
. " $( dirname " $0 " ) " /util.sh
2024-04-15 20:44:23 +03:00
# Setup shared stuff & run all subtests
at_exit( ) {
set +e
2020-07-20 18:43:18 +03:00
2024-04-15 20:44:23 +03:00
if [ [ -z " ${ IMAGE_DIR :- } " ] ] ; then
2020-07-10 12:30:33 +03:00
return
fi
2024-02-15 17:32:43 +03:00
2024-04-15 20:44:23 +03:00
while read -r dir; do
if mountpoint -q " $dir " ; then
umount -Rv " $dir "
2024-02-15 17:32:43 +03:00
fi
2024-04-15 20:44:23 +03:00
done < <( find " ${ IMAGE_DIR } " -mindepth 1 -maxdepth 1 -type d)
2024-02-15 17:32:43 +03:00
2024-04-15 20:44:23 +03:00
rm -rf " $IMAGE_DIR "
}
2024-02-15 17:32:43 +03:00
2024-04-15 20:44:23 +03:00
trap at_exit EXIT
2020-07-10 12:30:33 +03:00
2024-04-15 20:44:23 +03:00
: "Setup base images"
2022-08-26 18:52:04 +03:00
2024-04-15 20:44:23 +03:00
export SYSTEMD_LOG_LEVEL = debug
export ARCHITECTURE
export IMAGE_DIR
export MACHINE
export MINIMAL_IMAGE
export MINIMAL_IMAGE_ROOTHASH
export OPENSSL_CONFIG
export OS_RELEASE
export ROOT_GUID
export SIGNATURE_GUID
export VERITY_GUID
2020-05-29 19:51:20 +03:00
2024-04-15 20:44:23 +03:00
machine = " $( uname -m) "
if [ [ " $machine " = = "x86_64" ] ] ; then
ROOT_GUID = 4f68bce3-e8cd-4db1-96e7-fbcaf984b709
VERITY_GUID = 2c7357ed-ebd2-46d9-aec1-23d437ec2bf5
SIGNATURE_GUID = 41092b05-9fc8-4523-994f-2def0408b176
ARCHITECTURE = "x86-64"
elif [ [ " $machine " = ~ ^( i386| i686| x86) $ ] ] ; then
ROOT_GUID = 44479540-f297-41b2-9af7-d131d5f0458a
VERITY_GUID = d13c5d3b-b5d1-422a-b29f-9454fdc89d76
SIGNATURE_GUID = 5996fc05-109c-48de-808b-23fa0830b676
ARCHITECTURE = "x86"
elif [ [ " $machine " = ~ ^( aarch64| aarch64_be| armv8b| armv8l) $ ] ] ; then
ROOT_GUID = b921b045-1df0-41c3-af44-4c6f280d3fae
VERITY_GUID = df3300ce-d69f-4c92-978c-9bfb0f38d820
SIGNATURE_GUID = 6db69de6-29f4-4758-a7a5-962190f00ce3
ARCHITECTURE = "arm64"
elif [ [ " $machine " = = "arm" ] ] ; then
ROOT_GUID = 69dad710-2ce4-4e3c-b16c-21a1d49abed3
VERITY_GUID = 7386cdf2-203c-47a9-a498-f2ecce45a2d6
SIGNATURE_GUID = 42b0455f-eb11-491d-98d3-56145ba9d037
ARCHITECTURE = "arm"
elif [ [ " $machine " = = "ia64" ] ] ; then
ROOT_GUID = 993d8d3d-f80e-4225-855a-9daf8ed7ea97
VERITY_GUID = 86ed10d5-b607-45bb-8957-d350f23d0571
SIGNATURE_GUID = e98b36ee-32ba-4882-9b12-0ce14655f46a
ARCHITECTURE = "ia64"
elif [ [ " $machine " = = "loongarch64" ] ] ; then
ROOT_GUID = 77055800-792c-4f94-b39a-98c91b762bb6
VERITY_GUID = f3393b22-e9af-4613-a948-9d3bfbd0c535
SIGNATURE_GUID = 5afb67eb-ecc8-4f85-ae8e-ac1e7c50e7d0
ARCHITECTURE = "loongarch64"
elif [ [ " $machine " = = "s390x" ] ] ; then
ROOT_GUID = 5eead9a9-fe09-4a1e-a1d7-520d00531306
VERITY_GUID = b325bfbe-c7be-4ab8-8357-139e652d2f6b
SIGNATURE_GUID = c80187a5-73a3-491a-901a-017c3fa953e9
ARCHITECTURE = "s390x"
elif [ [ " $machine " = = "ppc64le" ] ] ; then
ROOT_GUID = c31c45e6-3f39-412e-80fb-4809c4980599
VERITY_GUID = 906bd944-4589-4aae-a4e4-dd983917446a
SIGNATURE_GUID = d4a236e7-e873-4c07-bf1d-bf6cf7f1c3c6
ARCHITECTURE = "ppc64-le"
elif [ [ " $machine " = = "riscv64" ] ] ; then
ROOT_GUID = 72ec70a6-cf74-40e6-bd49-4bda08e8f224
VERITY_GUID = b6ed5582-440b-4209-b8da-5ff7c419ea3d
SIGNATURE_GUID = efe0f087-ea8d-4469-821a-4c2a96a8386a
ARCHITECTURE = "riscv64"
elif [ [ " $machine " = = "riscv32" ] ] ; then
ROOT_GUID = 60d5a7fe-8e7d-435c-b714-3dd8162144e1
VERITY_GUID = ae0253be-1167-4007-ac68-43926c14c5de
SIGNATURE_GUID = 3a112a75-8729-4380-b4cf-764d79934448
ARCHITECTURE = "riscv32"
else
2024-05-11 20:17:13 +03:00
echo " Unexpected uname -m: $machine in TEST-50-DISSECT.sh, please fix me "
2020-07-10 12:30:33 +03:00
exit 1
2020-05-29 19:51:20 +03:00
fi
2024-04-15 20:44:23 +03:00
udevadm control --log-level= debug
2020-05-29 19:51:20 +03:00
2024-04-15 20:44:23 +03:00
IMAGE_DIR = " $( mktemp -d --tmpdir= "" TEST-50-IMAGES.XXX) "
cp -v /usr/share/minimal* " $IMAGE_DIR / "
MINIMAL_IMAGE = " $IMAGE_DIR /minimal_0 "
MINIMAL_IMAGE_ROOTHASH = " $( <" $MINIMAL_IMAGE .roothash " ) "
2020-07-15 19:54:12 +03:00
2024-04-24 22:21:34 +03:00
install_extension_images
2024-04-15 20:44:23 +03:00
OS_RELEASE = " $( test -e /etc/os-release && echo /etc/os-release || echo /usr/lib/os-release) "
2021-09-28 17:49:16 +03:00
2021-10-07 02:26:26 +03:00
if systemctl --version | grep -q -- +OPENSSL ; then
2024-04-15 20:44:23 +03:00
# The openssl binary is installed conditionally. If we have OpenSSL support enabled and openssl is
# missing, fail early with a proper error message.
if ! command -v openssl & >/dev/null; then
echo "openssl binary is missing" >/failed
2021-12-16 21:18:28 +03:00
exit 1
fi
2023-10-09 11:35:08 +03:00
OPENSSL_CONFIG = " $( mktemp) "
2021-10-07 02:26:26 +03:00
# Unfortunately OpenSSL insists on reading some config file, hence provide one with mostly placeholder contents
2023-10-09 11:35:08 +03:00
cat >" ${ OPENSSL_CONFIG : ? } " <<EOF
2021-09-28 17:49:16 +03:00
[ req ]
prompt = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
C = DE
ST = Test State
L = Test Locality
O = Org Name
OU = Org Unit Name
CN = Common Name
emailAddress = test@email.com
EOF
2024-04-15 20:44:23 +03:00
fi
# Make a GPT disk on the fly, with the squashfs as partition 1 and the verity hash tree as partition 2
#
# du rounds up to block size, which is more helpful for partitioning
2024-04-24 00:16:29 +03:00
root_size = " $( du --apparent-size -k " $MINIMAL_IMAGE .raw " | cut -f1) "
verity_size = " $( du --apparent-size -k " $MINIMAL_IMAGE .verity " | cut -f1) "
2024-04-15 20:44:23 +03:00
signature_size = 4
# 4MB seems to be the minimum size blkid will accept, below that probing fails
dd if = /dev/zero of = " $MINIMAL_IMAGE .gpt " bs = 512 count = $(( 8192 + root_size*2+verity_size*2+signature_size*2))
# sfdisk seems unhappy if the size overflows into the next unit, eg: 1580KiB will be interpreted as 1MiB
# so do some basic rounding up if the minimal image is more than 1 MB
if [ [ " $root_size " -ge 1024 ] ] ; then
root_size = " $(( root_size/1024 + 1 )) MiB "
else
root_size = " ${ root_size } KiB "
fi
verity_size = " $(( verity_size * 2 )) KiB "
signature_size = " $(( signature_size * 2 )) KiB "
2021-09-28 17:49:16 +03:00
2024-04-15 20:44:23 +03:00
if [ [ -n " ${ OPENSSL_CONFIG :- } " ] ] ; then
2021-10-07 02:26:26 +03:00
# Create key pair
2024-04-15 20:44:23 +03:00
openssl req -config " $OPENSSL_CONFIG " -new -x509 -newkey rsa:1024 \
-keyout " $MINIMAL_IMAGE .key " -out " $MINIMAL_IMAGE .crt " -days 365 -nodes
2021-10-07 02:26:26 +03:00
# Sign Verity root hash with it
2024-04-15 20:44:23 +03:00
openssl smime -sign -nocerts -noattr -binary \
-in " $MINIMAL_IMAGE .roothash " \
-inkey " $MINIMAL_IMAGE .key " \
-signer " $MINIMAL_IMAGE .crt " \
-outform der \
-out " $MINIMAL_IMAGE .roothash.p7s "
2021-10-07 02:26:26 +03:00
# Generate signature partition JSON data
2024-04-15 20:44:23 +03:00
echo '{"rootHash":"' " $MINIMAL_IMAGE_ROOTHASH " '","signature":"' " $( base64 -w 0 <" $MINIMAL_IMAGE .roothash.p7s " ) " '"}' >" $MINIMAL_IMAGE .verity-sig "
2021-10-07 02:26:26 +03:00
# Pad it
2024-04-15 20:44:23 +03:00
truncate -s " $signature_size " " $MINIMAL_IMAGE .verity-sig "
2021-10-07 02:26:26 +03:00
# Register certificate in the (userspace) verity key ring
mkdir -p /run/verity.d
2024-04-15 20:44:23 +03:00
ln -s " $MINIMAL_IMAGE .crt " /run/verity.d/ok.crt
2021-10-07 02:26:26 +03:00
fi
2021-09-28 17:49:16 +03:00
2021-04-09 20:49:32 +03:00
# Construct a UUID from hash
# input: 11111111222233334444555566667777
# output: 11111111-2222-3333-4444-555566667777
2024-04-15 20:44:23 +03:00
uuid = " $( head -c 32 " $MINIMAL_IMAGE .roothash " | sed -r 's/(.{8})(.{4})(.{4})(.{4})(.+)/\1-\2-\3-\4-\5/' ) "
echo -e " label: gpt\nsize= $root_size , type= $ROOT_GUID , uuid= $uuid " | sfdisk " $MINIMAL_IMAGE .gpt "
uuid = " $( tail -c 32 " $MINIMAL_IMAGE .roothash " | sed -r 's/(.{8})(.{4})(.{4})(.{4})(.+)/\1-\2-\3-\4-\5/' ) "
echo -e " size= $verity_size , type= $VERITY_GUID , uuid= $uuid " | sfdisk " $MINIMAL_IMAGE .gpt " --append
if [ [ -n " ${ OPENSSL_CONFIG :- } " ] ] ; then
echo -e " size= $signature_size , type= $SIGNATURE_GUID " | sfdisk " $MINIMAL_IMAGE .gpt " --append
2021-10-07 02:26:26 +03:00
fi
2024-04-15 20:44:23 +03:00
sfdisk --part-label " $MINIMAL_IMAGE .gpt " 1 "Root Partition"
sfdisk --part-label " $MINIMAL_IMAGE .gpt " 2 "Verity Partition"
if [ [ -n " ${ OPENSSL_CONFIG :- } " ] ] ; then
sfdisk --part-label " $MINIMAL_IMAGE .gpt " 3 "Signature Partition"
2021-10-07 02:26:26 +03:00
fi
2024-04-15 20:44:23 +03:00
loop = " $( losetup --show -P -f " $MINIMAL_IMAGE .gpt " ) "
2022-08-27 10:13:27 +03:00
partitions = (
" ${ loop : ? } p1 "
" ${ loop : ? } p2 "
)
2024-04-15 20:44:23 +03:00
if [ [ -n " ${ OPENSSL_CONFIG :- } " ] ] ; then
partitions += ( " ${ loop : ? } p3 " )
2022-08-27 10:13:27 +03:00
fi
# The kernel sometimes(?) does not emit "add" uevent for loop block partition devices.
# Let's not expect the devices to be initialized.
udevadm wait --timeout 60 --settle --initialized= no " ${ partitions [@] } "
2024-04-15 20:44:23 +03:00
udevadm lock --device= " ${ loop } p1 " dd if = " $MINIMAL_IMAGE .raw " of = " ${ loop } p1 "
udevadm lock --device= " ${ loop } p2 " dd if = " $MINIMAL_IMAGE .verity " of = " ${ loop } p2 "
if [ [ -n " ${ OPENSSL_CONFIG :- } " ] ] ; then
udevadm lock --device= " ${ loop } p3 " dd if = " $MINIMAL_IMAGE .verity-sig " of = " ${ loop } p3 "
2024-01-23 18:20:10 +03:00
fi
2024-04-15 20:44:23 +03:00
losetup -d " $loop "
2024-01-23 18:20:10 +03:00
2024-04-15 20:44:23 +03:00
: "Run subtests"
2024-02-15 17:32:43 +03:00
2024-04-15 20:44:23 +03:00
run_subtests
2024-02-15 17:32:43 +03:00
2023-07-12 16:49:55 +03:00
touch /testok