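#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Helper for the BPF signature-verification selftests.
#
# Usage: verify_sig_setup.sh <action> <existing_tmp_dir>
#
# Actions:
#   setup                 generate a throwaway key pair in <tmp_dir>, load
#                         the certificate into the session keyring (@s) as
#                         "ebpf_testing_key" and link it into a new keyring
#                         "ebpf_testing_keyring"
#   genkey                only generate the key pair in <tmp_dir>
#   cleanup               unlink the key and the keyring from the session
#                         keyring and delete <tmp_dir>
#   fsverity-create-sign  create <tmp_dir>/data-file with random content and
#                         write its fs-verity signature to <tmp_dir>/sig-file
#   fsverity-enable       enable fs-verity on <tmp_dir>/data-file
#
# Environment:
#   SELFTESTS_VERBOSE     when 0 (default) all output is captured in a log
#                         file that is printed to the original stderr only
#                         if the script fails
#
# Note: <tmp_dir> holds the unencrypted private key (signing_key.pem is
# generated with -nodes); it is removed by the cleanup action.

set -euo pipefail

VERBOSE="${SELFTESTS_VERBOSE:=0}"
LOG_FILE="$(mktemp /tmp/verify_sig_setup.log.XXXXXX)"

# openssl req(1) config for the self-signed test certificate.
x509_genkey_content="\
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
CN = eBPF Signature Verification Testing Key

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
"

#######################################
# Print the usage line (all supported actions) and exit with status 1.
#######################################
usage()
{
	echo "Usage: $0 <setup|genkey|cleanup|fsverity-create-sign|fsverity-enable> <existing_tmp_dir>" >&2
	exit 1
}

#######################################
# Generate the test key pair.
# Arguments: $1 - existing directory to write into
# Outputs:   $1/x509.genkey, $1/signing_key.pem (private key + certificate,
#            unencrypted), $1/signing_key.der (certificate only)
#######################################
genkey()
{
	local tmp_dir="$1"

	printf '%s\n' "${x509_genkey_content}" > "${tmp_dir}/x509.genkey"

	# Self-signed, unencrypted (-nodes) key with a 100-year validity;
	# this is a throwaway test key, the PEM file holds key and cert.
	openssl req -new -nodes -utf8 -sha256 -days 36500 \
		-batch -x509 -config "${tmp_dir}/x509.genkey" \
		-outform PEM -out "${tmp_dir}/signing_key.pem" \
		-keyout "${tmp_dir}/signing_key.pem" 2>&1

	# DER-encoded certificate, the form keyctl padd loads below.
	openssl x509 -in "${tmp_dir}/signing_key.pem" \
		-out "${tmp_dir}/signing_key.der" -outform der
}

#######################################
# Generate the key pair and make it available through the session keyring.
# Arguments: $1 - existing directory to write the key material into
#######################################
setup()
{
	local tmp_dir="$1"
	local key_id keyring_id

	genkey "${tmp_dir}"

	# keyctl padd reads the payload from stdin.  The key is added to the
	# session keyring and additionally linked into a dedicated keyring so
	# the tests can look it up by name.
	key_id=$(keyctl padd asymmetric ebpf_testing_key @s \
		< "${tmp_dir}/signing_key.der")
	keyring_id=$(keyctl newring ebpf_testing_keyring @s)
	keyctl link "${key_id}" "${keyring_id}"
}

#######################################
# Undo setup(): unlink key and keyring from @s and remove the directory.
# Arguments: $1 - directory created for setup()
#######################################
cleanup()
{
	local tmp_dir="$1"

	keyctl unlink "$(keyctl search @s asymmetric ebpf_testing_key)" @s
	keyctl unlink "$(keyctl search @s keyring ebpf_testing_keyring)" @s
	# ${tmp_dir:?} aborts instead of running "rm -rf /" on an empty value.
	rm -rf -- "${tmp_dir:?}"
}

#######################################
# Create a random data file and its detached fs-verity signature.
# Arguments: $1 - directory that already contains signing_key.pem
# Outputs:   $1/data-file, $1/sig-file, $1/tmp-file (fs-verity probe)
#######################################
fsverity_create_sign_file()
{
	local tmp_dir="$1"
	local data_file="${tmp_dir}/data-file"
	local sig_file="${tmp_dir}/sig-file"

	dd if=/dev/urandom of="${data_file}" bs=1 count=12345 2> /dev/null
	fsverity sign --key "${tmp_dir}/signing_key.pem" "${data_file}" "${sig_file}"

	# We do not want to enable fsverity on $data_file yet. Try whether
	# the file system supports fsverity on a different file.
	touch "${tmp_dir}/tmp-file"
	fsverity enable "${tmp_dir}/tmp-file"
}

#######################################
# Enable fs-verity on the data file produced by fsverity_create_sign_file().
# Arguments: $1 - directory containing data-file
#######################################
fsverity_enable_file()
{
	local tmp_dir="$1"
	local data_file="${tmp_dir}/data-file"

	fsverity enable "${data_file}"
}

#######################################
# EXIT trap: on failure replay the captured log, then remove it and exit
# with the original status.
# Arguments: $1 - exit status of the script, $2 - log file path
#######################################
catch()
{
	local exit_code="$1"
	local log_file="$2"

	# fd 3 (copy of the original stderr) only exists when output is being
	# captured; writing to it in verbose mode would fail inside the trap
	# and lose the real exit status.
	if [[ "${exit_code}" -ne 0 && "${VERBOSE}" -eq 0 ]]; then
		cat "${log_file}" >&3
	fi

	rm -f "${log_file}"
	exit "${exit_code}"
}

#######################################
# Dispatch the requested action.
# Arguments: $1 - action name, $2 - existing directory
#######################################
main()
{
	if [[ $# -ne 2 ]]; then
		usage
	fi

	local action="$1"
	local tmp_dir="$2"

	if [[ ! -d "${tmp_dir}" ]]; then
		echo "Directory ${tmp_dir} doesn't exist" >&2
		exit 1
	fi

	case "${action}" in
	setup)
		setup "${tmp_dir}"
		;;
	genkey)
		genkey "${tmp_dir}"
		;;
	cleanup)
		cleanup "${tmp_dir}"
		;;
	fsverity-create-sign)
		fsverity_create_sign_file "${tmp_dir}"
		;;
	fsverity-enable)
		fsverity_enable_file "${tmp_dir}"
		;;
	*)
		echo "Unknown action: ${action}" >&2
		exit 1
		;;
	esac
}

trap 'catch "$?" "${LOG_FILE}"' EXIT

if [[ "${VERBOSE}" -eq 0 ]]; then
	# Save the original stderr as fd 3 so catch() can print the log back
	# to it in case of an error; everything else goes to the log file.
	exec 3>&2 1>"${LOG_FILE}" 2>&1
fi

main "$@"
rm -f "${LOG_FILE}"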