  1#!/bin/bash
  2# SPDX-License-Identifier: GPL-2.0
  3
  4set -e
  5set -u
  6set -o pipefail
  7
  8VERBOSE="${SELFTESTS_VERBOSE:=0}"
  9LOG_FILE="$(mktemp /tmp/verify_sig_setup.log.XXXXXX)"
 10
 11x509_genkey_content="\
 12[ req ]
 13default_bits = 2048
 14distinguished_name = req_distinguished_name
 15prompt = no
 16string_mask = utf8only
 17x509_extensions = myexts
 18
 19[ req_distinguished_name ]
 20CN = eBPF Signature Verification Testing Key
 21
 22[ myexts ]
 23basicConstraints=critical,CA:FALSE
 24keyUsage=digitalSignature
 25subjectKeyIdentifier=hash
 26authorityKeyIdentifier=keyid
 27"
 28
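#######################################
# Print the command-line synopsis and exit with status 1.
# The action list must stay in sync with the dispatch in main().
# Outputs:   synopsis on stderr
#######################################
usage()
{
	echo "Usage: $0 <setup|cleanup|fsverity-create-sign|fsverity-enable> <existing_tmp_dir>" >&2
	exit 1
}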
 34
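#######################################
# Generate a throw-away X.509 signing key and publish its certificate in the
# session keyring, linked into a dedicated keyring.
# Globals:   x509_genkey_content (read)
# Arguments: $1 - existing scratch directory; receives x509.genkey,
#            signing_key.pem (private key + self-signed certificate, PEM)
#            and signing_key.der (certificate only, DER)
# Outputs:   openssl/keyctl diagnostics
# Returns:   1 if keyctl does not hand back an id; other failures abort
#            via set -e
#######################################
setup()
{
	local tmp_dir="$1"
	local key_id keyring_id

	# '%s\n' writes the config exactly as echo did, including the final newline.
	printf '%s\n' "${x509_genkey_content}" > "${tmp_dir}/x509.genkey"

	# -nodes leaves the test key unencrypted; -out and -keyout name the same
	# file, so the PEM carries both the private key and the certificate,
	# which is the file "fsverity sign --key" consumes later.
	openssl req -new -nodes -utf8 -sha256 -days 36500 \
			-batch -x509 -config "${tmp_dir}/x509.genkey" \
			-outform PEM -out "${tmp_dir}/signing_key.pem" \
			-keyout "${tmp_dir}/signing_key.pem" 2>&1

	# Only the certificate is loaded into the kernel, in DER form.
	openssl x509 -in "${tmp_dir}/signing_key.pem" -out \
		"${tmp_dir}/signing_key.der" -outform der

	# keyctl padd reads the payload from stdin; feed the file directly.
	key_id=$(keyctl padd asymmetric ebpf_testing_key @s < "${tmp_dir}/signing_key.der")
	if [[ -z "${key_id}" ]]; then
		echo "keyctl padd did not return a key id" >&2
		return 1
	fi

	keyring_id=$(keyctl newring ebpf_testing_keyring @s)
	if [[ -z "${keyring_id}" ]]; then
		echo "keyctl newring did not return a keyring id" >&2
		return 1
	fi
	keyctl link "${key_id}" "${keyring_id}"
}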
 54
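#######################################
# Undo setup(): drop the test key and keyring from the session keyring and
# remove the scratch directory.
# Arguments: $1 - scratch directory created for the test
# Outputs:   keyctl diagnostics
# Returns:   non-zero (via set -e) if a lookup or unlink fails
#######################################
cleanup() {
	local tmp_dir="$1"
	local key_id keyring_id

	# Resolve the ids first: a failed search inside "$(...)" on the unlink
	# line would otherwise just leave "keyctl unlink" with a missing argument.
	key_id=$(keyctl search @s asymmetric ebpf_testing_key)
	keyctl unlink "${key_id}" @s
	keyring_id=$(keyctl search @s keyring ebpf_testing_keyring)
	keyctl unlink "${keyring_id}" @s

	# ${tmp_dir:?} aborts instead of running rm -rf on an empty path.
	rm -rf -- "${tmp_dir:?}"
}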
 62
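#######################################
# Create a random data file, sign it with the test key, and probe whether the
# file system supports fs-verity at all.
# Arguments: $1 - scratch directory holding signing_key.pem from setup()
# Outputs:   dd/fsverity diagnostics
# Returns:   non-zero (via set -e) if signing or the fs-verity probe fails
#######################################
fsverity_create_sign_file() {
	local tmp_dir="$1"
	local data_file="${tmp_dir}/data-file"
	local sig_file="${tmp_dir}/sig-file"

	# 12345 bytes of random content; dd's progress summary is discarded.
	dd if=/dev/urandom of="${data_file}" bs=1 count=12345 2> /dev/null
	fsverity sign --key "${tmp_dir}/signing_key.pem" "${data_file}" "${sig_file}"

	# We do not want to enable fsverity on $data_file yet. Try whether
	# the file system supports fsverity on a different file.
	touch "${tmp_dir}/tmp-file"
	fsverity enable "${tmp_dir}/tmp-file"
}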
 76
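#######################################
# Enable fs-verity on the data file created by fsverity_create_sign_file().
# Arguments: $1 - scratch directory containing data-file
# Outputs:   fsverity diagnostics
# Returns:   non-zero (via set -e) if fsverity enable fails
#######################################
fsverity_enable_file() {
	local tmp_dir="$1"
	local data_file="${tmp_dir}/data-file"

	fsverity enable "${data_file}"
}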
 83
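#######################################
# EXIT handler: on failure replay the captured log to the saved stderr
# (fd 3), then remove the log and exit with the original status.
# Arguments: $1 - exit status of the script
#            $2 - path of the log file
# Outputs:   log contents on fd 3 when $1 != 0 and the log is non-empty
# Returns:   does not return; exits with $1
#######################################
catch()
{
	local exit_code="$1"
	local log_file="$2"

	# fd 3 is only opened when output is being captured (VERBOSE=0); in that
	# mode the log is also the only place output goes. Skipping an empty log
	# avoids writing to a closed fd 3 in verbose mode, which under set -e
	# would skip the rm below and leak the temp file.
	if [[ "${exit_code}" -ne 0 && -s "${log_file}" ]]; then
		cat "${log_file}" >&3
	fi

	rm -f "${log_file}"
	exit "${exit_code}"
}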
 96
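#######################################
# Dispatch the requested action on the given scratch directory.
# Arguments: $1 - action: setup, cleanup, fsverity-create-sign or
#                 fsverity-enable
#            $2 - existing scratch directory
# Outputs:   error text on stderr for a missing directory or unknown action
# Returns:   exits 1 on usage errors; otherwise the action's status
#######################################
main()
{
	if (( $# != 2 )); then
		usage
	fi

	local action="$1"
	local tmp_dir="$2"

	if [[ ! -d "${tmp_dir}" ]]; then
		echo "Directory ${tmp_dir} doesn't exist" >&2
		exit 1
	fi

	case "${action}" in
		setup) setup "${tmp_dir}" ;;
		cleanup) cleanup "${tmp_dir}" ;;
		fsverity-create-sign) fsverity_create_sign_file "${tmp_dir}" ;;
		fsverity-enable) fsverity_enable_file "${tmp_dir}" ;;
		*)
			echo "Unknown action: ${action}" >&2
			exit 1
			;;
	esac
}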
119
# On every exit path catch() replays the log on failure and removes it.
trap 'catch "$?" "${LOG_FILE}"' EXIT

if (( VERBOSE == 0 )); then
	# Keep the original stderr on fd 3 so that catch() can send the
	# captured log back to it in case of an error.
	exec 3>&2 1>"${LOG_FILE}" 2>&1
fi

main "$@"
rm -f "${LOG_FILE}"