tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

kernel / tools / testing / selftests / bpf / verify_sig_setup.sh
at master 136 lines 2.9 kB view raw
1#!/bin/bash 2# SPDX-License-Identifier: GPL-2.0 3 4set -e 5set -u 6set -o pipefail 7 8VERBOSE="${SELFTESTS_VERBOSE:=0}" 9LOG_FILE="$(mktemp /tmp/verify_sig_setup.log.XXXXXX)" 10 11x509_genkey_content="\ 12[ req ] 13default_bits = 2048 14distinguished_name = req_distinguished_name 15prompt = no 16string_mask = utf8only 17x509_extensions = myexts 18 19[ req_distinguished_name ] 20CN = eBPF Signature Verification Testing Key 21 22[ myexts ] 23basicConstraints=critical,CA:FALSE 24keyUsage=digitalSignature 25subjectKeyIdentifier=hash 26authorityKeyIdentifier=keyid 27" 28 29usage() 30{ 31 echo "Usage: $0 <setup|cleanup <existing_tmp_dir>" 32 exit 1 33} 34 35genkey() 36{ 37 local tmp_dir="$1" 38 39 echo "${x509_genkey_content}" > ${tmp_dir}/x509.genkey 40 41 openssl req -new -nodes -utf8 -sha256 -days 36500 \ 42 -batch -x509 -config ${tmp_dir}/x509.genkey \ 43 -outform PEM -out ${tmp_dir}/signing_key.pem \ 44 -keyout ${tmp_dir}/signing_key.pem 2>&1 45 46 openssl x509 -in ${tmp_dir}/signing_key.pem -out \ 47 ${tmp_dir}/signing_key.der -outform der 48} 49 50setup() 51{ 52 local tmp_dir="$1" 53 54 genkey "${tmp_dir}" 55 key_id=$(cat ${tmp_dir}/signing_key.der | keyctl padd asymmetric ebpf_testing_key @s) 56 keyring_id=$(keyctl newring ebpf_testing_keyring @s) 57 keyctl link $key_id $keyring_id 58} 59 60cleanup() { 61 local tmp_dir="$1" 62 63 keyctl unlink $(keyctl search @s asymmetric ebpf_testing_key) @s 64 keyctl unlink $(keyctl search @s keyring ebpf_testing_keyring) @s 65 rm -rf ${tmp_dir} 66} 67 68fsverity_create_sign_file() { 69 local tmp_dir="$1" 70 71 data_file=${tmp_dir}/data-file 72 sig_file=${tmp_dir}/sig-file 73 dd if=/dev/urandom of=$data_file bs=1 count=12345 2> /dev/null 74 fsverity sign --key ${tmp_dir}/signing_key.pem $data_file $sig_file 75 76 # We do not want to enable fsverity on $data_file yet. Try whether 77 # the file system support fsverity on a different file. 78 touch ${tmp_dir}/tmp-file 79 fsverity enable ${tmp_dir}/tmp-file 80} 81 82fsverity_enable_file() { 83 local tmp_dir="$1" 84 85 data_file=${tmp_dir}/data-file 86 fsverity enable $data_file 87} 88 89catch() 90{ 91 local exit_code="$1" 92 local log_file="$2" 93 94 if [[ "${exit_code}" -ne 0 ]]; then 95 cat "${log_file}" >&3 96 fi 97 98 rm -f "${log_file}" 99 exit ${exit_code} 100} 101 102main() 103{ 104 [[ $# -ne 2 ]] && usage 105 106 local action="$1" 107 local tmp_dir="$2" 108 109 [[ ! -d "${tmp_dir}" ]] && echo "Directory ${tmp_dir} doesn't exist" && exit 1 110 111 if [[ "${action}" == "setup" ]]; then 112 setup "${tmp_dir}" 113 elif [[ "${action}" == "genkey" ]]; then 114 genkey "${tmp_dir}" 115 elif [[ "${action}" == "cleanup" ]]; then 116 cleanup "${tmp_dir}" 117 elif [[ "${action}" == "fsverity-create-sign" ]]; then 118 fsverity_create_sign_file "${tmp_dir}" 119 elif [[ "${action}" == "fsverity-enable" ]]; then 120 fsverity_enable_file "${tmp_dir}" 121 else 122 echo "Unknown action: ${action}" 123 exit 1 124 fi 125} 126 127trap 'catch "$?" "${LOG_FILE}"' EXIT 128 129if [[ "${VERBOSE}" -eq 0 ]]; then 130 # Save the stderr to 3 so that we can output back to 131 # it incase of an error. 132 exec 3>&2 1>"${LOG_FILE}" 2>&1 133fi 134 135main "$@" 136rm -f "${LOG_FILE}"