[PATCH v14 bpf-next 6/6] selftests/bpf: Add test that uses fsverity and xattr to sign a file

Song Liu song at kernel.org
Wed Nov 29 17:58:07 UTC 2023


On Wed, Nov 29, 2023 at 9:13 AM Song Liu <song at kernel.org> wrote:
>
> On Wed, Nov 29, 2023 at 6:56 AM Alexei Starovoitov
> <alexei.starovoitov at gmail.com> wrote:
> >
> > On Wed, Nov 29, 2023 at 3:20 AM Song Liu <song at kernel.org> wrote:
> > >
> > > On Tue, Nov 28, 2023 at 10:47 PM Alexei Starovoitov
> > > <alexei.starovoitov at gmail.com> wrote:
> > > >
> > > > On Tue, Nov 28, 2023 at 4:37 PM Song Liu <song at kernel.org> wrote:
> > > > > +char digest[MAGIC_SIZE + sizeof(struct fsverity_digest) + SHA256_DIGEST_SIZE];
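Review bot: sizeof(struct fsverity_digest) in the digest[] array bound needs the complete struct definition at compile time, so this line only builds where that type is fully defined for the BPF program. The array only needs the struct's size, not its fields, so consider a named constant for that size next to MAGIC_SIZE and SHA256_DIGEST_SIZE, with a comment saying which struct it mirrors.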
> > > >
> > > > when vmlinux is built without CONFIG_FS_VERITY the above fails
> > > > in a weird way:
> > > >   CLNG-BPF [test_maps] test_sig_in_xattr.bpf.o
> > > > progs/test_sig_in_xattr.c:36:26: error: invalid application of
> > > > 'sizeof' to an incomplete type 'struct fsverity_digest'
> > > >    36 | char digest[MAGIC_SIZE + sizeof(struct fsverity_digest) +
> > > > SHA256_DIGEST_SIZE];
> > > >       |                          ^     ~~~~~~~~~~~~~~~~~~~~~~~~
> > > >
> > > > Is there a way to somehow print a hint during the build what
> > > > configs users need to enable to pass the build ?
> > >
> > > Patch 5/6 added CONFIG_FS_VERITY to tools/testing/selftests/bpf/config.
> > > This is a more general question for all required CONFIG_* specified in the
> > > file (and the config files for other selftests).
> > >
> > > In selftests/bpf/Makefile, we have logic to find vmlinux. We can add similar
> > > logic to find .config used to build the vmlinux, and grep for each required
> > > CONFIG_* from the .config file. Does this sound like a viable solution?
> >
> > No need for new logic to parse .config.
> > libbpf does it already and
> > extern bool CONFIG_FS_VERITY __kconfig __weak;
> > works.
> >
> > Since you hard code MAGIC_SIZE anyway I'm asking
> > to hard code sizeof(struct fsverity_digest) as well, since the bpf prog
> > doesn't access it directly. It only needs to know its size.
> >
> > While inside:
> > int BPF_PROG(test_file_open, struct file *f)
> > {
> >   if (!CONFIG_FS_VERITY) {
> >      skip_fs_verity_test = true;
> >      return 0;
> >   }
> >
> > and report it as a clean error message in test_progs.
>
> Yeah, this makes sense. Let me update the tests.

Actually, it is easier. We already have skip-test logic for cases
where FS verity is not supported (as we need to enable it in
vmlinux and enable it per filesystem). So we only need to hard
code sizeof(struct fsverity_digest).

Thanks,
Song


