From: Luca Boccassi
Date: Wed, 6 Oct 2021 23:26:26 +0000 (+0100)
Subject: test: make OpenSSL checks optional in TEST-50-DISSECT
X-Git-Tag: v250-rc1~556
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c9d1c37c93b779006d901b13e1c32b79cd03877a;p=thirdparty%2Fsystemd.git

test: make OpenSSL checks optional in TEST-50-DISSECT

If the packages are built without libssl simply skip the signature checks.

Oct 06 21:21:32 H systemd[1]: systemd 249.1249.gcc4df1f787.0 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS -OPENSSL ...
Oct 06 21:22:21 H systemd[459]: Activation of signed Verity volume worked neither via the kernel nor in userspace, can't activate.

Follow-up for #20691
---
diff --git a/test/TEST-50-DISSECT/test.sh b/test/TEST-50-DISSECT/test.sh
index 178300f5e4a..1475659e6ec 100755
--- a/test/TEST-50-DISSECT/test.sh
+++ b/test/TEST-50-DISSECT/test.sh
@@ -14,7 +14,6 @@ TEST_INSTALL_VERITY_MINIMAL=1
 command -v mksquashfs >/dev/null 2>&1 || exit 0
 command -v veritysetup >/dev/null 2>&1 || exit 0
 command -v sfdisk >/dev/null 2>&1 || exit 0
-command -v openssl >/dev/null 2>&1 || exit 0
 
 # Need loop devices for systemd-dissect
 test_append_files() {
@@ -27,7 +26,9 @@ test_append_files() {
 generate_module_dependencies
 inst_binary losetup
 inst_binary wc
- inst_binary openssl
+ if command -v openssl >/dev/null 2>&1; then
+ inst_binary openssl
+ fi
 install_verity_minimal
 )
 }
diff --git a/test/units/testsuite-50.sh b/test/units/testsuite-50.sh
index 04abd9a09e3..a8024b32e3b 100755
--- a/test/units/testsuite-50.sh
+++ b/test/units/testsuite-50.sh
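Review bot: The openssl availability decision is now taken in two unrelated places — here on the build host with `command -v openssl`, and again inside the VM by testsuite-50.sh through HAVE_OPENSSL — and nothing ties them together; the failure quoted in the commit message is a systemd built `-OPENSSL`, which this host-side check cannot see. If HAVE_OPENSSL is derived from the build flags rather than from the presence of the binary (its assignment is not in this diff), a host without openssl paired with a libssl-enabled systemd would still reach the `openssl req` step with no binary installed, so the two checks should agree or one should drive the other. A comment on the new `if` would at least make the split intentional: `# openssl is optional here; testsuite-50.sh skips the signature checks when it is unavailable`. test_append_files continues outside the hunk.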
@@ -120,8 +120,11 @@ fi
 verity_size="$((verity_size * 2))KiB"
 signature_size="$((signature_size * 2))KiB"
-# Unfortunately OpenSSL insists on reading some config file, hence provide one with mostly placeholder contents
-cat >> "${image}.openssl.cnf" <> "${image}.openssl.cnf" < "${image}.verity-sig"
-# Pad it
-truncate -s "${signature_size}" "${image}.verity-sig"
-# Register certificate in the (userspace) verity key ring
-mkdir -p /run/verity.d
-ln -s "${image}.crt" /run/verity.d/ok.crt
+ # Create key pair
+ openssl req -config "${image}.openssl.cnf" -new -x509 -newkey rsa:1024 -keyout "${image}.key" -out "${image}.crt" -days 365 -nodes
+ # Sign Verity root hash with it
+ openssl smime -sign -nocerts -noattr -binary -in "${image}.roothash" -inkey "${image}.key" -signer "${image}.crt" -outform der -out "${image}.roothash.p7s"
+ # Generate signature partition JSON data
+ echo '{"rootHash":"'"${roothash}"'","signature":"'"$(base64 -w 0 < "${image}.roothash.p7s")"'"}' > "${image}.verity-sig"
+ # Pad it
+ truncate -s "${signature_size}" "${image}.verity-sig"
+ # Register certificate in the (userspace) verity key ring
+ mkdir -p /run/verity.d
+ ln -s "${image}.crt" /run/verity.d/ok.crt
+fi
 
 # Construct a UUID from hash
 # input: 11111111222233334444555566667777
@@ -155,14 +159,20 @@ uuid="$(head -c 32 "${image}.roothash" | sed -r 's/(.{8})(.{4})(.{4})(.{4})(.+)/
 echo -e "label: gpt\nsize=${root_size}, type=${root_guid}, uuid=${uuid}" | sfdisk "${image}.gpt"
 uuid="$(tail -c 32 "${image}.roothash" | sed -r 's/(.{8})(.{4})(.{4})(.{4})(.+)/\1-\2-\3-\4-\5/')"
 echo -e "size=${verity_size}, type=${verity_guid}, uuid=${uuid}" | sfdisk "${image}.gpt" --append
-echo -e "size=${signature_size}, type=${signature_guid}" | sfdisk "${image}.gpt" --append
+if [ "${HAVE_OPENSSL}" -eq 1 ]; then
+ echo -e "size=${signature_size}, type=${signature_guid}" | sfdisk "${image}.gpt" --append
+fi
 sfdisk --part-label "${image}.gpt" 1 "Root Partition"
 sfdisk --part-label "${image}.gpt" 2 "Verity Partition"
-sfdisk --part-label "${image}.gpt" 3 "Signature Partition"
+if [ "${HAVE_OPENSSL}" -eq 1 ]; then
+ sfdisk --part-label "${image}.gpt" 3 "Signature Partition"
+fi
 loop="$(losetup --show -P -f "${image}.gpt")"
 dd if="${image}.raw" of="${loop}p1"
 dd if="${image}.verity" of="${loop}p2"
-dd if="${image}.verity-sig" of="${loop}p3"
+if [ "${HAVE_OPENSSL}" -eq 1 ]; then
+ dd if="${image}.verity-sig" of="${loop}p3"
+fi
 losetup -d "${loop}"
 
 # Derive partition UUIDs from root hash, in UUID syntax
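Review bot: All three new `HAVE_OPENSSL` guards skip silently, so a systemd built without OpenSSL passes this test with no signature partition and nothing in the log distinguishes that run from one that actually exercised signed Verity; an `else` arm on the first guard, `echo "HAVE_OPENSSL=0: no signature partition, signed Verity is not exercised" >&2`, keeps the dropped coverage visible to whoever reads the test output. HAVE_OPENSSL is assigned outside this hunk; `[ "${HAVE_OPENSSL}" -eq 1 ]` with an unset or empty value prints an "integer expression expected" error and falls through to the skip path, which is indistinguishable from a deliberate skip, so either default it with `"${HAVE_OPENSSL:-0}"` or assert it is set before this point. The script continues past the hunk after `losetup -d`; the later steps that derive partition UUIDs from the root hash should be checked for the same three-partition assumption.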