From 0dfeb304ccf33ef7cb0fc66b44c14aa8f8518e57 Mon Sep 17 00:00:00 2001 From: Milan Broz Date: Sat, 13 Feb 2021 18:51:14 +0100 Subject: [PATCH] Fix veritysetup exit code for bad root hash with FEC enabled. If FEC was enabled, the error for bad root hash was replaced by error correction (datga were ok, only root hash was wrong). Do not run recovery test if root hash is incorrect. --- lib/verity/verity_hash.c | 2 +- tests/verity-compat-test | 26 ++++++++++++++++++++++++++ 2 files changed, 27 insertions(+), 1 deletion(-) diff --git a/lib/verity/verity_hash.c b/lib/verity/verity_hash.c index 2f10f54e..13b4c531 100644 --- a/lib/verity/verity_hash.c +++ b/lib/verity/verity_hash.c @@ -373,7 +373,7 @@ out: log_err(cd, _("Verification of data area failed.")); else { log_dbg(cd, "Verification of data area succeeded."); - r = memcmp(root_hash, calculated_digest, digest_size) ? -EPERM : 0; + r = memcmp(root_hash, calculated_digest, digest_size) ? -EINVAL : 0; if (r) log_err(cd, _("Verification of root hash failed.")); else diff --git a/tests/verity-compat-test b/tests/verity-compat-test index 23052bc8..f41a4f52 100755 --- a/tests/verity-compat-test +++ b/tests/verity-compat-test @@ -86,6 +86,30 @@ function compare_out() # $1 what, $2 expected [ $OPT != $2 ] && fail "$1 differs ($2)" } +function check_root_hash_fail() +{ + echo -n "Root hash check " + ARR=(`$VERITYSETUP format $IMG $IMG_HASH --fec-device $FEC_DEV --fec-roots 2 -h sha256`) + ROOT_HASH=${ARR[28]} + ROOT_HASH_BAD=abcdef0000000000000000000000000000000000000000000000000000000000 + + $VERITYSETUP verify $IMG $IMG_HASH $ROOT_HASH || fail + $VERITYSETUP verify $IMG $IMG_HASH $ROOT_HASH_BAD >/dev/null 2>&1 && fail + $VERITYSETUP verify $IMG $IMG_HASH $ROOT_HASH_BAD --fec-device $FEC_DEV --fec-roots 2 >/dev/null 2>&1 && fail + + $VERITYSETUP open $IMG $DEV_NAME $IMG_HASH $ROOT_HASH || fail + check_exists + dmsetup status $DEV_NAME | grep "verity V" >/dev/null || fail + $VERITYSETUP close $DEV_NAME >/dev/null 2>&1 || fail + + $VERITYSETUP open $IMG $DEV_NAME $IMG_HASH $ROOT_HASH_BAD >/dev/null 2>&1 || fail + check_exists + dmsetup status $DEV_NAME | grep "verity C" >/dev/null || fail + $VERITYSETUP close $DEV_NAME >/dev/null 2>&1 || fail + + echo "[OK]" +} + function check_root_hash() # $1 size, $2 hash, $3 salt, $4 version, $5 hash, [$6 offset] { if [ -z "$LOOPDEV2" ] ; then @@ -390,6 +414,8 @@ SALT=e48da609055204e89ae53b655ca2216dd983cf3cb829f34f63a297d106d53e2d echo "Verity tests [separate devices]" prepare 8192 1024 +check_root_hash_fail + check_root_hash 512 9de18652fe74edfb9b805aaed72ae2aa48f94333f1ba5c452ac33b1c39325174 $SALT 1 sha256 check_root_hash 1024 54d92778750495d1f80832b486ebd007617d746271511bbf0e295e143da2b3df $SALT 1 sha256 check_root_hash 4096 e522df0f97da4febb882ac40f30b37dc0b444bf6df418929463fa25280f09d5c $SALT 1 sha256