diff --git a/cmd/stacker/build.go b/cmd/stacker/build.go index 69763f81..0490543b 100644 --- a/cmd/stacker/build.go +++ b/cmd/stacker/build.go @@ -4,6 +4,7 @@ import ( "fmt" cli "github.com/urfave/cli/v2" + "stackerbuild.io/stacker/pkg/erofs" "stackerbuild.io/stacker/pkg/squashfs" "stackerbuild.io/stacker/pkg/stacker" "stackerbuild.io/stacker/pkg/types" @@ -52,13 +53,17 @@ func initCommonBuildFlags() []cli.Flag { }, &cli.StringSliceFlag{ Name: "layer-type", - Usage: "set the output layer type (supported values: tar, squashfs); can be supplied multiple times", + Usage: "set the output layer type (supported values: tar, squashfs, erofs); can be supplied multiple times", Value: cli.NewStringSlice("tar"), }, &cli.BoolFlag{ Name: "no-squashfs-verity", Usage: "do not append dm-verity data to squashfs archives", }, + &cli.BoolFlag{ + Name: "no-verity", + Usage: "do not append dm-verity data to non-tar archives", + }, &cli.BoolFlag{ Name: "require-hash", Usage: "require all remote imports to have a hash provided in stackerfiles", @@ -105,6 +110,7 @@ func newBuildArgs(ctx *cli.Context) (stacker.BuildArgs, error) { var err error verity := squashfs.VerityMetadata(!ctx.Bool("no-squashfs-verity")) args.LayerTypes, err = types.NewLayerTypes(ctx.StringSlice("layer-type"), verity) + verity := erofs.VerityMetadata(!ctx.Bool("no-erofs-verity")) return args, err } diff --git a/pkg/erofs/erofs.go b/pkg/erofs/erofs.go new file mode 100644 index 00000000..7df27005 --- /dev/null +++ b/pkg/erofs/erofs.go @@ -0,0 +1,182 @@ +// This package is a small go "library" (read: exec wrapper) around the +// mkfs.erofs binary that provides some useful primitives. +package erofs + +import ( + "bytes" + "io" + "os" + "os/exec" + "path" + "path/filepath" + "strings" + "sync" + + "github.com/pkg/errors" +) + +var checkZstdSupported sync.Once +var zstdIsSuspported bool + +// ExcludePaths represents a list of paths to exclude in a erofs listing. +// Users should do something like filepath.Walk() over the whole filesystem, +// calling AddExclude() or AddInclude() based on whether they want to include +// or exclude a particular file. Note that if e.g. /usr is excluded, then +// everyting underneath is also implicitly excluded. The +// AddExclude()/AddInclude() methods do the math to figure out what is the +// correct set of things to exclude or include based on what paths have been +// previously included or excluded. +type ExcludePaths struct { + exclude map[string]bool + include []string +} + +func NewExcludePaths() *ExcludePaths { + return &ExcludePaths{ + exclude: map[string]bool{}, + include: []string{}, + } +} + +func (eps *ExcludePaths) AddExclude(p string) { + for _, inc := range eps.include { + // If /usr/bin/ls has changed but /usr hasn't, we don't want to list + // /usr in the include paths any more, so let's be sure to only + // add things which aren't prefixes. + if strings.HasPrefix(inc, p) { + return + } + } + eps.exclude[p] = true +} + +func (eps *ExcludePaths) AddInclude(orig string, isDir bool) { + // First, remove this thing and all its parents from exclude. + p := orig + + // normalize to the first dir + if !isDir { + p = path.Dir(p) + } + for { + // our paths are all absolute, so this is a base case + if p == "/" { + break + } + + delete(eps.exclude, p) + p = filepath.Dir(p) + } + + // now add it to the list of includes, so we don't accidentally re-add + // anything above. + eps.include = append(eps.include, orig) +} + +func (eps *ExcludePaths) String() (string, error) { + var buf bytes.Buffer + for p := range eps.exclude { + _, err := buf.WriteString(p) + if err != nil { + return "", err + } + _, err = buf.WriteString("\n") + if err != nil { + return "", err + } + } + + _, err := buf.WriteString("\n") + if err != nil { + return "", err + } + + return buf.String(), nil +} + +func MakeErofs(tempdir string, rootfs string, eps *ExcludePaths, verity VerityMetadata) (io.ReadCloser, string, string, error) { + var excludesFile string + var err error + var toExclude string + var rootHash string + + if eps != nil { + toExclude, err = eps.String() + if err != nil { + return nil, "", rootHash, errors.Wrapf(err, "couldn't create exclude path list") + } + } + + if len(toExclude) != 0 { + excludes, err := os.CreateTemp(tempdir, "stacker-erofs-exclude-") + if err != nil { + return nil, "", rootHash, err + } + defer os.Remove(excludes.Name()) + + excludesFile = excludes.Name() + _, err = excludes.WriteString(toExclude) + excludes.Close() + if err != nil { + return nil, "", rootHash, err + } + } + + tmpErofs, err := os.CreateTemp(tempdir, "stacker-erofs-img-") + if err != nil { + return nil, "", rootHash, err + } + tmpErofs.Close() + os.Remove(tmpErofs.Name()) + defer os.Remove(tmpErofs.Name()) + args := []string{rootfs, tmpErofs.Name()} + compression := GzipCompression + if mkerofsSupportsZstd() { + args = append(args, "-z", "zstd") + compression = ZstdCompression + } + if len(toExclude) != 0 { + args = append(args, "--exclude-path", excludesFile) + } + cmd := exec.Command("mkfs.erofs", args...) + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + if err = cmd.Run(); err != nil { + return nil, "", rootHash, errors.Wrap(err, "couldn't build erofs") + } + + if verity { + rootHash, err = appendVerityData(tmpErofs.Name()) + if err != nil { + return nil, "", rootHash, err + } + } + + blob, err := os.Open(tmpErofs.Name()) + if err != nil { + return nil, "", rootHash, errors.WithStack(err) + } + + return blob, GenerateErofsMediaType(compression, verity), rootHash, nil +} + +func mkerofsSupportsZstd() bool { + checkZstdSupported.Do(func() { + var stdoutBuffer strings.Builder + var stderrBuffer strings.Builder + + cmd := exec.Command("mkfs.erofs", "--help") + cmd.Stdout = &stdoutBuffer + cmd.Stderr = &stderrBuffer + + // Ignore errs here as `mkerofs --help` exit status code is 1 + _ = cmd.Run() + + if strings.Contains(stdoutBuffer.String(), "zstd") || + strings.Contains(stderrBuffer.String(), "zstd") { + zstdIsSuspported = true + } + }) + + return zstdIsSuspported +} diff --git a/pkg/erofs/mediatype.go b/pkg/erofs/mediatype.go new file mode 100644 index 00000000..6726ea14 --- /dev/null +++ b/pkg/erofs/mediatype.go @@ -0,0 +1,37 @@ +package erofs + +import ( + "fmt" + "strings" +) + +type ErofsCompression string +type VerityMetadata bool + +const ( + BaseMediaTypeLayerErofs = "application/vnd.stacker.image.layer.erofs" + + GzipCompression ErofsCompression = "gzip" + ZstdCompression ErofsCompression = "zstd" + + veritySuffix = "verity" + + VerityMetadataPresent VerityMetadata = true + VerityMetadataMissing VerityMetadata = false +) + +func IsErofsMediaType(mediaType string) bool { + return strings.HasPrefix(mediaType, BaseMediaTypeLayerErofs) +} + +func GenerateErofsMediaType(comp ErofsCompression, verity VerityMetadata) string { + verityString := "" + if verity { + verityString = fmt.Sprintf("+%s", veritySuffix) + } + return fmt.Sprintf("%s+%s%s", BaseMediaTypeLayerErofs, comp, verityString) +} + +func HasVerityMetadata(mediaType string) VerityMetadata { + return VerityMetadata(strings.HasSuffix(mediaType, veritySuffix)) +} diff --git a/pkg/erofs/superblock.go b/pkg/erofs/superblock.go new file mode 100644 index 00000000..c28b4f82 --- /dev/null +++ b/pkg/erofs/superblock.go @@ -0,0 +1,84 @@ +package erofs + +const ( + // Definitions for superblock. + SuperBlockMagicV1 = 0xe0f5e1e2 + SuperBlockOffset = 1024 + + // Inode slot size in bit shift. + InodeSlotBits = 5 + + // Max file name length. + MaxNameLen = 255 +) + +// Bit definitions for Inode*::Format. +const ( + InodeLayoutBit = 0 + InodeLayoutBits = 1 + + InodeDataLayoutBit = 1 + InodeDataLayoutBits = 3 +) + +// Inode layouts. +const ( + InodeLayoutCompact = 0 + InodeLayoutExtended = 1 +) + +// Inode data layouts. +const ( + InodeDataLayoutFlatPlain = iota + InodeDataLayoutFlatCompressionLegacy + InodeDataLayoutFlatInline + InodeDataLayoutFlatCompression + InodeDataLayoutChunkBased + InodeDataLayoutMax +) + +// Features w/ backward compatibility. +// This is not exhaustive, unused features are not listed. +const ( + FeatureCompatSuperBlockChecksum = 0x00000001 +) + +// Features w/o backward compatibility. +// +// Any features that aren't in FeatureIncompatSupported are incompatible +// with this implementation. +// +// This is not exhaustive, unused features are not listed. +const ( + FeatureIncompatSupported = 0x0 +) + +// Sizes of on-disk structures in bytes. +const ( + SuperBlockSize = 128 + InodeCompactSize = 32 + InodeExtendedSize = 64 + DirentSize = 12 +) + +type superblock struct { + Magic uint32 + Checksum uint32 + FeatureCompat uint32 + BlockSizeBits uint8 + ExtSlots uint8 + RootNid uint16 + Inodes uint64 + BuildTime uint64 + BuildTimeNsec uint32 + Blocks uint32 + MetaBlockAddr uint32 + XattrBlockAddr uint32 + UUID [16]uint8 + VolumeName [16]uint8 + FeatureIncompat uint32 + Union1 uint16 + ExtraDevices uint16 + DevTableSlotOff uint16 + Reserved [38]uint8 +} diff --git a/pkg/erofs/verity.go b/pkg/erofs/verity.go new file mode 100644 index 00000000..506446a5 --- /dev/null +++ b/pkg/erofs/verity.go @@ -0,0 +1,515 @@ +package erofs + +// #cgo pkg-config: libcryptsetup devmapper --static +// #include +// #include +// #include +// #include +/* +int get_verity_params(char *device, char **params) +{ + struct dm_task *dmt; + struct dm_info dmi; + int r; + uint64_t start, length; + char *type, *tmpParams; + + dmt = dm_task_create(DM_DEVICE_TABLE); + if (!dmt) + return 1; + + r = 2; + if (!dm_task_secure_data(dmt)) + goto out; + + r = 3; + if (!dm_task_set_name(dmt, device)) + goto out; + + r = 4; + if (!dm_task_run(dmt)) + goto out; + + r = 5; + if (!dm_task_get_info(dmt, &dmi)) + goto out; + + r = 6; + if (!dmi.exists) + goto out; + + r = 7; + if (dmi.target_count <= 0) + goto out; + + r = 8; + dm_get_next_target(dmt, NULL, &start, &length, &type, &tmpParams); + if (!type) + goto out; + + r = 9; + if (strcasecmp(type, CRYPT_VERITY)) { + fprintf(stderr, "type: %s (%s) %d\n", type, CRYPT_VERITY, strcmp(type, CRYPT_VERITY)); + goto out; + } + *params = strdup(tmpParams); + + r = 0; +out: + dm_task_destroy(dmt); + return r; +} +*/ +import "C" + +import ( + "encoding/hex" + "fmt" + "os" + "path" + "path/filepath" + "strconv" + "strings" + "syscall" + "unsafe" + + "github.com/freddierice/go-losetup" + "github.com/martinjungblut/go-cryptsetup" + "github.com/pkg/errors" + "golang.org/x/sys/unix" + "stackerbuild.io/stacker/pkg/mount" +) + +const VerityRootHashAnnotation = "io.stackeroci.stacker.erofs_verity_root_hash" + +type verityDeviceType struct { + Flags uint + DataDevice string + HashOffset uint64 +} + +func (verity verityDeviceType) Name() string { + return C.CRYPT_VERITY +} + +func (verity verityDeviceType) Unmanaged() (unsafe.Pointer, func()) { + var cParams C.struct_crypt_params_verity + + cParams.hash_name = C.CString("sha256") + cParams.data_device = C.CString(verity.DataDevice) + cParams.fec_device = nil + cParams.fec_roots = 0 + + cParams.salt_size = 32 // DEFAULT_VERITY_SALT_SIZE for x86 + cParams.salt = nil + + // these can't be larger than a page size, but we want them to be as + // big as possible so the hash data is small, so let's set them to a + // page size. + cParams.data_block_size = C.uint(os.Getpagesize()) + cParams.hash_block_size = C.uint(os.Getpagesize()) + + cParams.data_size = C.ulong(verity.HashOffset / uint64(os.Getpagesize())) + cParams.hash_area_offset = C.ulong(verity.HashOffset) + cParams.fec_area_offset = 0 + cParams.hash_type = 1 // use format version 1 (i.e. "modern", non chrome-os) + cParams.flags = C.uint(verity.Flags) + + deallocate := func() { + C.free(unsafe.Pointer(cParams.hash_name)) + C.free(unsafe.Pointer(cParams.data_device)) + } + + return unsafe.Pointer(&cParams), deallocate +} + +func isCryptsetupEINVAL(err error) bool { + cse, ok := err.(*cryptsetup.Error) + return ok && cse.Code() == -22 +} + +var cryptsetupTooOld = errors.Errorf("libcryptsetup not new enough, need >= 2.3.0") + +func appendVerityData(file string) (string, error) { + fi, err := os.Lstat(file) + if err != nil { + return "", errors.WithStack(err) + } + + verityOffset := fi.Size() + + // we expect mkerofs to have padded the file to the nearest 4k + // (dm-verity requires device block size, which is 512 for loopback, + // which is a multiple of 4k), let's check that here + if verityOffset%512 != 0 { + return "", errors.Errorf("bad verity file size %d", verityOffset) + } + + verityDevice, err := cryptsetup.Init(file) + if err != nil { + return "", errors.WithStack(err) + } + + verityType := verityDeviceType{ + Flags: cryptsetup.CRYPT_VERITY_CREATE_HASH, + DataDevice: file, + HashOffset: uint64(verityOffset), + } + err = verityDevice.Format(verityType, cryptsetup.GenericParams{}) + if err != nil { + return "", errors.WithStack(err) + } + + // a bit ugly, but this is the only API for querying the root + // hash (short of invoking the veritysetup binary), and it was + // added in libcryptsetup commit 188cb114af94 ("Add support for + // verity in crypt_volume_key_get and use it in status"), which + // is relatively recent (ubuntu 20.04 does not have this patch, + // for example). + // + // before that, we get a -22. so, let's test for that and + // render a special error message. + rootHash, _, err := verityDevice.VolumeKeyGet(cryptsetup.CRYPT_ANY_SLOT, "") + if isCryptsetupEINVAL(err) { + return "", cryptsetupTooOld + } else if err != nil { + return "", err + } + + return fmt.Sprintf("%x", rootHash), errors.WithStack(err) +} + +func verityDataLocation(sblock *superblock) (uint64, error) { + return SuperBlockSize, nil +} + +func verityName(p string) string { + return fmt.Sprintf("%s-%s", p, veritySuffix) +} + +func fileChanged(a os.FileInfo, path string) bool { + b, err := os.Lstat(path) + if err != nil { + return true + } + return !os.SameFile(a, b) +} + +// Mount a filesystem as container root, without host root +// privileges. We do this using squashfuse. +func GuestMount(squashFile string, mountpoint string) error { + if isMountpoint(mountpoint) { + return errors.Errorf("%s is already mounted", mountpoint) + } + + abs, err := filepath.Abs(squashFile) + if err != nil { + return errors.Errorf("Failed to get absolute path for %s: %v", squashFile, err) + } + squashFile = abs + + abs, err = filepath.Abs(mountpoint) + if err != nil { + return errors.Errorf("Failed to get absolute path for %s: %v", mountpoint, err) + } + mountpoint = abs + + cmd, err := squashFuse(squashFile, mountpoint) + if err != nil { + return err + } + if err := cmd.Process.Release(); err != nil { + return errors.Errorf("Failed to release process after guestmount %s: %v", squashFile, err) + } + return nil +} + +func isMountpoint(dest string) bool { + mounted, err := mount.IsMountpoint(dest) + return err == nil && mounted +} + +// Takes /proc/self/uid_map contents as one string +// Returns true if this is a uidmap representing the whole host +// uid range. +func uidmapIsHost(oneline string) bool { + oneline = strings.TrimSuffix(oneline, "\n") + if len(oneline) == 0 { + return false + } + lines := strings.Split(oneline, "\n") + if len(lines) != 1 { + return false + } + words := strings.Fields(lines[0]) + if len(words) != 3 || words[0] != "0" || words[1] != "0" || words[2] != "4294967295" { + return false + } + + return true +} + +func amHostRoot() bool { + // if not uid 0, not host root + if os.Geteuid() != 0 { + return false + } + // if uid_map doesn't map 0 to 0, not host root + bytes, err := os.ReadFile("/proc/self/uid_map") + if err != nil { + return false + } + return uidmapIsHost(string(bytes)) +} + +func Mount(erofs, mountpoint, rootHash string) error { + if !amHostRoot() { + return GuestMount(erofs, mountpoint) + } + err := HostMount(erofs, mountpoint, rootHash) + if err == nil || rootHash != "" { + return err + } + return GuestMount(erofs, mountpoint) +} + +func HostMount(erofs string, mountpoint string, rootHash string) error { + fi, err := os.Stat(erofs) + if err != nil { + return errors.WithStack(err) + } + + sblock, err := readSuperblock(erofs) + if err != nil { + return err + } + + verityOffset, err := verityDataLocation(sblock) + if err != nil { + return err + } + + if verityOffset == uint64(fi.Size()) && rootHash != "" { + return errors.Errorf("asked for verity but no data present") + } + + if rootHash == "" && verityOffset != uint64(fi.Size()) { + return errors.Errorf("verity data present but no root hash specified") + } + + mountSourcePath := "" + + var verityDevice *cryptsetup.Device + name := verityName(path.Base(erofs)) + + loopDevNeedsClosedOnErr := false + var loopDev losetup.Device + + // set up the verity device if necessary + if rootHash != "" { + verityDevPath := path.Join("/dev/mapper", name) + mountSourcePath = verityDevPath + _, err = os.Stat(verityDevPath) + if err != nil { + if !os.IsNotExist(err) { + return errors.WithStack(err) + } + + loopDev, err = losetup.Attach(erofs, 0, true) + if err != nil { + return errors.WithStack(err) + } + loopDevNeedsClosedOnErr = true + + verityDevice, err = cryptsetup.Init(loopDev.Path()) + if err != nil { + return errors.WithStack(err) + } + + verityType := verityDeviceType{ + Flags: 0, + DataDevice: loopDev.Path(), + HashOffset: verityOffset, + } + + err = verityDevice.Load(verityType) + if err != nil { + loopDev.Detach() + return errors.WithStack(err) + } + + // each string byte hex encodes four bits of info... + volumeKeySizeInBytes := len(rootHash) * 4 / 8 + rootHashBytes, err := hex.DecodeString(rootHash) + if err != nil { + loopDev.Detach() + return errors.WithStack(err) + } + + if len(rootHashBytes) != volumeKeySizeInBytes { + loopDev.Detach() + return errors.Errorf("unexpected key size for %s", rootHash) + } + + err = verityDevice.ActivateByVolumeKey(name, string(rootHashBytes), volumeKeySizeInBytes, cryptsetup.CRYPT_ACTIVATE_READONLY) + if err != nil { + loopDev.Detach() + return errors.WithStack(err) + } + } else { + err = ConfirmExistingVerityDeviceHash(verityDevPath, rootHash, rejectVerityFailure) + if err != nil { + return err + } + } + } else { + loopDev, err = losetup.Attach(erofs, 0, true) + if err != nil { + return errors.WithStack(err) + } + defer loopDev.Detach() + mountSourcePath = loopDev.Path() + + } + + err = errors.WithStack(unix.Mount(mountSourcePath, mountpoint, "erofs", unix.MS_RDONLY, "")) + if err != nil { + if verityDevice != nil { + verityDevice.Deactivate(name) + loopDev.Detach() + } + if loopDevNeedsClosedOnErr { + loopDev.Detach() + } + return err + } + return nil +} + +func findLoopBackingVerity(device string) (int64, error) { + fi, err := os.Stat(device) + if err != nil { + return -1, errors.WithStack(err) + } + + var minor uint32 + switch stat := fi.Sys().(type) { + case *unix.Stat_t: + minor = unix.Minor(uint64(stat.Rdev)) + case *syscall.Stat_t: + minor = unix.Minor(uint64(stat.Rdev)) + default: + return -1, errors.Errorf("unknown stat info type %T", stat) + } + + ents, err := os.ReadDir(fmt.Sprintf("/sys/block/dm-%d/slaves", minor)) + if err != nil { + return -1, errors.WithStack(err) + } + + if len(ents) != 1 { + return -1, errors.Errorf("too many slaves for %v", device) + } + loop := ents[0] + + deviceNo, err := strconv.ParseInt(strings.TrimPrefix(filepath.Base(loop.Name()), "loop"), 10, 64) + if err != nil { + return -1, errors.Wrapf(err, "bad loop dev %v", loop.Name()) + } + + return deviceNo, nil +} + +func Umount(mountpoint string) error { + mounts, err := mount.ParseMounts("/proc/self/mountinfo") + if err != nil { + return err + } + + // first, find the verity device that backs the mount + theMount, found := mounts.FindMount(mountpoint) + if !found { + return errors.Errorf("%s is not a mountpoint", mountpoint) + } + + err = unix.Unmount(mountpoint, 0) + if err != nil { + return errors.Wrapf(err, "failed unmounting %v", mountpoint) + } + + if _, err := os.Stat(theMount.Source); err != nil { + if os.IsNotExist(err) { + return nil + } + return errors.WithStack(err) + } + + // was this a verity mount or a regular loopback mount? (if it's a + // regular loopback mount, we detached it above, so need to do anything + // special here; verity doesn't play as nicely) + if strings.HasSuffix(theMount.Source, veritySuffix) { + // find the loop device that backs the verity device + deviceNo, err := findLoopBackingVerity(theMount.Source) + if err != nil { + return err + } + + loopDev := losetup.New(uint64(deviceNo), 0) + // here, we don't have the loopback device any more (we detached it + // above). the cryptsetup API allows us to pass NULL for the crypt + // device, but go-cryptsetup doesn't have a way to initialize a NULL + // crypt device short of making the struct by hand like this. + err = (&cryptsetup.Device{}).Deactivate(theMount.Source) + if err != nil { + return errors.WithStack(err) + } + + // finally, kill the loop dev + err = loopDev.Detach() + if err != nil { + return errors.Wrapf(err, "failed to detach loop dev for %v", theMount.Source) + } + } + + return nil +} + +// If we are using squashfuse, then we will be unable to get verity has from +// the mount device. This is not a safe thing, we we only allow it when the +// device was mounted originally with AllowMissingVerityData. + +const ( + rejectVerityFailure = false + allowVerityFailure = false +) + +func ConfirmExistingVerityDeviceHash(devicePath string, rootHash string, allowVerityFailure bool) error { + device := filepath.Base(devicePath) + cDevice := C.CString(device) + defer C.free(unsafe.Pointer(cDevice)) + + var cParams *C.char + + rc := C.get_verity_params(cDevice, &cParams) + if rc != 0 { + if allowVerityFailure { + return nil + } + return errors.Errorf("problem getting hash from %v: %v", device, rc) + } + defer C.free(unsafe.Pointer(cParams)) + + params := C.GoString(cParams) + + // https://gitlab.com/cryptsetup/cryptsetup/-/wikis/DMVerity + fields := strings.Fields(params) + if len(fields) < 10 { + return errors.Errorf("invalid dm params for %v: %v", device, params) + } + + if rootHash != fields[8] { + return errors.Errorf("invalid root hash for %v: %v (expected: %v)", device, fields[7], rootHash) + } + + return nil +} diff --git a/pkg/erofs/verity_static.go b/pkg/erofs/verity_static.go new file mode 100644 index 00000000..549c5d13 --- /dev/null +++ b/pkg/erofs/verity_static.go @@ -0,0 +1,10 @@ +//go:build static_build +// +build static_build + +package erofs + +// cryptsetup's pkgconfig is broken (it does not set Requires.private or +// Libs.private at all), so we do the LDLIBS for it by hand. + +// #cgo LDFLAGS: -lcryptsetup -lcrypto -lssl -lblkid -luuid -ljson-c -lpthread -ldl +import "C" diff --git a/pkg/erofs/verity_test.go b/pkg/erofs/verity_test.go new file mode 100644 index 00000000..f9ef7c5d --- /dev/null +++ b/pkg/erofs/verity_test.go @@ -0,0 +1,134 @@ +package erofs + +import ( + "fmt" + "io" + "os" + "os/exec" + "path" + "testing" + + "github.com/stretchr/testify/assert" +) + +type uidmapTestcase struct { + uidmap string + expected bool +} + +var uidmapTests = []uidmapTestcase{ + uidmapTestcase{ + uidmap: ` 0 0 4294967295`, + expected: true, + }, + uidmapTestcase{ + uidmap: ` 0 0 1000 +2000 2000 1`, + expected: false, + }, + uidmapTestcase{ + uidmap: ` 0 0 1000`, + expected: false, + }, + uidmapTestcase{ + uidmap: ` 10 0 4294967295`, + expected: false, + }, + uidmapTestcase{ + uidmap: ` 0 10 4294967295`, + expected: false, + }, + uidmapTestcase{ + uidmap: ` 0 0 1`, + expected: false, + }, +} + +func TestAmHostRoot(t *testing.T) { + assert := assert.New(t) + for _, testcase := range uidmapTests { + v := uidmapIsHost(testcase.uidmap) + assert.Equal(v, testcase.expected) + } +} + +func TestVerityMetadata(t *testing.T) { + assert := assert.New(t) + + rootfs, err := os.MkdirTemp("", "stacker_verity_test_rootfs") + assert.NoError(err) + defer os.RemoveAll(rootfs) + + tempdir, err := os.MkdirTemp("", "stacker_verity_test_tempdir") + assert.NoError(err) + defer os.RemoveAll(tempdir) + + err = os.WriteFile(path.Join(rootfs, "foo"), []byte("bar"), 0644) + assert.NoError(err) + + reader, _, rootHash, err := MakeErofs(tempdir, rootfs, nil, VerityMetadataPresent) + if err == cryptsetupTooOld { + t.Skip("libcryptsetup too old") + } + assert.NoError(err) + + content, err := io.ReadAll(reader) + assert.NoError(err) + erofsFile := path.Join(tempdir, "foo.erofs") + err = os.WriteFile(erofsFile, content, 0600) + assert.NoError(err) + + sblock, err := readSuperblock(erofsFile) + assert.NoError(err) + + verityOffset, err := verityDataLocation(sblock) + assert.NoError(err) + + // now let's try to verify it at least in userspace. exec cryptsetup + // because i'm lazy and it's only in tests + cmd := exec.Command("veritysetup", "verify", erofsFile, erofsFile, rootHash, + "--hash-offset", fmt.Sprintf("%d", verityOffset)) + cmd.Stdin = os.Stdin + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + err = cmd.Run() + assert.NoError(err) + + // what if we fiddle with the verity data? note that we have to fiddle + // with the beginning of the verity block, which will be 4k long for + // our small erofs file, because the stuff at the end of the verity + // block is unused. + const bytesToFlip = 2 + const flipAtOffset = -4087 + + f, err := os.OpenFile(erofsFile, os.O_RDWR, 0644) + assert.NoError(err) + defer f.Close() + _, err = f.Seek(flipAtOffset, os.SEEK_END) + assert.NoError(err) + + buf := make([]byte, bytesToFlip) + n, err := f.Read(buf) + assert.Equal(n, bytesToFlip) + assert.NoError(err) + + for i := range buf { + buf[i] = buf[i] ^ 0xff + } + + _, err = f.Seek(flipAtOffset, os.SEEK_END) + assert.NoError(err) + n, err = f.Write(buf) + assert.Equal(n, bytesToFlip) + assert.NoError(err) + assert.NoError(f.Sync()) + assert.NoError(f.Close()) + + cmd = exec.Command("veritysetup", "verify", erofsFile, erofsFile, rootHash, + "--hash-offset", fmt.Sprintf("%d", verityOffset)) + cmd.Stdin = os.Stdin + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + err = cmd.Run() + assert.Error(err) +}