Re: [PATCH v3 0/4] ovl: Add support for fs-verity checking of lowerdata

On Thu, Jun 22, 2023 at 11:37 AM Amir Goldstein <amir73il@xxxxxxxxx> wrote:
>
> On Wed, Jun 14, 2023 at 10:17 AM Alexander Larsson <alexl@xxxxxxxxxx> wrote:
> >
> > On Wed, Jun 14, 2023 at 8:14 AM Amir Goldstein <amir73il@xxxxxxxxx> wrote:
> > >
> > > On Mon, Jun 12, 2023 at 5:54 PM Alexander Larsson <alexl@xxxxxxxxxx> wrote:
> > > >
> > > > On Mon, Jun 12, 2023 at 1:09 PM Alexander Larsson <alexl@xxxxxxxxxx> wrote:
> > > > >
> > > > > On Mon, Jun 12, 2023 at 12:54 PM Amir Goldstein <amir73il@xxxxxxxxx> wrote:
> > > > > >
> > > > > > On Mon, Jun 12, 2023 at 1:27 PM Alexander Larsson <alexl@xxxxxxxxxx> wrote:
> > > > > > >
> > > > > > > This patchset adds support for using fs-verity to validate lowerdata
> > > > > > > files by specifying an overlay.verity xattr on the metacopy
> > > > > > > files.
> > > > > > >
> > > > > > > This is primarily motivated by the Composefs usecase, where there will
> > > > > > > be a read-only EROFS layer that contains redirect into a base data
> > > > > > > layer which has fs-verity enabled on all files. However, it is also
> > > > > > > useful in general if you want to ensure that the lowerdata files
> > > > > > > > match the expected content over time.
> > > > > > >
> > > > > > > I have also added some tests for this feature to xfstests[1].
> > > > > >
> > > > > > I can't remember if there is a good reason why your test does
> > > > > > not include verify in a data-only layer.
> > > > > >
> > > > > > I think this test coverage needs to be added.
> > > > >
> > > > > Yeah. I'll add that.
> > > >
> > > > Updated the git branch with some lowerdata tests.
> > > >
> > >
> > > What do I need to do in order to enable verity on ext4 besides
> > > enabling FS_VERITY in the kernel?
> > >
> > > I'm getting these on verity tests on ext4 in the default 4k config.
> > > _require_scratch_verity() doesn't mention any requirement other
> > > than 4K blocks and extent format files.
> > >
> > > Thanks,
> > > Amir.
> > >
> > > BEGIN TEST 4k (10 tests): Ext4 4k block Wed Jun 14 06:04:25 UTC 2023
> > > DEVICE: /dev/vdb
> > > EXT_MKFS_OPTIONS: -b 4096
> > > EXT_MOUNT_OPTIONS: -o block_validity
> > > FSTYP         -- ext4
> > > PLATFORM      -- Linux/x86_64 kvm-xfstests
> > > 6.4.0-rc2-xfstests-00026-g35774ba7f07c #1596 SMP PREEMPT_DYNAMIC Tue
> > > Jun 13 18:16:59 IDT 2023
> > > MKFS_OPTIONS  -- -F -q -b 4096 /dev/vdc
> > > MOUNT_OPTIONS -- -o acl,user_xattr -o block_validity /dev/vdc /vdc
> > >
> > > generic/572        [06:04:42] [06:04:47] [not run]
> > > generic/572 -- ext4 verity isn't usable by default with these mkfs options
> > > ...
> >
> > You need to "tune2fs -O verity" (or pass -O verity to mkfs.ext4).
> >
>
> That was indeed missing in my setup, but it did not fix the problem.
>
> Turned out that I had a very old version of fsverity installed in my
> kvm-xfstest test VM, where there is no --block-size option to
> fsverity enable would always fail.
>
> Eric,
>
> You may consider adding a check for minimal version of
> fsverity or check for support of --block-size option to make
> this error reason more clear for testers.
>
> Ted,
>
> FYI, FSVERITY_GIT in fstests-bld/config points to an out of date URL
>
> How come there is no ext4/cfg/verity in fstests-bld?
> Are you guys not testing fsverity with fstests-bld?
> Should we just add fsverity config or add verity to ext4/cfg/encrypt
> instead to avoid growing the test matrix?
>
> I can send patches for fstests-bld fixing the above if you like.
>
> Alex,
>
> Verified that your verity-tests2 work as expected with v5 patches.

To be honest I have not validated that my changes to the shared verity
code still work with the non-overlayfs tests. If you have a setup for
it, it would be great if you could try the regular ext4 w/ fs-verity
tests on top of the verity-test2 branch.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                Red Hat, Inc
       alexl@xxxxxxxxxx         alexander.larsson@xxxxxxxxx
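
The two prerequisites that surfaced in the quoted exchange (the ext4 verity feature flag and an fsverity tool that understands --block-size) can be checked before the tests start. The script below is an added example, not part of this thread or of xfstests; the function names are hypothetical and the sample usage and dumpe2fs text is constructed.

```shell
#!/bin/sh
# Added example: preflight for the two verity prerequisites from this thread.
# Function names are hypothetical; all sample text below is constructed.

# True if the fsverity usage text on stdin advertises --block-size.
fsverity_has_block_size() {
    grep -q -e '--block-size'
}

# True if the "Filesystem features:" line of `dumpe2fs -h` output lists verity.
ext4_has_verity_feature() {
    awk '/^Filesystem features:/ {
             for (i = 3; i <= NF; i++) if ($i == "verity") found = 1
         }
         END { exit !found }'
}

# $1 = fsverity usage text, $2 = dumpe2fs -h text.
# Prints "ok" or "not run: <each missing prerequisite>"; returns 0 or 1.
verity_preflight() {
    reasons=""
    printf '%s\n' "$1" | fsverity_has_block_size ||
        reasons="fsverity lacks --block-size"
    printf '%s\n' "$2" | ext4_has_verity_feature ||
        reasons="${reasons:+$reasons; }ext4 verity feature not set (tune2fs -O verity)"
    if [ -z "$reasons" ]; then
        echo "ok"
        return 0
    fi
    echo "not run: $reasons"
    return 1
}

# Constructed samples standing in for real tool output.
OLD_USAGE='Usage:
  fsverity enable FILE [--hash-alg=HASH_ALG] [--salt=SALT]'
NEW_USAGE='Usage:
  fsverity enable FILE [--hash-alg=HASH_ALG] [--block-size=BLOCK_SIZE]'
FEATURES_PLAIN='Filesystem features:      has_journal ext_attr extent 64bit'
FEATURES_VERITY='Filesystem features:      has_journal ext_attr extent 64bit verity'

# Live use (assumes fsverity and dumpe2fs are installed; /dev/vdc as in the
# log quoted above):
#   verity_preflight "$(fsverity --help 2>&1)" "$(dumpe2fs -h /dev/vdc 2>/dev/null)"
```

Reporting both missing prerequisites in one message avoids the sequence seen in the thread, where fixing the feature flag still left the tests failing for a second, unreported reason.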




