On Thu, Jun 22, 2023 at 12:52 PM Alexander Larsson <alexl@xxxxxxxxxx> wrote:
>
> On Thu, Jun 22, 2023 at 11:37 AM Amir Goldstein <amir73il@xxxxxxxxx> wrote:
> >
> > On Wed, Jun 14, 2023 at 10:17 AM Alexander Larsson <alexl@xxxxxxxxxx> wrote:
> > >
> > > On Wed, Jun 14, 2023 at 8:14 AM Amir Goldstein <amir73il@xxxxxxxxx> wrote:
> > > >
> > > > On Mon, Jun 12, 2023 at 5:54 PM Alexander Larsson <alexl@xxxxxxxxxx> wrote:
> > > > >
> > > > > On Mon, Jun 12, 2023 at 1:09 PM Alexander Larsson <alexl@xxxxxxxxxx> wrote:
> > > > > >
> > > > > > On Mon, Jun 12, 2023 at 12:54 PM Amir Goldstein <amir73il@xxxxxxxxx> wrote:
> > > > > > >
> > > > > > > On Mon, Jun 12, 2023 at 1:27 PM Alexander Larsson <alexl@xxxxxxxxxx> wrote:
> > > > > > > >
> > > > > > > > This patchset adds support for using fs-verity to validate lowerdata
> > > > > > > > files by specifying an overlay.verity xattr on the metacopy
> > > > > > > > files.
> > > > > > > >
> > > > > > > > This is primarily motivated by the Composefs usecase, where there will
> > > > > > > > be a read-only EROFS layer that contains redirect into a base data
> > > > > > > > layer which has fs-verity enabled on all files. However, it is also
> > > > > > > > useful in general if you want to ensure that the lowerdata files
> > > > > > > > matches the expected content over time.
> > > > > > > >
> > > > > > > > I have also added some tests for this feature to xfstests[1].
> > > > > > >
> > > > > > > I can't remember if there is a good reason why your test does
> > > > > > > not include verify in a data-only layer.
> > > > > > >
> > > > > > > I think this test coverage needs to be added.
> > > > > >
> > > > > > Yeah. I'll add that.
> > > > >
> > > > > Updated the git branch with some lowerdata tests.
> > > > >
> > > >
> > > > What do I need to do in order to enable verity on ext4 besides
> > > > enabling FS_VERITY in the kernel?
> > > >
> > > > I'm getting these on verity tests on ext4 in the default 4k config.
> > > > _require_scratch_verity() doesn't mention any requirement other
> > > > than 4K blocks and extent format files.
> > > >
> > > > Thanks,
> > > > Amir.
> > > >
> > > > BEGIN TEST 4k (10 tests): Ext4 4k block Wed Jun 14 06:04:25 UTC 2023
> > > > DEVICE: /dev/vdb
> > > > EXT_MKFS_OPTIONS: -b 4096
> > > > EXT_MOUNT_OPTIONS: -o block_validity
> > > > FSTYP -- ext4
> > > > PLATFORM -- Linux/x86_64 kvm-xfstests
> > > > 6.4.0-rc2-xfstests-00026-g35774ba7f07c #1596 SMP PREEMPT_DYNAMIC Tue
> > > > Jun 13 18:16:59 IDT 2023
> > > > MKFS_OPTIONS -- -F -q -b 4096 /dev/vdc
> > > > MOUNT_OPTIONS -- -o acl,user_xattr -o block_validity /dev/vdc /vdc
> > > >
> > > > generic/572 [06:04:42] [06:04:47] [not run]
> > > > generic/572 -- ext4 verity isn't usable by default with these mkfs options
> > > > ...
> > >
> > > You need to "tune2fs -O verity" (or pass -O verity to mkfs.ext4).
> > >
> >
> > That was indeed missing in my setup, but it did not fix the problem.
> >
> > Turned out that I had a very old version of fsverity installed in my
> > kvm-xfstest test VM, where there is no --block-size option to
> > fsverity enable would always fail.
> >
> > Eric,
> >
> > You may consider adding a check for minimal version of
> > fsverity or check for support of --block-size option to make
> > this error reason more clear for testers.
> >
> > Ted,
> >
> > FYI, FSVERITY_GIT in fstests-bld/config points to an out of date URL
> >
> > How come there is no ext4/cfg/verity in fstests-bld?
> > Are you guys not testing fsverity with fstests-bld?
> > Should we just add fsverity config or add verity to ext4/cfg/encrypt
> > instead to avoid growing the test matrix?
> >
> > I can send patches for fstests-bld fixing the above if you like.
> >
> > Alex,
> >
> > Verified that your verity-tests2 work as expected with v5 patches.
>
> To be honest I have not validated that my changes to the shared verity
> code still work with the non-overlayfs tests. If you have a setup for
> it, it would be great if you could try the regular ext4 w/ fs-verity
> tests on top of the verity-test2 branch.
>

There is no problem with "./check -g verity" on ext4, those tests pass.

However, "./check -overlay -g generic/verity" fails several tests:
Failures: generic/572 generic/573 generic/574 generic/575 generic/577

because _require_scratch_verity falsely claims that overlay (over ext4)
supports verify, but then FS_IOC_ENABLE_VERITY actually fails
during the test.

Instead of changing _require_scratch_verity() as you did,
you should consider passing optional arguments, e.g.:

    local fstyp=${1:-$FSTYP}

and calling it from _require_scratch_overlay_verity()
with the $OVL_BASE_* values.

Thanks,
Amir.