1 files changed, 215 insertions, 0 deletions
diff --git a/test/units/TEST-50-DISSECT.sh b/test/units/TEST-50-DISSECT.sh
new file mode 100755
index 0000000..0e378a8
--- /dev/null
+++ b/test/units/TEST-50-DISSECT.sh
@@ -0,0 +1,215 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+set -o pipefail
+
+# shellcheck source=test/units/test-control.sh
+. "$(dirname "$0")"/test-control.sh
+
+# shellcheck source=test/units/util.sh
+. "$(dirname "$0")"/util.sh
+
+# Setup shared stuff & run all subtests
+
+at_exit() {
+    set +e
+
+    if [[ -z "${IMAGE_DIR:-}" ]]; then
+        return
+    fi
+
+    while read -r dir; do
+        if mountpoint -q "$dir"; then
+            umount -Rv "$dir"
+        fi
+    done < <(find "${IMAGE_DIR}" -mindepth 1 -maxdepth 1 -type d)
+
+    rm -rf "$IMAGE_DIR"
+}
+
+trap at_exit EXIT
+
+: "Setup base images"
+
+export SYSTEMD_LOG_LEVEL=debug
+export ARCHITECTURE
+export IMAGE_DIR
+export MACHINE
+export MINIMAL_IMAGE
+export MINIMAL_IMAGE_ROOTHASH
+export OPENSSL_CONFIG
+export OS_RELEASE
+export ROOT_GUID
+export SIGNATURE_GUID
+export VERITY_GUID
+
+machine="$(uname -m)"
+if [[ "$machine" == "x86_64" ]]; then
+    ROOT_GUID=4f68bce3-e8cd-4db1-96e7-fbcaf984b709
+    VERITY_GUID=2c7357ed-ebd2-46d9-aec1-23d437ec2bf5
+    SIGNATURE_GUID=41092b05-9fc8-4523-994f-2def0408b176
+    ARCHITECTURE="x86-64"
+elif [[ "$machine" =~ ^(i386|i686|x86)$ ]]; then
+    ROOT_GUID=44479540-f297-41b2-9af7-d131d5f0458a
+    VERITY_GUID=d13c5d3b-b5d1-422a-b29f-9454fdc89d76
+    SIGNATURE_GUID=5996fc05-109c-48de-808b-23fa0830b676
+    ARCHITECTURE="x86"
+elif [[ "$machine" =~ ^(aarch64|aarch64_be|armv8b|armv8l)$ ]]; then
+    ROOT_GUID=b921b045-1df0-41c3-af44-4c6f280d3fae
+    VERITY_GUID=df3300ce-d69f-4c92-978c-9bfb0f38d820
+    SIGNATURE_GUID=6db69de6-29f4-4758-a7a5-962190f00ce3
+    ARCHITECTURE="arm64"
+elif [[ "$machine" == "arm" ]]; then
+    ROOT_GUID=69dad710-2ce4-4e3c-b16c-21a1d49abed3
+    VERITY_GUID=7386cdf2-203c-47a9-a498-f2ecce45a2d6
+    SIGNATURE_GUID=42b0455f-eb11-491d-98d3-56145ba9d037
+    ARCHITECTURE="arm"
+elif [[ "$machine" == "ia64" ]]; then
+    ROOT_GUID=993d8d3d-f80e-4225-855a-9daf8ed7ea97
+    VERITY_GUID=86ed10d5-b607-45bb-8957-d350f23d0571
+    SIGNATURE_GUID=e98b36ee-32ba-4882-9b12-0ce14655f46a
+    ARCHITECTURE="ia64"
+elif [[ "$machine" == "loongarch64" ]]; then
+    ROOT_GUID=77055800-792c-4f94-b39a-98c91b762bb6
+    VERITY_GUID=f3393b22-e9af-4613-a948-9d3bfbd0c535
+    SIGNATURE_GUID=5afb67eb-ecc8-4f85-ae8e-ac1e7c50e7d0
+    ARCHITECTURE="loongarch64"
+elif [[ "$machine" == "s390x" ]]; then
+    ROOT_GUID=5eead9a9-fe09-4a1e-a1d7-520d00531306
+    VERITY_GUID=b325bfbe-c7be-4ab8-8357-139e652d2f6b
+    SIGNATURE_GUID=c80187a5-73a3-491a-901a-017c3fa953e9
+    ARCHITECTURE="s390x"
+elif [[ "$machine" == "ppc64le" ]]; then
+    ROOT_GUID=c31c45e6-3f39-412e-80fb-4809c4980599
+    VERITY_GUID=906bd944-4589-4aae-a4e4-dd983917446a
+    SIGNATURE_GUID=d4a236e7-e873-4c07-bf1d-bf6cf7f1c3c6
+    ARCHITECTURE="ppc64-le"
+elif [[ "$machine" == "riscv64" ]]; then
+    ROOT_GUID=72ec70a6-cf74-40e6-bd49-4bda08e8f224
+    VERITY_GUID=b6ed5582-440b-4209-b8da-5ff7c419ea3d
+    SIGNATURE_GUID=efe0f087-ea8d-4469-821a-4c2a96a8386a
+    ARCHITECTURE="riscv64"
+elif [[ "$machine" == "riscv32" ]]; then
+    ROOT_GUID=60d5a7fe-8e7d-435c-b714-3dd8162144e1
+    VERITY_GUID=ae0253be-1167-4007-ac68-43926c14c5de
+    SIGNATURE_GUID=3a112a75-8729-4380-b4cf-764d79934448
+    ARCHITECTURE="riscv32"
+else
+    echo "Unexpected uname -m: $machine in TEST-50-DISSECT.sh, please fix me"
+    exit 1
+fi
+
+udevadm control --log-level=debug
+
+IMAGE_DIR="$(mktemp -d --tmpdir="" TEST-50-IMAGES.XXX)"
+cp -v /usr/share/minimal* "$IMAGE_DIR/"
+MINIMAL_IMAGE="$IMAGE_DIR/minimal_0"
+MINIMAL_IMAGE_ROOTHASH="$(<"$MINIMAL_IMAGE.roothash")"
+
+install_extension_images
+
+OS_RELEASE="$(test -e /etc/os-release && echo /etc/os-release || echo /usr/lib/os-release)"
+
+if systemctl --version | grep -q -- +OPENSSL ; then
+    # The openssl binary is installed conditionally. If we have OpenSSL support enabled and openssl is
+    # missing, fail early with a proper error message.
+    if ! command -v openssl &>/dev/null; then
+        echo "openssl binary is missing" >/failed
+        exit 1
+    fi
+
+    OPENSSL_CONFIG="$(mktemp)"
+    # Unfortunately OpenSSL insists on reading some config file, hence provide one with mostly placeholder contents
+    cat >"${OPENSSL_CONFIG:?}" <<EOF
+[ req ]
+prompt = no
+distinguished_name = req_distinguished_name
+
+[ req_distinguished_name ]
+C = DE
+ST = Test State
+L = Test Locality
+O = Org Name
+OU = Org Unit Name
+CN = Common Name
+emailAddress = test@email.com
+EOF
+fi
+
+# Make a GPT disk on the fly, with the squashfs as partition 1 and the verity hash tree as partition 2
+#
+# du rounds up to block size, which is more helpful for partitioning
+root_size="$(du --apparent-size -k "$MINIMAL_IMAGE.raw" | cut -f1)"
+verity_size="$(du --apparent-size -k "$MINIMAL_IMAGE.verity" | cut -f1)"
+signature_size=4
+# 4MB seems to be the minimum size blkid will accept, below that probing fails
+dd if=/dev/zero of="$MINIMAL_IMAGE.gpt" bs=512 count=$((8192+root_size*2+verity_size*2+signature_size*2))
+# sfdisk seems unhappy if the size overflows into the next unit, eg: 1580KiB will be interpreted as 1MiB
+# so do some basic rounding up if the minimal image is more than 1 MB
+if [[ "$root_size" -ge 1024 ]]; then
+    root_size="$((root_size/1024 + 1))MiB"
+else
+    root_size="${root_size}KiB"
+fi
+verity_size="$((verity_size * 2))KiB"
+signature_size="$((signature_size * 2))KiB"
+
+if [[ -n "${OPENSSL_CONFIG:-}" ]]; then
+    # Create key pair
+    openssl req -config "$OPENSSL_CONFIG" -new -x509 -newkey rsa:1024 \
+                -keyout "$MINIMAL_IMAGE.key" -out "$MINIMAL_IMAGE.crt" -days 365 -nodes
+    # Sign Verity root hash with it
+    openssl smime -sign -nocerts -noattr -binary \
+                  -in "$MINIMAL_IMAGE.roothash" \
+                  -inkey "$MINIMAL_IMAGE.key" \
+                  -signer "$MINIMAL_IMAGE.crt" \
+                  -outform der \
+                  -out "$MINIMAL_IMAGE.roothash.p7s"
+    # Generate signature partition JSON data
+    echo '{"rootHash":"'"$MINIMAL_IMAGE_ROOTHASH"'","signature":"'"$(base64 -w 0 <"$MINIMAL_IMAGE.roothash.p7s")"'"}' >"$MINIMAL_IMAGE.verity-sig"
+    # Pad it
+    truncate -s "$signature_size" "$MINIMAL_IMAGE.verity-sig"
+    # Register certificate in the (userspace) verity key ring
+    mkdir -p /run/verity.d
+    ln -s "$MINIMAL_IMAGE.crt" /run/verity.d/ok.crt
+fi
+
+# Construct a UUID from hash
+# input:  11111111222233334444555566667777
+# output: 11111111-2222-3333-4444-555566667777
+uuid="$(head -c 32 "$MINIMAL_IMAGE.roothash" | sed -r 's/(.{8})(.{4})(.{4})(.{4})(.+)/\1-\2-\3-\4-\5/')"
+echo -e "label: gpt\nsize=$root_size, type=$ROOT_GUID, uuid=$uuid" | sfdisk "$MINIMAL_IMAGE.gpt"
+uuid="$(tail -c 32 "$MINIMAL_IMAGE.roothash" | sed -r 's/(.{8})(.{4})(.{4})(.{4})(.+)/\1-\2-\3-\4-\5/')"
+echo -e "size=$verity_size, type=$VERITY_GUID, uuid=$uuid" | sfdisk "$MINIMAL_IMAGE.gpt" --append
+if [[ -n "${OPENSSL_CONFIG:-}" ]]; then
+    echo -e "size=$signature_size, type=$SIGNATURE_GUID" | sfdisk "$MINIMAL_IMAGE.gpt" --append
+fi
+sfdisk --part-label "$MINIMAL_IMAGE.gpt" 1 "Root Partition"
+sfdisk --part-label "$MINIMAL_IMAGE.gpt" 2 "Verity Partition"
+if [[ -n "${OPENSSL_CONFIG:-}" ]]; then
+    sfdisk --part-label "$MINIMAL_IMAGE.gpt" 3 "Signature Partition"
+fi
+loop="$(losetup --show -P -f "$MINIMAL_IMAGE.gpt")"
+partitions=(
+    "${loop:?}p1"
+    "${loop:?}p2"
+)
+if [[ -n "${OPENSSL_CONFIG:-}" ]]; then
+    partitions+=("${loop:?}p3")
+fi
+# The kernel sometimes(?) does not emit "add" uevent for loop block partition devices.
+# Let's not expect the devices to be initialized.
+udevadm wait --timeout 60 --settle --initialized=no "${partitions[@]}"
+udevadm lock --device="${loop}p1" dd if="$MINIMAL_IMAGE.raw" of="${loop}p1"
+udevadm lock --device="${loop}p2" dd if="$MINIMAL_IMAGE.verity" of="${loop}p2"
+if [[ -n "${OPENSSL_CONFIG:-}" ]]; then
+    udevadm lock --device="${loop}p3" dd if="$MINIMAL_IMAGE.verity-sig" of="${loop}p3"
+fi
+losetup -d "$loop"
+udevadm settle --timeout=60
+
+: "Run subtests"
+
+run_subtests
+
+touch /testok