The reverted commit illegitimately uses tpm2-tools. External dependencies are
absolutely forbidden from these tests. There is also the problem that
clearing is not necessarily wanted behavior if the test/target computer is
not used solely for testing.
Fixes: a9920d3bad40 ("tpm: selftest: cleanup after unseal with wrong auth/policy test")
Cc: Tadeusz Struk <tadeusz.struk(a)intel.com>
Cc: stable(a)vger.kernel.org
Cc: linux-integrity(a)vger.kernel.org
Cc: linux-kselftest(a)vger.kernel.org
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen(a)linux.intel.com>
---
tools/testing/selftests/tpm2/test_smoke.sh | 5 -----
1 file changed, 5 deletions(-)
diff --git a/tools/testing/selftests/tpm2/test_smoke.sh b/tools/testing/selftests/tpm2/test_smoke.sh
index 663062701d5a..79f8e9da5d21 100755
--- a/tools/testing/selftests/tpm2/test_smoke.sh
+++ b/tools/testing/selftests/tpm2/test_smoke.sh
@@ -8,8 +8,3 @@ ksft_skip=4
python -m unittest -v tpm2_tests.SmokeTest
python -m unittest -v tpm2_tests.AsyncTest
-
-CLEAR_CMD=$(which tpm2_clear)
-if [ -n $CLEAR_CMD ]; then
- tpm2_clear -T device
-fi
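Review bot: dropping the whole block rather than repairing it is the right call, because the removed guard `if [ -n $CLEAR_CMD ]; then` was itself unreliable: with `$CLEAR_CMD` unquoted, an empty `which tpm2_clear` result collapses the test to `[ -n ]`, which evaluates true, so `tpm2_clear -T device` would have been attempted even on a machine without tpm2-tools, and on a machine that has them it would clear the TPM, which the commit message notes is unacceptable when the box is not used solely for testing. The deletion leaves `python -m unittest -v tpm2_tests.AsyncTest` as the last line of the script, so the exit status of the script is now that of the final unittest invocation, which is what the kselftest runner expects.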
--
2.25.1
This patch set adds the new "strict mode" functionality to the Virtual
Routing and Forwarding infrastructure (VRF). Hereafter we discuss the
requirements and the main features of the "strict mode" for VRF.
On VRF creation, it is necessary to specify the associated routing table used
during the lookup operations. Currently, there is no mechanism that avoids
creating multiple VRFs sharing the same routing table. In other words, it is not
possible to force a one-to-one relationship between a specific VRF and the table
associated with it.
The "strict mode" imposes that each VRF can be associated with a routing table
only if that routing table is not already in use by any other VRF.
In particular, the strict mode ensures that:
1) given a specific routing table, the VRF (if it exists) is uniquely identified;
2) given a specific VRF, the related table is not shared with any other VRF.
Constraints (1) and (2) force a one-to-one relationship between each VRF and the
corresponding routing table.
The strict mode feature is designed to be network-namespace aware and it can be
directly enabled/disabled acting on the "strict_mode" parameter.
Read and write operations are carried out through the classic sysctl command on
net.vrf.strict_mode path, i.e: sysctl -w net.vrf.strict_mode=1.
Only two distinct values {0,1} are accepted by the strict_mode parameter:
- with strict_mode=0, multiple VRFs can be associated with the same table.
This is the (legacy) default kernel behavior, the same that we experience
when the strict mode patch set is not applied;
- with strict_mode=1, the one-to-one relationship between the VRFs and the
associated tables is guaranteed. In this configuration, the creation of a VRF
which refers to a routing table already associated with another VRF fails and
the error is returned to the user.
The kernel keeps track of the associations between a VRF and the routing table
during the VRF setup, in the "management" plane. Therefore, the strict mode does
not impact the performance or the intrinsic functionality of the data plane in
any way.
When the strict mode is active it is always possible to disable the strict mode,
while the reverse operation is not always allowed.
Setting the strict_mode parameter to 0 is equivalent to removing the one-to-one
constraint between any single VRF and its associated routing table.
Conversely, if the strict mode is disabled and there are multiple VRFs that
refer to the same routing table, then it is prohibited to set the strict_mode
parameter to 1. In this configuration, any attempt to perform the operation will
lead to an error and it will be reported to the user.
To enable strict mode once again (by setting the strict_mode parameter to 1),
you must first remove all the VRFs that share common tables.
There are several use cases which can take advantage of the introduction of
the strict mode feature. In particular, the strict mode allows us to:
i) guarantee the proper functioning of some applications which deal with
routing protocols;
ii) perform some tunneling decap operations which require the use of specific
routing tables for segregating and forwarding the traffic.
Considering (i), the creation of different VRFs that point to the same table
leads to the situation where two different routing entities believe they have
exclusive access to the same table. This leads to the situation where different
routing daemons can conflict for gaining routes control due to overlapping
tables. By enabling strict mode it is possible to prevent this situation which
often occurs due to incorrect configurations done by the users.
The ability to enable/disable the strict mode functionality does not depend on
the tool used for configuring the networking. In essence, the strict mode patch
solves, at the kernel level, what some other patches [1] had tried to solve at
the userspace level (using only iproute2) with all the related problems.
Considering (ii), the introduction of the strict mode functionality allows us
to implement the SRv6 End.DT4 behavior. Such behavior terminates a SR tunnel and
it forwards the IPv4 traffic according to the routes present in the routing
table supplied during the configuration. The SRv6 End.DT4 can be realized by
exploiting the routing capabilities made available by the VRF infrastructure.
This behavior could leverage a specific VRF for forcing the traffic to be
forwarded in accordance with the routes available in the VRF table.
Anyway, in order to make the End.DT4 properly work, it must be guaranteed that
the table used for the route lookup operations is bound to one and only one VRF.
In this way, it is possible to use the table for uniquely retrieving the
associated VRF and for routing packets.
I would like to thank David Ahern for his constant and valuable support during
the design and development phases of this patch set.
Comments, suggestions and improvements are very welcome!
Thanks,
Andrea Mayer
v1
l3mdev: add infrastructure for table to VRF mapping
- define l3mdev_lock as static, thanks to Jakub Kicinski;
- move lookup_by_table_id_t from l3mdev.c to l3mdev.h and update the
l3mdev_dev_table_lookup_{un}register functions accordingly, thanks to
David Ahern.
vrf: track associations between VRF devices and tables
- change shared_tables type from 'int' to 'u32', thanks to Stephen Hemminger
and David Ahern;
- update comments for share_tables.
vrf: add sysctl parameter for strict mode
- change type 'void __user *buffer' to 'void *buffer' in argument 3 of
vrf_shared_table_handler function, thanks to Jakub Kicinski.
[1] https://lore.kernel.org/netdev/20200307205916.15646-1-sharpd@cumulusnetwork…
Andrea Mayer (5):
l3mdev: add infrastructure for table to VRF mapping
vrf: track associations between VRF devices and tables
vrf: add sysctl parameter for strict mode
vrf: add l3mdev registration for table to VRF device lookup
selftests: add selftest for the VRF strict mode
drivers/net/vrf.c | 450 +++++++++++++++++-
include/net/l3mdev.h | 39 ++
net/l3mdev/l3mdev.c | 93 ++++
.../selftests/net/vrf_strict_mode_test.sh | 390 +++++++++++++++
4 files changed, 963 insertions(+), 9 deletions(-)
create mode 100755 tools/testing/selftests/net/vrf_strict_mode_test.sh
--
2.20.1
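The rules the cover letter describes (VRFs may share a table while strict_mode=0, strict_mode=1 cannot be set while any table is shared, and under strict mode a VRF cannot be created on a table that is already bound) can be exercised without a kernel. The following is an added example, not the vrf.c or l3mdev code from the patch set: it is a user-space model of the management-plane bookkeeping, in which the shared_tables counter, the errno values (EBUSY/EEXIST/EINVAL) and the rule that the table-to-VRF lookup answers only under strict mode are assumptions of the model rather than facts taken from the patches.

```python
"""Model of VRF "strict mode" table accounting (added example, not kernel code)."""
import errno
from collections import Counter

# errno values are this model's choice, not necessarily what vrf.c returns.
EBUSY, EEXIST, EINVAL = errno.EBUSY, errno.EEXIST, errno.EINVAL


class VrfError(OSError):
    """Carries the errno value that would be returned to user space."""


class VrfTableRegistry:
    """Management-plane bookkeeping of VRF <-> routing-table associations."""

    def __init__(self):
        self.strict_mode = 0           # models net.vrf.strict_mode (0 or 1)
        self._vrf_to_table = {}        # VRF name -> table id
        self._table_users = Counter()  # table id -> number of VRFs bound to it

    @property
    def shared_tables(self):
        """Tables bound to more than one VRF (what the patch counts as shared_tables)."""
        return sum(1 for n in self._table_users.values() if n > 1)

    def add_vrf(self, name, table):
        """VRF creation: refused under strict mode if the table is already bound."""
        if name in self._vrf_to_table:
            raise VrfError(EEXIST, "VRF %s already exists" % name)
        if self.strict_mode and self._table_users[table]:
            raise VrfError(EBUSY, "table %d already bound to another VRF" % table)
        self._vrf_to_table[name] = table
        self._table_users[table] += 1

    def del_vrf(self, name):
        """VRF removal releases its table binding."""
        table = self._vrf_to_table.pop(name)
        self._table_users[table] -= 1
        if not self._table_users[table]:
            del self._table_users[table]

    def set_strict_mode(self, value):
        """sysctl write: disabling always works, enabling needs no shared tables."""
        if value not in (0, 1):
            raise VrfError(EINVAL, "strict_mode accepts only 0 or 1")
        if value == 1 and self.shared_tables:
            raise VrfError(EBUSY, "%d table(s) shared between VRFs" % self.shared_tables)
        self.strict_mode = value

    def vrf_for_table(self, table):
        """Table -> VRF lookup, answered only when strict mode makes it unique
        (an assumption of this model, following the End.DT4 requirement)."""
        if not self.strict_mode:
            return None
        for name, bound in self._vrf_to_table.items():
            if bound == table:
                return name
        return None


def errno_of(fn, *args):
    """Run fn(*args); return 0 on success or the errno it raised."""
    try:
        fn(*args)
    except VrfError as e:
        return e.errno
    return 0


def walkthrough():
    """Replay the scenarios from the cover letter and collect each outcome."""
    reg = VrfTableRegistry()
    results = {}
    # legacy behavior: two VRFs may point at the same table
    results["share_while_legacy"] = (errno_of(reg.add_vrf, "vrf-a", 100),
                                     errno_of(reg.add_vrf, "vrf-b", 100))
    # enabling strict mode is refused while table 100 is shared
    results["enable_with_shared"] = errno_of(reg.set_strict_mode, 1)
    # remove the sharing VRF, then enabling succeeds
    reg.del_vrf("vrf-b")
    results["enable_after_cleanup"] = errno_of(reg.set_strict_mode, 1)
    # under strict mode a new VRF on a bound table fails, a free table works
    results["create_on_bound_table"] = errno_of(reg.add_vrf, "vrf-c", 100)
    results["create_on_free_table"] = errno_of(reg.add_vrf, "vrf-c", 200)
    results["lookup_200"] = reg.vrf_for_table(200)
    # disabling strict mode is always allowed
    results["disable_always_ok"] = errno_of(reg.set_strict_mode, 0)
    return results


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print("%-24s %r" % (key, value))
```

The model keeps a per-table user count rather than a list of VRFs, which is enough to answer both questions the sysctl handler and the VRF creation path need: "is this table already bound?" and "is any table shared right now?".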
Hi Linus,
Please pull the Kunit update for Linux 5.8-rc12.
This Kunit update for Linux 5.8-rc2 consists of:
- Adds a generic kunit_resource API extending it to support
resources that are passed in to kunit in addition to kunit
allocated resources. In addition, KUnit resources are now
refcounted to avoid passed in resources being released while
in use by kunit.
- Add support for named resources.
diff is attached.
thanks,
-- Shuah
----------------------------------------------------------------
The following changes since commit b3a9e3b9622ae10064826dccb4f7a52bd88c7407:
Linux 5.8-rc1 (2020-06-14 12:45:04 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
tags/linux-kselftest-kunit-5.8-rc2
for you to fetch changes up to 7bf200b3a4ac10b1b0376c70b8c66ed39eae7cdd:
kunit: add support for named resources (2020-06-15 09:31:23 -0600)
----------------------------------------------------------------
linux-kselftest-kunit-5.8-rc2
This Kunit update for Linux 5.8-rc2 consists of:
- Adds a generic kunit_resource API extending it to support
resources that are passed in to kunit in addition to kunit
allocated resources. In addition, KUnit resources are now
refcounted to avoid passed in resources being released while
in use by kunit.
- Add support for named resources.
----------------------------------------------------------------
Alan Maguire (2):
kunit: generalize kunit_resource API beyond allocated resources
kunit: add support for named resources
include/kunit/test.h | 210 +++++++++++++++++++++++++++++++++++++++-------
lib/kunit/kunit-test.c | 111 +++++++++++++++++++-----
lib/kunit/string-stream.c | 14 ++--
lib/kunit/test.c | 171 ++++++++++++++++++++++---------------
4 files changed, 380 insertions(+), 126 deletions(-)
----------------------------------------------------------------
Hi Petr,
Given the realization about kernel log timestamps and partial log
comparison with v2, I respun a final version dropping the dmesg --notime
patch, fixed any rebase conflicts, and added a comment per your
suggestion.
I copied all the ack and review tags from v2 since the patchset is
unchanged otherwise. Hopefully this v3 minimizes any maintainer
fiddling on your end.
I did iterate through the patches and verified that I could run each
multiple times without the dmesg comparison getting confused.
Thanks,
-- Joe
v3:
- when modifying the dmesg comparison to select only new messages in
patch 1, add a comment explaining the importance of timestamps to
accurately pick from where the log left off at start_test [pmladek]
- since Petr determined that the timestamps were in fact very important
to maintain for the dmesg / diff comparison, drop the patch which
added --notime to dmesg invocations [pmladek]
- update the comparison regex filter for 'livepatch:' now that it's
going to be prefixed by '[timestamp] ' and no longer at the start of
the buffer line. This part of the log comparison should now be
unmodified by the patchset.
Joe Lawrence (3):
selftests/livepatch: Don't clear dmesg when running tests
selftests/livepatch: refine dmesg 'taints' in dmesg comparison
selftests/livepatch: add test delimiter to dmesg
tools/testing/selftests/livepatch/README | 16 +++---
.../testing/selftests/livepatch/functions.sh | 37 ++++++++++++-
.../selftests/livepatch/test-callbacks.sh | 55 ++++---------------
.../selftests/livepatch/test-ftrace.sh | 4 +-
.../selftests/livepatch/test-livepatch.sh | 12 +---
.../selftests/livepatch/test-shadow-vars.sh | 4 +-
.../testing/selftests/livepatch/test-state.sh | 21 +++----
7 files changed, 68 insertions(+), 81 deletions(-)
--
2.21.3
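The changelog above describes the technique without showing it: instead of clearing dmesg before each test, record where the log left off at test start and later compare only the lines that are newer, which is why the timestamps had to stay. The following is an added example written for this page, not the functions.sh from the livepatch selftests: the dmesg lines are constructed, the cursor is the timestamp of the last line seen before the test (an assumption of this example), and the 'livepatch:' filter tolerates the "[timestamp] " prefix that now precedes the marker.

```python
"""Select only the kernel log lines produced during a test (added example)."""
import re

# Default dmesg line shape: "[   12.345678] message".
TS_LINE = re.compile(r'^\[\s*(\d+\.\d+)\]\s?(.*)$')
# Filter that tolerates the "[timestamp] " prefix in front of the marker.
LIVEPATCH_LINE = re.compile(r'^\[[^\]]*\]\s*livepatch:')


def last_timestamp(lines):
    """Timestamp of the last line in a snapshot taken before the test (-1 if none)."""
    ts = -1.0
    for line in lines:
        m = TS_LINE.match(line)
        if m:
            ts = float(m.group(1))
    return ts


def lines_since(lines, start_ts):
    """Keep only lines strictly newer than start_ts.

    Messages that share start_ts exactly are dropped; that is the limitation
    of using the last timestamp alone as the cursor.
    """
    return [line for line in lines
            if (m := TS_LINE.match(line)) and float(m.group(1)) > start_ts]


def livepatch_messages(lines):
    """Select 'livepatch:' lines and strip the timestamp so the result can be
    diffed against an expected block that carries no timestamps."""
    return [TS_LINE.match(line).group(2)
            for line in lines if LIVEPATCH_LINE.match(line)]


# Constructed samples: a previous run left messages in the buffer, and the
# test under observation adds more, interleaved with unrelated kernel output.
PRE_TEST = [
    "[   10.100000] livepatch: enabling patch 'test_klp_livepatch'",
    "[   10.200000] livepatch: 'test_klp_livepatch': patching complete",
    "[   11.000000] test_klp_livepatch: module unloaded",
]
POST_TEST = PRE_TEST + [
    "[   12.000000] livepatch: enabling patch 'test_klp_livepatch'",
    "[   12.100000] livepatch: 'test_klp_livepatch': initializing patching transition",
    "[   12.150000] usb 1-1: new high-speed USB device number 2 using xhci_hcd",
    "[   12.200000] livepatch: 'test_klp_livepatch': patching complete",
]


def compare_run(pre=PRE_TEST, post=POST_TEST):
    """What the comparison step would diff: livepatch lines newer than the cursor."""
    return livepatch_messages(lines_since(post, last_timestamp(pre)))


if __name__ == "__main__":
    for msg in compare_run():
        print(msg)
```

Running the same test twice works because the second run's cursor is the last timestamp of the first run's output, so the earlier block is never reported again; the only gap is a message that shares the cursor's exact timestamp, which a stricter implementation would handle by also remembering the cursor line's text.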
Hello!
This is a bit of thread-merge between [1] and [2]. tl;dr: add a way for
a seccomp user_notif process manager to inject files into the managed
process in order to handle emulation of various fd-returning syscalls
across security boundaries. Containers folks and Chrome are in need
of the feature, and investigating this solution uncovered (and fixed)
implementation issues with existing file sending routines.
I intend to carry this in the seccomp tree, unless someone has objections.
:) Please review and test!
-Kees
[1] https://lore.kernel.org/lkml/20200603011044.7972-1-sargun@sargun.me/
[2] https://lore.kernel.org/lkml/20200610045214.1175600-1-keescook@chromium.org/
Kees Cook (9):
net/scm: Regularize compat handling of scm_detach_fds()
fs: Move __scm_install_fd() to __fd_install_received()
fs: Add fd_install_received() wrapper for __fd_install_received()
pidfd: Replace open-coded partial fd_install_received()
fs: Expand __fd_install_received() to accept fd
selftests/seccomp: Make kcmp() less required
selftests/seccomp: Rename user_trap_syscall() to user_notif_syscall()
seccomp: Switch addfd to Extensible Argument ioctl
seccomp: Fix ioctl number for SECCOMP_IOCTL_NOTIF_ID_VALID
Sargun Dhillon (2):
seccomp: Introduce addfd ioctl to seccomp user notifier
selftests/seccomp: Test SECCOMP_IOCTL_NOTIF_ADDFD
fs/file.c | 65 ++++
include/linux/file.h | 16 +
include/uapi/linux/seccomp.h | 25 +-
kernel/pid.c | 11 +-
kernel/seccomp.c | 181 ++++++++-
net/compat.c | 55 ++-
net/core/scm.c | 50 +--
tools/testing/selftests/seccomp/seccomp_bpf.c | 350 +++++++++++++++---
8 files changed, 618 insertions(+), 135 deletions(-)
--
2.25.1
Commit 8b59cd81dc5 ("kbuild: ensure full rebuild when the compiler
is updated") added the environment variable CC_VERSION_TEXT, but
parse_from_string() doesn't expect a string in the value field, and this
causes the failure below:
[iha@bbking linux]$ tools/testing/kunit/kunit.py run --timeout=60
[00:20:12] Configuring KUnit Kernel ...
Generating .config ...
Traceback (most recent call last):
File "tools/testing/kunit/kunit.py", line 347, in <module>
main(sys.argv[1:])
File "tools/testing/kunit/kunit.py", line 257, in main
result = run_tests(linux, request)
File "tools/testing/kunit/kunit.py", line 134, in run_tests
config_result = config_tests(linux, config_request)
File "tools/testing/kunit/kunit.py", line 64, in config_tests
success = linux.build_reconfig(request.build_dir, request.make_options)
File "/home/iha/lkmp/linux/tools/testing/kunit/kunit_kernel.py", line 161, in build_reconfig
return self.build_config(build_dir, make_options)
File "/home/iha/lkmp/linux/tools/testing/kunit/kunit_kernel.py", line 145, in build_config
return self.validate_config(build_dir)
File "/home/iha/lkmp/linux/tools/testing/kunit/kunit_kernel.py", line 124, in validate_config
validated_kconfig.read_from_file(kconfig_path)
File "/home/iha/lkmp/linux/tools/testing/kunit/kunit_config.py", line 89, in read_from_file
self.parse_from_string(f.read())
File "/home/iha/lkmp/linux/tools/testing/kunit/kunit_config.py", line 85, in parse_from_string
raise KconfigParseError('Failed to parse: ' + line)
kunit_config.KconfigParseError: Failed to parse: CONFIG_CC_VERSION_TEXT="gcc (GCC) 10.1.1 20200507 (Red Hat 10.1.1-1)"
Signed-off-by: Vitor Massaru Iha <vitor(a)massaru.org>
---
v2:
- maintains CC_VERSION_TEXT in the .config file to ensure full rebuild
when the compiler is updated.
---
tools/testing/kunit/kunit_config.py | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/tools/testing/kunit/kunit_config.py b/tools/testing/kunit/kunit_config.py
index e75063d603b5..c407c7c6a2b0 100644
--- a/tools/testing/kunit/kunit_config.py
+++ b/tools/testing/kunit/kunit_config.py
@@ -81,6 +81,12 @@ class Kconfig(object):
if line[0] == '#':
continue
+
+ if 'CONFIG_CC_VERSION_TEXT' in line:
+ name, value = line.split('=')
+ entry = KconfigEntry(name, value)
+ self.add_entry(entry)
+ continue
else:
raise KconfigParseError('Failed to parse: ' + line)
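Review bot: `name, value = line.split('=')` in the added branch splits on every '=', so a CC_VERSION_TEXT value that itself contains an '=' would raise ValueError rather than KconfigParseError; `line.split('=', 1)` keeps the whole value. The substring check `'CONFIG_CC_VERSION_TEXT' in line` also special-cases one option: any other string option whose quoted value contains spaces would still reach the `raise` below, so extending the value regex used earlier in the function to accept a double-quoted string (`\S+|".*"`) would fix the class of failure rather than this one instance. Note too that the stored value keeps its surrounding quotes, which should match how the parser treats other quoted values, and that after this change the `else:` binds to the new `if` rather than to `if line[0] == '#':`, which works only because both branches end in `continue`.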
base-commit: 7bf200b3a4ac10b1b0376c70b8c66ed39eae7cdd
--
2.26.2
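The failure reported above comes from a value pattern that only accepts bare tokens, so a quoted string with spaces is rejected. The following is an added example, not the kunit_config.py from the kernel tree: it is a small .config parser that contrasts a bare-token value pattern with one that also accepts a double-quoted string, handles "# CONFIG_FOO is not set" and ordinary comment lines, and reports the first line a given pattern cannot parse. The sample .config fragment is constructed; the CC_VERSION_TEXT line copies the shape of the value quoted in the failure.

```python
"""Parser for Kconfig .config lines that accepts quoted string values (added example)."""
import re

# Bare-token values only: matches CONFIG_X=y but not a quoted string with spaces.
BARE_VALUE_PATTERN = re.compile(r'^CONFIG_(\w+)=(\S+)$')
# Bare token OR a double-quoted string (spaces and '=' inside the quotes are fine).
QUOTED_OK_PATTERN = re.compile(r'^CONFIG_(\w+)=(\S+|".*")$')
IS_NOT_SET_PATTERN = re.compile(r'^# CONFIG_(\w+) is not set$')


class KconfigParseError(Exception):
    """Raised for a line no pattern accepts; .line carries the offending text."""

    def __init__(self, line):
        super().__init__('Failed to parse: ' + line)
        self.line = line


def parse_config(blob, pattern=QUOTED_OK_PATTERN):
    """Return {option: value}; 'is not set' lines become 'n', comments are skipped."""
    entries = {}
    for line in blob.split('\n'):
        line = line.strip()
        if not line:
            continue
        m = pattern.match(line)
        if m:
            entries[m.group(1)] = m.group(2)
            continue
        m = IS_NOT_SET_PATTERN.match(line)
        if m:
            entries[m.group(1)] = 'n'
            continue
        if line.startswith('#'):
            continue
        raise KconfigParseError(line)
    return entries


def first_parse_failure(blob, pattern=QUOTED_OK_PATTERN):
    """The first line the given pattern cannot parse, or None if all lines parse."""
    try:
        parse_config(blob, pattern)
    except KconfigParseError as e:
        return e.line
    return None


# Constructed sample .config fragment.
SAMPLE_CONFIG = """\
#
# Automatically generated file; DO NOT EDIT.
#
CONFIG_CC_VERSION_TEXT="gcc (GCC) 10.1.1 20200507 (Red Hat 10.1.1-1)"
CONFIG_KUNIT=y
CONFIG_KUNIT_TEST=m
# CONFIG_KUNIT_EXAMPLE_TEST is not set
CONFIG_LOCALVERSION="-kunit"
CONFIG_CMDLINE="console=ttyS0 root=/dev/ram0"
"""

if __name__ == "__main__":
    print("bare pattern fails on:", first_parse_failure(SAMPLE_CONFIG, BARE_VALUE_PATTERN))
    for name, value in parse_config(SAMPLE_CONFIG).items():
        print(name, "=", value)
```

The CONFIG_CMDLINE line is included deliberately: its quoted value contains an '=', which is exactly the input a naive `line.split('=')` mishandles, whereas the anchored regex alternative `".*"` takes the whole quoted string as the value.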