- Linux-kselftest-mirror - lists.linaro.org

[PATCH v7 00/26] tcp: Initial support for RFC5925 auth option

by Leonard Crestez

This is similar to TCP-MD5 in functionality but it's sufficiently different that packet formats and interfaces are incompatible. Compared to TCP-MD5 more algorithms are supported and multiple keys can be used on the same connection but there is still no negotiation mechanism. Expected use-case is protecting long-duration BGP/LDP connections between routers using pre-shared keys. The goal of this series is to allow routers using the Linux TCP stack to interoperate with vendors such as Cisco and Juniper. An fully-featured userspace implementation using this patchset exists but it is not going to be published. A completely unrelated series that implements the same features was posted recently: https://lore.kernel.org/netdev/20220818170005.747015-1-dima@arista.com/ Despite receiving a few review comments from the people that worked on that series I had no idea that they had their own implementation. I never ran into an issue of conflicting patches before so don't know what to do about it. Maybe I should have moved faster? I've recently been talking with Phillip Paeps who is working on an BSD implementation of the same standard and he suggested sharing ABI in order to make userspace compatibility easier. The current ABI is entirely made up by me alone. A key difference versus MD5 is that keys are global rather than per-socket. Older versions had per-socket keys but in practice applications want to always use a consistent set of keys for communication with a specific peer and keeping those keys in sync from userspace is difficult and prone to races. The implementation from Arista uses per-socket keys and dumps additional difficulty on userspace, I consider both choices to be valid. Other vendors supporting TCP-AO implement a notion of a "key chain" roughly similar to what is described in RFC8177. The current ABI is sufficient to do the same but it requires a bunch of userspace work to add and delete keys at the appropriate time or mark them as "NOSEND" and "NORECV". Userspace also has to insert a "dummy" key when all other keys are expired in order to prevent unsigned traffic going through. This feature might be considerably easier to use from userspace if validity times were added in the kernel for each key. Here are some known flaws and limitations: * Crypto API is used with buffers on the stack and inside struct sock, this might not work on all arches. I'm currently only testing x64 VMs * Interaction with FASTOPEN not tested and unlikely to work because sequence number assumptions for syn/ack. * Traffic key is not cached (reducing performance) * No caching or hashing for key lookups so this will scale poorly with many keys * Overlaping MKTs can be configured despite what RFC5925 says * Current key can be deleted. RFC says this shouldn't be allowed but enforcing this belongs at an admin shell rather than in the kernel. * If multiple keys are valid for a destination the kernel picks one in an unpredictable manner (this can be overridden). There is deliberately very little code sharing with the TCP_MD5SIG feature because I wanted to avoid complex unrelated refactoring. Some testing support is included in nettest and fcnal-test.sh, similar to the current level of tcp-md5 testing. A more elaborate test suite using pytest and scapy is available out of tree: https://github.com/cdleonard/tcp-authopt-test There is an automatic system that runs that test suite in vagrant in gitlab-ci: https://gitlab.com/cdleonard/vagrantcpao That test suite fully covers the ABI of this patchset. Changes for frr (obsolete): https://github.com/FRRouting/frr/pull/9442 That PR was made early for ABI feedback, it has many issues. Changes for yabgp (obsolete): https://github.com/cdleonard/yabgp/commits/tcp_authopt This was used for interoperability testing with cisco. Would need updates for global keys to avoid leaks. Changes since PATCH v6: * Squash "remove unused noops" patch (forgot to do this before v5 send). * Make TCP_REPAIR_AUTHOPT fail if (!tp->repair) * Add {snd,rcv}_seq to struct tcp_repair_authopt next to {snd,rcv}_sne. The fact that internally snd_sne is maintained as a 64-bit extension of sne_nxt is a problem for TCP_REPAIR implementation in userspace which might not have access to snd_nxt during live traffic. By exposing a full 64-bit “recent sequence number” to userspace it's possible to ignore which exact SEQ number the SNE value is an extension of. * Fix ipv6_addr_is_prefix helper; it was incorrect and dependant on uninitialized stack memory. This was caught by test suite after many rebases. * Implement ipv4-mapped-ipv6 support, request by Eric Dumazet Link: https://lore.kernel.org/netdev/cover.1658815925.git.cdleonard@gmail.com/ Changes since PATCH v5: * Rebased on recent net-next, including recent changes refactoring md5 * Use to skb_drop_reason * Fix using sock_kmalloc for key alloc but regular kfree for free. Use kmalloc because keys are global * Fix mentioning non-existent copy_from_sockopt in doc for _copy_from_sockptr_tolerant * If no valid keys are available for a destination then report a socket error instead of sending unsigned traffic * Remove several noop implementations which are always called from ifdef * Fix build issues in all scenarios, including -Werror at every point. * Split "tcp: Refactor tcp_inbound_md5_hash into tcp_inbound_sig_hash" into a separate commit. * Add TCP_AUTHOPT_FLAG_ACTIVE to distinguish between "keys configured for socket" and "connection authenticated". A listen socket with authentication enabled will return other sockets with authentication enabled on accept() but if no key is configured for the peer then authentication will be inactive. * Add support for TCP_REPAIR_AUTHOPT new sockopts which loads/saves the AO-specific information. Link: https://lore.kernel.org/netdev/cover.1643026076.git.cdleonard@gmail.com/ Changes since PATCH v4: * Move the traffic_key context_bytes header to stack. If it's a constant string then ahash can fail unexpectedly. * Fix allowing unsigned traffic if all keys are marked norecv. * Fix crashing in __tcp_authopt_alg_init on failure. * Try to respect the rnextkeyid from SYN on SYNACK (new patch) * Fix incorrect check for TCP_AUTHOPT_KEY_DEL in __tcp_authopt_select_key * Improve docs on __tcp_authopt_select_key * Fix build with CONFIG_PROC_FS=n (kernel build robot) * Fix build with CONFIG_IPV6=n (kernel build robot) Link: https://lore.kernel.org/netdev/cover.1640273966.git.cdleonard@gmail.com/ Changes since PATCH v3: * Made keys global (per-netns rather than per-sock). * Add /proc/net/tcp_authopt with a table of keys (not sockets). * Fix part of the shash/ahash conversion having slipped from patch 3 to patch 5 * Fix tcp_parse_sig_options assigning NULL incorrectly when both MD5 and AO are disabled (kernel build robot) * Fix sparse endianness warnings in prefix match (kernel build robot) * Fix several incorrect RCU annotations reported by sparse (kernel build robot) Link: https://lore.kernel.org/netdev/cover.1638962992.git.cdleonard@gmail.com/ Changes since PATCH v2: * Protect tcp_authopt_alg_get/put_tfm with local_bh_disable instead of preempt_disable. This caused signature corruption when send path executing with BH enabled was interrupted by recv. * Fix accepted keyids not configured locally as "unexpected". If any key is configured that matches the peer then traffic MUST be signed. * Fix issues related to sne rollover during handshake itself. (Francesco) * Implement and test prefixlen (David) * Replace shash with ahash and reuse some of the MD5 code (Dmitry) * Parse md5+ao options only once in the same function (Dmitry) * Pass tcp_authopt_info into inbound check path, this avoids second rcu dereference for same packet. * Pass tcp_request_socket into inbound check path instead of just listen socket. This is required for SNE rollover during handshake and clearifies ISN handling. * Do not allow disabling via sysctl after enabling once, this is difficult to support well (David) * Verbose check for sysctl_tcp_authopt (Dmitry) * Use netif_index_is_l3_master (David) * Cleanup ipvx_addr_match (David) * Add a #define tcp_authopt_needed to wrap static key usage because it looks nicer. * Replace rcu_read_lock with rcu_dereference_protected in SNE updates (Eric) * Remove test suite Link: https://lore.kernel.org/netdev/cover.1635784253.git.cdleonard@gmail.com/ Changes since PATCH v1: * Implement Sequence Number Extension * Implement l3index for vrf: TCP_AUTHOPT_KEY_IFINDEX as equivalent of TCP_MD5SIG_FLAG_IFINDEX * Expand TCP-AO tests in fcnal-test.sh to near-parity with md5. * Show addr/port on failure similar to md5 * Remove tox dependency from test suite (create venv directly) * Switch default pytest output format to TAP (kselftest standard) * Fix _copy_from_sockptr_tolerant stack corruption on short sockopts. This was covered in test but error was invisible without STACKPROTECTOR=y * Fix sysctl_tcp_authopt check in tcp_get_authopt_val before memset. This was harmless because error code is checked in getsockopt anyway. * Fix dropping md5 packets on all sockets with AO enabled * Fix checking (key->recv_id & TCP_AUTHOPT_KEY_ADDR_BIND) instead of key->flags in tcp_authopt_key_match_exact * Fix PATCH 1/19 not compiling due to missing "int err" declaration * Add ratelimited message for AO and MD5 both present * Export all symbols required by CONFIG_IPV6=m (again) * Fix compilation with CONFIG_TCP_AUTHOPT=y CONFIG_TCP_MD5SIG=n * Fix checkpatch issues * Pass -rrequirements.txt to tox to avoid dependency variation. Link: https://lore.kernel.org/netdev/cover.1632240523.git.cdleonard@gmail.com/ Changes since RFCv3: * Implement TCP_AUTHOPT handling for timewait and reset replies. Write tests to execute these paths by injecting packets with scapy * Handle combining md5 and authopt: if both are configured use authopt. * Fix locking issues around send_key, introduced in on of the later patches. * Handle IPv4-mapped-IPv6 addresses: it used to be that an ipv4 SYN sent to an ipv6 socket with TCP-AO triggered WARN * Implement un-namespaced sysctl disabled this feature by default * Allocate new key before removing any old one in setsockopt (Dmitry) * Remove tcp_authopt_key_info.local_id because it's no longer used (Dmitry) * Propagate errors from TCP_AUTHOPT getsockopt (Dmitry) * Fix no-longer-correct TCP_AUTHOPT_KEY_DEL docs (Dmitry) * Simplify crypto allocation (Eric) * Use kzmalloc instead of __GFP_ZERO (Eric) * Add static_key_false tcp_authopt_needed (Eric) * Clear authopt_info copied from oldsk in __tcp_authopt_openreq (Eric) * Replace memcmp in ipv4 and ipv6 addr comparisons (Eric) * Export symbols for CONFIG_IPV6=m (kernel test robot) * Mark more functions static (kernel test robot) * Fix build with CONFIG_PROVE_RCU_LIST=y (kernel test robot) Link: https://lore.kernel.org/netdev/cover.1629840814.git.cdleonard@gmail.com/ Changes since RFCv2: * Removed local_id from ABI and match on send_id/recv_id/addr * Add all relevant out-of-tree tests to tools/testing/selftests * Return an error instead of ignoring unknown flags, hopefully this makes it easier to extend. * Check sk_family before __tcp_authopt_info_get_or_create in tcp_set_authopt_key * Use sock_owned_by_me instead of WARN_ON(!lockdep_sock_is_held(sk)) * Fix some intermediate build failures reported by kbuild robot * Improve documentation Link: https://lore.kernel.org/netdev/cover.1628544649.git.cdleonard@gmail.com/ Changes since RFC: * Split into per-topic commits for ease of review. The intermediate commits compile with a few "unused function" warnings and don't do anything useful by themselves. * Add ABI documention including kernel-doc on uapi * Fix lockdep warnings from crypto by creating pools with one shash for each cpu * Accept short options to setsockopt by padding with zeros; this approach allows increasing the size of the structs in the future. * Support for aes-128-cmac-96 * Support for binding addresses to keys in a way similar to old tcp_md5 * Add support for retrieving received keyid/rnextkeyid and controling the keyid/rnextkeyid being sent. Link: https://lore.kernel.org/netdev/01383a8751e97ef826ef2adf93bfde3a08195a43.162… Leonard Crestez (26): tcp: authopt: Initial support and key management docs: Add user documentation for tcp_authopt tcp: authopt: Add crypto initialization tcp: Refactor tcp_sig_hash_skb_data for AO tcp: authopt: Compute packet signatures tcp: Refactor tcp_inbound_md5_hash into tcp_inbound_sig_hash tcp: authopt: Hook into tcp core tcp: authopt: Disable via sysctl by default tcp: authopt: Implement Sequence Number Extension tcp: ipv6: Add AO signing for tcp_v6_send_response tcp: authopt: Add support for signing skb-less replies tcp: ipv4: Add AO signing for skb-less replies tcp: authopt: Add key selection controls tcp: authopt: Add initial l3index support tcp: authopt: Add NOSEND/NORECV flags tcp: authopt: Add prefixlen support tcp: authopt: Add v4mapped ipv6 address support tcp: authopt: Add /proc/net/tcp_authopt listing all keys selftests: nettest: Rename md5_prefix to key_addr_prefix selftests: nettest: Initial tcp_authopt support selftests: net/fcnal: Initial tcp_authopt support tcp: authopt: Try to respect rnextkeyid from SYN on SYNACK tcp: authopt: tcp_authopt_lookup_send: Add anykey output param tcp: authopt: Initial support for TCP_AUTHOPT_FLAG_ACTIVE tcp: authopt: If no keys are valid for send report an error tcp: authopt: Initial implementation of TCP_REPAIR_AUTHOPT Documentation/networking/index.rst | 1 + Documentation/networking/ip-sysctl.rst | 6 + Documentation/networking/tcp_authopt.rst | 88 + include/linux/tcp.h | 15 + include/net/dropreason.h | 16 + include/net/net_namespace.h | 4 + include/net/netns/tcp_authopt.h | 12 + include/net/tcp.h | 55 +- include/net/tcp_authopt.h | 264 +++ include/uapi/linux/snmp.h | 1 + include/uapi/linux/tcp.h | 169 ++ net/ipv4/Kconfig | 14 + net/ipv4/Makefile | 1 + net/ipv4/proc.c | 1 + net/ipv4/sysctl_net_ipv4.c | 39 + net/ipv4/tcp.c | 126 +- net/ipv4/tcp_authopt.c | 1980 +++++++++++++++++++++ net/ipv4/tcp_input.c | 55 +- net/ipv4/tcp_ipv4.c | 100 +- net/ipv4/tcp_minisocks.c | 12 + net/ipv4/tcp_output.c | 106 +- net/ipv6/tcp_ipv6.c | 70 +- tools/testing/selftests/net/fcnal-test.sh | 329 +++- tools/testing/selftests/net/nettest.c | 204 ++- 24 files changed, 3580 insertions(+), 88 deletions(-) create mode 100644 Documentation/networking/tcp_authopt.rst create mode 100644 include/net/netns/tcp_authopt.h create mode 100644 include/net/tcp_authopt.h create mode 100644 net/ipv4/tcp_authopt.c -- 2.25.1

2 years, 2 months

1
26
0 0

[PATCH] selftests/vm: fix inability to build any vm tests

by Axel Rasmussen

When we stopped using KSFT_KHDR_INSTALL, a side effect is we also changed the value of `top_srcdir`. This can be seen by looking at the code removed by: 49de12ba06ef ("selftests: drop KSFT_KHDR_INSTALL make target"): (Note though that this commit didn't break this, technically the one before it did since that's the one that stopped KSFT_KHDR_INSTALL from being used, even though the code was still there.) Previously lib.mk reconfigured `top_srcdir` when KSFT_KHDR_INSTALL was being used. Now, that's no longer the case. As a result, the path to gup_test.h in vm/Makefile was wrong, and since it's a dependency of all of the vm binaries none of them could be built. Instead, we'd get an "error" like: make[1]: *** No rule to make target '/[...]/tools/testing/selftests/vm/compaction_test', needed by 'all'. Stop. If we specify the path of gup_test.h relatively using selfdir instead, now it is found correctly, and things work again. Fixes: f2745dc0ba3d ("selftests: stop using KSFT_KHDR_INSTALL") Signed-off-by: Axel Rasmussen <axelrasmussen(a)google.com> --- tools/testing/selftests/vm/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/vm/Makefile b/tools/testing/selftests/vm/Makefile index d9fa6a9ea584..f2a12494f2d8 100644 --- a/tools/testing/selftests/vm/Makefile +++ b/tools/testing/selftests/vm/Makefile @@ -1,7 +1,7 @@ # SPDX-License-Identifier: GPL-2.0 # Makefile for vm selftests -LOCAL_HDRS += $(selfdir)/vm/local_config.h $(top_srcdir)/mm/gup_test.h +LOCAL_HDRS += $(selfdir)/vm/local_config.h $(selfdir)/../../../mm/gup_test.h include local_config.mk -- 2.37.1.595.g718a3a8f04-goog

2 years, 2 months

2
3
0 0

Running kunit tests on platform devices

by Ramon Fried

Hi. I implemented a test suite that checks a platform driver, that's the only way I can test interrupts behavior in the code. Because it's a platform, I can't use kunit_test_suite(), so I call __kunit_test_suites_init() as part of the platform driver probe function. This works fine but has the following problems. "TAP version 14" string is not printed and it's impossible to parse the results using the script. In addition, the suite is not displayed in /sys/kernel/debug/kunit. It would be my pleasure to provide a patch that fixes this, I just wanted to make sure that my testing strategy makes sense. Thanks, Ramon

2 years, 2 months

3
4
0 0

[PATCH 0/4] Documentation: KUnit: minor fixes

by Tales Aparecida

Hi, This is a short series of minor fixes to the Kunit documentation, they probably can be squashed but I suppose it's easier to review them individually. Thanks for any feedbacks, Tales Tales Aparecida (4): Documentation: kunit: fix trivial typo Documentation: Kunit: Fix inconsistent titles Documentation: KUnit: Fix non-uml anchor Documentation: Kunit: Add ref for other kinds of tests Documentation/dev-tools/kunit/architecture.rst | 4 ++-- Documentation/dev-tools/kunit/faq.rst | 8 +++++--- Documentation/dev-tools/kunit/index.rst | 2 ++ Documentation/dev-tools/kunit/run_wrapper.rst | 4 +++- Documentation/dev-tools/kunit/usage.rst | 4 ++-- 5 files changed, 14 insertions(+), 8 deletions(-) -- 2.37.1

2 years, 2 months

5
12
0 0

[PATCH v3 0/4] arm64/sme: ptrace support for TPIDR2_EL0

by Mark Brown

When SME was initially merged we did not add support for TPIDR2_EL0 to the ptrace interface, creating difficulties for debuggers in accessing lazy save state for ZA. This series implements that support, extending the existing NT_ARM_TLS regset to support the register when available, and adds kselftest coverage for the existing and new NT_ARM_TLS functionality. Existing programs that query the size of the register set will be able to observe the increased size of the register set. Programs that assume the register set is single register will see no change. On systems that do not support SME TPIDR2_EL0 will read as 0 and writes will be ignored, support for SME should be queried via hwcaps as normal. v3: - Fix copyright date on test program. v2: - Rebase onto v6.0-rc1. Mark Brown (4): kselftest/arm64: Add test coverage for NT_ARM_TLS arm64/ptrace: Document extension of NT_ARM_TLS to cover TPIDR2_EL0 arm64/ptrace: Support access to TPIDR2_EL0 kselftest/arm64: Add coverage of TPIDR2_EL0 ptrace interface Documentation/arm64/sme.rst | 3 + arch/arm64/kernel/ptrace.c | 25 +- tools/testing/selftests/arm64/abi/.gitignore | 1 + tools/testing/selftests/arm64/abi/Makefile | 2 +- tools/testing/selftests/arm64/abi/ptrace.c | 241 +++++++++++++++++++ 5 files changed, 266 insertions(+), 6 deletions(-) create mode 100644 tools/testing/selftests/arm64/abi/ptrace.c base-commit: 568035b01cfb107af8d2e4bd2fb9aea22cf5b868 -- 2.30.2

2 years, 2 months

1
4
0 0

[PATCH net v4 1/3] selftests: include bonding tests into the kselftest infra

by Jonathan Toppins

This creates a test collection in drivers/net/bonding for bonding specific kernel selftests. The first test is a reproducer that provisions a bond and given the specific order in how the ip-link(8) commands are issued the bond never transmits an LACPDU frame on any of its slaves. Signed-off-by: Jonathan Toppins <jtoppins(a)redhat.com> --- Notes: v2: * fully integrated the test into the kselftests infrastructure * moved the reproducer to under tools/testing/selftests/drivers/net/bonding * reduced the test to its minimial amount and used ip-link(8) for all bond interface configuration v3: * rebase to latest net/master * remove `#set -x` requested by Hangbin v4: * no changes MAINTAINERS | 1 + tools/testing/selftests/Makefile | 1 + .../selftests/drivers/net/bonding/Makefile | 6 ++ .../net/bonding/bond-break-lacpdu-tx.sh | 81 +++++++++++++++++++ .../selftests/drivers/net/bonding/config | 1 + .../selftests/drivers/net/bonding/settings | 1 + 6 files changed, 91 insertions(+) create mode 100644 tools/testing/selftests/drivers/net/bonding/Makefile create mode 100755 tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh create mode 100644 tools/testing/selftests/drivers/net/bonding/config create mode 100644 tools/testing/selftests/drivers/net/bonding/settings diff --git a/MAINTAINERS b/MAINTAINERS index f2d64020399b..e5fb14dc302d 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -3672,6 +3672,7 @@ F: Documentation/networking/bonding.rst F: drivers/net/bonding/ F: include/net/bond* F: include/uapi/linux/if_bonding.h +F: tools/testing/selftests/net/bonding/ BOSCH SENSORTEC BMA400 ACCELEROMETER IIO DRIVER M: Dan Robertson <dan(a)dlrobertson.com> diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile index 10b34bb03bc1..c2064a35688b 100644 --- a/tools/testing/selftests/Makefile +++ b/tools/testing/selftests/Makefile @@ -12,6 +12,7 @@ TARGETS += cpu-hotplug TARGETS += damon TARGETS += drivers/dma-buf TARGETS += drivers/s390x/uvdevice +TARGETS += drivers/net/bonding TARGETS += efivarfs TARGETS += exec TARGETS += filesystems diff --git a/tools/testing/selftests/drivers/net/bonding/Makefile b/tools/testing/selftests/drivers/net/bonding/Makefile new file mode 100644 index 000000000000..ab6c54b12098 --- /dev/null +++ b/tools/testing/selftests/drivers/net/bonding/Makefile @@ -0,0 +1,6 @@ +# SPDX-License-Identifier: GPL-2.0 +# Makefile for net selftests + +TEST_PROGS := bond-break-lacpdu-tx.sh + +include ../../../lib.mk diff --git a/tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh b/tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh new file mode 100755 index 000000000000..47ab90596acb --- /dev/null +++ b/tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh @@ -0,0 +1,81 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0 + +# Regression Test: +# Verify LACPDUs get transmitted after setting the MAC address of +# the bond. +# +# https://bugzilla.redhat.com/show_bug.cgi?id=2020773 +# +# +---------+ +# | fab-br0 | +# +---------+ +# | +# +---------+ +# | fbond | +# +---------+ +# | | +# +------+ +------+ +# |veth1 | |veth2 | +# +------+ +------+ +# +# We use veths instead of physical interfaces + +set -e +tmp=$(mktemp -q dump.XXXXXX) +cleanup() { + ip link del fab-br0 >/dev/null 2>&1 || : + ip link del fbond >/dev/null 2>&1 || : + ip link del veth1-bond >/dev/null 2>&1 || : + ip link del veth2-bond >/dev/null 2>&1 || : + modprobe -r bonding >/dev/null 2>&1 || : + rm -f -- ${tmp} +} + +trap cleanup 0 1 2 +cleanup +sleep 1 + +# create the bridge +ip link add fab-br0 address 52:54:00:3B:7C:A6 mtu 1500 type bridge \ + forward_delay 15 + +# create the bond +ip link add fbond type bond mode 4 miimon 200 xmit_hash_policy 1 \ + ad_actor_sys_prio 65535 lacp_rate fast + +# set bond address +ip link set fbond address 52:54:00:3B:7C:A6 +ip link set fbond up + +# set again bond sysfs parameters +ip link set fbond type bond ad_actor_sys_prio 65535 + +# create veths +ip link add name veth1-bond type veth peer name veth1-end +ip link add name veth2-bond type veth peer name veth2-end + +# add ports +ip link set fbond master fab-br0 +ip link set veth1-bond down master fbond +ip link set veth2-bond down master fbond + +# bring up +ip link set veth1-end up +ip link set veth2-end up +ip link set fab-br0 up +ip link set fbond up +ip addr add dev fab-br0 10.0.0.3 + +tcpdump -n -i veth1-end -e ether proto 0x8809 >${tmp} 2>&1 & +sleep 15 +pkill tcpdump >/dev/null 2>&1 +rc=0 +num=$(grep "packets captured" ${tmp} | awk '{print $1}') +if test "$num" -gt 0; then + echo "PASS, captured ${num}" +else + echo "FAIL" + rc=1 +fi +exit $rc diff --git a/tools/testing/selftests/drivers/net/bonding/config b/tools/testing/selftests/drivers/net/bonding/config new file mode 100644 index 000000000000..dc1c22de3c92 --- /dev/null +++ b/tools/testing/selftests/drivers/net/bonding/config @@ -0,0 +1 @@ +CONFIG_BONDING=y diff --git a/tools/testing/selftests/drivers/net/bonding/settings b/tools/testing/selftests/drivers/net/bonding/settings new file mode 100644 index 000000000000..867e118223cd --- /dev/null +++ b/tools/testing/selftests/drivers/net/bonding/settings @@ -0,0 +1 @@ +timeout=60 -- 2.31.1

2 years, 2 months

1
0
0 0

[PATCH v2 0/4] arm64/sme: ptrace support for TPIDR2_EL0

by Mark Brown

When SME was initially merged we did not add support for TPIDR2_EL0 to the ptrace interface, creating difficulties for debuggers in accessing lazy save state for ZA. This series implements that support, extending the existing NT_ARM_TLS regset to support the register when available, and adds kselftest coverage for the existing and new NT_ARM_TLS functionality. Existing programs that query the size of the register set will be able to observe the increased size of the register set. Programs that assume the register set is single register will see no change. On systems that do not support SME TPIDR2_EL0 will read as 0 and writes will be ignored, support for SME should be queried via hwcaps as normal. v2: - Rebase onto v6.0-rc1. Mark Brown (4): kselftest/arm64: Add test coverage for NT_ARM_TLS arm64/ptrace: Document extension of NT_ARM_TLS to cover TPIDR2_EL0 arm64/ptrace: Support access to TPIDR2_EL0 kselftest/arm64: Add coverage of TPIDR2_EL0 ptrace interface Documentation/arm64/sme.rst | 3 + arch/arm64/kernel/ptrace.c | 25 +- tools/testing/selftests/arm64/abi/.gitignore | 1 + tools/testing/selftests/arm64/abi/Makefile | 2 +- tools/testing/selftests/arm64/abi/ptrace.c | 241 +++++++++++++++++++ 5 files changed, 266 insertions(+), 6 deletions(-) create mode 100644 tools/testing/selftests/arm64/abi/ptrace.c base-commit: 568035b01cfb107af8d2e4bd2fb9aea22cf5b868 -- 2.30.2

2 years, 2 months

2
8
0 0

[PATCH v2] selftests/net: Refactor xfrm_fill_key() to use array of structs

by Gautam Menghani

A TODO in net/ipsec.c asks to refactor the code in xfrm_fill_key() to use set/map to avoid manually comparing each algorithm with the "name" parameter passed to the function as an argument. This patch refactors the code to create an array of structs where each struct contains the algorithm name and its corresponding key length. Signed-off-by: Gautam Menghani <gautammenghani201(a)gmail.com> --- changes in v2: 1. Fix the compilation warnings for struct and variable declaration tools/testing/selftests/net/ipsec.c | 108 +++++++++++++--------------- 1 file changed, 49 insertions(+), 59 deletions(-) diff --git a/tools/testing/selftests/net/ipsec.c b/tools/testing/selftests/net/ipsec.c index cc10c10c5ed9..4a0eeb5b71d2 100644 --- a/tools/testing/selftests/net/ipsec.c +++ b/tools/testing/selftests/net/ipsec.c @@ -58,6 +58,8 @@ #define VETH_FMT "ktst-%d" #define VETH_LEN 12 +#define XFRM_ALGO_NR_KEYS 29 + static int nsfd_parent = -1; static int nsfd_childa = -1; static int nsfd_childb = -1; @@ -75,6 +77,46 @@ const unsigned int ping_timeout = 300; const unsigned int ping_count = 100; const unsigned int ping_success = 80; +struct xfrm_key_entry { + char algo_name[35]; + int key_len; +}; + +struct xfrm_key_entry xfrm_key_entries[XFRM_ALGO_NR_KEYS]; + +static void init_xfrm_algo_keys(void) +{ + xfrm_key_entries[0] = (struct xfrm_key_entry) {"digest_null", 0}; + xfrm_key_entries[1] = (struct xfrm_key_entry) {"ecb(cipher_null)", 0}; + xfrm_key_entries[2] = (struct xfrm_key_entry) {"cbc(des)", 64}; + xfrm_key_entries[3] = (struct xfrm_key_entry) {"hmac(md5)", 128}; + xfrm_key_entries[4] = (struct xfrm_key_entry) {"cmac(aes)", 128}; + xfrm_key_entries[5] = (struct xfrm_key_entry) {"xcbc(aes)", 128}; + xfrm_key_entries[6] = (struct xfrm_key_entry) {"cbc(cast5)", 128}; + xfrm_key_entries[7] = (struct xfrm_key_entry) {"cbc(serpent)", 128}; + xfrm_key_entries[8] = (struct xfrm_key_entry) {"hmac(sha1)", 160}; + xfrm_key_entries[9] = (struct xfrm_key_entry) {"hmac(rmd160)", 160}; + xfrm_key_entries[10] = (struct xfrm_key_entry) {"cbc(des3_ede)", 192}; + xfrm_key_entries[11] = (struct xfrm_key_entry) {"hmac(sha256)", 256}; + xfrm_key_entries[12] = (struct xfrm_key_entry) {"cbc(aes)", 256}; + xfrm_key_entries[13] = (struct xfrm_key_entry) {"cbc(camellia)", 256}; + xfrm_key_entries[14] = (struct xfrm_key_entry) {"cbc(twofish)", 256}; + xfrm_key_entries[15] = (struct xfrm_key_entry) {"rfc3686(ctr(aes))", 288}; + xfrm_key_entries[16] = (struct xfrm_key_entry) {"hmac(sha384)", 384}; + xfrm_key_entries[17] = (struct xfrm_key_entry) {"cbc(blowfish)", 448}; + xfrm_key_entries[18] = (struct xfrm_key_entry) {"hmac(sha512)", 512}; + xfrm_key_entries[19] = (struct xfrm_key_entry) {"rfc4106(gcm(aes))-128", 160}; + xfrm_key_entries[20] = (struct xfrm_key_entry) {"rfc4543(gcm(aes))-128", 160}; + xfrm_key_entries[21] = (struct xfrm_key_entry) {"rfc4309(ccm(aes))-128", 152}; + xfrm_key_entries[22] = (struct xfrm_key_entry) {"rfc4106(gcm(aes))-192", 224}; + xfrm_key_entries[23] = (struct xfrm_key_entry) {"rfc4543(gcm(aes))-192", 224}; + xfrm_key_entries[24] = (struct xfrm_key_entry) {"rfc4309(ccm(aes))-192", 216}; + xfrm_key_entries[25] = (struct xfrm_key_entry) {"rfc4106(gcm(aes))-256", 288}; + xfrm_key_entries[26] = (struct xfrm_key_entry) {"rfc4543(gcm(aes))-256", 288}; + xfrm_key_entries[27] = (struct xfrm_key_entry) {"rfc4309(ccm(aes))-256", 280}; + xfrm_key_entries[28] = (struct xfrm_key_entry) {"rfc7539(chacha20,poly1305)-128", 0}; +} + static void randomize_buffer(void *buf, size_t buflen) { int *p = (int *)buf; @@ -767,65 +809,12 @@ static int do_ping(int cmd_fd, char *buf, size_t buf_len, struct in_addr from, static int xfrm_fill_key(char *name, char *buf, size_t buf_len, unsigned int *key_len) { - /* TODO: use set/map instead */ - if (strncmp(name, "digest_null", ALGO_LEN) == 0) - *key_len = 0; - else if (strncmp(name, "ecb(cipher_null)", ALGO_LEN) == 0) - *key_len = 0; - else if (strncmp(name, "cbc(des)", ALGO_LEN) == 0) - *key_len = 64; - else if (strncmp(name, "hmac(md5)", ALGO_LEN) == 0) - *key_len = 128; - else if (strncmp(name, "cmac(aes)", ALGO_LEN) == 0) - *key_len = 128; - else if (strncmp(name, "xcbc(aes)", ALGO_LEN) == 0) - *key_len = 128; - else if (strncmp(name, "cbc(cast5)", ALGO_LEN) == 0) - *key_len = 128; - else if (strncmp(name, "cbc(serpent)", ALGO_LEN) == 0) - *key_len = 128; - else if (strncmp(name, "hmac(sha1)", ALGO_LEN) == 0) - *key_len = 160; - else if (strncmp(name, "hmac(rmd160)", ALGO_LEN) == 0) - *key_len = 160; - else if (strncmp(name, "cbc(des3_ede)", ALGO_LEN) == 0) - *key_len = 192; - else if (strncmp(name, "hmac(sha256)", ALGO_LEN) == 0) - *key_len = 256; - else if (strncmp(name, "cbc(aes)", ALGO_LEN) == 0) - *key_len = 256; - else if (strncmp(name, "cbc(camellia)", ALGO_LEN) == 0) - *key_len = 256; - else if (strncmp(name, "cbc(twofish)", ALGO_LEN) == 0) - *key_len = 256; - else if (strncmp(name, "rfc3686(ctr(aes))", ALGO_LEN) == 0) - *key_len = 288; - else if (strncmp(name, "hmac(sha384)", ALGO_LEN) == 0) - *key_len = 384; - else if (strncmp(name, "cbc(blowfish)", ALGO_LEN) == 0) - *key_len = 448; - else if (strncmp(name, "hmac(sha512)", ALGO_LEN) == 0) - *key_len = 512; - else if (strncmp(name, "rfc4106(gcm(aes))-128", ALGO_LEN) == 0) - *key_len = 160; - else if (strncmp(name, "rfc4543(gcm(aes))-128", ALGO_LEN) == 0) - *key_len = 160; - else if (strncmp(name, "rfc4309(ccm(aes))-128", ALGO_LEN) == 0) - *key_len = 152; - else if (strncmp(name, "rfc4106(gcm(aes))-192", ALGO_LEN) == 0) - *key_len = 224; - else if (strncmp(name, "rfc4543(gcm(aes))-192", ALGO_LEN) == 0) - *key_len = 224; - else if (strncmp(name, "rfc4309(ccm(aes))-192", ALGO_LEN) == 0) - *key_len = 216; - else if (strncmp(name, "rfc4106(gcm(aes))-256", ALGO_LEN) == 0) - *key_len = 288; - else if (strncmp(name, "rfc4543(gcm(aes))-256", ALGO_LEN) == 0) - *key_len = 288; - else if (strncmp(name, "rfc4309(ccm(aes))-256", ALGO_LEN) == 0) - *key_len = 280; - else if (strncmp(name, "rfc7539(chacha20,poly1305)-128", ALGO_LEN) == 0) - *key_len = 0; + int i; + + for (i = 0; i < XFRM_ALGO_NR_KEYS; i++) { + if (strncmp(name, xfrm_key_entries[i].algo_name, ALGO_LEN) == 0) + *key_len = xfrm_key_entries[i].key_len; + } if (*key_len > buf_len) { printk("Can't pack a key - too big for buffer"); @@ -2305,6 +2294,7 @@ int main(int argc, char **argv) } } + init_xfrm_algo_keys(); srand(time(NULL)); page_size = sysconf(_SC_PAGESIZE); if (page_size < 1) -- 2.34.1

2 years, 2 months

3
3
0 0

[PATCH v5 0/5] userfaultfd: add /dev/userfaultfd for fine grained access control

by Axel Rasmussen

This series is based on torvalds/master. The series is split up like so: - Patch 1 is a simple fixup which we should take in any case (even by itself). - Patches 2-5 add the feature, configurable selftest support, and docs. Why not ...? ============ - Why not /proc/[pid]/userfaultfd? Two main points (additional discussion [1]): - /proc/[pid]/* files are all owned by the user/group of the process, and they don't really support chmod/chown. So, without extending procfs it doesn't solve the problem this series is trying to solve. - The main argument *for* this was to support creating UFFDs for remote processes. But, that use case clearly calls for CAP_SYS_PTRACE, so to support this we could just use the UFFD syscall as-is. - Why not use a syscall? Access to syscalls is generally controlled by capabilities. We don't have a capability which is used for userfaultfd access without also granting more / other permissions as well, and adding a new capability was rejected [2]. - It's possible a LSM could be used to control access instead, but I have some concerns. I don't think this approach would be as easy to use, particularly if we were to try to solve this with something heavyweight like SELinux. Maybe we could pursue adding a new LSM specifically for this user case, but it may be too narrow of a case to justify that. Changelog ========= v4->v5: - Call userfaultfd_syscall_allowed() directly in the syscall, so we don't have to plumb a flag into new_userfaultfd(). [Nadav] - Refactored run_vmtests.sh to loop over UFFD test mods. [Nadav] - Reworded cover letter. - Picked up some Acked-by's. v3->v4: - Picked up an Acked-by on 5/5. - Updated cover letter to cover "why not ...". - Refactored userfaultfd_allowed() into userfaultfd_syscall_allowed(). [Peter] - Removed obsolete comment from a previous version. [Peter] - Refactored userfaultfd_open() in selftest. [Peter] - Reworded admin-guide documentation. [Mike, Peter] - Squashed 2 commits adding /dev/userfaultfd to selftest and making selftest configurable. [Peter] - Added "syscall" test modifier (the default behavior) to selftest. [Peter] v2->v3: - Rebased onto linux-next/akpm-base, in order to be based on top of the run_vmtests.sh refactor which was merged previously. - Picked up some Reviewed-by's. - Fixed ioctl definition (_IO instead of _IOWR), and stopped using compat_ptr_ioctl since it is unneeded for ioctls which don't take a pointer. - Removed the "handle_kernel_faults" bool, simplifying the code. The result is logically equivalent, but simpler. - Fixed userfaultfd selftest so it returns KSFT_SKIP appropriately. - Reworded documentation per Shuah's feedback on v2. - Improved example usage for userfaultfd selftest. v1->v2: - Add documentation update. - Test *both* userfaultfd(2) and /dev/userfaultfd via the selftest. [1]: https://patchwork.kernel.org/project/linux-mm/cover/20220719195628.3415852-… [2]: https://lore.kernel.org/lkml/686276b9-4530-2045-6bd8-170e5943abe4@schaufler… Axel Rasmussen (5): selftests: vm: add hugetlb_shared userfaultfd test to run_vmtests.sh userfaultfd: add /dev/userfaultfd for fine grained access control userfaultfd: selftests: modify selftest to use /dev/userfaultfd userfaultfd: update documentation to describe /dev/userfaultfd selftests: vm: add /dev/userfaultfd test cases to run_vmtests.sh Documentation/admin-guide/mm/userfaultfd.rst | 41 ++++++++++- Documentation/admin-guide/sysctl/vm.rst | 3 + fs/userfaultfd.c | 73 +++++++++++++++----- include/uapi/linux/userfaultfd.h | 4 ++ tools/testing/selftests/vm/run_vmtests.sh | 15 ++-- tools/testing/selftests/vm/userfaultfd.c | 69 +++++++++++++++--- 6 files changed, 172 insertions(+), 33 deletions(-) -- 2.37.1.559.g78731f0fdb-goog

2 years, 2 months

2
9
0 0

[PATCH][next] selftests/bpf: Fix spelling mistake "succesful" -> "successful"

by Colin Ian King

There is a spelling mistake in an ASSERT_OK literal string. Fix it. Signed-off-by: Colin Ian King <colin.i.king(a)gmail.com> --- tools/testing/selftests/bpf/prog_tests/kfunc_call.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/bpf/prog_tests/kfunc_call.c b/tools/testing/selftests/bpf/prog_tests/kfunc_call.c index 351fafa006fb..eede7c304f86 100644 --- a/tools/testing/selftests/bpf/prog_tests/kfunc_call.c +++ b/tools/testing/selftests/bpf/prog_tests/kfunc_call.c @@ -109,7 +109,7 @@ static void test_destructive(void) { __u64 save_caps = 0; - ASSERT_OK(test_destructive_open_and_load(), "succesful_load"); + ASSERT_OK(test_destructive_open_and_load(), "successful_load"); if (!ASSERT_OK(cap_disable_effective(1ULL << CAP_SYS_BOOT, &save_caps), "drop_caps")) return; -- 2.37.1

2 years, 2 months

3
2
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-kselftest-mirror